forkchoice: tighten validate_attestation future-slot bound #682
Open
tcoratger wants to merge 1 commit into leanEthereum:main from
The time check used to admit any vote within one full slot of the local clock. That window let an adversary pre-publish next-slot aggregates ~800 ms before any honest validator could produce them, with the next proposer happily including them.

The bound is now expressed in interval units against `Store.time` and gated by a new `GOSSIP_DISPARITY_INTERVALS` constant (one interval, the lean analogue of mainnet's `MAXIMUM_GOSSIP_CLOCK_DISPARITY`). Tests reference the constant rather than hardcoding numbers, so future changes propagate automatically.

Several existing spec tests gossiped attestations carrying a future `data.slot` to compress timelines; they have been restructured to follow the natural Lean flow (gossip during the producer's own slot, then tick to migrate). Three new boundary regressions are added to both gossip validation files plus a unit-level `TestValidateAttestationTimeCheck` class.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

- `Store.validate_attestation` accepted votes up to a full slot ahead of the local clock. With 4 s slots that is ~800 ms of free pre-positioning room — an adversary can publish next-slot aggregates before any honest validator could produce them, and the next proposer happily includes them.
- `Store.time` and gated by a new `GOSSIP_DISPARITY_INTERVALS = 1` constant in `chain/config.py` (the lean analogue of mainnet's `MAXIMUM_GOSSIP_CLOCK_DISPARITY`).
- `data.slot` was one slot in the future to compress their timeline. They have been restructured to follow the natural Lean flow (gossip during the producer's own slot, then tick to migrate). Three new boundary regressions are added to both gossip validation files, plus a unit-level `TestValidateAttestationTimeCheck` class. Tests reference the constant rather than hardcoded numbers, so future tweaks propagate.

Test plan

- `uvx tox -e all-checks`
- `uv run pytest tests/lean_spec/subspecs/forkchoice/` (86 passed)
- `uv run fill --fork=devnet --clean -n auto tests/consensus/devnet/fc/` (81 passed)

Notes for reviewers / Zeam

- `data.slot <= current_slot` was strictly correct for the producer/receiver alignment but did not leave room for clock skew. The new rule allows exactly one interval (~800 ms), so a Zeam node and a leanSpec node tolerate each other under normal NTP drift.
- `build_signed_block_with_store` gossips in-body attestations, so block-included votes still validate cleanly under the tighter rule.

🤖 Generated with Claude Code
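The three acceptance rules the description compares, side by side, as an added sketch that is not leanSpec or Zeam code. Assumptions: `INTERVALS_PER_SLOT = 5` is inferred from the page's figures (4 s slots, ~800 ms intervals), the exact form of the interval check is a guess at what "expressed in interval units against `Store.time`" means, and all function names are hypothetical.

```python
# Added illustration, not project code. INTERVALS_PER_SLOT is an assumption
# inferred from the page's figures (4 s slots, ~800 ms per interval).
INTERVALS_PER_SLOT = 5
GOSSIP_DISPARITY_INTERVALS = 1  # value stated in the PR description


def full_slot_rule(vote_slot: int, store_time: int) -> bool:
    """Previous behaviour as described: up to one full slot ahead is admitted."""
    return vote_slot <= store_time // INTERVALS_PER_SLOT + 1


def strict_rule(vote_slot: int, store_time: int) -> bool:
    """data.slot <= current_slot: no allowance for clock skew."""
    return vote_slot <= store_time // INTERVALS_PER_SLOT


def interval_rule(vote_slot: int, store_time: int) -> bool:
    """Assumed form of the tightened check: the vote's slot may begin at most
    GOSSIP_DISPARITY_INTERVALS after the local time, both in intervals."""
    return vote_slot * INTERVALS_PER_SLOT <= store_time + GOSSIP_DISPARITY_INTERVALS


RULES = {"full_slot": full_slot_rule, "strict": strict_rule, "interval": interval_rule}


def max_lead(rule, vote_slot: int) -> int:
    """Intervals before the vote's slot starts at which the rule first accepts."""
    slot_start = vote_slot * INTERVALS_PER_SLOT
    earliest = next(t for t in range(slot_start + 1) if rule(vote_slot, t))
    return slot_start - earliest


def accepts_with_lag(rule, vote_slot: int, lag: int) -> bool:
    """Vote for vote_slot arriving while the receiver's clock is still
    `lag` intervals short of that slot's start."""
    return rule(vote_slot, vote_slot * INTERVALS_PER_SLOT - lag)


if __name__ == "__main__":
    for name, rule in RULES.items():
        print(f"{name:9s} max_lead={max_lead(rule, 3)} "
              f"lag1={accepts_with_lag(rule, 3, 1)} "
              f"lag2={accepts_with_lag(rule, 3, 2)}")
```

Under these assumptions the full-slot rule admits a vote five intervals early, the strict rule rejects a vote that arrives one interval early, and the interval rule accepts at one interval and rejects at two.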