Attacks possible if we always accept non-adjacent headers #79
Comments
Can we not wait to gossip them until verified via adjacent verification (or if that does not check out, they won't be gossiped at all)?
Couldn't that be fixed by estimating a time/height for the time that has passed from genesis?
This is the simplest thing we can do. When we discussed this with @renaynay, we had a concern that the headers won't gossip because no one will regossip them, but in fact, all well-connected nodes will be synced up to the tip and will do adjacent verification to submit it further. Only nodes who didn't catch up to the tip won't reshare them, which I think is not bad and even intuitively feels right.
I think so, but I remember @musalbas had some concerns about block time assumptions not being realistic/precise. It might be that we don't need perfect precision in this case, and would like to hear your thoughts.
This PR disables skipping verification and accepts all the incoming non-adjacent headers. These headers will later be verified via adjacent verification and rejected if invalid.

Test that proves that Syncer rejects and continues to work with a fault header: celestiaorg/go-header#76

Potential outcomes of doing so: celestiaorg/go-header#79

Additionally, the PR reverts the genesis hash change to the hash pointing to height 1.

Supersedes #2449, which became zombie

---------

Co-authored-by: rene <[email protected]>
TODO (outcomes from meeting on 12.7.23)
The default trusting period in celestia-core https://github.com/celestiaorg/celestia-core/blob/v0.34.x-celestia/cmd/cometbft/commands/light.go#L90.
We realized that non-adjacent verification might produce false negatives in Tendermint consensus. Additionally, not all chains have non-adjacent verification, and before this change, we dropped all headers that failed the non-adjacency verification. However, we should give them a second chance and keep them as sync targets.

Additionally:

* Introduces typical verification flow. Users had to verify time, height, and chain-id themselves, but not anymore.
* We reject known headers, and it's a hard failure now.
* Non-adjacent verification failure is considered a soft failure.

Closes #79
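The hard/soft failure split described in the commit message above, sketched as an added example; it is not go-header's code, and the `Header` fields, the `Verdict` values and the `nonAdj` callback are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Header is a simplified, hypothetical header (not go-header's own interface).
type Header struct {
	ChainID, Hash, LastHash string // LastHash is the hash of the header at Height-1
	Height                  uint64
	Time                    time.Time
}

type Verdict int
const (
	Accept   Verdict = iota // verified against the trusted header
	SoftFail                // keep as sync target; adjacent verification decides later
	HardFail                // reject outright
)

// Verify runs the generic checks, then the adjacent or non-adjacent check.
// nonAdj stands in for a chain-specific check that may give false negatives.
func Verify(trusted, h Header, nonAdj func(trusted, h Header) error) (Verdict, string) {
	switch {
	case h.ChainID != trusted.ChainID:
		return HardFail, "wrong chain id"
	case h.Height <= trusted.Height: // assumed meaning of "known": at or below trusted
		return HardFail, "known header"
	case !h.Time.After(trusted.Time):
		return HardFail, "time not after trusted header"
	}
	if h.Height == trusted.Height+1 { // adjacent: must link to the trusted hash
		if h.LastHash != trusted.Hash {
			return HardFail, "does not link to trusted header"
		}
		return Accept, ""
	}
	if err := nonAdj(trusted, h); err != nil {
		return SoftFail, "non-adjacent: " + err.Error()
	}
	return Accept, ""
}

func main() {
	t0 := time.Unix(1700000000, 0) // constructed sample data
	trusted := Header{ChainID: "test", Hash: "h10", Height: 10, Time: t0}
	far := Header{ChainID: "test", Hash: "h50", Height: 50, Time: t0.Add(time.Minute)}
	fmt.Println(Verify(trusted, far, func(_, _ Header) error { return fmt.Errorf("insufficient voting power") }))
}
```

A `SoftFail` header is only a candidate sync target here; nothing in this sketch treats it as verified until an adjacent check links it back to the trusted header.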
We were talking about Rollkit implications with @nashqueue and found a few attacks with the current solution: