Page MenuHomePhabricator

Delay finalization until 2 hours after IBD is recorded as finished
AbandonedPublic

Authored by schancel on Sat, Nov 24, 02:45.

Details

Reviewers
jasonbcox
Group Reviewers
Restricted Project
Summary

This commit attempts to avoid the following attack:

  1. Attacker mines 10 blocks after the most recent checkpoint but not off of the current global chain tip.
  2. Attacker performs an eclipse attack against a node undergoing IBD, and supplies these 10 blocks. Attacker may or may not manipulate DAA to add more blocks on top with low difficulty.
  3. Attacker prevents other block headers from being seen during this time, causing the node in question to download those 10 blocks.
  4. Victim finalizes the first of those blocks. Victim is stuck until manual intervention is used.

This code assumes that the eclipse attack cannot be maintained consistently for 2 hours, and that during that time at least some blocks from the true global best chain will filter through and displace the attacker's blocks, allowing the victim to escape the attack. That seems like a reasonable assumption to me.

Test Plan

Unsure. There does not seem to be a clean way to mock IBD.

Diff Detail

Repository
rABC Bitcoin ABC
Branch
ibd-delay (branched from master)
Lint
Lint OK
Unit
No Unit Test Coverage
Build Status
Buildable 4094
Build 6259: Bitcoin ABC Teamcity Staging
Build 6258: arc lint + arc unit

Event Timeline

schancel created this revision.Sat, Nov 24, 02:45
Herald added a reviewer: Restricted Project. · View Herald TranscriptSat, Nov 24, 02:45
jtoomim added a subscriber: jtoomim.Sat, Nov 24, 03:00

So the attack here is this:

  1. Attacker mines 10 blocks after the most recent checkpoint but not off of the current global chain tip.
  2. Attacker performs an eclipse attack against a node undergoing IBD, and supplies these 10 blocks. Attacker may or may not manipulate DAA to add more blocks on top with low difficulty.
  3. Attacker prevents other block headers from being seen during this time, causing the node in question to download those 10 blocks.
  4. Victim finalizes the first of those blocks. Victim is stuck until manual intervention is used.

This code assumes that the eclipse attack cannot be maintained consistently for 2 hours, and that during that time at least some blocks from the true global best chain will filter through and displace the attacker's blocks, allowing the victim to escape the attack. That seems like a reasonable assumption to me.

Vulnerabilities: Compared to the status quo, the only new error that this code can make is an error of omission, failing to finalize a block that others honestly finalize. Specifically, a node that finished IBD within 2 hours of a deep reorg attack occurring will follow the deep reorg attack instead of the honest (minority) chain. This seems like an acceptable and unavoidable risk to me.

Concept ACK.

I'd like to see some mocktime tests, but overall this looks a lot cleaner than the other approach.

jasonbcox requested changes to this revision.Sat, Nov 24, 03:00
jasonbcox added a subscriber: jasonbcox.

What does delaying finalization until some time after IBD accomplish? It's not clear from the diff and the summary is empty.

This revision now requires changes to proceed.Sat, Nov 24, 03:00
schancel edited the summary of this revision. (Show Details)Sat, Nov 24, 05:30
schancel edited the summary of this revision. (Show Details)
schancel abandoned this revision.Tue, Nov 27, 19:08