Subtask: persist signed-transfer nonces and reject replay across restarts #728

@Scottcjn

Description

Parent issue: Scottcjn/Rustchain#726

Summary

Add a persisted nonce/idempotency ledger for /wallet/transfer/signed so replayed signed transfers are rejected even after process restart.

Why This Matters

payout_preflight.py validates nonce shape, but the safety property comes from actually recording and enforcing nonce usage in the transaction path.

Scope

  • persist used nonces or idempotency keys in the ledger/database
  • reject exact replay and stale duplicate signed transfer submissions
  • document nonce lifetime and failure behavior
  • add tests for replay before and after restart or DB reconnect

Acceptance Criteria

  • used nonces are persisted durably
  • replayed signed transfers are rejected with explicit error output
  • tests cover duplicate submission and restart behavior
  • docs explain nonce semantics for clients

Non-Goals

  • redesigning the full wallet API
  • unrelated admin transfer changes

Routing

Use this child issue for signed-transfer replay protection work. Keep umbrella coordination on #726.
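A minimal illustration of the persisted ledger this issue asks for, added here as an example and not Rustchain's own code: a file-backed sqlite3 table keyed on (sender, nonce) where the INSERT itself is the replay check, a simulated restart, an expiry rule for stale submissions, and pruning of rows that can no longer be replayed. The table name, the key, the 10-minute nonce lifetime and the clock-skew allowance are assumptions.

```python
import os, sqlite3, tempfile, time
# Added example (not Rustchain code): a durable nonce ledger for signed transfers.
# Table name, (sender, nonce) key, 10-minute lifetime and skew are assumptions.
NONCE_TTL = 600.0   # seconds a signed transfer remains submittable
CLOCK_SKEW = 60.0   # tolerated client clock drift, in seconds

def open_ledger(path):
    # A file-backed DB (not :memory:) is what lets nonces survive a restart.
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS used_nonces (sender TEXT NOT NULL,"
                 " nonce TEXT NOT NULL, used_at REAL NOT NULL,"
                 " PRIMARY KEY (sender, nonce))")
    conn.commit()
    return conn
def consume_nonce(conn, sender, nonce, signed_at, now=None):
    # Returns (accepted, reason). The PRIMARY KEY is the replay check: a second
    # INSERT of the same (sender, nonce) fails, so concurrent duplicates cannot both pass.
    now = time.time() if now is None else now
    if signed_at > now + CLOCK_SKEW:
        return False, "timestamp_in_future"
    if now - signed_at > NONCE_TTL:
        return False, "nonce_expired"        # stale submission or stale duplicate
    try:
        with conn:                           # commit on success, roll back on error
            conn.execute("INSERT INTO used_nonces VALUES (?, ?, ?)",
                         (sender, nonce, now))
    except sqlite3.IntegrityError:
        return False, "nonce_replayed"       # exact replay, before or after restart
    return True, "ok"
def prune_expired(conn, now=None):
    # Rows older than NONCE_TTL + CLOCK_SKEW are already rejected as nonce_expired.
    now = time.time() if now is None else now
    with conn:
        cur = conn.execute("DELETE FROM used_nonces WHERE used_at < ?",
                           (now - NONCE_TTL - CLOCK_SKEW,))
    return cur.rowcount
def replay_scenario(path=None):
    # Accept once, close the connection (simulated restart), reopen and replay.
    path = path or os.path.join(tempfile.mkdtemp(), "nonces.db")
    t0 = 1_700_000_000.0                     # constructed fixed clock
    conn = open_ledger(path)
    first = consume_nonce(conn, "addr_demo", "n-1", signed_at=t0, now=t0)
    conn.close()                             # "restart": in-memory state is gone
    conn = open_ledger(path)
    second = consume_nonce(conn, "addr_demo", "n-1", signed_at=t0, now=t0 + 5)
    stale = consume_nonce(conn, "addr_demo", "n-2", signed_at=t0, now=t0 + 601)
    pruned = prune_expired(conn, now=t0 + NONCE_TTL + CLOCK_SKEW + 1)
    conn.close()
    return {"first": first, "second": second, "stale": stale, "pruned": pruned}
```

The pruning threshold is chosen so that any row dropped would already fail the expiry check, which is what makes pruning safe without weakening replay rejection.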
