NONEVM-3227: logpoller defensive validations (#452)

* fix: logpoller defensive validations

* fix: simplify

* chore: better test pattern

Author: jadepark-dev

pkg/logpoller/block.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"time"
 
+	"github.com/xssnick/tonutils-go/address"
 	"github.com/xssnick/tonutils-go/ton"
 
 	"github.com/smartcontractkit/chainlink-ton/pkg/logpoller/models"
@@ -24,6 +25,13 @@ func (lp *service) getMasterchainBlockRange(ctx context.Context) (*models.BlockR
 		return nil, fmt.Errorf("failed to get current masterchain info: %w", err)
 	}
 
+	// validate that the returned block belongs to the masterchain.
+	// a compromised or faulty liteserver could return valid blocks from the wrong workchain,
+	// which would cause the logpoller to track incorrect chain data.
+	if toBlock.Workchain != address.MasterchainID {
+		return nil, fmt.Errorf("expected masterchain block (workchain %d), got workchain %d", address.MasterchainID, toBlock.Workchain)
+	}
+
 	lastProcessedBlock, err := lp.getLastProcessedBlock(toBlock)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get last processed block: %w", err)

pkg/logpoller/block_test.go

@@ -1,12 +1,66 @@
 package logpoller
 
 import (
+	"context"
 	"testing"
 	"time"
 
 	"github.com/stretchr/testify/require"
+
+	"github.com/xssnick/tonutils-go/address"
+	"github.com/xssnick/tonutils-go/ton"
+
+	"github.com/smartcontractkit/chainlink-common/pkg/logger"
 )
 
+// mockAPIClient is a minimal mock for ton.APIClientWrapped used in unit tests
+type mockAPIClient struct {
+	ton.APIClientWrapped // embed to satisfy interface
+	masterchainInfo      *ton.BlockIDExt
+	masterchainErr       error
+}
+
+func (m *mockAPIClient) CurrentMasterchainInfo(_ context.Context) (*ton.BlockIDExt, error) {
+	return m.masterchainInfo, m.masterchainErr
+}
+
+func TestGetMasterchainBlockRange_WorkchainValidation(t *testing.T) {
+	t.Run("rejects non-masterchain workchain", func(t *testing.T) {
+		mock := &mockAPIClient{
+			masterchainInfo: &ton.BlockIDExt{Workchain: 0, SeqNo: 100}, // workchain 0 is base chain, not masterchain
+		}
+
+		lp := &service{
+			lggr: logger.Sugared(logger.Nop()),
+			clientProvider: func(_ context.Context) (ton.APIClientWrapped, error) {
+				return mock, nil
+			},
+		}
+
+		_, err := lp.getMasterchainBlockRange(context.Background())
+		require.Error(t, err)
+	})
+
+	t.Run("accepts masterchain workchain", func(t *testing.T) {
+		mock := &mockAPIClient{
+			masterchainInfo: &ton.BlockIDExt{Workchain: address.MasterchainID, SeqNo: 100},
+		}
+
+		lp := &service{
+			lggr: logger.Sugared(logger.Nop()),
+			clientProvider: func(_ context.Context) (ton.APIClientWrapped, error) {
+				return mock, nil
+			},
+			lastProcessedBlock: 100, // same as SeqNo, so no new blocks
+		}
+
+		// should return nil (no new blocks) without error
+		blockRange, err := lp.getMasterchainBlockRange(context.Background())
+		require.NoError(t, err)
+		require.Nil(t, blockRange, "no new blocks when seqno matches lastProcessedBlock")
+	})
+}
+
 func TestComputeLookbackWindow(t *testing.T) {
 	t.Run("Basic lookback calculation", func(t *testing.T) {
 		currentSeqNo := uint32(1000)

pkg/logpoller/loader/loader.go

@@ -244,6 +244,10 @@ func (l *rawTxLoader) listTransactionsWithBlock(ctx context.Context, addr *addre
 			return nil, nil, fmt.Errorf("failed to parse cell from transaction bytes: %w", err)
 		}
 
+		if err = validateTransactionListResponse(len(txList), len(t.IDs), limit); err != nil {
+			return nil, nil, err
+		}
+
 		resTxs := make([]*tlb.Transaction, len(txList))
 		resBlocks := make([]*ton.BlockIDExt, len(txList))
 
@@ -289,3 +293,15 @@ func (l *rawTxLoader) listTransactionsWithBlock(ctx context.Context, addr *addre
 
 	return nil, nil, errors.New("unknown response type")
 }
+
+// validateTransactionListResponse validates liteserver response to prevent DoS attacks.
+// checks that response doesn't exceed requested limit and that block IDs array matches transaction count (runtime panic prevention).
+func validateTransactionListResponse(txCount, idsCount int, limit uint32) error {
+	if txCount > int(limit) {
+		return fmt.Errorf("liteserver returned %d transactions, exceeding requested limit %d", txCount, limit)
+	}
+	if idsCount != txCount {
+		return fmt.Errorf("block IDs count (%d) does not match transaction count (%d)", idsCount, txCount)
+	}
+	return nil
+}

pkg/logpoller/loader/loader_test.go

@@ -0,0 +1,34 @@
+package loader
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestValidateTransactionListResponse(t *testing.T) {
+	tests := []struct {
+		name      string
+		txCount   int
+		idsCount  int
+		limit     uint32
+		expectErr bool
+	}{
+		{"valid response within limit", 10, 10, 100, false},
+		{"response at exact limit", 100, 100, 100, false},
+		{"response exceeding limit", 101, 101, 100, true},
+		{"mismatched IDs count (fewer)", 10, 5, 100, true},
+		{"mismatched IDs count (more)", 5, 10, 100, true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := validateTransactionListResponse(tt.txCount, tt.idsCount, tt.limit)
+			if tt.expectErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}

pkg/logpoller/parser.go

@@ -66,6 +66,11 @@ func (lp *service) parseTx(tx *tlb.Transaction, block *ton.BlockIDExt, chainID s
 		return nil, errors.New("transaction is nil")
 	}
 
+	// validate block metadata is present - required for log storage
+	if block == nil {
+		return nil, errors.New("block is nil")
+	}
+
 	if tx.IO.Out == nil {
 		// this should never happen, since we filter out transactions without output messages in the loader
 		return nil, errors.New("transaction has no output messages")

pkg/logpoller/parser_test.go

@@ -0,0 +1,28 @@
+package logpoller
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"github.com/xssnick/tonutils-go/tlb"
+	"github.com/xssnick/tonutils-go/ton"
+
+	"github.com/smartcontractkit/chainlink-ton/pkg/logpoller/models"
+)
+
+func TestParseTxValidation(t *testing.T) {
+	// minimal service for testing - only need to test nil checks
+	lp := &service{}
+	filterIndex := models.FilterIndex{}
+
+	t.Run("rejects nil transaction", func(t *testing.T) {
+		_, err := lp.parseTx(nil, &ton.BlockIDExt{}, "chainID", filterIndex)
+		require.Error(t, err)
+	})
+
+	t.Run("rejects nil block", func(t *testing.T) {
+		tx := &tlb.Transaction{}
+		_, err := lp.parseTx(tx, nil, "chainID", filterIndex)
+		require.Error(t, err)
+	})
+}

pkg/ton/tvm/wallet.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/xssnick/tonutils-go/address"
 	"github.com/xssnick/tonutils-go/ton"
 	"github.com/xssnick/tonutils-go/ton/wallet"
 )
@@ -70,7 +71,7 @@ func MyLocalTONWalletDefault(client ton.APIClientWrapped) (*wallet.Wallet, error
 	if err != nil {
 		return nil, fmt.Errorf("failed to create highload wallet: %w", err)
 	}
-	mcFunderWallet, err := wallet.FromPrivateKeyWithOptions(client, rawHlWallet.PrivateKey(), walletVersion, wallet.WithWorkchain(-1))
+	mcFunderWallet, err := wallet.FromPrivateKeyWithOptions(client, rawHlWallet.PrivateKey(), walletVersion, wallet.WithWorkchain(int8(address.MasterchainID)))
 	if err != nil {
 		return nil, fmt.Errorf("failed to create highload wallet: %w", err)
 	}