consensus: prevent unjustified view-change from transmitted dummy blocks (using NEWVIEW signatures)

[sdbondi]

Background

Currently, once NEWVIEW messages reach a quorum, we discard them and propose a block with one or more dummy parents.

When performing catch-up, we send dummy blocks to force the syncing node to move the view forward without having to wait for a view change from a leader timeout. This is a vulnerability because a dummy can be sent at any time. In general, there should be no need to send a dummy (or alternatively a dummy should contain some proof of quorum).

Proposal 1

Add a new field to blocks that contains NEWVIEW signatures. These are required when proposing dummy block parents (i.e. block.justify().block != block.parent).

These are validated and will force a change to the next view.

Protocol modifications:

• Catch-up should no longer send dummy blocks
• Dummy block bool should be removed from the message proto
• if any dummy blocks are received, they should be rejected (this is implicitly the case as the proposer signature will either be missing or the incorrect proposer for the height will be on the block).
• NEWVIEW signatures MUST be present and valid if the justify does not justify the parent block
• NEWVIEW signatures MUST be empty if the block justifies the parent block
• NEWVIEW justification MUST be committed in the block id (hash)

Implementation: A new QC type that contains all the signatures (e.g NewViewQc) used in the block as an optional field.

Acceptance:

1. Start a swarm with >= 4 nodes.
2. Shut down one of the nodes
3. Wait for one or more leader failures and committed dummy blocks
4. Restart the node
5. The node quickly caches up to the tip and includes the required dummy blocks