go-spacemesh icon indicating copy to clipboard operation
go-spacemesh copied to clipboard

Published 20 hours ago verified publisher icon spacemeshos

Propagation of messages for the wrong round of Hare

Open barakshani opened this issue 5 years ago • 3 comments

We should consider not propagating hare messages with layer/round which are not correct (not current or early)

barakshani avatar Jan 01 '20 15:01 barakshani

Contextually invalid messages, on the level of layers, are not propagated.

https://github.com/spacemeshos/go-spacemesh/blob/a09b57a6d7be625b78233fed8128dc2f02e21ef5/hare/broker.go#L146-L165 https://github.com/spacemeshos/go-spacemesh/blob/a09b57a6d7be625b78233fed8128dc2f02e21ef5/hare/broker.go#L246-L258

Intra-layer contextual validity (i.e. level of rounds), however, is not addressed by the p2p message handler. https://github.com/spacemeshos/go-spacemesh/blob/a09b57a6d7be625b78233fed8128dc2f02e21ef5/hare/algorithm.go#L410-L429

https://github.com/spacemeshos/go-spacemesh/blob/a09b57a6d7be625b78233fed8128dc2f02e21ef5/hare/messagevalidation.go#L130

jonZlotnik avatar Aug 29 '22 19:08 jonZlotnik

My train of thought here needs to be double checked, but here it is:

Eligibility within the context of the message is validated by the broker and returns ValidationIgnore to p2plib if the message is internally invalid. The local round is not checked against the round for which the message proves eligibility, only the local layer is checked.

You can exploit this if you’re eligible for round x in Layer n such that n==currentLayer and x < currentRound. In other words, once your round in hare passes, you can spam the network with messages from the same round and cause Hare to grind to a halt until MaxItterations has passed. How often you can exploit this per epoch depends on the size of the network and number of nodes under your control.

jonZlotnik avatar Sep 21 '22 20:09 jonZlotnik

The exploit previously described can be solved in two ways. If possible, both solutions should be implemented as they help in different ways.

The first solution is definitely possible to implement. And is related to the solution for issue #1467

  • rework or wrap the ticker/clock logic for the hare rounds and allow querying of "current round" from the broker.
  • check if the round has passed when contextually validating a message at the broker level
  • drop messages with at least pubsub.ValidationIgnore if the round has passed (with an extra margin of error = network prop delay).

The second solution depends on the answer to the question in https://github.com/spacemeshos/pm/issues/178 and the implementation should take https://github.com/spacemeshos/go-spacemesh/issues/1038 into account so as to ensure the correct message (e.g. the first one, last one, best one?) is the one processed by the consensus process.

  • drop messages for nodes that we've received a message from.

jonZlotnik avatar Sep 21 '22 20:09 jonZlotnik