A relocated node can create arbitrary number of new identities and sign them with their old key and then pretend they are all different nodes joining the destination section. If the node is old enough, it can easily take control of the dst section this way.
Idea for a fix:
We record the previous name as part of the MemberInfo in the SectionPeers container. Then when inserting an entry into the container, we check whether an entry with the same previous_name already exists there. If so, we vote Offline for both of them.
Alternatively (less harsh): we use some deterministic rule to pick one and discard the other.
A relocated node can create arbitrary number of new identities and sign them with their old key and then pretend they are all different nodes joining the destination section. If the node is old enough, it can easily take control of the dst section this way.
Idea for a fix:
We record the previous name as part of the
MemberInfo
in theSectionPeers
container. Then when inserting an entry into the container, we check whether an entry with the sameprevious_name
already exists there. If so, we voteOffline
for both of them.Alternatively (less harsh): we use some deterministic rule to pick one and discard the other.