Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Incorrect merkle validation in process_deposit #703

Closed
gnattishness opened this issue Jan 28, 2020 · 2 comments
Closed

Incorrect merkle validation in process_deposit #703

gnattishness opened this issue Jan 28, 2020 · 2 comments

Comments

@gnattishness
Copy link
Contributor

gnattishness commented Jan 28, 2020

What is wrong?

process_deposit accepts deposits with an invalid merkle proof as valid

https://github.com/status-im/nim-beacon-chain/blob/257771d9af971621dc73b572c56d5e856ac75ad5/beacon_chain/spec/beaconstate.nim#L57-L70

How can it be fixed

  1. process_deposit should fail if is_valid_merkle_branch() is false e.g. return false
  2. is_valid_merkle_branch() should be called with depth=DEPOSIT_CONTRACT_TREE_DEPTH + 1 according to the spec (https://github.com/ethereum/eth2.0-specs/blob/v0.10.1/specs/phase0/beacon-chain.md#deposits)

How it was found

Discovered via beacon-fuzz (initial testing of deposit fuzzer).
Triggering case: nim-deposit-crash-5d4907f2962783d3806b93bfe1a5f4c808b1c3bf with the following beacon_states
Or the pre-processed input deposit_preprocessed_invalid_merkle.ssz can be directly passed to the nimbus harness nfuzz_deposit

@djrtwo
Copy link
Contributor

djrtwo commented Jan 28, 2020

Interesting, we have a case to cover an invalid merkle branch in the consensus tests here -- https://github.com/ethereum/eth2.0-specs/blob/7b76808a1c28dc44d449dee7619e301130066959/tests/core/pyspec/eth2spec/test/phase_0/block_processing/test_process_deposit.py#L228-L240

I'll see if I can figure out what the difference between this case is and why it's not adequately covered in our vectors

@tersec
Copy link
Contributor

tersec commented Jan 30, 2020

Feel free to re-open if this doesn't fix things.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants