[HackerOne-2452182] Store `Proposal` and `SignedProposals` to disk and remove proposal expiration
Motivation
This PR has two changes to address https://github.com/AleoHQ/snarkOS/issues/3171:
- Reverted proposal expiration introduced in https://github.com/AleoHQ/snarkOS/pull/3202.
  - This approach was unsafe because it violated the non-equivocation properties of our BFT protocol.
  - A community member @ghostant-1017 also highlighted this issue in a bug bounty finding [HackerOne-2452182].
- The `ProposalCache` (pending `Proposal` and `SignedProposals`) will be stored to a file on shutdown, loaded on bootup, and cleared with `snarkos clean`.
  - Ensures that honest validators do not create multiple proposals on the same round.
  - Ensures that we do not sign additional validator proposals on the same round after a reboot.
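The two enforcement properties above, as an added Rust illustration that is not snarkOS's own code: the `ProposalCache` shape, the one-record-per-line file format and the author ids are assumptions, but the check is the same one the cache is meant to preserve across a reboot (refuse a second proposal, or a second signature for the same author, on a round already used).

```rust
use std::{collections::HashMap, fs, io::{self, ErrorKind}, path::Path};

/// Constructed stand-in for the persisted proposal cache: the latest round this
/// validator proposed on, plus the latest round on which it signed a proposal
/// from each other validator (keyed by a hypothetical author id).
#[derive(Debug, Default, PartialEq)]
pub struct ProposalCache {
    pub latest_proposal_round: Option<u64>,
    pub signed_rounds: HashMap<String, u64>,
}
impl ProposalCache {
    /// Non-equivocation: never author a second proposal for a round already proposed on.
    pub fn try_propose(&mut self, round: u64) -> Result<(), String> {
        if self.latest_proposal_round.map_or(false, |r| round <= r) {
            return Err(format!("already proposed on round {round}"));
        }
        self.latest_proposal_round = Some(round);
        Ok(())
    }
    /// Never sign a second proposal from the same author for a round already signed.
    pub fn try_sign(&mut self, author: &str, round: u64) -> Result<(), String> {
        if self.signed_rounds.get(author).map_or(false, |&r| round <= r) {
            return Err(format!("already signed {author}'s proposal on round {round}"));
        }
        self.signed_rounds.insert(author.to_string(), round);
        Ok(())
    }
    /// Persist on shutdown, one plain-text record per line (constructed format, not snarkOS's).
    pub fn save(&self, path: &Path) -> io::Result<()> {
        let mut out = String::new();
        if let Some(r) = self.latest_proposal_round { out += &format!("proposal {r}\n"); }
        for (a, r) in &self.signed_rounds { out += &format!("signed {a} {r}\n"); }
        fs::write(path, out)
    }
    /// Reload on bootup; a missing file (e.g. after `snarkos clean`) is an empty cache.
    pub fn load(path: &Path) -> io::Result<Self> {
        let text = fs::read_to_string(path)
            .or_else(|e| if e.kind() == ErrorKind::NotFound { Ok(String::new()) } else { Err(e) })?;
        let mut cache = Self::default();
        for line in text.lines() {
            match line.split(' ').collect::<Vec<_>>().as_slice() {
                ["proposal", r] => cache.latest_proposal_round = Some(r.parse::<u64>().map_err(|_| ErrorKind::InvalidData)?),
                ["signed", a, r] => { cache.signed_rounds.insert(a.to_string(), r.parse::<u64>().map_err(|_| ErrorKind::InvalidData)?); }
                _ => return Err(ErrorKind::InvalidData.into()),
            }
        }
        Ok(cache)
    }
}
```

Saving before shutdown and loading before the first proposal or signature is what makes the checks hold across the restart; an in-memory cache alone forgets both on reboot.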
Implications
- If enough (a majority) of validators reboot their nodes at the same time, there could be a halting case.
  - If we signed proposals past our ledger round, but all nodes have thrown away their `Storage`, then we won't have the signatures required to reconstruct the original proposal state.
  - This will need to be remedied by having all validators delete their `proposal_cache` file and reboot.
- Validators looking to swap machines will need to migrate their `proposal_cache` file between machines to ensure honest behavior.
Test Plan
Extensive local and burn-in testing will need to be performed.
Related PRs
- Reverts: https://github.com/AleoHQ/snarkOS/pull/3202
- An extension of: https://github.com/AleoHQ/snarkOS/pull/3200
TODO
- [ ] Add unit tests for serialization
- [ ] Add unit tests to ensure the enforcement properties with the new stored proposal.
- [ ] Consider adding new log messages to inform validators of the importance of the storage.