CORDA-2577 Disable or delete the no-downgrade rule (#4741)

With (Contract JARs) rolling upgrades the downgrade rule cannot be effectively check as the platform can't tell the difference between a transaction that's downgrading because of an attack, vs a transaction that's downgrading because Alice has upgraded but Bob hasn't yet. During a rolling upgrade we would expect state versions to fluctuate up and down as data gets read/written by a mix of nodes. With the feature as implemented Alice will upgrade and start trading with Bob. Bob will be able to read and process the states Alice sent him, but the moment he tries to consume such a state he will fail. This will result in cascading flow deaths and a hung business network the moment an upgrade starts.
2025-06-18 15:18:16 +00:00 · 2019-02-13 11:36:43 +00:00
parent 873e9a5442
commit 10e7c07c11
9 changed files with 10 additions and 50 deletions
--- a/docs/source/api-contract-constraints.rst
+++ b/docs/source/api-contract-constraints.rst
@ -116,7 +116,7 @@ CorDapp is 4 or greater, then transaction verification will fail with a ``Transa
 the owning ``Contract`` *can* be identified, but the ``ContractState`` has been bundled with a different contract, then
 transaction verification will fail with a ``TransactionContractConflictException``.

-.. _contract_non-downgrade_rule_ref:
+.. _contract_downgrade_rule_ref:

 App versioning with signature constraints
 -----------------------------------------
--- a/docs/source/app-upgrade-notes.rst
+++ b/docs/source/app-upgrade-notes.rst
@ -100,10 +100,7 @@ properly for future releases.
   future not hold true. You should know the platform version of the node releases you want to target.

 The new ``versionId`` number is a version code for **your** app, and is unrelated to Corda's own versions.
-It is used to block state downgrades: when a state constraint can be satisfied
-by multiple attachments, the version is tracked in the ledger and cannot decrement. This ensures security
-fixes in CorDapps stick and can't be reversed by downgrading states to an earlier version. See
-":ref:`contract_non-downgrade_rule_ref`" for more information.
+It is used to informative purposes only. See ":ref:`contract_downgrade_rule_ref`" for more information.

 **Split your app into contract and workflow JARs.** The duplication between ``contract`` and ``workflow`` blocks exists because you should split your app into
 two separate JARs/modules, one that contains on-ledger validation code like states and contracts, and one
--- a/docs/source/changelog.rst
+++ b/docs/source/changelog.rst
@ -50,10 +50,6 @@ Version 4.0

 * ``JacksonSupport.createInMemoryMapper`` was incorrectly marked as deprecated and is no longer so.

-* Transaction building and verification enforces new contract attachment version non-downgrade rule.
-  For a given contract class, the contract attachment of the output states must be of the same or newer version than the contract attachment of the input states.
-  See :ref:`Contract attachment non-downgrade rule <contract_non-downgrade_rule_ref>` for further information.
-
 * Standardised CorDapp version identifiers in jar manifests (aligned with associated cordapp Gradle plugin changes).
  Updated all samples to reflect new conventions.

--- a/docs/source/release-notes.rst
+++ b/docs/source/release-notes.rst
@ -122,9 +122,6 @@ allows tool developers to assume that if a class name appears to be owned by an
 semantics of that class actually *were* defined by that organisation, thus eliminating edge cases that
 might otherwise cause confusion.

-**No downgrades.** Transaction building and verification enforces new contract attachment version non-downgrade rule.
-For a given contract class, the contract attachment of the output states must be of the same or newer version than
-the contract attachment of the input states. See :ref:`Contract attachment non-downgrade rule <contract_non-downgrade_rule_ref>` for further information.

 Network parameters in transactions
 ++++++++++++++++++++++++++++++++++
--- a/docs/source/versioning.rst
+++ b/docs/source/versioning.rst
@ -96,9 +96,7 @@ It's entirely expected and reasonable to have an open source contracts module an
 sophisticated or proprietary business logic, machine learning models, even user interface code. There's nothing that restricts it to just
 being Corda flows or services.

-.. important:: The ``versionId`` specified for the JAR manifest is checked by the platform. Downgrades are not allowed: you cannot take a state
-   that was created with version 5 of your app, and then create a state with version 4. This is to prevent attacks in which bugs
-   are fixed, but an adversary uses an old version of the app to continue exploiting them. Version tracking in states is handled for you
-   automatically as long as the information is provided in your Gradle file. See ":ref:`contract_non-downgrade_rule_ref`" for more information.
+.. important:: The ``versionId`` specified for the JAR manifest is checked by the platform and is used for informative purposes only.
+ See ":ref:`contract_downgrade_rule_ref`" for more information.

 .. note:: You can read the original design doc here: :doc:`design/targetversion/design`.