fix(consensus): fail-closed quorum in permissionless mode (GHSA-rprp-wjrh-hx7g)

UltraDAGcom · Claude Opus 4.6 (1M context) · UltraDAGcom · commit d09391eb4e7b · 2026-04-15T14:37:10.000+02:00
The prior adaptive-quorum patch (181b2e8) only neutralized registration-only phantoms. Producer-backed phantoms — fresh keys each signing one vertex — were still counted by active_validator_count() and, in unconfigured mode, the adaptive upper_bound still derived from validators.len(). An attacker with 3 fresh keys against 4 honest validators raised the threshold to ceil(2*7/3)=5, stalling finality forever in honest-only rounds. Root cause: any "count signed producers" scheme is sybil-gameable without stake-weighted gating, because signing is free with a fresh keypair. Fix: ValidatorSet::quorum_threshold and adaptive_quorum_threshold now return usize::MAX when neither configured_validators nor allowed_validators is set. adaptive_quorum_threshold's upper_bound derives ONLY from declared topology — never from validators.len() — so producer-backed phantoms cannot raise the ceiling. Production paths were never exposed: main.rs always sets either --validators N or --validator-key <file>. This change converts a latent liveness bug in undeclared mode into a fail-stop config error. Regression test: producer_backed_phantom_cannot_stall_finality replays the reporter's 4-honest + 3-phantom PoC and asserts last_finalized_round advances past the attack round. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/crates/ultradag-coin/src/consensus/finality.rs b/crates/ultradag-coin/src/consensus/finality.rs
@@ -380,14 +380,16 @@ mod tests {
         let mut ft = FinalityTracker::new(3);
         assert_eq!(ft.finality_threshold(), usize::MAX);
 
+        // Permissionless mode stays fail-closed even after registrations
+        // (GHSA-rprp-wjrh-hx7g).
         ft.register_validator(SecretKey::generate().address());
         ft.register_validator(SecretKey::generate().address());
         assert_eq!(ft.finality_threshold(), usize::MAX);
 
-        ft.register_validator(SecretKey::generate().address());
+        ft.set_configured_validators(3);
         assert_eq!(ft.finality_threshold(), 2);
 
-        ft.register_validator(SecretKey::generate().address());
+        ft.set_configured_validators(4);
         assert_eq!(ft.finality_threshold(), 3);
     }
 
@@ -401,6 +403,7 @@ mod tests {
     fn finality_with_three_validators() {
         let mut dag = BlockDag::new();
         let mut ft = FinalityTracker::new(2);
+        ft.set_configured_validators(3);
 
         let sk1 = SecretKey::generate();
         let sk2 = SecretKey::generate();
@@ -432,6 +435,7 @@ mod tests {
     fn transitive_descendant_counts() {
         let mut dag = BlockDag::new();
         let mut ft = FinalityTracker::new(2);
+        ft.set_configured_validators(3);
 
         let sk1 = SecretKey::generate();
         let sk2 = SecretKey::generate();
@@ -460,6 +464,7 @@ mod tests {
     fn find_newly_finalized_batch() {
         let mut dag = BlockDag::new();
         let mut ft = FinalityTracker::new(2);
+        ft.set_configured_validators(3);
 
         let sk1 = SecretKey::generate();
         let sk2 = SecretKey::generate();
diff --git a/crates/ultradag-coin/src/consensus/validator_set.rs b/crates/ultradag-coin/src/consensus/validator_set.rs
@@ -101,38 +101,47 @@ impl ValidatorSet {
         self.validators.is_empty()
     }
 
+    /// Returns true when the validator topology has been declared by the
+    /// operator — either a fixed configured count or an explicit allowlist.
+    ///
+    /// SECURITY: Fully permissionless mode (neither set) is unsafe. In that
+    /// mode an attacker can mint fresh keys, sign a single vertex per key,
+    /// and inflate both `validators.len()` and the "active producer" count,
+    /// manipulating the quorum threshold (GHSA-rprp-wjrh-hx7g). Without a
+    /// declared topology there is no sybil-resistant way to count validators,
+    /// so the thresholds fail closed (return `usize::MAX`).
+    pub fn is_topology_configured(&self) -> bool {
+        self.configured_validators.is_some() || self.allowed_validators.is_some()
+    }
+
     /// BFT quorum threshold: ceil(2n/3).
-    /// 
-    /// SECURITY: When `configured_validators` is set, uses that as `n` to prevent
-    /// phantom registrations from inflating the threshold (VULN-02 fix).
-    /// 
-    /// Returns usize::MAX if fewer than min_validators are known.
-    /// When `configured_validators` is set, uses that count for the min check
-    /// (the operator has declared the expected validator count).
-    /// 
-    /// # Panics
-    /// This function should not panic under normal operation. If arithmetic overflow
-    /// occurs, it indicates a critical bug and the node should halt.
+    ///
+    /// SECURITY: Fails closed (`usize::MAX`) when the validator topology is
+    /// not declared via `configured_validators` or `allowed_validators`.
+    /// Dynamic mode was exploitable: producer-backed phantom validators
+    /// inflated the threshold and stalled finality (GHSA-rprp-wjrh-hx7g).
+    /// Operators MUST set `--validators N` or `--validator-key <file>`.
+    ///
+    /// When `configured_validators` is set, uses that as `n`. Otherwise,
+    /// when only an allowlist is set, uses the allowlist size as `n`
+    /// (allowlisted addresses cannot be forged).
+    ///
+    /// Returns `usize::MAX` if fewer than `min_validators` are known.
     pub fn quorum_threshold(&self) -> usize {
-        let effective_count = match self.configured_validators {
-            Some(configured) => {
-                // Use configured count to prevent attacker from inflating threshold
-                // by registering fake validators (VULN-02 fix)
-                configured
-            }
-            None => {
-                // Dynamic count mode: vulnerable to phantom validator inflation
-                // Operators should always use configured_validators in production
-                self.validators.len()
+        let effective_count = match (self.configured_validators, &self.allowed_validators) {
+            (Some(configured), _) => configured,
+            (None, Some(allowed)) => allowed.len(),
+            (None, None) => {
+                // Fail closed: permissionless mode cannot distinguish real
+                // validators from phantoms. See `is_topology_configured`.
+                return usize::MAX;
             }
         };
-        
-        // Enforce minimum validator requirement
+
         if effective_count < self.min_validators {
             return usize::MAX;
         }
-        
-        // ceil(2n/3) calculation with overflow protection
+
         (2 * effective_count).div_ceil(3)
     }
 
@@ -171,7 +180,22 @@ impl ValidatorSet {
     /// (those who have signed vertices) count toward the active set. Phantom
     /// registrations cannot reduce the quorum.
     pub fn adaptive_quorum_threshold(&self, current_round: u64) -> usize {
-        let upper_bound = self.configured_validators.unwrap_or_else(|| self.validators.len());
+        // SECURITY: Fail closed in permissionless mode. Without a declared
+        // topology, an attacker can mint keys and produce signed vertices
+        // to inflate `active_validator_count`, manipulating the threshold
+        // (GHSA-rprp-wjrh-hx7g).
+        if !self.is_topology_configured() {
+            return usize::MAX;
+        }
+
+        // Upper bound derives ONLY from operator-declared topology, never
+        // from the on-the-fly `validators.len()`. Producer-backed phantoms
+        // cannot raise this ceiling.
+        let upper_bound = match (self.configured_validators, &self.allowed_validators) {
+            (Some(configured), _) => configured,
+            (None, Some(allowed)) => allowed.len(),
+            (None, None) => unreachable!("guarded by is_topology_configured above"),
+        };
         let active = self.active_validator_count(current_round);
 
         // Compute the static threshold as the safety baseline.
@@ -237,6 +261,10 @@ mod tests {
         for _ in 0..4 {
             vs.register(SecretKey::generate().address());
         }
+        // Permissionless mode fails closed.
+        assert_eq!(vs.quorum_threshold(), usize::MAX);
+
+        vs.set_configured_validators(4);
         // ceil(8/3) = 3
         assert_eq!(vs.quorum_threshold(), 3);
         assert!(vs.has_quorum(3));
@@ -246,13 +274,43 @@ mod tests {
     #[test]
     fn threshold_with_3_validators() {
         let mut vs = ValidatorSet::new(3);
+        vs.set_configured_validators(3);
         for _ in 0..3 {
             vs.register(SecretKey::generate().address());
         }
         // ceil(6/3) = 2
         assert_eq!(vs.quorum_threshold(), 2);
     }
 
+    #[test]
+    fn permissionless_mode_fails_closed() {
+        // SECURITY: without configured count or allowlist, thresholds must
+        // return usize::MAX so finality cannot progress. Registering and/or
+        // "producing" phantom validators must not unstall the network.
+        let mut vs = ValidatorSet::new(3);
+        for _ in 0..10 {
+            let addr = SecretKey::generate().address();
+            vs.register(addr);
+            vs.record_production(addr, 42);
+        }
+        assert_eq!(vs.quorum_threshold(), usize::MAX);
+        assert_eq!(vs.adaptive_quorum_threshold(42), usize::MAX);
+        assert!(!vs.has_quorum(100));
+    }
+
+    #[test]
+    fn allowlist_alone_enables_threshold() {
+        let mut vs = ValidatorSet::new(3);
+        let sks: Vec<SecretKey> = (0..4).map(|_| SecretKey::generate()).collect();
+        let allowed: HashSet<Address> = sks.iter().map(|s| s.address()).collect();
+        vs.set_allowed_validators(allowed);
+        for sk in &sks {
+            vs.register(sk.address());
+        }
+        // Allowlist size 4 -> ceil(8/3) = 3
+        assert_eq!(vs.quorum_threshold(), 3);
+    }
+
     #[test]
     fn register_is_idempotent() {
         let mut vs = ValidatorSet::new(1);
diff --git a/crates/ultradag-coin/tests/phantom_validator.rs b/crates/ultradag-coin/tests/phantom_validator.rs
@@ -142,64 +142,95 @@ fn phantom_validator_does_not_break_finality_with_configured_count() {
 }
 
 #[test]
-fn without_configured_count_phantom_breaks_finality() {
-    // This test shows the bug: without configured_validators,
-    // phantom registrations inflate the threshold beyond reach.
+fn permissionless_mode_refuses_finality() {
+    // SECURITY (GHSA-rprp-wjrh-hx7g): in fully permissionless mode (no
+    // configured_validators, no allowlist), finality must fail closed.
+    // An attacker minting fresh keys and producing signed vertices cannot
+    // be distinguished from honest validators, so any threshold derived
+    // from "validators we've seen" is sybil-gameable. The tracker now
+    // returns threshold=usize::MAX in this mode — operators must set
+    // --validators or --validator-key.
     let sks: Vec<SecretKey> = (0..4).map(|_| SecretKey::generate()).collect();
 
     let mut dag = BlockDag::new();
     let mut finality = FinalityTracker::new(3);
-    // NO set_configured_validators — dynamic mode
+    // NO set_configured_validators, NO set_allowed_validators — permissionless.
 
     for sk in &sks {
         finality.register_validator(sk.address());
     }
 
     build_dag(&sks, 20, &mut dag);
 
+    let mut total = 0;
     loop {
         let newly = finality.find_newly_finalized(&dag);
         if newly.is_empty() { break; }
+        total += newly.len();
     }
-    let finalized_before = finality.finalized_count();
-    assert!(finalized_before > 0);
 
-    // Register 4 phantom validators (simulating stale persistence load)
-    for _ in 0..4 {
-        finality.register_validator(SecretKey::generate().address());
+    assert_eq!(finality.finality_threshold(), usize::MAX);
+    assert_eq!(total, 0, "permissionless mode must not finalize anything");
+}
+
+#[test]
+fn producer_backed_phantom_cannot_stall_finality() {
+    // Regression test for GHSA-rprp-wjrh-hx7g (Sumitshah00, 2026-04-13).
+    //
+    // BEFORE FIX: with 4 honest validators + unconfigured mode, an attacker
+    // that produces 3 signed vertices from 3 fresh keys inflated the
+    // adaptive threshold to ceil(2*7/3)=5. Only 4 honest producers remained,
+    // so finality stalled forever at round < attack_round.
+    //
+    // AFTER FIX: operators must declare topology. With set_configured_validators(4),
+    // the upper bound is pinned at 4, phantoms cannot raise the threshold, and
+    // honest-only rounds finalize cleanly past the attack round.
+    let honest: Vec<SecretKey> = (0..4).map(|_| SecretKey::generate()).collect();
+    let mut dag = BlockDag::new();
+    let mut finality = FinalityTracker::new(3);
+    finality.set_configured_validators(4);
+    for sk in &honest {
+        finality.register_validator(sk.address());
+    }
+
+    build_dag(&honest, 20, &mut dag);
+    loop {
+        if finality.find_newly_finalized(&dag).is_empty() { break; }
+    }
+    let finalized_before = finality.last_finalized_round();
+    assert!(finalized_before > 0, "baseline rounds should finalize");
+
+    // Attack: 3 phantom producers each sign exactly one vertex in round 20.
+    let phantoms: Vec<SecretKey> = (0..3).map(|_| SecretKey::generate()).collect();
+    let attack_round = 20u64;
+    let attack_parents = dag.tips();
+    let mut nonce = 10_000u64;
+    for sk in &phantoms {
+        nonce += 1;
+        dag.insert(make_vertex(nonce, attack_round, attack_parents.clone(), sk));
+        finality.register_validator(sk.address());
     }
 
-    // Now validator_count=8, threshold=ceil(16/3)=6
-    assert_eq!(finality.validator_count(), 8);
-    assert_eq!(finality.finality_threshold(), 6);
+    // Threshold stays pinned to configured count (4) -> ceil(8/3) = 3.
+    assert_eq!(finality.finality_threshold(), 3,
+        "configured topology must pin threshold despite phantom producers");
 
-    // Continue with only 4 real validators
-    let mut nonce = 2000u64;
-    for round in 20..30 {
+    // Honest-only rounds after the attack.
+    for round in (attack_round + 1)..(attack_round + 11) {
         let tips = dag.tips();
-        for sk in &sks {
+        for sk in &honest {
             nonce += 1;
-            let v = make_vertex(nonce, round, tips.clone(), sk);
-            dag.insert(v);
+            dag.insert(make_vertex(nonce, round, tips.clone(), sk));
         }
     }
-
-    // Finality CANNOT progress — only 4 validators can produce descendants,
-    // but threshold requires 6
-    let mut new_finalized = 0;
     loop {
-        let newly = finality.find_newly_finalized(&dag);
-        if newly.is_empty() { break; }
-        new_finalized += newly.len();
+        if finality.find_newly_finalized(&dag).is_empty() { break; }
     }
 
-    // UPDATE (adaptive quorum fix): the adaptive quorum threshold now mitigates
-    // this phantom inflation attack even WITHOUT set_configured_validators. The
-    // adaptive threshold uses the count of validators who have actually produced
-    // vertices (4), not the inflated registration count (8). So finality progresses
-    // normally despite the phantom registrations.
-    //
-    // Phantom validators cannot degrade finality because they cannot produce
-    // cryptographically-signed vertices.
-    assert!(new_finalized > 0, "adaptive quorum should allow finality despite phantom registrations");
+    assert!(
+        finality.last_finalized_round() > attack_round,
+        "finality must progress past attack_round={} (got {})",
+        attack_round,
+        finality.last_finalized_round()
+    );
 }
diff --git a/crates/ultradag-network/tests/adversarial_integration_tests.rs b/crates/ultradag-network/tests/adversarial_integration_tests.rs
@@ -31,11 +31,13 @@ impl AdversarialNode {
         let address = sk.address();
         let mut state = StateEngine::new();
         state.set_configured_validator_count(total_validators);
+        let mut finality = FinalityTracker::new(3);
+        finality.set_configured_validators(total_validators as usize);
         Self {
             id,
             state,
             dag: BlockDag::new(),
-            finality: FinalityTracker::new(3),
+            finality,
             secret_key: sk,
             address,
         }
@@ -193,6 +195,7 @@ async fn test_crash_restart_state_convergence() {
     nodes[3].state = fresh_state;
     nodes[3].dag = BlockDag::new();
     nodes[3].finality = FinalityTracker::new(3);
+    nodes[3].finality.set_configured_validators(4);
 
     // Replay all vertices from node 0's DAG into node 3
     let all_addresses: Vec<Address> = nodes.iter().map(|n| n.address).collect();
