Description
After a wallet switches to a new guardian, the old guardian continues to list and mutate state for that account. There’s no push mechanism to notify the old guardian it lost the account.
Result: Same accountId exists on both old and new guardians with different currentCommitment values. Both believe they’re authoritative.
Repro Steps
- Wallet A is served by Guardian X
- Wallet A submits guardian_switch tx to Guardian Y
- Check dashboards: Wallet A still appears on Guardian X and Guardian Y
- Both guardians accept state updates for Wallet A independently
Impact
- Split-brain: Two guardians hold conflicting state for one account
- Stale acceptance: Old guardian accepts txs after the account switched away. State seems to reset if wallet switches back, but behavior is undefined
- Unclear canonical source: With diverging commitments, it’s not obvious which one the network treats as valid
Root Cause
guardian_switch txs go to the new guardian only. Old guardian lacks any notification or required reconciliation against on-chain guardian metadata.
Potential Approaches
- Guardian polls chain for commitments it doesn’t recognize - works for small account sets, but polling cost scales poorly
- Node provides filtered events API - node sends only relevant deregistration events to guardians
- Push deregistration on switch - guardian_switch tx explicitly notifies old guardian
- Mark account disabled on detection - stop serving state once guardian realizes it’s stale
Description
After a wallet switches to a new guardian, the old guardian continues to list and mutate state for that account. There’s no push mechanism to notify the old guardian it lost the account.
Result: Same accountId exists on both old and new guardians with different currentCommitment values. Both believe they’re authoritative.
Repro Steps
Impact
Root Cause
guardian_switch txs go to the new guardian only. Old guardian lacks any notification or required reconciliation against on-chain guardian metadata.
Potential Approaches