-
Notifications
You must be signed in to change notification settings - Fork 710
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
approval-voting: Make sure we always mark approved candidates approved in a different relay chain context #4153
Conversation
…d in a different relay chain context ... see for more detail why this is needed #4149 (comment) Signed-off-by: Alexandru Gheorghe <[email protected]>
Signed-off-by: Alexandru Gheorghe <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great find!
The root cause analysis seems on point, but I'm not sure about the fix itself. I mean it does fix this scenario, but I don't know if can create other issues or can be abused, so maybe it's a good idea to summon @rphmeier for discussion here.
The fix seems very subtle to me. I didn't think this too deep, but an alternative would be to approve it under all blocks known in |
@sandreim convinced me offline that this ^^^ is the proper fix, will come back with a new version, marking the PR as draft until I get that done. |
You mean if we mark the candidate approved in other blocks when it got approved in one of the fork, yeah that's right we would increase the chances of an attacker. |
Signed-off-by: Alexandru Gheorghe <[email protected]>
Signed-off-by: Alexandru Gheorghe <[email protected]>
Signed-off-by: Alexandru Gheorghe <[email protected]>
Ended up making this fix more explicit by scheduling a waking up on forked relay blocks, only if there is no wake up scheduled and if the validator in question already has an assignment on it. Additionally, improved the unittest to test the exact scenario I described here: #4149 (comment). @sandreim @ordian let me know what you think. Marking it as ready for re-review. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @alexggh this much better now 👍🏼
Co-authored-by: Andrei Sandu <[email protected]>
Co-authored-by: Andrei Sandu <[email protected]>
Signed-off-by: Alexandru Gheorghe <[email protected]>
Signed-off-by: Alexandru Gheorghe <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking good to me. Nice work!
Signed-off-by: Alexandru Gheorghe <[email protected]>
cdedf3d
to
eabe2b7
Compare
I've no idea how I missed this one, so.. We do assignments using private VRFs of the relay chain VRF when the candidate gets included, so candidates have different assignments based upon when they're included. We should not give adversaries more control over the selection of approval checkers, but there are roughly two axies here:
Abstractly, once assignments exist then they should be executed, possibly creating remote disputes. In principle, if relay block R includes parablock X then finality for R should ideally wait upon all assignments for X on all relay chain forks, but how much does this matter? We've always worried about 2 in the context of an adversary making two forks, one which includes the core and one which abandons the core, with which the adversary kills the including fork if approval chekers look unfavorable. In this, the abandonment fork could safely finalize early, but then the assignments should still occur on the inclusion fork, and create a remote dispute. As the adversay loses temporarily, we ensure they exaust all the dots before winning. In theory, adversaries could include the same candidate in many relay chain forks, and then advance and finalize only the fork where we assign too few honest checkers. We never really covered this case in the security analysis, but does the adversary have enough checkers? As an off the cuff approximation, an adversary needs core collisions in multi-sets given by their own tranche zero assignments. We have We'll take I remembered much smaller numbers there, so maybe I've screwed up the above, but this suggests adversaries have simple attack windows like 1% of the time, but the multi-attack windows still strink rapidly in size. |
... see for more detail why this is needed
#4149 (comment)
TODO: