zolfa
/
tendermint

# Evidence

Evidence is an important component of Tendermint's security model. Whilst the coreconsensus protocol provides correctness gaurantees for state machine replicationthat can tolerate less than 1/3 failures, the evidence system looks to detect andgossip byzantine faults whose combined power is greater than  or equal to 1/3. It is worth noting thatthe evidence system is designed purely to detect possible attacks, gossip them,commit them on chain and inform the application running on top of Tendermint.Evidence in itself does not punish "bad actors", this is left to the discretionof the application. A common form of punishment is slashing where the validatorsthat were caught violating the protocol have all or a portion of their votingpower removed. Evidence, given the assumption that 1/3+ of the network is stillbyzantine, is susceptible to censorship and should therefore be considered addedsecurity on a "best effort" basis.
This document walks through the various forms of evidence, how they are detected,gossiped, verified and committed.
> NOTE: Evidence here is internal to tendermint and should not be confused with
> application evidence

## Detection

### Equivocation

Equivocation is the most fundamental of byzantine faults. Simply put, to preventreplication of state across all nodes, a validator tries to convince some subsetof nodes to commit one block whilst convincing another subset to commit adifferent block. This is achieved by double voting (hence`DuplicateVoteEvidence`). A successful duplicate vote attack requires greaterthan 1/3 voting power and a (temporary) network partition between the aforementionedsubsets. This is because in consensus, votes are gossiped around. When a nodeobserves two conflicting votes from the same peer, it will use the two votes ofevidence and begin gossiping this evidence to other nodes. [Verification](#duplicatevoteevidence) is addressed further down.
```gotype DuplicateVoteEvidence struct {    VoteA Vote    VoteB Vote
    // and abci specific fields}```
### Light Client Attacks

Light clients also comply with the 1/3+ security model, however, by using adifferent, more lightweight verification method they are subject to adifferent kind of 1/3+ attack whereby the byzantine validators could sign analternative light block that the light client will think is valid. Detection,explained in greater detail[here](../light-client/detection/detection_003_reviewed.md), involves comparisonwith multiple other nodes in the hope that at least one is "honest". An "honest"node will return a challenging light block for the light client to validate. Ifthis challenging light block also meets the[validation criteria](../light-client/verification/verification_001_published.md)then the light client sends the "forged" light block to the node.[Verification](#lightclientattackevidence) is addressed further down.
```gotype LightClientAttackEvidence struct {    ConflictingBlock LightBlock    CommonHeight int64
      // and abci specific fields}```
## Verification

If a node receives evidence, it will first try to verify it, then persist it.Evidence of byzantine behavior should only be committed once (uniqueness) andshould be committed within a certain period from the point that it occurred(timely). Timelines is defined by the `EvidenceParams`: `MaxAgeNumBlocks` and`MaxAgeDuration`. In Proof of Stake chains where validators are bonded, evidenceage should be less than the unbonding period so validators still can bepunished. Given these two propoerties the following initial checks are made.
1. Has the evidence expired? This is done by taking the height of the `Vote`   within `DuplicateVoteEvidence` or `CommonHeight` within   `LightClientAttakEvidence`. The evidence height is then used to retrieve the   header and thus the time of the block that corresponds to the evidence. If   `CurrentHeight - MaxAgeNumBlocks > EvidenceHeight` && `CurrentTime -   MaxAgeDuration > EvidenceTime`, the evidence is considered expired and   ignored.
2. Has the evidence already been committed? The evidence pool tracks the hash of   all committed evidence and uses this to determine uniqueness. If a new   evidence has the same hash as a committed one, the new evidence will be   ignored.
### DuplicateVoteEvidence

Valid `DuplicateVoteEvidence` must adhere to the following rules:
- Validator Address, Height, Round and Type must be the same for both votes
- BlockID must be different for both votes (BlockID can be for a nil block)
- Validator must have been in the validator set at that height
- Vote signature must be correctly signed. This also uses `ChainID` so we know  that the fault occurred on this chain
### LightClientAttackEvidence

Valid Light Client Attack Evidence must adhere to the following rules:
- If the header of the light block is invalid, thus indicating a lunatic attack,  the node must check that they can use `verifySkipping` from their header at  the common height to the conflicting header
- If the header is valid, then the validator sets are the same and this is  either a form of equivocation or amnesia. We therefore check that 2/3 of the  validator set also signed the conflicting header.
- The nodes own header at the same height as the conflicting header must have a  different hash to the conflicting header.
- If the nodes latest header is less in height to the conflicting header, then  the node must check that the conflicting block has a time that is less than  this latest header (This is a forward lunatic attack).
## Gossiping

If a node verifies evidence it then broadcasts it to all peers, continously sendingthe same evidence once every 10 seconds until the evidence is seen on chain orexpires.
## Commiting on Chain

Evidence takes strict priority over regular transactions, thus a block is filledwith evidence first and transactions take up the remainder of the space. Tomitigate the threat of an already punished node from spamming the network withmore evidence, the size of the evidence in a block can be capped by`EvidenceParams.MaxBytes`. Nodes receiving blocks with evidence will validatethe evidence before sending `Prevote` and `Precommit` votes. The evidence poolwill usually cache verifications so that this process is much quicker.
## Sending Evidence to the Application

After evidence is committed, the block is then processed by the block executorwhich delivers the evidence to the application via `EndBlock`. Evidence isstripped of the actual proof, split up per faulty validator and only thevalidator, height, time and evidence type is sent.
```protoenum EvidenceType {  UNKNOWN             = 0;  DUPLICATE_VOTE      = 1;  LIGHT_CLIENT_ATTACK = 2;}
message Evidence {  EvidenceType type = 1;  // The offending validator  Validator validator = 2 [(gogoproto.nullable) = false];  // The height when the offense occurred  int64 height = 3;  // The corresponding time where the offense occurred  google.protobuf.Timestamp time = 4 [    (gogoproto.nullable) = false, (gogoproto.stdtime) = true];  // Total voting power of the validator set in case the ABCI application does  // not store historical validators.  // https://github.com/tendermint/tendermint/issues/4581  int64 total_voting_power = 5;}```
`DuplicateVoteEvidence` and `LightClientAttackEvidence` are self-contained inthe sense that the evidence can be used to derive the `abci.Evidence` that issent to the application. Because of this, extra fields are necessary:
```gotype DuplicateVoteEvidence struct {  VoteA *Vote  VoteB *Vote
  // abci specific information  TotalVotingPower int64  ValidatorPower   int64  Timestamp        time.Time}
type LightClientAttackEvidence struct {  ConflictingBlock *LightBlock  CommonHeight     int64
  // abci specific information  ByzantineValidators []*Validator  TotalVotingPower    int64         Timestamp           time.Time }```
These ABCI specific fields don't affect validity of the evidence itself but mustbe consistent amongst nodes and agreed upon on chain. If evidence with theincorrect abci information is sent, a node will create new evidence from it andreplace the ABCI fields with the correct information.