fix(security): re-verify block signature during fork replay

- Manager.switchFork now re-validates each replayed block's witness signature
  before applying. The witness account's permission can change between forks
  (via permission-update transactions), so a signature that was valid on the
  original chain may no longer be valid on the replay path.
- Use `if (!validateSignature(...)) throw new ValidateSignatureException`
  rather than discarding the boolean return: validateSignature only throws
  on malformed signature bytes; an attacker-supplied valid-format signature
  with a wrong-signer address returns false. Discarding the return would let
  that attack through.
- The existing switchFork catch list already includes
  ValidateSignatureException, so the new throw is wired into the existing
  switchback path with no additional handling.
- Add three BlockCapsule.validateSignature contract tests pinning the two
  failure modes the fix relies on: signer-mismatch returns false, signer-match
  returns true, and a 65-byte malformed signature throws
  ValidateSignatureException.

Author: wb

framework/src/main/java/org/tron/core/db/Manager.java

@@ -1140,6 +1140,11 @@ private void switchFork(BlockCapsule newHead)
         Exception exception = null;
         // todo  process the exception carefully later
         try (ISession tmpSession = revokingStore.buildSession()) {
+          if (!item.getBlk().validateSignature(
+              getDynamicPropertiesStore(), getAccountStore())) {
+            throw new ValidateSignatureException(
+                "switch fork: block " + item.getBlk().getNum() + " signature invalid");
+          }
           applyBlock(item.getBlk().setSwitch(true));
           tmpSession.commit();
         } catch (AccountResourceInsufficientException

framework/src/test/java/org/tron/core/capsule/BlockCapsuleTest.java

@@ -1,5 +1,8 @@
 package org.tron.core.capsule;
 
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
 import com.google.protobuf.ByteString;
 import java.io.IOException;
 import java.util.ArrayList;
@@ -21,6 +24,11 @@
 import org.tron.core.config.args.Args;
 import org.tron.core.exception.BadBlockException;
 import org.tron.core.exception.BadItemException;
+import org.tron.core.exception.ValidateSignatureException;
+import org.tron.core.store.AccountStore;
+import org.tron.core.store.DynamicPropertiesStore;
+import org.tron.protos.Protocol.Block;
+import org.tron.protos.Protocol.BlockHeader;
 import org.tron.protos.Protocol.Transaction.Contract.ContractType;
 import org.tron.protos.contract.BalanceContract.TransferContract;
 
@@ -180,6 +188,95 @@ public void testGetTimeStamp() {
     Assert.assertEquals(1234L, blockCapsule0.getTimeStamp());
   }
 
+  /**
+   * Pin the contract that switchFork's signature recheck relies on:
+   * when the recovered signer address does not match the witness address,
+   * validateSignature returns false (no exception). switchFork uses the
+   * boolean return to decide whether to throw, so this contract is what
+   * makes the fix work for "wrong signer" attacks.
+   */
+  @Test
+  public void testValidateSignatureReturnsFalseWhenSignerMismatch() throws Exception {
+    String signerKey = PublicMethod.getRandomPrivateKey();
+    String witnessKey = PublicMethod.getRandomPrivateKey();
+    byte[] witnessAddress = PublicMethod.getAddressByteByPrivateKey(witnessKey);
+
+    BlockCapsule block = new BlockCapsule(2,
+        Sha256Hash.wrap(ByteString.copyFrom(ByteArray.fromHexString(
+            "9938a342238077182498b464ac0292229938a342238077182498b464ac029222"))),
+        4321,
+        ByteString.copyFrom(witnessAddress));
+    block.sign(ByteArray.fromHexString(signerKey));
+
+    DynamicPropertiesStore dps = mock(DynamicPropertiesStore.class);
+    when(dps.getAllowMultiSign()).thenReturn(0L);
+    AccountStore accountStore = mock(AccountStore.class);
+
+    Assert.assertFalse(block.validateSignature(dps, accountStore));
+  }
+
+  /**
+   * Same key path under the happy case: when signer == witness, validateSignature
+   * returns true. Guards against any future refactor that accidentally inverts
+   * the comparison or strips the witness check.
+   */
+  @Test
+  public void testValidateSignatureReturnsTrueWhenSignerMatches() throws Exception {
+    String key = PublicMethod.getRandomPrivateKey();
+    byte[] witnessAddress = PublicMethod.getAddressByteByPrivateKey(key);
+
+    BlockCapsule block = new BlockCapsule(3,
+        Sha256Hash.wrap(ByteString.copyFrom(ByteArray.fromHexString(
+            "9938a342238077182498b464ac0292229938a342238077182498b464ac029222"))),
+        5678,
+        ByteString.copyFrom(witnessAddress));
+    block.sign(ByteArray.fromHexString(key));
+
+    DynamicPropertiesStore dps = mock(DynamicPropertiesStore.class);
+    when(dps.getAllowMultiSign()).thenReturn(0L);
+    AccountStore accountStore = mock(AccountStore.class);
+
+    Assert.assertTrue(block.validateSignature(dps, accountStore));
+  }
+
+  /**
+   * The other failure mode switchFork must handle: signature bytes are
+   * malformed (cannot recover a public key). validateSignature wraps the
+   * underlying SignatureException as ValidateSignatureException, which the
+   * existing catch block in switchFork already handles.
+   */
+  @Test(expected = ValidateSignatureException.class)
+  public void testValidateSignatureThrowsForMalformedSignature() throws Exception {
+    byte[] witnessAddress = PublicMethod.getAddressByteByPrivateKey(
+        PublicMethod.getRandomPrivateKey());
+
+    // 65-byte signature with valid length but garbage content — passes Rsv parsing
+    // but fails ECDSA recovery, surfacing SignatureException → ValidateSignatureException.
+    byte[] garbageSigBytes = new byte[65];
+    Arrays.fill(garbageSigBytes, (byte) 0xAB);
+    ByteString garbageSig = ByteString.copyFrom(garbageSigBytes);
+
+    BlockHeader.raw rawData = BlockHeader.raw.newBuilder()
+        .setNumber(4)
+        .setTimestamp(1111)
+        .setParentHash(ByteString.copyFrom(ByteArray.fromHexString(
+            "9938a342238077182498b464ac0292229938a342238077182498b464ac029222")))
+        .setWitnessAddress(ByteString.copyFrom(witnessAddress))
+        .build();
+    BlockHeader header = BlockHeader.newBuilder()
+        .setRawData(rawData)
+        .setWitnessSignature(garbageSig)
+        .build();
+    Block proto = Block.newBuilder().setBlockHeader(header).build();
+    BlockCapsule block = new BlockCapsule(proto);
+
+    DynamicPropertiesStore dps = mock(DynamicPropertiesStore.class);
+    when(dps.getAllowMultiSign()).thenReturn(0L);
+    AccountStore accountStore = mock(AccountStore.class);
+
+    block.validateSignature(dps, accountStore);
+  }
+
   @Test
   public void testConcurrentToString() throws InterruptedException {
     List<Thread> threadList = new ArrayList<>();