Bug: Proposal execution hash is deterministic and predictable

[508704820]

Bug: Proposal execution hash is deterministic and predictable

Severity: Medium (Governance)

File: governance/proposals.py, execute_proposal() (line 389)

Description:
tx_hash = hashlib.sha256(f"{proposal_id}:{now}".encode()).hexdigest() generates the execution transaction hash from only the proposal ID and timestamp. Both values are publicly known, making the hash predictable before execution.

Impact:

• Attackers can pre-compute expected execution hashes
• Breaks transaction unpredictability guarantees
• Could enable front-running of proposal executions

Expected Fix:
Include a cryptographic nonce (e.g., secrets.token_bytes(32)) in the hash input.

[saim256]

Submitted a complementary fix in PR #4962:

#4962

PR #4842 fixes the rips/rustchain-core/governance/proposals.py implementation. This follow-up fixes the remaining deterministic execution hash in rips/python/rustchain/governance.py, which still used only proposal_id and executed_at.

What changed:

• Adds a 32-byte secrets.token_bytes() nonce to the Python package governance execution_tx_hash input.
• Adds a focused regression that pins the execution timestamp, executes the same proposal twice with different mocked nonces, and verifies the hashes differ and match the nonce-bound expected digests.

Validation:

• python -m pytest tests\test_python_governance_execution_hash.py -q -> 1 passed
• python -m py_compile rips\python\rustchain\governance.py tests\test_python_governance_execution_hash.py -> passed
• python -m ruff check rips\python\rustchain\governance.py tests\test_python_governance_execution_hash.py --select E9,F821,F811,F841 --output-format=concise -> passed
• git diff --check origin/main...HEAD -> passed
• python tools\bcos_spdx_check.py --base-ref origin/main -> OK

No production node, live governance service, wallet, or destructive testing was used.

Bounty wallet if eligible: RTC253255d034065a839cd421811ec589ae5b694ffc