MUST use GENESIS_FORK_VERSION to sign BLSToExecutionChange message
#3206
Conversation
|
The spec change looks good, and understand the thinking behind it. The p2p handling of these messages is tricky, though. I believe that @potuz talked about this during the call earlier today, but the handling of these messages prior to the capella hard fork activating is trickier. As it stands, there are the following two wrinkles in the system:
The end result of these two points is that there appears to be no way for publish credentials change operations early with the hope that they will be ahead of potential hackers who may have access to their keys. Would it be unreasonable to drop the IGNORE condition and expect beacon nodes to queue the operations when they see them prior to the hard fork? I recognize that this opens additional questions such as should the nodes store the operations on-disk so that they aren't lost on restart, but even if the queue is purely in-memory that would still give a better flow for the operations both before and during the hard fork. |
|
I agree that the handling of the first broadcasting is a bit tricky. I think there is no good solution to the problem. However, my thinking is slightly orthogonal to Jim's so I'll leave it here briefly noted:
The reason for this thinking is that hackers and users would be on the same level, fighting for inclusions. Users that have access to exchanges with KYC or similar can try to get large pools/operators or existing projects to have their keys in their pools before hand. Those nodes will not rebroadcast any different change for the same keys, and being very large operators, they will be very well connected so in case of a race to broadcast to a lone validator, they have a better chance than a small hacker with a couple of beacons. Hackers do not gain anything by flooding the network with early messages. It's safe to assume that sophisticated hackers will be trying to get their messages as early as possible. If we start accepting messages at subscription we will see plenty of these multiple times since clients can subscribe at different points. In short, although I don't like any option, I think stock clients should agree to something like 1--3 above and let the hackers/users race for the off-chance that their stolen keys will be picked by a random small staker. |
I think that a hacker (especially if unknown to the victim) is likely to act faster than the unsuspecting victim. So I tend to agree with Potuz that it's best to have them on the same playing field and at the fork boundary as everyone will have a chance to touch their software by that boundary and not some arbitrary amount prior to the fork. |
| @@ -61,6 +61,8 @@ This topic is used to propagate signed bls to execution change messages to be in | |||
|
|
|||
| The following validations MUST pass before forwarding the `signed_bls_to_execution_change` on the network: | |||
|
|
|||
| - _[IGNORE]_ `current_epoch >= CAPELLA_FORK_EPOCH`, | |||
There was a problem hiding this comment.
should we have the wall-clock skew variability here (MAXIMUM_GOSSIP_CLOCK_DISPARITY) as we do on some gossip conditions (e.g. beacon block)?
I guess that gives the hackers something to try to game more. but some of the initial broadcasts, otherwise, will be IGNORE'd by accident due to subtle clock skew
tests/core/pyspec/eth2spec/test/helpers/bls_to_execution_changes.py
Outdated
Show resolved
Hide resolved
As ethereum/pm#702 discussion, making
BLSToExecutionChangefork-agnostic could make it easier to handle the message generation and validation.Changes:
GENESIS_FORK_VERSIONto signBLSToExecutionChangemessage.state.genesis_validators_rootis still part of the source of theBLSToExecutionChangedomain. (Depositdomain does NOT usestate.genesis_validators_rootas part of the source) .signed_bls_to_execution_changemessage beforeCAPELLA_FORK_EPOCHConsiderations/discussions:
BLSToExecutionChangefast.