consensus: how to handle blocks with invalid txs

[ebuchman]

Currently, we will commit blocks that may have invalid txs in them. This is done on purpose, to avoid requiring the block to be executed before consensus can go to work. This is a performance optimization, but comes at some UX cost, and led at least one user to raise an issue (#2162).

Txs return results that include a status code, which can be non-zero indicating an invalid tx. We don't currently store this information anywhere in the blockchain itself (just indexed on disk). So long as we allow this, we should probably include a bit-array of valid/invalid txs in the header.

Another alternative is to just run CheckTx on all txs when we validate the block before prevoting. This would eliminate invalid txs (assuming CheckTx is implemented correctly), but would add some performance overhead.

Finally, we might want to consider a mechanism for detecting bad proposals and punishing for them, though this is a harder and less-immediate problem.

[ValarDragon]

I think it is advantageous to be able to include invalid txs in a block. The reason is, if we don't this may lead to validators electing certain message types due to them having a greater computational cost. (i.e. they fear if its invalid, they have more to lose)

However we should have the p2p layer reject invalid txs. I also agree with the bitarray in the header, that seems like a good decision. (However we may need to add slashing conditions for marking a tx as invalid when it actually should have been valid)

[ebuchman]

The reason is, if we don't this may lead to validators electing certain message types due to them having a greater computational cost. (i.e. they fear if its invalid, they have more to lose)

Validators should be running CheckTx in their mempool before proposing a block of txs so this shouldnt be an issue. It's only a problem if a validator is trying to sneak txs into the block before validating them ...

However we should have the p2p layer reject invalid txs.

It does at the mempool level. But if an invalid tx gets into a block via a malicious proposer, then we won't know until after the block is committed and executed, unless we do checktx before prevoting.

Note currently the expected logic is that the only way an invalid tx gets into a block is via a malicious proposer. Otherwise, all txs in a block should have had CheckTx run on them in the correct sequence. If CheckTx is implemented incorrectly, that's a separate issue.

However we may need to add slashing conditions for marking a tx as invalid when it actually should have been valid

It would go in the next block and would be part of the validity check before prevoting for block H+1 to ensure that it has a correct results bit array for the txs in block H

[ValarDragon]

Validators should be running CheckTx in their mempool before proposing a block of txs so this shouldnt be an issue. It's only a problem if a validator is trying to sneak txs into the block before validating them ...

I'm not sure. Suppose I am a validator solely concerned with maximizing my short term profit. Then I would want to propose txs with the maximum fee / byte ratio. (Or fee / gas in a computationally bounded chain) If an invalid tx has an extremely high fee and extremely large assoc. computational cost it may be advantageous for the validator to include it even though it was invalid. (Unless they get no reward for including it, in which case why allow it in the first place?)

It does at the mempool level. But if an invalid tx gets into a block via a malicious proposer, then we won't know until after the block is committed and executed, unless we do checktx before prevoting.

Oh cool! Do we also lower the peers score in the address book if it was bad? (This may not make sense to do, since each block may change tx validity)

It would go in the next block and would be part of the validity check before prevoting for block H+1 to ensure that it has a correct results bit array for the txs in block H

Doesn't that mess with instant finality? We want a block to be finalized as soon as it is published with 2/3rds votes right? We don't want to wait until the subsequent block to validate the previous block

[ebuchman]

f an invalid tx has an extremely high fee and extremely large assoc. computational cost it may be advantageous for the validator to include it even though it was invalid.

Right, I was just saying the code as written will always CheckTx before proposal. OF course validators could choose to include whatever they want, but they have to write that code.

Also note, CheckTx is supposed to be cheap, and txs passing CheckTx are not supposed to fail deliver tx. So the example might be a bit contrived.

Oh cool! Do we also lower the peers score in the address book if it was bad? (This may not make sense to do, since each block may change tx validity)

No. It might be bad because we already have it too (eg. nonce is wrong now). Unless we change a lot about the mempool design, we can't punish for bad txs. Though, potentially, we could use ABCI codes more intelligently to eg. punish for txs that have encoding errors or something.

Doesn't that mess with instant finality? We want a block to be finalized as soon as it is published with 2/3rds votes right? We don't want to wait until the subsequent block to validate the previous block

the finality technically comes when the commit is made - once you've seen the commit, you know its final. This is still the case, but in Tendermint the commit doesn't actually get included in the blockchain until the next block. hence we have a concept of canonical and non-canonical commits. The former being what get's included in the next block, the latter being what you actually saw that got you to save and execute the block.

[ValarDragon]

Also note, CheckTx is supposed to be cheap, and txs passing CheckTx are not supposed to fail deliver tx. So the example might be a bit contrived.

You're right. The only avenue to make the checkTx take forever is to make a large multisig with one invalid signature, but we can't take fees from a tx with an invalid signature. We probably want to add some sort of consensus parameter to bound the number of keys in a multisig, and to evaluate multisig pubkey count recursively. (As we want to support a multisig of multisig pubkeys)

However if we go with the original suggestion:

Another alternative is to just run CheckTx on all txs when we validate the block before prevoting.

I think it will be inevitable that CheckTx can't be both fast and have no discrepancies between its result and the success of deliver tx. With that in mind, I think we should still allow txs that fail deliver tx. (Though I do agree with making it passing check tx, as long as check tx remains in its current fast variant. This only puts multisig txs at risk of being censored, due to higher risk at the same fee per byte or fee per gas levels. I think this is a fine trade-off, and may not be big enough to cause censorship.)

Though, potentially, we could use ABCI codes more intelligently to eg. punish for txs that have encoding errors or something.

This sounds like an awesome thing for us to do #postlaunch. Perhaps we should create another issue for this?

This is still the case, but in Tendermint the commit doesn't actually get included in the blockchain until the next block. hence we have a concept of canonical and non-canonical commits.

Thank you! I didn't know that the commit is published in the following block. You're right then, slashing conditions seem unnecessary.

[melekes]

but would add some performance overhead.

can we measure this? so we know what're talking about

we should probably include a bit-array of valid/invalid txs in the header.

sounds OK

[kansi]

Note currently the expected logic is that the only way an invalid tx gets into a block is via a malicious proposer. Otherwise, all txs in a block should have had CheckTx run on them in the correct sequence. If CheckTx is implemented incorrectly, that's a separate issue.

Is CheckTx supposed to be stateful? or is CheckTx just expected to validate the current transaction against only committed transaction in the blockchain (excluding the ones already checked and stored in mempool)?

If the CheckTx is just supposed to validate transaction by looking at committed transactions then there could be scenarios wherein an honest proposer might end up including invalid transactions for eg. consider a case wherein an honest node receives an valid transaction t1 which spends some tokens allocated by a previously commited txn t0. At this point t1 resides inside the mempool, now this node again receives t1' which also spends the same tokens from t0. Since t1 hasn't been commited yet t1' would be valid and be considered for being included in a block. Needless to say, both t1 and t1' can be included in the same block and get rejected in DeliverTx.

[ebuchman]

Is CheckTx supposed to be stateful

Yes, but minimally. For instance in the Cosmos-SDK, CheckTx updates account balances and nonces with each tx so that we can make sequences of txs that depend on each other.

[srmo]

I disagree.
“Another alternative is to just run CheckTx on all txs when we validate the block before prevoting.”
From my understanding, it is perfectly valid to have two mutually exclusive tx A and B. Now depending on which node sees which tx first, you might end up with two validators X and Y where X had accepted A in the mempool, and Y accepted B.
Now depending on who becomes the validator, either of them would reject A or B on a mempool precheck as checkTx always works against an ephemeral state since last state (at least that’s what we do). In such a scenario, it would need to be a special checkTx call which doesn’t assume an ephemeral state but always works against the last commited state.

Please correct me if I’m wrong or if I should elaborate more on the use case.