You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The contract download feature is intended to support local development. There is a security check that seems unnecessary when used for this purpose, specifically here
:thrownew Exception($"Null \"{nameof(validatedRootIndex)}\" in state height response");
this basically forbids using any node that is not voted into the list of state validators by the consensus committee. It should be possible to use nodes that you trust e.g. I want to use our COZ nodes because the NEO nodes are very slow. This could be done by using localrootindex instead of validatedrootindex.
I see 3 ways of solving this
always use localrootindex instead of validatedrootindex
have a flag like --allow-localroot to use localrootindex if validatedrootindex is null
the inverse of 2. where we allow localrootindex by default unless passing some flag like --require-rootvalidated-state
The text was updated successfully, but these errors were encountered:
I wouldn't characterize this as a security check. If the user doesn't explicitly specify a block height to download, the command gets "most recent available". How the command chooses "most recent available" doesn't seem that critical.
How about a slight variation on option 1: Use localrootindex if validatedrootindex is not available. Something like this maybe?
if(stateHeight==0){uint?localRootIndex,validatedRootIndex;try{(localRootIndex, validatedRootIndex)=await stateAPI.GetStateHeightAsync().ConfigureAwait(false);}catch(RpcExceptione)when(e.Message.Contains("Method not found")){thrownew Exception("Could not get state information. Make sure the remote RPC server has state service support");}stateHeight= validatedRootIndex.HasValue
? validatedRootIndex.Value
: localRootIndex.HasValue
? localRootIndex.Value
:thrownew Exception($"GetStateHeight did not return local or validated root index");}
The
contract download
feature is intended to support local development. There is a security check that seems unnecessary when used for this purpose, specifically hereneo-express/src/neoxp/Node/NodeUtility.cs
Lines 244 to 245 in c6424c0
this basically forbids using any node that is not voted into the list of state validators by the consensus committee. It should be possible to use nodes that you trust e.g. I want to use our COZ nodes because the NEO nodes are very slow. This could be done by using
localrootindex
instead ofvalidatedrootindex
.I see 3 ways of solving this
localrootindex
instead ofvalidatedrootindex
--allow-localroot
to uselocalrootindex
ifvalidatedrootindex
isnull
localrootindex
by default unless passing some flag like--require-rootvalidated-state
The text was updated successfully, but these errors were encountered: