Context
Summit blocks combine consensus-layer header metadata with an embedded execution-layer payload that is later validated through the Engine API. Honest proposal construction normally keeps these two metadata sources aligned: the Summit header height and timestamp describe the same block as the embedded execution payload's block number and timestamp.
That binding must be enforced by validators when they verify received proposals. Proposer-side construction conventions are not a security boundary, especially as proposer participation becomes less permissioned, because a Byzantine eligible proposer can construct block objects that honest code would not produce.
Claim
A Byzantine proposer can submit a Summit block whose consensus header passes Summit's parent, height, timestamp, state-root, checkpoint, validator-delta, and withdrawal checks while the embedded execution payload carries a different block number or timestamp. Summit does not require payload.block_number == header.height or payload.timestamp == header.timestamp before the block can be accepted by the application verifier.
Impact
Summit can certify and finalize headers and checkpoints whose consensus metadata describes one height or time while the embedded execution payload executes under different EL metadata. This breaks the expected one-to-one meaning of a Summit block across CL and EL consumers.
The mismatch can bypass Summit's CL timestamp policy, confuse proof or checkpoint consumers that trust the Summit header, and create CL/EL consistency failures for descendants and recovery flows. If the mismatched payload is EL-valid, nodes can execute under EL metadata that disagrees with the finalized Summit header; if it is EL-invalid, the existing finalizer path can still advance CL height and head after logging the invalid payload.
Root Cause
Summit binds the payload bytes to the header through payload_hash, but it does not enforce semantic consistency between duplicated CL and EL metadata fields. Engine API validation cannot enforce this relationship because Reth validates the EL payload against EL rules and does not know Summit's header.height or header.timestamp.
Code
- Summit blocks carry a Summit Header and an independent ExecutionPayloadV3: https://github.com/SeismicSystems/summit/blob/ed2c5c8/types/src/block.rs#L15
- Block::compute_digest hashes the EL payload into payload_hash while separately passing CL height and timestamp into the header: https://github.com/SeismicSystems/summit/blob/ed2c5c8/types/src/block.rs#L51, https://github.com/SeismicSystems/summit/blob/ed2c5c8/types/src/block.rs#L71
- Block decoding checks that the payload hash matches the header payload hash, but does not compare EL payload number/timestamp against CL header height/timestamp: https://github.com/SeismicSystems/summit/blob/ed2c5c8/types/src/block.rs#L94
- Honest proposal construction passes a local timestamp into Reth and then builds the Summit header, but this is proposer-side convention rather than verifier enforcement: https://github.com/SeismicSystems/summit/blob/ed2c5c8/application/src/actor.rs#L515, https://github.com/SeismicSystems/summit/blob/ed2c5c8/application/src/actor.rs#L551
- Remote verification checks Summit parent, height, timestamp, and wall-clock bounds without an Engine API call in handle_verify: https://github.com/SeismicSystems/summit/blob/ed2c5c8/application/src/actor.rs#L598, https://github.com/SeismicSystems/summit/blob/ed2c5c8/application/src/actor.rs#L613, https://github.com/SeismicSystems/summit/blob/ed2c5c8/application/src/actor.rs#L622, https://github.com/SeismicSystems/summit/blob/ed2c5c8/application/src/actor.rs#L638
- Verification continues through state root, checkpoint, validator deltas, and withdrawals without binding EL payload metadata to the Summit header: https://github.com/SeismicSystems/summit/blob/ed2c5c8/application/src/actor.rs#L648, https://github.com/SeismicSystems/summit/blob/ed2c5c8/application/src/actor.rs#L670, https://github.com/SeismicSystems/summit/blob/ed2c5c8/application/src/actor.rs#L690, https://github.com/SeismicSystems/summit/blob/ed2c5c8/application/src/actor.rs#L702
- EL payload validation happens later in finalizer execution; if invalid, the finalizer logs the failure but still advances Summit latest height, view, and head digest: https://github.com/SeismicSystems/summit/blob/ed2c5c8/types/src/engine_client.rs#L49, https://github.com/SeismicSystems/summit/blob/ed2c5c8/finalizer/src/actor.rs#L1331, https://github.com/SeismicSystems/summit/blob/ed2c5c8/finalizer/src/actor.rs#L1398, https://github.com/SeismicSystems/summit/blob/ed2c5c8/finalizer/src/actor.rs#L1414
- Finalizer advances CL state from the Summit header while proof metadata is taken from EL payload block metadata: https://github.com/SeismicSystems/summit/blob/ed2c5c8/finalizer/src/actor.rs#L1414, https://github.com/SeismicSystems/summit/blob/ed2c5c8/finalizer/src/actor.rs#L1459
Fix
Enforce the CL/EL metadata binding during application verification before validators vote or notarize a proposal. Reject any block where block.payload.block_number != block.header.height or block.payload.timestamp != block.header.timestamp, and keep this check alongside any pre-vote Engine API validation. Add regression tests showing that verifier acceptance fails for otherwise valid blocks with mismatched Summit header height/timestamp and EL payload block number/timestamp.
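A sketch of the check and its regression cases, added here as an illustration and not taken from the Summit code base. The `Payload`, `Header` and `Block` structs, the `VerifyError` enum, the function names and the `DefaultHasher` digest are simplified stand-ins assumed for the example; only the compared fields come from this report.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

// Simplified stand-ins for Summit's Header and ExecutionPayloadV3 (assumed shapes).
#[derive(Clone, Hash)]
pub struct Payload { pub block_number: u64, pub timestamp: u64, pub body: Vec<u8> }
#[derive(Clone)]
pub struct Header { pub height: u64, pub timestamp: u64, pub payload_hash: u64 }
#[derive(Clone)]
pub struct Block { pub header: Header, pub payload: Payload }

#[derive(Debug, PartialEq, Eq)]
pub enum VerifyError { PayloadHash, HeightMismatch, TimestampMismatch }

// Stand-in digest (DefaultHasher), not Summit's real payload hash.
pub fn payload_hash(p: &Payload) -> u64 {
    let mut h = DefaultHasher::new();
    p.hash(&mut h);
    h.finish()
}

// Models the behaviour the report describes: payload bytes are bound, metadata is not.
pub fn verify_hash_only(b: &Block) -> Result<(), VerifyError> {
    if payload_hash(&b.payload) != b.header.payload_hash { return Err(VerifyError::PayloadHash); }
    Ok(())
}

// Adds the binding from the Fix section on top of the hash check.
pub fn verify_with_binding(b: &Block) -> Result<(), VerifyError> {
    verify_hash_only(b)?;
    if b.payload.block_number != b.header.height { return Err(VerifyError::HeightMismatch); }
    if b.payload.timestamp != b.header.timestamp { return Err(VerifyError::TimestampMismatch); }
    Ok(())
}

// Constructed sample: header fields and payload fields are set independently,
// so the hash commitment is valid even when the duplicated metadata disagrees.
pub fn build(height: u64, ts: u64, el_number: u64, el_ts: u64) -> Block {
    let payload = Payload { block_number: el_number, timestamp: el_ts, body: vec![0xAB; 4] };
    let header = Header { height, timestamp: ts, payload_hash: payload_hash(&payload) };
    Block { header, payload }
}

fn main() {
    let skewed = build(10, 1_700_000_000, 11, 1_700_000_000);
    println!("hash-only: {:?}", verify_hash_only(&skewed));
    println!("with binding: {:?}", verify_with_binding(&skewed));
}
```

The hash-only path accepts the skewed block because the commitment covers whatever metadata the payload carries; only the explicit field comparison rejects it.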