Fix amnesia faults vulnerability #308

[ranchalp]

Problem Description

This implementation addresses a critical safety vulnerability (#308 ) in Horcrux that can lead to chain forks in Tendermint-based networks. The vulnerability, known as the "amnesia fault," occurs when Horcrux nodes in a distributed validator setup lose track of their consensus locks due to network partitions, allowing them to sign conflicting blocks.

The Amnesia Fault Scenario

1. Network Partition: The network splits into groups A, B, and C
2. Partial Lock: Group A sees enough prevotes to lock on Block V at Round R
3. Missing Lock: Group B doesn't see the prevotes and remains unlocked
4. Network Recovery: When the network recovers, Group B can sign a conflicting Block W
5. Chain Fork: This leads to a chain fork as different parts of the network have committed different blocks

Root Cause

The root cause is that Horcrux is stateless with respect to Tendermint consensus locks. The remote signer only tracks what it has signed (high watermark) but doesn't maintain the consensus-critical state of what the validator is locked on. This allows the validator to "forget" its lock and sign conflicting blocks.

Solution Overview

This implementation adds consensus lock tracking to Horcrux, making the remote signer consensus-aware. The solution ensures that:

1. Lock Tracking: The system tracks what block/value the validator is locked on
2. Lock Validation: Before signing any block, the system checks if it would violate an existing lock
3. Lock Updates: Locks are updated when PRECOMMIT messages are signed according to Tendermint rules
4. Lock Persistence: Locks persist for all future rounds within the same height

Tendermint Locking Rules Implementation

The implementation follows the correct Tendermint consensus locking rules:

If a PRECOMMIT for value V is signed in round R for tendermint's consensus instance Id then:

1. Rule 1.1 [lock on V]: For PROPOSAL and PREVOTE messages, allow only signing for V in rounds R' ≥ R
2. Rule 1.2 [lock on V']: If a PRECOMMIT message for V' is requested and signed in round R' > R such that V' ≠ V, then lock on V' instead for all rounds R'' > R'

Key Points:

• Locks persist for ALL future rounds within the same height
• Locks are only cleared when moving to a different height
• PRECOMMIT messages in later rounds can release and set new locks
• PROPOSAL and PREVOTE messages in later rounds must respect the existing lock

Implementation Details

Data Structures

ConsensusLock

type ConsensusLock struct {
    Height    int64  `json:"height"`
    Round     int64  `json:"round"`
    Value     []byte `json:"value,omitempty"`     // The locked block hash/value
    ValueType string `json:"value_type"`         // "block" or "nil"
}

Updated SignState

The SignState structure now includes a ConsensusLock field to track the current consensus lock state.

Key Functions

ValidateConsensusLock

func (signState *SignState) ValidateConsensusLock(hrs HRSKey, signBytes []byte) error

• Checks if signing the given block would violate an existing consensus lock
• Returns an error if the lock would be violated
• Allows signing if no lock exists or if the lock is not applicable

Lock Update Logic

The consensus lock is updated in three scenarios:

1. First lock for height: When no lock exists, set the lock based on PRECOMMIT
2. Lock release/update: When PRECOMMIT for different value V' is signed in higher round R' > R
3. Lock preservation: When PRECOMMIT for same value V is signed in higher round (no change needed)

Integration Points

ThresholdValidator.Sign()

• Added consensus lock validation before proceeding with signing
• Updates consensus lock when PRECOMMIT is signed
• Preserves existing lock state in sign state consensus

LocalCosigner.sign()

• Added consensus lock validation before local signing
• Updates consensus lock when PRECOMMIT is signed locally

SignState.blockDoubleSign()

• Added consensus lock validation as the first check
• Ensures lock violations are caught early in the signing process

[pompon0]

omitzero? omitempty does not apply to custom types: https://pkg.go.dev/encoding/json

[ranchalp]

It will show up as an empty struct {} when not locked now.

[pompon0]

exactly, with omitzero it won't show up at all.

[pompon0]

it should be possible to lock at height 0 and round 0, no?

[ranchalp]

yes, thanks fixed.

[pompon0]

how about having just Value? nil for nil locked, non-nil for block locked.

[ranchalp]

fair, done. Thanks

[ranchalp]

Fair, done thanks

[pompon0]

nit: you can quickly define a custom error types as type ErrName { error } and then construct it using ErrName{fmt.Errorf(...)}. And the most proper way of defining structured errors is type ErrName { <custom fields> } and postponing the fmt.Sprintf to func (e *ErrName) Error() { return fmt.Sprintf() }, so that message rendering can be skipped altogether if not needed.

[ranchalp]

Done thanks.

[pompon0]

nit: the canonical way to casting errors is by using errors.As().

[ranchalp]

Done thanks

[pompon0]

that needs to be fixed before merging, no?

[pompon0]

and we need an e2e test that it actually works

[ranchalp]

Done thanks.

[ranchalp]

Thanks @pompon0 I addressed your comments

[pompon0]

it is misleading that you are setting ConsensusLock to the old value and then immediately overwriting it. inline the updateConsensusLock call instead.

[pompon0]

the "update" prefix is implying that updateConsensusLock is mutating its argument(s). Consider something like "nextConsensusLock" or some other name which would imply that it is a pure function.

[pompon0]

nit: hrs.Height > ... for defense-in-depth

[pompon0]

and return error if <

[pompon0]

(same for round)

[pompon0]

make it return an error if parsing fails

[pompon0]

imo, it is more desirable to fail when we don't know what we are signing.

[pompon0]

I think we have a problem here - we should compare pol_round against ConsensusLock.Round here, not current round. For proposal signing we can extract it, but prevotes do not include pol round.

[ranchalp]

This is Tendermint type of stuff. What matters for Horcrux signing is consistency, which is only relative to the round of the latest signed precommit. That is, one thing is the highest round where Tendermint state sees the highest POL. But for singing on Horcrux what matters is that whatever is proposed for signing next is consistent with what has been proposed for signing before, not the POL. And the only time that we need to update and carry over locks when it comes to signing is after a Precommit message.

This implementation of Horcrux should not conflict with a correct Tendermint signer since nodes will lock on a value only when sending a Precommit message, and only will sign Prevotes or send Proposals for the locked value until the next Precommit message (if the Tendermint implementation follows the Tendermint spec from this paper as the official documentation says).

[pompon0]

discussed offline. We need to amend API to handle branch on line 28 of https://arxiv.org/pdf/1807.04938

[ranchalp]

#310 (comment)

[ranchalp]

Thanks for the comments, just addressed them, except for pushback on one of them (see the conversation in the related comment).

[pompon0]

why do you use string to index by height?

[ranchalp]

Reverted to the version we discussed in sync that uses the POL round.

[ericjohncarlson]

Been watching this PR closely and it seems like this has stalled out. Is the original concern still a problem and is this expected to be merged?