Confirmation Rule#3339

Open

saltiniroberto wants to merge 171 commits intoethereum:masterfrom

saltiniroberto:confirmation_rule

Contributor

saltiniroberto commented Apr 27, 2023 •

edited by hwwhww

Loading

Introduction

The objective of this PR is to introduce a Confirmation Rule for the Ethereum protocol.
A confirmation rule is an algorithm run by nodes, outputting whether a certain block is confirmed. When that is the case, the block is guaranteed to never be reorged, under certain assumptions, primarily about network synchrony and about the percentage of honest stake.

Detailed Explanation

For a detailed explanation of the algorithm, see this article.
The algorithm specified in this PR corresponds to Algorithm 5 in the paper.

TODO

Here is a non-exclusive list of TODOs

Review the spec change for correctness
- Algorithm correctness
- Type correctness (e.g. int vs float or uint64)
Add preconditions (e.g. parameters >= 0, etc..)
Review the naming used for the various functions
Improve the documentation in the spec
Add more tests
Check that the changes to the file setup.py are correct. The current changes allow linting the confirmation rule spec, but they may not be entirely correct.

Last things to do before merging

Revert the changes to linter.ini. These changes have been introduced just to speed up the development process by relaxing the requirement on the maximum line length.
Move fork_choice/confirmation_rule.md to specs/bellatrix and delete the fork_choice folder.
Make sure PR Confirmation rule prerequisite - fork choice filter change #3431 has already been merged
Double check any change to the fork choice tests

saltiniroberto and others added 30 commits

April 12, 2023 12:41


          Change to filter_block_tree required for the confirmation rule

d137dbe


          First draft implementation of the confirmation rule

e04c678


          Rename safe-head.md

0a2e654


          Require to run isConfirmed only on blocks from the current epoch

d51ae0c


          Move get_leaf_block_roots to unused function section

3c145ec


          Compute remaining voting weight starting from current_slot + 1 rather…

124eaba

… than block.slot + 1


          Fix typo

1b3eb7c


          Make mypy happy

da75a4e


          Fix formula in isOneConfirmed

e622582


          Change ffg weight calculation and fix error in other fomula

7cd6f41


          Account for proposer boost

4be510e


          Fix minor issue

be8bfce


          Fix will_block_checkpoint_be_justified_by_end_of_the_current_epoch + …

e4ad646

…use conversion to int to avoid overflows


          Merge branch 'ethereum:dev' into confirmation_rule

9bd335c


          minor updates

f454b99


          Increase style check line length for ease of development

6f56d90


          Use latest_message for computing get_ffg_weight_supporting_checkpoint…

dc95b43

…_for_block


          Add helper function for calculating score

89a2818


          Add functions to calculate score

a68c853


          Use underscore for all function names

c29053b


          Removed files committed by mistake

a6c91b4


          Remove other files committed by mistake

a69530d


          Moved functions for calculating the confirmation score to a separate

5f8e88e

section


          Added very brief explainer

3b6afe5


          Add back get_safe_execution_payload_hash

ad97ef9


          Revert ffg support commputation to use attestations in leaf blocks

bcc1c3f

Doc

4d7b715


          Make mypy happy

c67cf35


          doctoc

c3a0f7f

doc

2493cb3

twoeths mentioned this pull request

Confirmation rule prerequisite ChainSafe/lodestar#6257

Closed

saltiniroberto marked this pull request as draft

January 23, 2024 06:29

adiasg mentioned this pull request

Safe head tracking - confirmation rule OffchainLabs/prysm#13603

Open

6 tasks

saltiniroberto added 2 commits

May 2, 2024 10:40


          Merge 'dev' into confirmation_rule

dff96e3


          Update to match latest paper

c9caf62

saltiniroberto marked this pull request as ready for review

May 2, 2024 13:28

saltiniroberto mentioned this pull request

Consensus-layer Call 133 ethereum/pm#1031

Closed

saltiniroberto added 5 commits

May 3, 2024 00:34


          Fix lint issues

740be9a


          Improve doc

688aa19


          Fix typo

4ad1cc2


          Renaming

be3648d


          Fix lint issues

b89e93b

luluzhou-circle reviewed

View reviewed changes

fork_choice/confirmation-rule.md

+                  return (
+                      end_epoch > start_epoch + 1
+                      or (end_epoch == start_epoch + 1 and start_slot % SLOTS_PER_EPOCH == 0))

luluzhou-circle Jul 22, 2024

If start_slot = 0 and end_slot = 31 (where end_epoch == start_epoch == 0), do we count it as "includes an entire epoch"? If not, should we describe the function as exclusive end_slot?

Contributor Author

saltiniroberto Sep 11, 2024

Another way would be to change the doc to

Returns True if the range from start_slot to end_slot (inclusive of both) includes an entire epoch

In this way, we are not saying that if the range includes an entire epoch, then the function returns True.
Only that whenever the function returns True than the range includes an entire epoch.

The above works with both inclusive and exclusive.

fork_choice/confirmation-rule.md

Comment on lines 211 to 218

+                  if is_full_validator_set_for_block_covered(store, block_root):
+                      return is_one_confirmed(store, block_root)
+                  else:
+                      block = store.blocks[block_root]
+                      return (
+                          is_one_confirmed(store, block_root)
+                          and is_lmd_confirmed(store, block.parent_root)
+                      )

luluzhou-circle Jul 25, 2024

Is it different from the definition 6 (lmd-safety condition) in the paper? The paper require all the ancestors of the block to be is_lmd_confirmed, regardless of whether full validator set is covered or not.

Contributor Author

saltiniroberto Sep 11, 2024

Yes. It is different.
This does not always yield exactly the same result as in the paper, but it does in most cases, and it is quicker to compute.

luluzhou-circle reviewed

View reviewed changes

fork_choice/confirmation-rule.md

+                  current_slot = get_current_slot(store)
+                  block = store.blocks[block_root]
+                  parent_block = store.blocks[block.parent_root]
+                  support = int(get_weight(store, block_root))

luluzhou-circle Jul 25, 2024

Is this the weight from the fork_choice data, which can be queried from the beacon API?

Contributor Author

saltiniroberto Sep 11, 2024

I think so.

fork_choice/confirmation-rule.md


		block_epoch = compute_epoch_at_slot(block.slot)

		# If `block_epoch` is not either the current or previous epoch, then return `store.finalized_checkpoint.root`

luluzhou-circle Jul 25, 2024

What is the confirmation rule for the block between finalized checkpoint and justified checkpoint?

Contributor Author

saltiniroberto Sep 11, 2024

Any block descendant of the latest finalized checkpoint is treated in the same way

luluzhou-circle reviewed

View reviewed changes

fork_choice/confirmation-rule.md

+                  support = int(get_weight(store, block_root))
+                  justified_state = store.checkpoint_states[store.justified_checkpoint]
+                  maximum_support = int(
+                      get_committee_weight_between_slots(justified_state, Slot(parent_block.slot + 1), Slot(current_slot - 1))

luluzhou-circle Aug 7, 2024

Do we assume that we run the protocol at the beginning of each slot, when the block for the current slot is not proposed? Otherwise, for the block proposed in the current slot (with its parent proposed in the previous slot), Slot(parent_block.slot + 1) > Slot(current_slot - 1).

Contributor Author

saltiniroberto Sep 11, 2024

The protocol is run at the beginning of each slot regardless of whether we propose or not a block in that slot. Also, we do not run the protocol on blocks for the current slots regardless.

luluzhou-circle reviewed

View reviewed changes

fork_choice/confirmation-rule.md

Comment on lines 358 to 362

+                      min(
+                          ceil_div(total_active_balance * CONFIRMATION_BYZANTINE_THRESHOLD, 100),
+                          CONFIRMATION_SLASHING_THRESHOLD,
+                          ffg_support_for_checkpoint
+                      )

luluzhou-circle Aug 13, 2024

Is ceil_div(total_active_balance * CONFIRMATION_BYZANTINE_THRESHOLD, 100) always smaller than or equal to CONFIRMATION_SLASHING_THRESHOLD?

luluzhou-circle Aug 15, 2024

In the paper, it is ceil_div((total_active_balance - remaining_ffg_weight) * CONFIRMATION_BYZANTINE_THRESHOLD, 100). I wonder whether it is a typo.

Contributor Author

saltiniroberto Sep 11, 2024

Is ceil_div(total_active_balance * CONFIRMATION_BYZANTINE_THRESHOLD, 100) always smaller than or equal to CONFIRMATION_SLASHING_THRESHOLD

Not necessarily.

Contributor Author

saltiniroberto Sep 11, 2024

Is ceil_div(total_active_balance * CONFIRMATION_BYZANTINE_THRESHOLD, 100) always smaller than or equal to CONFIRMATION_SLASHING_THRESHOLD?

Which paper are you referring to?

hwwhww added 4 commits

September 4, 2024 00:57


          Merge branch 'dev' into pr3339

696e22d


          resolve conflict

ff3daaa


          Fix argument sequence error

e0dc09b


          Move confirmation rule specs to Bellatrix

e6d9150

hwwhww force-pushed the confirmation_rule branch from 1d3f67d to e6d9150 Compare

September 3, 2024 18:34


          Clean up phase0

687fd5c

Mediabs2022 commented Feb 20, 2025

I have show a way to delay the epoch justification delay justification and a way to use the delay of epoch justification to make honest chain not viable for head voting delay attack. Here is the current judgement condition in spec:
if not correct_justified and is_previous_epoch_justified(store): # A
    correct_justified = (
        store.unrealized_justifications[block_root].epoch >= store.justified_checkpoint.epoch and # B
        voting_source.epoch + 2 >= current_epoch # C
    )
The problem is in line B. The honest chain can not justify previous epoch, so unrealized epoch < justified epoch. This makes such a judgement not work, as honest chain is not viable for head as designed.
There is a proposed change (#3431) into the spec that fixes the problem you're describing and that is essential to the confirmation rule correctness
Sorry if I wasn’t clear, but I think there might be a misunderstanding about the code. store.unrealized_justifications[block_root].epoch >= store.justified_checkpoint.epoch requires that the chain must contains enough attestations to justified the previous epoch, but in our attack, the honest chain can not contain enough attestations to justified the previous epoch.
According to the change I have mentioned above the canonical chain will have an entire epoch to include those attestations on chain. There is also related patch allowing for such inclusion: #3360
yes, you are right. sorry for misunderstand the code.

However, I think theoretically this attack can still occur under semi - synchronous conditions (for example, in the case of network partition). It just requires withholding for a longer time.

Mart1i1n commented Feb 21, 2025

I have show a way to delay the epoch justification delay justification and a way to use the delay of epoch justification to make honest chain not viable for head voting delay attack. Here is the current judgement condition in spec:
if not correct_justified and is_previous_epoch_justified(store): # A
    correct_justified = (
        store.unrealized_justifications[block_root].epoch >= store.justified_checkpoint.epoch and # B
        voting_source.epoch + 2 >= current_epoch # C
    )
The problem is in line B. The honest chain can not justify previous epoch, so unrealized epoch < justified epoch. This makes such a judgement not work, as honest chain is not viable for head as designed.
There is a proposed change (#3431) into the spec that fixes the problem you're describing and that is essential to the confirmation rule correctness
Sorry if I wasn’t clear, but I think there might be a misunderstanding about the code. store.unrealized_justifications[block_root].epoch >= store.justified_checkpoint.epoch requires that the chain must contains enough attestations to justified the previous epoch, but in our attack, the honest chain can not contain enough attestations to justified the previous epoch.
According to the change I have mentioned above the canonical chain will have an entire epoch to include those attestations on chain. There is also related patch allowing for such inclusion: #3360
yes, you are right. sorry for misunderstand the code.
However, I think theoretically this attack can still occur under semi - synchronous conditions (for example, in the case of network partition). It just requires withholding for a longer time.

Yeah, even in synchronous conditions, this attack can still be conducted. We have shown such a way in the appendix of our paper eprint. Also, we have designed a solution to address all reorganizations including this attack in this paper.

This comment was marked as spam.

Sign in to view

mkalinin reviewed

View reviewed changes

specs/bellatrix/confirmation-rule.md

+                      # for an explanation of the formula used below.
+                      # First, calculate the number of committees in the end epoch
+                      num_slots_in_end_epoch = int(compute_slots_since_epoch_start(end_slot) + 1)

Contributor

mkalinin Apr 29, 2025

Suggested change

      
                    num_slots_in_end_epoch = int(compute_slots_since_epoch_start(end_slot) + 1)
          
                    num_slots_in_end_epoch = int(compute_slots_since_epoch_start(end_slot))

I think it’s an off-by-one. Consider end_slot=63, SLOTS_PER_EPOCH=32, then num_slots_in_end_epoch = 32 which doesn’t seem correct

Mart1i1n Apr 29, 2025

We have built an elegant and provable solution to solve all known attacks for Ethereum PoS, the EIP can be found in eip.

Contributor Author

saltiniroberto Apr 29, 2025

I think it’s an off-by-one. Consider end_slot=63, SLOTS_PER_EPOCH=32, then num_slots_in_end_epoch = 32 which doesn’t seem correct

This should be correct as, by the function spec, we also want to consider the weights associated with end_slot.

Contributor

mkalinin Apr 30, 2025

Right, and compute_slots_since_epoch_start(end_slot) should already include the end_slot to my observation.

compute_slots_since_epoch_start(end_slot) evaluates to: end_slot - compute_start_slot_at_epoch(compute_epoch_at_slot(end_slot)) = end_slot - epoch_start_slot, what am I missing?

mkalinin mentioned this pull request

Add is_one_confirmed and all the dependencies mkalinin/confirmation-rule#5

Merged

jtraglia changed the base branch from dev to master

July 9, 2025 21:59

mkalinin mentioned this pull request

Fast Confirmation Rule #4747

Open

1 task

jtraglia removed the enhancement label

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

mkalinin mkalinin left review comments

hwwhww hwwhww left review comments

fradamt fradamt left review comments

+5 more reviewers

djrtwo djrtwo left review comments

adiasg adiasg left review comments

etan-status etan-status left review comments

Mart1i1n Mart1i1n left review comments

luluzhou-circle luluzhou-circle left review comments

At least 1 approving review is required to merge this pull request.

Labels

None yet