'Verifying flows in Corda

How does a notary/node verify that a specific flow has been called when it receives the transaction?

Does this mean Corda can guarantee that the flow has not been modified from what was stated in the corresponding Cordapp?

cordacorda-flow


Solution 1:[1]

In detail:

  1. It's a DLT (Distributed Ledger Technology); so in a sense, you can't really trust anyone.
  2. The notary doesn't receive flows, it receives transactions and makes sure that there is no double-spend (i.e. consumed inputs are not being consumed again).
  3. Even if you gave a node your CorDapp, it can override the responder flow. See links below.
  4. Wrong assumptions about responder flows: https://www.corda.net/blog/corda-flow-responder-wrong-assumptions/
  5. Configuring responder flows: https://docs.corda.net/flow-overriding.html
  6. Overriding flows from external CorDapps: https://dzone.com/articles/extending-and-overriding-flows-from-external-corda
  7. When you send and receive data between an initiator and its responders; the received data (on both ends) is considered untrusted; you must unwrap it and validate it: https://docs.corda.net/api-flows.html#receive

So in short:

  1. Your initiator must validate any received data from the responder(s).
  2. Your responder must validate any received data from the initiator; plus if you expect the initiator to be a certain entity, you must validate that the counter-party (that sent you the flow session) is who you expect it to be (e.g. flowSession.counterParty == "O=Good Org, L=London, C=UK").

Solution 2:[2]

Adel's answer covers the right ways to not trust your counterparties from the application flow level but there are also operational protections which can used. Strong contracts can help prevent badly formed transactions as Corda does not allow for unknown contracts in a well setup network.

The network parameters defines what smart contract cordapp jars are acceptable for validation. The most common form of contract constraints is signature constraints which means that any contract jar signed by the same developer key can be accepted. This prevents a malicious counterparty from forcing you to run weak validation: https://docs.corda.net/api-contract-constraints.html#signature-constraints

As of Corda 4 any unrecognized contract cordapp jar will not be trusted unless the node operator explicitly tells Corda to trust the jar. https://docs.corda.net/cordapp-build-systems.html#cordapp-contract-attachments Once a signature is trusted then any future jars signed by that signature will implicitly be trusted.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Adel Rustum
Solution 2 Austin Moothart

Related Questions

Schema Validation Error for custom queryable states using `UUID` as a column

Schema Validation Error for custom queryable states using `UUID` as a column

Cannot inline bytecode built with JVM target 1.8 into bytecode that is being built with JVM target 1.6

Must the Flow code be the same in all nodes?

issueRef parameter in CashIssueFlow

Flow Testing for Cash Contract

CommercialPaper Tutorial, creating a flow to issue,move and redeem a currency

States Matching Logic Corda

Counterparty sent session rejection message at unexpected time with message class com.upgrade.CustomContractUpgradeFlow$Initiate is not registered

How to map a rather complex Business Process like Order to Cash to Corda Flow(s)

In Corda flow tests, how to get the modularized cordapps assigned only to the respective parties?

Corda responder flow not answering

How to display the states on Corda terminal

Must the Flow code be the same in all nodes?

issueRef parameter in CashIssueFlow