-
Notifications
You must be signed in to change notification settings - Fork 28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Make satisfy finality when elect voters #119
Closed
Closed
Commits on Jul 2, 2020
-
Since the light client work introduced in v0.33 it appears full nodes are no longer fully verifying commit signatures during block execution - they stop after +2/3. See in VerifyCommit: https://github.com/tendermint/tendermint/blob/0c7fd316eb006c0afc13996c00ac8bde1078b32c/types/validator_set.go#L700-L703 This means proposers can propose blocks that contain valid +2/3 signatures and then the rest of the signatures can be whatever they want. They can claim that all the other validators signed just by including a CommitSig with arbitrary signature data. While this doesn't seem to impact safety of Tendermint per se, it means that Commits may contain a lot of invalid data. This is already true of blocks, since they can include invalid txs filled with garbage, but in that case the application knows they they are invalid and can punish the proposer. But since applications dont verify commit signatures directly (they trust tendermint to do that), they won't be able to detect it. This can impact incentivization logic in the application that depends on the LastCommitInfo sent in BeginBlock, which includes which validators signed. For instance, Gaia incentivizes proposers with a bonus for including more than +2/3 of the signatures. But a proposer can now claim that bonus just by including arbitrary data for the final -1/3 of validators without actually waiting for their signatures. There may be other tricks that can be played because of this. In general, the full node should be a fully verifying machine. While it's true that the light client can avoid verifying all signatures by stopping after +2/3, the full node can not. Thus the light client and full node should use distinct VerifyCommit functions if one is going to stop after +2/3 or otherwise perform less validation (for instance light clients can also skip verifying votes for nil while full nodes can not). See a commit with a bad signature that verifies here: 56367fd. From what I can tell, Tendermint will go on to think this commit is valid and forward this data to the app, so the app will think the second validator actually signed when it clearly did not.
Configuration menu - View commit details
-
Copy full SHA for 5e52a6e - Browse repository at this point
Copy the full SHA 5e52a6eView commit details -
consensus: Do not allow signatures for a wrong block in commits
Closes #4926 The dump consensus state had this: "last_commit": { "votes": [ "Vote{0:04CBBF43CA3E 385085/00/2(Precommit) 1B73DA9FC4C8 42C97B86D89D @ 2020-05-27T06:46:51.042392895Z}", "Vote{1:055799E028FA 385085/00/2(Precommit) 652B08AD61EA 0D507D7FA3AB @ 2020-06-28T04:57:29.20793209Z}", "Vote{2:056024CFA910 385085/00/2(Precommit) 652B08AD61EA C8E95532A4C3 @ 2020-06-28T04:57:29.452696998Z}", "Vote{3:0741C95814DA 385085/00/2(Precommit) 652B08AD61EA 36D567615F7C @ 2020-06-28T04:57:29.279788593Z}", Note there's a precommit in there from the first val from May (2020-05-27) while the rest are from today (2020-06-28). It suggests there's a validator from an old instance of the network at this height (they're using the same chain-id!). Obviously a single bad validator shouldn't be an issue. But the Commit refactor work introduced a bug. When we propose a block, we get the block.LastCommit by calling MakeCommit on the set of precommits we saw for the last height. This set may include precommits for a different block, and hence the block.LastCommit we propose may include precommits that aren't actually for the last block (but of course +2/3 will be). Before v0.33, we just skipped over these precommits during verification. But in v0.33, we expect all signatures for a blockID to be for the same block ID! Thus we end up proposing a block that we can't verify.
Configuration menu - View commit details
-
Copy full SHA for 8ccfdb9 - Browse repository at this point
Copy the full SHA 8ccfdb9View commit details -
Configuration menu - View commit details
-
Copy full SHA for cefeab0 - Browse repository at this point
Copy the full SHA cefeab0View commit details -
Configuration menu - View commit details
-
Copy full SHA for 606d0a8 - Browse repository at this point
Copy the full SHA 606d0a8View commit details
Commits on Jul 30, 2020
-
Configuration menu - View commit details
-
Copy full SHA for 52d8794 - Browse repository at this point
Copy the full SHA 52d8794View commit details
Commits on Aug 4, 2020
-
Merge pull request #112 from line/apply_v0.33.6
Apply tendermint v0.33.6
Configuration menu - View commit details
-
Copy full SHA for 0f9516a - Browse repository at this point
Copy the full SHA 0f9516aView commit details
Commits on Aug 5, 2020
-
Configuration menu - View commit details
-
Copy full SHA for 9a75993 - Browse repository at this point
Copy the full SHA 9a75993View commit details
Commits on Aug 7, 2020
-
Configuration menu - View commit details
-
Copy full SHA for 6994d02 - Browse repository at this point
Copy the full SHA 6994d02View commit details
Commits on Aug 13, 2020
-
Configuration menu - View commit details
-
Copy full SHA for c6e66bc - Browse repository at this point
Copy the full SHA c6e66bcView commit details
Commits on Aug 17, 2020
-
Merge pull request #101 from line/feature/signature_aggregation
Introduce composite key to delegate features to each function key
Configuration menu - View commit details
-
Copy full SHA for 40a2944 - Browse repository at this point
Copy the full SHA 40a2944View commit details
Commits on Sep 14, 2020
-
feat: Make staisfy finality when elect voter
kukugi committedSep 14, 2020 Configuration menu - View commit details
-
Copy full SHA for e34a58c - Browse repository at this point
Copy the full SHA e34a58cView commit details
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.