Skip to content

fix: decouple DEXExtension execution and port Curve25519 weak key safeguards#761

Open
D-H-O-R-A wants to merge 1 commit into
wavesplatform:masterfrom
D-H-O-R-A:feature/matcher-compat-and-security
Open

fix: decouple DEXExtension execution and port Curve25519 weak key safeguards#761
D-H-O-R-A wants to merge 1 commit into
wavesplatform:masterfrom
D-H-O-R-A:feature/matcher-compat-and-security

Conversation

@D-H-O-R-A

Copy link
Copy Markdown

This PR resolves dynamic classloader linkage issues when running the DEX extension within the newly updated JVM node and ports critical cryptographic safety checks.

Key changes:

  1. Thread Pool Decoupling in DEXExtension:

    • Removed direct dependency on the node's context.actorSystem dispatcher, which caused classloader linkage errors due to Akka-to-Pekko/Scala 3 transition.
    • Implemented an internally managed, isolated JVM thread pool (ScheduledExecutorService wrapped inside a Monix Scheduler).
    • Added structured lifecycle hooks to gracefully shut down the thread pool during extension shutdown to avoid thread leaks.
  2. Curve25519 Low-Order Weak Key Protection:

    • Ported the isWeakPublicKey and BlacklistedKeys safety validation from the node into the Matcher domain core (package.scala in waves-integration).
    • Overrode signature verification (verify) to reject weak public keys by default, blocking potential signature forgery and spoofing attacks at the REST API entrypoint.
    • Preserved compatibility by allowing optional bypass (checkWeakPk = false) for legacy internal validation paths.
  3. Validation and Environment:

    • Upgraded SBT version to 1.12.11 to ensure perfect building and task execution compatibility under OpenJDK 17.
    • Added comprehensive unit tests in CryptoSpec.scala covering weak key rejection, standard key acceptance, and bypass parameters.

Developer Contact:

…ation

Developer Contact:
- Email: diegoantunes2301@gmail.com
- WhatsApp: +5511974289097
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant