tendermint/CHANGELOG_PENDING.md
Anton Kaliaev 42be533129 types: verify commit fully
Since the light client work introduced in v0.33 it appears full nodes
are no longer fully verifying commit signatures during block execution -
they stop after +2/3. See in VerifyCommit:
0c7fd316eb/types/validator_set.go (L700-L703)

This means proposers can propose blocks that contain valid +2/3
signatures and then the rest of the signatures can be whatever they
want. They can claim that all the other validators signed just by
including a CommitSig with arbitrary signature data. While this doesn't
seem to impact safety of Tendermint per se, it means that Commits may
contain a lot of invalid data. This is already true of blocks, since
they can include invalid txs filled with garbage, but in that case the
application knows they are invalid and can punish the proposer. But
since applications don't verify commit signatures directly (they trust
tendermint to do that), they won't be able to detect it.

This can impact incentivization logic in the application that depends on
the LastCommitInfo sent in BeginBlock, which includes which validators
signed. For instance, Gaia incentivizes proposers with a bonus for
including more than +2/3 of the signatures. But a proposer can now claim
that bonus just by including arbitrary data for the final -1/3 of
validators without actually waiting for their signatures. There may be
other tricks that can be played because of this.

In general, the full node should be a fully verifying machine. While
it's true that the light client can avoid verifying all signatures by
stopping after +2/3, the full node can not. Thus the light client and
full node should use distinct VerifyCommit functions if one is going to
stop after +2/3 or otherwise perform less validation (for instance light
clients can also skip verifying votes for nil while full nodes can not).

See a commit with a bad signature that verifies here: 56367fd. From what
I can tell, Tendermint will go on to think this commit is valid and
forward this data to the app, so the app will think the second validator
actually signed when it clearly did not.
2020-07-02 15:41:49 +02:00
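
The gap this commit message describes, as an added Go example (not Tendermint's code and not part of the commit): `verifyCommit`, `sampleCommit`, the equal voting power and the single shared sign-bytes value are assumptions made for illustration, and nil votes are not modelled. With `full=false` the check returns after +2/3 and never examines the fourth entry; with `full=true` the same commit is rejected.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// verifyCommit checks sigs[i] (nil = absent) against keys[i], power 1 each (assumption).
// full=false stops once more than 2/3 signed (light client); full=true checks all.
func verifyCommit(keys []ed25519.PublicKey, sigs [][]byte, msg []byte, full bool) error {
	if len(keys) != len(sigs) {
		return fmt.Errorf("commit has %d sigs, want %d", len(sigs), len(keys))
	}
	tallied := 0
	for i, sig := range sigs {
		if sig == nil {
			continue
		}
		if !ed25519.Verify(keys[i], msg, sig) {
			return fmt.Errorf("wrong signature (#%d)", i)
		}
		tallied++
		if !full && 3*tallied > 2*len(keys) {
			return nil // early exit: later signatures are never examined
		}
	}
	if 3*tallied <= 2*len(keys) {
		return fmt.Errorf("insufficient voting power: %d of %d", tallied, len(keys))
	}
	return nil
}

// sampleCommit is constructed data: 3 real signatures, then arbitrary bytes.
func sampleCommit() (keys []ed25519.PublicKey, sigs [][]byte, msg []byte) {
	msg = []byte("constructed-sign-bytes")
	for i := 0; i < 4; i++ {
		priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{byte(i + 1)}, ed25519.SeedSize))
		keys = append(keys, priv.Public().(ed25519.PublicKey))
		sigs = append(sigs, ed25519.Sign(priv, msg))
	}
	sigs[3] = make([]byte, ed25519.SignatureSize) // not a signature by validator 3
	return keys, sigs, msg
}

func main() {
	keys, sigs, msg := sampleCommit()
	fmt.Println(verifyCommit(keys, sigs, msg, false), "|", verifyCommit(keys, sigs, msg, true))
}
```

An application that reads which validators signed from a commit checked only in light mode would count the fourth validator as a signer.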


v0.33.6


Special thanks to external contributors on this release:

Friendly reminder, we have a bug bounty program.

BREAKING CHANGES:

  • CLI/RPC/Config

    • [consensus] #4582 RoundState: Round, LockedRound & CommitRound are now int32
    • [consensus] #4582 HeightVoteSet: round is now int32
    • [evidence] #4725 Remove Pubkey from DuplicateVoteEvidence
    • [evidence] #4959 Add json tags to DuplicateVoteEvidence
    • [crypto] #4940 All keys have become []byte instead of [<size>]byte. The byte method no longer returns the marshaled value but just the []byte form of the data.
    • [crypto] #4988 Removal of key type multisig
    • [crypto] #4989 Remove Simple prefixes from SimpleProof, SimpleValueOp & SimpleProofNode.
      • merkle.Proof has been renamed to ProofOps.
      • Protobuf messages Proof & ProofOp have been moved to proto/crypto/merkle
      • SimpleHashFromByteSlices has been renamed to HashFromByteSlices
      • SimpleHashFromByteSlicesIterative has been renamed to HashFromByteSlicesIterative
      • SimpleProofsFromByteSlices has been renamed to ProofsFromByteSlices
    • [crypto] #4941 Remove suffixes from all keys.
      • ed25519: type PrivKeyEd25519 is now PrivKey
      • ed25519: type PubKeyEd25519 is now PubKey
      • secp256k1: type PrivKeySecp256k1 is now PrivKey
      • secp256k1: type PubKeySecp256k1 is now PubKey
      • sr25519: type PrivKeySr25519 is now PrivKey
      • sr25519: type PubKeySr25519 is now PubKey
      • multisig: type PubKeyMultisigThreshold is now PubKey
    • [light] #4946 Rename lite2 pkg to light, the lite cmd has also been renamed to light. Remove lite implementation.
    • [rpc] #4792 /validators are now sorted by voting power (@melekes)
    • [rpc] #4937 Return an error when page pagination param is 0 in /validators, tx_search (@melekes)
    • [rpc] #4968 JSON encoding is now handled by libs/json, not Amino
    • [privval] #4582 round in private_validator_state.json is no longer a string in JSON; it is now a number.
    • [proto] #5025 All proto files have been moved to /proto directory.
    • [state] #4679 TxResult is a Protobuf type defined in abci types directory
    • [types] #4939 SignedMsgType has moved to a Protobuf enum types
    • [types] #4939 Total in Parts & PartSetHeader has been changed from an int to a uint32
    • [types] #4939 Vote: ValidatorIndex & Round are now int32
    • [types] #4939 Proposal: POLRound & Round are now int32
    • [types] #4939 Block: Round is now int32
    • [types] #4962 ConsensusParams, BlockParams, EvidenceParams, ValidatorParams & HashedParams are now Protobuf types
    • [types] #4852 Vote & Proposal SignBytes is now func VoteSignBytes & ProposalSignBytes
    • [types] #5029 Rename all values from PartsHeader to PartSetHeader to have consistency
  • Apps

    • [abci] #4704 Add ABCI methods ListSnapshots, LoadSnapshotChunk, OfferSnapshot, and ApplySnapshotChunk for state sync snapshots. ABCIVersion bumped to 0.17.0.
    • [abci] #4989 Proof within ResponseQuery has been renamed to ProofOps
  • P2P Protocol

  • Go API

    • [crypto] #4721 Remove SimpleHashFromMap() and SimpleProofsFromMap() (@erikgrinaker)
    • [libs] #4831 Remove Bech32 pkg from Tendermint. This pkg now lives in the cosmos-sdk
    • [rpc/client] #4947 Validators, TxSearch page/per_page params become pointers (@melekes). UnconfirmedTxs limit param is a pointer.
    • [types] #4798 Simplify VerifyCommitTrusting func + remove extra validation (@melekes)
    • [types] #4845 Remove ABCIResult
  • Blockchain Protocol

    • [blockchain] #4637 Migrate blockchain reactor(s) to Protobuf encoding
    • [evidence] #4780 Cap evidence to an absolute number (@cmwaters). Add max_num to consensus evidence parameters (default: 50 items).
    • [evidence] #4949 Migrate evidence reactor to Protobuf encoding
    • [mempool] #4940 Migrate mempool to Protobuf encoding
    • [light] #4964 Migrate light reactor to Protobuf encoding
    • [p2p/pex] #4973 Migrate p2p/pex reactor to Protobuf encoding
    • [privval] #4985 Migrate privval reactor to Protobuf encoding
    • [statesync] #4943 Migrate statesync reactor to Protobuf encoding
    • [state] #4845 Include BeginBlock#Events, EndBlock#Events, DeliverTx#Events, GasWanted and GasUsed into LastResultsHash (@melekes)
    • [state] #4679 Migrate state reactor to Protobuf encoding
      • BlockStoreStateJSON is now BlockStoreState and is encoded as binary in the database
    • [store] #4778 Migrate store module to Protobuf encoding
    • [types] #4792 Sort validators by voting power to enable faster commit verification (@melekes)
    • [mempool] Add RemoveTxByKey() exported function for custom mempool cleaning (@p4u)

FEATURES:

  • [abci] #5031 Add AppVersion to consensus parameters (@james-ray) ... making it possible to update your ABCI application version via EndBlock response
  • [evidence] #4532 Handle evidence from light clients (@melekes)
  • [evidence] #4821 Amnesia evidence can be detected, verified and committed (@cmwaters)
  • [light] #4532 Submit conflicting headers, if any, to a full node & all witnesses (@melekes)
  • [p2p] #4981 Expose SaveAs func on NodeKey (@melekes)
  • [rpc] #4532 Support BlockByHash query (@fedekunze)
  • [rpc] #4979 Support EXISTS operator in /tx_search query (@melekes)
  • [rpc] #5017 Add /check_tx endpoint to check transactions without executing them or adding them to the mempool (@melekes)
  • [statesync] Add state sync support, where a new node can be rapidly bootstrapped by fetching state snapshots from peers instead of replaying blocks. See the [statesync] config section.

IMPROVEMENTS:

  • [consensus] #4578 Attempt to repair the consensus WAL file (data/cs.wal/wal) automatically in case of corruption (@alessio). The original WAL file will be backed up to data/cs.wal/wal.CORRUPTED.
  • [evidence] #4722 Improved evidence db (@cmwaters)
  • [evidence] #4839 Reject duplicate evidence from being proposed (@cmwaters)
  • [evidence] #4892 Remove redundant header from phantom validator evidence (@cmwaters)
  • [light] #4935 Fetch and compare a new header with witnesses in parallel (@melekes)
  • [light] #4929 Compare header w/ witnesses only when doing bisection (@melekes)
  • [light] #4916 Validate basic for inbound validator sets and headers before further processing them (@cmwaters)
  • [p2p/conn] #4795 Return err on signChallenge() instead of panic
  • [state] #4781 Export InitStateVersion for the initial state version (@erikgrinaker)
  • [txindex] #4466 Allow to index an event at runtime (@favadi)
    • abci.EventAttribute replaces KV.Pair
  • [types] #4905 Add ValidateBasic to validator and validator set (@cmwaters)

BUG FIXES:

  • [blockchain/v2] Correctly set block store base in status responses (@erikgrinaker)
  • [consensus] #4895 Cache the address of the validator to reduce querying a remote KMS (@joe-bowman)
  • [consensus] #4970 Stricter on LastCommitRound check (@cuonglm)