Skip to content

Commit 5aef791

Browse files
authored
[runtime]: hash EVM GET storage slot in Tendermint state-proof verification (#990)
1 parent 4710bc7 commit 5aef791

1 file changed

Lines changed: 10 additions & 1 deletion

File tree

modules/ismp/state-machines/evm/src/tendermint.rs

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -298,7 +298,16 @@ pub fn verify_evm_kv_proofs(
298298
(addr, slot_arr)
299299
};
300300

301-
let key = storage_key_for(proof.height.id.state_id, &addr.0, slot);
301+
// Ethermint-style Tendermint EVM stores expose EVM storage under IAVL keys of the form
302+
// `prefix || address || keccak256(slot)` (see `verify_non_membership`,
303+
// `DefaultEvmKeys::storage_key`, and the prover's `abci_query_key` docs). The GET `keys`
304+
// carry the raw 32-byte storage slot, so it must be keccak256-hashed before being folded
305+
// into the IAVL key — exactly as the membership and non-membership paths already do.
306+
// Without this, the key resolves to one that never exists in the tree, so a valid ICS23
307+
// non-existence proof for the unhashed key falsely reports a present slot as absent
308+
// (returns `None`), which can release source escrow for an order that was actually filled.
309+
let hashed_slot = ICS23HostFunctions::keccak256(&slot).0;
310+
let key = storage_key_for(proof.height.id.state_id, &addr.0, hashed_slot);
302311

303312
let commitment_proof = CommitmentProofBytes::try_from(ev.proof.clone())
304313
.map_err(|e| TendermintEvmError::InvalidCommitmentProof(e.to_string()))?;

0 commit comments

Comments
 (0)