New staking - part 1 and 2 - SWIP-19 and 20 combined #252
Conversation
… add one more scenario
0xCardinalError
changed the title
There was a problem hiding this comment.
fundamental issues with how stake is queried, in its current form allows for a critical exploit: it is possible to play with several overlays derived from the same address simultaneously while using only one stake. This is easily fixable by passing the overlay as well as an argument (to functions called from redis contract to validate stake of a node) and checking the overlay against the one recorded to the address currently.
The chosen implementation (see discussion on research internal) is probably the best option but it requires extensive changes in the interfaces therefore the most work for the bee team. Also it needs a thorough change to the SWIP-19
zelig
changed the title
zelig
changed the title
0xCardinalError
force-pushed
the
new_staking
branch
from
bfc493e to
ad14c60
Compare
There was a problem hiding this comment.
i took back the attack story, the overlay is checked here
storage-incentives/src/Redistribution.sol
Line 303 in 25e7b18
but still issues left
src/Staking.sol
Outdated
|
|
||
| stakes[msg.sender].overlay = overlay; | ||
| stakes[msg.sender].lastUpdatedBlockNumber = block.number; | ||
| emit OverlayChanged(msg.sender, overlay); |
There was a problem hiding this comment.
overlay can be changed in depositStake function as well, but this event is not omitted. I would remove this function and if overlay changes in depositStake this event should be emitted. having two function to do the same and only one keeping track with one specific change leads to confusion.
| uint64 cr = currentRound(); | ||
| bytes32 _overlay = Stakes.overlayOfAddress(msg.sender); |
I made response on this earlier but seems it been missed so I will copy paste it here also at @nugaon @zelig "Did some measurements... |
…act, so there is no msg.sender
…ngs, remove overlay change
|
First, is there going to be a migration of the existing stakes from overlay-based to owner-based? And if so, has anyone given thought (or better yet, a test) to what happens with multiple abandoned overlay-based stakes that are all owned by a single account? This happens when people keep their keys, but delete the rest of their data-dir causing a new overlay to be generated from the original account. See this (short) conversation in Discord. Start at the link and follow the replies backwards in time. |
yes, there will be migration but basically it will be from users/operators side and we will need to write instructions on that and communicate them. Basically old contract would be paused, nodes would be taking funds out and could put them in new contract for staking. About abandoned overlays, if the user has private key of the address used for that node he should be able to take funds out, if he knows the overlay, he can just input it and take funds out. |
0xCardinalError
changed the title
0xCardinalError
changed the title
This implements the feature allowing staked nodes to change their overlay without restaking (called neighbourhood hopping, see SWIP-19)
Implemented by changing stake registry to be keyed with node address instead of node overlay.