-
Notifications
You must be signed in to change notification settings - Fork 197
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow loading a list of relays from an API #136
Comments
just pointing out that this is a classic "security vs convenience" trade-off. if we assume a "battle-hardened" validation setup then not only does the operator have to open IP access to the relays but also to this "relay provider" and the relay provider must take a lot of care to not be compromised. the "low-hanging fruit" class of damage that could be done by compromise of an endpoint like this issue suggests is pretty minimal although I can see how it could be exploited for a liveness fault (esp. if I found a zero-day in the local builder fallback pipeline) -- im sure we can think of increasingly damaging attacks if we spend more time on it |
its also worth considering other discovery mechanisms beyond a registry provided by a direct API. I know at least ethereum and bitcoin have DNS-based discovery modes (if someone goes down this road, look into authenticating the DNS records a la DNSSEC) and in the limit we could even bake our own discovery layer on top of discv5. |
Thanks for the input Alex 🙏 Let's discuss and evaluate this further. This feature is particularly relevant for parties that manage a large amount of validators, where reconfiguring and restarting mev-boost manually across a large number of nodes is cumbersome. The best setup to use this feature seems a statically hosted JSON on multiple providers (rather than a dynamic API/service). |
yeah I think re-loading a local file is much easier to secure than making arbitrary network requests :) |
There has not been much interest in loading a remote list, so let's start with the local config and see if the need arises to allow loading it from an API as well. |
For reference, this could also be solved by a local script that queries the API, or a smart contract, and writes the local config file. |
mev-boost should have the ability to load a list of relays from an URL. This allows updating the used relays without needing to update the CL clients / mev-boost service.
The text was updated successfully, but these errors were encountered: