integrate hashvault

sei-db/state_db/sc/hashvault/noop_hashvault.go

@@ -0,0 +1,30 @@
+package hashvault
+
+import "context"
+
+var _ HashVault = (*NoopHashVault)(nil)
+
+// NoopHashVault is a HashVault implementation that does nothing. It provides no equivocation
+// protection whatsoever. It exists for two purposes:
+//   - tests that construct a BlockExecutor but do not exercise the vault, and
+//   - the explicit, operator-opted-in "hash-vault-disabled-unsafe" escape hatch.
+//
+// Production code must never substitute this for a real vault without a deliberate human decision.
+type NoopHashVault struct{}
+
+// NewNoopHashVault returns a HashVault whose methods are all no-ops.
+func NewNoopHashVault() *NoopHashVault {
+	return &NoopHashVault{}
+}
+
+func (n *NoopHashVault) CommitToHash(_ context.Context, _ uint64, _ []byte) error {
+	return nil
+}
+
+func (n *NoopHashVault) Prune(_ context.Context, _ uint64) error {
+	return nil
+}
+
+func (n *NoopHashVault) Close(_ context.Context) error {
+	return nil
+}

sei-tendermint/config/config.go

@@ -78,21 +78,27 @@ type Config struct {
 	// AutobahnConfigFile is the path to a JSON file containing the Autobahn (GigaRouter)
 	// configuration. Leave empty to disable Autobahn.
 	AutobahnConfigFile string `mapstructure:"autobahn-config-file"`
+
+	// HashVaultDisabledUnsafe disables the block-hash equivocation guard (HashVault). The vault is
+	// on by default (false). Setting this to true is an explicit, last-resort operator decision to
+	// run WITHOUT equivocation protection; the node logs loudly that it is unsafe.
+	HashVaultDisabledUnsafe bool `mapstructure:"hash-vault-disabled-unsafe"`
 }
 
 // DefaultConfig returns a default configuration for a Tendermint node
 func DefaultConfig() *Config {
 	return &Config{
-		BaseConfig:      DefaultBaseConfig(),
-		RPC:             DefaultRPCConfig(),
-		P2P:             DefaultP2PConfig(),
-		Mempool:         DefaultMempoolConfig(),
-		StateSync:       DefaultStateSyncConfig(),
-		Consensus:       DefaultConsensusConfig(),
-		TxIndex:         DefaultTxIndexConfig(),
-		Instrumentation: DefaultInstrumentationConfig(),
-		PrivValidator:   DefaultPrivValidatorConfig(),
-		SelfRemediation: DefaultSelfRemediationConfig(),
+		BaseConfig:              DefaultBaseConfig(),
+		RPC:                     DefaultRPCConfig(),
+		P2P:                     DefaultP2PConfig(),
+		Mempool:                 DefaultMempoolConfig(),
+		StateSync:               DefaultStateSyncConfig(),
+		Consensus:               DefaultConsensusConfig(),
+		TxIndex:                 DefaultTxIndexConfig(),
+		Instrumentation:         DefaultInstrumentationConfig(),
+		PrivValidator:           DefaultPrivValidatorConfig(),
+		SelfRemediation:         DefaultSelfRemediationConfig(),
+		HashVaultDisabledUnsafe: false,
 	}
 }
 

sei-tendermint/config/toml.go

@@ -636,6 +636,12 @@ restart-cooldown-seconds = {{ .SelfRemediation.RestartCooldownSeconds }}
 # Leave empty to disable Autobahn.
 autobahn-config-file = "{{ .AutobahnConfigFile }}"
 
+# hash-vault-disabled-unsafe disables the block-hash equivocation guard (HashVault).
+# DO NOT set this to true unless you are knowingly running an UNSAFE node as a last-resort
+# recovery measure. A node with this enabled has NO protection against changing its mind about
+# a committed block's hash, and will log error-level warnings on every startup.
+hash-vault-disabled-unsafe = {{ .HashVaultDisabledUnsafe }}
+
 `
 
 // defaultConfigTemplate combines manual and auto-managed templates for backward compatibility

sei-tendermint/internal/blocksync/reactor_test.go

@@ -16,6 +16,7 @@ import (
 	"github.com/stretchr/testify/require"
 	dbm "github.com/tendermint/tm-db"
 
+	"github.com/sei-protocol/sei-chain/sei-db/state_db/sc/hashvault"
 	abci "github.com/sei-protocol/sei-chain/sei-tendermint/abci/types"
 	"github.com/sei-protocol/sei-chain/sei-tendermint/config"
 	"github.com/sei-protocol/sei-chain/sei-tendermint/internal/consensus"
@@ -113,6 +114,7 @@ func makeReactor(
 		bus,
 		sm.NopMetrics(),
 		types.DefaultConsensusPolicy(),
+		hashvault.NewNoopHashVault(),
 	)
 
 	r, err := NewReactor(

sei-tendermint/internal/consensus/common_test.go

@@ -18,6 +18,7 @@ import (
 	dbm "github.com/tendermint/tm-db"
 	"go.opentelemetry.io/otel/sdk/trace"
 
+	"github.com/sei-protocol/sei-chain/sei-db/state_db/sc/hashvault"
 	"github.com/sei-protocol/sei-chain/sei-tendermint/abci/example/kvstore"
 	abci "github.com/sei-protocol/sei-chain/sei-tendermint/abci/types"
 	"github.com/sei-protocol/sei-chain/sei-tendermint/config"
@@ -519,7 +520,7 @@ func newStateWithConfigAndBlockStore(
 		panic(fmt.Errorf("eventBus.Start(): %w", err))
 	}
 
-	blockExec := sm.NewBlockExecutor(stateStore, app, mempool, evpool, blockStore, eventBus, sm.NopMetrics(), types.DefaultConsensusPolicy())
+	blockExec := sm.NewBlockExecutor(stateStore, app, mempool, evpool, blockStore, eventBus, sm.NopMetrics(), types.DefaultConsensusPolicy(), hashvault.NewNoopHashVault())
 	wal, err := OpenWAL(thisConfig.Consensus.WalFile())
 	if err != nil {
 		panic(err)

sei-tendermint/internal/consensus/reactor_test.go

@@ -15,6 +15,7 @@ import (
 	dbm "github.com/tendermint/tm-db"
 	"go.opentelemetry.io/otel/sdk/trace"
 
+	"github.com/sei-protocol/sei-chain/sei-db/state_db/sc/hashvault"
 	"github.com/sei-protocol/sei-chain/sei-tendermint/abci/example/kvstore"
 	abci "github.com/sei-protocol/sei-chain/sei-tendermint/abci/types"
 	"github.com/sei-protocol/sei-chain/sei-tendermint/config"
@@ -294,7 +295,7 @@ func TestReactorWithEvidence(t *testing.T) {
 		eventBus := eventbus.NewDefault()
 		require.NoError(t, eventBus.Start(ctx))
 
-		blockExec := sm.NewBlockExecutor(stateStore, proxyApp, mempool, evpool, blockStore, eventBus, sm.NopMetrics(), types.DefaultConsensusPolicy())
+		blockExec := sm.NewBlockExecutor(stateStore, proxyApp, mempool, evpool, blockStore, eventBus, sm.NopMetrics(), types.DefaultConsensusPolicy(), hashvault.NewNoopHashVault())
 		wal, err := OpenWAL(thisConfig.Consensus.WalFile())
 		require.NoError(t, err)
 

sei-tendermint/internal/consensus/replay.go

@@ -7,6 +7,7 @@ import (
 	"sort"
 
 	"github.com/gogo/protobuf/proto"
+	"github.com/sei-protocol/sei-chain/sei-db/state_db/sc/hashvault"
 	abci "github.com/sei-protocol/sei-chain/sei-tendermint/abci/types"
 	"github.com/sei-protocol/sei-chain/sei-tendermint/config"
 	"github.com/sei-protocol/sei-chain/sei-tendermint/crypto/merkle"
@@ -116,6 +117,7 @@ type Handshaker struct {
 	eventBus        *eventbus.EventBus
 	genDoc          *types.GenesisDoc
 	consensusPolicy types.ConsensusPolicy
+	hashVault       hashvault.HashVault
 
 	nBlocks int // number of blocks applied to the state
 }
@@ -127,6 +129,7 @@ func NewHandshaker(
 	eventBus *eventbus.EventBus,
 	genDoc *types.GenesisDoc,
 	consensusPolicy types.ConsensusPolicy,
+	hashVault hashvault.HashVault,
 ) *Handshaker {
 	return &Handshaker{
 		stateStore:      stateStore,
@@ -135,6 +138,7 @@ func NewHandshaker(
 		eventBus:        eventBus,
 		genDoc:          genDoc,
 		consensusPolicy: consensusPolicy,
+		hashVault:       hashVault,
 	}
 }
 
@@ -401,15 +405,24 @@ func (h *Handshaker) replayBlocks(
 		if i == finalBlock && !mutateState {
 			// We emit events for the index services at the final block due to the sync issue when
 			// the node shutdown during the block committing status.
-			blockExec := sm.NewBlockExecutor(h.stateStore, app, newReplayTxMempool(app), sm.EmptyEvidencePool{}, h.store, h.eventBus, sm.NopMetrics(), h.consensusPolicy)
+			blockExec := sm.NewBlockExecutor(
+				h.stateStore,
+				app,
+				newReplayTxMempool(app),
+				sm.EmptyEvidencePool{},
+				h.store,
+				h.eventBus,
+				sm.NopMetrics(),
+				h.consensusPolicy,
+				h.hashVault)
 			appHash, err = sm.ExecCommitBlock(ctx,
-				blockExec, app, block, h.stateStore, h.genDoc.InitialHeight, state)
+				blockExec, app, block, h.stateStore, h.genDoc.InitialHeight, state, h.hashVault)
 			if err != nil {
 				return nil, err
 			}
 		} else {
 			appHash, err = sm.ExecCommitBlock(ctx,
-				nil, app, block, h.stateStore, h.genDoc.InitialHeight, state)
+				nil, app, block, h.stateStore, h.genDoc.InitialHeight, state, h.hashVault)
 			if err != nil {
 				return nil, err
 			}
@@ -446,7 +459,16 @@ func (h *Handshaker) replayBlock(
 
 	// Use stubs for both mempool and evidence pool since no transactions nor
 	// evidence are needed here - block already exists.
-	blockExec := sm.NewBlockExecutor(h.stateStore, app, newReplayTxMempool(app), sm.EmptyEvidencePool{}, h.store, h.eventBus, sm.NopMetrics(), h.consensusPolicy)
+	blockExec := sm.NewBlockExecutor(
+		h.stateStore,
+		app,
+		newReplayTxMempool(app),
+		sm.EmptyEvidencePool{},
+		h.store,
+		h.eventBus,
+		sm.NopMetrics(),
+		h.consensusPolicy,
+		h.hashVault)
 
 	var err error
 	state, err = blockExec.ApplyBlock(ctx, state, meta.BlockID, block, nil)

sei-tendermint/internal/consensus/replay_test.go

@@ -16,6 +16,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	dbm "github.com/tendermint/tm-db"
 
+	"github.com/sei-protocol/sei-chain/sei-db/state_db/sc/hashvault"
 	"github.com/sei-protocol/sei-chain/sei-tendermint/abci/example/kvstore"
 	abci "github.com/sei-protocol/sei-chain/sei-tendermint/abci/types"
 	"github.com/sei-protocol/sei-chain/sei-tendermint/config"
@@ -693,7 +694,7 @@ func testHandshakeReplay(
 	// now start the app using the handshake - it should sync
 	genDoc, err := sm.MakeGenesisDocFromFile(cfg.GenesisFile())
 	require.NoError(t, err)
-	handshaker := NewHandshaker(stateStore, state, store, eventBus, genDoc, types.DefaultConsensusPolicy())
+	handshaker := NewHandshaker(stateStore, state, store, eventBus, genDoc, types.DefaultConsensusPolicy(), hashvault.NewNoopHashVault())
 	proxyApp := proxy.New(app, proxy.NopMetrics())
 	err = handshaker.Handshake(ctx, proxyApp)
 	if expectError {
@@ -741,7 +742,7 @@ func applyBlock(
 	eventBus *eventbus.EventBus,
 ) sm.State {
 	testPartSize := types.BlockPartSizeBytes
-	blockExec := sm.NewBlockExecutor(stateStore, appClient, mempool, evpool, blockStore, eventBus, sm.NopMetrics(), types.DefaultConsensusPolicy())
+	blockExec := sm.NewBlockExecutor(stateStore, appClient, mempool, evpool, blockStore, eventBus, sm.NopMetrics(), types.DefaultConsensusPolicy(), hashvault.NewNoopHashVault())
 
 	bps, err := blk.MakePartSet(testPartSize)
 	require.NoError(t, err)
@@ -879,7 +880,7 @@ func TestHandshakeErrorsIfAppReturnsWrongAppHash(t *testing.T) {
 	//		- 0x03
 	{
 		app := &badApp{numBlocks: 3, allHashesAreWrong: true}
-		h := NewHandshaker(stateStore, state, store, eventBus, genDoc, types.DefaultConsensusPolicy())
+		h := NewHandshaker(stateStore, state, store, eventBus, genDoc, types.DefaultConsensusPolicy(), hashvault.NewNoopHashVault())
 		proxyApp := proxy.New(app, proxy.NopMetrics())
 		assert.Error(t, h.Handshake(ctx, proxyApp))
 	}
@@ -890,7 +891,7 @@ func TestHandshakeErrorsIfAppReturnsWrongAppHash(t *testing.T) {
 	//		- RANDOM HASH
 	{
 		app := &badApp{numBlocks: 3, onlyLastHashIsWrong: true}
-		h := NewHandshaker(stateStore, state, store, eventBus, genDoc, types.DefaultConsensusPolicy())
+		h := NewHandshaker(stateStore, state, store, eventBus, genDoc, types.DefaultConsensusPolicy(), hashvault.NewNoopHashVault())
 		proxyApp := proxy.New(app, proxy.NopMetrics())
 		require.Error(t, h.Handshake(ctx, proxyApp))
 	}
@@ -1119,7 +1120,7 @@ func TestHandshakeUpdatesValidators(t *testing.T) {
 	// now start the app using the handshake - it should sync
 	genDoc, err = sm.MakeGenesisDocFromFile(cfg.GenesisFile())
 	require.NoError(t, err)
-	handshaker := NewHandshaker(stateStore, state, store, eventBus, genDoc, types.DefaultConsensusPolicy())
+	handshaker := NewHandshaker(stateStore, state, store, eventBus, genDoc, types.DefaultConsensusPolicy(), hashvault.NewNoopHashVault())
 	proxyApp := proxy.New(app, proxy.NopMetrics())
 	require.NoError(t, handshaker.Handshake(ctx, proxyApp), "error on abci handshake")
 

sei-tendermint/internal/state/execution.go

@@ -17,6 +17,8 @@ import (
 	"github.com/sei-protocol/sei-chain/sei-tendermint/libs/utils"
 	tmtypes "github.com/sei-protocol/sei-chain/sei-tendermint/proto/tendermint/types"
 	"github.com/sei-protocol/sei-chain/sei-tendermint/types"
+
+	"github.com/sei-protocol/sei-chain/sei-db/state_db/sc/hashvault"
 	"github.com/sei-protocol/seilog"
 	otrace "go.opentelemetry.io/otel/trace"
 )
@@ -60,6 +62,11 @@ type BlockExecutor struct {
 	// below, which is a runtime atomic.Bool flipped on for the Giga executor.
 	consensusPolicy types.ConsensusPolicy
 
+	// hashVault is the block-hash equivocation guard. Every applied block's hash is committed to
+	// it; if it ever rejects a hash the node halts. Never nil (a no-op implementation is used when
+	// the operator disables the vault or in tests).
+	hashVault hashvault.HashVault
+
 	// cache the verification results over a single height
 	cache map[string]struct{}
 }
@@ -74,6 +81,7 @@ func NewBlockExecutor(
 	eventBus *eventbus.EventBus,
 	metrics *Metrics,
 	consensusPolicy types.ConsensusPolicy,
+	hashVault hashvault.HashVault,
 ) *BlockExecutor {
 	return &BlockExecutor{
 		eventBus:        eventBus,
@@ -85,6 +93,7 @@ func NewBlockExecutor(
 		cache:           make(map[string]struct{}),
 		blockStore:      blockStore,
 		consensusPolicy: consensusPolicy,
+		hashVault:       hashVault,
 	}
 }
 
@@ -400,6 +409,13 @@ func (blockExec *BlockExecutor) ApplyBlock(ctx context.Context, state State, blo
 	}
 	saveBlockTime := time.Now()
 	state.AppHash = fBlockRes.AppHash
+
+	// Commit this block's hash to the equivocation guard before saving state. See commitHashToVault.
+	// A returned error is a benign shutdown cancellation; genuine faults panic inside the call.
+	if err := commitHashToVault(ctx, blockExec.hashVault, block.Height, block.Hash()); err != nil {
+		return state, err
+	}
+
 	if err := blockExec.store.Save(state); err != nil {
 		return state, err
 	}
@@ -421,6 +437,16 @@ func (blockExec *BlockExecutor) ApplyBlock(ctx context.Context, state State, blo
 		} else {
 			logger.Debug("pruned blocks", "pruned", pruned, "retain_height", retainHeight)
 		}
+		// Align the vault's retention with what is actually still on disk, not the requested
+		// retainHeight: prune it to the blockstore's current base. Block/state pruning is best-effort
+		// and non-atomic, so a (partial) failure can leave blocks below retainHeight on disk. Pruning
+		// to the real base guarantees the vault boundary never advances past a block that can still be
+		// replayed — which would otherwise make a later CommitToHash fatally reject an on-disk height
+		// (ErrBelowPruneBoundary). A prune failure is GC, not equivocation: log and continue.
+		base := blockExec.blockStore.Base()
+		if err := blockExec.hashVault.Prune(ctx, uint64(base)); err != nil { //nolint:gosec // base is non-negative
+			logger.Error("failed to prune hashvault", "base", base, "err", err)
+		}
 	}
 	blockExec.metrics.PruneBlockLatency.Observe(float64(time.Since(pruneBlockTime).Milliseconds()))
 	if pruneBlockSpan != nil {
@@ -697,6 +723,41 @@ func FireEvents(
 	}
 }
 
+// commitHashToVault records the block hash for the given height in the equivocation guard and halts
+// the node on any error. It is shared by ApplyBlock (live blocks) and ExecCommitBlock (blocks caught
+// up during the ABCI handshake) so every applied height is guarded identically.
+//
+// A genuine failure halts the node — we cannot prove the node is still committed to a single hash for
+// this height, so failing closed is the only safe option. We distinguish a confirmed equivocation
+// (ErrHashMismatch: never restart without human investigation) from an operational failure (I/O,
+// corruption), which must not cry equivocation.
+//
+// Context cancellation/deadline is NOT a failure to record the hash: CommitToHash returns on its first
+// line without attempting any write, and it only happens because the node is shutting down. There is no
+// risk of proceeding unguarded, so we unwind cleanly by returning the error to the caller (which logs
+// and aborts the apply) instead of panicking.
+func commitHashToVault(ctx context.Context, vault hashvault.HashVault, height int64, hash []byte) error {
+	err := vault.CommitToHash(ctx, uint64(height), hash) //nolint:gosec // block height is non-negative
+	if err == nil {
+		return nil
+	}
+	if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
+		logger.Info("HashVault commit aborted by context cancellation during shutdown; not recording hash",
+			"height", height, "err", err)
+		return fmt.Errorf("hashvault CommitToHash aborted at height %d: %w", height, err)
+	}
+	if errors.Is(err, hashvault.ErrHashMismatch) {
+		logger.Error("FATAL: HashVault detected a block-hash mismatch — the node has equivocated. "+
+			"Halting. DO NOT RESTART WITHOUT HUMAN INTERVENTION.",
+			"height", height, "hash", fmt.Sprintf("%X", hash), "err", err)
+	} else {
+		logger.Error("FATAL: HashVault could not commit the block hash (operational error, not a "+
+			"confirmed equivocation). Halting.",
+			"height", height, "hash", fmt.Sprintf("%X", hash), "err", err)
+	}
+	panic(fmt.Sprintf("hashvault CommitToHash failed at height %d: %v", height, err))
+}
+
 //----------------------------------------------------------------------------------------------------
 // Execute block without state. TODO: eliminate
 
@@ -710,6 +771,7 @@ func ExecCommitBlock(
 	store Store,
 	initialHeight int64,
 	s State,
+	hashVault hashvault.HashVault,
 ) ([]byte, error) {
 	finalizeBlockResponse, err := appConn.FinalizeBlock(
 		ctx,
@@ -757,6 +819,13 @@ func ExecCommitBlock(
 		return nil, err
 	}
 
+	// Guard the replayed height exactly as ApplyBlock guards live blocks, so heights caught up during
+	// the ABCI handshake are recorded in (and checked against) the equivocation guard.
+	// A returned error is a benign shutdown cancellation; genuine faults panic inside the call.
+	if err := commitHashToVault(ctx, hashVault, block.Height, block.Hash()); err != nil {
+		return nil, err
+	}
+
 	// ResponseCommit has no error or log
 	return finalizeBlockResponse.AppHash, nil
 }