Currently, consensus messages from the future (i.e. with higher round/iteration number) are stored/relayed without any verification. This is due to the inability of foreseeing future committees (which can only be computed with the previous-block seed).
However, the provisioner set of the current and next epoch is bound to those provisioners that staked in the past epoch.
While some provisioners might get excluded from the set, due to unstaking or slashing, it is not possible to have new unforeseen provisioners.
This DIP proposes to introduce a sanity check (or pre-verification) of consensus messages by checking if their signatures are from provisioners in the current and next provisioner set, according to stake operations.
While this check will not be 100% secure (it would still consider as valid signature from provisioners that have unstaked or have been inactivated due to slashing), it is still enough to exclude all signatures from provisioners that are not possibly part of the current/next epoch set.
In addition, it proposes to punish, where possible, those provisioners sending messages that turn out to be spam/attacks.
This, however, has to take into account the existence of forks.
Summary
Currently, consensus messages from the future (i.e. with higher round/iteration number) are stored/relayed without any verification. This is due to the inability of foreseeing future committees (which can only be computed with the previous-block seed).
However, the provisioner set of the current and next epoch is bound to those provisioners that staked in the past epoch. While some provisioners might get excluded from the set, due to unstaking or slashing, it is not possible to have new unforeseen provisioners.
This DIP proposes to introduce a sanity check (or pre-verification) of consensus messages by checking if their signatures are from provisioners in the current and next provisioner set, according to stake operations.
While this check will not be 100% secure (it would still consider as valid signature from provisioners that have unstaked or have been inactivated due to slashing), it is still enough to exclude all signatures from provisioners that are not possibly part of the current/next epoch set.
In addition, it proposes to punish, where possible, those provisioners sending messages that turn out to be spam/attacks. This, however, has to take into account the existence of forks.