Move up slot range check in beacon attestation propagation

[terencechain]

I'm suggesting to move the ATTESTATION_PROPAGATION_SLOT_RANGE check to the top for beacon_attestation_{subnet_id} validations.

From:

[REJECT] The attestation is for the correct subnet -- i.e. compute_subnet_for_attestation(committees_per_slot, attestation.data.slot, attestation.data.index) == subnet_id, where committees_per_slot = get_committee_count_per_slot(state, attestation.data.target.epoch), which may be pre-computed along with the committee information for the signature check.
[IGNORE] attestation.data.slot is within the last ATTESTATION_PROPAGATION_SLOT_RANGE slots (within a MAXIMUM_GOSSIP_CLOCK_DISPARITY allowance) -- i.e. attestation.data.slot + ATTESTATION_PROPAGATION_SLOT_RANGE >= current_slot >= attestation.data.slot (a client MAY queue future attestations for processing at the appropriate slot)

To:

[IGNORE] attestation.data.slot is within the last ATTESTATION_PROPAGATION_SLOT_RANGE slots (within a MAXIMUM_GOSSIP_CLOCK_DISPARITY allowance) -- i.e. attestation.data.slot + ATTESTATION_PROPAGATION_SLOT_RANGE >= current_slot >= attestation.data.slot (a client MAY queue future attestations for processing at the appropriate slot)
[REJECT] The attestation is for the correct subnet -- i.e. compute_subnet_for_attestation(committees_per_slot, attestation.data.slot, attestation.data.index) == subnet_id, where committees_per_slot = get_committee_count_per_slot(state, attestation.data.target.epoch), which may be pre-computed along with the committee information for the signature check.

Reasons:

1. slot range check is a stateless check, it's slightly cheaper
2. subnet check may open up to dos attack in situation where long period without finality and this mostly depends on client implementation detail. The slot range check can be used to prevent such attack

More info on the attack:
In Prysm's DB scheme, we only hold up to certain hot (post finalization) states in memory. When there's long period without finality, a node could get attacked by receiving attestation that's outside of slot range. Given it's outside of the slot range (eg. >2epochs behind), that's very likely the receiving node will have to do extra computations to compute for the beacon state to satisfy the committee validation and that is committees_per_slot = get_committee_count_per_slot(state, attestation.data.target.epoch) We have observed this pattern in the Onyx testnet when 200 epochs since finality

Reference fix in Prysm: OffchainLabs/prysm#6755

[lsankar4033]

Is the subnet check (potentially) expensive because of the need to check for active validators at the epoch? Otherwise it seems like O(1)

[terencechain]

Is the subnet check (potentially) expensive because of the need to check for active validators at the epoch? Otherwise it seems like O(1)

The cost is getting the state. Say current epoch is 200 and last finalized epoch is 100. Clients might have frequent states cached in the 197-200 region and less frequent states cached in the 100-197 region. Bad peers could send attestations with slot outside of the invalid slot range and cause receiving peer to oversubscribe the CPU by computing states with no useful purpose

[lsankar4033]

got it, this makes sense. putting the slot-range check first and keeping it there seems like a good idea in general; opens up other validations that we can add later without worries about dos-ing clients (i.e. #2002)

[hwwhww]

Look good to me. Hmm, I think although the validation sequence is not strict as the consensus validation sequence, an optimized process is still good for other teams to learn about.

/cc @djrtwo @protolambda

[metatron1973]

Thanks for the 411

[dapplion]

Good suggestion, but order of checks is not strictly spec'ed and up to clients.