w3f / polkadot-spec

The Polkadot Protocol Specification
https://spec.polkadot.network
Creative Commons Attribution Share Alike 4.0 International

Investigate Correctness of invariant: Authority Set for GRANDPA and BEEFY justification are the same for all blocks #718

Open bhargavbh opened 7 months ago

bhargavbh commented 7 months ago

Context: Recently, snowbridge was bricked on the Rococo-Sepolia testnets. The issue is described here by Snowbridge team. There are two main points of provenance for the bug:

  1. BEEFY hitting an off-set-by-one error on the Polkadot Node side, where the first block of every session (mandatory BEEFY block) cannot be verified by the light client if there are no other BEEFY finalised blocks between two sessions.
  2. The light client is too strict in requiring the validatorSetID to be consecutive. This does not bring any added security guarantees and hopefully can be relaxed to just being monotone, and in the process providing an escape route for unbridging the brick in case unexpected errors like above arise.

Description: This issue focusses on point-1. In the spec, we have an invariant which states that for every block, the authority set of GRANDPA justification and BEEFY justification are the same. In GRANDPA, the justification of the first block of every session is signed by the validatorSet of the previous session (due to a technical reason that there could be possible forks). Clearly, this behaviour is not reflected in BEEFY (since there is no issue of possible forks to be evaluated in BEEFY), else the offset-by-one issue would not arise. So, the validator set of the current session signs the first block of the session (which is also a mandatory block). It remains to be discussed if we would want BEEFY to mimic GRANDPA behaviour with regard to previous authority signing the first block. Just to avoid such edge cases. This might be a cleaner approach at a deeper level than the one proposed here.
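A small model of the two points above, added here as an example; it is not code from the spec, the Polkadot node or Snowbridge. The `Block` fields, the chain builder and the set-id sequence `[3, 4, 6]` (a mandatory block of set 5 that the client could not verify) are constructed assumptions.

```rust
// Simplified model: each block records the validator set id that signed its
// GRANDPA justification and its BEEFY justification (assumed fields, not the
// real justification format).
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct Block {
    pub number: u64,
    pub session: u64,
    pub grandpa_set_id: u64,
    pub beefy_set_id: u64,
}

/// Build a chain in which, as the comment describes, GRANDPA signs the first
/// block of session s with the set of session s-1, while BEEFY signs it with
/// the set of session s (the mandatory block).
pub fn build_chain(blocks_per_session: u64, sessions: u64) -> Vec<Block> {
    let mut chain = Vec::new();
    for s in 0..sessions {
        for i in 0..blocks_per_session {
            let number = s * blocks_per_session + i;
            let grandpa_set_id = if i == 0 && s > 0 { s - 1 } else { s };
            chain.push(Block { number, session: s, grandpa_set_id, beefy_set_id: s });
        }
    }
    chain
}

/// Block numbers where the spec invariant "GRANDPA and BEEFY authority sets
/// are the same" does not hold; with the behaviour above these are exactly
/// the first blocks of every session after the first.
pub fn invariant_violations(chain: &[Block]) -> Vec<u64> {
    chain.iter().filter(|b| b.grandpa_set_id != b.beefy_set_id).map(|b| b.number).collect()
}

/// Light-client rule for a validator set id transition: strict requires the
/// next id to be exactly current + 1, relaxed only requires it to be monotone.
pub fn accept_set_id(current: u64, next: u64, strict: bool) -> bool {
    if strict { next == current + 1 } else { next >= current }
}

/// Index of the first set id in `seen` that the client rejects, if any.
/// A gap caused by an unverifiable mandatory block bricks a strict client.
pub fn first_rejected(seen: &[u64], strict: bool) -> Option<usize> {
    seen.windows(2).position(|w| !accept_set_id(w[0], w[1], strict)).map(|i| i + 1)
}

fn main() {
    let chain = build_chain(3, 3);
    println!("invariant violations at blocks {:?}", invariant_violations(&chain));
    println!("strict client rejects at index {:?}", first_rejected(&[3, 4, 6], true));
    println!("monotone client rejects at index {:?}", first_rejected(&[3, 4, 6], false));
}
```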