Uptime slashing allows a 1/3+ instance to fully take over the network #3054
Comments
Nice write-up Hendrik of our discussion. On the last point, I would add that it may not take substantially longer depending on how well an attacker understands the PoS implementation.
My basic point of view on this is it's exactly the kind of attack I would love to see in Game of Stakes. You potentially can do things about this class of attack by incorporating changes at the consensus layer. But I am excited about seeing attribution and social consensus driving a response.
But, I think denying a specific group of validators by another specific group of validators is clear evidence of censorship. Why does Cosmos (or Tendermint) not have a slashing mechanism for these acts? If we set a long enough time window and a high enough statistical hurdle, we might be able to monitor and prevent the censorship attack in advance. Is there any side effect of this slashing idea? So, down-time slashing can be defined by not just missing, but statistically enough missing of a sufficiently large group of proposers.
Why no automated slashing mechanism? Because it's not possible to differentiate between a network-level censorship attack and a cartel censorship attack at the protocol level.
Oh, so, a validator missing certain blocks proposed by a certain group of validators can be forced by a detailed timing network-level attack? (disrupt signing on certain proposer's blocks) That can lead to a "Falsification" of slashing. I understand now. Thanks.
Have not seen that. Fine to close in favor of it.
Credit also goes to @adrianbrink who initially described the attack and with whom I discussed this attack.
Let's imagine a network where a byzantine actor A controls 1/3+ (34%) of the voting weight and all other groups of validators B (32%), C (17%), D (17%) act according to the default logic of Cosmos and Tendermint.
Normally this would allow A to halt the network but not cause any further damage (except for faking lower uptimes by conducting a censorship attack).
Now since we have uptime slashing and subsequently jailing the following can happen:
`n_blocks` > `MinSignedPerWindow`
`n_blocks` > `MinSignedPerWindow`
=> A has a 2/3+ majority and can censor B out of the set to be the only validator.
=> Network takeover
Without action taken by the other validators within these `2*SigningWindow` the `2f+1` assumption is broken (even though not the stated `f < N/3`).
The only way to prevent this is for the others to actively monitor the network and censor A at the point they detect the byzantine behaviour.
In a live network this would mean that 1/3+ would have to detect this and patch in censorship within the said window. With a `SigningWindow` of 5000 blocks and a block time of 5s the first set of validators would have ~7h to patch this and the 2nd batch another ~7h.
We should therefore think about countermeasures or set a more forgiving `SigningWindow`.
@adrianbrink pointed out that even without slashing the 1/3+ instance can gain a 2/3+ majority by inflating them away and censoring their delegation TXs, however this would take substantially longer.
CC @adrianbrink @leoluk