From 79bb549748fb55556922ddde6064dda270912324 Mon Sep 17 00:00:00 2001
From: UdjinM6 <UdjinM6@users.noreply.github.com>
Date: Fri, 27 Mar 2026 15:50:41 +0300
Subject: [PATCH 1/2] fix: Guard mnauth by local masternode service

Co-authored-by: OpenAI Codex <codex@openai.com>
---
 src/evo/mnauth.cpp | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/evo/mnauth.cpp b/src/evo/mnauth.cpp
index d724e30e5807..4f54135ca1f3 100644
--- a/src/evo/mnauth.cpp
+++ b/src/evo/mnauth.cpp
@@ -19,9 +19,21 @@
 void CMNAuth::PushMNAUTH(CNode& peer, CConnman& connman, const CActiveMasternodeManager& mn_activeman)
 {
     CMNAuth mnauth;
-    if (mn_activeman.GetProTxHash().IsNull()) {
+    const uint256 pro_tx_hash{mn_activeman.GetProTxHash()};
+    if (pro_tx_hash.IsNull()) {
         return;
     }
+    if (peer.IsInboundConn()) {
+        const CService expected_service{mn_activeman.GetService()};
+        const CService connected_service{static_cast<const CService&>(peer.addrBind)};
+        if (expected_service != connected_service) {
+            LogPrint(BCLog::NET_NETCONN, /* Continued */
+                     "CMNAuth::%s -- Not sending MNAUTH on unexpected local service, expected=%s, connected=%s, "
+                     "peer=%d\n",
+                     __func__, expected_service.ToStringAddrPort(), connected_service.ToStringAddrPort(), peer.GetId());
+            return;
+        }
+    }
 
     const auto receivedMNAuthChallenge = peer.GetReceivedMNAuthChallenge();
     if (receivedMNAuthChallenge.IsNull()) {
@@ -39,7 +51,7 @@ void CMNAuth::PushMNAUTH(CNode& peer, CConnman& connman, const CActiveMasternode
     }
     const uint256 signHash{::SerializeHash(std::make_tuple(mn_activeman.GetPubKey(), receivedMNAuthChallenge, peer.IsInboundConn(), nOurNodeVersion))};
 
-    mnauth.proRegTxHash = mn_activeman.GetProTxHash();
+    mnauth.proRegTxHash = pro_tx_hash;
 
     // all clients uses basic BLS
     mnauth.sig = mn_activeman.Sign(signHash, false);

From 20c61390b45956ac7880d39c65a6a58a9a6f7e44 Mon Sep 17 00:00:00 2001
From: UdjinM6 <UdjinM6@users.noreply.github.com>
Date: Fri, 27 Mar 2026 15:57:27 +0300
Subject: [PATCH 2/2] test: Add functional test for mnauth service guard

Co-authored-by: OpenAI Codex <codex@openai.com>
---
 test/functional/p2p_mnauth.py  | 56 ++++++++++++++++++++++++++++++++++
 test/functional/test_runner.py |  2 ++
 2 files changed, 58 insertions(+)
 create mode 100755 test/functional/p2p_mnauth.py

diff --git a/test/functional/p2p_mnauth.py b/test/functional/p2p_mnauth.py
new file mode 100755
index 000000000000..61f2816445a0
--- /dev/null
+++ b/test/functional/p2p_mnauth.py
@@ -0,0 +1,56 @@
+#!/usr/bin/env python3
+# Copyright (c) 2026 The Dash Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+"""
+Test MNAUTH emission on the registered masternode service only.
+"""
+
+from test_framework.test_framework import (
+    DashTestFramework,
+    MasternodeInfo,
+)
+from test_framework.util import (
+    assert_equal,
+    p2p_port,
+)
+
+
+class P2PMNAUTHTest(DashTestFramework):
+    def add_options(self, parser):
+        self.add_wallet_options(parser)
+
+    def set_test_params(self):
+        self.alt_port = p2p_port(10)
+        self.mn_port = p2p_port(2)
+        self.set_dash_test_params(3, 1, extra_args=[
+            [],
+            [],
+            [f"-bind=127.0.0.1:{self.alt_port}", f"-externalip=127.0.0.1:{self.mn_port}"],
+        ])
+
+    def run_test(self):
+        masternode: MasternodeInfo = self.mninfo[0]
+        masternode_node = masternode.get_node(self)
+        connector = self.nodes[1]
+        use_v2transport = self.options.v2transport
+
+        expected_addr = f"127.0.0.1:{masternode.nodePort}"
+        alternate_addr = f"127.0.0.1:{self.alt_port}"
+
+        self.wait_until(lambda: masternode_node.masternode("status")["state"] == "READY")
+        assert_equal(masternode_node.masternode("status")["service"], expected_addr)
+
+        self.log.info(f"Connect to the registered masternode service over {'v2' if use_v2transport else 'v1'} and expect MNAUTH")
+        with connector.assert_debug_log([f"Masternode probe successful for {masternode.proTxHash}"]):
+            assert_equal(connector.masternode("connect", expected_addr, use_v2transport), "successfully connected")
+
+        self.log.info(f"Connect to the alternate bind over {'v2' if use_v2transport else 'v1'} and expect no MNAUTH")
+        with masternode_node.assert_debug_log(["Not sending MNAUTH on unexpected local service"]):
+            with connector.assert_debug_log(["connection is a masternode probe but first received message is not MNAUTH"]):
+                assert_equal(connector.masternode("connect", alternate_addr, use_v2transport), "successfully connected")
+
+
+if __name__ == '__main__':
+    P2PMNAUTHTest().main()
diff --git a/test/functional/test_runner.py b/test/functional/test_runner.py
index 3b5375eb83cd..203711b51a72 100755
--- a/test/functional/test_runner.py
+++ b/test/functional/test_runner.py
@@ -353,6 +353,8 @@
     'p2p_ibd_txrelay.py',
     'rpc_coinjoin.py',
     'rpc_masternode.py',
+    'p2p_mnauth.py --v1transport',
+    'p2p_mnauth.py --v2transport',
     'rpc_mnauth.py',
     'rpc_verifychainlock.py',
     'wallet_create_tx.py --legacy-wallet',