Node/Gov: Don't enqueue already signed VAAs #3284
Conversation
bruce-riley
requested review from
kev1n-peters,
claudijd,
tbjump and
evan-gray
as code owners
bruce-riley
force-pushed
the
node/gov_dont_enqueue_already_signed_VAAs
branch
from
828a789
to
96476b3
Compare
There was a problem hiding this comment.
Threat Surface
I agree with the issue that this change is addressing, but I would solve it differently. With the current approach we are adding
- another code path that bypasses the governor
- another place in the code where the guardian private key is being used
That's added threat surface in the two most security critical paths of the codebase, and I would like to avoid that.
I'd prefer if the processor would check if the Guardian had made this observation in the past and if so broadcast the existing signature. That way, the guardian private key doesn't get involved in this new code path at all.
False Negatives
The proposed change checking the stored VAA, which typically only has 13 signatures and even if Guardian g has signed a particular message in the past, g's signature may not be in the locally stored VAA for that message, leading to false negatives in this check. To address this issue, all observations would need to be stored, probably separately from the VAAs.
node/pkg/governor/governor.go
Outdated
| } | ||
|
|
||
| // Generate our signature for this VAA so we can see if we are listed as a signer. | ||
| sig, err := crypto.Sign(v.SigningDigest().Bytes(), gov.gk) |
There was a problem hiding this comment.
Right here I was expecting that we look through v.Signatures to find our index, then recover the public key from that signature (given that we just verified the hashes match above). If the public key matches our guardian's public key, we should be good to proceed. That would avoid needing the private key here, which would be best avoided.
There was a problem hiding this comment.
I like this approach much better! I have changed it to use Ecrecover with the public key rather than the private key.
On the threat surface front, see my comment and perhaps that mitigates the concerns. Ultimately it would be good to bypass the re-observation route that could trigger this issue (and the need for this fix) altogether. That said, I think it important to mitigate the issue affecting production today and leave observation collecting (and re-observation handling) to a new, breakout service in the future. |
|
I agree with @evan-gray. I have changed the code to use |
|
I want to get more clarity on the problem this PR is addressing. So this issue should only affect a the Guardians who are re-syncing their Oasis nodes and the issue goes away by itself ~48h after the re-sync is done, correct? |
|
This problem was solved differently, so this PR is no longer necessary. |
There is currently a problem where old Oasis transactions are being reobserved and they are flooding the governor. This is not really necessary because the transactions have most likely previously reached quorum.
This PR changes the governor to check to see if a transfer has been previously been approved, and if so, allows it to be published immediately, without impacting the notional value of the governor.
The following checks are done to determine if the transfer can be approved immediately:
If the above conditions are met, the VAA can be approved immediately. Additionally, this check is made when pending transfers are reloaded on start up, which should immediately clean up the backlog when a guardian upgrades.