You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

218 lines
8.3 KiB

  1. # ADR 047: Handling evidence from light client
  2. ## Changelog
  3. * 18-02-2020: Initial draft
  4. * 24-02-2020: Second version
  5. * 13-04-2020: Add PotentialAmnesiaEvidence and a few remarks
  6. ## Context
  7. If the light client is under attack, either directly -> lunatic/phantom
  8. validators (light fork) or indirectly -> full fork, it's supposed to halt and
  9. send evidence of misbehavior to a correct full node. Upon receiving an
  10. evidence, the full node should punish malicious validators (if possible).
  11. ## Decision
  12. When a light client sees two conflicting headers (`H1.Hash() != H2.Hash()`,
  13. `H1.Height == H2.Height`), both having 1/3+ of the voting power of the
  14. currently trusted validator set, it will submit a `ConflictingHeadersEvidence`
  15. to all full nodes it's connected to. Evidence needs to be submitted to all full
  16. nodes since there's no way to determine which full node is correct (honest).
  17. ```go
  18. type ConflictingHeadersEvidence struct {
  19. H1 types.SignedHeader
  20. H2 types.SignedHeader
  21. }
  22. ```
  23. _Remark_: Theoretically, only the header, which differs from what a full node
  24. has, needs to be sent. But sending two headers a) makes evidence easily
  25. verifiable b) simplifies the light client, which does not have query each
  26. witness as to which header it possesses.
  27. When a full node receives the `ConflictingHeadersEvidence` evidence, it should
  28. a) validate it b) figure out if malicious behaviour is obvious (immediately
  29. slashable) or the fork accountability protocol needs to be started.
  30. ### Validating headers
  31. Check both headers are valid (`ValidateBasic`), have the same height, and
  32. signed by 1/3+ of the validator set that the full node had at height
  33. `H1.Height`.
  34. - Q: What if light client validator set is not equal to full node's validator
  35. set (i.e. from full node's point of view both headers are not properly signed;
  36. this includes the case where none of the two headers were committed on the
  37. main chain)
  38. Reject the evidence. It means light client is following a fork, but, hey, at
  39. least it will halt.
  40. - Q: Don't we want to punish validators who signed something else even if they
  41. have less or equal than 1/3?
  42. No consensus so far. Ethan said no, Zarko said yes.
  43. https://github.com/tendermint/spec/pull/71#discussion_r374210533
  44. ### Figuring out if malicious behaviour is immediately slashable
  45. Let's say H1 was committed from this full node's perspective (see Appendix A).
  46. _If neither of the headers (H1 and H2) were committed from the full node's
  47. perspective, the evidence must be rejected._
  48. Intersect validator sets of H1 and H2.
  49. * if there are signers(H2) that are not part of validators(H1), they misbehaved as
  50. they are signing protocol messages in heights they are not validators =>
  51. immediately slashable (#F4).
  52. * if `H1.Round == H2.Round`, and some signers signed different precommit
  53. messages in both commits, then it is an equivocation misbehavior => immediately
  54. slashable (#F1).
  55. * if `H1.Round != H2.Round` we need to run full detection procedure => not
  56. immediately slashable.
  57. * if `ValidatorsHash`, `NextValidatorsHash`, `ConsensusHash`,
  58. `AppHash`, and `LastResultsHash` in H2 are different (incorrect application
  59. state transition), then it is a lunatic misbehavior => immediately slashable (#F5).
  60. If evidence is not immediately slashable, fork accountability needs to invoked
  61. (ADR does not yet exist).
  62. It's unclear if we should further break up `ConflictingHeadersEvidence` or
  63. gossip and commit it directly. See
  64. https://github.com/tendermint/tendermint/issues/4182#issuecomment-590339233
  65. If we'd go without breaking evidence, all we'll need to do is to strip the
  66. committed header from `ConflictingHeadersEvidence` (H1) and leave only the
  67. uncommitted header (H2):
  68. ```go
  69. type ConflictingHeaderEvidence struct {
  70. H types.SignedHeader
  71. }
  72. ```
  73. If we'd go with breaking evidence, here are the types we'll need:
  74. ### F1. Equivocation
  75. Existing `DuplicateVoteEvidence` needs to be created and gossiped.
  76. ### F4. Phantom validators
  77. A new type of evidence needs to be created:
  78. ```go
  79. type PhantomValidatorEvidence struct {
  80. Header types.Header
  81. Vote types.Vote
  82. LastHeightValidatorWasInSet int64
  83. }
  84. ```
  85. It contains a validator's public key and a vote for a block, where this
  86. validator is not part of the validator set. `LastHeightValidatorWasInSet`
  87. indicates the last height validator was in the validator set.
  88. ### F5. Lunatic validator
  89. ```go
  90. type LunaticValidatorEvidence struct {
  91. Header types.Header
  92. Vote types.Vote
  93. InvalidHeaderField string
  94. }
  95. ```
  96. To punish this attack, we need support for a new Evidence type -
  97. `LunaticValidatorEvidence`. This type includes a vote and a header. The header
  98. must contain fields that are invalid with respect to the previous block, and a
  99. vote for that header by a validator that was in a validator set within the
  100. unbonding period. While the attack is only possible if +1/3 of some validator
  101. set colludes, the evidence should be verifiable independently for each
  102. individual validator. This means the total evidence can be split into one piece
  103. of evidence per attacking validator and gossipped to nodes to be verified one
  104. piece at a time, reducing the DoS attack surface at the peer layer.
  105. Note it is not sufficient to simply compare this header with that committed for
  106. the corresponding height, as an honest node may vote for a header that is not
  107. ultimately committed. Certain fields may also be variable, for instance the
  108. `LastCommitHash` and the `Time` may depend on which votes the proposer includes.
  109. Thus, the header must be explicitly checked for invalid data.
  110. For the attack to succeed, VC must sign a header that changes the validator set
  111. to consist of something they control. Without doing this, they can not
  112. otherwise attack the light client, since the client verifies commits according
  113. to validator sets. Thus, it should be sufficient to check only that
  114. `ValidatorsHash` and `NextValidatorsHash` are correct with respect to the
  115. header that was committed at the corresponding height.
  116. That said, if the attack is conducted by +2/3 of the validator set, they don't
  117. need to make an invalid change to the validator set, since they already control
  118. it. Instead they would make invalid changes to the `AppHash`, or possibly other
  119. fields. In order to punish them, then, we would have to check all header
  120. fields.
  121. Note some header fields require the block itself to verify, which the light
  122. client, by definition, does not possess, so it may not be possible to check
  123. these fields. For now, then, `LunaticValidatorEvidence` must be checked against
  124. all header fields which are a function of the application at previous blocks.
  125. This includes `ValidatorsHash`, `NextValidatorsHash`, `ConsensusHash`,
  126. `AppHash`, and `LastResultsHash`. These should all match what's in the header
  127. for the block that was actually committed at the corresponding height, and
  128. should thus be easy to check.
  129. `InvalidHeaderField` contains the invalid field name. Note it's very likely
  130. that multiple fields diverge, but it's faster to check just one. This field
  131. MUST NOT be used to determine equality of `LunaticValidatorEvidence`.
  132. ### F2. Amnesia
  133. ```go
  134. type PotentialAmnesiaEvidence struct {
  135. VoteA types.Vote
  136. VoteB types.Vote
  137. }
  138. ```
  139. To punish this attack, votes under question needs to be sent. Fork
  140. accountability process should then use this evidence to request additional
  141. information from offended validators and construct a new type of evidence to
  142. punish those who conducted an amnesia attack.
  143. See ADR-056 for the architecture of the fork accountability procedure.
  144. ## Status
  145. Proposed.
  146. ## Consequences
  147. ### Positive
  148. * Tendermint will be able to detect & punish new types of misbehavior
  149. * light clients connected to multiple full nodes can help full nodes notice a
  150. fork faster
  151. ### Negative
  152. * Accepting `ConflictingHeadersEvidence` from light clients opens up a DDOS
  153. attack vector (same is fair for any RPC endpoint open to public; remember that
  154. RPC is not open by default).
  155. ### Neutral
  156. ## References
  157. * [Fork accountability spec](https://github.com/tendermint/spec/blob/master/spec/consensus/light-client/accountability.md)
  158. ## Appendix A
  159. If there is an actual fork (full fork), a full node may follow either one or
  160. another branch. So both H1 or H2 can be considered committed depending on which
  161. branch the full node is following. It's supposed to halt if it notices an
  162. actual fork, but there's a small chance it doesn't.