consensus: peer can be marked good after a single message

[ebuchman]

Reported by an auditor.

PeerState.Stats are used to track how many votes/blockparts for a unique height a peer has given us. When they hit 10k, we mark the peer as "good" and preferentially connect to it.

We initialize PeerState.Stats with zeros, and then only update if the Height of the vote/blockpart is higher than the latest:

tendermint/consensus/reactor.go

Lines 1089 to 1095 in 05a76fb

	func (ps *PeerState) RecordVote(vote *types.Vote) int {
	ps.mtx.Lock()
	defer ps.mtx.Unlock()
	if ps.Stats.LastVoteHeight >= vote.Height {
	return ps.Stats.Votes
	}

Problem is we don't validate that votes/parts contain non-negative values for height. If the first msg from a peer is a vote with negative height, we'll return the latest value, which is 0. But when we check the return value, we check % 10000 == 0, which passes for 0, so we mark the peer good right away!

Note we want to use % and not > because peers can become "ungood" probabilistically if there's lots of good peers and they should have a chance to keep proving themselves. Alternatively we could use > 10000 and just reset the counter to 0 every time a peer is marked good.

Main thing we need to fix is validating the reactor messages so we don't have negative numbers. But we should also make sure the logic is more defensive, like a modulus guarding a "marked good" should be smarter about accidentally being triggered right away.

[ValarDragon]

I don't understand why we don't validate that its a valid vote (i.e. for an existing validator), or a valid block part before improving the peers score.
Alternatively we could use > 10000 and just reset the counter to 0 every time a peer is marked good.
This sounds good to me. I don't like the idea that the amount you have to "reprove" yourself isn't strictly correlated to your overall "score" if you were previously proven. Removing the periodicity here seems like a good first step in that regard!

EDIT: I thought the above thing I quoted was "reset the counter to 0 every time a peer is marked bad". I don't understand why we'd reset when it hits 10000, that seems weird. What makes more sense to me is to knock the score down to Min(cur_score - 10000, 5000) when the peer is marked bad.

[ebuchman]

I don't understand why we don't validate that its a valid vote (i.e. for an existing validator), or a valid block part before improving the peers score.

Uh, that's a very fine point. Looks like the current code is all kinds of broken. Not only do we need to verify that it's valid, but that's its unique information we haven't already seen. That's supposed to be the point of the mechanism (according to the spec). We'll need the RecordXxx to be called from within the ConsensusState, where the info is actually validated and added to the vote set or part set.

@xla and I were discussing some improvements to the ConsensusState that would involve splitting out the piece that collects votes and parts into something like a ConsensusExecutor so that the ConsensusState can more directly reflect the formal spec. Calling RecordXxx would then happen in the ConsensusExecutor

[ValarDragon]

@xla and I were discussing some improvements to the ConsensusState that would involve splitting out the piece that collects votes and parts into something like a ConsensusExecutor so that the ConsensusState can more directly reflect the formal spec. Calling RecordXxx would then happen in the ConsensusExecutor

This sounds like a great idea to me! This seems like a good way to split up the logic. I suppose this should first be written up into an ADR?

[melekes]

We'll need the RecordXxx to be called from within the ConsensusState

not necessary #2388 (comment). I'd recommend being careful about boundaries between software components (consensus state shouldn't know what address book is).

[milosevic]

I'd recommend being careful about boundaries between software components (consensus state shouldn't know what address book is).

Fully agree here @melekes . That's why I wanted to open the discussion in PR. Even passing Peer feels wrong as consensus state doesn't care about Peer and probably shouldn't have possibility to directly send messages.

[xla]

This sounds like a great idea to me! This seems like a good way to split up the logic. I suppose this should first be written up into an ADR?

Dropped the ball on this, it's coming.

[ebuchman]

Simple proposal: #2388 (comment)

Ie. open a new channel between reactor/state just for the state to communicate successful unique adds of parts and votes. reactor has a new routine to read off this channel and update the peer states