Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

consensus: prevent unjustified view-change from transmitted dummy blocks (using NEWVIEW signatures) #1160

Open
sdbondi opened this issue Sep 27, 2024 · 0 comments
Open

consensus: prevent unjustified view-change from transmitted dummy blocks (using NEWVIEW signatures) #1160

sdbondi opened this issue Sep 27, 2024 · 0 comments
Milestone
v0.8.0

Comments

@sdbondi
Copy link
Member

sdbondi commented Sep 27, 2024
edited
Loading

Background

Currently, once NEWVIEW messages reach a quorum, we discard them and propose a block with one or more dummy parents.

When performing catch-up, we send dummy blocks to force the syncing node to move the view forward without having to wait for a view change from a leader timeout. This is a vulnerability because a dummy can be sent at any time. In general, there should be no need to send a dummy (or alternatively a dummy should contain some proof of quorum).

Proposal 1

Add a new field to blocks that contains NEWVIEW signatures. These are required when proposing dummy block parents (i.e. block.justify().block != block.parent).

These are validated and will force a change to the next view.

Protocol modifications:

  • Catch-up should no longer send dummy blocks
  • Dummy block bool should be removed from the message proto
  • if any dummy blocks are received, they should be rejected (this is implicitly the case as the proposer signature will either be missing or the incorrect proposer for the height will be on the block).
  • NEWVIEW signatures MUST be present and valid if the justify does not justify the parent block
  • NEWVIEW signatures MUST be empty if the block justifies the parent block
  • NEWVIEW justification MUST be committed in the block id (hash)

Implementation:
A new QC type that contains all the signatures (e.g NewViewQc) used in the block as an optional field.

Proposal 2

NEWVIEW signatures should sign the dummy block, and those signatures should be used to justify it (new high QC)

Proposal 3

We send the last vote to the next leader when available, therefore in this case we already know that a majority has sent NEWVIEW if there is a new high QC. In the rarer case that there is no previous vote, we may want to block sign the last dummy to prove a view change (proposal 2). So the validation for a leader fail block could simply be a new high QC in the block, otherwise reject.

Acceptance:

  1. Start a swarm with >= 4 nodes.
  2. Shut down one of the nodes
  3. Wait for one or more leader failures and committed dummy blocks
  4. Restart the node
  5. The node quickly caches up to the tip and includes the required dummy blocks
@sdbondi sdbondi converted this from a draft issue Sep 27, 2024
@sdbondi sdbondi added this to the v0.0.1 milestone Sep 27, 2024
@sdbondi sdbondi changed the title consensus: NEWVIEW signatures should be proposed in block consensus: prevent unjustified view-change from transmitted dummy blocks (using NEWVIEW signatures) Sep 27, 2024
@sdbondi sdbondi mentioned this issue Sep 27, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
Tari Digital Assets Network (DAN) backlog
Status: Backlog
Milestone
v0.8.0
Development

No branches or pull requests
1 participant
@sdbondi