scrtlabs · valdok · Jul 28, 2025 · Feb 21, 2025 · Feb 26, 2025 · Apr 10, 2025
@@ -82,6 +82,7 @@ import (
 	slashingtypes "github.com/cosmos/cosmos-sdk/x/slashing/types"
 	capabilitykeeper "github.com/cosmos/ibc-go/modules/capability/keeper"
 	capabilitytypes "github.com/cosmos/ibc-go/modules/capability/types"
+	crontypes "github.com/scrtlabs/SecretNetwork/x/cron/types"
 
 	"cosmossdk.io/log"
 	upgradetypes "cosmossdk.io/x/upgrade/types"
@@ -322,6 +323,7 @@ func NewSecretNetworkApp(
 		panic(err)
 	}
 	app.txConfig = txConfig
+	app.AppKeepers.CronKeeper.SetTxConfig(txConfig)
 
 	app.AppKeepers.InitCustomKeepers(appCodec, legacyAmino, bApp, bootstrap, homePath, computeConfig)
 	app.setupUpgradeStoreLoaders()
@@ -591,6 +593,7 @@ func SetOrderBeginBlockers(app *SecretNetworkApp) {
 		compute.ModuleName,
 		reg.ModuleName,
 		ibcswitchtypes.ModuleName,
+		crontypes.ModuleName,
 		circuittypes.ModuleName,
 	)
 }
@@ -624,6 +627,7 @@ func SetOrderInitGenesis(app *SecretNetworkApp) {
 
 		ibcfeetypes.ModuleName,
 		feegrant.ModuleName,
+		crontypes.ModuleName,
 		circuittypes.ModuleName,
 	)
 }
@@ -653,6 +657,7 @@ func SetOrderEndBlockers(app *SecretNetworkApp) {
 		compute.ModuleName,
 		reg.ModuleName,
 		ibcswitchtypes.ModuleName,
+		crontypes.ModuleName,
 		circuittypes.ModuleName,
 	)
 }
@@ -33,6 +33,7 @@ import (
 	"github.com/cosmos/ibc-go/v8/modules/apps/transfer"
 	ibc "github.com/cosmos/ibc-go/v8/modules/core"
 	ibctm "github.com/cosmos/ibc-go/v8/modules/light-clients/07-tendermint"
+	"github.com/scrtlabs/SecretNetwork/x/cron"
 	ibcswitch "github.com/scrtlabs/SecretNetwork/x/emergencybutton"
 
 	codectypes "github.com/cosmos/cosmos-sdk/codec/types"
@@ -78,6 +79,7 @@ var mbasics = module.NewBasicManager(
 		ica.AppModuleBasic{},
 		packetforwardrouter.AppModuleBasic{},
 		ibcfee.AppModuleBasic{},
+		cron.AppModuleBasic{},
 	},
 		// our stuff
 		customModuleBasics()...,

@@ -55,6 +55,9 @@ import (
 	ibcexported "github.com/cosmos/ibc-go/v8/modules/core/exported"
 	ibckeeper "github.com/cosmos/ibc-go/v8/modules/core/keeper"
 	"github.com/scrtlabs/SecretNetwork/x/compute"
+	cronkeeper "github.com/scrtlabs/SecretNetwork/x/cron/keeper"
+	crontypes "github.com/scrtlabs/SecretNetwork/x/cron/types"
+
 	reg "github.com/scrtlabs/SecretNetwork/x/registration"
 
 	ibcpacketforwardkeeper "github.com/cosmos/ibc-apps/middleware/packet-forward-middleware/v8/packetforward/keeper"
@@ -81,6 +84,7 @@ type SecretAppKeepers struct {
 	AuthzKeeper      *authzkeeper.Keeper
 	BankKeeper       *bankkeeper.BaseKeeper
 	CapabilityKeeper *capabilitykeeper.Keeper
+	CronKeeper       *cronkeeper.Keeper
 	StakingKeeper    *stakingkeeper.Keeper
 	SlashingKeeper   *slashingkeeper.Keeper
 	MintKeeper       *mintkeeper.Keeper
@@ -237,6 +241,15 @@ func (ak *SecretAppKeepers) InitSdkKeepers(
 	)
 	ak.CircuitKeeper = &circuitKeeper
 
+	cronKeeper := cronkeeper.NewKeeper(
+		appCodec,
+		ak.keys[crontypes.StoreKey],
+		ak.memKeys[crontypes.StoreKey],
+		ak.AccountKeeper,
+		authtypes.NewModuleAddress(crontypes.ModuleName).String(),
+	)
+	ak.CronKeeper = cronKeeper
+
 	feegrantKeeper := feegrantkeeper.NewKeeper(
 		appCodec,
 		runtime.NewKVStoreService(ak.keys[feegrant.StoreKey]),
@@ -370,6 +383,7 @@ func (ak *SecretAppKeepers) InitCustomKeepers(
 		bootstrap,
 	)
 	ak.RegKeeper = &regKeeper
+	ak.CronKeeper.SetRegKeeper(regKeeper)
 
 	// Assaf:
 	// Rules:
@@ -515,6 +529,7 @@ func (ak *SecretAppKeepers) InitCustomKeepers(
 		runtime.NewKVStoreService(ak.keys[compute.StoreKey]),
 		*ak.AccountKeeper,
 		ak.BankKeeper,
+		*ak.CronKeeper,
 		*ak.GovKeeper,
 		*ak.DistrKeeper,
 		*ak.MintKeeper,
@@ -537,6 +552,12 @@ func (ak *SecretAppKeepers) InitCustomKeepers(
 	ak.ComputeKeeper = &computeKeeper
 	wasmHooks.ContractKeeper = ak.ComputeKeeper
 
+	// wasmMsgServer := compute.NewMsgServerImpl(*ak.ComputeKeeper)
+	// fmt.Printf("wasmMsgServer: %+v\n", wasmMsgServer)
+	// ak.CronKeeper.WasmMsgServer = compute.NewCronWasmMsgServerAdapter(wasmMsgServer)
+	// ak.ComputeKeeper.SetCronKeeper(*ak.CronKeeper)
+	// fmt.Printf("ak.CronKeeper.WasmMsgServer: %+v\n", ak.CronKeeper.WasmMsgServer)
+
 	// Compute receive: Switch -> Fee -> Packet Forward -> WASM Hooks
 	var computeStack porttypes.IBCModule
 	computeStack = compute.NewIBCHandler(ak.ComputeKeeper, ak.IbcKeeper.ChannelKeeper, ak.IbcFeeKeeper)
@@ -589,6 +610,7 @@ func (ak *SecretAppKeepers) InitKeys() {
 		ibcswitch.StoreKey,
 		ibchookstypes.StoreKey,
 		circuittypes.StoreKey,
+		crontypes.StoreKey,
 	)
 
 	ak.tKeys = storetypes.NewTransientStoreKeys(paramstypes.TStoreKey)
@@ -612,6 +634,7 @@ func initParamsKeeper(appCodec codec.BinaryCodec, legacyAmino *codec.LegacyAmino
 	paramsKeeper.Subspace(compute.ModuleName)
 	paramsKeeper.Subspace(reg.ModuleName)
 	paramsKeeper.Subspace(ibcswitch.ModuleName).WithKeyTable(ibcswitchtypes.ParamKeyTable())
+	paramsKeeper.Subspace(crontypes.ModuleName)
 
 	return paramsKeeper
 }
@@ -39,6 +39,8 @@ import (
 	ibc "github.com/cosmos/ibc-go/v8/modules/core"
 	ibctm "github.com/cosmos/ibc-go/v8/modules/light-clients/07-tendermint"
 	"github.com/scrtlabs/SecretNetwork/x/compute"
+	"github.com/scrtlabs/SecretNetwork/x/cron"
+	crontypes "github.com/scrtlabs/SecretNetwork/x/cron/types"
 	ibcswitch "github.com/scrtlabs/SecretNetwork/x/emergencybutton"
 	reg "github.com/scrtlabs/SecretNetwork/x/registration"
 )
@@ -55,6 +57,7 @@ var ModuleAccountPermissions = map[string][]string{
 	ibcfeetypes.ModuleName:         nil,
 	ibcswitch.ModuleName:           nil,
 	compute.ModuleName:             {authtypes.Burner},
+	crontypes.ModuleName:           nil,
 }
 
 func Modules(
@@ -88,5 +91,6 @@ func Modules(
 		packetforward.NewAppModule(app.AppKeepers.PacketForwardKeeper, app.AppKeepers.GetSubspace(packetforwardtypes.ModuleName)),
 		ibcfee.NewAppModule(app.AppKeepers.IbcFeeKeeper),
 		ibcswitch.NewAppModule(app.AppKeepers.IbcSwitchKeeper, app.AppKeepers.GetSubspace(ibcswitch.ModuleName)),
+		cron.NewAppModule(app.appCodec, *app.AppKeepers.CronKeeper),
 	}
 }
@@ -91,9 +91,9 @@ block-verifier = { path = "../shared/block-verifier", optional = true }
 time = "=0.3.17"
 ed25519-dalek = { version = "1.0", default-features = false }
 sha2 = "0.10"
-tendermint = { git = "https://github.com/scrtlabs/tendermint-rs", tag = "v0.38.0-secret.4", default-features = false, features = ["rust-crypto"] }
-tendermint-proto = { git = "https://github.com/scrtlabs/tendermint-rs", tag = "v0.38.0-secret.4", default-features = false }
-tendermint-light-client-verifier = { git = "https://github.com/scrtlabs/tendermint-rs", tag = "v0.38.0-secret.4", default-features = false, features = ["rust-crypto"] }
+tendermint = { git = "https://github.com/scrtlabs/tendermint-rs", tag = "v0.38.0-secret.9-add-implicit-hash", default-features = false, features = ["rust-crypto"] }
+tendermint-proto = { git = "https://github.com/scrtlabs/tendermint-rs", tag = "v0.38.0-secret.9-add-implicit-hash", default-features = false }
+tendermint-light-client-verifier = { git = "https://github.com/scrtlabs/tendermint-rs", tag = "v0.38.0-secret.9-add-implicit-hash", default-features = false, features = ["rust-crypto"] }
 
 [dependencies.webpki]
 git = "https://github.com/mesalock-linux/webpki"

@@ -199,7 +199,9 @@ enclave {
             [in, count=in_encrypted_random_len] const uint8_t* in_encrypted_random,
             uintptr_t in_encrypted_random_len,
             [out, count=32] uint8_t* decrypted,
-            [out, count=32] uint8_t* next_validator_set_evidence
+            [out, count=32] uint8_t* next_validator_set_evidence,
+            [in, count=in_cron_msgs_len] const uint8_t* in_cron_msgs,
+            uintptr_t in_cron_msgs_len
         );
     };
 

@@ -17,6 +17,8 @@ pub unsafe extern "C" fn ecall_submit_block_signatures(
     in_encrypted_random_len: u32,
     decrypted_random: &mut [u8; 32],
     next_validator_set_evidence: &mut [u8; 32],
+    in_cron_msgs: *const u8,
+    in_cron_msgs_len: u32,
 ) -> sgx_status_t {
     #[cfg(feature = "light-client-validation")]
     {
@@ -31,6 +33,8 @@ pub unsafe extern "C" fn ecall_submit_block_signatures(
             in_encrypted_random_len,
             decrypted_random,
             next_validator_set_evidence,
+            in_cron_msgs,
+            in_cron_msgs_len,
         )
     }
 

@@ -18,9 +18,10 @@ sgx_trts = {rev = "d2d339cbb005f676bb700059bd51dc689c025f6b", git = "https://git
 sgx_types = { rev = "d2d339cbb005f676bb700059bd51dc689c025f6b", git = "https://github.com/apache/teaclave-sgx-sdk.git" }
 
 [dependencies]
-tendermint = { git = "https://github.com/scrtlabs/tendermint-rs", tag = "v0.38.0-secret.4", default-features = false, features = ["rust-crypto"] }
-tendermint-proto = { git = "https://github.com/scrtlabs/tendermint-rs", tag = "v0.38.0-secret.4", default-features = false }
-tendermint-light-client-verifier = { git = "https://github.com/scrtlabs/tendermint-rs", tag = "v0.38.0-secret.4", default-features = false, features = ["rust-crypto"] }
+sha2 = "0.10"
+tendermint = { git = "https://github.com/scrtlabs/tendermint-rs", tag = "v0.38.0-secret.9-add-implicit-hash", default-features = false, features = ["rust-crypto"] }
+tendermint-proto = { git = "https://github.com/scrtlabs/tendermint-rs", tag = "v0.38.0-secret.9-add-implicit-hash", default-features = false }
+tendermint-light-client-verifier = { git = "https://github.com/scrtlabs/tendermint-rs", tag = "v0.38.0-secret.9-add-implicit-hash", default-features = false, features = ["rust-crypto"] }
 lazy_static = "1.4.0"
 log = "0.4.17"
 

@@ -1,10 +1,15 @@
+use core::convert::TryInto;
 use std::slice;
 
 use sgx_types::sgx_status_t;
 
 use enclave_utils::{validate_const_ptr, validate_input_length, validate_mut_ptr, KEY_MANAGER};
 use log::debug;
 use log::error;
+use std::convert::TryFrom;
+use tendermint::signature::Ed25519Signature;
+use tendermint::Hash;
+use tendermint::Signature;
 
 macro_rules! unwrap_or_return {
     ($result:expr) => {
@@ -18,6 +23,8 @@ macro_rules! unwrap_or_return {
 use crate::txs::tx_from_bytes;
 use crate::wasm_messages::VERIFIED_BLOCK_MESSAGES;
 
+use sha2::{Digest, Sha256};
+
 const MAX_VARIABLE_LENGTH: u32 = 100_000;
 const MAX_BLOCK_DATA_LENGTH: u32 = 22_020_096; // 21 MiB = max block size
 const RANDOM_PROOF_LEN: u32 = 80;
@@ -37,6 +44,8 @@ pub unsafe fn submit_block_signatures_impl(
     in_encrypted_random_len: u32,
     decrypted_random: &mut [u8; 32],
     next_validator_set_evidence: &mut [u8; 32],
+    in_cron_msgs: *const u8,
+    in_cron_msgs_len: u32,
 ) -> sgx_status_t {
     if let Err(e) = validate_inputs(
         in_header,
@@ -62,6 +71,12 @@ pub unsafe fn submit_block_signatures_impl(
         &[]
     };
 
+    let cron_msgs_slice = if in_cron_msgs_len != 0 && !in_cron_msgs.is_null() {
+        slice::from_raw_parts(in_cron_msgs, in_cron_msgs_len as usize)
+    } else {
+        &[]
+    };
+
     let (validator_set, height) = {
         let extra = KEY_MANAGER.extra_data.lock().unwrap();
         let validator_set = match extra.decode_validator_set() {
@@ -86,6 +101,20 @@ pub unsafe fn submit_block_signatures_impl(
 
     let txs = unwrap_or_return!(crate::verify::txs::validate_txs(txs_slice, &header));
 
+    let cron_msgs = if cron_msgs_slice.len() > 0 {
+        let msgs = crate::txs::txs_from_bytes(cron_msgs_slice).map_err(|e| {
+            error!("Error parsing cron msgs from proto: {:?}", e);
+            sgx_status_t::SGX_ERROR_INVALID_PARAMETER
+        });
+        if msgs.is_err() {
+            error!("Error parsing cron msgs from proto: {:?}", msgs);
+            return sgx_status_t::SGX_ERROR_INVALID_PARAMETER;
+        }
+        Some(msgs.unwrap())
+    } else {
+        None
+    };
+
     let mut message_verifier = VERIFIED_BLOCK_MESSAGES.lock().unwrap();
 
     if message_verifier.remaining() != 0 {
@@ -104,6 +133,31 @@ pub unsafe fn submit_block_signatures_impl(
         message_verifier.append_msg_from_tx(parsed_tx);
     }
 
+    let mut hasher = Sha256::new();
+    hasher.update(cron_msgs_slice);
+    let hash_result = hasher.finalize();
+    let hash_result: [u8; 32] = hash_result.into();
+
+    let implicit_hash = tendermint::Hash::Sha256(hash_result);
+
+    if implicit_hash != header.header.implicit_hash {
+        error!("Implicit hash does not match header implicit hash");
+        return sgx_status_t::SGX_ERROR_INVALID_PARAMETER;
+    }
+
+    if let Some(cron_msgs) = cron_msgs {
+        for msg in cron_msgs {
+            let parsed_cron_msg = unwrap_or_return!(tx_from_bytes(msg.as_slice()).map_err(|_| {
+                error!("Unable to parse tx bytes from proto");
+                sgx_status_t::SGX_ERROR_INVALID_PARAMETER
+            }));
+
+            dbg!(&parsed_cron_msg);
+
+            message_verifier.append_msg_from_tx(parsed_cron_msg);
+        }
+    }
+
     message_verifier.set_block_info(
         header.header.height.value(),
         header.header.time.unix_timestamp_nanos(),

@@ -1,14 +1,15 @@
+use crate::verify::block::verify_block;
+use core::time::Duration;
 use log::error;
 use sgx_types::sgx_status_t;
+use sha2::{Digest, Sha256};
 use tendermint::block::signed_header::SignedHeader;
 use tendermint::block::{Commit, Header};
 use tendermint::validator::Set;
 use tendermint_light_client_verifier::types::UntrustedBlockState;
 use tendermint_proto::v0_38::types::Header as RawHeader;
 use tendermint_proto::Protobuf;
 
-use crate::verify::block::verify_block;
-
 pub fn validate_block_header(
     block_header_slice: &[u8],
     validator_set: &Set,
@@ -32,10 +33,20 @@ pub fn validate_block_header(
         return Err(sgx_status_t::SGX_ERROR_FILE_RECOVERY_NEEDED);
     }
 
+    if signed_header.header.hash() != signed_header.commit.block_id.hash {
+        error!(
+            "Error verifying block hash in header! got {:?}, expected: {:?}",
+            signed_header.header.hash(),
+            signed_header.commit.block_id.hash
+        );
+        return Err(sgx_status_t::SGX_ERROR_INVALID_PARAMETER);
+    }
+
     let untrusted_block = UntrustedBlockState {
         signed_header: &signed_header,
         validators: validator_set,
         next_validators: None,
+        implicit_hash: signed_header.header.implicit_hash,
     };
 
     let result = verify_block(&untrusted_block);