fix(x/tx): add feePayer as signer

[JulianToledano]

Description

Currently anyone can set a feePayer and the fees'll be deducted from its balance without the need of his sign.

For example:

# feePayer account at start
./simd q bank balances cosmos18hhvznfuq073tyhp2dcfqfulh773pmn4f6643l

balances:
- amount: "5000000000"
  denom: stake
pagination:
  total: "1"
  
# Send without feePayers signature
./simd tx bank send alice cosmos108jsm625z3ejy63uef2ke7t67h6nukt4ty93nr 10000stake --fees 1000000stake --fee-payer cosmos18hhvznfuq073tyhp2dcfqfulh773pmn4f6643l

# feePayer account after send
./simd q bank balances cosmos18hhvznfuq073tyhp2dcfqfulh773pmn4f6643l

balances:
- amount: "4999000000"
  denom: stake
pagination:
  total: "1"

Also currently is not possible to do the double sign of this tx to set feePayers signature:

# Generate tx
./simd tx bank send alice cosmos108jsm625z3ejy63uef2ke7t67h6nukt4ty93nr 10000stake --fees 1000000stake --fee-payer cosmos18hhvznfuq073tyhp2dcfqfulh773pmn4f6643l --generate-only > unsigned_tx.json

# Sign with alice
./simd tx sign unsigned_tx.json --from alice --sign-mode amino-json --output-document alice_signed.json

# Sign with feePayer
./simd tx sign alice_signed.json --from cosmos18hhvznfuq073tyhp2dcfqfulh773pmn4f6643l --sign-mode amino-json --output-document fully_signed.json
.
.
.
tx intended signer does not match the given signer: bob

After this fix, the tx will fail when trying to send without feePayers signature

./simd tx bank send alice cosmos108jsm625z3ejy63uef2ke7t67h6nukt4ty93nr 10000stake --fees 1000000stake --fee-payer cosmos18hhvznfuq073tyhp2dcfqfulh773pmn4f6643l
.
.
.
raw_log: 'invalid number of signatures: got 1 signatures and 2 signers: unauthorized'
timestamp: ""
tx: null
txhash: 211F611829A9590C65002E98601BDD66343E164A341E8FEA94765BBB7B512FB0

---

Author Checklist

All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.

I have...

• included the correct type prefix in the PR title, you can find examples of the prefixes below:
• confirmed ! in the type prefix if API or client breaking change
• targeted the correct branch (see PR Targeting)
• provided a link to the relevant issue or specification
• reviewed "Files changed" and left comments if necessary
• included the necessary unit and integration tests
• added a changelog entry to CHANGELOG.md
• updated the relevant documentation or specification, including comments for documenting Go code
• confirmed all CI checks have passed

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.

Please see Pull Request Reviewer section in the contributing guide for more information on how to review a pull request.

I have...

• confirmed the correct type prefix in the PR title
• confirmed all author checklist items have been addressed
• reviewed state machine logic, API design and naming, documentation is accurate, tests and test coverage

Summary by CodeRabbit

• New Features
  • Enhanced transaction decoding to include fee payers as signers if specified, improving the accuracy of signer determination.
• Bug Fixes
  • Updated changelog to reflect the fix for adding feePayer as a signer and organized existing entries chronologically.
  • Improved test coverage for transaction decoding scenarios involving fee payers.

[coderabbitai]

📝 Walkthrough

📝 Walkthrough

Walkthrough

The changes in this pull request update the changelog for the x/tx module to include a new entry for fixing the addition of feePayer as a signer. Additionally, the Decode method in the decode.go file is modified to include logic that checks for a fee payer in the transaction's AuthInfo. If a fee payer is specified, its address is converted to bytes and added to the list of signers if not already present. The test file decode_test.go adjusts the Payer field in the Fee structure for testing purposes.

Changes

File Path	Change Summary
x/tx/CHANGELOG.md	Updated changelog to include a new entry for the fix related to feePayer as a signer; organized existing entries chronologically.
x/tx/decode/decode.go	Modified Decode method to check for a fee payer in AuthInfo, convert address to bytes, and add to signers if not already included.
x/tx/decode/decode_test.go	Enhanced TestDecode function by adding feePayer and expectedSigners fields; added and modified test cases to reflect new logic for fee payers.

Possibly related PRs

• fix(x/tx): fix amino json drift from legacy spec #21825: This PR addresses issues related to amino JSON legacy equivalence tests, which are relevant to the changes made in the main PR regarding the handling of signers and the feePayer logic in the Decode method.
• fix(x/tx/amino): special case for string represented decimals #22161: This PR focuses on special handling for string represented decimals in the amino JSON encoding, which relates to the changes in the main PR that enhance the logic for signer determination, including the feePayer.
• fix: sequence should be higher or equal than expected during checktx and equal during deliver tx #22299: This PR modifies transaction sequence validation, which is indirectly related to the overall transaction handling improvements made in the main PR, particularly in the context of ensuring correct signer inclusion.

Suggested labels

C:x/accounts, C:x/accounts/base

Suggested reviewers

• kocubinski
• testinginprod
• julienrbrt
• aaronc
• sontrinh16

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[JulianToledano]

Not a big fan of setting this kind of logic in a decoder to be honest.

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (1)

x/tx/CHANGELOG.md (1)

39-39: New changelog entry looks good, but consider adding more details.

The new entry follows the correct format and is placed in the appropriate "Unreleased" section. The link to the pull request (#22311) is correct. However, consider expanding the description to provide more context about the fix.

Consider updating the entry to something like:

* [#22311](https://github.com/cosmos/cosmos-sdk/pull/22311) Fix security issue by adding feePayer as a required signer for transactions with a specified fee payer.

This provides more context about the nature and importance of the fix.

📜 Review details

Configuration used: .coderabbit.yml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between e6a0b03 and 35d5026.

📒 Files selected for processing (3)

• x/tx/CHANGELOG.md (1 hunks)
• x/tx/decode/decode.go (1 hunks)
• x/tx/decode/decode_test.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• x/tx/decode/decode.go

🧰 Additional context used

📓 Path-based instructions (2)

x/tx/CHANGELOG.md (1)

Pattern **/*.md: "Assess the documentation for misspellings, grammatical errors, missing documentation and correctness"

x/tx/decode/decode_test.go (2)

Pattern **/*.go: Review the Golang code for conformity with the Uber Golang style guide, highlighting any deviations.

---

Pattern **/*_test.go: "Assess the unit test code assessing sufficient code coverage for the changes associated in the pull request"

🔇 Additional comments (2)

x/tx/decode/decode_test.go (1)

Line range hint 1-165: Overall test structure is robust, but consider enhancing coverage

The test file is well-structured and follows good Go testing practices. It uses table-driven tests, mock objects, and appropriate assertions. However, given the recent change to the Payer field, consider the following improvements:

1. Expand the test cases to cover various fee payer scenarios (empty, non-empty, invalid).
2. Add more granular assertions to verify the correct handling of the Payer field in decoded transactions.
3. Consider adding benchmarks to measure the performance impact of decoding transactions with different fee payer configurations.

These enhancements will further improve the robustness and coverage of the decode package tests.

x/tx/CHANGELOG.md (1)

Line range hint 1-186: Overall changelog structure and content are well-maintained.

The changelog follows best practices:

• Clear organization by version, with the most recent changes at the top
• Proper grouping of changes by type (Features, Improvements, Bug Fixes, etc.)
• Consistent formatting and linking to pull requests
• Clear indication of Semantic Versioning compliance

[coderabbitai]

⚠️ Potential issue

Update test cases to cover empty fee payer scenario

The Payer field in the Fee structure has been changed to an empty string. This modification alters the test scenario, potentially affecting how the decoder handles transactions without a specified fee payer.

To ensure comprehensive test coverage:

1. Add a new test case that explicitly checks the behavior when the fee payer is an empty string.
2. Update existing test cases to verify that the decoder correctly handles both empty and non-empty fee payer scenarios.
3. Consider adding assertions to verify the decoded transaction's fee payer field matches the expected value (empty or non-empty) after decoding.

Example of an additional test case:

{
    name: "empty fee payer",
    msg:  &bankv1beta1.MsgSend{},
    checkFn: func(t *testing.T, decodedTx *decode.Tx) {
        require.Empty(t, decodedTx.AuthInfo.Fee.Payer, "Expected empty fee payer")
        // Add more assertions as needed
    },
},

Update the test loop to include the new checkFn:

for _, tc := range testCases {
    t.Run(tc.name, func(t *testing.T) {
        // ... (existing test setup)

        decodeTx, err := decoder.Decode(txBytes)
        if tc.error != "" {
            require.EqualError(t, err, tc.error)
            return
        }
        require.NoError(t, err)

        // ... (existing assertions)

        if tc.checkFn != nil {
            tc.checkFn(t, decodeTx)
        }
    })
}

These changes will help ensure that the decoder correctly handles transactions with empty fee payers, improving the overall test coverage.

[julienrbrt]

ACK, a review of @kocubinski would be good too.

[testinginprod]

we should a test

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (3)

x/tx/decode/decode_test.go (3)

73-81: LGTM: Comprehensive "happy path" test case

The updated "happy path" test case now includes detailed authInfo with fee information, providing a more thorough test of the basic scenario. The empty Payer field correctly tests the default behavior without a fee payer.

Consider adding a comment explaining that the empty Payer field represents the default scenario without a fee payer, to enhance code readability.

---

99-111: Good addition: "invalid feePayer" test case

The new test case for an invalid fee payer effectively checks the decoder's behavior when provided with an incorrect fee payer format. This enhances the overall test coverage.

Consider adding a brief comment explaining why "payer" is an invalid input (i.e., the decoder expects a hexadecimal string). This would improve the test's readability and make the intent clearer.

---

113-125: Excellent addition: "valid feePayer" test case

The new test case for a valid fee payer effectively checks the decoder's behavior when provided with a correct fee payer format. The use of a hexadecimal string for the Payer and the increased numSigners correctly test the new functionality.

To improve clarity:

1. Consider adding a comment explaining the hexadecimal string's significance (i.e., it represents a valid address).
2. You might want to extract the hexadecimal string to a named constant at the top of the test file, which could be reused in other test cases if needed.

📜 Review details

Configuration used: .coderabbit.yml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 35d5026 and df1dde1.

📒 Files selected for processing (1)

• x/tx/decode/decode_test.go (3 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

x/tx/decode/decode_test.go (2)

Pattern **/*.go: Review the Golang code for conformity with the Uber Golang style guide, highlighting any deviations.

---

Pattern **/*_test.go: "Assess the unit test code assessing sufficient code coverage for the changes associated in the pull request"

🔇 Additional comments (3)

x/tx/decode/decode_test.go (3)

64-68: Improved test case structure

The updated test case structure with authInfo and numSigners fields enhances the test coverage, particularly for the new fee payer functionality. This change allows for more comprehensive testing of the AuthInfo component and explicit verification of the number of signers.

Also applies to: 82-82

---

141-141: LGTM: Consistent test execution updates

The changes to the test execution logic correctly incorporate the new authInfo field and verify the number of signers. These modifications ensure that the new fee payer functionality is properly tested and validated.

Also applies to: 153-153

---

Line range hint 1-200: Overall assessment: Improved test coverage and structure

The changes to this test file significantly enhance the test coverage for the new fee payer functionality. The updated test case structure and new test cases effectively validate various scenarios, including happy path, invalid fee payer, and valid fee payer cases.

To further improve the test suite:

1. Consider adding edge cases, such as testing with multiple fee payers or extremely large/small fee amounts.
2. Ensure that all error scenarios are covered, including potential issues with fee granter functionality.
3. If not already present in other test files, consider adding integration tests that cover the interaction between the decoder and other components of the system.

These additions would provide even more comprehensive coverage of the new functionality and potential edge cases.

To verify the completeness of the test coverage, you can run the following command:

This will generate a coverage report, allowing you to identify any areas that may need additional testing.

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (4)

x/tx/decode/decode_test.go (4)

73-82: LGTM: Detailed "happy path" test case

The updated "happy path" test case now includes a detailed authInfo structure, which allows for more precise testing of the decoder's behavior. The empty Payer field correctly tests the default scenario where no specific fee payer is set.

Consider adding an assertion to verify that the decoded transaction's fee payer field is empty after decoding:

require.Empty(t, decodeTx.AuthInfo.Fee.Payer, "Expected empty fee payer in happy path")

This additional check would ensure that the decoder correctly handles the empty fee payer scenario.

---

99-111: LGTM: New test case for invalid fee payer

The addition of the "invalid feePayer" test case is valuable for verifying the decoder's behavior when an invalid fee payer is provided. The test correctly expects an error when trying to decode a non-hexadecimal string.

Consider adding a comment explaining why "payer" is an invalid input, to improve test readability:

Payer: "payer", // Invalid: not a hexadecimal string

This comment would clarify the purpose of this test case for future developers.

---

113-125: LGTM: New test case for valid fee payer

The addition of the "valid feePayer" test case is excellent for verifying the decoder's behavior with a valid fee payer address. The test correctly expects an increase in the number of signers, indicating that the fee payer is added as an additional signer.

To further strengthen this test, consider adding an assertion to verify that the decoded fee payer matches the input:

require.Equal(t, tc.authInfo.Fee.Payer, decodeTx.AuthInfo.Fee.Payer, "Decoded fee payer should match input")

This additional check would ensure that the decoder correctly preserves the fee payer information during the decoding process.

---

126-141: LGTM: New test case for identical message signer and fee payer

The addition of the "same msg signer and feePayer" test case is valuable for verifying the decoder's behavior when the message signer and fee payer are the same entity. The test correctly expects no increase in the number of signers, indicating that duplicate signers are not added.

To further strengthen this test, consider adding an assertion to verify that the decoded signers list contains only one entry:

require.Len(t, decodeTx.Signers, 1, "Expected only one signer when message signer and fee payer are the same")

This additional check would ensure that the decoder correctly handles duplicate signers and doesn't add them multiple times to the signers list.

📜 Review details

Configuration used: .coderabbit.yml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between df1dde1 and 9b14407.

📒 Files selected for processing (1)

• x/tx/decode/decode_test.go (3 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

x/tx/decode/decode_test.go (2)

Pattern **/*.go: Review the Golang code for conformity with the Uber Golang style guide, highlighting any deviations.

---

Pattern **/*_test.go: "Assess the unit test code assessing sufficient code coverage for the changes associated in the pull request"

🔇 Additional comments (2)

x/tx/decode/decode_test.go (2)

64-68: LGTM: Enhanced test case structure

The updated test case structure with authInfo and numSigners fields allows for more comprehensive testing of the AuthInfo structure and signer verification. This change aligns well with the new focus on fee payer handling in the decoder.

---

64-141: Overall assessment: Improved test coverage for fee payer handling

The changes to this test file significantly enhance the coverage of fee payer handling scenarios in the decoder. The new test cases effectively cover:

1. Default behavior with no fee payer
2. Invalid fee payer input
3. Valid fee payer different from the message signer
4. Fee payer identical to the message signer

These additions will help ensure the robustness of the decoder's fee payer handling logic. The test structure is clear and consistent, making it easy to understand the purpose of each test case.

To further improve the tests:

1. Consider adding assertions to verify the contents of the decoded AuthInfo structure in each test case.
2. Add comments explaining the purpose of hexadecimal address strings used in the tests.

Overall, these changes represent a significant improvement in the test suite's ability to verify the decoder's behavior with regard to fee payers.

[JulianToledano]

we should a test

done

[julienrbrt]

@testinginprod or @kocubinski can we can we get one of your approval here?

[testinginprod]

lgtm

[testinginprod]

I'm not a fan on how the table test reads.

rather than having arbitrary Auth Info which I think makes the specific cases harder to identify, i would have preferred to have tables about the specific test:

eg:

test{
ExpectedSigners int
FeePayer string
ExpectedError string
Msg
...
}

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (2)

x/tx/decode/decode_test.go (2)

71-99: Add test cases for additional edge cases

While the current test cases cover basic scenarios, consider adding the following cases to ensure comprehensive coverage of the security fix:

1. Multiple signers with fee payer
2. Invalid fee payer address format
3. Empty fee payer string (as suggested in previous review)
4. Fee payer with empty signatures

Example test case:

{
    name:     "empty fee payer string",
    msg:      &bankv1beta1.MsgSend{},
    feePayer: "",
    expectedSigners: 1,
},
{
    name:     "fee payer with empty signatures",
    msg:      &bankv1beta1.MsgSend{},
    feePayer: "636f736d6f733168363935356b3836397a72306770383975717034337a373263393033666d35647a366b75306c",
    expectedSigners: 2,
    // Override signatures in the test setup
}

---

120-120: Enhance assertions for fee payer validation

While checking the number of signers is good, consider adding more specific assertions to validate the fee payer security fix:

1. Verify fee payer is actually in the signers list when specified
2. Verify the order of signers (if it matters)
3. Validate the fee payer address format in the decoded transaction

Example assertions:

if tc.feePayer != "" {
    require.Contains(t, decodeTx.Signers, tc.feePayer, "fee payer should be in signers list")
}

Also applies to: 135-135

📜 Review details

Configuration used: .coderabbit.yml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 9b14407 and 68bac79.

📒 Files selected for processing (1)

• x/tx/decode/decode_test.go (3 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

x/tx/decode/decode_test.go (2)

Pattern **/*.go: Review the Golang code for conformity with the Uber Golang style guide, highlighting any deviations.

---

Pattern **/*_test.go: "Assess the unit test code assessing sufficient code coverage for the changes associated in the pull request"

🔇 Additional comments (2)

x/tx/decode/decode_test.go (2)

64-68: LGTM: Test structure properly updated for fee payer validation

The test case structure has been appropriately enhanced to include feePayer and expectedSigners fields, which are essential for validating the security fix that prevents unauthorized fee payments.

---

71-99: Verify test coverage against PR objectives

The test cases appropriately cover the security concern mentioned in the PR objectives about unauthorized fee payments. However, let's verify the coverage of all scenarios:

[JulianToledano]

I think this should be backported to 0.52 @julienrbrt

[julienrbrt]

I think this should be backported to 0.52 @julienrbrt

No need, x/tx is tagged for main from v1.