Avoid duplicated signatures when building transactions

[grarco]

Describe your changes

Closes #4203.

This PR modifies adds a new method on the Tx type to remove duplicated sections. This function is then called in the signing function before producing the wrapper signature (which is computed on all the sections) and the dump_tx function (in case the dumped tx needed to be signed offline).

To support this logic the PartialEq implementation for the Authorization type is now manually provided and ignores the way the signer is specified, focusing instead on the targets and the actual signature.

As a side note, also the PartialEq implementation for SigningTxData has been updated to account for the shielded hash.

Checklist before merging

• If this PR has some consensus breaking changes, I added the corresponding breaking:: labels
  • This will require 2 reviewers to approve the changes
• If this PR requires changes to the docs or specs, a corresponding PR is opened in the namada-docs repo
  • Relevant PR if applies:
• If this PR affects services such as namada-indexer or namada-masp-indexer, a corresponding PR is opened in that repo
  • Relevant PR if applies:

[codecov]

Codecov Report

Attention: Patch coverage is 98.71795% with 1 line in your changes missing coverage. Please review.

Project coverage is 74.60%. Comparing base (9527ea9) to head (fa5bdbf).
Report is 5 commits behind head on main.

Files with missing lines	Patch %	Lines
crates/tx/src/section.rs	96.87%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4230      +/-   ##
==========================================
+ Coverage   74.59%   74.60%   +0.01%     
==========================================
  Files         342      342              
  Lines      108724   108792      +68     
==========================================
+ Hits        81101    81169      +68     
  Misses      27623    27623              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[murisi]

While the overall approach taken here to avoid duplicate signatures makes sense, checking whether Authorization sections are duplicates after they have been produced (by checking structural equality) seems less robust than not producing duplicates in the first place. But perhaps this (situation where a signing process is redundantly being done twice) is unavoidable...

[murisi]

Doesn't this code only prove that public_keys is a subset of other_public_keys? Imagine that public_keys = vec![x, x, y, y] and other_public_keys = vec![w,x,y,z], wouldn't this logic conclude that public_keys and other_public_keys are equivalent (because both vectors have the same length and all the elements of the former are contained in the latter)?

[grarco]

You're right! I tried a different approach in fa5bdbf

[murisi]

Doesn't this code only prove that targets is a subset of other_targets? Imagine that targets = vec![x, x, y, y] and other_targets = vec![w,x,y,z], wouldn't this logic conclude that targets and other_targets are equivalent (because both vectors have the same length and all the elements of the former are contained in the latter)?

[grarco]

Same as above, thanks!

[murisi]

This definition could work. But it has the implication that if Authorization::signer contains the variant Signer::PubKeys and someone tampers with one of the public keys in that list so that Authorization::verify_signature can no longer pass, this PartialEq implementation would still say that the tampered instance is still equal to the original. No? If so, is this desirable?

Also, given that this function defines a partial equivalence relation, I guess false should be returned in those cases where there is insufficient information to check/conclude equality of the signers? No?

[grarco]

That's correct. The representation of the signer being different in the duplicated authorizations I could see on mainnet was the drive to modify this trait implementation. My reasoning was that once we establish the equality of the signature's targets and of the signatures themselves we can safely consider the two Authorizations to be the same even if the signers are expressed differently. In case of the signers being straight different (which would cause one of the two instances to fail the signature verification check) I believe we are looking at something else than just equality: I guess one should check the integrity of the sections at the byte level using a digest or similar techniques (see also my answer to your next question since it's related to this one)

[murisi]

Does it matter that partially equivalent Authorizations might not have the same cryptographic hash? Or is this impossible? Could this sort of definition of partial equality confuse people in the future? (This definition seems to be calculated specifically to deal with our duplicate signatures issue (no?), but could be unintuitive in other cases/situations...)

[grarco]

I don't believe PartialEq should guarantee a byte-level match between the two instances but rather a logical equivalence (as I said in the previous question, when safety is critical one should explicitly rely on the digest of the expected instance).

I do see your point on this implementation being potentially confusing in other situations: I could try to reintroduce the check on the signer with a more refined logic. My only concern is the case when a multisig signer is expressed as a set of keys in one instance and as an address in the other one: in this case there's no way I can resolve the equivalence without a query to storage (but there's a chance we always express multisig signers as a set of keys which would solve this issue).

An alternative could be to come up with a different function for this comparison and restore the previous implementation of PartialEq (net of ignoring the order of the set of keys which I think is a required update regardless).

[grarco]

While the overall approach taken here to avoid duplicate signatures makes sense, checking whether Authorization sections are duplicates after they have been produced (by checking structural equality) seems less robust than not producing duplicates in the first place. But perhaps this (situation where a signing process is redundantly being done twice) is unavoidable...

We already try to filter duplicated instanced of SigningTxData but there are cases where this logic fails (such as in case of different wrapper signers, even though we should only produce a single wrapper signature, see #3901, or the case of an offline procedure where we could get duplicated signatures from the members of a multisig account): hence the need to integrate this logic with a pruning mechanism for duplicated sections. I do agree with you though and we should try to improve the signing procedure over time to avoid producing duplicated signatures as much as possible