mempool: remove only valid (Code==0) txs on Update #3625

melekes · 2019-05-06T09:59:21Z

so evil proposers can't drop valid txs in Commit stage.

Also remove invalid (Code!=0) txs from the cache so they can be
resubmitted.

In the end of commit stage, we will update mempool to remove all the txs
in current block.

// Update mempool.
err = blockExec.mempool.Update(
	block.Height,
	block.Txs,
	TxPreCheck(state),
	TxPostCheck(state),
)

Assum an account has 3 transactions in the mempool, the sequences are
100, 101 and 102 separately, So an evil proposal can only package the
101 and 102 transactions into its proposal block, and leave 100 still in
mempool, then the two txs will be removed from all validators' mempool
when commit. So the account lost the two valid txs.

@ebuchman:

In the longer term we may want to do something like #2639 so we can
validate txs before we commit the block. But even in this case we'd only
want to run the equivalent of CheckTx, which means the DeliverTx could
still fail even if the CheckTx passes depending on how the app handles
the ABCI Code semantics. So more work will be required around the ABCI
code. See also #2185

Updated all relevant documentation in docs
Updated all code comments where relevant
Wrote tests
Updated CHANGELOG_PENDING.md

@rickyyangz

so evil proposers can't drop valid txs in Commit stage. Also remove invalid (Code!=0) txs from the cache so they can be resubmitted. Fixes #3322 @rickyyangz: In the end of commit stage, we will update mempool to remove all the txs in current block. // Update mempool. err = blockExec.mempool.Update( block.Height, block.Txs, TxPreCheck(state), TxPostCheck(state), ) Assum an account has 3 transactions in the mempool, the sequences are 100, 101 and 102 separately, So an evil proposal can only package the 101 and 102 transactions into its proposal block, and leave 100 still in mempool, then the two txs will be removed from all validators' mempool when commit. So the account lost the two valid txs. @ebuchman: In the longer term we may want to do something like #2639 so we can validate txs before we commit the block. But even in this case we'd only want to run the equivalent of CheckTx, which means the DeliverTx could still fail even if the CheckTx passes depending on how the app handles the ABCI Code semantics. So more work will be required around the ABCI code. See also #2185

codecov-io · 2019-05-06T10:07:46Z

Codecov Report

Merging #3625 into develop will decrease coverage by 0.11%.
The diff coverage is 88.88%.

@@            Coverage Diff             @@
##           develop   #3625      +/-   ##
==========================================
- Coverage    63.31%   63.2%   -0.12%     
==========================================
  Files          218     217       -1     
  Lines        18253   18165      -88     
==========================================
- Hits         11557   11481      -76     
+ Misses        5737    5717      -20     
- Partials       959     967       +8

Impacted Files	Coverage Δ
mempool/mempool.go	`84.21% <ø> (ø)`	⬆️
state/execution.go	`73.41% <100%> (+0.11%)`	⬆️
mempool/clist_mempool.go	`81.54% <87.5%> (-0.43%)`	⬇️
privval/signer_validator_endpoint.go	`75.55% <0%> (-10%)`	⬇️
privval/socket_listeners.go	`86.2% <0%> (-6.9%)`	⬇️
privval/signer_service_endpoint.go	`85.45% <0%> (-3.64%)`	⬇️
privval/signer_remote.go	`80% <0%> (-2%)`	⬇️
blockchain/reactor.go	`70.56% <0%> (-0.94%)`	⬇️
consensus/replay.go	`70.2% <0%> (-0.82%)`	⬇️
consensus/reactor.go	`70.6% <0%> (-0.71%)`	⬇️
... and 7 more

mempool/clist_mempool_test.go

liamsi · 2019-05-06T18:28:40Z

mempool/clist_mempool.go

+			// Block, proposed by evil proposer:
+			//   101 -> 102
+			// Mempool (if you remove txs):
+			//   100


Can we write this down as a test case (which fails without the changes)?

TestMempoolUpdate will fail without the changes

I understand but I wondered if we should have the above example in a test instead of what is there in TestMempoolUpdate. But NVM. TestMempoolUpdate is actually better as it is more minimalistic!

liamsi

LGTM

Otherwise, we'll be trying to include them in each consecutive block. The downside is that evil proposers will be able to drop valid transactions (see #3322). Reverts #3625 Fixes #3699

@rickyyangz

* mempool: remove only valid (Code==0) txs on Update so evil proposers can't drop valid txs in Commit stage. Also remove invalid (Code!=0) txs from the cache so they can be resubmitted. Fixes tendermint#3322 @rickyyangz: In the end of commit stage, we will update mempool to remove all the txs in current block. // Update mempool. err = blockExec.mempool.Update( block.Height, block.Txs, TxPreCheck(state), TxPostCheck(state), ) Assum an account has 3 transactions in the mempool, the sequences are 100, 101 and 102 separately, So an evil proposal can only package the 101 and 102 transactions into its proposal block, and leave 100 still in mempool, then the two txs will be removed from all validators' mempool when commit. So the account lost the two valid txs. @ebuchman: In the longer term we may want to do something like #2639 so we can validate txs before we commit the block. But even in this case we'd only want to run the equivalent of CheckTx, which means the DeliverTx could still fail even if the CheckTx passes depending on how the app handles the ABCI Code semantics. So more work will be required around the ABCI code. See also tendermint#2185 * add changelog entry and tests * improve changelog message * reformat code

melekes added 2 commits May 6, 2019 15:37

add changelog entry and tests

15c47bb

improve changelog message

b115cc3

melekes marked this pull request as ready for review May 6, 2019 11:42

melekes requested review from ebuchman and xla as code owners May 6, 2019 11:42

liamsi reviewed May 6, 2019

View reviewed changes

mempool/clist_mempool_test.go Outdated Show resolved Hide resolved

liamsi reviewed May 6, 2019

View reviewed changes

mempool/clist_mempool_test.go Outdated Show resolved Hide resolved

liamsi reviewed May 6, 2019

View reviewed changes

mempool/clist_mempool_test.go Outdated Show resolved Hide resolved

liamsi reviewed May 6, 2019

View reviewed changes

reformat code

87db96b

melekes self-assigned this May 7, 2019

liamsi approved these changes May 7, 2019

View reviewed changes

melekes merged commit 27909e5 into develop May 7, 2019

melekes deleted the 3322-evil-proposers branch May 7, 2019 08:25

This was referenced May 7, 2019

Evil proposers can drop valid txs in Commit stage #3322

Closed

v0.31.6 release preview #3637

Closed

melekes mentioned this pull request May 30, 2019

temporary #3684

Closed

44 tasks

melekes mentioned this pull request Jun 1, 2019

remove invalid transactions from the mempool #3701

Merged

4 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

mempool: remove only valid (Code==0) txs on Update #3625

mempool: remove only valid (Code==0) txs on Update #3625

melekes commented May 6, 2019 •

edited

codecov-io commented May 6, 2019 •

edited

liamsi May 6, 2019 •

edited

melekes May 6, 2019

liamsi May 7, 2019

liamsi left a comment

mempool: remove only valid (Code==0) txs on Update #3625

mempool: remove only valid (Code==0) txs on Update #3625

Conversation

melekes commented May 6, 2019 • edited

codecov-io commented May 6, 2019 • edited

Codecov Report

liamsi May 6, 2019 • edited

Choose a reason for hiding this comment

melekes May 6, 2019

Choose a reason for hiding this comment

liamsi May 7, 2019

Choose a reason for hiding this comment

liamsi left a comment

Choose a reason for hiding this comment

melekes commented May 6, 2019 •

edited

codecov-io commented May 6, 2019 •

edited

liamsi May 6, 2019 •

edited