github.com/ari-anchor/sei-tendermint@v0.0.0-20230519144642-dc826b7b56bb/docs/architecture/adr-051-double-signing-risk-reduction.md

github.com/ari-anchor/sei-tendermint@v0.0.0-20230519144642-dc826b7b56bb/docs/architecture/adr-051-double-signing-risk-reduction.md (about)

     1  # ADR 051: Double Signing Risk Reduction
     2  
     3  ## Changelog
     4  
     5  * 27-11-2019: Initial draft
     6  * 13-01-2020: Separate into 2 ADR, This ADR will only cover Double signing Protection and ADR-052 handle Tendermint Mode
     7  * 22-01-2020: change the title from "Double signing Protection" to "Double Signing Risk Reduction"
     8  
     9  ## Context
    10  
    11  To provide a risk reduction method for double signing incidents mistakenly executed by validators
    12  - Validators often mistakenly run duplicated validators to cause double-signing incident
    13  - This proposed feature is to reduce the risk of mistaken double-signing incident by checking recent N blocks before voting begins
    14  - When we think of such serious impact on double-signing incident, it is very reasonable to have multiple risk reduction algorithm built in node daemon
    15  
    16  ## Decision
    17  
    18  We would like to suggest a double signing risk reduction method.
    19  
    20  - Methodology : query recent consensus results to find out whether node's consensus key is used on consensus recently or not
    21  - When to check
    22      - When the state machine starts `ConsensusReactor` after fully synced
    23      - When the node is validator ( with privValidator )
    24      - When `cs.config.DoubleSignCheckHeight > 0`
    25  - How to check
    26      1. When a validator is transformed from syncing status to fully synced status, the state machine check recent N blocks (`latest_height - double_sign_check_height`) to find out whether there exists consensus votes using the validator's consensus key
    27      2. If there exists votes from the validator's consensus key, exit state machine program
    28  - Configuration
    29      - We would like to suggest by introducing `double_sign_check_height` parameter in `config.toml` and cli, how many blocks state machine looks back to check votes
    30      - <span v-pre>`double_sign_check_height = {{ .Consensus.DoubleSignCheckHeight }}`</span> in `config.toml`
    31      - `tendermint node --consensus.double_sign_check_height` in cli
    32      - State machine ignore checking procedure when `double_sign_check_height == 0`
    33  
    34  ## Status
    35  
    36  Implemented
    37  
    38  ## Consequences
    39  
    40  ### Positive
    41  
    42  - Validators can avoid double signing incident by mistakes. (eg. If another validator node is voting on consensus, starting new validator node with same consensus key will cause panic stop of the state machine because consensus votes with the consensus key are found in recent blocks)
    43  - We expect this method will prevent majority of double signing incident by mistakes.
    44  
    45  ### Negative
    46  
    47  - When the risk reduction method is on, restarting a validator node will panic because the node itself voted on consensus with the same consensus key. So, validators should stop the state machine, wait for some blocks, and then restart the state machine to avoid panic stop.
    48  
    49  ### Neutral
    50  
    51  ## References
    52  
    53  - Issue [#4059](https://github.com/tendermint/tendermint/issues/4059) : double-signing protection