[FUZZ] Beaconfuzz_v2 crash-5f5801ee2ad7be3a2c9017f3c731ccdbd3b0e64c #61
I just noticed that the stacktrace has a statement

Thanks for your efforts @parithosh! beacon-fuzz/beaconfuzz_v2/Makefile Lines 53 to 54 in 4e32905

But this would only be a config issue during the attempt to reproduce, and not during the initial crash identification.

@gnattishness I confirm, when

@pventuzelo glad that it was a config error then :D

I'm reopening the issue until we give your test case a try; it looks like the variable was not set only during the repro.
With the latest update of Prysm and beaconfuzz_v2, I'm not able to repro the bug using this command:

or using:

It looks like my environment was not correct during the previous test, so I'm reopening this issue. My command for testing:

other command:

Result:

Meaning: Nimbus does not agree with Prysm and Lighthouse. cc @zedt3ster
Thanks for reporting @parithosh - this is another great find by the structural fuzzer, highlighting a subtle difference between how Nimbus, Prysm and Lighthouse handle the

As per the eth2 specification:

```python
def process_attester_slashing(state: BeaconState, attester_slashing: AttesterSlashing) -> None:
    attestation_1 = attester_slashing.attestation_1
    attestation_2 = attester_slashing.attestation_2
    assert is_slashable_attestation_data(attestation_1.data, attestation_2.data)
    assert is_valid_indexed_attestation(state, attestation_1)
    assert is_valid_indexed_attestation(state, attestation_2)

    slashed_any = False
    indices = set(attestation_1.attesting_indices).intersection(attestation_2.attesting_indices)
    for index in sorted(indices):
        if is_slashable_validator(state.validators[index], get_current_epoch(state)):
            slash_validator(state, index)
            slashed_any = True
    assert slashed_any
```

The function

```python
def is_valid_indexed_attestation(state: BeaconState, indexed_attestation: IndexedAttestation) -> bool:
    """
    Check if ``indexed_attestation`` is not empty, has sorted and unique indices and has a valid aggregate signature.
    """
    # Verify indices are sorted and unique
    indices = indexed_attestation.attesting_indices
    if len(indices) == 0 or not indices == sorted(set(indices)):
        return False
    # Verify aggregate signature
    pubkeys = [state.validators[i].pubkey for i in indices]
    domain = get_domain(state, DOMAIN_BEACON_ATTESTER, indexed_attestation.data.target.epoch)
    signing_root = compute_signing_root(indexed_attestation.data, domain)
    return bls.FastAggregateVerify(pubkeys, signing_root, indexed_attestation.signature)
```

It turns out that Lighthouse and Prysm are performing the indexed attestation validation as part of their signature verification:

In Lighthouse:

The closure

For Prysm:

When BLS signatures are disabled,

As a result, the

For Nimbus:

In the snippet linked above, we can see that Nimbus performs an additional check on the attesting indices:

```nim
let num_validators = state.validators.lenu64
if anyIt(indexed_attestation.attesting_indices, it >= num_validators):
  return err("indexed attestation: not all indices valid validators")
```

As a result, the

This explains the discrepancy raised by the fuzzer. Thanks again for reporting this @parithosh!
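To make the split concrete, here is an added Python model (not code from this thread or from any of the clients) of the two validation orders contrasted above: a lenient order where the only bounds check on the attesting indices is the pubkey lookup inside signature verification, and a strict order with an explicit bounds check first. The type names, the `verify_signatures` switch and the sample state are constructed for the example.

```python
from dataclasses import dataclass
# Constructed stand-ins for the spec types used in the comment above.
@dataclass
class Validator:
    pubkey: bytes

@dataclass
class BeaconState:
    validators: list

@dataclass
class IndexedAttestation:
    attesting_indices: list

def indices_sorted_unique(indices):
    # First half of the spec check: non-empty, sorted, unique indices.
    return len(indices) > 0 and indices == sorted(set(indices))

def valid_lenient(state, att, verify_signatures=True):
    # Lenient order: the index bounds check exists only as the pubkey lookup
    # inside signature verification, so it vanishes when that is disabled.
    if not indices_sorted_unique(att.attesting_indices):
        return False
    if not verify_signatures:
        return True
    try:
        _ = [state.validators[i].pubkey for i in att.attesting_indices]
    except IndexError:
        return False
    return True  # real BLS aggregate verification omitted here

def valid_strict(state, att, verify_signatures=True):
    # Strict order: explicit bounds check before any signature handling.
    if not indices_sorted_unique(att.attesting_indices):
        return False
    if any(i >= len(state.validators) for i in att.attesting_indices):
        return False
    if not verify_signatures:
        return True
    _ = [state.validators[i].pubkey for i in att.attesting_indices]
    return True  # real BLS aggregate verification omitted here

def compare_clients(state, att, verify_signatures):
    # Returns (lenient, strict); differing verdicts mean a consensus split.
    return (valid_lenient(state, att, verify_signatures),
            valid_strict(state, att, verify_signatures))
# Constructed sample: 4 validators, attestation referencing index 7.
STATE = BeaconState(validators=[Validator(pubkey=bytes([i])) for i in range(4)])
BAD_ATT = IndexedAttestation(attesting_indices=[1, 7])
```

With signatures verified both orders reject `BAD_ATT`; with verification disabled only the strict order does, which is the disagreement the fuzzer surfaced.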
Thanks for the detailed response @zedt3ster! Glad I could be of help :)
I've identified a fuzzer crash and am contributing to the security of Ethereum 2!

I've done and provided the following:

- [FUZZ]
- issue already refers to that crasher
- beacon-fuzz version or commit used.

Info to Reproduce

```
make fuzz_attester_slashing-struct
```

crash-5f5801ee2ad7be3a2c9017f3c731ccdbd3b0e64c
crash-5f5801ee2ad7be3a2c9017f3c731ccdbd3b0e64c.zip

Crash output and stacktrace

Attached as a screenshot:

Re-ran the input on the nightly compiler (`rustup default nightly`, it refused to compile on `default`). Command used to re-run input:

```
RUST_BACKTRACE=1 cargo fuzz run struct_attester_slashing fuzz/artifacts/struct_attester_slashing/crash-5f5801ee2ad7be3a2c9017f3c731ccdbd3b0e64c
```

Stacktrace:

Your Environment

b56bf452adc05ac5b0a73aa8844dac0465894ebc refs/heads/beaconfuzz_v2