Peer synchronization requires too much trust #39

Open
xloem opened this issue Jan 31, 2016 · 2 comments

Comments


xloem commented Jan 31, 2016

It looks like the synchronization code picks the peer which gives the highest block height, and then tries to synchronize only from them.

This looks very vulnerable to a misbehaving peer which has a higher block height but will not synchronize to that height. Instead the block tree should be built from all connected peers, and a peer not judged as certainly providing the highest height until it has actually provided valid blocks at that height.

See https://github.com/Qoracoin/Qora/blob/master/Qora/src/controller/Controller.java#L693

Collaborator

agran commented Mar 1, 2016

I too noticed this vulnerability.

Collaborator

catbref commented Apr 18, 2018

There have been changes in v0.26.9 which might address this as misbehaving peers are blacklisted for a while. "Misbehaving" includes not sending blocks, or sending out-of-order blocks, or blocks on a radically different fork - which essentially lets a node settle on the right fork/chain by way of network consensus.

Review would be appreciated!
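An added sketch, not Qora's code, of the behaviour discussed in this thread: a peer's advertised height is treated as an unverified hint, and a peer that fails to back it with blocks that extend the local tip is blacklisted for a while so synchronization falls through to the next peer. `SyncSketch`, `Peer`, `MapPeer` and `BLACKLIST_MS` are hypothetical names, block validation is reduced to a height and parent-hash check, and fork choice is not modelled.

```java
import java.util.*;

public class SyncSketch {
    record Block(int height, String hash, String prevHash) {}

    // Hypothetical peer API: claimedHeight() is an unverified hint, getBlock may return null.
    interface Peer { String id(); int claimedHeight(); Block getBlock(int height); }

    // Constructed sample peer that serves blocks from a map.
    record MapPeer(String id, int claimedHeight, Map<Integer, Block> blocks) implements Peer {
        public Block getBlock(int height) { return blocks.get(height); }
    }

    static final long BLACKLIST_MS = 10 * 60_000L; // assumed penalty period
    final Map<String, Long> blacklistedUntil = new HashMap<>();
    final List<Block> chain = new ArrayList<>(List.of(new Block(0, "genesis", "")));

    Block tip() { return chain.get(chain.size() - 1); }

    // Stand-in for full block validation: only height and parent linkage are checked.
    boolean extendsTip(Block b) {
        return b != null && b.height() == tip().height() + 1
                && b.prevHash().equals(tip().hash());
    }

    void synchronize(Collection<Peer> peers, long now) {
        List<Peer> candidates = new ArrayList<>(peers);
        candidates.sort((x, y) -> Integer.compare(y.claimedHeight(), x.claimedHeight()));
        for (Peer p : candidates) {
            if (blacklistedUntil.getOrDefault(p.id(), 0L) > now) continue;
            while (tip().height() < p.claimedHeight()) {
                Block b = p.getBlock(tip().height() + 1);
                if (!extendsTip(b)) { // missing, out-of-order, or other-fork block
                    blacklistedUntil.put(p.id(), now + BLACKLIST_MS);
                    break; // the claim was not backed by blocks: try the next peer
                }
                chain.add(b);
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: "liar" claims height 1000 but serves nothing.
        Map<Integer, Block> real = Map.of(1, new Block(1, "h1", "genesis"),
                2, new Block(2, "h2", "h1"), 3, new Block(3, "h3", "h2"));
        SyncSketch node = new SyncSketch();
        node.synchronize(List.of(new MapPeer("liar", 1000, Map.of()),
                new MapPeer("honest", 3, real)), 0L);
        System.out.println(node.tip().height() + " " + node.blacklistedUntil.keySet());
    }
}
```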
