Reject data columns that does not descend from finalize root instead of ignoring it #8179
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…data column if parent does not descend from the finalize root.
jimmygchen
added
ready-for-review
jimmygchen
changed the title
michaelsproul
approved these changes
Oct 9, 2025
Member
michaelsproul
left a comment
michaelsproul
left a comment
There was a problem hiding this comment.
Nice improvement, makes sense to me.
michaelsproul
added
ready-for-merge
6 tasks
mergify bot
pushed a commit
that referenced
this pull request
Oct 16, 2025
This PR reverts #8179. It turns out that the fix was invalid because an unknown root is always not a finalized descendant: https://github.com/sigp/lighthouse/blob/522bd9e9c6ac167f2231525e937c9ebbcb86cf6e/consensus/proto_array/src/proto_array.rs#L976-L979 so for any data columns with unknown parents, it will always penalise the gossip peer and disconnect it pretty quickly. On a small network, the node may lose all of its peers. The impact is pretty obvious when the peer count is small and sync speed is slow, and is therefore easily reproducible by running a fresh supernode on devnet-3. This isn't as obvious on a live testnet like holesky / sepolia, we haven't noticed this, probably due to its high peer count and sync speed - the nodes might be able to reach head quickly before losing too many peers. The previous behaviour isn't ideal but safe: triggering unknown parent lookup and penalise the bad peer if it happens to be malicious or faulty. So for now it's safer to revert the change and plan for a proper fix after the v8 release. Co-Authored-By: Jimmy Chen <[email protected]>
jchavarri
pushed a commit
to jchavarri/lighthouse
that referenced
this pull request
Oct 21, 2025
…of ignoring it (sigp#8179) This issue was identified during the fusaka audit competition. The [`verify_parent_block_and_finalized_descendant`](https://github.com/sigp/lighthouse/blob/62d9302e0f9dd9f94d0325411a3029b36ad90685/beacon_node/beacon_chain/src/data_column_verification.rs#L606-L627) in data column gossip verification currently load the parent first before checking if the column descends from the finalized root. However, the `fork_choice.get_block(&block_parent_root)` function also make the same check internally: https://github.com/sigp/lighthouse/blob/8a4f6cf0d5b6b261b2c3439ce7c05383a53d30c5/consensus/fork_choice/src/fork_choice.rs#L1242-L1249 Therefore, if the column does not descend from the finalized root, we return an `UnknownParent` error, before hitting the `is_finalized_checkpoint_or_descendant` check just below. Which means we `IGNORE` the gossip message instead `REJECT`, and the gossip peer is not _immediately_ penalised. This deviates from the spec. However, worth noting that lighthouse will currently attempt to request the parent from this peer, and if the peer is not able to serve the parent, it gets penalised with a `LowToleranceError`, and will get banned after ~5 occurences. https://github.com/sigp/lighthouse/blob/ffa7b2b2b9e3b4e70678e2c749b8bc45234febd7/beacon_node/network/src/sync/network_context.rs#L1530-L1532 This PR will penalise the bad peer immediately instead of performing block lookups before penalising it. Co-Authored-By: Jimmy Chen <[email protected]>
jchavarri
pushed a commit
to jchavarri/lighthouse
that referenced
this pull request
Oct 21, 2025
This PR reverts sigp#8179. It turns out that the fix was invalid because an unknown root is always not a finalized descendant: https://github.com/sigp/lighthouse/blob/522bd9e9c6ac167f2231525e937c9ebbcb86cf6e/consensus/proto_array/src/proto_array.rs#L976-L979 so for any data columns with unknown parents, it will always penalise the gossip peer and disconnect it pretty quickly. On a small network, the node may lose all of its peers. The impact is pretty obvious when the peer count is small and sync speed is slow, and is therefore easily reproducible by running a fresh supernode on devnet-3. This isn't as obvious on a live testnet like holesky / sepolia, we haven't noticed this, probably due to its high peer count and sync speed - the nodes might be able to reach head quickly before losing too many peers. The previous behaviour isn't ideal but safe: triggering unknown parent lookup and penalise the bad peer if it happens to be malicious or faulty. So for now it's safer to revert the change and plan for a proper fix after the v8 release. Co-Authored-By: Jimmy Chen <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue Addressed
This issue was identified during the fusaka audit competition.
The
verify_parent_block_and_finalized_descendantin data column gossip verification currently load the parent first before checking if the column descends from the finalized root.However, the
fork_choice.get_block(&block_parent_root)function also make the same check internally:lighthouse/consensus/fork_choice/src/fork_choice.rs
Lines 1242 to 1249 in 8a4f6cf
Therefore, if the column does not descend from the finalized root, we return an
UnknownParenterror, before hitting theis_finalized_checkpoint_or_descendantcheck just below.Which means we
IGNOREthe gossip message insteadREJECT, and the gossip peer is not immediately penalised. This deviates from the spec.However, worth noting that lighthouse will currently attempt to request the parent from this peer, and if the peer is not able to serve the parent, it gets penalised with a
LowToleranceError, and will get banned after ~5 occurences.lighthouse/beacon_node/network/src/sync/network_context.rs
Lines 1530 to 1532 in ffa7b2b
This PR will penalise the bad peer immediately instead of performing block lookups before penalising it.