feat: create foundation for fraudulent block production #1992
Conversation
evan-forbes
changed the base branch from
main
to
evan/refactor-testnode-appcreator
| ErrInvalidNodeNamespaceOrder = errors.New("invalid NMT node namespace order") | ||
| ) | ||
|
|
||
| type Hasher struct { |
There was a problem hiding this comment.
had to copy paste fork this from nmt in order to remove all of the protections against leafs that are out of order
There was a problem hiding this comment.
As a note, it seems outside the scope of a hasher to have all these protections in place. That feels like it belongs to the jurisdiction of the tree itself
There was a problem hiding this comment.
As a note, it seems outside the scope of a hasher to have all these protections in place. That feels like it belongs to the jurisdiction of the tree itself
Just a note on this, there are two hashers: one is the base hasher e.g., sha256, and one is the nmt hasher, or the namespace hasher, that utilizes the base hasher. The latter actually is aware of the format of the leaves and the nodes i.e., their min and max namespace, their ordering. Due to this, all the functions associated with the namespace hasher validate the format of inputs accordingly. However, the former, i.e., the basehasher, is completely unaware and is only responsible for the digest calculation. I am not sure, but I think you might be referring to the base-hasher, which, as you suggested, should be and is clueless about the namespace-related logic.
| func NewAppServer(logger log.Logger, db dbm.DB, traceStore io.Writer, appOpts servertypes.AppOptions) servertypes.Application { | ||
| var cache sdk.MultiStorePersistentCache |
There was a problem hiding this comment.
this function allows us to use the existing infrastructure (testnode, and even the create a new binary if need be), all while keeping the malicious code separate. Meaning, as long as we're using the normal application, we can't accidentally trigger the malicious logic.
test/util/malicious/tree.go
Outdated
| // NewTree creates a new rsmt2d.Tree using the malicious | ||
| // wrapper.ErasuredNamespacedMerkleTree with predefined square size and | ||
| // nmt.Options. | ||
| func (c constructor) NewTree(_ rsmt2d.Axis, axisIndex uint) rsmt2d.Tree { | ||
| hasher := NewBlindHasher(appconsts.NewBaseHashFunc(), appconsts.NamespaceSize, true) | ||
| opts := []nmt.Option{ | ||
| nmt.CustomHasher(hasher), | ||
| nmt.NamespaceIDSize(appconsts.NamespaceSize), | ||
| nmt.IgnoreMaxNamespace(true), | ||
| } | ||
| c.opts = append(c.opts, opts...) | ||
| nmtTree := nmt.New(appconsts.NewBaseHashFunc(), opts...) | ||
| maliciousTree := &BlindTree{nmtTree} | ||
| newTree := wrapper.NewErasuredNamespacedMerkleTree(c.squareSize, axisIndex, c.opts...) | ||
| newTree.SetTree(maliciousTree) | ||
| return &newTree | ||
| } |
There was a problem hiding this comment.
apologies, I hate this too... we're wrapping the nmt wrapper to overwrite the push method and use our own malicious hasher
we can use this to commit to rows and cols that are out of lexicographical order
Codecov Report
@@ Coverage Diff @@
## main #1992 +/- ##
==========================================
+ Coverage 21.54% 22.08% +0.54%
==========================================
Files 126 130 +4
Lines 14283 14479 +196
==========================================
+ Hits 3077 3198 +121
- Misses 10913 10981 +68
- Partials 293 300 +7
|
There was a problem hiding this comment.
This seems all good to me.
From a high level architecture perspective I see a bit of an anti-pattern here. For me, rsmt2d should just be a eds package within core-app. I don't know who else would want to use it and I'm not sure we should really look to cater to them over serving something purpose built for the celestia network. nmt is different because it's more self standing as it's own system whereas rsmt2d is kind glue between nmt, the square package and an erasure coding library. The fact that we have this wrapper package is a bit of a giveaway.
I would also prefer a design that has greater separation between the extended data square and the nmt that is built on top of this.
I've heard prior conversations about extracting out shares, square, blobs and eds into their own repo. This is something we could look to do
go.mod
Outdated
| @@ -3,7 +3,7 @@ module github.com/celestiaorg/celestia-app | |||
| go 1.20 | |||
|
|
|||
| require ( | |||
| github.com/celestiaorg/nmt v0.16.0 | |||
| github.com/celestiaorg/nmt v0.16.1-0.20230626222946-6dc07a6c7a35 // v0.16.0 | |||
There was a problem hiding this comment.
since upgraded to v0.17.0
| ErrInvalidNodeNamespaceOrder = errors.New("invalid NMT node namespace order") | ||
| ) | ||
|
|
||
| type Hasher struct { |
There was a problem hiding this comment.
As a note, it seems outside the scope of a hasher to have all these protections in place. That feels like it belongs to the jurisdiction of the tree itself
| @@ -0,0 +1,67 @@ | |||
| package malicious | |||
There was a problem hiding this comment.
nit: I'd prefer to call this package faulty for capturing general faulty behaviour but YMMV
go.mod
Outdated
| @@ -27,7 +27,7 @@ require ( | |||
| require ( | |||
| cosmossdk.io/errors v1.0.0-beta.7 | |||
| cosmossdk.io/math v1.0.0-rc.0 | |||
| github.com/celestiaorg/rsmt2d v0.9.0 | |||
| github.com/celestiaorg/rsmt2d v0.9.1-0.20230623202902-25e11e517e4c | |||
There was a problem hiding this comment.
[optional] should we cut an rsmt2d release so that this line can depend on an official release?
There was a problem hiding this comment.
whoops, this doesn't actually require any changes to rsmt2d, this was just the recent codec changes, which we probably won't have to use
| // Write writes the namespaced data to be hashed. | ||
| // | ||
| // Requires data of fixed size to match leaf or inner NMT nodes. Only a single | ||
| // write is allowed. | ||
| // It panics if more than one single write is attempted. | ||
| // If the data does not match the format of an NMT non-leaf node or leaf node, an error will be returned. |
There was a problem hiding this comment.
[no change needed] maintainers should consider enabling a linter that auto wraps comment length
| ErrInvalidNodeNamespaceOrder = errors.New("invalid NMT node namespace order") | ||
| ) | ||
|
|
||
| type Hasher struct { |
There was a problem hiding this comment.
As a note, it seems outside the scope of a hasher to have all these protections in place. That feels like it belongs to the jurisdiction of the tree itself
Just a note on this, there are two hashers: one is the base hasher e.g., sha256, and one is the nmt hasher, or the namespace hasher, that utilizes the base hasher. The latter actually is aware of the format of the leaves and the nodes i.e., their min and max namespace, their ordering. Due to this, all the functions associated with the namespace hasher validate the format of inputs accordingly. However, the former, i.e., the basehasher, is completely unaware and is only responsible for the digest calculation. I am not sure, but I think you might be referring to the base-hasher, which, as you suggested, should be and is clueless about the namespace-related logic.
evan-forbes
dismissed stale reviews from staheri14, rootulp, and cmwaters
The base branch was changed.
Co-authored-by: Rootul P <[email protected]>
evan-forbes
force-pushed
the
evan/bad-blocks
branch
from
461be6a
to
f4f88db
Compare
|
|
|
cc @cmwaters
I agree completely! imo there are many potential ways we can organize or use the eds (one experiment from forever ago celestiaorg/rsmt2d#9 (comment)). wrapping and embedding all these different types and |
## Overview creates a malicious package that allows for minimal changes to the rest of the application while also keeping the malicious portion of the code as separate as possible as to not accidentally trigger the malicious logic. part of #1953 ## Checklist - [x] New and updated code has appropriate documentation - [x] New and updated code has new and/or updated testing - [x] Required CI checks are passing - [x] Visual proof for any user facing features like CLI or documentation updates - [ ] Linked issues closed with keywords --------- Co-authored-by: Rootul P <[email protected]>
## Overview creates a malicious package that allows for minimal changes to the rest of the application while also keeping the malicious portion of the code as separate as possible as to not accidentally trigger the malicious logic. part of #1953 ## Checklist - [x] New and updated code has appropriate documentation - [x] New and updated code has new and/or updated testing - [x] Required CI checks are passing - [x] Visual proof for any user facing features like CLI or documentation updates - [ ] Linked issues closed with keywords --------- Co-authored-by: Rootul P <[email protected]>
This reverts commit 14c24b0.
Overview
creates a malicious package that allows for minimal changes to the rest of the application while also keeping the malicious portion of the code as separate as possible as to not accidentally trigger the malicious logic.
part of #1953
Checklist