-
Notifications
You must be signed in to change notification settings - Fork 241
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[High] Missing check to prevent multiple bundle submissions in one single consensus block #2442
Comments
We definitely expect to have multiple bundles per consensus block for the same domain, this is not a bug. Also consensus moves forward even if it has invalid bundles in it. Operators will be punished, but the data will stay in consensus history forever. Can you elaborate what is the issue here exactly? |
If having multiple bundles/calls to
The security of the domain consensus system heavily depends on the ability of honest domain operators to submit a fraud proof before reaching |
I'm not sure if we already have an issue for that, but it is definitely the case to make this transition, it just didn't happen yet implementation-wise. |
I believe #2289 is the relevant issue. |
I still believe this issue is a misunderstanding.
Every |
Right, if the consensus block doesn't contain bundle there will be no domain block produced, if there are bundles, no matter one or more, only one domain block will be produced. One domain block corresponds to one ER so there is only one valid ER available for the operator to submit with the bundle, even if there are multiple bundles in the next consensus block they all have the same ER. One edge case is after fraud proof is submitted, some bad ERs will be pruned/reverted, so there will be multiple valid ERs available to submit. For the honest farmer, it will only accept the bundle with the same ER that extends the current head ER in its tx pool, so the consensus block produced by the honest farmer contains bundle with the same ER. But because we don't have explicit checks during block execution to ensure all bundles have the same ER, it is possible for the malicious farmer to construct a block containing multiple bundles and each contains an ER that extends another ER in the block, essentially submitting multiple different ERs and forward the challenge period more than 1. In fact, we were plan to utilize this to handle #1673. |
Maybe I'm missing something but in the code I don't see any strong protection against submitting multiple execution receipts with consecutive Should be possible to use the |
@jakoblell This issue of operators being able to submit multiple consecutive bundles within the same consensus block does not exist. To expand more on the flow of bundle submission, Once the bundle is submitted to the tx-pool of the consensus chain, since its an unsigned call, tx-pool does validate unsigned extrinsic here Assuming the latest So for a given consensus block, there wont be any bundles with ER that consecutively extend the domain block more than 1. Please confirm if I missed anything |
any thoughts on the above @jakoblell ? |
This may be correct for the tx-pool validation but this doesn't matter if the attacker is producing the consensus chain block (which is a totally permissionless operation and just requires a valid proof of archival storage submission). In that case, the attacker can skip the tx pool validation and all other nodes will only run the validation via Therefore I strongly recommend adding an extra on-chain check to ensure that |
Thank you for explanation I have sent a PR to patch this here - #2790 |
Confirmed fixed in #2790, closing issue. |
Issue description
As of now there is no check to prevent submission of multiple bundles for a domain in one single consensus block.
In the (unlikely but not totally impossible) case an attacker has a large number of winning
proof_of_election
solutions within a short period of time, this may allow directly reachingConfirmationDepth
within a short sequence of consensus blocks. If all the consensus chain blocks required for reachingConfirmationDepth
are generated by the attacker (possible if the attacker is also operating a large farmer), honest operators will not be able to submit a fraud proof before the invalid domain execution receipt is considered final.Risk
Attackers may be able to mint SSC tokens via invalid domain execution receipts.
Mitigation suggestion
Ensure that only one single
submit_bundle
call for a domain can be dispatched per consensus block. This will ensure that honest operators have at least 18 blocks to submit a fraud proof.The text was updated successfully, but these errors were encountered: