Skip to content

fix: require checkpoint verification at startup and bind import artifacts to verified chain#422

Merged
matthias-wright merged 6 commits into
audit-may-2026from
m/unverified-ckpt-artifacts
Jun 29, 2026
Merged

fix: require checkpoint verification at startup and bind import artifacts to verified chain#422
matthias-wright merged 6 commits into
audit-may-2026from
m/unverified-ckpt-artifacts

Conversation

@matthias-wright

Copy link
Copy Markdown
Collaborator

Builds on #402.

Addresses #214.

Changes:

  • Require verification by default. run_node_inner now panics when a checkpoint is supplied without a finalized-headers chain to verify against, instead of warning and continuing.
  • Add --unsafe-skip-checkpoint-verification (RunFlags, requires --checkpoint-path) as the explicit opt-out for importing a checkpoint without verification artifacts; logs a loud UNSAFE warning when used.
  • Bind last_block to the verified chain. On the verified path, require last_block.digest() == terminal.finalization().proposal.payload (the verified chain terminal), panicking on mismatch.
  • Use the signature-verified terminal as the completion finalization. Replace the separately-loaded, unverified top-level finalized_header with the chain terminal FinalizedHeader (whose certificate was verified by verify_checkpoint_chain) before handing it to the syncer.

@sebastian-osec

Copy link
Copy Markdown

Mostly LGTM. The main #214 fix looks right to me: checkpoint startup now requires verification by default, binds last_block to the verified chain terminal, and uses the verified terminal finalized header instead of trusting the separately loaded top-level finalized_header.

A couple of nits / follow-ups:

  • I’d add direct regression tests for the startup cases: standalone checkpoint rejected without finalized_headers/, accepted only with --unsafe-skip-checkpoint-verification, directory checkpoint rejected when last_block does not match the verified terminal finalization payload, and mismatched top-level finalized_header being ignored/replaced by the verified terminal header.
  • The invariant is enforced in run_node_inner, but EngineConfig / SyncCheckpoint and the syncer still accept checkpoint_last_block and checkpoint_finalized_header independently. That does not look like a bypass for the current CLI checkpoint startup path, but enforcing or asserting the same binding closer to SyncCheckpoint / store_finalization would make the boundary harder to misuse later.

@matthias-wright

Copy link
Copy Markdown
Collaborator Author

Update(416b5bd):

  • Cover checkpoint startup policy and harden artifact binding

@sebastian-osec

Copy link
Copy Markdown

Looks good to me after the latest commits.

@matthias-wright matthias-wright force-pushed the m/unverified-ckpt-artifacts branch from 6d81633 to 4557280 Compare June 29, 2026 06:12
@matthias-wright matthias-wright merged commit e87b88f into audit-may-2026 Jun 29, 2026
4 checks passed
@matthias-wright matthias-wright deleted the m/unverified-ckpt-artifacts branch June 29, 2026 06:30
matthias-wright added a commit that referenced this pull request Jun 30, 2026
#423)

Builds on #422 (which builds on #402)

Addresses #216.

Changes:
-types/src/checkpoint.rs: add Step 5 to verify_checkpoint_chain_with_weak_subjectivity binding the decoded queues to the terminal header's committed deltas — require checkpoint_state.get_added_validators(next_epoch) to equal terminal.added_validators() and checkpoint_state.get_removed_validators() to equal terminal.removed_validators() (order-normalized), rejecting mismatches with a new CheckpointVerificationError::CheckpointTransitionQueueMismatch.
-Document the inherent residual: pending additions for epochs beyond next_epoch (possible when validator warm-up spans more than one epoch) are committed by finalized headers after the terminal and cannot be authenticated by a chain ending at this epoch; they are bound only once the next epoch's boundary header is verified.
-Test: add test_checkpoint_verifier_binds_transition_queues_to_terminal_header (honest empty-queue checkpoint verifies; a checkpoint carrying a pending removed_validators entry while the terminal header commits an empty set is rejected, with hash/membership/position checks still passing). Parameterize checkpoint_verification_fixture with the checkpoint's removed_validators queue and update its callers.
matthias-wright added a commit that referenced this pull request Jul 2, 2026
…425)

Builds on #423 (which builds on #422 and #402).

Addresses #217.

Changes:
-Step 3 now accumulates a node-key to BLS-key map and requires each checkpoint account's consensus_public_key to equal the BLS key accumulated for that node from the verified history. Mismatch returns the new CheckpointConsensusKeyMismatch error variant. The reverse membership check uses the same map.
-Add test_checkpoint_verifier_binds_consensus_keys_to_terminal_header covering both directions: the honest case (accounts carry the real, accumulated consensus keys and verify) and a swapped consensus key (rejected with CheckpointConsensusKeyMismatch). The shared checkpoint_verification_fixture gains a tamper_consensus_key parameter that swaps one active account's stored consensus key while leaving its node key, status, and the accumulated set intact.
-Bind checkpoint consensus keys to the verified terminal header.
matthias-wright added a commit that referenced this pull request Jul 2, 2026
Builds on #425 (which builds on #423, #422, and #402).

Addresses #310.

This issue was already solved by #170 and #286.

This PR just adds a regression test.

Changes:
-Add regression for finalized-header epoch-replay rejection
matthias-wright added a commit that referenced this pull request Jul 2, 2026
Builds on #426 (which builds on #425, #423, #422, and #402).

Addresses #311.

This only adds test coverage, the issue is not reachable.
The decoded ConsensusState, including every validator_accounts entry, is committed by checkpoint.data, which verify_checkpoint_chain binds to the terminal finalized header via checkpoint_hash == sha256(checkpoint.data). Appending a Joining account changes the digest, so the tampered checkpoint no longer matches the honest terminal header and is rejected at Step 2.

Changes:
-types/src/checkpoint.rs: test_checkpoint_verifier_rejects_extra_joining_account — reproduces the attack directly. It decodes the honest checkpoint, injects an extra Joining account (leaving the active signing set untouched), re-encodes, and asserts verify_checkpoint_chain rejects it with CheckpointHashMismatch.
-application/src/actor.rs: rejects_block_with_mismatched_checkpoint_hash — the consensus-layer half. It mirrors accepts_ordinary_child_inside_epoch, changing only the block's checkpoint_hash, and asserts handle_verify returns false, isolating the checkpoint_hash check as the sole cause.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants