feat: slash for invalid checkpoint proposals

Author: alexghr

yarn-project/slasher/README.md

@@ -129,9 +129,9 @@ List of all slashable offenses in the system:
 **Time Unit**: Slot-based offense.
 
 ### BROADCASTED_INVALID_CHECKPOINT_PROPOSAL
-**Description**: A proposer broadcast a checkpoint proposal that terminates before a higher-index block proposal signed by the same proposer in the same slot.
-**Detection**: BroadcastedInvalidCheckpointProposalWatcher scans retained P2P proposals and compares checkpoint archive roots to signed block proposals from the same slot and signer.
-**Target**: Proposer who broadcast the truncated checkpoint proposal.
+**Description**: A proposer broadcast an invalid checkpoint proposal, either one that terminates before a higher-index block proposal signed by the same proposer in the same slot, one whose signed header does not match deterministic validator recomputation, or one with a malformed fee asset price modifier.
+**Detection**: BroadcastedInvalidCheckpointProposalWatcher scans retained P2P proposal evidence and compares checkpoint archive roots to signed block proposals from the same slot and signer. ValidatorClient also validates checkpoint proposals during the all-nodes callback and emits this offense when checkpoint header recomputation fails or the signed fee asset price modifier is malformed.
+**Target**: Proposer who broadcast the invalid checkpoint proposal.
 **Time Unit**: Slot-based offense.
 
 ## Configuration

yarn-project/stdlib/src/interfaces/validator.ts

@@ -87,6 +87,7 @@ export type ValidatorClientFullConfig = ValidatorClientConfig &
   Pick<
     SlasherConfig,
     | 'slashBroadcastedInvalidBlockPenalty'
+    | 'slashBroadcastedInvalidCheckpointProposalPenalty'
     | 'slashDuplicateProposalPenalty'
     | 'slashDuplicateAttestationPenalty'
     | 'slashAttestInvalidCheckpointProposalPenalty'
@@ -124,6 +125,7 @@ export const ValidatorClientFullConfigSchema = zodFor<Omit<ValidatorClientFullCo
     broadcastInvalidBlockProposal: z.boolean().optional(),
     maxBlocksPerCheckpoint: z.number().positive().optional(),
     slashBroadcastedInvalidBlockPenalty: schemas.BigInt,
+    slashBroadcastedInvalidCheckpointProposalPenalty: schemas.BigInt,
     slashDuplicateProposalPenalty: schemas.BigInt,
     slashDuplicateAttestationPenalty: schemas.BigInt,
     slashAttestInvalidCheckpointProposalPenalty: schemas.BigInt,

yarn-project/stdlib/src/slashing/types.ts

@@ -24,7 +24,7 @@ export enum OffenseType {
   DUPLICATE_ATTESTATION = 9,
   /** A committee member attested to a checkpoint proposal in a slot with an invalid block proposal */
   ATTESTED_TO_INVALID_CHECKPOINT_PROPOSAL = 10,
-  /** A proposer broadcast a checkpoint proposal truncated before a higher-index block proposal in the same slot */
+  /** A proposer broadcast an invalid checkpoint proposal, detected by retained evidence or deterministic recomputation */
   BROADCASTED_INVALID_CHECKPOINT_PROPOSAL = 11,
 }
 

yarn-project/validator-client/README.md

@@ -156,15 +156,16 @@ Time | Proposer                     | Validator
 
 ## Configuration
 
-| Flag                                  | Purpose                                                                                |
-| ------------------------------------- | -------------------------------------------------------------------------------------- |
-| `fishermanMode`                       | Validate proposals but don't broadcast attestations (monitoring only)                  |
-| `alwaysReexecuteBlockProposals`       | Force re-execution even when not in committee                                          |
-| `slashBroadcastedInvalidBlockPenalty` | Penalty amount for invalid proposals (0 = disabled)                                    |
-| `slashDuplicateProposalPenalty`       | Penalty amount for duplicate proposals (0 = disabled)                                  |
-| `slashDuplicateAttestationPenalty`    | Penalty amount for duplicate attestations (0 = disabled)                               |
-| `attestationPollingIntervalMs`        | How often to poll for attestations when collecting                                     |
-| `disabledValidators`                  | Validator addresses to exclude from duties                                             |
+| Flag                                               | Purpose                                                              |
+| -------------------------------------------------- | -------------------------------------------------------------------- |
+| `fishermanMode`                                    | Validate proposals but don't broadcast attestations (monitoring only) |
+| `alwaysReexecuteBlockProposals`                    | Force re-execution even when not in committee                         |
+| `slashBroadcastedInvalidBlockPenalty`              | Penalty amount for invalid proposals (0 = disabled)                   |
+| `slashBroadcastedInvalidCheckpointProposalPenalty` | Penalty amount for invalid checkpoint proposals (0 = disabled)        |
+| `slashDuplicateProposalPenalty`                    | Penalty amount for duplicate proposals (0 = disabled)                 |
+| `slashDuplicateAttestationPenalty`                 | Penalty amount for duplicate attestations (0 = disabled)              |
+| `attestationPollingIntervalMs`                     | How often to poll for attestations when collecting                    |
+| `disabledValidators`                               | Validator addresses to exclude from duties                            |
 
 ### High Availability (HA) Keystore
 

yarn-project/validator-client/src/proposal_handler.ts

@@ -82,9 +82,39 @@ export type BlockProposalValidationFailureResult = {
 
 export type BlockProposalValidationResult = BlockProposalValidationSuccessResult | BlockProposalValidationFailureResult;
 
+export type CheckpointProposalValidationFailureReason =
+  | 'invalid_signature'
+  | 'invalid_fee_asset_price_modifier'
+  | 'last_block_not_found'
+  | 'block_fetch_error'
+  | 'checkpoint_already_published'
+  | 'no_blocks_for_slot'
+  | 'last_block_archive_mismatch'
+  | 'too_many_blocks_in_checkpoint'
+  | 'checkpoint_header_mismatch'
+  | 'archive_mismatch'
+  | 'out_hash_mismatch'
+  | 'checkpoint_validation_failed';
+
+export type CheckpointProposalValidationSuccessResult = {
+  isValid: true;
+  checkpointNumber: CheckpointNumber;
+};
+
+export type CheckpointProposalValidationFailureResult = {
+  isValid: false;
+  reason: CheckpointProposalValidationFailureReason;
+};
+
 export type CheckpointProposalValidationResult =
-  | { isValid: true; checkpointNumber: CheckpointNumber }
-  | { isValid: false; reason: string };
+  | CheckpointProposalValidationSuccessResult
+  | CheckpointProposalValidationFailureResult;
+
+export type CheckpointProposalValidationFailureCallback = (
+  proposal: CheckpointProposalCore,
+  result: CheckpointProposalValidationFailureResult,
+  proposalInfo: LogData,
+) => void | Promise<void>;
 
 type CheckpointComputationResult =
   | { checkpointNumber: CheckpointNumber; reason?: undefined }
@@ -108,6 +138,8 @@ export class ProposalHandler {
   /** Returns current validator addresses for own-proposal detection. Set via register(). */
   private getOwnValidatorAddresses?: () => string[];
 
+  private checkpointProposalValidationFailureCallback?: CheckpointProposalValidationFailureCallback;
+
   constructor(
     private checkpointsBuilder: FullNodeCheckpointsBuilder,
     private worldState: WorldStateSynchronizer,
@@ -130,6 +162,14 @@ export class ProposalHandler {
     this.tracer = telemetry.getTracer('ProposalHandler');
   }
 
+  public updateConfig(config: Partial<ValidatorClientFullConfig>): void {
+    this.config = { ...this.config, ...config };
+  }
+
+  public setCheckpointProposalValidationFailureCallback(callback?: CheckpointProposalValidationFailureCallback): void {
+    this.checkpointProposalValidationFailureCallback = callback;
+  }
+
   /**
    * Registers handlers for block and checkpoint proposals on the p2p client.
    * Block proposals are registered for non-validator nodes (validators register their own enhanced handler).
@@ -192,6 +232,19 @@ export class ProposalHandler {
           proposer: proposal.getSender()?.toString(),
         };
 
+        if (this.config.skipCheckpointProposalValidation) {
+          this.log.warn(`Skipping checkpoint proposal validation for slot ${proposal.slotNumber}`, proposalInfo);
+          return undefined;
+        }
+
+        if (await this.epochCache.isEscapeHatchOpenAtSlot(proposal.slotNumber)) {
+          this.log.warn(
+            `Escape hatch open for slot ${proposal.slotNumber}, skipping checkpoint proposal validation`,
+            proposalInfo,
+          );
+          return undefined;
+        }
+
         // For own proposals, skip validation — the proposer already built and validated the checkpoint
         const proposer = proposal.getSender();
         const ownAddresses = this.getOwnValidatorAddresses?.();
@@ -214,7 +267,9 @@ export class ProposalHandler {
         }
 
         const result = await this.handleCheckpointProposal(proposal, proposalInfo);
-        if (result.isValid && this.archiver && this.epochCache.isProposerPipeliningEnabled()) {
+        if (!result.isValid) {
+          await this.checkpointProposalValidationFailureCallback?.(proposal, result, proposalInfo);
+        } else if (this.archiver && this.epochCache.isProposerPipeliningEnabled()) {
           const set = await this.setProposedCheckpointFromValidation(proposal);
           if (set) {
             this.metrics?.recordCheckpointProposalToPipelinedStateDuration(pipeliningTimer.ms());

yarn-project/validator-client/src/validator.ha.integration.test.ts

@@ -137,6 +137,7 @@ describe('ValidatorClient HA Integration', () => {
       Pick<
         SlasherConfig,
         | 'slashBroadcastedInvalidBlockPenalty'
+        | 'slashBroadcastedInvalidCheckpointProposalPenalty'
         | 'slashDuplicateProposalPenalty'
         | 'slashDuplicateAttestationPenalty'
         | 'slashAttestInvalidCheckpointProposalPenalty'
@@ -146,6 +147,7 @@ describe('ValidatorClient HA Integration', () => {
       disableValidator: false,
       disabledValidators: [],
       slashBroadcastedInvalidBlockPenalty: 1n,
+      slashBroadcastedInvalidCheckpointProposalPenalty: 1n,
       rollupAddress,
       l1ChainId: TEST_COORDINATION_SIGNATURE_CONTEXT.chainId,
       slashDuplicateProposalPenalty: 1n,
@@ -194,6 +196,7 @@ describe('ValidatorClient HA Integration', () => {
       Pick<
         SlasherConfig,
         | 'slashBroadcastedInvalidBlockPenalty'
+        | 'slashBroadcastedInvalidCheckpointProposalPenalty'
         | 'slashDuplicateProposalPenalty'
         | 'slashDuplicateAttestationPenalty'
         | 'slashAttestInvalidCheckpointProposalPenalty'

yarn-project/validator-client/src/validator.integration.test.ts

@@ -177,6 +177,7 @@ describe('ValidatorClient Integration', () => {
         disableValidator: false,
         disabledValidators: [],
         slashBroadcastedInvalidBlockPenalty: 10n,
+        slashBroadcastedInvalidCheckpointProposalPenalty: 10n,
         slashDuplicateProposalPenalty: 10n,
         slashDuplicateAttestationPenalty: 10n,
         slashAttestInvalidCheckpointProposalPenalty: 10n,