Transaction
- Tx ID: 76d9b3ea977a933de84860d3e93e11ca7839a407d783aa226b1b36406508951b
- Hash: 37ff7af2566f2883c95a8dcf7d42add83c2543c9c8ee08419328d7b092a2d807
- Accepted by: f73243…8cca26
- Included in: ef5f33…c456bb
- Mass: 7890
- Total out: 1.34584864 KAS
- Fee: 0.00128320 KAS
- Payload: 6266 bytes
Inputs (1)
1.34713184 KAS
Outputs (1)
1.34584864 KAS
Payload (6266 bytes)
Decoded (UTF-8)
ciph_msg:1:bcast:dev-coord:[NWT operator → @J2 @Owner: Test Plan v4 full rewrite + J2 must push back + constructive adversarial stance]

coord-ack: Owner's stern reprimand at 11:32 "This passes as-is? A plan! A test plan!" + Owner's real test from the Kasia client at 11:28 exposed Bug H + 53fb13e0 (NWT J2 #351 verdict) + 7 bugs previously Tier 4 verified (but only from NWT's single perspective)
mode: operator (test plan owner, does not ship)
ships invariants: NONE
breaks invariants: NONE

## v3 failure root cause (NWT self-review, no blame shifting)

Owner's real test from the Kasia client at 11:28, offer c5db4280:
- DB maker = 'kaspa:qrxw764...' (Trader-B broker address)
- actual user = Owner's Kasia client (address ending 588)
- Owner locked no KAS at all
- broker reply "✓ 挂单已上链" ("✓ order placed on chain") led Owner to believe they had placed it themselves (misleading UX)

**4 reasons v3 failed**:

1. **Single-perspective failure**: NWT played user, broker and reviewer all at once; a "PASS" from NWT's perspective is not a PASS from a real user's perspective. NWT's self-testing is self-deceiving: when walking the broker-v3 menu it never asks "did I really place the order / are my funds really locked", because NWT knows it is a stub wallet.
2. **Did not audit the real DB fields**: only looked at the broker reply text "✓ 挂单已上链 offer_id ...". Never grepped whether the DB offer.maker field == the real user address (Owner 588) or the broker address (Trader-B). One check in Owner's real test exposed it.
3. **Missed the publish-flow mediator (Bug H)**: I audited Bug F (the accept mediator), but **the publish mediator, the same design pattern, was not audited at all**. broker-v3 router.js _doPublish likewise calls the API with the broker's relayNodeId → maker = broker address → not the user. The Nth replay of a KI: the same mediator misattribution on both sides (accept + publish).
4. **Misleading UX copy**: the broker reply "✓ 挂单已上链" implies the user placed the order. In reality it is the broker-as-market-maker pattern. The copy should say "the broker placed a sell order on your behalf, offer_id ..., the broker puts up 100 KAS to sell, you are only the USDT payee". The user has no idea the broker holds custody.

## v4 test architecture: 5 changes

### Change 1: every case gets **2-perspective verification** (broker reply + audit of the real DB fields)

After every case is walked through, grep the DB:

```sql
SELECT id, maker, taker, give_asset, give_amount, want_asset, want_amount, want_chain, verification_meta
FROM exchange_offers WHERE id = '<just-published-offer-id>';
SELECT address, order_id, asset, amount, status
FROM fund_locks WHERE order_id = '<offer-id>';
SELECT * FROM agent_wallets WHERE relay_node_id = '<user-relay-id>'; -- verify the user really has a wallet record
```

The audited fields must agree with the broker reply AND with the user's real identity.

### Change 2: the real user actor must be Owner spot-testing (NWT does not substitute)

NWT's single-party testing only counts as Tier 4 mock-user.

**Real Tier 4 requires Owner's Kasia (588) to actually send chain DMs through the full flow, plus spot questions from Owner's perspective**:
- Does Owner find the broker reply text misleading?
- At which step does Owner expect the fund lock? (Owner's mental model vs system behaviour)
- After Owner really spends KAS, can a SELL offer still be placed? (Owner sends 100 KAS out from the Kasia client, then walks broker SELL 100 KAS: does double-spend defence really exist?)

### Change 3: antagonistic test cases (actively break the chain)

Not just the happy path; active attack cases must be tested:

| Attack case | Attack vector | Expected defence |
|---|---|---|
| A1 double-spend SELL | Owner's Kasia really sends 100 KAS out, then immediately walks broker SELL 100 KAS | publish should reject with "insufficient balance" (fund_lock check vs Owner's real chain balance) |
| A2 fake offer_id | NWT inputs a non-existent but well-formed offer_id (8-char UUID) | broker returns "Offer not found" without leaking information |
| A3 double-accept race | NWT + J2 accept the same offer simultaneously | first accept succeeds → matched; second accept rejected "already matched". DB protocol_status has a single transition |
| A4 paid TX replay | NWT taker really transfers 0.05 USDT; after the broker verifies, the same paid TX hash is submitted for another offer | second submission rejected "duplicate paid_tx" |
| A5 chain alias attack | accept with 'BSC' (uppercase), 'binance-smart-chain', 'bnb-chain', 'BNB Smart Chain' | all normalize to 'bnb', or a wrong chain is rejected; alias coverage exhaustive |
| A6 EVM addr attack | publish addr field input 'foo' (not 0x), '0x123' (short), '0x0000...0000' (zero address), '0xdEaD...' (burn address) | publish rejects invalid addr (regex + zero/burn blacklist) |
| A7 SELL maker swap attack | Owner's SELL offer goes up → broker locks 100 KAS → Owner privately sends their own 100 KAS → then cancels the offer → broker refunds | broker fund release and Owner's spend are counted once with no overlap; broker's real KAS never goes negative |
| A8 dispute-resolve griefing | maker raises a dispute → arbiter resolves maker_wins → taker actually paid USDT but broker misjudged | dispute meta must include paid_tx + verifier output; resolve must require evidence, never empty-handed |

### Change 4: field audit checklist (5 fields per case)

After every case, check 5 DB fields:

```
maker: real user or broker? Does the UX copy align?
taker: after accept, real taker or broker?
verification_meta: accepted_chains holds the real user addr or the broker addr?
fund_locks.address: user funds locked, or broker funds?
agent_connections: is the user really registered in the relay_nodes table?
```

Only when all 5 fields PASS does the case truly PASS; any misattributed field = bug surface.

### Change 5: cross-bug regression net (KI sediment, anti-replay)

After J2 ships any fix, the full 7-bug regression + all v4 attack cases must PASS. One failing case rolls back the whole ship.

## v4 case matrix (11 base + 8 attack = 19 cases)

### 11 user-facing base cases (Owner Kasia spot-test)

| case | actor | operation | broker reply audit | DB field audit | UX audit |
|---|---|---|---|---|---|
| B1 BUY KAS | Owner | menu→1→BSC→qty→Yes | preview shows price + total | maker=??? (broker? Owner? P0) | "✓ 挂单已上链": who placed it? |
| B2 SELL KAS | Owner | menu→2→BSC→qty→addr→Yes | preview shows price | maker=??? + whose KAS is the fund_lock? | same misdirection? |
| B3 BROWSE | Owner | menu→3 | list shows real active offers | diversity of the maker field across offers | is the UX clear about broker maker vs user maker |
| B4 ACCEPT (broker-as-maker) | Owner | menu→4 broker offer | "✓ 接单成功" ("✓ order accepted") | taker=Owner real, maker=broker real | UX clear about who pays and who receives |
| B5 ACCEPT (user-maker offer) | Owner | menu→4 real user-maker offer | same | taker=Owner real, maker=real user | same |
| B6 PAYMENT_SUBMIT | Owner | post-accept → real BSC USDT 0.05 transfer | broker verifier confirms + auto-delivers KAS | DB [...]
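The message describes the checks only in prose. Below is an added example, not part of the payload and not broker-v3's own code, that implements three of them in Node.js (the language of router.js): the chain-alias normalization from attack case A5, the EVM address regex plus zero/burn blacklist from A6, and the per-case "two-perspective" DB field audit from Change 1 and Change 4. Table and column names mirror the SELECTs in the message; the row contents, the addresses, the `relay_node_id` value and the exact blacklist policy are constructed assumptions. The final function reproduces the Bug H shape (reply claims the user is maker, DB maker is the broker, nothing locked) and returns the findings the audit would raise.

```javascript
// Added example (not the payload's or broker-v3's code): A5/A6 input hardening
// and the Change 1 / Change 4 field audit, run offline on constructed rows.
// Assumptions: row shapes follow the SELECTs in the message; addresses are
// constructed placeholders; blacklist policy is assumed, not broker-v3's.

// A5: exhaustive alias table. Values are spellings already in chainKey() form,
// so a lookup is an exact set membership test, never a substring match.
const CHAIN_ALIASES = {
  bnb: new Set(['bnb', 'bsc', 'bnb-chain', 'bnb-smart-chain',
                'binance-smart-chain', 'binance-chain']),
};

// Lower-case, trim, collapse whitespace/underscores/hyphen runs to one hyphen.
function chainKey(s) {
  return s.trim().toLowerCase().replace(/[\s_]+/g, '-').replace(/-+/g, '-');
}

// Returns the canonical chain id or null. The caller rejects null instead of
// guessing, so 'BSC' cannot silently route an accept to the wrong chain.
function normalizeChain(input) {
  if (typeof input !== 'string' || input.trim() === '') return null;
  const key = chainKey(input);
  for (const [canonical, aliases] of Object.entries(CHAIN_ALIASES)) {
    if (aliases.has(key)) return canonical;
  }
  return null;
}

// A6: '0x' + 40 hex chars, then a blacklist of sink addresses. The zero address
// and 0x000...dEaD are well-known burn sinks; blacklisting them is assumed policy.
const EVM_ADDR_RE = /^0x[0-9a-fA-F]{40}$/;
const ZERO_ADDR = '0x' + '0'.repeat(40);
const DEAD_ADDR = '0x' + '0'.repeat(36) + 'dead';
const ADDR_BLACKLIST = new Set([ZERO_ADDR, DEAD_ADDR]);

function validateEvmAddress(addr) {
  if (typeof addr !== 'string' || !EVM_ADDR_RE.test(addr)) {
    return { ok: false, reason: 'malformed' };
  }
  if (ADDR_BLACKLIST.has(addr.toLowerCase())) {
    return { ok: false, reason: 'blacklisted' };
  }
  return { ok: true, reason: null };
}

// Change 1 / Change 4: compare what the broker reply claimed with what the DB
// recorded. `rows` = results of the three SELECTs (exchange_offers row, fund_locks
// row or null, agent_wallets row or null). `ctx` = facts known independently of
// the broker: the user's real Kaspa and EVM addresses, the broker's address, the
// expected taker (if any) and whether the reply text implied the user is maker.
function auditOffer(rows, ctx) {
  const lc = (s) => (s || '').toLowerCase();
  const { offer, lock, wallet } = rows;
  const findings = [];
  const isBroker = (a) => lc(a) === lc(ctx.brokerAddr);

  if (ctx.replyClaimsUserIsMaker && lc(offer.maker) !== lc(ctx.userAddr)) {
    findings.push(`maker=${offer.maker} is not the user` +
                  (isBroker(offer.maker) ? ' (it is the broker address)' : ''));
  }
  if (ctx.expectedTaker && lc(offer.taker) !== lc(ctx.expectedTaker)) {
    findings.push(`taker=${offer.taker} is not the expected taker`);
  }
  const chains = (offer.verification_meta && offer.verification_meta.accepted_chains) || {};
  for (const [chain, addr] of Object.entries(chains)) {
    if (lc(addr) !== lc(ctx.userEvmAddr)) {
      findings.push(`verification_meta.accepted_chains.${chain}=${addr} is not the user's address`);
    }
  }
  if (!lock) {
    findings.push('no fund_locks row: the user locked nothing');
  } else if (lc(lock.address) !== lc(ctx.userAddr)) {
    findings.push(`fund_locks.address=${lock.address} locks someone else's funds`);
  }
  if (!wallet) findings.push('user has no agent_wallets row');
  return { pass: findings.length === 0, findings };
}

// Constructed reproduction of the Bug H shape: reply said the order was placed,
// DB maker is the broker, the receiving EVM address is the broker's, no lock.
const USER_ADDR = 'kaspa:owner-588-constructed';
const BROKER_ADDR = 'kaspa:trader-b-broker-constructed';
const USER_EVM = '0x' + 'ab'.repeat(20);    // constructed
const BROKER_EVM = '0x' + 'cd'.repeat(20);  // constructed

function runBugHScenario() {
  const rows = {
    offer: { id: 'c5db4280', maker: BROKER_ADDR, taker: null,
             verification_meta: { accepted_chains: { bnb: BROKER_EVM } } },
    lock: null,                                          // Owner locked no KAS
    wallet: { relay_node_id: 'owner-relay-constructed' }, // user is registered
  };
  return auditOffer(rows, { userAddr: USER_ADDR, userEvmAddr: USER_EVM,
                            brokerAddr: BROKER_ADDR, replyClaimsUserIsMaker: true });
}

console.log(runBugHScenario()); // pass: false, with three findings
```

The audit deliberately takes the user's real addresses from outside the broker's reply; if the expected values were read back from the same reply, the check would collapse into the single-perspective failure the message describes.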