double-signing protection #4059
Comments
I believe this can be considered a duplicate of #2237 (comment). We have discussed this on a few calls, but have just not gotten around to working on it.
We will review #2237 and provide an updated spec so that it can include the "mode" abstraction! Thank you for connecting this!
Seems reasonable. One question I have surrounds the following:
Will it only need to look past "unbonding period" # of blocks?
@alexanderbez no. Practically it will definitely be much less than that. I am imagining something like 50 blocks or less. The main purpose of this feature is to double check that another node is "currently" validating with the same valoper or valconspub on the chain. I think the maximum lookup height might be around several hundred blocks because this use case does not need more.
I think you still have to be careful here though. The node could be offline > 50 blocks.
That's true. Maybe we want to
What do you think?
I think to start, just have a node not be started with privval.json. The feature of switching is a bit harder and would need more in-depth thought and research, but would be more easily solved when we have different modes for validating and full nodes.
Keep in mind that looking up recent votes is only possible if the node is synced well (and it is one of the prime objectives of this feature). Therefore, if we want to add the prevention method to check recent votes, the procedure should be from non validating > validating while it is running. What we can differentiate fullnode/validator mode is that
Below is our new spec of double-signing protection, which also includes the "mode" concept.
Implementation details will follow soon next week!
Implementation spec of Double Signing Risk Reduction [ADR-51](https://github.com/tendermint/tendermint/blob/master/docs/architecture/adr-051-double-signing-risk-reduction.md) by B-Harvest

- Add `DoubleSignCheckHeight` config variable to ConsensusConfig for "How many blocks to look back to check for the existence of the node's consensus votes before joining consensus"
- Add `consensus.double_sign_check_height` to `config.toml` and `tendermint node` as a flag to set `DoubleSignCheckHeight`
- Set default `consensus.double_sign_check_height` to `0` (it could be adjustable in this PR, disabled when 0)

Refs

- [ADR-51](https://github.com/tendermint/tendermint/blob/master/docs/architecture/adr-051-double-signing-risk-reduction.md)
- #4059
- #4262
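A sketch of the look-back check described in the spec above, added here as an illustration; it is not code from the thread or from Tendermint. The function name, error value and the `signersByHeight` map are hypothetical stand-ins for the node's block store, and the sample data is constructed. The second call shows the concern raised earlier in the thread: a signature older than the window goes unnoticed.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

var ErrOwnSignatureFound = errors.New("own validator signature found in recent commits")

// CheckDoubleSigningRisk scans the checkHeight blocks below height for ownAddr.
// signersByHeight is a hypothetical stand-in for commit signatures in the local
// block store (not Tendermint's types). checkHeight == 0 disables the check.
func CheckDoubleSigningRisk(signersByHeight map[int64][][]byte, height, checkHeight int64, ownAddr []byte) error {
	if checkHeight <= 0 {
		return nil
	}
	for h := height - 1; h >= height-checkHeight && h >= 1; h-- {
		for _, s := range signersByHeight[h] { // missing height: nil slice, nothing to scan
			if bytes.Equal(s, ownAddr) {
				return fmt.Errorf("%w: height %d", ErrOwnSignatureFound, h)
			}
		}
	}
	return nil
}

// SampleCommits returns constructed data: validator "AA" last signed at height 95.
func SampleCommits() map[int64][][]byte {
	m := map[int64][][]byte{}
	for h := int64(90); h <= 100; h++ {
		m[h] = [][]byte{[]byte("BB"), []byte("CC")}
		if h <= 95 {
			m[h] = append(m[h], []byte("AA"))
		}
	}
	return m
}

func main() {
	c := SampleCommits()
	fmt.Println(CheckDoubleSigningRisk(c, 101, 10, []byte("AA"))) // window 91..100 includes height 95
	fmt.Println(CheckDoubleSigningRisk(c, 101, 5, []byte("AA")))  // window 96..100 misses it
	fmt.Println(CheckDoubleSigningRisk(c, 101, 0, []byte("AA")))  // 0 disables the check
}
```

Because heights missing from the local store are skipped silently, a node that has not synced to the chain head gets no protection from this check.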
Per #5147 (comment), #5147 will not work without fast sync / state sync.
I think this Issue is now effectively a duplicate of the one that's tracking the "Tendermint Modes" work, so I'm going to close it. But please re-open it if I misunderstood!