fix(dpp): validate encrypted_note length in structure validation

[QuantumExplorer]

Issue being fixed or feature implemented

Defense-in-depth: the encrypted_note field in each SerializedAction must be exactly 216 bytes (epk 32 + enc_ciphertext 104 + out_ciphertext 80). Currently this is only validated deep in the ABCI layer during reconstruct_and_verify_bundle. Adding early validation in the DPP validate_structure rejects oversized/malformed data before it wastes network bandwidth.

What was done?

• Added a new ShieldedEncryptedNoteSizeMismatchError consensus error (code 10823) with expected_size and actual_size fields
• Added ENCRYPTED_NOTE_SIZE constant (216) and validate_encrypted_note_sizes() function in common_validation.rs
• Called validate_encrypted_note_sizes from all 5 shielded transition types' validate_structure implementations:
  • ShieldTransitionV0
  • ShieldFromAssetLockTransitionV0
  • ShieldedTransferTransitionV0
  • UnshieldTransitionV0
  • ShieldedWithdrawalTransitionV0
• Added 7 unit tests in common_validation.rs covering correct size, too short, too long, empty, multiple actions, and second-action-invalid scenarios
• Added 1 integration test per transition type (5 total) verifying rejection of invalid encrypted_note sizes

How Has This Been Tested?

• cargo fmt -p dpp -- passes
• cargo check -p dpp -- compiles cleanly
• cargo test -p dpp -- shielded -- all 74 tests pass (12 new tests added)

Breaking Changes

None. This is a purely additive validation that catches invalid data earlier.

Checklist:

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have added or updated relevant unit/integration/functional/e2e tests
• I have added "!" to the title and described breaking changes in the corresponding section if my code contains any
• I have made corresponding changes to the documentation if needed

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Enforces exact encrypted-note size across all shielded transaction types, rejecting invalid notes early in structure validation.
  • Adds a clear ShieldedEncryptedNoteSizeMismatchError reported when sizes mismatch, surfaced in both native and WASM error paths.

• Tests

  • Added comprehensive unit tests covering valid cases and multiple invalid encrypted-note size scenarios, and updated integration tests to expect the earlier validation error.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2f71d234-8646-48cd-9dff-94ad260ffe76

📥 Commits

Reviewing files that changed from the base of the PR and between 6f940d7 and 444de8d.

📒 Files selected for processing (4)

• packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/shield/tests.rs
• packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/shielded_transfer/tests.rs
• packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/shielded_withdrawal/tests.rs
• packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/unshield/tests.rs

---

📝 Walkthrough

Walkthrough

Adds ENCRYPTED_NOTE_SIZE constant and a new ShieldedEncryptedNoteSizeMismatchError type; introduces validate_encrypted_note_sizes() and integrates it into multiple shielded state-transition validators with tests; makes common_validation public; updates error codes, WASM error mapping, and Drive-ABCI to use the canonical size.

Changes

Cohort / File(s)	Summary
Error Type Definition packages/rs-dpp/src/errors/consensus/basic/state_transition/shielded_encrypted_note_size_mismatch_error.rs	New public struct ShieldedEncryptedNoteSizeMismatchError { expected_size: u32, actual_size: u32 } with constructor, accessors, Display, serialization derives, and From→ConsensusError conversion.
Basic Error & Exports packages/rs-dpp/src/errors/consensus/basic/basic_error.rs, packages/rs-dpp/src/errors/consensus/basic/state_transition/mod.rs	Added BasicError::ShieldedEncryptedNoteSizeMismatchError(...) variant and re-exported the new module.
Error Codes & WASM Bridge packages/rs-dpp/src/errors/consensus/codes.rs, packages/wasm-dpp/src/errors/consensus/consensus_error.rs	Mapped the new error to code 10823 and added WASM mapping for ShieldedEncryptedNoteSizeMismatchError in the JS conversion path.
Common Validation packages/rs-dpp/src/state_transition/state_transitions/shielded/common_validation.rs	Added pub const ENCRYPTED_NOTE_SIZE: usize = 216 and pub fn validate_encrypted_note_sizes(actions: &[SerializedAction]) -> SimpleConsensusValidationResult with unit tests.
Shielded Validators packages/rs-dpp/src/state_transition/state_transitions/shielded/.../v0/state_transition_validation.rs (shield_from_asset_lock, shield, shielded_transfer, shielded_withdrawal, unshield)	Each validator now calls validate_encrypted_note_sizes(&self.actions) after action-count checks and short-circuits on mismatch; added tests asserting ShieldedEncryptedNoteSizeMismatchError.
Module Visibility packages/rs-dpp/src/state_transition/state_transitions/shielded/mod.rs	Changed common_validation visibility from pub(crate) to pub to expose ENCRYPTED_NOTE_SIZE and validators.
Drive ABCI Sync & Tests packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/shielded_common/mod.rs, .../tests.rs, .../shielded_transfer/tests.rs, .../shielded_withdrawal/tests.rs, .../unshield/tests.rs	Drive-ABCI now imports canonical ENCRYPTED_NOTE_SIZE and asserts component sizes sum to it; tests adjusted to expect ShieldedEncryptedNoteSizeMismatchError earlier in validation pipeline.

Sequence Diagram(s)

sequenceDiagram
    participant Client as Client
    participant Validator as ShieldedStateTransitionValidator
    participant CV as common_validation::validate_encrypted_note_sizes
    participant Error as ConsensusError
    participant Drive as DriveABCI

    Client->>Validator: submit shielded state transition
    Validator->>CV: validate_encrypted_note_sizes(actions)
    alt sizes match
        CV-->>Validator: Ok
        Validator->>Validator: continue other validations
        Validator-->>Drive: pass validated transition
    else size mismatch
        CV-->>Validator: ShieldedEncryptedNoteSizeMismatchError(expected, actual)
        Validator->>Error: wrap as BasicError::ShieldedEncryptedNoteSizeMismatchError
        Error-->>Client: return consensus error
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 I count each byte with twitching nose and paws,
Two hundred sixteen — that’s my rule and laws.
If notes are short or stretched beyond the line,
I thump and raise an error, tidy and fine. 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 78.05% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: adding validation for encrypted_note length in structure validation, which is the primary focus of this PR.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/validate-encrypted-note-length

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 96.15385% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 75.89%. Comparing base (2fb112c) to head (444de8d).
⚠️ Report is 12 commits behind head on v3.1-dev.

Files with missing lines	Patch %	Lines
...on/state_transitions/shielded/common_validation.rs	92.59%	6 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##           v3.1-dev    #3368      +/-   ##
============================================
+ Coverage     75.87%   75.89%   +0.02%     
============================================
  Files          2912     2914       +2     
  Lines        283860   284254     +394     
============================================
+ Hits         215375   215735     +360     
- Misses        68485    68519      +34     

Components	Coverage Δ
dpp	65.82% <96.15%> (+0.10%)	⬆️
drive	81.66% <ø> (+0.01%)	⬆️
drive-abci	85.98% <ø> (-0.01%)	⬇️
sdk	31.25% <ø> (ø)
dapi-client	79.06% <ø> (ø)
platform-version	∅ <ø> (∅)
platform-value	58.46% <ø> (ø)
platform-wallet	60.40% <ø> (ø)
drive-proof-verifier	48.00% <ø> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

🧹 Nitpick comments (4)

packages/rs-dpp/src/errors/consensus/codes.rs (1)

235-241: Keep the shielded code block numerically sorted.

10823 is currently listed after 10825, which makes this registry a bit harder to audit for gaps or accidental reuse later.

♻️ Suggested reorder

             Self::ShieldedZeroAnchorError(_) => 10821,
             Self::ShieldedInvalidValueBalanceError(_) => 10822,
-            Self::ShieldedTooManyActionsError(_) => 10825,
             Self::ShieldedEncryptedNoteSizeMismatchError(_) => 10823,
+            Self::ShieldedTooManyActionsError(_) => 10825,

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/rs-dpp/src/errors/consensus/codes.rs` around lines 235 - 241, The
shielded error code mapping is out of numerical order: move the match arm for
ShieldedEncryptedNoteSizeMismatchError(_) (10823) so the sequence is sorted
ascending; update the block containing Self::ShieldedNoActionsError,
Self::ShieldedEmptyProofError, Self::ShieldedZeroAnchorError,
Self::ShieldedInvalidValueBalanceError,
Self::ShieldedEncryptedNoteSizeMismatchError, Self::ShieldedTooManyActionsError
to emit codes 10819, 10820, 10821, 10822, 10823, 10825 respectively.

packages/rs-dpp/src/state_transition/state_transitions/shielded/unshield_transition/v0/state_transition_validation.rs (1)

114-127: Assert the reported sizes too.

This only checks the variant, so a regression in the expected_size / actual_size payload would still pass. Matching those fields here would strengthen the transition-level wiring test as well as the reject path.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/rs-dpp/src/state_transition/state_transitions/shielded/unshield_transition/v0/state_transition_validation.rs`
around lines 114 - 127, Update the test
should_reject_invalid_encrypted_note_size to assert the reported expected and
actual sizes in the ShieldedEncryptedNoteSizeMismatchError payload instead of
using a wildcard; after setting transition.actions[0].encrypted_note = vec![4u8;
100] and calling transition.validate_structure(platform_version), pattern-match
the result.errors to
ConsensusError::BasicError(BasicError::ShieldedEncryptedNoteSizeMismatchError {
expected_size, actual_size }) and assert expected_size equals the known correct
size and actual_size equals 100 so the test fails if either value is incorrect;
locate this assertion near the existing assert_matches and adjust the pattern to
capture and compare those fields.

packages/rs-dpp/src/state_transition/state_transitions/shielded/shield_transition/v0/state_transition_validation.rs (1)

33-37: Version this size check like the other consensus limits.

Everything else in this validator pulls consensus bounds from platform_version, but this new helper call makes the encrypted-note length an implicit global constant. Threading platform_version through here now would make a future note-layout change much easier to roll out compatibly.

♻️ Suggested direction

-        let result = validate_encrypted_note_sizes(&self.actions);
+        let result = validate_encrypted_note_sizes(&self.actions, platform_version);

Then resolve the expected encrypted-note size inside the helper from versioned data rather than a global constant.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/rs-dpp/src/state_transition/state_transitions/shielded/shield_transition/v0/state_transition_validation.rs`
around lines 33 - 37, The encrypted-note size check in
validate_encrypted_note_sizes currently relies on a global ENCRYPTED_NOTE_SIZE
constant instead of using versioned consensus limits; update the call site in
state_transition_validation.rs so you pass the platform_version (or versioned
config) into validate_encrypted_note_sizes(&self.actions, platform_version) and
change the helper validate_encrypted_note_sizes to accept that version parameter
and resolve the expected size from the platform_version (instead of
ENCRYPTED_NOTE_SIZE) before validating each action.encrypted_note length; keep
the function name validate_encrypted_note_sizes and the actions field to locate
and modify the code.

packages/rs-dpp/src/state_transition/state_transitions/shielded/common_validation.rs (1)

9-12: LGTM with minor observation.

The constant value 216 correctly matches the breakdown (epk 32 + enc_ciphertext 104 + out_ciphertext 80) and aligns with the ENCRYPTED_NOTE_SIZE in drive-abci's shielded_common module as documented in the comment.

Consider whether this constant could be defined in a shared location (e.g., a common crate) to prevent potential divergence if one is updated without the other. The comment mitigates this by noting the relationship, but a single source of truth would be more robust.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/rs-dpp/src/state_transition/state_transitions/shielded/common_validation.rs`
around lines 9 - 12, The ENCRYPTED_NOTE_SIZE constant is duplicated; move it to
a single shared location and have this module reference that constant instead of
defining its own. Create or use a common crate/module that exports
ENCRYPTED_NOTE_SIZE (the same 216 value) and replace the local const in this
module (the ENCRYPTED_NOTE_SIZE definition and its comment) with an import/use
of the shared symbol; remove the local definition to avoid divergence and update
the doc comment to reference the shared constant (and keep the breakdown
epk/enc_ciphertext/out_ciphertext in the comment for clarity).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@packages/rs-dpp/src/errors/consensus/codes.rs`:
- Around line 235-241: The shielded error code mapping is out of numerical
order: move the match arm for ShieldedEncryptedNoteSizeMismatchError(_) (10823)
so the sequence is sorted ascending; update the block containing
Self::ShieldedNoActionsError, Self::ShieldedEmptyProofError,
Self::ShieldedZeroAnchorError, Self::ShieldedInvalidValueBalanceError,
Self::ShieldedEncryptedNoteSizeMismatchError, Self::ShieldedTooManyActionsError
to emit codes 10819, 10820, 10821, 10822, 10823, 10825 respectively.

In
`@packages/rs-dpp/src/state_transition/state_transitions/shielded/common_validation.rs`:
- Around line 9-12: The ENCRYPTED_NOTE_SIZE constant is duplicated; move it to a
single shared location and have this module reference that constant instead of
defining its own. Create or use a common crate/module that exports
ENCRYPTED_NOTE_SIZE (the same 216 value) and replace the local const in this
module (the ENCRYPTED_NOTE_SIZE definition and its comment) with an import/use
of the shared symbol; remove the local definition to avoid divergence and update
the doc comment to reference the shared constant (and keep the breakdown
epk/enc_ciphertext/out_ciphertext in the comment for clarity).

In
`@packages/rs-dpp/src/state_transition/state_transitions/shielded/shield_transition/v0/state_transition_validation.rs`:
- Around line 33-37: The encrypted-note size check in
validate_encrypted_note_sizes currently relies on a global ENCRYPTED_NOTE_SIZE
constant instead of using versioned consensus limits; update the call site in
state_transition_validation.rs so you pass the platform_version (or versioned
config) into validate_encrypted_note_sizes(&self.actions, platform_version) and
change the helper validate_encrypted_note_sizes to accept that version parameter
and resolve the expected size from the platform_version (instead of
ENCRYPTED_NOTE_SIZE) before validating each action.encrypted_note length; keep
the function name validate_encrypted_note_sizes and the actions field to locate
and modify the code.

In
`@packages/rs-dpp/src/state_transition/state_transitions/shielded/unshield_transition/v0/state_transition_validation.rs`:
- Around line 114-127: Update the test should_reject_invalid_encrypted_note_size
to assert the reported expected and actual sizes in the
ShieldedEncryptedNoteSizeMismatchError payload instead of using a wildcard;
after setting transition.actions[0].encrypted_note = vec![4u8; 100] and calling
transition.validate_structure(platform_version), pattern-match the result.errors
to ConsensusError::BasicError(BasicError::ShieldedEncryptedNoteSizeMismatchError
{ expected_size, actual_size }) and assert expected_size equals the known
correct size and actual_size equals 100 so the test fails if either value is
incorrect; locate this assertion near the existing assert_matches and adjust the
pattern to capture and compare those fields.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 371c2fe6-64b7-4960-bf65-f835671f6135

📥 Commits

Reviewing files that changed from the base of the PR and between 95bdf2c and 85e05ad.

📒 Files selected for processing (10)

• packages/rs-dpp/src/errors/consensus/basic/basic_error.rs
• packages/rs-dpp/src/errors/consensus/basic/state_transition/mod.rs
• packages/rs-dpp/src/errors/consensus/basic/state_transition/shielded_encrypted_note_size_mismatch_error.rs
• packages/rs-dpp/src/errors/consensus/codes.rs
• packages/rs-dpp/src/state_transition/state_transitions/shielded/common_validation.rs
• packages/rs-dpp/src/state_transition/state_transitions/shielded/shield_from_asset_lock_transition/v0/state_transition_validation.rs
• packages/rs-dpp/src/state_transition/state_transitions/shielded/shield_transition/v0/state_transition_validation.rs
• packages/rs-dpp/src/state_transition/state_transitions/shielded/shielded_transfer_transition/v0/state_transition_validation.rs
• packages/rs-dpp/src/state_transition/state_transitions/shielded/shielded_withdrawal_transition/v0/state_transition_validation.rs
• packages/rs-dpp/src/state_transition/state_transitions/shielded/unshield_transition/v0/state_transition_validation.rs

[thepastaclaw]

Code Review

Well-structured defense-in-depth PR that adds early encrypted_note length validation at the DPP layer for all 5 shielded transition types. One blocking issue: the new BasicError variant is missing from the wasm-dpp exhaustive match, which will break WASM compilation. The duplicate ENCRYPTED_NOTE_SIZE constant across DPP and drive-abci is a minor drift risk worth addressing.

Reviewed commit: ec86d05

🔴 1 blocking | 🟡 1 suggestion(s) | 💬 1 nitpick(s)

1 additional finding(s) omitted (not in diff).

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/wasm-dpp/src/errors/consensus/consensus_error.rs`:
- [BLOCKING] lines 956-959: Missing WASM binding for ShieldedEncryptedNoteSizeMismatchError breaks compilation
  The `from_basic_error` match (lines 469–959) is exhaustive with no wildcard arm. The new `BasicError::ShieldedEncryptedNoteSizeMismatchError` variant added in this PR has no corresponding match arm, so `wasm-dpp` will fail to compile with a non-exhaustive patterns error. Every other shielded error (`ShieldedNoActionsError`, `ShieldedTooManyActionsError`, `ShieldedEmptyProofError`, `ShieldedZeroAnchorError`, `ShieldedInvalidValueBalanceError`) has both an import at line 96 and a `generic_consensus_error!` match arm. The new variant needs both: (1) add `ShieldedEncryptedNoteSizeMismatchError` to the import at line 96, and (2) add a match arm after the `ShieldedInvalidValueBalanceError` arm at line 957.

In `packages/rs-dpp/src/state_transition/state_transitions/shielded/common_validation.rs`:
- [SUGGESTION] lines 9-12: Duplicate ENCRYPTED_NOTE_SIZE constant risks silent divergence with drive-abci
  This PR introduces `pub const ENCRYPTED_NOTE_SIZE: usize = 216` as a hardcoded literal. The same value already exists in `packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/shielded_common/mod.rs:50` computed from component sizes (`EPK_SIZE + ENC_CIPHERTEXT_SIZE + OUT_CIPHERTEXT_SIZE`). Both evaluate to 216 today, but if the note format changes, only one may be updated. Since drive-abci already depends on DPP and the new constant is `pub`, drive-abci should import `dpp::state_transition::state_transitions::shielded::common_validation::ENCRYPTED_NOTE_SIZE` instead of maintaining its own copy. This creates a single source of truth and makes divergence — which would cause DPP to accept notes that ABCI rejects, or vice versa — impossible.

[thepastaclaw]

Code Review

Clean incremental push addressing our prior suggestion about the duplicate ENCRYPTED_NOTE_SIZE constant. DPP's constant is now the canonical source of truth (module made pub), drive-abci imports it, and a compile-time assertion guards against future divergence. Exactly the right fix.

Reviewed commit: 03352ff

[thepastaclaw]

Code Review

Trivial incremental push: strengthens 3 existing test assertions to verify error payload values (expected_size/actual_size) and adds the missing WASM binding for ShieldedEncryptedNoteSizeMismatchError. Both changes follow established patterns exactly. No issues found.

Reviewed commit: 6f940d7

[thepastaclaw]

Code Review

Trivial incremental push updating 4 drive-abci integration tests to expect BasicError::ShieldedEncryptedNoteSizeMismatchError instead of StateError::InvalidShieldedProofError, reflecting that the encrypted_note size check now happens in DPP structure validation rather than during proof verification. All test assertions are correctly updated. No issues found.

Reviewed commit: 444de8d