fix(attestations): add domain separation to signature verification (#8799)

* feat(attestations): add domain separation to signature verification

* fix(attestations): update e2e tests with domain-separated signing

* fix(gmp): update e2e tests with domain-separated signing

---------

Co-authored-by: srdtrk <59252793+srdtrk@users.noreply.github.com>
Co-authored-by: mattac21 <matt@cosmoslabs.io>

Author: 3 people

e2e/tests/attestations/attestations_test.go

@@ -5,7 +5,6 @@ package attestations
 import (
 	"context"
 	"crypto/ecdsa"
-	"crypto/sha256"
 	"encoding/json"
 	"strconv"
 	"testing"
@@ -441,7 +440,7 @@ func (s *AttestationsTestSuite) TestMsgTransfer_Timeout_Attestations() {
 		stateAttestationData, err := stateAttestation.ABIEncode()
 		s.Require().NoError(err)
 
-		signatures := s.signAttestationData(stateAttestationData)
+		signatures := s.signAttestationData(stateAttestationData, attestations.AttestationTypeState)
 		updateProof := &attestations.AttestationProof{
 			AttestationData: stateAttestationData,
 			Signatures:      signatures,
@@ -515,7 +514,7 @@ func (s *AttestationsTestSuite) createPacketAttestationProof(height uint64, path
 	attestationData, err := packetAttestation.ABIEncode()
 	s.Require().NoError(err)
 
-	signatures := s.signAttestationData(attestationData)
+	signatures := s.signAttestationData(attestationData, attestations.AttestationTypePacket)
 	proof := &attestations.AttestationProof{
 		AttestationData: attestationData,
 		Signatures:      signatures,
@@ -525,8 +524,8 @@ func (s *AttestationsTestSuite) createPacketAttestationProof(height uint64, path
 	return proofBz
 }
 
-func (s *AttestationsTestSuite) signAttestationData(data []byte) [][]byte {
-	hash := sha256.Sum256(data)
+func (s *AttestationsTestSuite) signAttestationData(data []byte, attestationType attestations.AttestationType) [][]byte {
+	hash := attestations.TaggedSigningInput(data, attestationType)
 	var signatures [][]byte
 	for _, key := range s.attestorKeys {
 		sig, err := crypto.Sign(hash[:], key)
@@ -550,7 +549,7 @@ func (s *AttestationsTestSuite) createNonMembershipProof(height uint64, path []b
 	attestationData, err := packetAttestation.ABIEncode()
 	s.Require().NoError(err)
 
-	signatures := s.signAttestationData(attestationData)
+	signatures := s.signAttestationData(attestationData, attestations.AttestationTypePacket)
 	proof := &attestations.AttestationProof{
 		AttestationData: attestationData,
 		Signatures:      signatures,

e2e/tests/gmp/base_test.go

@@ -5,7 +5,6 @@ package gmp
 import (
 	"context"
 	"crypto/ecdsa"
-	"crypto/sha256"
 	"testing"
 	"time"
 
@@ -248,7 +247,7 @@ func (s *GMPTestSuite) createAttestationProof(path, commitment []byte) []byte {
 	data, err := attestation.ABIEncode()
 	s.Require().NoError(err)
 
-	hash := sha256.Sum256(data)
+	hash := attestations.TaggedSigningInput(data, attestations.AttestationTypePacket)
 	signatures := make([][]byte, len(s.attestorKeys))
 	for i, key := range s.attestorKeys {
 		sig, err := crypto.Sign(hash[:], key)

modules/light-clients/attestations/client_state.go

@@ -101,7 +101,7 @@ func (cs *ClientState) verifyMembership(
 		return errorsmod.Wrapf(ErrInvalidAttestationProof, "failed to unmarshal proof: %v", err)
 	}
 
-	if err := cs.verifySignatures(&attestationProof); err != nil {
+	if err := cs.verifySignatures(&attestationProof, AttestationTypePacket); err != nil {
 		return err
 	}
 
@@ -171,7 +171,7 @@ func (cs *ClientState) verifyNonMembership(
 		return errorsmod.Wrapf(ErrInvalidAttestationProof, "failed to unmarshal proof: %v", err)
 	}
 
-	if err := cs.verifySignatures(&attestationProof); err != nil {
+	if err := cs.verifySignatures(&attestationProof, AttestationTypePacket); err != nil {
 		return err
 	}
 

modules/light-clients/attestations/client_state_test.go

@@ -162,7 +162,7 @@ func (s *AttestationsTestSuite) TestVerifyMembership() {
 			newTimestamp := uint64(2 * time.Second.Nanoseconds())
 			stateAttestation := s.createStateAttestation(newHeight, newTimestamp)
 			signers := []int{0, 1, 2}
-			updateProof := s.createAttestationProof(stateAttestation, signers)
+			updateProof := s.createAttestationProof(stateAttestation, signers, attestations.AttestationTypeState)
 
 			err := s.lightClientModule.VerifyClientMessage(ctx, clientID, updateProof)
 			s.Require().NoError(err)
@@ -177,7 +177,7 @@ func (s *AttestationsTestSuite) TestVerifyMembership() {
 			// Commitment is stored as raw value (not hashed)
 			hashedPath := crypto.Keccak256(tc.attestedPath)
 			packetAttestation := s.createPacketAttestation(newHeight, []attestations.PacketCompact{{Path: hashedPath, Commitment: tc.value}})
-			membershipProof := s.createAttestationProof(packetAttestation, signers)
+			membershipProof := s.createAttestationProof(packetAttestation, signers, attestations.AttestationTypePacket)
 			membershipProofBz := s.marshalProof(membershipProof)
 
 			proofHeight := clienttypes.NewHeight(0, newHeight)
@@ -210,7 +210,7 @@ func (s *AttestationsTestSuite) TestVerifyMembershipMalformedProof() {
 	s.Require().ErrorContains(err, "failed to unmarshal proof")
 
 	malformedData := []byte("invalid-packet-attestation-data")
-	proof := s.createAttestationProof(malformedData, []int{0, 1, 2})
+	proof := s.createAttestationProof(malformedData, []int{0, 1, 2}, attestations.AttestationTypePacket)
 	proofBz := s.marshalProof(proof)
 
 	err = s.lightClientModule.VerifyMembership(ctx, clientID, proofHeight, 0, 0, proofBz, path, value)
@@ -237,7 +237,7 @@ func (s *AttestationsTestSuite) TestVerifyMembershipVariableLengthPath() {
 	hashedPath := crypto.Keccak256(shortPath)
 	packetAttestation := s.createPacketAttestation(newHeight, []attestations.PacketCompact{{Path: hashedPath, Commitment: value32}})
 	signers := []int{0, 1, 2}
-	proof := s.createAttestationProof(packetAttestation, signers)
+	proof := s.createAttestationProof(packetAttestation, signers, attestations.AttestationTypePacket)
 	proofBz := s.marshalProof(proof)
 
 	proofHeight := clienttypes.NewHeight(0, newHeight)
@@ -261,7 +261,7 @@ func (s *AttestationsTestSuite) TestVerifyMembershipInvalidKeyPathLength() {
 	hashedPath := crypto.Keccak256(bytes.Repeat([]byte{0x01}, 32))
 	packetAttestation := s.createPacketAttestation(newHeight, []attestations.PacketCompact{{Path: hashedPath, Commitment: value32}})
 	signers := []int{0, 1, 2}
-	proof := s.createAttestationProof(packetAttestation, signers)
+	proof := s.createAttestationProof(packetAttestation, signers, attestations.AttestationTypePacket)
 	proofBz := s.marshalProof(proof)
 	proofHeight := clienttypes.NewHeight(0, newHeight)
 
@@ -291,7 +291,7 @@ func (s *AttestationsTestSuite) TestVerifyNonMembershipInvalidKeyPathLength() {
 	hashedPath := crypto.Keccak256(bytes.Repeat([]byte{0x01}, 32))
 	packetAttestation := s.createPacketAttestation(newHeight, []attestations.PacketCompact{{Path: hashedPath, Commitment: make([]byte, 32)}})
 	signers := []int{0, 1, 2}
-	proof := s.createAttestationProof(packetAttestation, signers)
+	proof := s.createAttestationProof(packetAttestation, signers, attestations.AttestationTypePacket)
 	proofBz := s.marshalProof(proof)
 	proofHeight := clienttypes.NewHeight(0, newHeight)
 
@@ -399,7 +399,7 @@ func (s *AttestationsTestSuite) TestVerifyNonMembership() {
 			newTimestamp := uint64(2 * time.Second.Nanoseconds())
 			stateAttestation := s.createStateAttestation(newHeight, newTimestamp)
 			signers := []int{0, 1, 2}
-			updateProof := s.createAttestationProof(stateAttestation, signers)
+			updateProof := s.createAttestationProof(stateAttestation, signers, attestations.AttestationTypeState)
 
 			err := s.lightClientModule.VerifyClientMessage(ctx, clientID, updateProof)
 			s.Require().NoError(err)
@@ -417,7 +417,7 @@ func (s *AttestationsTestSuite) TestVerifyNonMembership() {
 				}
 			}
 			packetAttestation := s.createPacketAttestation(newHeight, hashedPackets)
-			nonMembershipProof := s.createAttestationProof(packetAttestation, signers)
+			nonMembershipProof := s.createAttestationProof(packetAttestation, signers, attestations.AttestationTypePacket)
 			nonMembershipProofBz := s.marshalProof(nonMembershipProof)
 
 			proofHeight := clienttypes.NewHeight(0, newHeight)

modules/light-clients/attestations/light_client_module_test.go

@@ -2,7 +2,6 @@ package attestations_test
 
 import (
 	"crypto/ecdsa"
-	"crypto/sha256"
 	"testing"
 	"time"
 
@@ -62,8 +61,8 @@ func (s *AttestationsTestSuite) SetupTest() {
 	s.lightClientModule = attestations.NewLightClientModule(cdc, storeProvider)
 }
 
-func (s *AttestationsTestSuite) createAttestationProof(attestationData []byte, signers []int) *attestations.AttestationProof {
-	hash := sha256.Sum256(attestationData)
+func (s *AttestationsTestSuite) createAttestationProof(attestationData []byte, signers []int, attestationType attestations.AttestationType) *attestations.AttestationProof {
+	hash := attestations.TaggedSigningInput(attestationData, attestationType)
 	signatures := make([][]byte, 0, len(signers))
 
 	for _, idx := range signers {
@@ -157,7 +156,7 @@ func (s *AttestationsTestSuite) freezeClient(ctx sdk.Context, clientID string) {
 func (s *AttestationsTestSuite) updateClientState(ctx sdk.Context, clientID string, height, timestamp uint64) {
 	stateAttestation := s.createStateAttestation(height, timestamp)
 	signers := []int{0, 1, 2}
-	proof := s.createAttestationProof(stateAttestation, signers)
+	proof := s.createAttestationProof(stateAttestation, signers, attestations.AttestationTypeState)
 	_ = s.lightClientModule.UpdateState(ctx, clientID, proof)
 }
 
@@ -241,7 +240,7 @@ func (s *AttestationsTestSuite) TestCheckForMisbehaviourReturnsFalse() {
 
 	stateAttestation := s.createStateAttestation(initialHeight+1, initialTimestamp+uint64(time.Second.Nanoseconds()))
 	signers := []int{0, 1, 2}
-	proof := s.createAttestationProof(stateAttestation, signers)
+	proof := s.createAttestationProof(stateAttestation, signers, attestations.AttestationTypeState)
 
 	foundMisbehaviour := s.lightClientModule.CheckForMisbehaviour(ctx, testClientID, proof)
 	s.Require().False(foundMisbehaviour, "CheckForMisbehaviour should return false")

modules/light-clients/attestations/signature.go

@@ -9,16 +9,38 @@ import (
 	errorsmod "cosmossdk.io/errors"
 )
 
+// AttestationType distinguishes attestation types to prevent cross-protocol signature replay.
+type AttestationType byte
+
+const (
+	// AttestationTypeState is used for client update (state) attestations.
+	AttestationTypeState AttestationType = 0x01
+	// AttestationTypePacket is used for packet membership/non-membership attestations.
+	AttestationTypePacket AttestationType = 0x02
+)
+
 const (
 	// SignatureLength is the expected length of an ECDSA signature (r||s||v)
 	SignatureLength = 65
 	// recoveryIDIndex is the byte position of the recovery ID (v) in the signature
 	recoveryIDIndex = 64
+	// domainSeparatedPreimageLen is the length of the domain-separated signing preimage:
+	// 1-byte type tag + 32-byte SHA-256 hash.
+	domainSeparatedPreimageLen = 1 + sha256.Size
 )
 
+// TaggedSigningInput computes the domain-separated prehash: `sha256(type_tag || sha256(data))`.
+func TaggedSigningInput(data []byte, attestationType AttestationType) [32]byte {
+	innerHash := sha256.Sum256(data)
+	var tagged [domainSeparatedPreimageLen]byte
+	tagged[0] = byte(attestationType)
+	copy(tagged[1:], innerHash[:])
+	return sha256.Sum256(tagged[:])
+}
+
 // verifySignatures verifies that the attestation proof has valid signatures from unique attestors
-// meeting the quorum threshold. Signatures cover sha256(attestationData).
-func (cs *ClientState) verifySignatures(proof *AttestationProof) error {
+// meeting the quorum threshold. Signatures cover `sha256(type_tag || sha256(attestationData))`.
+func (cs *ClientState) verifySignatures(proof *AttestationProof, attestationType AttestationType) error {
 	if len(proof.Signatures) == 0 {
 		return errorsmod.Wrap(ErrInvalidSignature, "signatures cannot be empty")
 	}
@@ -28,7 +50,7 @@ func (cs *ClientState) verifySignatures(proof *AttestationProof) error {
 		attestorSet[common.HexToAddress(addr)] = true
 	}
 
-	hash := sha256.Sum256(proof.AttestationData)
+	hash := TaggedSigningInput(proof.AttestationData, attestationType)
 	seenSigners := make(map[common.Address]bool)
 
 	for i, sig := range proof.Signatures {

modules/light-clients/attestations/signature_test.go

@@ -2,12 +2,13 @@ package attestations_test
 
 import (
 	"bytes"
-	"crypto/sha256"
 	"strings"
 	"time"
 
 	"github.com/ethereum/go-ethereum/crypto"
 
+	clienttypes "github.com/cosmos/ibc-go/v10/modules/core/02-client/types"
+	commitmenttypesv2 "github.com/cosmos/ibc-go/v10/modules/core/23-commitment/types/v2"
 	"github.com/cosmos/ibc-go/v10/modules/light-clients/attestations"
 )
 
@@ -31,7 +32,7 @@ func (s *AttestationsTestSuite) TestVerifySignatures() {
 			name: "failure: unknown signer",
 			setupProof: func(attestationData []byte) *attestations.AttestationProof {
 				unknownKey, _ := crypto.GenerateKey()
-				hash := sha256.Sum256(attestationData)
+				hash := attestations.TaggedSigningInput(attestationData, attestations.AttestationTypeState)
 				unknownSig, _ := crypto.Sign(hash[:], unknownKey)
 				return &attestations.AttestationProof{
 					AttestationData: attestationData,
@@ -43,7 +44,7 @@ func (s *AttestationsTestSuite) TestVerifySignatures() {
 		{
 			name: "failure: duplicate signer",
 			setupProof: func(attestationData []byte) *attestations.AttestationProof {
-				hash := sha256.Sum256(attestationData)
+				hash := attestations.TaggedSigningInput(attestationData, attestations.AttestationTypeState)
 				sig1, _ := crypto.Sign(hash[:], s.attestors[0])
 				sig2, _ := crypto.Sign(hash[:], s.attestors[0])
 				return &attestations.AttestationProof{
@@ -114,7 +115,7 @@ func (s *AttestationsTestSuite) TestAddressCaseInsensitiveComparison() {
 	newTimestamp := uint64(2 * time.Second.Nanoseconds())
 	attestationData := s.createStateAttestation(newHeight, newTimestamp)
 
-	hash := sha256.Sum256(attestationData)
+	hash := attestations.TaggedSigningInput(attestationData, attestations.AttestationTypeState)
 	sig, err := crypto.Sign(hash[:], privKey)
 	s.Require().NoError(err)
 
@@ -126,3 +127,47 @@ func (s *AttestationsTestSuite) TestAddressCaseInsensitiveComparison() {
 	err = s.lightClientModule.VerifyClientMessage(ctx, clientID, proof)
 	s.Require().NoError(err)
 }
+
+func (s *AttestationsTestSuite) TestCrossDomainReplay() {
+	initialHeight := uint64(100)
+	initialTimestamp := uint64(time.Second.Nanoseconds())
+	clientID := testClientID
+	ctx := s.chainA.GetContext()
+
+	s.initializeClient(ctx, clientID, initialHeight, initialTimestamp)
+
+	newHeight := uint64(200)
+	newTimestamp := uint64(2 * time.Second.Nanoseconds())
+	attestationData := s.createStateAttestation(newHeight, newTimestamp)
+
+	// Sign as Packet, verify as State — must fail
+	packetProof := s.createAttestationProof(attestationData, []int{0, 1, 2}, attestations.AttestationTypePacket)
+	err := s.lightClientModule.VerifyClientMessage(ctx, clientID, packetProof)
+	s.Require().Error(err)
+	s.Require().ErrorContains(err, "not in attestor set")
+
+	// Sign as State, verify as Packet (via membership) — must fail
+	hashedPath := crypto.Keccak256(bytes.Repeat([]byte{0x01}, 32))
+	value := bytes.Repeat([]byte{0xAB}, 32)
+	packetAttestation := s.createPacketAttestation(initialHeight, []attestations.PacketCompact{{Path: hashedPath, Commitment: value}})
+	stateSignedProof := s.createAttestationProof(packetAttestation, []int{0, 1, 2}, attestations.AttestationTypeState)
+	proofBz := s.marshalProof(stateSignedProof)
+
+	proofHeight := clienttypes.NewHeight(0, initialHeight)
+	path := commitmenttypesv2.NewMerklePath(bytes.Repeat([]byte{0x01}, 32))
+	err = s.lightClientModule.VerifyMembership(ctx, clientID, proofHeight, 0, 0, proofBz, path, value)
+	s.Require().Error(err)
+	s.Require().ErrorContains(err, "not in attestor set")
+
+	// Sign as State, verify as Packet (via non-membership) — must fail
+	zeroCommitment := make([]byte, 32)
+	nonMemPath := bytes.Repeat([]byte{0x02}, 32)
+	hashedNonMemPath := crypto.Keccak256(nonMemPath)
+	nonMemPacketAttestation := s.createPacketAttestation(initialHeight, []attestations.PacketCompact{{Path: hashedNonMemPath, Commitment: zeroCommitment}})
+	stateSignedNonMemProof := s.createAttestationProof(nonMemPacketAttestation, []int{0, 1, 2}, attestations.AttestationTypeState)
+	nonMemProofBz := s.marshalProof(stateSignedNonMemProof)
+
+	err = s.lightClientModule.VerifyNonMembership(ctx, clientID, proofHeight, 0, 0, nonMemProofBz, commitmenttypesv2.NewMerklePath(nonMemPath))
+	s.Require().Error(err)
+	s.Require().ErrorContains(err, "not in attestor set")
+}

modules/light-clients/attestations/update.go

@@ -25,7 +25,7 @@ func (cs *ClientState) VerifyClientMessage(ctx sdk.Context, cdc codec.BinaryCode
 		return errorsmod.Wrapf(clienttypes.ErrInvalidClient, "expected type %T, got type %T", (*AttestationProof)(nil), clientMsg)
 	}
 
-	return cs.verifySignatures(attestationProof)
+	return cs.verifySignatures(attestationProof, AttestationTypeState)
 }
 
 // UpdateState updates the consensus state to a new height and timestamp.

modules/light-clients/attestations/update_test.go

@@ -39,7 +39,7 @@ func (s *AttestationsTestSuite) TestUpdateState() {
 			newHeight := uint64(200)
 			newTimestamp := uint64(2 * time.Second.Nanoseconds())
 			attestationData := s.createStateAttestation(newHeight, newTimestamp)
-			proof := s.createAttestationProof(attestationData, tc.signers)
+			proof := s.createAttestationProof(attestationData, tc.signers, attestations.AttestationTypeState)
 
 			err := s.lightClientModule.VerifyClientMessage(ctx, clientID, proof)
 			if tc.expErr != "" {
@@ -75,7 +75,7 @@ func (s *AttestationsTestSuite) TestUpdateStateIdempotency() {
 	newTimestamp := uint64(2 * time.Second.Nanoseconds())
 	attestationData := s.createStateAttestation(newHeight, newTimestamp)
 	signers := []int{0, 1, 2}
-	proof := s.createAttestationProof(attestationData, signers)
+	proof := s.createAttestationProof(attestationData, signers, attestations.AttestationTypeState)
 
 	err := s.lightClientModule.VerifyClientMessage(ctx, clientID, proof)
 	s.Require().NoError(err)
@@ -104,7 +104,7 @@ func (s *AttestationsTestSuite) TestVerifyClientMessageFrozenClient() {
 	newTimestamp := uint64(2 * time.Second.Nanoseconds())
 	attestationData := s.createStateAttestation(newHeight, newTimestamp)
 	signers := []int{0, 1, 2}
-	proof := s.createAttestationProof(attestationData, signers)
+	proof := s.createAttestationProof(attestationData, signers, attestations.AttestationTypeState)
 
 	err := s.lightClientModule.VerifyClientMessage(ctx, clientID, proof)
 	s.Require().NoError(err)
@@ -116,7 +116,7 @@ func (s *AttestationsTestSuite) TestVerifyClientMessageFrozenClient() {
 	s.Require().Equal(exported.Frozen, status)
 
 	newProofData := s.createStateAttestation(uint64(300), uint64(4*time.Second.Nanoseconds()))
-	newProof := s.createAttestationProof(newProofData, signers)
+	newProof := s.createAttestationProof(newProofData, signers, attestations.AttestationTypeState)
 
 	err = s.lightClientModule.VerifyClientMessage(ctx, clientID, newProof)
 	s.Require().ErrorIs(err, attestations.ErrClientFrozen)
@@ -137,15 +137,15 @@ func (s *AttestationsTestSuite) TestUpdateStateOnMisbehaviourPanics() {
 	newTimestamp := uint64(2 * time.Second.Nanoseconds())
 	attestationData := s.createStateAttestation(newHeight, newTimestamp)
 	signers := []int{0, 1, 2}
-	proof := s.createAttestationProof(attestationData, signers)
+	proof := s.createAttestationProof(attestationData, signers, attestations.AttestationTypeState)
 
 	err := s.lightClientModule.VerifyClientMessage(ctx, clientID, proof)
 	s.Require().NoError(err)
 	_ = s.lightClientModule.UpdateState(ctx, clientID, proof)
 
 	conflictingTimestamp := uint64(3 * time.Second.Nanoseconds())
 	conflictingAttestationData := s.createStateAttestation(newHeight, conflictingTimestamp)
-	conflictingProof := s.createAttestationProof(conflictingAttestationData, signers)
+	conflictingProof := s.createAttestationProof(conflictingAttestationData, signers, attestations.AttestationTypeState)
 
 	updateStateOnMisbehaviourFunc := func() {
 		s.lightClientModule.UpdateStateOnMisbehaviour(ctx, clientID, conflictingProof)