Fix multi-arch oracle HMAC ring signature import#4854
Conversation
|
Welcome to RustChain! Thanks for your first pull request. Before we review, please make sure:
Bounty tiers: Micro (1-10 RTC) | Standard (20-50) | Major (75-100) | Critical (100-150) A maintainer will review your PR soon. Thanks for contributing! |
github-actions
Bot
added
BCOS-L1
508704820
left a comment
508704820
left a comment
There was a problem hiding this comment.
Code Review: Fix Multi-Arch Oracle HMAC Ring Signature Import
Summary
Moves import hmac from inside the if __name__ == "__main__" block to module-level imports. Previously, hmac was only available in demo mode, not in production code path.
What Works Well
- Correct fix: hmac was imported at the bottom (demo only), making it unavailable in production
- Test coverage: 63-line test file verifying HMAC ring signature works
- Fallback removed: The old
if 'hmac' in dir()fallback is replaced with direct import - Clean: Removes the misplaced import from main block
Issues Found
1. Low — Old fallback was silently insecure
The old code had:
.digest() if 'hmac' in dir() else hashlib.sha256(final_seed).digest()This means in production (where hmac wasn't imported), the ring signature degenerated to a simple SHA-256 hash — defeating the purpose of the HMAC ring signature scheme. This was a silent security degradation.
2. Nit — Test could be more comprehensive
The test verifies HMAC works but doesn't test the fallback behavior (which is now removed). A test verifying that the ring signature output differs from plain SHA-256 would be valuable.
Verdict: Approve
Important fix. The silent fallback to SHA-256 was a security issue.
godd-ctrl
left a comment
godd-ctrl
left a comment
There was a problem hiding this comment.
Approved current head 97ef52e.
Validation performed:
- python -m pytest tests\test_multi_arch_oracles_hmac.py -q -> 1 passed
- python -m py_compile rips\rustchain-core\src\mutator_oracle\multi_arch_oracles.py tests\test_multi_arch_oracles_hmac.py -> passed
- git diff --check origin/main...HEAD -- changed files -> passed
- python tools\bcos_spdx_check.py --base-ref origin/main -> passed
- python -m ruff check ... --select E9,F821,F811 --output-format=concise -> unavailable in this environment: No module named ruff
The regression test proves the library-import path uses HMAC over the seed and architecture contribution set rather than the old sha256(seed) fallback.
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
Great contribution! LGTM.
saim256
left a comment
saim256
left a comment
There was a problem hiding this comment.
Approved current head 97ef52e3c129d6f1168d3751025557167dc84513.
This correctly narrows #4852 to the production-relevant failure: when the module is imported as a library, hmac was absent from module globals and the ring signature silently fell back to sha256(final_seed). Moving hmac to module scope, removing the fallback, and deleting the __main__-only import makes the HMAC path unconditional.
The new regression covers the important contract: it imports the module through the library path, registers two architectures, generates a seed, asserts the signature equals hmac.new(seed.seed, sorted_arch_ids, sha256).digest(), and also asserts it is not the old sha256(seed.seed) fallback.
Validation I ran locally:
git diff --check origin/main...HEAD -- rips/rustchain-core/src/mutator_oracle/multi_arch_oracles.py tests/test_multi_arch_oracles_hmac.py-> passedpython -m py_compile rips\rustchain-core\src\mutator_oracle\multi_arch_oracles.py tests\test_multi_arch_oracles_hmac.py-> passedpython tools\bcos_spdx_check.py --base-ref origin/main->BCOS SPDX check: OKpython -m ruff check rips\rustchain-core\src\mutator_oracle\multi_arch_oracles.py tests\test_multi_arch_oracles_hmac.py --select E9,F821,F811 --output-format=concise-> passedpython -m pytest tests\test_multi_arch_oracles_hmac.py -q-> 1 passed
I do not see a blocker in this focused patch.
508704820
left a comment
508704820
left a comment
There was a problem hiding this comment.
Code Review — #4854
1. Same core fix as #4853 — HMAC import to module level
This PR also moves the hmac import from the bottom of the file to module level, fixing the same if 'hmac' in dir() bug that always evaluates to False.
2. Includes regression tests
Unlike #4853, this PR includes test_multi_arch_oracles_hmac.py with 63 lines of tests. This is valuable for preventing the bug from recurring.
3. Duplicate of #4853
Both #4853 and #4854 fix the same hmac import issue. #4854 is the better PR because it includes tests. Recommend merging this one over #4853.
4. Test coverage
The tests verify:
- HMAC is available and used correctly
- The broken conditional fallback is eliminated
- Ring signature functionality works with proper HMAC
— Xeophon
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
LGTM! Thanks for contributing. Approved.
loganoe
left a comment
loganoe
left a comment
There was a problem hiding this comment.
Review for Scottcjn/rustchain-bounties#73 on current head 97ef52e3c129d6f1168d3751025557167dc84513.
The HMAC fix addresses the library-import failure mode cleanly: hmac is now available at module scope, the silent sha256(final_seed) fallback is gone, and the new regression proves generate_mutation_seed() returns an HMAC over the final seed and sorted architecture contribution set rather than the previous plain SHA-256 fallback.
Validation performed:
PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 uv run --no-project --with pytest --with flask python -m pytest tests/test_multi_arch_oracles_hmac.py -q-> 1 passedpython3 -m py_compile rips/rustchain-core/src/mutator_oracle/multi_arch_oracles.py tests/test_multi_arch_oracles_hmac.py-> passedgit diff --check origin/main...HEAD -- rips/rustchain-core/src/mutator_oracle/multi_arch_oracles.py tests/test_multi_arch_oracles_hmac.py-> passedpython3 tools/bcos_spdx_check.py --base-ref origin/main-> OK
No blocking issues found in this focused patch.
6 participants
Summary
hmacat module load time for the multi-architecture mutator oracle.sha256(final_seed)fallback so generated mutation seeds always carry the intended HMAC ring signature.generate_mutation_seed()returns an HMAC over the final seed and architecture contribution set.Root Cause
hmacwas only imported inside the__main__demo block. Whenmulti_arch_oracles.pyis imported as a library,generate_mutation_seed()silently takes the fallback branch and returnssha256(final_seed)instead of the intended HMAC ring signature. The issue body describes this as a crash, but the production-relevant failure is that the HMAC path is bypassed outside the demo entrypoint.Fixes #4852.
Validation
python -m pytest tests\test_multi_arch_oracles_hmac.py -q-> 1 passedpython -m py_compile rips\rustchain-core\src\mutator_oracle\multi_arch_oracles.py tests\test_multi_arch_oracles_hmac.py-> passedgit diff --check -- rips\rustchain-core\src\mutator_oracle\multi_arch_oracles.py tests\test_multi_arch_oracles_hmac.py-> passedpython tools\bcos_spdx_check.py --base-ref origin/main-> OKpython -m ruff check ... --select E9,F821,F811 --output-format=concise-> unavailable locally:No module named ruffPayout
Nomad-Syndiode-Worker. Payout details can be provided privately if needed.