Unauthorized to sign block at reset level

[spalmer25]

Currently, the app cannot sign block at reset level.

Is this an expected behaviour ?

See: https://github.com/trilitech/ledger-app-tezos-baking/pull/18#discussion_r1474029889

[spalmer25]

Accusing

Here is my understanding of when an operation/block can be accused:

Operations

If an accuser retrieves, at any time, from the same attester, two attestations (resp. two pre-attestations) with :

• the same chain_id, level and round and
• different payload_hash, slot or branch

Then the accuser can accuse the attester with a Double Attestation Evidence (resp. Double Pre-Attestation Evidence).

This happens no matter if the accuser retrieves the operation from the mempool or from a block.

Block

If an accuser retrieves, at any time, from the same baker, two block with :

• the same chain_id, level and round and
• different hash

Then the accuser can accuse the baker with a Double Baking Evidence.

In our app

We choose : 1) to only check chain_id, level and round :

• this allowed to make fewer checks without authorizing non-valid operations/blocks.
• but prevents to sign some valid operations/blocks from the same chain_id, level and round. 2) to only keep one chain_id : see https://github.com/trilitech/ledger-app-tezos-baking/issues/19. 3) from a same chain_id, to check if the level/round is not lower than the last level/round seen :
• this allowed us to only retain one level/round without authorizing non-valid operations/blocks.
• but prevents to sign older operations/blocks that are still valid. 4) from a same chain_id/level/round, to prevent : 1) signing an attestation if another attestation has already been seen. 2) signing a pre-attestation if another pre-attestation or an attestation has already been seen. 3) signing a block.

See baking_auth.c

Each condition reduction, which we apply with 1., 2., 3. and 4., continues to prevent signing non-valid operations/blocks but also prevents signing valid operations/blocks.

The issue we encounter is because of the rules 4.i: When we reset the level, we set the chain_id/level/round. So by the rule 4.iii, we can't sign a block to that same chain_id/level/round.

Do we want to stick with each of these condition reductions as they currently stand?

[spalmer25]

Proposal: Change 4.iii into:

• prevent signing a block if another block or an attestation/pre-attestation has already been seen.

  Implementation: https://github.com/trilitech/ledger-app-tezos-baking/pull/30

[spalmer25]

Proposal: Keep the conditions as they are, but prevent signing at the same level as the reset (whatever the round). This implicitly implies the previous proposal.

[spalmer25]

Final decision: Do not change the current behaviour, as the baker most often resets at level 0 and does not bake at level 0.