Commit Graph

601 Commits

Author SHA1 Message Date
7e9b2c6615 fix(net): verify RandomX at correct height in AcceptBlockHeader + cap locator
header-pow: AcceptBlockHeader passed the caller's reused *ppindex (and a height
derived from it, ==0 for a new header) to CheckBlockHeader instead of the
header's own local pindex + real height. Post-IBD this made
RandomXValidationRequired(0) false, so CheckRandomXSolution returned true WITHOUT
verifying (and the fRandomXVerified short-circuit could fire on an unverified
header) - silently defeating the header-flood PoW gate from b9fdc7981. Resolve
pindexPrev up-front, pass real height (parent+1) and the local (NULL) pindex so
the post-IBD RandomX check actually runs; IBD stays fast (fCheckPOW=0).
Stability-tested: 303 valid headers accepted across a 4-node RandomX net,
0 false rejects / bans.

#9 (MEDIUM) GETBLOCKS/GETHEADERS deserialized an unbounded CBlockLocator.vHave
(~130k hashes) and scanned it linearly under cs_main with no ban - a
message-thread liveness DoS. Add MAX_LOCATOR_SZ=101 + Misbehaving, matching the
adjacent vInv/headers caps.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-14 11:21:28 -05:00
adf2bacdbd feat: fee-ordered mempool eviction (TrimToSize/Expire) + displacement on admission
This fork never ported Bitcoin's mempool size-limiting: CTxMemPool had no TrimToSize/
Expire and LimitMempoolSize was commented out. An earlier commit added a blunt
DynamicMemoryUsage admission cap that bounded memory but bluntly REJECTED new txs when
full -- so a high-fee tx could not push out a low-fee one. This implements proper
fee-ordered eviction using the per-tx feerate index that already exists (mapTx index 1,
CompareTxMemPoolEntryByFee), with no new index and no descendant-tracking port.

- CTxMemPool::TrimToSize(sizelimit, pvNoSpendsRemaining): while DynamicMemoryUsage() is
  over the limit, evict the lowest-feerate tx (the tail of the feerate index) and its
  in-mempool descendants (recursive remove), re-deriving the tail each iteration.
  Terminates (pool strictly shrinks) and cleans every secondary index via remove().
- CTxMemPool::Expire(time): age-based sweep (entry time older than `time`), for
  LimitMempoolSize's -mempoolexpiry.
- LimitMempoolSize re-enabled (Expire + TrimToSize) and called from ConnectTip on every
  block connect. (No pcoinsTip->Uncache -- CCoinsViewCache has none in this fork; it is
  only a UTXO-cache perf hint.)
- AcceptToMemoryPool now ADDS the tx then TrimToSizes: a higher-fee tx displaces
  lower-fee ones; if this tx was itself the lowest-feerate (evicted), it is rejected
  ("mempool full"). Replaces the blunt reject-when-full cap.
- DEFAULT_MEMPOOL_EXPIRY 1 -> 72 hours (age-Expire is now live; 1h was too aggressive).

Known simplification (documented in code): per-tx feerate, not descendant-aggregate
(CPFP) scoring, and no rollingMinimumFeeRate anti-thrash. Adversarially reviewed
(termination, iterator safety, recursive-lock safety, index cleanup all confirmed) and
runtime-tested on the fleet: pool stays bounded under a 1600-tx flood, verifychain ok,
no hang/crash.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-09 09:01:06 +02:00
389c8c7383 fix: cap mempool memory usage (-maxmempool) to bound an OOM DoS
This fork never ported Bitcoin's fee-ordered mempool eviction: CTxMemPool has no
TrimToSize/Expire, and LimitMempoolSize's body + call site are both commented out and
reference an undefined DEFAULT_MAX_MEMPOOL_SIZE. So the mempool had no total-size
ceiling. Together with the just-restored removeExpired() and near-free tx admission, a
peer could flood transactions to exhaust every node's memory (incl. pool/payout nodes).

Add a simple admission cap in AcceptToMemoryPool: once the pool exceeds -maxmempool it
refuses new admissions with DoS(0) (no ban -- a full pool isn't the peer's fault). This
is not fee-ordered eviction (that needs the absent TrimToSize machinery) but it bounds
the footprint; removeExpired() already evicts unmineable expired txs on each block
connect. New DEFAULT_MAX_MEMPOOL_SIZE=300 (MB, Bitcoin's default) is far above DragonX's
normal mempool, so normal operation is unaffected. Reviewed: bytes-vs-bytes comparison,
read under LOCK(pool.cs) on a recursive mutex (no deadlock); only the reorg re-add path
and new sends route through it, and only at 300MB.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-09 04:58:39 +02:00
810bd6712f fix: make nCoinCacheUsage std::atomic to close an adaptive-dbcache data race
The scheduled AdjustCoinCacheForMemoryPressure task writes nCoinCacheUsage from
the scheduler thread holding no lock, while cs_main-holding threads
(FlushStateToDisk, VerifyDB) read it -- an unsynchronized read/write of a
non-atomic size_t (C++ UB). Make it std::atomic<size_t>; correct the comment
that incorrectly described the access as lock-free/race-free.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-08 05:48:39 +02:00
84aefb5475 Remove assumeutxo / UTXO-snapshot feature
Removes the dumptxoutset RPC, -loadutxosnapshot / -loadutxosnapshotunsafe,
the CCoinsViewDB Dump/LoadSnapshot machinery + CUTXOSnapshotHeader, the
AssumeutxoData chainparams anchor, the LoadSnapshotChainstate activation +
reorg-below-H guard, the persisted assumeutxo-height flag, and the gtest.

Rationale: it duplicated the existing bootstrap (same skip-the-genesis-grind
fast-sync, no speed advantage), its only real edge was a trust model we don't
need for this chain, and it was inert anyway (no published snapshot hash in
chainparams). The -loadutxosnapshot load path adopted an external UTXO set and
bypassed genesis validation, so removing it also drops that attack surface.
Builds clean (no dangling references); the kept IBD speedups (RandomX
pre-verify, adaptive dbcache, tlsmanager) are untouched.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-30 16:42:37 -05:00
1f2b109d95 Add opt-in bulk block streaming (-bulkblocksync)
A single getblockstrm request makes a peer stream a contiguous range of old
blocks back-to-back as ordinary BLOCK messages, amortizing the per-block
round-trip over the whole range instead of the MAX_BLOCKS_IN_TRANSIT_PER_PEER
window. This targets the bandwidth-delay-product ceiling that dominates IBD
from few/high-latency peers below the checkpoint.

Design (off by default; negotiated via a NODE_BULKBLOCKS service bit; the
default getdata IBD path is untouched when disabled):
- protocol: NODE_BULKBLOCKS service bit + getblockstrm/blockstream messages.
- requester: in SendMessages, after FindNextBlocksToDownload, when the first
  needed block is >= BULK_TIP_MARGIN (5000) below the network tip and the peer
  advertises the bit and we are in IBD, request a contiguous range (<=128
  blocks) instead of per-block getdata; mark the range in-flight.
- server: stream the range (caps 128 blocks / 8 MiB; reads outside cs_main;
  per-peer flood throttle), then a trailing blockstream header with the actual
  count sent. Self-suppresses while the server itself is in IBD.
- received blocks ride the existing BLOCK -> ProcessNewBlock path (fully
  validated; checkpoints below 2.84M still apply); the trailing header
  reconciles partial deliveries and the range is freed on a 90s timeout, so a
  partial/withheld/refused batch falls back to the normal path (no leak, no
  permanent gap, no disconnect). In-flight tracking is by literal hash, so a
  reorg cannot orphan range entries.

Hardened against the issues found in two adversarial review passes (drain vs
timeout, partial reconciliation, ownership-guarded frees, one-shot header,
reorg-proof helpers, cs_main hold). Validated end-to-end between two local
v1.0.3 nodes (128/128 and partial serves; height advanced; no errors).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-29 21:22:54 -05:00
78ea2aac5b Add -maxblocksintransit: tunable per-peer block-download window
The per-peer in-flight block window (MAX_BLOCKS_IN_TRANSIT_PER_PEER) was a
hardcoded 16. On a single, high-latency peer during IBD the transfer is
bandwidth-delay-product bound (window / RTT), so with tiny sub-checkpoint
blocks the window, not bandwidth, is the ceiling — measured ~4x throughput
going 16 -> 64 on a 350ms-RTT peer. Make it a runtime flag (default 16,
clamped 1..4096), logged at startup. No behavior change at the default.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-29 21:22:32 -05:00
1673cfb6dc IBD/sync speedups: parallel RandomX pre-verify, adaptive dbcache, P2P download fixes
- Parallel RandomX PoW pre-verification pool (CCheckQueue) run ahead of the serial
  connect; consensus-neutral (inline CheckRandomXSolution fallback still verifies
  anything not pre-verified). New -randomxverifythreads (default = -par).
- Adaptive dbcache: default sizes the UTXO/coins cache to most of RAM and shrinks
  under memory pressure, always leaving a reserve free; -dbcache pins a fixed value.
- P2P block download: bounded socket recv-drain loop (tlsmanager); frontier-block
  reassignment to break head-of-line stalls (-blockreassigntimeout); ProcessGetData
  serves a bounded batch of blocks per pass instead of one (fixes the serve-side
  one-block-per-tick throttle that caps download network-wide).
- assumeutxo: dumptxoutset RPC + LoadSnapshot machinery + AssumeutxoData chainparams.
- Signed bootstrap verification (util/bootstrap-dragonx.sh, util/sign-bootstrap.md).
- gtest: RandomX pre-verify consensus-equivalence test + UTXO-snapshot round-trip;
  revived the gtest harness (Makefile.am include fix, Makefile.gtest.include).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-19 12:30:10 -05:00
onryo
58b65f9670 Update copyrights 2024-02-27 23:59:59 +01:00
Duke
e8dc755f06 Reduce memory usage of CBlockIndex
Ported code from https://github.com/zcash/zcash/pull/6192 with various changes needed
for the Hush codebase.
2023-04-13 23:30:23 -04:00
Duke
e033a2e6eb Update copyrights to 2023 2023-02-09 18:06:03 -05:00
zanzibar
512da314a5 BIP155 (addrv2)
Tor v3 + i2p
2023-01-06 15:23:22 +00:00
Duke
ae64eb2392 Remove alerts 2022-12-18 08:24:49 -08:00
Jonathan "Duke" Leto
5d2307a709 Update copyrights to 2022 2022-09-19 15:45:30 -07:00
Duke Leto
b4f38e2a77 Increase nMinDiskSpace to 1GB 2021-12-12 11:12:10 -05:00
Duke Leto
231850740e CZindexStats 2021-06-16 11:07:20 -04:00
Duke Leto
8c25b745b3 Start to persist zindex stats to disk 2021-06-15 00:47:56 -04:00
Duke Leto
4a536d62dc Update copyrights 2021-04-17 13:03:22 -04:00
Duke Leto
fd0d0e6c75 Remove unused partition check code
This code is unused and was disabled in BTC core and then deleted,
since it didn't work correctly: https://github.com/bitcoin/bitcoin/pull/8275
2021-02-22 04:44:57 -05:00
Duke Leto
cde6d33ad1 The term 'whitelist' is racist and so we choose to call this feature 'allowlist' 2021-01-10 10:46:22 -05:00
Duke Leto
b58c15b9fb update copyrights 2020-12-10 07:45:36 -05:00
Duke Leto
6e3d994b77 Mempool optimizations and cleanup 2020-12-07 09:13:45 -05:00
Duke Leto
abc0b55d05 Hush Hush Hush 2020-12-04 09:42:59 -05:00
Duke Leto
be16f80abc Hush Full Node is now GPLv3
Any projects which want to use Hush code from now on will need to be licensed as
GPLv3 or we will send the lawyers: https://www.softwarefreedom.org/

Notably, Komodo (KMD) is licensed as GPLv2 and is no longer compatible to receive
code changes, without causing legal issues. MIT projects, such as Zcash, also cannot pull
in changes from the Hush Full Node without permission from The Hush Developers,
which may in some circumstances grant an MIT license on a case-by-case basis.
2020-10-21 07:28:10 -04:00
Duke Leto
a7f88a87aa Update copyright URL to be https 2020-09-20 13:17:38 -04:00
Duke Leto
a2b3316664 Port PR93 from @denioD 2020-03-07 13:55:12 -05:00
Duke Leto
7609fe8bbb Logging and copyrights 2019-12-29 12:16:44 -05:00
Duke Leto
de0b5938a1 copyright 2019-12-10 17:51:08 -05:00
Duke Leto
62613ed77a main.h changes 2019-12-10 17:50:28 -05:00
Duke Leto
e87d029968 Mostly-working Hush full node sans Verus!!!
Every line of Verus-specific code has been removed from the codebase.
This code compiles on Linux and can do a partial sync. A full sync
and other extensive tests need to be done before it's merged into
the duke branch.

BUGS:

One known bug is that the node starts to CPU mine by default, lol.
2019-11-05 09:42:21 -05:00
Jonathan "Duke" Leto
d03d774c18 Fix zindex flag detection 2019-08-20 20:19:24 -07:00
Jonathan "Duke" Leto
5c310aa048 Define -zindex 2019-08-18 18:55:34 -07:00
jl777
52445b8430 Slowflag into CBOPRET if 2019-07-08 02:56:48 -11:00
blackjok3r
69626ff68d revert undo file size 2019-05-06 16:38:22 +08:00
blackjok3r
0d47cda145 initial commit for payments merge RPC 2019-05-06 00:57:06 +08:00
blackjok3r
2a5a86b1ce change default expiry height to 200 instead of 20. To stop wallet getting corrupted. 2019-04-30 11:20:02 +08:00
jl777
3db5e5a874 =1 2019-04-11 23:52:05 -11:00
jl777
082aec73ff =0 2019-04-11 23:51:44 -11:00
jl777
d47d2dd595 Better way to avoid sync errors 2019-04-11 23:49:24 -11:00
jl777
0d16e99532 Dont fetch ahead if cbopret chain, yes it will slow it down 2019-04-11 22:49:52 -11:00
blackjok3r
76e3a7f283 skip dpow check on everything but ProcessNewBlock. 2019-04-12 13:55:06 +08:00
jl777
8a9eaea869 Pass through block and previndex 2019-04-01 20:40:26 -11:00
blackjok3r
cce73b01a7 new tempfile rotation. 2019-02-01 04:01:16 +08:00
blackjok3r
c14e0909c6 Fix using temp file for receiving blocks. 2019-01-29 07:06:00 +08:00
jl777
e4791f54e6 Merge branch 'FSM' into patch-gcc-8 2019-01-25 16:33:13 -11:00
jl777
669f5c4d39 Const 2019-01-24 01:55:15 -11:00
blackjok3r
c3df1b8747 add auto purge of orphans from before notarisation. 2019-01-24 17:16:42 +08:00
jl777
1f46aa58e6 Allow tunable maxreorg 2019-01-09 01:26:25 -11:00
jl777
9269bc177c Allow tunable maxreorg 2019-01-09 01:25:23 -11:00
jl777
42911ea6c2 Double maxreorg 2019-01-09 01:21:29 -11:00