feat(p2p/sensor): validate block signer before rebroadcast #946

minhd-vu wants to merge 5 commits into
Conversation
When block rebroadcasting is enabled, the sensor now only rebroadcasts blocks whose recovered signer is in the current Heimdall validator set. Blocks from unknown signers are still persisted and their bodies are still requested; they are simply not propagated to peers.

- Add ValidatorSet (p2p/validators.go): fetches /stake/validators-set from Heimdall, blocking initial load + periodic refresh, IsAuthorized.
- Add Conns.IsKnownSigner to gate rebroadcast by recovered signer.
- Gate handleNewBlock; defer block-hash rebroadcast from handleNewBlockHashes to handleBlockHeaders so the fetched header can be validated first (body requests stay ungated).
- Consolidate util.Ecrecover to take *types.Header.
- Add --heimdall-url and --validator-set-refresh sensor flags.
Refine the block signer validation feature:

- Rename SignerSet -> ValidatorSet and IsAuthorized -> HasSigner; add RecoverSigner which returns the recovered address so skip paths can log it.
- Add --validate-block-signer (default true) to toggle signer validation.
- Add --cache-only-validated-blocks (default true): unknown-signer blocks are still recorded to the database but are no longer retained in or served from the in-memory cache (GetBlockHeaders/GetBlockBodies/RPC), and cannot evict legitimate blocks.
- Make block-hash rebroadcast conditional: immediate when validation is off, deferred to handleBlockHeaders (validate first) when on.
- Emit rich debug logs (signer, peer, block info) when a block is not rebroadcast.
Extract helpers to bring handleBlockHeaders, handleBlockBodies, and handleNewBlock under the SonarQube cognitive-complexity threshold, without changing behavior:

- cacheAndAnnounceHeader: per-header caching + deferred hash rebroadcast.
- buildBlockBody: RLP decode/re-encode of a block body.
- cacheFullBlock: validated full-block cache store + first-seen write.
Please correct me if I'm missing something, but from my understanding, the silent drops for unknown-signer blocks are the intended behavior, which seems to make sense. I'm not sure if this would be an issue though, but it seems like there could be very rare cases where, if the body response arrives before the header, it might get dropped even from a known validator:
jhkimqd left a comment:

+1 lgtm overall, left comment above about possible edge case
Under --cache-only-validated-blocks, the body was cached only if a header was already present, so a body response arriving before its header (eth does not guarantee ordering) was dropped and never re-fetched — leaving a header-only entry even for valid-validator blocks, which then couldn't be served on GetBlockBodies.

- handleBlockBodies: retain the body whenever a cache entry exists (the announcement marker), holding a body-first response provisionally instead of dropping it.
- cacheAndAnnounceHeader: evict the entry when the header's signer is unknown, dropping any provisionally-held body.
- handleGetBlockBodies: serve a body only when its (validated) header is also cached, so provisional bodies are never served before validation.

DB persistence is unchanged; bodies are still written for every block.
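The cache behaviour described in the PR description and in the body-first fix above, as an added example that is not polygon-cli's own code: a minimal model of the announcement marker, the header-first and body-first orderings, eviction on an unknown signer, and serving a body only once its validated header is cached. The `Header.Signer` field, the `ValidatorSet` map and all method names here are constructed stand-ins, not the sensor's real types.

```go
package main
// Added example, not polygon-cli code: the sensor's in-memory block cache under
// --cache-only-validated-blocks with the body-first fix; Signer stands in for util.Ecrecover's output.
type (
	Header struct{ Hash, Signer string }
	Body   struct{ Txs []string }
	entry  struct {
		header *Header
		body   *Body // may be held provisionally before the header is validated
	}
	ValidatorSet map[string]bool // stands in for the Heimdall-backed set (HasSigner)
)
// Cache is keyed by block hash; an entry's existence is the announcement marker.
type Cache struct {
	vs ValidatorSet
	m  map[string]*entry
}
func NewCache(vs ValidatorSet) *Cache { return &Cache{vs: vs, m: map[string]*entry{}} }
// Announce records the NewBlockHashes marker before header and body are fetched.
func (c *Cache) Announce(hash string) { c.m[hash] = &entry{} }

// OnHeader (cacheAndAnnounceHeader): an unknown signer evicts the entry, dropping
// any provisionally held body; only a known signer's hash is rebroadcast.
func (c *Cache) OnHeader(h *Header) (rebroadcast bool) {
	e, ok := c.m[h.Hash]
	if !ok || !c.vs[h.Signer] {
		delete(c.m, h.Hash) // no-op when the block was never announced
		return false
	}
	e.header = h
	return true
}

// OnBody (fixed handleBlockBodies): keep the body whenever the marker exists,
// even if its header has not arrived yet.
func (c *Cache) OnBody(hash string, b *Body) (retained bool) {
	if e, ok := c.m[hash]; ok {
		e.body = b
		return true
	}
	return false
}

// GetBody (handleGetBlockBodies): serve only once the validated header is cached.
func (c *Cache) GetBody(hash string) (*Body, bool) {
	if e, ok := c.m[hash]; ok && e.header != nil && e.body != nil {
		return e.body, true
	}
	return nil, false
}
```

Database writes are deliberately left out of the model, since the fix leaves persistence unchanged.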