SIP-5 draft: block hash + state root commitment consistency (Bug B fix)

[satyakwok]

Draft SIP for Bug B fix (2026-05-31 testnet cascade). See sips/sip-5.md for full text. Approaches B1 (speculative apply, recommended) vs B4 (drop state_root from hash). Activation plan, rollback, review questions inside. Related: sentrix-labs/sentrix#751 (Bug B), #750 (Bug A), #752 (defense check).

Summary by CodeRabbit

• Bug Fixes

  • Fork-gated consensus fix to prevent stored blocks from becoming inconsistent between block hash and claimed state root; includes recommended approach for proposers/validators and an alternative trade-off.

• Documentation

  • Added SIP-5: motivation, activation/migration and rollback plans, compatibility guarantees, security considerations, open questions, and a reference implementation sketch.

[coderabbitai]

📝 Walkthrough

Walkthrough

SIP-5 adds a specification to fix a consensus bug where stored blocks can have inconsistent block.hash vs block.justification.block_hash; it recommends fork-gated B1 (proposer speculative-apply to set real state_root and recompute hash, validator dual verification) and documents B4 alternative, activation, rollback, and a reference implementation sketch.

Changes

Cohort / File(s)	Summary
SIP-5 specification sips/sip-5.md	Adds SIP-5: metadata, abstract, motivation, recommended fix B1 (proposer speculative-apply, recompute block.hash, validator verification), alternative B4, add_block_impl changes, fork predicate and activation/rollback plan, reference speculative-apply API wiring, security considerations, and references/license.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related issues

• Bug B: block.hash recomputed post-apply doesn't update embedded justification — produces internally inconsistent blocks sentrix#751: Documents the same post-apply block hash inconsistency and proposes the same B1/B4 fork-gated remediation and add_block_impl changes.
• Bug A: off-trie consensus state drift (pending_rewards, total_minted, epoch_state) — silent fork-trigger on any consuming tx sentrix#750: Related report targeting the add_block_impl and proposer/validator state_root handling implicated by this SIP.

Poem

🐰 A rabbit nibbles through a forked code tree,
Rewrites state roots so blocks agree;
It hops, it applies, then recomputes with care,
Consensus now tidy, no mismatched pair —
✨ Hop on, little fix, we’ll keep you rare.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'SIP-5 draft: block hash + state root commitment consistency (Bug B fix)' clearly and specifically summarizes the main change: a new SIP-5 document addressing a consensus bug (Bug B) related to block hash and state root consistency.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/sip-5-bug-b-block-hash-state-root

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@sips/sip-5.md`:
- Line 179: Update the spec text for the function signature
Blockchain::speculative_apply_for_state_root(&block) -> SentrixResult<[u8; 32]>
to use "txs" instead of "tx's" so the description reads "clones the trie +
applies block txs + returns root WITHOUT mutating chain state" and ensure any
other occurrences in the same sentence or nearby lines use the same "txs"
wording for consistency.
- Around line 113-120: Specify the fork activation predicate explicitly and use
it everywhere: define that new rules apply when block.height >=
BLOCK_HASH_WITH_REAL_STATE_ROOT_HEIGHT (or choose > if preferred) and then
update all occurrences in the SIP (proposer, validator, apply sections and the
text around lines 145-153 and the paragraphs describing pre/post-fork behavior)
to reference that canonical predicate; ensure wording is exact (e.g., "When
block.height >= BLOCK_HASH_WITH_REAL_STATE_ROOT_HEIGHT, proposer must pre-apply
and validators must accept hashes with real state root") so there is a single
authoritative rule used throughout.
- Around line 82-93: Add an explicit verification that the received block's
declared hash matches a locally computed hash: after deserializing the proposed
Block in the BftMessage::Propose handler (main.rs) compute the hash via the
block's hash function (e.g. block.calculate_hash() or equivalent) and compare it
to block.hash; if block.hash is missing or differs, log a warning and
reject/return (do not prevote) before proceeding to the state_root check
(bc_read.speculative_apply_for_state_root and block.state_root handling).
- Around line 99-100: Remove the recomputation/reassignment lines that set
last.state_root and last.hash (the L1561-1563 pattern and siblings) because the
proposer-supplied block already carries state_root and hash; in add_block (and
any validator code that currently does computed_root ==
block.state_root.unwrap()) replace the unwrap usage with an explicit
validation/reject branch that returns an error if block.state_root is None or
malformed and only compares when present (i.e., check block.state_root.is_some()
then compare computed_root to the contained value and reject on mismatch), and
ensure any places referencing last.calculate_hash() do not overwrite proposer
values but instead verify consistency.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 9b73cd2a-47c9-4211-87c3-2f31dc35000c

📥 Commits

Reviewing files that changed from the base of the PR and between 6dc0609 and 0d05799.

📒 Files selected for processing (1)

• sips/sip-5.md

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

sips/sip-5.md (1)

220-222: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Include validator block.hash recomputation in the reference-implementation checklist.

The normative spec now requires validators to verify both hash claim and state_root claim, but the skeleton only lists state_root verification on the validator path. Please add an explicit checklist item for recomputing block.calculate_hash() and rejecting on mismatch so implementers don’t accidentally ship only half the validation.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@sips/sip-5.md` around lines 220 - 222, The checklist in the reference
implementation omits validator-side hash recomputation: update the validator
path notes to explicitly require recomputing block.calculate_hash() and
rejecting proposals when it mismatches the proposer’s claimed block.hash in
addition to verifying block.state_root; specifically mention adding this check
in the BftMessage::Propose handler (the validator path) and ensure
add_block_impl behavior around block.state_root and legacy recompute still
documents that validators must recompute and compare block.calculate_hash()
unless block.state_root was provided and post-fork rules exempt recompute.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@sips/sip-5.md`:
- Around line 220-222: The checklist in the reference implementation omits
validator-side hash recomputation: update the validator path notes to explicitly
require recomputing block.calculate_hash() and rejecting proposals when it
mismatches the proposer’s claimed block.hash in addition to verifying
block.state_root; specifically mention adding this check in the
BftMessage::Propose handler (the validator path) and ensure add_block_impl
behavior around block.state_root and legacy recompute still documents that
validators must recompute and compare block.calculate_hash() unless
block.state_root was provided and post-fork rules exempt recompute.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: a48f54db-a019-4f34-9ebc-e793d9d08366

📥 Commits

Reviewing files that changed from the base of the PR and between 0d05799 and d402266.

📒 Files selected for processing (1)

• sips/sip-5.md