Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

always atomically update justified and finalized #2727

Merged
merged 6 commits into from
Nov 22, 2021

Conversation

djrtwo
Copy link
Contributor

@djrtwo djrtwo commented Nov 18, 2021

When finalized is updated, the fork choice should always update to the justification that finalized the new checkpoint atomically with the finality update.

This document goes into the problem unearthed and the solution -- https://notes.ethereum.org/YfStc2i6Rgenk_gzhEojfQ?view

Note that this bug can only be triggered on mainnet with >1/3 slashing, and if you are willing to do that, there are plenty of much more interesting attacks you'd probably pull off. This patch is a must prior to the Merge (along with proposer boosting!)

Thank you @realbigsean and @paulhauner for bringing the issue to our attention!


@adiasg's comment copied from below:

This PR makes 2 changes:

  1. Only make atomic updates to store (as discussed above)
  2. Allow old attestations from blocks to be processed

Fix for atomic updates to store looks good.
Also good to move ahead with processing old attestations from blocks for now - that's the only way to make atomic updates to the store work in our current testing setup. If that changes in the future, this logic should go through security analysis (esp. for flip-flop attacks).

@djrtwo djrtwo changed the title [WIP] always atomically update justified and finalized always atomically update justified and finalized Nov 18, 2021
@hwwhww
Copy link
Contributor

hwwhww commented Nov 18, 2021

Also thank @ajsutton for noticing this issue months ago!


on_attestation changes

Along with the on_block function update, this PR also brings on_attestation function update for making the test case pass correctly.

We introduce an is_from_block flag to on_attestation function to signal if the given attestation is carried with a BeaconBlock message or as a single Attestation message.

  • If is_from_block is False, that means it's from Attestation message, we have to check validate_target_epoch_against_current_time.
  • If is_from_block is True, we skip validate_target_epoch_against_current_time validation.

Copy link
Contributor

@adiasg adiasg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR makes 2 changes:

  1. Only make atomic updates to store
  2. Allow old attestations from blocks to be processed

Fix for atomic updates to store looks good.
Also good to move ahead with processing old attestations from blocks for now - that's the only way to make atomic updates to the store work in our current testing setup. If that changes in the future, this logic should go through security analysis (esp. for flip-flop attacks).

@djrtwo djrtwo merged commit bbdb0d8 into dev Nov 22, 2021
@djrtwo djrtwo deleted the fc-dev-validate_target_epoch_scope-patch branch November 22, 2021 16:42
adiasg added a commit that referenced this pull request Nov 22, 2021
bors bot pushed a commit to sigp/lighthouse that referenced this pull request Dec 13, 2021
## Issue Addressed

Resolves: #2741
Includes: #2853 so that we can get ssz static tests passing here on v1.1.6. If we want to merge that first, we can make this diff slightly smaller

## Proposed Changes

- Changes the `justified_epoch` and `finalized_epoch` in the `ProtoArrayNode` each to an `Option<Checkpoint>`. The `Option` is necessary only for the migration, so not ideal. But does allow us to add a default logic to `None` on these fields during the database migration.
- Adds a database migration from a legacy fork choice struct to the new one, search for all necessary block roots in fork choice by iterating through blocks in the db.
- updates related to ethereum/consensus-specs#2727
  -  We will have to update the persisted forkchoice to make sure the justified checkpoint stored is correct according to the updated fork choice logic. This boils down to setting the forkchoice store's justified checkpoint to the justified checkpoint of the block that advanced the finalized checkpoint to the current one. 
  - AFAICT there's no migration steps necessary for the update to allow applying attestations from prior blocks, but would appreciate confirmation on that
- I updated the consensus spec tests to v1.1.6 here, but they will fail until we also implement the proposer score boost updates. I confirmed that the previously failing scenario `new_finalized_slot_is_justified_checkpoint_ancestor` will now pass after the boost updates, but haven't confirmed _all_ tests will pass because I just quickly stubbed out the proposer boost test scenario formatting.
- This PR now also includes proposer boosting ethereum/consensus-specs#2730

## Additional Info
I realized checking justified and finalized roots in fork choice makes it more likely that we trigger this bug: ethereum/consensus-specs#2727

It's possible the combination of justified checkpoint and finalized checkpoint in the forkchoice store is different from in any block in fork choice. So when trying to startup our store's justified checkpoint seems invalid to the rest of fork choice (but it should be valid). When this happens we get an `InvalidBestNode` error and fail to start up. So I'm including that bugfix in this branch.

Todo:

- [x] Fix fork choice tests
- [x] Self review
- [x] Add fix for ethereum/consensus-specs#2727
- [x] Rebase onto Kintusgi 
- [x] Fix `num_active_validators` calculation as @michaelsproul pointed out
- [x] Clean up db migrations

Co-authored-by: realbigsean <seananderson33@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants