Determine minimal snapshot digest source #137

Closed
@jpraynaud

Description

A test needs to be conducted in order to understand if the digest of a snapshot could be computed only from the immutables:
What happens if the ledger state distributed with the snapshot is tampered with (but the immutables are genuine)?

  • Try to restore a testnet Cardano node with a testnet past ledger state

Works OK: the Cardano node computes the delta of the ledger state

  • Try to restore a testnet Cardano node with a testnet future ledger state

Does not work: the Cardano node triggers a full computation of the ledger state and logs this error
[85038f23:cardano.node.ChainDB:Error:5] [2022-04-25 13:25:33.58 UTC] Invalid snapshot DiskSnapshot {dsNumber = 56109414, dsSuffix = Nothing}InitFailureTooRecent (RealPoint (SlotNo 56109414) 70996020c4cc169dc6da6d6d19c5b26d67920b52254591218d4386d8e7f81e46)

  • Try to restore a testnet Cardano node with a mainnet future ledger state

Does not work: the Cardano node triggers a full computation of the ledger state and logs this error
[c5051d58:cardano.node.ChainDB:Error:5] [2022-04-25 15:10:17.94 UTC] Invalid snapshot DiskSnapshot {dsNumber = 57720569, dsSuffix = Nothing}InitFailureTooRecent (RealPoint (SlotNo 57720569) c0fc8ac29639e7d34cd5b05b6a86b2072df7b8256bd26c31e0c031855bc2878f)

  • Try to restore a mainnet Cardano node with a testnet past ledger state (with 2 tampered ledger states)

Does not work: the Cardano node triggers a full computation of the ledger state and logs these errors
[259ce309:cardano.node.ChainDB:Error:5] [2022-04-25 16:23:15.25 UTC] Invalid snapshot DiskSnapshot {dsNumber = 56109414, dsSuffix = Nothing}InitFailureTooRecent (RealPoint (SlotNo 56109414) 70996020c4cc169dc6da6d6d19c5b26d67920b52254591218d4386d8e7f81e46)
[259ce309:cardano.node.ChainDB:Error:5] [2022-04-25 16:23:39.07 UTC] Invalid snapshot DiskSnapshot {dsNumber = 56104955, dsSuffix = Nothing}InitFailureTooRecent (RealPoint (SlotNo 56104955) 543dfd002edd69ab356474ddefe8188705c25e5f32dd4ec50a545c4e50554f64)

  • Determine if signing only the immutables is enough to securely bootstrap a Cardano Node
  • It looks like the Cardano node will not accept a ledger state that is tampered with or not compliant with the immutables. It will simply ignore the ledger state in these cases and re-compute it from scratch using the immutables only.
  • This behavior may provide a way to compute a deterministic digest from the immutables only for a snapshot. A ledger state precomputed by the aggregator would be embedded in the snapshot, but not in the signed digest.
  • This would enable the Cardano node to start faster by taking advantage of the ledger state, but without the 'burden' of modifying its snapshot creation module.
  • ⚠️ This solution should be validated by the Consensus team in charge of the Cardano node.
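
The immutables-only digest proposed above, as an added example that is not part of the original issue and is not Mithril's actual digest algorithm. It assumes the node database has `immutable/` and `ledger/` subdirectories; the function names, the hashing scheme and the sample file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

IMMUTABLE_DIR = "immutable"  # assumption: node db layout with immutable/ and ledger/

def immutables_digest(db_dir):
    """SHA-256 over the immutable files only, in sorted relative-path order."""
    root = Path(db_dir) / IMMUTABLE_DIR
    # Sort by POSIX relative path so the order does not depend on the platform.
    files = sorted((p.relative_to(root).as_posix(), p)
                   for p in root.rglob("*") if p.is_file())
    if not files:
        raise ValueError(f"no immutable files under {root}")
    outer = hashlib.sha256()
    for rel, path in files:
        inner = hashlib.sha256()
        with path.open("rb") as fh:
            for block in iter(lambda: fh.read(1 << 20), b""):
                inner.update(block)
        name = rel.encode()
        # Length-prefix the name so adjacent fields cannot be confused.
        outer.update(len(name).to_bytes(4, "big") + name + inner.digest())
    return outer.hexdigest()

def build_sample_db(base):
    """Constructed sample data, not a real node database."""
    db = Path(base) / "db"
    (db / IMMUTABLE_DIR).mkdir(parents=True)
    (db / "ledger").mkdir()
    for n in range(3):
        (db / IMMUTABLE_DIR / f"{n:05d}.chunk").write_bytes(b"blocks-%d" % n)
        (db / IMMUTABLE_DIR / f"{n:05d}.primary").write_bytes(b"index-%d" % n)
    (db / "ledger" / "56109414").write_bytes(b"ledger-state")
    return db

def demo():
    """Return (ledger tampering leaves digest unchanged, immutable tampering detected)."""
    with tempfile.TemporaryDirectory() as tmp:
        db = build_sample_db(tmp)
        signed = immutables_digest(db)
        # The embedded ledger state is outside the signed digest.
        (db / "ledger" / "56109414").write_bytes(b"tampered")
        ledger_unchanged = immutables_digest(db) == signed
        # Any change to an immutable file changes the digest.
        (db / IMMUTABLE_DIR / "00001.chunk").write_bytes(b"blocks-X")
        immutable_detected = immutables_digest(db) != signed
        return ledger_unchanged, immutable_detected

if __name__ == "__main__":
    print(demo())
```

The digest says nothing about the ledger state itself; rejecting a bad ledger state is left to the node's behavior observed in the tests above.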
