Current network gossip protocol allows an easy-to-launch spam attack whereby an adversary can publish an unlimited amount of PoET proofs which are not associated by any ATX.
Creating valid PoET proofs is permissionless and cheapest-as-possible by design, in addition to not having gurantees on having a higher cost for creating multiple proofs in parallel or slightly different variations thereof. So from security perspective, the cost of creating a valid PoET proof should be thought of as zero, and cannot be considered as means to prevent such an attack.
In addition, every PoET proof contains a list of members associated with it, as an arbitrary-size byte array, which also not necessarily associated with actual ATXs.
The mitigation
Don’t allow the propagation of PoET proofs which don’t have an associated ATX costs. This means that PoET proofs cannot be gossiped prior to their associated ATXs, like they currently do.
ATX-publishing nodes would be responsible for obtaining these proofs from the PoET service (in an off-chain fashion). Assuming one proof will be associated with many ATXs, they should only contain a reference to it, like currently.
The actual proof should be retained locally and published upon demand, when a node receiving the ATX learns about it for the first time and is missing the full object in order to complete the ATX validation.
In addition, ATX-publishing nodes should obtain their distinct Merkle path from the PoET service, for proving their challenge's membership in the shared proof. The path should be included in the ATX.
[x] Remove gossip listeners for handling incoming PoET proofs.
[ ] spacemeshos/go-spacemesh#3887
[x] spacemeshos/go-spacemesh#3814
[x] Make sure that the serving of persisted PoET proofs to peers which are missing it works properly.
[x] spacemeshos/go-spacemesh#3929[^1]
[^1]: A future potential local optimization could be to construct a sparse tree out of the distinct Merkle proofs for a given PoET proof, in order to avoid having to store duplicated tree nodes data.
noamnelke
commented
2 years ago
The problem
Current network gossip protocol allows an easy-to-launch spam attack whereby an adversary can publish an unlimited amount of PoET proofs which are not associated by any ATX.
Creating valid PoET proofs is permissionless and cheapest-as-possible by design, in addition to not having gurantees on having a higher cost for creating multiple proofs in parallel or slightly different variations thereof. So from security perspective, the cost of creating a valid PoET proof should be thought of as zero, and cannot be considered as means to prevent such an attack.
In addition, every PoET proof contains a list of members associated with it, as an arbitrary-size byte array, which also not necessarily associated with actual ATXs.
The mitigation
Don’t allow the propagation of PoET proofs which don’t have an associated ATX costs. This means that PoET proofs cannot be gossiped prior to their associated ATXs, like they currently do.
ATX-publishing nodes would be responsible for obtaining these proofs from the PoET service (in an off-chain fashion). Assuming one proof will be associated with many ATXs, they should only contain a reference to it, like currently. The actual proof should be retained locally and published upon demand, when a node receiving the ATX learns about it for the first time and is missing the full object in order to complete the ATX validation.
In addition, ATX-publishing nodes should obtain their distinct Merkle path from the PoET service, for proving their challenge's membership in the shared proof. The path should be included in the ATX.
Implementation
https://github.com/spacemeshos/poet
https://github.com/spacemeshos/go-spacemesh
[^1]: A future potential local optimization could be to construct a sparse tree out of the distinct Merkle proofs for a given PoET proof, in order to avoid having to store duplicated tree nodes data.