Skip to content

fix: enforce finalized block/certificate binding#405

Merged
matthias-wright merged 3 commits into
audit-may-2026from
m/finalization-binding
Jun 25, 2026
Merged

fix: enforce finalized block/certificate binding#405
matthias-wright merged 3 commits into
audit-may-2026from
m/finalization-binding

Conversation

@matthias-wright

Copy link
Copy Markdown
Collaborator

Addresses #329.

Changes:

  • syncer store_finalization: reject the write if a different block already occupies the height (immutable archive can't replace, so fail-stop rather than form a half-updated stale-block/fresh-cert pair).
  • syncer try_dispatch_blocks: verify stored block.digest() == finalization.proposal.payload before reporting a finalized block at an epoch boundary; halt dispatch on mismatch.
  • finalizer: replace the epoch-boundary debug_assert! with a release-enforced check that fail-stops (cancels the node) before storing a finalized header.
  • test: test_finalizer_rejects_block_certificate_digest_mismatch — a boundary block paired with a certificate over a different digest must cancel the finalizer instead of storing a misbound header.

@sebastian-osec

Copy link
Copy Markdown

This looks like it fixes the main #329 path in the syncer: store_finalization now refuses to store a finalization if a different block already exists at that height, and dispatch also checks finalization.proposal.payload == block.digest() before reporting the pair.

One small concern: the finalizer fallback check happens after the block has already been executed, forkchoice committed, finalized height notified, and the syncer acked. Since the check is meant to prevent a block/certificate mismatch, should it run before execute_block(...) instead?

The normal syncer path should now prevent this case, so I don’t think this is the original issue still being open. But as defense-in-depth, the finalizer should probably reject the mismatched pair before applying any state changes.

@matthias-wright matthias-wright force-pushed the m/finalization-binding branch from dcea243 to 5f30f5d Compare June 22, 2026 07:45
@matthias-wright

Copy link
Copy Markdown
Collaborator Author

Update(5f30f5d):

  • Bind finalized block to certificate before executing it

@sebastian-osec

Copy link
Copy Markdown

This looks good to me now

@matthias-wright matthias-wright force-pushed the m/finalization-binding branch from 5f30f5d to 8621be5 Compare June 24, 2026 14:51
@matthias-wright matthias-wright force-pushed the m/finalization-binding branch from 8621be5 to cecf9c1 Compare June 24, 2026 15:48
@matthias-wright matthias-wright merged commit 208ba01 into audit-may-2026 Jun 25, 2026
4 checks passed
@matthias-wright matthias-wright deleted the m/finalization-binding branch June 25, 2026 04:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants