[security] Disclosed v3.18.0 fixes: sign full ObservedTx wrapper + scheduler cachectx

Summary

Backport to public develop of the two security patches shipped in the v3.18.0 private mainnet image. Source disclosure has already happened via tag v3.18.0-disclosed (commit af46db22bd) — this MR is the corresponding land on develop so the fixes carry forward to future releases.

Commits

  1. scheduler/cachectx (116e2016c2) — wraps wasmKeeper.Execute in a CacheContext + panic recovery in x/scheduler/keeper/keeper.go so a panicking or erroring scheduled contract no longer aborts EndBlock. Emits schedule_start / schedule_end events. Originally thornode-private!2.
  2. fix(common): sign full ObservedTx wrapper (d73906b65b) — replaces ObservedTx.GetSignablePayload() with GetSignablePayloadWithInbound(bool) so the inbound bit is bound into the signed bytes; introduces internal attestableObservedTx wrapper for the AttestationGossip path. Prevents a proposer-forgery class of attack where the same ObservedTx bytes could be replayed across the inbound/outbound boundary. Originally thornode-private!1.
  3. test: migrate observer tests (2110f2628b) — develop added 7 new test callsites (obsTx.GetSignablePayload()) and 4 new NewAttestationState(&tx) callsites after the security patch's base. This commit migrates them to the new API so the cherry-pick lands without test regressions. Outbound inbound bit applied to all sites except attestation_spent_refs_committed_test.go:146 (XMR inbound test).

Conflict resolution notes (commits 1, 2)

  • x/scheduler/keeper/keeper.go (commit 1 amend): re-added "fmt" import — the upstream merge dropped it but develop's defer/recover block in ExecuteSchedule still uses fmt.Sprintf. Verified by go build ./x/scheduler/....
  • bifrost/observer/attestation_gossip.go (commit 2): keep both observedTxKey() (develop-side helper) and attestableObservedTx (security-patch wrapper). The blocks are semantically independent — different helpers added at the same insertion point. Resolution preserves both.

Verification

go build ./...
go vet ./bifrost/observer/...
# both clean

Source disclosure context

The exact source built into the v3.18.0 private mainnet image is at https://gitlab.com/thorchain/thornode/-/tree/v3.18.0-disclosed (af46db22bd). This MR's diff is what was already running in the mainnet container; landing it on develop just makes it the canonical version going forward.

Test plan

  • CI green on this branch
  • Reviewer verifies the test migration in commit 3 matches the new wrapper semantics
  • No regression in bifrost/observer test suite

🤖 Disclosed source backport — patches verified against the running mainnet image.

Edited by Itzamna
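
Added example, not code from this MR or from thornode: a Go illustration of why commit 2 binds the inbound bit into the signed bytes, showing that a signature over the tx fields alone verifies under either direction while a signature over the direction-tagged payload does not. The observedTx struct, the hash-based encoding, the fixed test key and the names txOnlyPayload and payloadWithInbound are assumptions for illustration, not the project's types or wire format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// observedTx is a constructed stand-in, not thornode's ObservedTx or its encoding.
type observedTx struct {
	TxID   string
	Height uint64
}

// txOnlyPayload hashes the tx fields alone; the direction is left unsigned.
func txOnlyPayload(tx observedTx) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%d:%s|%d", len(tx.TxID), tx.TxID, tx.Height)))
	return h[:]
}

// payloadWithInbound prefixes a direction byte so each direction signs different bytes.
func payloadWithInbound(tx observedTx, inbound bool) []byte {
	dir := byte(0)
	if inbound {
		dir = 1
	}
	h := sha256.Sum256(append([]byte{dir}, txOnlyPayload(tx)...))
	return h[:]
}

// demo signs one inbound observation under each scheme, then checks whether a
// verifier accepts that signature when the tx is presented as inbound or outbound.
func demo() (oldIn, oldOut, newIn, newOut bool) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize)) // constructed key
	pub := priv.Public().(ed25519.PublicKey)
	tx := observedTx{TxID: "CONSTRUCTED-TX-0001", Height: 100}
	oldSig := ed25519.Sign(priv, txOnlyPayload(tx)) // direction not covered
	newSig := ed25519.Sign(priv, payloadWithInbound(tx, true))
	oldIn = ed25519.Verify(pub, txOnlyPayload(tx), oldSig)  // verifier's inbound path
	oldOut = ed25519.Verify(pub, txOnlyPayload(tx), oldSig) // outbound path sees the same bytes
	newIn = ed25519.Verify(pub, payloadWithInbound(tx, true), newSig)
	newOut = ed25519.Verify(pub, payloadWithInbound(tx, false), newSig)
	return
}

func main() {
	fmt.Println(demo())
}
```

A reviewer checking the test migration in commit 3 can apply the same check: a signature produced for one direction must fail verification when the other direction is claimed.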
