Verify incoming TransmissionResponses
#3083
Conversation
|
I believe this risks OOMing the validator. I know of two paths where we request transmissions:
We could receive many pings in parallel, and a single For pings I'd imagine it would be better to follow the path of For |
| @@ -363,7 +363,7 @@ impl<N: Network> Worker<N> { | |||
| self.spawn(async move { | |||
| while let Some((peer_ip, transmission_response)) = rx_transmission_response.recv().await { | |||
| // Process the transmission response. | |||
| self_.finish_transmission_request(peer_ip, transmission_response); | |||
| self_.finish_transmission_request(peer_ip, transmission_response).await; | |||
There was a problem hiding this comment.
do we need to process the transmission response entries in the order they arrive? if not, we could spawn tasks that performs this action, in order to be able to perform multiple of them concurrently
| @@ -182,16 +182,13 @@ impl<N: Network, C: ConsensusStorage<N>> LedgerService<N> for CoreLedgerService< | |||
| (TransmissionID::Transaction(expected_transaction_id), Transmission::Transaction(transaction_data)) => { | |||
| match transaction_data.clone().deserialize_blocking() { | |||
There was a problem hiding this comment.
it's not ideal that we do blocking deserialization in an async context; we should either do it before calling check_transaction_basic (with a deserialized transaction), or use a blocking task here
| @@ -201,16 +198,13 @@ impl<N: Network, C: ConsensusStorage<N>> LedgerService<N> for CoreLedgerService< | |||
| (TransmissionID::Solution(expected_commitment), Transmission::Solution(solution_data)) => { | |||
| match solution_data.clone().deserialize_blocking() { | |||
There was a problem hiding this comment.
check_transmission_basic is too strict for all TransmissionResponse. It will cause liveness issues. For example, it's common that a valid Certificate contains a transaction that tries to consume a serial number that is already consumed. With this patch, the validator will fail to sync the transaction and thus will fail to fetch the Certificate.
The validator should perform some more basic checks (e.g. exclude Fee transaction, invalid format) before signing BatchPropose. It should not reject the transaction if already included in a Certificate.
Co-authored-by: ljedrz <ljedrz@users.noreply.github.com> Signed-off-by: Raymond Chu <14917648+raychu86@users.noreply.github.com>
|
@randomsleep can you elaborate?
This sounds like something which should be invalid.
This PR introduces calling |
|
I believe @randomsleep might be correct that we may not need to verify the transmissions in the BatchCertificate, because it may prevent us from syncing certificates that are included in a subsequent subdag. Perhaps these transactions/double-spends were going to be aborted in the block; instead, we forcefully ignore ignore transmissions which prevents us from syncing up with the certificate. The validator would then get stuck until is starts syncing via blocks. Definitely needs more thought. However, we definitely do need to verify the transmissions from the proposals. |
|
Yes, @raychu86 have explained. However, while checking 'BatchPropose', we should also allow duplicated transactions. This is because at the time some validarors may have committed some transactions but others haven't. |
|
My thoughts on transaction checking rules:
|
|
This should be replaced by AleoNet/snarkVM#2376 and #3104. |
Motivation
This PR performs transmission verification when processing transmissions from
TransmissionResponses. Previously we were blindly accepting them into the batch, which could lead to possible halting cases, where malicious nodes inject faulty transactions.This should fix:
#2990
#2991