Closed anorth closed 3 years ago
Stebalien
commented
3 years ago This reasoning makes me uneasy. There is no restriction on operations per block since each window post submission checks the limit independently.
The issue is the dispute. I need to be able to submit a dispute somehow, even if I can't fit them all into a single block. That means each post needs to be independently disputable.
@anorth I'm slightly concerned about sector termination, but that's probably fine.
ZenGround0
commented
3 years ago @anorth I think this is going to break your test here. I'm planning to merge that PR first and then leave the fix for this PR.
ZenGround0
commented
3 years ago @anorth I'm slightly concerned about sector termination, but that's probably fine.
Suggestion: we could maintain current levels of safety without thinking more about this using two separate constants one for max sectors accessed by post one for max addressed by other methods.
anorth
commented
3 years ago @Stebalien I infer your concern about terminating sectors to be the explicit TerminateSectors exported method. Sector termination does not happen in the DisputeWindowPost call tree. I do think this is ok since it is a directly-invoked method, where the caller will pay all gas.
It may be that mismatches between gas cost and true computational cost make this a place to target chain validation attacks. It would be a good place for us to profile a workload targeting this (probably in Lotus, cc @magik6k).
This number bounds the amount of memory used or state loaded in a number of operations such as declaring faults. A critical need is to limit the number of sectors that may be addressed by a single WindowPoSt sumbission to ensure it can be safely disputed later if fraudulent.
25000 sectors permits submitting (and disputing) up to 10 partitions at once for both 32GiB (25,000/2,349 ~= 10.6) and 64GiB (25,000/2,300 ~= 10.8) sectors.
Empirically, disputing 10 partitions fits within the block gas limit >= 3 times over.
Closes #1415