If the last header hash matches the nodes last `BlockID` then it can also discard it on the assumption that a fork can not remerge and hence this is just a trace of valid headers.
### Figuring out if malicious behaviour is immediately slashable
The node then continues to loop in descending order checking that the headers hash doesn't match it's own blockID for that height. Once it reaches the height that the block ID matches the hash it then sends the common header, the trusted header and the diverged header (common header is needed for lunatic evidence) to determine if the divergence is a real offense to the tendermint protocol or if it is just fabricated.
Let's say H1 was committed from this full node's perspective (see Appendix A).
_If neither of the headers (H1 and H2) were committed from the full node's
perspective, the evidence must be rejected._
### Figuring out if malicious behaviour
Intersect validator sets of H1 and H2.
The node first examines the case of a lunatic attack:
* if there are signers(H2) that are not part of validators(H1), they misbehaved as
they are signing protocol messages in heights they are not validators =>
immediately slashable (#F4).
* The validator set of the common header must have at least 1/3 validator power that signed in the divergedHeaders commit
* if `H1.Round == H2.Round`, and some signers signed different precommit
messages in both commits, then it is an equivocation misbehavior => immediately
slashable (#F1).
* One of the deterministically derived hashes (`ValidatorsHash`, `NextValidatorsHash`, `ConsensusHash`,
`AppHash`, or `LastResultsHash`) of the header must not match:
* if `H1.Round != H2.Round` we need to run full detection procedure => not
immediately slashable.
* We then take every validator that voted for the invalid header and was a validator in the common headers validator set and create `LunaticValidatorEvidence`
* if `ValidatorsHash`, `NextValidatorsHash`, `ConsensusHash`,
`AppHash`, and `LastResultsHash` in H2 are different (incorrect application
state transition), then it is a lunatic misbehavior => immediately slashable (#F5).
If this fails then we examine the case of Equivocation (either duplicate vote or amnesia):
If evidence is not immediately slashable, fork accountability needs to invoked
(ADR does not yet exist).
*This only requires the trustedHeader and the divergedHeader*
It's unclear if we should further break up `ConflictingHeadersEvidence` or
* if `trustedHeader.Round == divergedHeader.Round`, and a validator signed for the block in both headers then DuplicateVoteEvidence can be immediately formed
If we'd go without breaking evidence, all we'll need to do is to strip the
committed header from `ConflictingHeadersEvidence` (H1) and leave only the
uncommitted header (H2):
* if `trustedHeader.Round != divergedHeader.Round` then we form PotentialAmnesiaEvidence as some validators in this set have behaved maliciously and protocol in ADR 56 needs to be run.
```go
type ConflictingHeaderEvidence struct {
H types.SignedHeader
}
```
*The node does not check that there is a 1/3 overlap between headers as this may not be point of the fork and validator sets may have since changed*
If we'd go with breaking evidence, here are the types we'll need:
If no evidence can be formed from a light trace, it is not a legitimate trace and thus the
connection with the peer should be stopped
### F1. Equivocation
### F1. Equivocation
@ -172,7 +172,7 @@ punish those who conducted an amnesia attack.
See ADR-056 for the architecture of the handling amnesia attacks.
See ADR-056 for the architecture of the handling amnesia attacks.
NOTE: Conflicting headers evidence used to also create PhantomValidatorEvidence
NOTE: Conflicting headers trace used to also create PhantomValidatorEvidence
but this has since been removed. Refer to Appendix B.
but this has since been removed. Refer to Appendix B.
## Status
## Status
@ -183,14 +183,15 @@ Proposed.
### Positive
### Positive
* Light client has increased secuirty against Lunatic attacks.
* Tendermint will be able to detect & punish new types of misbehavior
* Tendermint will be able to detect & punish new types of misbehavior
* light clients connected to multiple full nodes can help full nodes notice a
* light clients connected to multiple full nodes can help full nodes notice a
fork faster
fork faster
### Negative
### Negative
* Accepting `ConflictingHeadersEvidence` from light clients opens up a DDOS
attack vector(same is fair for any RPC endpoint open to public; remember that
* Accepting `ConflictingHeadersEvidence` from light clients opens up a large DDOS
attack vector(same is fair for any RPC endpoint open to public; remember that