Ethereum is migrating to its newest fork, Pectra. To make sure the fork is secure, the Ethereum Foundation is hosting an attackathon on Cantina covering all Pectra-specific changes, with most Ethereum clients in scope, including the Ethereum consensus client Lighthouse. The vulnerability covered here would lead to a split of Lighthouse nodes from Ethereum, breaking consensus.
Lighthouse had parallelized validator updates because changes made to one validator did not affect the others. The Electra upgrade introduced consolidations, which allow for exits straight to another validator. Naturally, these two things collide, and the development team noticed this.
To make this work with the parallelization strategy, called single-pass epoch processing, the function process_effective_balance_updates was rerun on each validator index. Unfortunately, other functions with side effects run between these runs, so running it multiple times leads to different results! Word of the day: hysteresis - a property lagging behind the changes in the effect causing it.
A very detailed scenario is described in which Lighthouse differs from the specification. Because of the multiple updates, a node would end up with a different effective balance than it should. If Lighthouse were the only software in use, this wouldn't be a huge deal. However, since it has to be perfectly aligned with the other clients, this is a problem.
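The effect of hysteresis on a rerun update, as an added example (a simplified model, not Lighthouse's code or code from the write-up). It uses the hysteresis rule and mainnet preset constants from the consensus specification; the helper names and the balance snapshots are constructed, with the drop between snapshots standing in for a side effect that runs between the two updates.

```python
# Simplified single-validator model of the effective balance update (Gwei).
ETH = 10**9
EFFECTIVE_BALANCE_INCREMENT = 10**9
HYSTERESIS_QUOTIENT = 4
HYSTERESIS_DOWNWARD_MULTIPLIER = 1
HYSTERESIS_UPWARD_MULTIPLIER = 5

HYSTERESIS_INCREMENT = EFFECTIVE_BALANCE_INCREMENT // HYSTERESIS_QUOTIENT
DOWNWARD_THRESHOLD = HYSTERESIS_INCREMENT * HYSTERESIS_DOWNWARD_MULTIPLIER  # 0.25 ETH
UPWARD_THRESHOLD = HYSTERESIS_INCREMENT * HYSTERESIS_UPWARD_MULTIPLIER      # 1.25 ETH


def update_effective_balance(balance, effective_balance, max_eb):
    """One application of the hysteresis rule for a single validator."""
    if (balance + DOWNWARD_THRESHOLD < effective_balance
            or effective_balance + UPWARD_THRESHOLD < balance):
        return min(balance - balance % EFFECTIVE_BALANCE_INCREMENT, max_eb)
    return effective_balance


def apply_once(final_balance, effective_balance, max_eb):
    """Spec-style: a single update using the balance after all side effects."""
    return update_effective_balance(final_balance, effective_balance, max_eb)


def apply_per_snapshot(snapshots, effective_balance, max_eb):
    """Hypothetical rerun: update again on every intermediate balance."""
    for balance in snapshots:
        effective_balance = update_effective_balance(balance, effective_balance, max_eb)
    return effective_balance


# Constructed scenario: effective balance starts at 32 ETH; the balance is
# 33.5 ETH at the first update and 33 ETH once an intervening step has run.
MAX_EB = 2048 * ETH
START_EB = 32 * ETH
SNAPSHOTS = [33 * ETH + ETH // 2, 33 * ETH]


def demo():
    """Return (single-update result, rerun result) for the scenario above."""
    once = apply_once(SNAPSHOTS[-1], START_EB, MAX_EB)
    rerun = apply_per_snapshot(SNAPSHOTS, START_EB, MAX_EB)
    return once, rerun


if __name__ == "__main__":
    once, rerun = demo()
    print(f"single update: {once // ETH} ETH, rerun: {rerun // ETH} ETH")
```

The rerun crosses the upward threshold on the intermediate balance and then stays there, because the later balance is not far enough below to trigger the downward threshold. A differential test that compares both paths over many balance sequences catches this class of divergence.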
To fix the vulnerability, single-pass epoch processing only happens on validators unaffected by the consolidations. All nodes affected by consolidations are processed before updating their effective balances. They also mention adding specification and fault injection tests around this to try to find other variants of it. Overall, a great find and an amazing write-up about it.