-
Notifications
You must be signed in to change notification settings - Fork 709
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
BEEFY: slash validators voting on non-finalized forks #1120
Comments
Actually, on the runtime-side I don't think we get any benefit to use generate_proof() and verify_proof() to prove the bad vote. It is enough to show the bad vote mmr_root is different than the on-chain one. Using |
Please correct me if I'm wrong, but I don't think checking misbehaviour at the voting level is sufficient (nor even necessary). What ultimately matters for attacking the bridge is the signatures on the payload (and here equivocating against what's finalised via GRANDPA). My intuition so far is that we should be checking the signatures in the payload updating the smart contract's MMRRoot (https://github.com/Snowfork/snowbridge/blob/main/core/packages/contracts/src/BeefyClient.sol). |
That’s right, the important part here is offering the The BEEFY voter gossip fisherman is just nice-to-have. This issue tracks the machinery we need to have in place on Polkadot side to be able to accept a “invalid-fork-vote” proof of some sort, verify it on-chain and initiate slashing if valid. Separate work (bridge repo) needs to go in the relayers (or maybe even dedicated fishermen) that follow both sides of the bridge and look for |
Co-authored-by: tgmichel <[email protected]>
Description
BEEFY voters should only vote on GRANDPA finalized blocks - vote only on canonic chain/fork.
Votes on blocks from different forks should (automatically) lead to stake slashing (more aggressive slashing than GRANDPA equivocations, since this scenario is intentionally dishonest).
We should add client/voter detection of such misbehavior as well as runtime logic for reporting proofs of misbehavior and subsequent slashing consequences.
Proposed solution
Runtime side
pallet::call
topallet_beefy
similar to report_equivocation that takesInvalidPayloadProof
pallet_beefy_mmr
topallet_beefy::EquivocationReportSystem
to be able to verifyInvalidPayloadProof
:offending_vote.mmr_root
!= on-chainmmr_root
(combined with above, it proves what we need)Client-side
cc @Lederstrumpf, @andresilva
The text was updated successfully, but these errors were encountered: