You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

53 lines
2.8 KiB

  1. # ADR 051: Double Signing Risk Reduction
  2. ## Changelog
  3. * 27-11-2019: Initial draft
  4. * 13-01-2020: Separate into 2 ADR, This ADR will only cover Double signing Protection and ADR-052 handle Tendermint Mode
  5. * 22-01-2020: change the title from "Double signing Protection" to "Double Signing Risk Reduction"
  6. ## Context
  7. To provide a risk reduction method for double signing incidents mistakenly executed by validators
  8. - Validators often mistakenly run duplicated validators to cause double-signing incident
  9. - This proposed feature is to reduce the risk of mistaken double-signing incident by checking recent N blocks before voting begins
  10. - When we think of such serious impact on double-signing incident, it is very reasonable to have multiple risk reduction algorithm built in node daemon
  11. ## Decision
  12. We would like to suggest a double signing risk reduction method.
  13. - Methodology : query recent consensus results to find out whether node's consensus key is used on consensus recently or not
  14. - When to check
  15. - When the state machine starts `ConsensusReactor` after fully synced
  16. - When the node is validator ( with privValidator )
  17. - When `cs.config.DoubleSignCheckHeight > 0`
  18. - How to check
  19. 1. When a validator is transformed from syncing status to fully synced status, the state machine check recent N blocks (`latest_height - double_sign_check_height`) to find out whether there exists consensus votes using the validator's consensus key
  20. 2. If there exists votes from the validator's consensus key, exit state machine program
  21. - Configuration
  22. - We would like to suggest by introducing `double_sign_check_height` parameter in `config.toml` and cli, how many blocks state machine looks back to check votes
  23. - <span v-pre>`double_sign_check_height = {{ .Consensus.DoubleSignCheckHeight }}`</span> in `config.toml`
  24. - `tendermint node --consensus.double_sign_check_height` in cli
  25. - State machine ignore checking procedure when `double_sign_check_height == 0`
  26. ## Status
  27. Implemented
  28. ## Consequences
  29. ### Positive
  30. - Validators can avoid double signing incident by mistakes. (eg. If another validator node is voting on consensus, starting new validator node with same consensus key will cause panic stop of the state machine because consensus votes with the consensus key are found in recent blocks)
  31. - We expect this method will prevent majority of double signing incident by mistakes.
  32. ### Negative
  33. - When the risk reduction method is on, restarting a validator node will panic because the node itself voted on consensus with the same consensus key. So, validators should stop the state machine, wait for some blocks, and then restart the state machine to avoid panic stop.
  34. ### Neutral
  35. ## References
  36. - Issue [#4059](https://github.com/tendermint/tendermint/issues/4059) : double-signing protection