feat(confidentialrelay): gateway forwards relay responses as a bundle; enclave verifies#22807
Open
nadahalli wants to merge 4 commits into
Conversation
Make the gateway a keyless dumb fan-in for confidential-relay responses and move all signature verification to the enclave. Previously the gateway counted unverified, attacker-supplied signer identities toward quorum, so a single compromised relay node could forge quorum and starve the enclave of the real result (a liveness break).

Gateway: replace the signature-counting aggregator with a bundler that forwards every collected per-node response in one bundle, without merging, trusting, or counting signatures. Forward at the 2F+1 response threshold (so >=F+1 honest responses are guaranteed present) and forward a partial bundle on timeout instead of erroring.

Relay node: emit a single Signature per response; keep populating the deprecated Signatures array during the migration window.

Bumps chainlink-common to the bundle-types commit, pinned to the #2109 branch until it merges (PR is draft until then).
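The gateway/enclave split described above, modelled as an added example (not code from this PR or from chainlink): a keyless bundler that counts responses per transport-level node slot, forwards at 2F+1 or forwards a partial bundle on timeout, and an enclave that does all verification and only accepts a payload backed by F+1 valid signatures from distinct known nodes. The types (SignedResponse, Bundler, Enclave, Outcome), the ed25519 signing, the per-slot bookkeeping and the price payloads are all assumptions of this example and stand in for the project's own SignedXResponseBundle types; the scenario in RunScenario is constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
)

// SignedResponse models one relay node's reply; the gateway never checks Signer.
type SignedResponse struct {
	Payload   []byte
	Signer    ed25519.PublicKey
	Signature []byte
}

// Bundler is the keyless fan-in: it counts responses per transport-level node slot
// (the connection the gateway opened), never claimed signers.
type Bundler struct {
	F      int
	byNode map[int]SignedResponse
}

// Add keeps the first response from slot idx and reports whether 2F+1 slots are filled.
func (b *Bundler) Add(idx int, r SignedResponse) bool {
	if _, dup := b.byNode[idx]; !dup {
		b.byNode[idx] = r
	}
	return len(b.byNode) >= 2*b.F+1
}

// Bundle returns everything collected, unverified, sorted by claimed signer bytes for a
// deterministic order; partial is true when a timeout forwarded fewer than 2F+1 responses.
func (b *Bundler) Bundle(timedOut bool) (out []SignedResponse, partial bool) {
	for _, r := range b.byNode {
		out = append(out, r)
	}
	sort.Slice(out, func(i, j int) bool { return bytes.Compare(out[i].Signer, out[j].Signer) < 0 })
	return out, timedOut && len(out) < 2*b.F+1
}

// Enclave is the trust anchor: it knows the relay node set (raw public key bytes) and verifies.
type Enclave struct{ F int; Nodes map[string]bool }

// Verify ignores unknown signers, bad signatures and repeat signers, then returns the
// payload backed by at least F+1 valid signatures from distinct nodes.
func (e Enclave) Verify(bundle []SignedResponse) ([]byte, error) {
	seen, votes := map[string]bool{}, map[string]int{}
	for _, r := range bundle {
		key := string(r.Signer)
		if !e.Nodes[key] || seen[key] || !ed25519.Verify(r.Signer, r.Payload, r.Signature) {
			continue
		}
		seen[key] = true
		votes[string(r.Payload)]++
	}
	for payload, n := range votes {
		if n >= e.F+1 {
			return []byte(payload), nil
		}
	}
	return nil, errors.New("no payload carries F+1 valid signatures from distinct nodes")
}

// Outcome reports one gateway-to-enclave round: bundle size, partial flag, accepted payload, error.
type Outcome struct{ Bundled int; Partial bool; Accepted string; Err error }

// RunScenario (constructed): F=1, four nodes. Nodes 0-2 honestly sign "price=100"; node 3 is
// compromised and sends "price=1" while claiming node 0's key. Round 1 reaches 2F+1 before slow
// node 2 answers; round 2 times out after a single response.
func RunScenario() (full, timedOut Outcome) {
	enclave := Enclave{F: 1, Nodes: map[string]bool{}}
	var privs []ed25519.PrivateKey
	for i := 0; i < 3*enclave.F+1; i++ {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		privs = append(privs, priv)
		enclave.Nodes[string(pub)] = true
	}
	sign := func(i int, msg string) SignedResponse {
		return SignedResponse{Payload: []byte(msg), Signer: privs[i].Public().(ed25519.PublicKey), Signature: ed25519.Sign(privs[i], []byte(msg))}
	}
	forged := sign(3, "price=1")
	forged.Signer = privs[0].Public().(ed25519.PublicKey) // forged identity: the signature no longer verifies
	round := func(adds func(b *Bundler) bool) Outcome {
		b := &Bundler{F: enclave.F, byNode: map[int]SignedResponse{}}
		resp, partial := b.Bundle(!adds(b))
		got, err := enclave.Verify(resp)
		return Outcome{len(resp), partial, string(got), err}
	}
	full = round(func(b *Bundler) bool { b.Add(3, forged); b.Add(0, sign(0, "price=100")); return b.Add(1, sign(1, "price=100")) })
	timedOut = round(func(b *Bundler) bool { return b.Add(0, sign(0, "price=100")) })
	return full, timedOut
}

func main() {
	full, timedOut := RunScenario()
	fmt.Printf("threshold round: %d responses, accepted=%q, err=%v\n", full.Bundled, full.Accepted, full.Err)
	fmt.Printf("timeout round:   %d responses, partial=%v, err=%v\n", timedOut.Bundled, timedOut.Partial, timedOut.Err)
}
```

The point to notice is where the counting happens: the bundler counts filled slots, which an attacker can only fill once, whereas the claimed Signer inside the body is never consulted until the enclave checks it against its node set and the signature. Sorting by signer bytes before forwarding only makes the bundle order independent of arrival order; it carries no trust.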
No conflicts with other open PRs targeting the same branch.
Re-point from the temporary #2109 branch pin to the merged main commit (87b1e75d), now that chainlink-common#2109 has landed.
Resolve the aggregator_test.go modify/delete conflict by keeping #22807's deletion: #22516 (now on develop) added validEnclaveConfig to that file, but the dumb-bundler replaces the aggregator entirely and that helper is unused elsewhere. Relay packages build and tests pass with #22516's config-verify changes merged in.
… lint
- Bump chainlink-common to 87b1e75d in the 6 sibling modules (core/scripts, deployment, integration-tests{,/load}, system-tests/{lib,tests}) so the module graph is consistent (fixes Clean Go Tidy + deployment test builds).
- Lint: fmt.Errorf -> errors.New (perfsprint); []byte(fmt.Sprintf) -> fmt.Appendf and drop the generic ptr() wrapper (modernize); use assert instead of require inside test goroutines (testifylint).
vreff reviewed Jun 12, 2026
Comment on lines +688 to +689:

    // Deprecated: kept populated during the migration window so any reader still
    // on the array field continues to work; remove once nothing reads Signatures.

why are we "migrating" with no customers?
vreff reviewed Jun 12, 2026
Comment on lines +52 to +54:

    sort.Slice(out, func(i, j int) bool {
        return bytes.Compare(out[i].Signature.Signer, out[j].Signature.Signer) < 0
    })

why are we sorting by signer?
vreff reviewed Jun 12, 2026
Comment on lines +252 to +254:

    // valid signatures (e.g. faulty nodes stayed silent). The gateway does not
    // decide that; it forwards whatever it collected and lets the enclave, the
    // trust anchor, accept or reject.

Is this for censorship resistance? The gateway can always censor things.
Makes the gateway a dumb fan-in for confidential-relay responses and moves all signature verification to the enclave, closing a liveness gap where the gateway counted unverified, attacker-supplied signer identities toward quorum (one compromised relay node could forge quorum and starve the enclave of the real result).
aggregator.go) with bundler.go, a keyless fan-in that forwards every collected per-node response in one SignedXResponseBundle without merging, trusting, or counting signatures. Forwards at the 2F+1 response threshold (so >=F+1 honest responses are guaranteed present), and forwards a partial bundle on timeout instead of erroring.

Signature per response; keeps populating the deprecated Signatures array during the migration window.

Depends on chainlink-common #2109 (bundle types). Draft until that merges and common is released; go.mod is temporarily pinned to the #2109 branch.