core/validatorapi: check proposal data against consensus one

Instead of blindly accepting VC proposal data, check it for integrity against what we have in DutyDB: if they differ, stop the process.
ObolNetwork · Sep 18, 2024 · 752db23 · 752db23
1 parent c835711
commit 752db23
Show file tree

Hide file tree

Showing 2 changed files with 331 additions and 8 deletions.
diff --git a/core/validatorapi/validatorapi.go b/core/validatorapi/validatorapi.go
@@ -13,8 +13,10 @@ import (
 
 	eth2api "github.com/attestantio/go-eth2-client/api"
 	eth2v1 "github.com/attestantio/go-eth2-client/api/v1"
+	eth2spec "github.com/attestantio/go-eth2-client/spec"
 	"github.com/attestantio/go-eth2-client/spec/altair"
 	eth2p0 "github.com/attestantio/go-eth2-client/spec/phase0"
+	ssz "github.com/ferranbt/fastssz"
 	"go.opentelemetry.io/otel/trace"
 
 	"github.com/obolnetwork/charon/app/errors"
@@ -394,19 +396,120 @@ func (c Component) Proposal(ctx context.Context, opts *eth2api.ProposalOpts) (*e
 	return wrapResponse(proposal), nil
 }
 
+// propDataMatchesDuty checks that the VC-signed proposal data and prop are the same.
+func propDataMatchesDuty(opts *eth2api.SubmitProposalOpts, prop *eth2api.VersionedProposal) error {
+	ourPropIdx, err := prop.ProposerIndex()
+	if err != nil {
+		return errors.Wrap(err, "cannot fetch validator index from dutydb proposal")
+	}
+
+	vcPropIdx, err := opts.Proposal.ProposerIndex()
+	if err != nil {
+		return errors.Wrap(err, "cannot fetch validator index from VC proposal")
+	}
+
+	if ourPropIdx != vcPropIdx {
+		return errors.New(
+			"dutydb and VC proposals have different index",
+			z.U64("vc", uint64(vcPropIdx)),
+			z.U64("dutydb", uint64(ourPropIdx)),
+		)
+	}
+
+	if opts.Proposal.Blinded != prop.Blinded {
+		return errors.New(
+			"dutydb and VC proposals have different blinded value",
+			z.Bool("vc", opts.Proposal.Blinded),
+			z.Bool("dutydb", prop.Blinded),
+		)
+	}
+
+	if opts.Proposal.Version != prop.Version {
+		return errors.New(
+			"dutydb and VC proposals have different version",
+			z.Str("vc", opts.Proposal.Version.String()),
+			z.Str("dutydb", prop.Version.String()),
+		)
+	}
+
+	checkHashes := func(d1, d2 ssz.HashRoot) error {
+		ddb, err := d1.HashTreeRoot()
+		if err != nil {
+			return errors.Wrap(err, "hash tree root dutydb")
+		}
+
+		if d2 == nil {
+			return errors.New("validator client proposal data for the associated dutydb proposal is nil")
+		}
+
+		vc, err := d2.HashTreeRoot()
+		if err != nil {
+			return errors.Wrap(err, "hash tree root dutydb")
+		}
+
+		if ddb != vc {
+			return errors.New("dutydb and VC proposal data have different hash tree root")
+		}
+
+		return nil
+	}
+
+	switch prop.Version {
+	case eth2spec.DataVersionPhase0:
+		return checkHashes(prop.Phase0, opts.Proposal.Phase0.Message)
+	case eth2spec.DataVersionAltair:
+		return checkHashes(prop.Altair, opts.Proposal.Altair.Message)
+	case eth2spec.DataVersionBellatrix:
+		switch prop.Blinded {
+		case false:
+			return checkHashes(prop.Bellatrix, opts.Proposal.Bellatrix.Message)
+		case true:
+			return checkHashes(prop.BellatrixBlinded, opts.Proposal.BellatrixBlinded.Message)
+		}
+	case eth2spec.DataVersionCapella:
+		switch prop.Blinded {
+		case false:
+			return checkHashes(prop.Capella, opts.Proposal.Capella.Message)
+		case true:
+			return checkHashes(prop.CapellaBlinded, opts.Proposal.CapellaBlinded.Message)
+		}
+	case eth2spec.DataVersionDeneb:
+		switch prop.Blinded {
+		case false:
+			return checkHashes(prop.Deneb.Block, opts.Proposal.Deneb.SignedBlock.Message)
+		case true:
+			return checkHashes(prop.DenebBlinded, opts.Proposal.DenebBlinded.Message)
+		}
+	case eth2spec.DataVersionUnknown:
+		return errors.New("unexpected block version", z.Str("version", prop.Version.String()))
+	}
+
+	return nil
+}
+
 func (c Component) SubmitProposal(ctx context.Context, opts *eth2api.SubmitProposalOpts) error {
 	slot, err := opts.Proposal.Slot()
 	if err != nil {
 		return err
 	}
 
-	pubkey, err := c.getProposerPubkey(ctx, core.NewProposerDuty(uint64(slot)))
+	duty := core.NewProposerDuty(uint64(slot))
+
+	pubkey, err := c.getProposerPubkey(ctx, duty)
 	if err != nil {
 		return err
 	}
 
+	prop, err := c.awaitProposalFunc(ctx, uint64(slot))
+	if err != nil {
+		return errors.Wrap(err, "could not fetch block definition from dutydb")
+	}
+
+	if err := propDataMatchesDuty(opts, prop); err != nil {
+		return errors.Wrap(err, "consensus proposal and VC-submitted one do not match")
+	}
+
 	// Save Partially Signed Block to ParSigDB
-	duty := core.NewProposerDuty(uint64(slot))
 	ctx = log.WithCtx(ctx, z.Any("duty", duty))
 
 	signedData, err := core.NewPartialVersionedSignedProposal(opts.Proposal, c.shareIdx)
@@ -440,15 +543,34 @@ func (c Component) SubmitBlindedProposal(ctx context.Context, opts *eth2api.Subm
 		return err
 	}
 
-	pubkey, err := c.getProposerPubkey(ctx, core.NewProposerDuty(uint64(slot)))
+	duty := core.NewProposerDuty(uint64(slot))
+	ctx = log.WithCtx(ctx, z.Any("duty", duty))
+
+	pubkey, err := c.getProposerPubkey(ctx, duty)
 	if err != nil {
 		return err
 	}
 
-	// Save Partially Signed Blinded Block to ParSigDB
-	duty := core.NewProposerDuty(uint64(slot))
-	ctx = log.WithCtx(ctx, z.Any("duty", duty))
+	prop, err := c.awaitProposalFunc(ctx, uint64(slot))
+	if err != nil {
+		return errors.Wrap(err, "could not fetch block definition from dutydb")
+	}
+
+	if err := propDataMatchesDuty(&eth2api.SubmitProposalOpts{
+		Common: opts.Common,
+		Proposal: &eth2api.VersionedSignedProposal{
+			Version:          opts.Proposal.Version,
+			Blinded:          true,
+			BellatrixBlinded: opts.Proposal.Bellatrix,
+			CapellaBlinded:   opts.Proposal.Capella,
+			DenebBlinded:     opts.Proposal.Deneb,
+		},
+		BroadcastValidation: opts.BroadcastValidation,
+	}, prop); err != nil {
+		return errors.Wrap(err, "consensus proposal and VC-submitted one do not match")
+	}
 
+	// Save Partially Signed Blinded Block to ParSigDB
 	signedData, err := core.NewPartialVersionedSignedBlindedProposal(opts.Proposal, c.shareIdx)
 	if err != nil {
 		return err