Follow-up tracker for risk items left open by PR #825 (snapshot bootstrap + genesis-baked validators + consensus shard enforcement). Parent: DEM-713.
Open items
- **Audit production env vars.** Confirm every mainnet/staging operator has `DEMOS_REQUIRE_VALIDATORS=true` set. Currently the default is permissive-with-warning; if any production node misses this, its consensus shard falls back to legacy behavior where any peer can mine. Consider making strict mode the default (or hard-fail at boot when running on a real chain id).
- **Close the verify → restore TOCTOU.** `verifySnapshot` and `restoreSnapshot` run as two sequential async ops over the same filesystem. Adversary model is narrow (operator already trusted, FS write between the two ops), but the docs acknowledge the gap. Refactor to verify-then-buffer or verify-then-stream-with-rolling-sha so the bytes consumed by `restoreSnapshot` are the same bytes hashed by `verifySnapshot`.
- **Byzantine 3-validator rehearsal.** Currently deferred because mnemonics for the other two baked validator pubkeys (`0x24c664…` node3, `0xc8bc58…` node2) are not yet available. Was tracked as Mycelium EVM Balances for ETH (and WETH), USDC, USDT #156 (closed/deferred) — need to either obtain mnemonics + rehearse, or scope a multi-mnemonic dev/devnet swap.
- **Snapshot distribution path.** The ~20 MB JSONL is committed to the repo for reproducibility. Long-term plan was IPFS/CDN distribution post-clone — re-scope when comfortable.
References
- `forking/restore/RUNBOOK.md` §2.4 (`DEMOS_REQUIRE_VALIDATORS`)
- `forking/restore/PLAN.md`

Filed by Nesy-Claude per KYN-192.