flaw with >2 validators and current follower tick algorithm

[Ivshti]

The issue is as follows:

Let's say that:

• A is the last ApproveState message by a follower node N, approving some state S(n)
• B is >2/3 ApproveState messages for some state S(m)
• C is a NewState message for some state S(m+1) generated by validator Q
• N has fallen behind, and it's m is significantly higher than n: m>n
• now, sending a NewState message C to node N, will make it compare the transition from S(n) to S(m+1); the correct thing to do is compare S(m) to S(m+1); that way, we allow Q to trick N into signing a malicious state transition where the balance has been reduced compared to S(m) but is still higher compared to S(n), making it a valid state transition from the point of view of N

in other words:

// we compare only OUR last approved state to the NewState
// instead, we must compare from the latest state approved by any >=2/3 validators
// otherwise, the leader may perform an invalid state transition from latest approved to a NewState, and trick us into signing it cause we'd be comparing with our own (presumably old)

[Ivshti]

the best solution here would be to restrict this stack to 2 validators only

higher number of validators would require a pBFT process to ensure this can't happen

[samparsky]

@Ivshti Since the current design proposition is a validator set that contains a publisher, an arbiter and an advertiser. Wouldn't this be an issue?

[Ivshti]

@samparsky a few parts of adex-protocol say that the minimal setup is 2 validators; this reference implementation will only support this case initially

the arbitor is not that important with the notion of health, as underreporting will be punished by not delivering impressions anymore

the arbitor has advantages (described in https://github.com/adexnetwork/adex-protocol#validator-consensus) but for now 2 validators is the easiest

[Ivshti]

Closing sine it's just now part of the design to strictly run with 2 validators. It's simpler, has less failure cases and clear game theory.