Fork Choice Bugfix Disclosure

Brief description

Starting in April 2022, EF researchers and client teams began investigating a class of fork choice attacks that were able to cause long reorgs. In general, these attacks exploited the fact that FFG information is processed on-chain only at epoch boundaries. Two types of attacks were found: unrealized justification reorgs & justification withholding reorgs (description in changelog below).

The fixes for these attacks were proposed by June 2022, and the security analysis was conducted over the next ~7 months. Subsequently, the specification, client implementation, and testing was conducted in early 2023. Notably, the merge-ready releases of all clients implemented a version of the fixes that addressed unrealized justification reorgs.

In addition to the efforts of CL client teams and various EF researchers, ConsenSys’ Dependable Distributed Systems team (led by @saltiniroberto) was engaged for research, specification, and security analysis of the fixes.

Changelog

Acknowledgements

This release marks the culmination of R&D around a lineage of bugs, which have been worked on for the past ~1 year. A lot of time & effort has been spent on this release by many people, and we thank you for your hard work!

Appendix

Proofs

For increased confidence in the bugfixes, we provide these attached proofs describing the safety properties of the spec changes.