fix: Dedup Vote Extensions in ValidateVoteExtensions

[davidterpay]

Description

Closes: #18893

This PR resolves issue opened in #18893. This PR adds a validator address cache to ValidateVoteExtensions which ensure's that multiple of the same vote extensions cannot be included in the extended commit info.

Author Checklist

All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.

I have...

• included the correct type prefix in the PR title
• confirmed ! in the type prefix if API or client breaking change
• targeted the correct branch (see PR Targeting)
• provided a link to the relevant issue or specification
• reviewed "Files changed" and left comments if necessary
• included the necessary unit and integration tests
• added a changelog entry to CHANGELOG.md
• updated the relevant documentation or specification, including comments for documenting Go code
• confirmed all CI checks have passed

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.

I have...

• confirmed the correct type prefix in the PR title
• confirmed all author checklist items have been addressed
• reviewed state machine logic, API design and naming, documentation is accurate, tests and test coverage

[coderabbitai]

Walkthrough

The change implements a mechanism to ensure vote extensions submitted by validators are not duplicated. This is achieved by introducing a cache to track submissions, which helps prevent the same vote extension from being processed more than once. This enhances the security of the voting process by enforcing the required quorum and preventing manipulation by malicious actors.

Changes

File(s)	Change Summary
baseapp/abci_utils.go baseapp/abci_utils_test.go	Introduced a cache map to de-duplicate vote extensions in the ValidateVoteExtensions function. Added a new test function TestValidateVoteExtensionsDuplicateVotes to the ABCIUtilsTestSuite struct.
CHANGELOG.md	Modified the baseapp module to fix the de-duplication of vote extensions during validation in ValidateVoteExtensions.
baseapp/abci_test.go	Significantly reworked the TestBaseApp_VoteExtensions function, including the generation of multiple private keys and corresponding public keys, handling of vote extensions and signatures, and adjustment of the processing of vote extensions from the previous block to include validator addresses.

Assessment against linked issues

Objective	Addressed	Explanation
Bug Fix for de-duplication of vote extensions in ValidateVoteExtensions (#18893)	✅
Security Enhancement to prevent quorum bypassing (#18893)	✅
Prevent manipulation of on-chain state (#18893)	✅
Ensure proper validation of vote extensions (#18893)	✅

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

---

Tips

Chat with CodeRabbit Bot (@coderabbitai)

Note: Auto-reply has been disabled for this repository by the repository owner. The CodeRabbit bot will not respond to your comments unless it is explicitly tagged.

• You can tag CodeRabbit on specific lines of code or entire files in the PR by tagging @coderabbitai in a comment. Examples:
  • @coderabbitai generate unit tests for this file
  • @coderabbitai modularize this function
• You can tag @coderabbitai in a PR comment and ask questions about the PR and the codebase. Examples:
  • @coderabbitai gather interesting statistics about this repository and render them in a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai generate unit tests for the src/utils.ts file.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger a review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• The JSON schema for the configuration file is available here.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/coderabbit-overrides.v2.json

CodeRabbit Discord Community

Join our Discord Community to get help, request features, and share feedback.

[facundomedica]

What do you think if instead of de-duplicating we just return an error? That way the rest of the validators could reject the proposal during ProcessProposal, otherwise it could open up the possibility to lots of duplicate data going around

[coderabbitai]

The new test function TestValidateVoteExtensionsDuplicateVotes correctly simulates the scenario of duplicate vote extensions and asserts that an error is expected. This aligns with the PR's objective to prevent duplicate vote extensions from being processed.

However, it would be beneficial to include a comment explaining why the error is expected and what specific error message or type is anticipated. This would improve the maintainability and clarity of the test for future developers.

+ // TestValidateVoteExtensionsDuplicateVotes ensures that an error is returned
+ // when duplicate vote extensions are detected. This is critical for preventing
+ // potential security vulnerabilities as described in issue #18893.
  func (s *ABCIUtilsTestSuite) TestValidateVoteExtensionsDuplicateVotes() {
      ...
+     // The error should specifically indicate the presence of duplicate vote extensions.
      s.Require().Error(baseapp.ValidateVoteExtensions(s.ctx, s.valStore, 3, chainID, llc))
  }

---

Committable suggestion

❗ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	// check ValidateVoteExtensions works with duplicate votes
	func (s *ABCIUtilsTestSuite) TestValidateVoteExtensionsDuplicateVotes() {
	ext := []byte("vote-extension")
	cve := cmtproto.CanonicalVoteExtension{
	Extension: ext,
	Height: 2,
	Round: int64(0),
	ChainId: chainID,
	}
	bz, err := marshalDelimitedFn(&cve)
	s.Require().NoError(err)
	extSig0, err := s.vals[0].privKey.Sign(bz)
	s.Require().NoError(err)
	ve := abci.ExtendedVoteInfo{
	Validator: s.vals[0].toValidator(333),
	VoteExtension: ext,
	ExtensionSignature: extSig0,
	BlockIdFlag: cmtproto.BlockIDFlagCommit,
	}
	llc := abci.ExtendedCommitInfo{
	Round: 0,
	Votes: []abci.ExtendedVoteInfo{
	ve,
	ve,
	ve,
	},
	}
	// expect fail (duplicate votes)
	s.Require().Error(baseapp.ValidateVoteExtensions(s.ctx, s.valStore, 3, chainID, llc))
	}
	// TestValidateVoteExtensionsDuplicateVotes ensures that an error is returned
	// when duplicate vote extensions are detected. This is critical for preventing
	// potential security vulnerabilities as described in issue #18893.
	func (s *ABCIUtilsTestSuite) TestValidateVoteExtensionsDuplicateVotes() {
	ext := []byte("vote-extension")
	cve := cmtproto.CanonicalVoteExtension{
	Extension: ext,
	Height: 2,
	Round: int64(0),
	ChainId: chainID,
	}
	bz, err := marshalDelimitedFn(&cve)
	s.Require().NoError(err)
	extSig0, err := s.vals[0].privKey.Sign(bz)
	s.Require().NoError(err)
	ve := abci.ExtendedVoteInfo{
	Validator: s.vals[0].toValidator(333),
	VoteExtension: ext,
	ExtensionSignature: extSig0,
	BlockIdFlag: cmtproto.BlockIDFlagCommit,
	}
	llc := abci.ExtendedCommitInfo{
	Round: 0,
	Votes: []abci.ExtendedVoteInfo{
	ve,
	ve,
	ve,
	},
	}
	// The error should specifically indicate the presence of duplicate vote extensions.
	s.Require().Error(baseapp.ValidateVoteExtensions(s.ctx, s.valStore, 3, chainID, llc))
	}

[davidterpay]

What do you think if instead of de-duplicating we just return an error? That way the rest of the validators could reject the proposal during ProcessProposal, otherwise it could open up the possibility to lots of duplicate data going around

I'm not fully sure if there is an scenario where duplicate VEs in the extended commit info could be included under normal conditions - which is why minimally continuing and ignoring the vote extension is definitely necessary. If duplicate vote extensions can only be included by proposers, then erroring does make more sense.

update:
per @facundomedica, it'll throw an error.

[alexanderbez]

utACK. Thanks!

[alexanderbez]

Let's backport this to 0.50.x

cc @facundomedica

[facundomedica]

LGTM, thank you!
Here's the code that creates the vote extensions on CometBFT btw: https://github.com/cometbft/cometbft/blob/f72d930a68386f6139838449d0653ef0621f7b29/internal/state/execution.go#L504