[codex] add evm-only staking precompile#3616
Conversation
|
The latest Buf updates on your PR. Results from workflow Buf / buf (pull_request).
|
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## codex/sei-v3-evm-only-scaffold #3616 +/- ##
==================================================================
- Coverage 58.27% 58.15% -0.13%
==================================================================
Files 2176 2187 +11
Lines 176783 178461 +1678
==================================================================
+ Hits 103024 103781 +757
- Misses 64710 65383 +673
- Partials 9049 9297 +248
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
PR SummaryHigh Risk Overview The executor now runs registered precompile contracts (not only fail-closed placeholders) via a new adapter that builds a The precompile API splits module state into Staking implements create/edit validator, delegate, redelegate, undelegate, queries, commission checks, JSON-backed indexes, and end-block validator-set reconciliation, mature unbonding/redelegation, and historical info—payable stake goes to a deterministic escrow address in usei. Unimplemented registry addresses still return Documentation and broad executor e2e / staking unit tests cover payable forwarding and a full delegation lifecycle through maturity. Reviewed by Cursor Bugbot for commit accacbf. Bugbot is set up for automated code reviews on this repo. Configure here. |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
codchen
force-pushed
the
codex/sei-v3-evm-only-scaffold
branch
2 times, most recently
from
ab82ec3 to
23fc6d3
Compare
| record, ok, err := getUnbondingDelegation(ctx.Store, pair.DelegatorAddress, pair.ValidatorAddress) | ||
| if err != nil || !ok { | ||
| return err | ||
| } |
There was a problem hiding this comment.
Missing unbonding record skips payout
Medium Severity
In completeUnbonding and completeRedelegation, when the store lookup returns ok == false with a nil error, the functions return success instead of failing. The mature-queue loop still deletes queue entries, so a queued unbonding pair without a matching record can be dropped without releasing escrowed stake or cleaning redelegation indexes.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit b90eb37. Configure here.
There was a problem hiding this comment.
this is consistent with cosmos behavior
codchen
force-pushed
the
codex/evmonly-staking-precompile
branch
2 times, most recently
from
27e3acc to
550f6fa
Compare
![seidroid[bot]](https://avatars.githubusercontent.com/in/2745135?s=60&v=4){kind=small}
There was a problem hiding this comment.
Adds the first SDK-free staking custom precompile for the evm-only executor, with byte-keyed storage-backed state, an end-block hook, and a thorough test suite including a full delegate→redelegate→undelegate lifecycle. The implementation closely mirrors Cosmos staking semantics and looks correct; the main open concern is flat gas accounting for state-growing operations. No blocking correctness bugs found.
Findings: 0 blocking | 9 non-blocking | 4 posted inline
Blockers
- None at the file/PR level.
Non-blocking
- Gas accounting (Codex finding #1): custom precompile execution charges only the flat RequiredGas (writeGas=20000 + 16/byte). Staking writes JSON-encoded indexes (validators index, per-validator/per-delegator delegation lists, queues) that are re-read, sorted, and re-serialized into chunked storage slots on every mutation — O(n) SSTOREs charged as a flat fee. Block gas therefore does not bound precompile state growth or runtime, allowing cheap unbounded index growth. This mirrors existing Sei precompile flat-gas behavior and the evm-only path is documented as early-integration, so non-blocking — but should be revisited before production (per-operation/per-byte-of-stored-state metering).
- Disagree with Codex finding #2 (editValidator minSelfDelegation vs validator.Tokens): Cosmos x/staking msg_server.EditValidator also checks
MinSelfDelegation.GT(validator.Tokens), not self-delegation. The implementation here is faithful Cosmos parity, not a new invariant break. - Disagree with Codex finding #3 (commission max-change uses signed delta, not abs): Cosmos
Commission.ValidateNewRateuses signednewRate.Sub(c.Rate).GT(MaxChangeRate)and also permits unbounded decreases. The code (and its comment) intentionally matches upstream, so this is parity rather than a bug. - Cursor second-opinion review file (cursor-review.md) is empty — that pass produced no output. REVIEW_GUIDELINES.md is also empty/absent, so no repo-specific standards were applied.
- Documented limitations (no rewards/slashing/jailing, shares track tokens 1:1, historical info recorded in end-block rather than begin-block) are clearly noted in the README; just confirm downstream consumers/indexers tolerate the zero-amount DelegationRewardsWithdrawn events and the deferred historical-info availability.
- 4 suggestion(s)/nit(s) flagged inline on specific lines.
| if isTransaction(method.Name) { | ||
| gas = writeGas | ||
| } | ||
| return gas + inputByteGas*uint64(len(input)) //nolint:gosec // input length is bounded by memory. |
There was a problem hiding this comment.
[suggestion] Gas is flat per call (writeGas + 16/byte of input) regardless of how much module-like state the operation rewrites. delegate/redelegate/undelegate rewrite O(n) JSON index lists (validators index, per-validator/per-delegator delegation lists, time queues) into chunked storage slots, so the real SSTORE/CPU cost can far exceed the charged gas, and block gas no longer bounds state growth. This matches existing Sei precompile flat-gas semantics and the path is experimental, so not blocking — but worth per-operation metering before this backs production state. (Codex finding #1.)
| if err != nil { | ||
| return nil, err | ||
| } | ||
| if minSelfDelegation.Cmp(tokens) > 0 { |
There was a problem hiding this comment.
[nit] Codex flags this as comparing minSelfDelegation against validator.Tokens (which includes third-party delegations). Note this matches Cosmos x/staking msg_server.EditValidator, which also checks msg.MinSelfDelegation.GT(validator.Tokens). So this is faithful parity, not a newly introduced invariant break — no change needed unless intentional divergence from Cosmos is desired here.
| return errCommissionNegative | ||
| case newRate.Cmp(maxRate) > 0: | ||
| return errCommissionGTMaxRate | ||
| case new(big.Rat).Sub(newRate, oldRate).Cmp(maxChange) > 0: |
There was a problem hiding this comment.
[nit] Codex flags that large commission decreases bypass the max-change check because this uses signed newRate - oldRate rather than the absolute delta. This actually matches Cosmos Commission.ValidateNewRate, which likewise uses the signed delta and allows unbounded decreases. Given the stated goal of Cosmos parity (and the function doc), this is correct as written — not a bug.
| } else if err := addPoolNotBonded(ctx.Store, useiAmount); err != nil { | ||
| return nil, err | ||
| } | ||
| p.emit(ctx, "Delegate", ctx.Caller, validatorAddress, util.CloneBig(ctx.ApparentValue)) |
There was a problem hiding this comment.
[nit] Minor unit inconsistency: the Delegate event emits the raw wei ApparentValue (18 decimals), while Undelegate (line 392) and Redelegate (line 334) emit the usei amount arg (6 decimals). Worth confirming this matches the canonical Sei staking precompile event semantics so indexers decode all three consistently.
Address review findings on the SDK-free staking precompile: - redelegate/undelegate now enforce Cosmos guardrails: reject self-redelegation, transitive redelegation, and over-MaxEntries unbonding/redelegation entries. - delegation shares are reported as an sdk.Dec (scaled by 10^precision) to match the keeper-backed precompile. - create/editValidator validate commission bounds, the 24h rate-change rule, and min-self-delegation increase/cap; stricter decimal parsing rejects fraction/scientific forms. - historicalInfo query is read-only again; historical info is tracked and pruned in the end-block hook. - powerReduction set to 1_000_000 (Sei DefaultPowerReduction); tests use SEI-scale stakes. - validators query no longer re-reads validators; README documents the staking parity limitations. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
codchen
force-pushed
the
codex/evmonly-staking-precompile
branch
from
550f6fa to
accacbf
Compare
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit accacbf. Configure here.
| } | ||
| if err := setHistoricalInfo(ctx.Store, ctx.Block.Number); err != nil { | ||
| return nil, err | ||
| } |
There was a problem hiding this comment.
Historical param ignored on writes
Low Severity
createValidator and editValidator always call setHistoricalInfo during the transaction, while end-block trackHistoricalInfo skips recording when HistoricalEntries is zero. With historical tracking disabled via params, validator create/edit can still persist and index historical snapshots, diverging from the intended Cosmos-style behavior.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit accacbf. Configure here.
There was a problem hiding this comment.
Adds a substantial, well-tested SDK-free staking precompile for the evm-only executor. The main blocker is that createValidator accepts an arbitrary/empty consensus pubkey, which can later be emitted as an invalid consensus ValidatorUpdate; there are also a few divergences from Cosmos staking semantics (tie-break ordering, unenforced MaxVotingPowerRatio) and a flat gas model worth addressing.
Findings: 1 blocking | 7 non-blocking | 3 posted inline
Blockers
- None at the file/PR level.
- 1 blocking issue(s) flagged inline on specific lines.
Non-blocking
- MaxVotingPowerRatio / MaxVotingPowerEnforcementThreshold are surfaced in Params but never enforced anywhere in delegate/createValidator/redelegate/endblock, so a validator can accumulate more than the configured maximum voting-power share. Defaults are "0" (disabled) so there's no immediate impact, but if a non-zero ratio is ever loaded it is silently ignored. (Raised by Codex.) Either enforce it or document the gap explicitly in README's limitations list.
- Gas is charged as a flat readGas/writeGas plus per-input-byte, independent of how much state is actually written. Mutating handlers rewrite whole JSON blobs and re-sort/rewrite entire string-list indexes (validators/index, delegator/validator delegation indexes, queues) — O(n) storage slots for a fixed 20000 gas. On a live chain this underprices unbounded state growth and is a potential DoS vector; consider metering by bytes/slots written before this path is production-wired.
- util.EmitEvent silently swallows Pack errors (returns without emitting), so a future event/ABI mismatch would drop logs with no signal. A test or at least a comment documenting the intentional best-effort behavior would help.
- Cursor's second-opinion review (cursor-review.md) produced no output / was empty.
- Codex's review aligned with the findings here: consensus-pubkey validation (reported as the inline blocker), the equal-power tie-break ordering, and the unenforced MaxVotingPowerRatio.
- 2 suggestion(s)/nit(s) flagged inline on specific lines.
| commissionMaxRate := args[3].(string) | ||
| commissionMaxChangeRate := args[4].(string) | ||
| minSelfDelegation := args[5].(*big.Int) | ||
| pubKey, err := hex.DecodeString(pubKeyHex) |
There was a problem hiding this comment.
[blocker] createValidator hex-decodes pubKeyHex with no length/format validation, so an empty string or any wrong-length byte string is accepted as the consensus pubkey. That key is stored on the Validator and later emitted verbatim as precompiles.ValidatorUpdate{PubKey: ...} from endblock.go, which feeds consensus validator-set updates. The Cosmos path requires a valid cryptotypes.PubKey of a type supported by the consensus params; here an empty or malformed (e.g. non-32-byte ed25519) key produces an invalid validator update. Validate the decoded length against the expected consensus key type before accepting. (Also flagged by Codex.)
| if left != right { | ||
| return left > right | ||
| } | ||
| return validators[i].OperatorAddress < validators[j].OperatorAddress |
There was a problem hiding this comment.
[suggestion] Equal-power ties are broken by OperatorAddress in ascending order. Cosmos's power index orders tied validators by operator address in descending byte order (addresses are stored complemented in the ValidatorsByPower index). When tied candidates straddle the MaxValidators cutoff, this can select a different bonded set than the staking rules being replicated. Ordering is deterministic, but to match Cosmos consider reversing the tie-break (or document the intentional divergence). (Also flagged by Codex.)
| } else if err := addPoolNotBonded(ctx.Store, useiAmount); err != nil { | ||
| return nil, err | ||
| } | ||
| p.emit(ctx, "Delegate", ctx.Caller, validatorAddress, util.CloneBig(ctx.ApparentValue)) |
There was a problem hiding this comment.
[nit] The Delegate event amount is emitted in wei (ctx.ApparentValue), whereas Undelegate/Redelegate emit the usei amount. This unit inconsistency across the events is a footgun for log consumers — confirm it intentionally mirrors the legacy Sei staking precompile, and consider a comment noting it.
1 participant
Summary
Adds the first SDK-free custom precompile for the evm-only executor: staking at
0x0000000000000000000000000000000000001005.This PR wires custom precompile execution into the evm-only executor, stores precompile module-like state as storage owned by the precompile address, and adds an end-block hook for staking validator-set updates and delayed redelegation/undelegation completion. It also keeps staking token handling explicitly usei-only for the evm-only path.
Details
giga/evmonly/precompiles/util.Validation
go test ./giga/evmonly/...