-
Notifications
You must be signed in to change notification settings - Fork 248
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Data structure discrepancy on deferred attestation #7805
Comments
I'm not sure how to progress this one, Is the assertion here that we're making an incorrect decision? Any future / deferred attestations should be not processed and how they're queue'd shouldn't matter? |
Before starting, I'm not saying that Teku is wrong. Teku is doing well under the consensus specification. For example, in the above scenario, validator X is making double-voting (yes, this is slashable) attestation and releasing it before the proper slot. Therefore, both double-voting attestations are considered attestations from the future. However, map -based implementations (like Teku or Prysm) will make different decisions (because, as you know, the map is based on key-value unlike the queue, which doesn't guarantee the order). Therefore, it is not 100% deterministic whether the processing order will be [att_0, att_1] or [att_1, att_0] unlike queue-based implementations. This is a minor and non-urgent discrepancy. Because, as you know, in the real world this may not be a big problem due to there being more than 900K validators and a lot of slashers are watching it. Also, the order of arrival of the attestations will be unpredictable (except when packet orders are manipulated by a larger-scale network attacker). |
@hcnam This is an interesting idea! I think your issue probably belongs on the My intuition is that it's kind of OK not to specify the queueing order because attestation arrival is unpredictable anyway. The P2P gossip conditions don't mandate propagation of early attestations, so an attacker could quite easily queue their different attestations on different nodes even without the different queue structures (e.g. gossip just There are some proposals floating around for making fork choice more resilient to these type of split views, e.g. https://ethresear.ch/t/view-merge-as-a-replacement-for-proposer-boost/13739. You might like to get involved and contribute to that effort? IMO it would be great to prove some resilience properties about the combination of the P2P conditions & the fork choice spec. |
To add some nuance to the above, there are a few complicating factors to the gossip-based view split:
|
If we're moving this to consensus-specs shall I close this issue here? Not much we can really do to progress this directly... |
I've moved this issue to consensus-specs/issues/3498 |
Description
We’ve checked several implementations, but they adopt different data structures for deferring future attestations: Lighthouse and Nimbus are using queue, and Prysm and Teku using map to save early received attestations (Prysm uses non-deterministic map, but Teku uses deterministic map structure).
Due to the above discrepancy, if a slashable pair of attestation (like double voting two different block that shares the same parent block) enter
onAttestation
, Prysm makes a non-deterministic fork choice result. See scenario below.Steps to Reproduce
Scenario
Assumption: No attestation except Attestation X and Y, or B and C has same vote. attester_slashing was not received yet.
Steps:
Expect: head is B due to other use queue for deferred attestation (later ignored)
Result: Teku deterministically makes the same decisions while Prysm nondeterministically makes different decisions (Note that the results from Teku and Prysm may be different from Lighthouse and Nimbus).
References:
Lighthouse: queued_attestations
Teku: deferredAttestations, futureAttestations
Prysm: processAttestations, AttCaches
Nimbus: queuedAttestations
The text was updated successfully, but these errors were encountered: