feat: add LtHash snapshot integrity verification #242
Open
G0G0S wants to merge 1 commit into
Re-compute the lattice hash from all accounts after building AccountsDB and compare against the incremental manifest's LtHash. If they don't match, the snapshot is considered tampered and the build fails with an error. This prevents a DoS vector where a malicious RPC node serves a snapshot with altered account data that would only be detected much later during replay as a bankhash mismatch.
- New file: verify_lthash.go (parallelized verification with 32 workers)
- Modified: build_db_with_incr.go (call verification after OpenDb)
Closes #149
Adds an integrity check that runs after AccountsDB is built from a snapshot:
we recompute the lattice hash from the loaded accounts and compare it against
the LtHash field in the incremental manifest. On a mismatch the snapshot is
treated as tampered and the build aborts with an error, rather than
silently carrying on.
The motivation is that today there's no way to catch a corrupted or tampered
snapshot at load time. A misbehaving or malicious RPC node can serve altered
account state and we don't notice until block replay produces a divergent
bank hash hours later, by which point you've paid for a full bootstrap plus
a partial replay and have to start over. Failing fast at load is a far
cheaper signal.
Changes
- pkg/snapshot/verify_lthash.go: parallel verification across 32 workers
- pkg/snapshot/build_db_with_incr.go: invokes the check right after accountsDb.OpenDb()

The 32-worker count is a heuristic that worked on my hardware; happy to make
it tunable or tie it to runtime.NumCPU() if that fits better with how the
rest of the codebase scales.
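One way to implement the check the description above outlines, as an added Go example that is not the PR's code and not part of the project. It uses a toy lattice hash (16 uint16 lanes taken from a SHA-256 digest, with lane-wise wrapping addition; the real LtHash has far more lanes, but the algebra is the same), a constructed Account struct, and hypothetical names ComputeLtHash and VerifyLtHash. Because the hash of a set is the lane-wise sum of per-account hashes, each worker can fold its own partial sum over a stride of the account slice and the partials are simply added at the end, so the result does not depend on the worker count or the order accounts are visited.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"runtime"
	"sync"
)

// Lanes is the number of uint16 lanes in this toy lattice hash (an assumption
// of the example; the production hash uses a much wider lane vector).
const Lanes = 16

// LtHash is a homomorphic "lattice" hash: the hash of a set of accounts is the
// lane-wise sum (mod 2^16) of the per-account hashes. Addition commutes, so
// accounts can be hashed in any order and across any number of workers.
type LtHash [Lanes]uint16

// Account is a minimal stand-in for an AccountsDB entry (constructed here).
type Account struct {
	Pubkey   [32]byte
	Lamports uint64
	Owner    [32]byte
	Data     []byte
}

// hashAccount derives a per-account lattice hash from a SHA-256 digest over the
// account's fields. The field order and encoding are assumptions of the example.
func hashAccount(a *Account) LtHash {
	h := sha256.New()
	h.Write(a.Pubkey[:])
	var lam [8]byte
	binary.LittleEndian.PutUint64(lam[:], a.Lamports)
	h.Write(lam[:])
	h.Write(a.Owner[:])
	h.Write(a.Data)
	sum := h.Sum(nil) // 32 bytes -> 16 uint16 lanes
	var out LtHash
	for i := range out {
		out[i] = binary.LittleEndian.Uint16(sum[2*i:])
	}
	return out
}

// Add folds other into h lane-wise with wrapping uint16 addition.
func (h *LtHash) Add(other LtHash) {
	for i := range h {
		h[i] += other[i]
	}
}

// ComputeLtHash hashes all accounts across `workers` goroutines. Worker w owns
// partials[w] and visits accounts w, w+workers, w+2*workers, ... so there is no
// shared mutable state; the partial sums are combined once all workers finish.
func ComputeLtHash(accounts []Account, workers int) LtHash {
	if workers < 1 {
		workers = runtime.NumCPU()
	}
	partials := make([]LtHash, workers)
	var wg sync.WaitGroup
	for w := 0; w < workers; w++ {
		wg.Add(1)
		go func(w int) {
			defer wg.Done()
			for i := w; i < len(accounts); i += workers {
				partials[w].Add(hashAccount(&accounts[i]))
			}
		}(w)
	}
	wg.Wait()
	var total LtHash
	for _, p := range partials {
		total.Add(p)
	}
	return total
}

// ErrSnapshotTampered is returned when the recomputed hash differs from the manifest.
var ErrSnapshotTampered = errors.New("snapshot lthash mismatch: account data does not match manifest")

// VerifyLtHash recomputes the lattice hash over the loaded accounts and fails
// fast if it does not equal the LtHash recorded in the (trusted) manifest.
func VerifyLtHash(accounts []Account, manifest LtHash, workers int) error {
	got := ComputeLtHash(accounts, workers)
	if got != manifest {
		return fmt.Errorf("%w: got %x want %x", ErrSnapshotTampered, got[:4], manifest[:4])
	}
	return nil
}

// sampleAccounts builds n deterministic, constructed accounts for demonstration.
func sampleAccounts(n int) []Account {
	accts := make([]Account, n)
	for i := range accts {
		accts[i].Pubkey = sha256.Sum256([]byte(fmt.Sprintf("pubkey-%d", i)))
		accts[i].Owner = sha256.Sum256([]byte("owner"))
		accts[i].Lamports = uint64(1000 * (i + 1))
		accts[i].Data = []byte(fmt.Sprintf("data-%d", i))
	}
	return accts
}

func main() {
	accts := sampleAccounts(1000)
	manifest := ComputeLtHash(accts, 1) // stands in for the manifest's LtHash field
	fmt.Println("32 workers match 1 worker:", ComputeLtHash(accts, 32) == manifest)
	fmt.Println("clean snapshot:", VerifyLtHash(accts, manifest, 32))
	accts[7].Lamports++ // a malicious RPC node altering one account's balance
	fmt.Println("tampered snapshot:", VerifyLtHash(accts, manifest, 32))
}
```

The check is only as strong as the manifest value it compares against: a node that can alter account data and also rewrite the manifest's LtHash field will pass, so the manifest hash should itself be checked against a value obtained from somewhere the snapshot server does not control.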