SRLabs: introduce staking harness

Author: R9295

.github/workflows/rust.yml

@@ -372,6 +372,20 @@ jobs:
         run: |
           scripts/runtime-benchmark.sh check
 
+  staking-fuzzer-build:
+    name: staking-fuzzer-build (Linux x86-64)
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      
+      - name: install ziggy
+        run: cargo install --force ziggy cargo-afl honggfuzz grcov
+
+      - name: build fuzzer
+        run: scripts/build-fuzzer.sh
+
   # This job checks all crates individually, including no_std and other featureless builds.
   # We need to check crates individually for missing features, because cargo does feature
   # unification, which hides missing features when crates are built together.
@@ -499,6 +513,7 @@ jobs:
       - check-runtime-benchmarks
       - cargo-check-individually
       - cargo-unused-deps
+      - staking-fuzzer-build
     steps:
       - name: Check job statuses
         # Another hack is to actually check the status of the dependencies or else it'll fall through
@@ -511,3 +526,4 @@ jobs:
           [[ "${{ needs.check-runtime-benchmarks.result }}" == "success" ]] || exit 1
           [[ "${{ needs.cargo-check-individually.result }}" == "success" ]] || exit 1
           [[ "${{ needs.cargo-unused-deps.result }}" == "success" ]] || exit 1
+          [[ "${{ needs.staking-fuzzer-build.result }}" == "success" ]] || exit 1

.gitignore

@@ -1,2 +1,4 @@
 /.idea
 /target
+./fuzz/staking/target
+./fuzz/staking/output

Cargo.lock

@@ -15,6 +15,7 @@ members = [
     "domains/test/service",
     "domains/test/utils",
     "shared/*",
+    "fuzz/staking",
     "test/subspace-test-client",
     "test/subspace-test-runtime",
     "test/subspace-test-service",

Cargo.toml

@@ -36,6 +36,13 @@ sp-version = { workspace = true, features = ["serde"] }
 subspace-core-primitives.workspace = true
 subspace-runtime-primitives.workspace = true
 
+# fuzz feature optional dependencies
+domain-pallet-executive = {workspace = true, optional = true}
+pallet-timestamp = {workspace = true, optional = true}
+pallet-block-fees = {workspace = true, optional = true}
+sp-externalities = {workspace = true, optional = true}
+sp-keystore = {workspace = true, optional = true}
+
 [dev-dependencies]
 domain-pallet-executive.workspace = true
 hex-literal.workspace = true
@@ -85,3 +92,11 @@ runtime-benchmarks = [
     "sp-runtime/runtime-benchmarks",
     "sp-subspace-mmr/runtime-benchmarks",
 ]
+
+fuzz = [
+    "dep:domain-pallet-executive",
+    "dep:pallet-timestamp",
+    "dep:pallet-block-fees",
+    "dep:sp-externalities",
+    "dep:sp-keystore",
+]

crates/pallet-domains/Cargo.toml

@@ -0,0 +1,212 @@
+// Copyright 2025 Security Research Labs GmbH
+// Permission to use, copy, modify, and/or distribute this software for
+// any purpose with or without fee is hereby granted.
+//
+// THE SOFTWARE IS PROVIDED “AS IS” AND THE AUTHOR DISCLAIMS ALL
+// WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+// OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE
+// FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY
+// DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
+// AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+// OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+use alloc::collections::BTreeSet;
+use frame_system::Account;
+use pallet_balances::{Holds, TotalIssuance};
+use sp_core::H256;
+use sp_domains::{DomainId, OperatorId};
+use sp_runtime::traits::One;
+
+use crate::staking::{
+    Operator, OperatorStatus, SharePrice, mark_invalid_bundle_author, unmark_invalid_bundle_author,
+};
+use crate::staking_epoch::do_finalize_domain_current_epoch;
+use crate::{
+    BalanceOf, Config, Deposits, DomainBlockNumberFor, DomainStakingSummary, HeadDomainNumber,
+    InvalidBundleAuthors, Operators, PendingSlashes, ReceiptHashFor,
+};
+
+/// Fetch the next epoch's operators from the DomainStakingSummary
+#[allow(clippy::type_complexity)]
+pub fn get_next_operators<T: Config>(
+    domain_id: DomainId,
+) -> Vec<Operator<BalanceOf<T>, T::Share, DomainBlockNumberFor<T>, ReceiptHashFor<T>>> {
+    let domain_summary = DomainStakingSummary::<T>::get(domain_id)
+        .expect("invariant violated: We must have DomainStakingSummary");
+    let mut prev_ops = vec![];
+    for operator_id in &domain_summary.next_operators {
+        let operator = Operators::<T>::get(*operator_id).expect(
+            "invariant violated: Operator in next_operator set is not present in Operators",
+        );
+        prev_ops.push(operator)
+    }
+    prev_ops
+}
+
+/// Finalize the epoch and transition to the next one
+pub fn conclude_domain_epoch<T: Config>(domain_id: DomainId) {
+    let head_domain_number = HeadDomainNumber::<T>::get(domain_id);
+    HeadDomainNumber::<T>::set(domain_id, head_domain_number + One::one());
+    do_finalize_domain_current_epoch::<T>(domain_id)
+        .expect("invariant violated: we must be able to finalize domain epoch");
+}
+
+/// Mark an operator as having produced an invalid bundle
+pub fn fuzz_mark_invalid_bundle_authors<T: Config<DomainHash = H256>>(
+    operator: OperatorId,
+    domain_id: DomainId,
+) -> Option<H256> {
+    let pending_slashes = PendingSlashes::<T>::get(domain_id).unwrap_or_default();
+    let mut invalid_bundle_authors_in_epoch = InvalidBundleAuthors::<T>::get(domain_id);
+    let mut stake_summary = DomainStakingSummary::<T>::get(domain_id).unwrap();
+    if pending_slashes.contains(&operator) {
+        return None;
+    }
+    let er = H256::random();
+    mark_invalid_bundle_author::<T>(
+        operator,
+        er,
+        &mut stake_summary,
+        &mut invalid_bundle_authors_in_epoch,
+    )
+    .expect("invariant violated: could not mark operator as invalid bundle author");
+    DomainStakingSummary::<T>::insert(domain_id, stake_summary);
+    InvalidBundleAuthors::<T>::insert(domain_id, invalid_bundle_authors_in_epoch);
+    Some(er)
+}
+
+/// Unmark an operator as having produced an invalid bundle
+pub fn fuzz_unmark_invalid_bundle_authors<T: Config<DomainHash = H256>>(
+    domain_id: DomainId,
+    operator: OperatorId,
+    er: H256,
+) {
+    let pending_slashes = PendingSlashes::<T>::get(domain_id).unwrap_or_default();
+    let mut invalid_bundle_authors_in_epoch = InvalidBundleAuthors::<T>::get(domain_id);
+    let mut stake_summary = DomainStakingSummary::<T>::get(domain_id).unwrap();
+
+    if pending_slashes.contains(&operator)
+        || crate::Pallet::<T>::is_operator_pending_to_slash(domain_id, operator)
+    {
+        return;
+    }
+
+    unmark_invalid_bundle_author::<T>(
+        operator,
+        er,
+        &mut stake_summary,
+        &mut invalid_bundle_authors_in_epoch,
+    )
+    .expect("invariant violated: could not unmark operator as invalid bundle author");
+
+    DomainStakingSummary::<T>::insert(domain_id, stake_summary);
+    InvalidBundleAuthors::<T>::insert(domain_id, invalid_bundle_authors_in_epoch);
+}
+
+/// Fetch operators who are pending slashing
+pub fn get_pending_slashes<T: Config>(domain_id: DomainId) -> BTreeSet<OperatorId> {
+    PendingSlashes::<T>::get(domain_id).unwrap_or_default()
+}
+
+/// Check staking invariants before epoch finalization
+pub fn check_invariants_before_finalization<T: Config>(domain_id: DomainId) {
+    let domain_summary = DomainStakingSummary::<T>::get(domain_id).unwrap();
+    // INVARIANT: all current_operators are registered and not slashed nor have invalid bundles
+    for operator_id in &domain_summary.next_operators {
+        let operator = Operators::<T>::get(*operator_id).unwrap();
+        if !matches!(
+            operator.status::<T>(*operator_id),
+            OperatorStatus::Registered
+        ) {
+            panic!("operator set violated");
+        }
+    }
+}
+
+/// Check staking invariants after epoch finalization
+#[allow(clippy::type_complexity)]
+pub fn check_invariants_after_finalization<T: Config<Balance = u128, Share = u128>>(
+    domain_id: DomainId,
+    prev_ops: Vec<Operator<BalanceOf<T>, T::Share, DomainBlockNumberFor<T>, ReceiptHashFor<T>>>,
+) {
+    let domain_summary = DomainStakingSummary::<T>::get(domain_id).unwrap();
+    for operator_id in domain_summary.current_operators.keys() {
+        let operator = Operators::<T>::get(operator_id).unwrap();
+        // INVARIANT: 0 < SharePrice < 1
+        SharePrice::new::<T>(operator.current_total_shares, operator.current_total_stake)
+            .expect("SharePrice to be present");
+    }
+
+    // INVARIANT: Total domain stake == accumulated operators' curent_stake.
+    let aggregated_stake: BalanceOf<T> = domain_summary
+        .current_operators
+        .values()
+        .fold(0, |acc, stake| acc.saturating_add(*stake));
+
+    assert!(aggregated_stake == domain_summary.current_total_stake);
+    // INVARIANT: all current_operators are registered and not slashed nor have invalid bundles
+    for operator_id in domain_summary.current_operators.keys() {
+        let operator = Operators::<T>::get(operator_id).unwrap();
+        if !matches!(
+            operator.status::<T>(*operator_id),
+            OperatorStatus::Registered
+        ) {
+            panic!("operator set violated");
+        }
+        // INVARIANT: Shares add up
+        let mut shares: T::Share = 0;
+        for (operator, _nominator, deposit) in Deposits::<T>::iter() {
+            if *operator_id == operator {
+                shares += deposit.known.shares;
+            }
+        }
+        assert!(shares <= operator.current_total_shares);
+    }
+
+    // INVARIANT: all operators which were part of the next operator set before finalization are present now
+    assert_eq!(prev_ops.len(), domain_summary.current_operators.len());
+}
+
+/// Check general Substrate invariants that must always hold
+pub fn check_general_invariants<
+    T: Config<Balance = u128>
+        + pallet_balances::Config<Balance = u128>
+        + frame_system::Config<AccountData = pallet_balances::AccountData<u128>>,
+>(
+    initial_total_issuance: BalanceOf<T>,
+) {
+    // After execution of all blocks, we run invariants
+    let mut counted_free: <T as pallet_balances::Config>::Balance = 0;
+    let mut counted_reserved: <T as pallet_balances::Config>::Balance = 0;
+    for (account, info) in Account::<T>::iter() {
+        let consumers = info.consumers;
+        let providers = info.providers;
+        assert!(
+            !(consumers > 0 && providers == 0),
+            "Invalid account consumers or providers state"
+        );
+        counted_free += info.data.free;
+        counted_reserved += info.data.reserved;
+        let max_lock: <T as pallet_balances::Config>::Balance =
+            pallet_balances::Locks::<T>::get(&account)
+                .iter()
+                .map(|l| l.amount)
+                .max()
+                .unwrap_or_default();
+        assert_eq!(
+            max_lock, info.data.frozen,
+            "Max lock should be equal to frozen balance"
+        );
+        let sum_holds: <T as pallet_balances::Config>::Balance =
+            Holds::<T>::get(&account).iter().map(|l| l.amount).sum();
+        assert!(
+            sum_holds <= info.data.reserved,
+            "Sum of all holds ({sum_holds}) should be less than or equal to reserved balance {}",
+            info.data.reserved
+        );
+    }
+    let total_issuance = TotalIssuance::<T>::get();
+    let counted_issuance = counted_free + counted_reserved;
+    assert_eq!(total_issuance, counted_issuance);
+    assert!(total_issuance >= initial_total_issuance);
+}

crates/pallet-domains/src/fuzz_utils.rs

@@ -9,14 +9,22 @@ mod benchmarking;
 #[cfg(test)]
 mod tests;
 
+#[cfg(all(not(test), feature = "std", feature = "fuzz"))]
+pub mod tests;
+
 pub mod block_tree;
 pub mod bundle_storage_fund;
 pub mod domain_registry;
 pub mod extensions;
+#[cfg(feature = "fuzz")]
+pub mod fuzz_utils;
 pub mod migrations;
 mod nominator_position;
 pub mod runtime_registry;
 pub mod staking;
+#[cfg(feature = "fuzz")]
+pub mod staking_epoch;
+#[cfg(not(feature = "fuzz"))]
 mod staking_epoch;
 pub mod weights;
 
@@ -508,7 +516,7 @@ mod pallet {
 
     #[pallet::storage]
     #[pallet::getter(fn domain_staking_summary)]
-    pub(super) type DomainStakingSummary<T: Config> =
+    pub(crate) type DomainStakingSummary<T: Config> =
         StorageMap<_, Identity, DomainId, StakingSummary<OperatorId, BalanceOf<T>>, OptionQuery>;
 
     /// List of all registered operators and their configuration.
@@ -540,7 +548,7 @@ mod pallet {
 
     /// List of all deposits for given Operator.
     #[pallet::storage]
-    pub(super) type Deposits<T: Config> = StorageDoubleMap<
+    pub(crate) type Deposits<T: Config> = StorageDoubleMap<
         _,
         Identity,
         OperatorId,
@@ -552,7 +560,7 @@ mod pallet {
 
     /// List of all withdrawals for a given operator.
     #[pallet::storage]
-    pub(super) type Withdrawals<T: Config> = StorageDoubleMap<
+    pub(crate) type Withdrawals<T: Config> = StorageDoubleMap<
         _,
         Identity,
         OperatorId,
@@ -571,7 +579,7 @@ mod pallet {
     /// When the epoch for a given domain is complete, operator total stake is moved to treasury and
     /// then deleted.
     #[pallet::storage]
-    pub(super) type PendingSlashes<T: Config> =
+    pub(crate) type PendingSlashes<T: Config> =
         StorageMap<_, Identity, DomainId, BTreeSet<OperatorId>, OptionQuery>;
 
     /// The pending staking operation count of the current epoch, it should not larger than
@@ -668,7 +676,7 @@ mod pallet {
     // the runtime upgrade tx from the consensus chain and no any user submitted tx from the bundle), use
     // `domain_best_number` for the actual best domain block
     #[pallet::storage]
-    pub(super) type HeadDomainNumber<T: Config> =
+    pub(crate) type HeadDomainNumber<T: Config> =
         StorageMap<_, Identity, DomainId, DomainBlockNumberFor<T>, ValueQuery>;
 
     /// A temporary storage to hold any previous epoch details for a given domain