REVERT v17 IP-anchor gate from gossip-relayed handlers
─────────────────────────────────────────────────────────
The v17 IP-anchor check ran on 12 P2P handlers that receive
gossip-propagated messages: ProducerHeartbeat, BlockRejection,
ProducerReady, ReadyAck, ConsensusCommit, ConsensusReveal,
VrfLeaderClaim, TimeoutVote, BlockAttestation,
EmptySlotAttestationMsg, VrfKeyAnnounce, ActiveNodeAnnouncement.
For gossip-relayed messages, from_peer carries the relay's IP,
NOT the originator's signed identity. Anchoring the relay to
the genesis IP rejected legitimate cross-genesis traffic and
broke 2f+1 quorum (testnet symptom: macroblock #2 stuck,
heights diverged 119/210/220/207/222, log floods of
genesis_ip_mismatch ... REJECTED).
Identity binding is enforced cryptographically by
verify_consensus_signature against CONSENSUS_PK_REGISTRY
(immutable, pre-pinned at startup from genesis_anchors.json).
Fix#2/#3 from v17 close the legacy fallback and TOFV-on-
genesis paths, so the signature gate is the canonical,
gossip-safe security boundary.
The check_genesis_ip_gate helper is preserved with
#[allow(dead_code)] for any future point-to-point message
type where IP anchoring is sound.
ADD bootstrap race guard for genesis nodes
──────────────────────────────────────────
A genesis node started without genesis_anchors.json enters
trust-on-first-verify mode for VrfKeyAnnounce — whichever
peer announces first locks the genesis identity to its PK.
Operator-unaware anchor loss between restarts is exactly
how a squat-on-bootstrap attack succeeds.
install_genesis_anchors_at_startup now refuses to start when
QNET_BOOTSTRAP_ID is set but anchors are missing, unless
QNET_BOOTSTRAP_FRESH=1 explicitly opts into the race window
(legitimate for first-ever boot or full-state cleanup).
Super-nodes are unaffected — they bind identity via signed
NodeRegistration TX.
Added 4 regression tests covering the boot-decision truth
table (super/genesis × no-opt-in/opt-in).
Files: 2 modified, +307 / -148 lines.
Tests: 22/22 v17 regression tests pass (was 18, +4 new).
Build: cargo check --release clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
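The two decisions the commit message describes, the gossip-relay gate choice and the bootstrap race guard, written out as an added Rust example. This is not the project's code: `Registry`, `Received`, `ip_anchor_gate`, `signature_gate`, `Boot` and `boot_decision` are hypothetical names, the "signature" is a hash stand-in so the example runs without crypto crates, and the sample registry and message are constructed. Only the environment variable names (`QNET_BOOTSTRAP_ID`, `QNET_BOOTSTRAP_FRESH`) and the message type name come from the commit message.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::HashMap;
use std::hash::{Hash, Hasher};
use std::net::IpAddr;

/// Pinned genesis identity for one node id: its anchor IP and consensus
/// public key. Stand-in for genesis_anchors.json / CONSENSUS_PK_REGISTRY.
#[derive(Clone, Debug, PartialEq)]
pub struct Anchor {
    pub ip: IpAddr,
    pub pk: [u8; 4], // toy key bytes, not a real public key
}

/// Immutable registry pinned at startup (hypothetical type).
pub struct Registry {
    anchors: HashMap<String, Anchor>,
}

impl Registry {
    pub fn new(entries: &[(&str, IpAddr, [u8; 4])]) -> Self {
        let anchors = entries
            .iter()
            .map(|(id, ip, pk)| (id.to_string(), Anchor { ip: *ip, pk: *pk }))
            .collect();
        Registry { anchors }
    }
}

/// A gossip message as a handler sees it: `from_peer` is the last hop (the
/// relay), while the originator is named in the message and signs the payload.
pub struct Received<'a> {
    pub from_peer: IpAddr,
    pub originator: &'a str,
    pub signer_pk: [u8; 4],
    pub payload: &'a [u8],
    pub sig: u64,
}

/// Toy "signature": a hash over (pk, payload). Stand-in so the example runs
/// without a crypto crate; it is NOT a signature scheme.
pub fn toy_sign(pk: &[u8; 4], payload: &[u8]) -> u64 {
    let mut h = DefaultHasher::new();
    pk.hash(&mut h);
    payload.hash(&mut h);
    h.finish()
}

/// The reverted v17 gate: compares the *delivering* peer's IP with the
/// originator's pinned IP. For relayed traffic these differ by design.
pub fn ip_anchor_gate(reg: &Registry, m: &Received) -> bool {
    reg.anchors.get(m.originator).map_or(false, |a| a.ip == m.from_peer)
}

/// The retained boundary: the originator's key must be the pinned one and the
/// payload must verify under it. Independent of which peer relayed the message.
pub fn signature_gate(reg: &Registry, m: &Received) -> bool {
    match reg.anchors.get(m.originator) {
        Some(a) => a.pk == m.signer_pk && toy_sign(&a.pk, m.payload) == m.sig,
        None => false,
    }
}

/// Outcome of the bootstrap decision at startup.
#[derive(Debug, PartialEq)]
pub enum Boot {
    SuperNode,       // no QNET_BOOTSTRAP_ID: identity bound by NodeRegistration TX
    GenesisAnchored, // genesis node with pinned anchors present
    GenesisFresh,    // genesis node, no anchors, QNET_BOOTSTRAP_FRESH=1 opted in
    Refuse,          // genesis node, no anchors, no opt-in: refuse to start
}

/// The boot-decision truth table (super/genesis x no-opt-in/opt-in) as a pure function.
pub fn boot_decision(bootstrap_id: Option<&str>, anchors_present: bool, fresh_opt_in: bool) -> Boot {
    match (bootstrap_id, anchors_present, fresh_opt_in) {
        (None, _, _) => Boot::SuperNode,
        (Some(_), true, _) => Boot::GenesisAnchored,
        (Some(_), false, true) => Boot::GenesisFresh,
        (Some(_), false, false) => Boot::Refuse,
    }
}

/// Same decision read from the process environment.
pub fn boot_decision_from_env(anchors_present: bool) -> Boot {
    let id = std::env::var("QNET_BOOTSTRAP_ID").ok();
    let fresh = std::env::var("QNET_BOOTSTRAP_FRESH").map_or(false, |v| v == "1");
    boot_decision(id.as_deref(), anchors_present, fresh)
}

fn main() {
    // Constructed sample: node-a is pinned at 10.0.0.1; its heartbeat reaches
    // this node through relay 10.0.0.2, so from_peer is the relay's address.
    let reg = Registry::new(&[("node-a", "10.0.0.1".parse().unwrap(), [1, 2, 3, 4])]);
    let payload: &[u8] = b"ProducerHeartbeat";
    let relayed = Received {
        from_peer: "10.0.0.2".parse().unwrap(),
        originator: "node-a",
        signer_pk: [1, 2, 3, 4],
        payload,
        sig: toy_sign(&[1, 2, 3, 4], payload),
    };
    println!("ip gate: {}  signature gate: {}", ip_anchor_gate(&reg, &relayed), signature_gate(&reg, &relayed));
    println!("genesis, no anchors, no opt-in: {:?}", boot_decision(Some("genesis-1"), false, false));
}
```

The relayed heartbeat fails `ip_anchor_gate` (the relay's IP is not the originator's anchor) but passes `signature_gate`, which is the behaviour the revert restores; a message carrying a key other than the pinned one fails the signature gate regardless of which IP delivered it. `boot_decision` makes the opt-in explicit: a genesis node with anchors missing only proceeds when the fresh flag is set, and super-nodes are unaffected because they never reach the genesis branch.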