cosmwasm: replace cw_storage in cw_wormhole

wormchain: pulled in the pre-release cw_wormhole ict/integration test added shutdown tests lint cleanup shutdown utils cleanup Deploy SeiEVM testnet (#4209) * cli: arbitrary chain registration * Deploy SeiEVM Testnet --------- Co-authored-by: Evan Gray <[email protected]> Node: Update Celo watcher (#4210) * Node: Update Celo watcher * Code review rework docs: add TransferFees conformance note (#4212) * docs: add TransferFees conformance note * docs: clarify cosmwasm core contract * fix: make link relative Deploy Monad testnet (#4218) CONTRIBUTING: update to forbid PRs the contain only minor wording adjustments Node/Solana: Reobservation by transaction ID (#4223) * Node/Solana: Reobservation by transaction ID * Code review rework Double the limits on Ethereum and Solana (#4225) * Double the limits on Ethereum and Solana Due to high network volumes on Ethereum and Solana, the limits are being doubled for these 2 chains * Fixed the hardcoded max daily limit in the tests chore: add cw wormhole interchain tests (#4189) * wormchain: cw_wormhole ict start * wormchain(interchaintest): initial test implementation * Add Additional Core Contract ICTs * Finish Core Contract VAA ICTs * Add Replay Protection Checks * Extract Helper Commands * Fix Modify Genesis * Hook into ICT Workflow * Add Missing UpgradeContract VAA Test * Add Additional Fee Checks --------- Co-authored-by: Kaku <[email protected]> Co-authored-by: Obie Kaku <[email protected]> node: Add Transfer Verifier mechanism (#4169) Adds a new package and command-line tool for Transfer Verification. This is a process of validating message publications from the core contracts. When a message is emitted, Transfer Verification will examine the corresponding receipt or other logs to ensure that funds were sent into the token bridge whenever this kind of message is emitted from the core bridge. This is a defense-in-depth mechanism to guard against a scenario where an attacker finds a way to spoof message publications. Node/Solana: Beef up commitment check (#4231) Github: Update node code owners (#4232) Node: Change TxHash to TxID in MessagePublication (#4219) * Node: Change TxHash to TxID in MessagePublication * Code review rework * More code review rework * Limit TxID to 255 bytes and add test for it * Code review rework node: Governor token list update (#4208) * node: governor token list update * Update based on USD depeg stats * Update codeowners --------- Co-authored-by: djb15 <[email protected]> clients/js: support alternative aptos networks Node: Add support for Movement (#4236) pulled in joel's ict based shutdown contract tests update ict cw_wormhole wasm binary updated makefile to run the tests with proper features updated rust tests in workflow ignore unused variables and functions during shutdown mode fixing package exclusion rerendered artifacts rerendered artifacts Node: Audit chain IDs Node: Allow no heartbeating in testnet (#4240) Deploy token bridge to Monad testnet (#4238) Node/Aptos: Don't replay old observation on startup (#4243) Deployment: Add Movement testnet token bridge (#4245) Node/Solana: Shim support in testnet (#4241) * Node/Solana: Shim support in testnet * Code review rework Node: Remove references to SignedObservation (#4244) * Node: Remove references to SignedObservation * Code review rework Node/Hack: Add tool to test go-ethereum subscriptions (#4214) * Node/Hack: SeiEVM watcher test app * Make tool general purpose Revert #4225 (#4247) Node: Remove Monad Devnet support (#4248) Node/Solana: Fix shim observation message (#4249) feat: mainnet validator hot swaps (#4203) * Add ICT Local Image * Fix ICT Workflow * feat: allow validator hot swapping in mainnet * Integrate with CI * fix: comments * readd state lookup updated ict workflow versions updated dockerfile to seperately generate the shutdown contracts removed unnecessary files
wormhole-foundation · Feb 3, 2025 · d0b5894 · d0b5894
1 parent 1dbe845
commit d0b5894
Show file tree

Hide file tree

Showing 142 changed files with 13,661 additions and 5,182 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -40,21 +40,21 @@
 
 # Protobuf for node
 
-/proto/node/ @evan-gray @bruce-riley
+/proto/node/ @evan-gray @bruce-riley @panoel
 
 # Guardiand node
 
 ## Fallback
 
-/node/ @bruce-riley @evan-gray @SEJeff
+/node/ @bruce-riley @evan-gray @panoel @SEJeff
 
 ## Entrypoint / RPC
 
 /node/cmd/ @bruce-riley @panoel @evan-gray
 
 ## DB
 
-/node/pkg/db/ @bruce-riley @panoel
+/node/pkg/db/ @bruce-riley @evan-gray @panoel
 
 ## Accountant
 
@@ -78,11 +78,11 @@
 
 ## Public RPC
 
-/node/pkg/publicrpc/ @bruce-riley @panoel
+/node/pkg/publicrpc/ @bruce-riley @evan-gray @panoel
 
 ## Supervisor Framework
 
-/node/pkg/supervisor/ @bruce-riley @evan-gray
+/node/pkg/supervisor/ @bruce-riley @evan-gray @panoel
 
 ## Watchers
 
@@ -91,6 +91,7 @@
 ## Hacks / Tools
 
 /node/hack/ @bruce-riley @panoel @evan-gray
+/node/hack/governor @claudijd @SEJeff @djb15 @johnsaigle
 
 ## Documentation
 

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -332,7 +332,7 @@ jobs:
           go-version: "1.23.3"
       # The go-ethereum and celo-blockchain packages both implement secp256k1 using the exact same header, but that causes duplicate symbols.
       - name: Run golang tests
-        run: cd node && go test -v -timeout 5m -race -ldflags '-extldflags "-Wl,--allow-multiple-definition" ' ./...
+        run: cd node && go test -v -timeout 5m -race ./...
 
   # Run Rust lints and tests
   rust-lint-and-tests:
@@ -343,7 +343,9 @@ jobs:
       matrix:
         manifest:
           - path: cosmwasm/Cargo.toml
-            args: "--workspace --locked"
+            args: "--workspace --locked --exclude 'shutdown-*'"
+          - path: cosmwasm/Cargo.toml
+            args: "-p 'shutdown-*' --no-default-features --locked"
           - path: terra/Cargo.toml
             args: "--workspace --locked"
           - path: sdk/rust/Cargo.toml

diff --git a/.github/workflows/wormchain-icts.yml b/.github/workflows/wormchain-icts.yml
@@ -14,13 +14,45 @@ permissions:
 
 env:
   GO_VERSION: 1.21
+  TAR_PATH: /tmp/wormchain-docker-image.tar
+  IMAGE_NAME: wormchain-docker-image
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
+  build-docker:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v4
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache-dependency-path: wormchain/interchaintest/go.sum
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and export
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: wormchain/Dockerfile.ict
+          tags: wormchain:local
+          outputs: type=docker,dest=${{ env.TAR_PATH }}
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.IMAGE_NAME }}
+          path: ${{ env.TAR_PATH }}
+
   e2e-tests:
+    needs: build-docker
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -29,7 +61,11 @@ jobs:
           - "ictest-cancel-upgrade"
           - "ictest-upgrade"
           - "ictest-wormchain"
-          - "ictest-ibc-receiver"
+          # Disabled due to flakiness in CI.
+          # - "ictest-ibc-receiver"
+          - "ictest-validator-hotswap"
+          - "ictest-cw-wormhole"
+          - "ictest-cw-shutdown-contracts"
       fail-fast: false
 
     steps:
@@ -42,6 +78,17 @@ jobs:
       - name: checkout chain
         uses: actions/checkout@v4
 
+      - name: Download Tarball Artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ env.IMAGE_NAME }}
+          path: /tmp
+
+      - name: Load Docker Image
+        run: |
+          docker image load -i ${{ env.TAR_PATH }}
+          docker image ls -a
+
       - name: Run Test
         id: run_test
         continue-on-error: true

diff --git a/.golangci.yml b/.golangci.yml
@@ -28,3 +28,7 @@ issues:
       text: "^func.*supervisor.*(waitSettle|waitSettleError).*$"
       linters:
         - unused
+    # This file contains hard-coded Sui core contract addresses that are marked as hardcoded credentials.
+    - path: pkg/txverifier/sui_test.go
+
+      text: "G101: Potential hardcoded credentials"
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -23,9 +23,7 @@ and code reviews are our most important tools to accomplish that.
   Small commits, meaningful commit messages and useful comments make it easier to review code and improve the
   quality of code review as well as review turnaround times. It's much easier to spot mistakes in small,
   well-defined changes.
-- We welcome typo and grammar fixes to *public facing* documents. This includes
-  things like the whitepapers, but excludes inline code comments. PRs that touch
-  only the latter will be rejected. Fixing typos in comments alongside other non-trivial engineering work is welcome.
+- PRs that only correct typos or make minor wording adjustments will be rejected. Fixing typos alongside other non-trivial engineering work is welcome.
 - Pull requests that modify dependencies must be well-documented so that the benefits of updating can be weighed against
   security and compatibility concerns. Low-effort PRs that update dependencies without any documentation will be rejected.
 

diff --git a/Makefile b/Makefile
@@ -38,7 +38,6 @@ node: $(BIN)/guardiand
 .PHONY: $(BIN)/guardiand
 $(BIN)/guardiand: CGO_ENABLED=1
 $(BIN)/guardiand: dirs generate
-	@# The go-ethereum and celo-blockchain packages both implement secp256k1 using the exact same header, but that causes duplicate symbols.
-	cd node && go build -ldflags "-X github.com/certusone/wormhole/node/pkg/version.version=${VERSION} -extldflags -Wl,--allow-multiple-definition" \
+	cd node && go build -ldflags "-X github.com/certusone/wormhole/node/pkg/version.version=${VERSION}" \
 	  -mod=readonly -o ../$(BIN)/guardiand \
 	  github.com/certusone/wormhole/node
diff --git a/Tiltfile b/Tiltfile
@@ -604,6 +604,11 @@ if evm2:
     )
 
 
+# Note that ci_tests requires other resources in order to build properly:
+# - eth-devnet  -- required by: accountant_tests, ntt_accountant_tests, tx-verifier
+# - eth-devnet2 -- required by: accountant_tests, ntt_accountant_tests
+# - wormchain   -- required by: accountant_tests, ntt_accountant_tests
+# - solana      -- required by: spydk-ci-tests
 if ci_tests:
     docker_build(
         ref = "sdk-test-image",
@@ -635,6 +640,16 @@ if ci_tests:
             sync("./testing", "/app/testing"),
         ],
     )
+    docker_build(
+        ref = "tx-verifier-monitor", 
+        context = "./devnet/tx-verifier-monitor/",
+        dockerfile = "./devnet/tx-verifier-monitor/Dockerfile"
+    )
+    docker_build(
+        ref = "tx-verifier-test", 
+        context = "./devnet/tx-verifier-monitor/",
+        dockerfile = "./devnet/tx-verifier-monitor/Dockerfile.cast"
+    )
 
     k8s_yaml_with_ns(
         encode_yaml_stream(
@@ -644,6 +659,11 @@ if ci_tests:
                     "BOOTSTRAP_PEERS", str(ccqBootstrapPeers)),
                     "MAX_WORKERS", max_workers))
     )
+
+    # transfer-verifier -- daemon and log monitoring
+    k8s_yaml_with_ns("devnet/tx-verifier.yaml")
+
+    k8s_yaml_with_ns("devnet/tx-verifier-test.yaml")
 
     # separate resources to parallelize docker builds
     k8s_resource(
@@ -676,6 +696,20 @@ if ci_tests:
         trigger_mode = trigger_mode,
         resource_deps = [], # testing/querysdk.sh handles waiting for query-server, not having deps gets the build earlier
     )
+    # launches tx-verifier binary and sets up monitoring script
+    k8s_resource(
+        "tx-verifier-with-monitor",
+        resource_deps = ["eth-devnet"],
+        labels = ["tx-verifier"],
+        trigger_mode = trigger_mode,
+    )
+    # triggers the integration tests that will be detected by the monitor
+    k8s_resource(
+        "tx-verifier-test",
+        resource_deps = ["eth-devnet", "tx-verifier-with-monitor"],
+        labels = ["tx-verifier"],
+        trigger_mode = trigger_mode,
+    )
 
 if terra_classic:
     docker_build(

diff --git a/clients/js/src/cmds/aptos.ts b/clients/js/src/cmds/aptos.ts
@@ -57,12 +57,19 @@ export const builder = (y: typeof yargs) =>
       "init-token-bridge",
       "Init token bridge contract",
       (yargs) =>
-        yargs.option("network", NETWORK_OPTIONS).option("rpc", RPC_OPTIONS),
+        yargs
+          .option("network", NETWORK_OPTIONS)
+          .option("rpc", RPC_OPTIONS)
+          .option("contract-address", {
+            describe: "Core contract address",
+            type: "string",
+            demandOption: false,
+          }),
       async (argv) => {
         const network = getNetwork(argv.network);
-        const contract_address = evm_address(
-          contracts.tokenBridge(network, "Aptos")
-        );
+        const contract_address =
+          argv["contract-address"] ||
+          evm_address(contracts.tokenBridge(network, "Aptos"));
         const rpc = argv.rpc ?? NETWORKS[network].Aptos.rpc;
         await callEntryFunc(
           network,
@@ -104,13 +111,18 @@ export const builder = (y: typeof yargs) =>
             demandOption: true,
             describe: "Initial guardian's addresses (CSV)",
             type: "string",
+          })
+          .option("contract-address", {
+            describe: "Core contract address",
+            type: "string",
+            demandOption: false,
           }),
       async (argv) => {
         const network = getNetwork(argv.network);
 
-        const contract_address = evm_address(
-          contracts.coreBridge(network, "Aptos")
-        );
+        const contract_address =
+          argv["contract-address"] ||
+          evm_address(contracts.coreBridge(network, "Aptos"));
         const guardian_addresses = argv["guardian-address"]
           .split(",")
           .map((address) => evm_address(address).substring(24));
@@ -196,11 +208,15 @@ export const builder = (y: typeof yargs) =>
         const b = serializePackage(p);
         const seed = Buffer.from(argv["seed"], "ascii");
 
-        let module_name = APTOS_DEPLOYER_ADDRESS_DEVNET + "::deployer";
-        if (network == "Testnet" || network == "Mainnet") {
-          module_name =
-            "0x0108bc32f7de18a5f6e1e7d6ee7aff9f5fc858d0d87ac0da94dd8d2a5d267d6b::deployer";
+        let deployer = APTOS_DEPLOYER_ADDRESS_DEVNET;
+        const addresses = argv["named-addresses"]?.split(",") || [];
+        for (const addressPair of addresses) {
+          const [name, address] = addressPair.split("=");
+          if (name === "deployer") {
+            deployer = address;
+          }
         }
+        const module_name = deployer + "::deployer";
         const rpc = argv.rpc ?? NETWORKS[network].Aptos.rpc;
         await callEntryFunc(
           network,
@@ -223,12 +239,19 @@ export const builder = (y: typeof yargs) =>
             describe: "Message to send",
             demandOption: true,
           })
-          .option("network", NETWORK_OPTIONS),
+          .option("network", NETWORK_OPTIONS)
+          .option("rpc", RPC_OPTIONS)
+          .option("sender", {
+            describe: "Sender address",
+            type: "string",
+            demandOption: false,
+          }),
       async (argv) => {
         const network = getNetwork(argv.network);
-        const rpc = NETWORKS[network].Aptos.rpc;
-        let module_name = APTOS_DEPLOYER_ADDRESS_DEVNET + "::sender";
-        if (network == "Testnet" || network == "Mainnet") {
+        const rpc = argv.rpc ?? NETWORKS[network].Aptos.rpc;
+        let module_name =
+          (argv.sender || APTOS_DEPLOYER_ADDRESS_DEVNET) + "::sender";
+        if (!argv.sender && (network == "Testnet" || network == "Mainnet")) {
           module_name =
             "0x0108bc32f7de18a5f6e1e7d6ee7aff9f5fc858d0d87ac0da94dd8d2a5d267d6b::sender";
         }

diff --git a/cosmwasm/Cargo.lock b/cosmwasm/Cargo.lock
diff --git a/cosmwasm/Cargo.toml b/cosmwasm/Cargo.toml
@@ -31,6 +31,10 @@ panic = 'abort'
 incremental = false
 overflow-checks = true
 
+[workspace.package]
+shutdown-core-bridge-cosmwasm = { path = "contracts/shutdown-wormhole", default-features = false }
+
+
 [workspace.dependencies.serde_wormhole]
 version = "0.1.0"
 path = "../sdk/rust/serde_wormhole"

diff --git a/cosmwasm/Dockerfile b/cosmwasm/Dockerfile
@@ -12,6 +12,8 @@ COPY cosmwasm/artifacts /code/artifacts
 COPY sdk/rust /sdk/rust
 
 RUN --mount=type=cache,target=/target,id=cosmwasm_target --mount=type=cache,target=/usr/local/cargo/registry optimize.sh .
+# Build only shutdown contracts with no default features
+RUN --mount=type=cache,target=/target,id=cosmwasm_target --mount=type=cache,target=/usr/local/cargo/registry optimize.sh ./contracts/shutdown-wormhole ./contracts/shutdown-token-bridge
 
 FROM scratch as artifacts
 COPY --from=builder /code/artifacts /
diff --git a/cosmwasm/Makefile b/cosmwasm/Makefile
@@ -17,7 +17,9 @@ tools/node_modules: tools/package-lock.json
 .PHONY: test
 ## Run unit tests
 test:
-	cargo test --workspace --locked
+	cargo test --workspace --locked --exclude 'shutdown-*'
+	cargo test -p 'shutdown-*' --no-default-features --locked
+
 
 
 .PHONY: clean