github.com/pokt-network/tendermint@v0.32.11-0.20230426215212-59310158d3e9/docs/architecture/adr-051-double-signing-risk-reduction.md (about) 1 # ADR 051: Double Signing Risk Reduction 2 3 ## Changelog 4 5 * 27-11-2019: Initial draft 6 * 13-01-2020: Separate into 2 ADR, This ADR will only cover Double signing Protection and ADR-052 handle Tendermint Mode 7 * 22-01-2020: change the title from "Double signing Protection" to "Double Signing Risk Reduction" 8 9 ## Context 10 11 To provide a risk reduction method for double signing incidents mistakenly executed by validators 12 - Validators often mistakenly run duplicated validators to cause double-signing incident 13 - This proposed feature is to reduce the risk of mistaken double-signing incident by checking recent N blocks before voting begins 14 - When we think of such serious impact on double-signing incident, it is very reasonable to have multiple risk reduction algorithm built in node daemon 15 16 ## Decision 17 18 We would like to suggest a double signing risk reduction method. 19 20 - Methodology : query recent consensus results to find out whether node's consensus key is used on consensus recently or not 21 - When to check 22 - When the state machine starts `ConsensusReactor` after fully synced 23 - When the node is validator ( with privValidator ) 24 - When `cs.config.DoubleSignCheckHeight > 0` 25 - How to check 26 1. When a validator is transformed from syncing status to fully synced status, the state machine check recent N blocks (`latest_height - double_sign_check_height`) to find out whether there exists consensus votes using the validator's consensus key 27 2. If there exists votes from the validator's consensus key, exit state machine program 28 - Configuration 29 - We would like to suggest by introducing `double_sign_check_height` parameter in `config.toml` and cli, how many blocks state machine looks back to check votes 30 - <span v-pre>`double_sign_check_height = {{ .Consensus.DoubleSignCheckHeight }}`</span> in `config.toml` 31 - `tendermint node --double_sign_check_height` in cli 32 - State machine ignore checking procedure when `vote-check-height == 0` 33 34 ## Status 35 36 Proposed 37 38 ## Consequences 39 40 ### Positive 41 42 - Validators can avoid double signing incident by mistakes. (eg. If another validator node is voting on consensus, starting new validator node with same consensus key will cause panic stop of the state machine because consensus votes with the consensus key are found in recent blocks) 43 - We expect this method will prevent majority of double signing incident by mistakes. 44 45 ### Negative 46 47 - When the risk reduction method is on, restarting a validator node will panic because the node itself voted on consensus with the same consensus key. So, validators should stop the state machine, wait for some blocks, and then restart the state machine to avoid panic stop. 48 49 ### Neutral 50 51 ## References 52 53 - Issue [#4059](https://github.com/tendermint/tendermint/issues/4059) : double-signing protection