Implement LLMQ based ChainLocks#2643
Conversation
|
See dashpay/dips#39 for the fixes in DIP8 |
codablock
force-pushed
the
pr_llmq_chainlocks
branch
from
7964a31 to
49fb7e4
Compare
There was a problem hiding this comment.
We should limit this to a certain height, otherwise a bug in CL code etc could invalidate the entire chain or something crazy like that
There was a problem hiding this comment.
Hmm not sure if that would really help. If such a bug happens and we stop the invalidation at some point (e.g. -100 blocks)...how would this help the user of the node? In that case the node is in an undefined state nevertheless and you can't continue using that node.
There was a problem hiding this comment.
I'm thinking of more of a network wide error, instead of a single client
|
I know with relaying txs we have a delay for privacy reasons. Is there any delay for relaying CL messages? I would think there shouldn't be (also applies to IS lock messages) |
|
@PastaPastaPasta No there is no delay for relaying CLSIG messages. The trickle logic only applies to TXs and only for non-MN nodes. |
|
Handled review comments and pushed new version. |
codablock
force-pushed
the
pr_llmq_chainlocks
branch
from
0d3b532 to
2dcab73
Compare
UdjinM6
left a comment
UdjinM6
left a comment
There was a problem hiding this comment.
Looks good 👍
I have just one question #2643 (comment) i.e. do we need smth like 7c3f311 or should we just store the best chainlock only since this seems to be enough.
codablock
force-pushed
the
pr_llmq_chainlocks
branch
from
d06496a to
4fd48ae
Compare
|
@UdjinM6 @PastaPastaPasta After the discussion in the comments and the discussion we had on Slack, I decided to reimplement I also added a changes so that quorum selection happens based on a block that 8 blocks in the past. Otherwise receivers of CLSIG would not be able to verify the CLSIG before the header for that block arrives, which is not guaranteed to happen in a consistent order. I will squash the changes into the initial commits to get a clean history after getting approvals. As I'll not do a rebase at the same time, it should then be easy to verify that no other changes came in so that re-ACKs can be given shortly after that. I'll also update DIP8 later. |
There was a problem hiding this comment.
Should this increase misbehaving score?
There was a problem hiding this comment.
I decided to not increase DoS score here as you don't know if it's the new CLSIG or the old CLSIG that's the misbehaving one. The peer that sends the bad CLSIG might just be unlucky and accepted it because it didn't know better (e.g. after start or because it missed the other one)
There was a problem hiding this comment.
Shouldn't it be fairly easy to tell if it's a valid but old CLSIG or malicious?
There was a problem hiding this comment.
Not really. Let's say there are 2 sigs for the same height, but both for different blocks. Node A receives S1 first, node B receives S2 first. Both will now propagate their sig to the other node, resulting in BOTH nodes believing that the other one is malicious. In such cases, it's better to not increase DoS score.
There was a problem hiding this comment.
But there should never be two different CLSIGs for the same height... unless there is a fork eight blocks back (since that is what the quorum is based on)
There was a problem hiding this comment.
Even such a small fork should not create conflicting CLSIGs. The fork would have to be at least as long as a quorum interval for the ChainLocks quorum is. That would have to be a 288 (12 hours) blocks long fork. And even then, the chance is only 25% to get a conflicting CLSIG (because 3 out of the 4 active quorums are still the same).
So yes, in practice there should never be 2 conflicting CLSIGs.
There was a problem hiding this comment.
I mean, if it would take a fork of over 12 hours to get a conflicting CLSIG I think it is safe to assume anyone who sends one is malicious (or you are messed up locally)
|
@UdjinM6 applied your suggestions |
codablock
force-pushed
the
pr_llmq_chainlocks
branch
from
bf96814 to
828872c
Compare
|
I've just squashed all changes which I've done after the initial PR into the original commits to get a clean history again. You can verify that the code has no changes by running: |
codablock
force-pushed
the
pr_llmq_chainlocks
branch
from
828872c to
bcff200
Compare
Otherwise nodes might already fail to verify sigs when just 1 block away from the tip.
Allows to cheaply find all possible children of a block.
Also don't set indexDummy.phashBlock in TestBlockValidity anymore.
codablock
force-pushed
the
pr_llmq_chainlocks
branch
from
7177391 to
3237668
Compare
|
Rebased on develop to include #2652 and added 2 more commits to handle #2643 (comment) and partially #2643 (comment) |
|
|
codablock
force-pushed
the
pr_llmq_chainlocks
branch
from
954a882 to
ad4b3cd
Compare
UdjinM6
left a comment
UdjinM6
left a comment
There was a problem hiding this comment.
utACK, the test failure is (most likely) not related
3 participants
This implements DIP8 - ChainLocks.
It currently only supports a single attempt and either fails or succeeds. Support for multiple attempts as described in the DIP will be added later.
Turned out there were also some errors in DIP8, which I'm going to fix in a few minutes. For example,
attemptNumshould not have been part ofCLSIGand the verification of the signature inCLSIGis described wrong.