Closed: qinglin89 closed this issue 10 months ago
Suppose block 200 carries the info about the new validator set; then the validator set change will happen at 210, and this indicates that 11 validators have accepted block 200. Let f = 7. To split the network, an evil validator would have to propose an evil block 200; if only 7 validators accept the evil block 200, then the validator set change will not happen.
That's not what byzantine nodes can do. In a non-permissioned/public blockchain, a fault node indicates byzantine nodes, which means they are not only possible to be offline, but also able to mislead the honest nodes. Like this example, set f=7; when 11 validators have confirmed the 200 block, check these two parts:
p1: b1, b2, b3, b4, b5, b6, b7, h1, h2, h3, h4 (11)
p2: b1, b2, b3, b4, b5, b6, b7, h5, h6, h7, h8 (11)
At this moment, {h1, h2, h3, h4} and {h5, h6, h7, h8} have been confirmed and changed to 2 different validator sets, with the malicious message built by byzantine nodes (bx being malicious doesn't mean they can only impact themselves).
According to BFT theory, we can verify that 2f+1 is the minimum number required to guarantee safety. Using this example, '2f+1' requires 15 nodes to reach an agreement, and you can split the network any way that results in no more than one part having 15 consensus.
In an extreme case, one bad validator is enough to divide the network into 2 parts; that is the so-called Clone Attack.
To avoid these, a double sign slash mechanism has been added: 10000 BNB will be slashed to mitigate this problem.
That's not the case. 1/2, 1/3 is talking about the distributed system consensus (as for the clone attack here, you can even change the set immediately without waiting for %epoch == 1/2); the difference is how to define the quorum under different assumptions.
Check this to see the difference between 'fail-stop' and 'malicious' (BFT); they also provide the verification about f/3f+1:
https://dl.acm.org/doi/pdf/10.1145/4221.214134
P1 and P2 both include b1, so they will change to the same new validator set. Every validator parses the new validator set by itself; if b1 contains a wrong validator set, they will refuse it.
byzantine/malicious:
p1: b1(msg_1), ...
p2: b1(msg_2), ...
CFT: 1/2, BFT: 1/3+
1) Even if we set the offset to 100, the clone attack still can't be avoided; this means that in an extreme case, one validator can split the network.
2) Even if we set the offset to 100, these 100 blocks may be produced by only 11 validators.
3) We have acknowledged the "clone attack", and to counter it: a. introduce double sign slash; b. enhance network topology, which means every validator connects to not one, but many other validators.
This issue will be closed for now. Any more suggestions are welcome; please open a new issue.
Currently the validator set will be changed after 1/2 of validators confirm the epoch block, but under the BFT assumption (with f Byzantine nodes out of more than 3f+1 total nodes), 1/2 would allow Byzantine nodes to split the network with different validator sets.
total (f=2, 3f+1=7): h1, h2, h3, h4, b1, b2, b3
b1, b2, b3, h1, h2, h3
b1, b2, b3*, h4, h5, h6
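The quorum argument running through this thread (the f=7 split into p1/p2, the b1(msg_1)/b1(msg_2) equivocation, and the f=2 case in the issue description) as an added Python example, not code from the issue or the project: it models Byzantine nodes voting in every partition and checks which quorum sizes let more than one partition confirm a validator-set change. Node names follow the thread; the node counts are constructed inputs.

```python
"""Quorum-intersection check for validator-set changes under BFT.

Constructed example for the thread above, not code from the issue or project.
"""


def byzantine_partitions(honest, byzantine, quorum):
    """Model the thread's attack: every Byzantine node (b*) equivocates and
    votes for a different validator set in each partition, while each honest
    node (h*) votes in exactly one partition.

    Returns the partitions that each collect `quorum` votes.  More than one
    partition means conflicting validator sets all get confirmed."""
    honest_needed = quorum - len(byzantine)
    if honest_needed <= 0:
        # Byzantine votes alone reach quorum: any number of conflicting
        # sets can be confirmed without a single honest vote.
        return [list(byzantine) for _ in range(2)]
    return [
        list(byzantine) + honest[i:i + honest_needed]
        for i in range(0, len(honest) - honest_needed + 1, honest_needed)
    ]


def quorum_is_safe(n, faults, quorum):
    """Two quorums of size `quorum` out of n nodes share at least
    2*quorum - n members.  Safety needs an honest node in that overlap
    (overlap > faults), since an honest node never votes for two sets."""
    return 2 * quorum - n >= faults + 1


def min_safe_quorum(n, faults):
    """Smallest safe quorum; equals 2f+1 when n = 3f+1."""
    return next(q for q in range(1, n + 1) if quorum_is_safe(n, faults, q))


if __name__ == "__main__":
    faults = 7
    honest = [f"h{i}" for i in range(1, 15)]     # 14 honest nodes
    byzantine = [f"b{i}" for i in range(1, 8)]   # 7 Byzantine nodes, n = 21
    n = len(honest) + len(byzantine)
    # Thread's rule: change the set once 11 (about 1/2) confirm the block.
    for part in byzantine_partitions(honest, byzantine, quorum=11):
        print("confirmed by", len(part), "nodes:", part)
    print("1/2 quorum safe?", quorum_is_safe(n, faults, 11))
    print("minimum safe quorum:", min_safe_quorum(n, faults))  # 2f+1 = 15
    # Clone attack: one equivocating validator splits 20 honest nodes in two.
    print(byzantine_partitions([f"h{i}" for i in range(1, 21)], ["b1"], 11))
```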