Audit May 2026#439
Merged
Merged
Conversation
Currently the EL payload is not verified by Simplex. This is an optimization to avoid EL payload execution on the consensus hot path. Instead, the EL payload of notarized/finalized blocks is verified when the blocks are executed by the finalizer actor. If a block contains an invalid EL payload, Reth will reject and skip it. The block stays in Summit's chain in case it was a finalized block. Summit keeps track of Reth's forkchoice. The consequence of this is that Summit's height might be larger than Reth's height. This PR explores an alternative approach, where the EL payload is verified in CertifiableAutomaton::certify. This will prevent finalizations of blocks with invalid EL payload. Benchmarks show that this will reduce the blocks per second by around 5.9%. Changes: - Call check_payload in CertifiableAutomaton::certify - Discard notarized blocks in the finalizer actor if the EL payload is invalid (no chance of finalization) - Throw an error and initiate shutdown in the finalizer actor if a finalized block contains an invalid EL payload
Note: this PR builds on #167 because it addresses a similar edge case, and the code changes are overlapping. This addresses #181. Changes: - Refactors engine client to return errors and remove the expects calls. - In the application and finalizer, where engine client methods are called, handle errors with a graceful shutdown (transport errors are already retried inside of the engine client, only non-transport errors are returned).
…rce-removals (#168) The finalized header for an epoch will be created on the penultimate block of an epoch. This is because the finalized header has to be included in the last block of an epoch, so that the aggregated signature from the finalization certificate can be used to attest to the finalized header. Therefore, all the fields that will be included in the finalized header (including removed_validators) have to be calculated after processing the penultimate block of an epoch. Protocol parameter updates are processed on the last block of an epoch. If MinimumStake is increased, validators whose stake is below the new minimum stake will be removed. However, when the validators are removed on the last block of an epoch, they won't be included in the removed_validators field of the finalized header. Similarly, validators that are scheduled to join in a future epoch won't be removed from the added_validators map. When a joining validator wants to verify a checkpoint, they calculate the validator set for each epoch based on the validator deltas included in the finalized headers. Stake-bound force-removals would be missing from this delta, and pending validators whose participation was aborted before joining will be included wrongfully. Changes: - On the penultimate block of an epoch, it is checked if a protocol parameter change for the maximum or minimum stake is currently pending. If yes, the list of active validators whose stake is below the new minimum stake is calculated and added to removed_validators. The list of joining validators whose stake is below the new minimum stake is calculated and removed from added_validators. The actual handling of the protocol parameter updates is still done at the last block of an epoch to ensure that the protocol parameter updates are only effective for the new epoch. - If a protocol parameter request for MinimumStake arrives with the last block of an epoch, some validators could be removed, but the changes wouldn't be recorded in removed_validators. Therefore, protocol param requests arriving with the last block of an epoch will be buffered until the next epoch. - An e2e test test_removed_validators_at_epoch_boundary_stake_bound is added to verify that the finalized header's removed_validators field will include validators that were forcefully removed due to insufficient stake. - An e2e test test_joining_validator_activation_cancelled_on_stake_bound_force_removal is added to verify that if a joining validator is kicked before becoming active, they won't be included in the finalized header's added_validators field.
Note: this PR builds on #168 because it addresses a similar edge case, and the code changes are overlapping. This addresses #186. Withdrawals that are arriving on the last block of an epoch for joining validators that are awaiting their participation in the validator set have to be postponed until the next epoch. This avoids an edge case where the finalized header still includes them as an added validator for the next epoch, because it was created on the penultimate block of the epoch. Changes: - Buffer withdrawal requests for joining validators that arrive on the last block of an epoch until the next epoch. - Sets the status for validators whose participation was aborted to Inactive. - Adds an e2e test test_joining_validator_withdrawal_on_last_block_keeps_header_consistent that verifies that the finalized header is consistent even when a withdrawal for a joining validator arrives on the last block of an epoch. - Adds an e2e test test_joining_validator_withdrawal_inline_cancel_clears_status that verifies that the status of joining validators whose participation was aborted by a withdrawal request is correctly changed to Inactive.
This addresses #182. Changes: - Creates a new SummitAdminApi trait served on a separate listener bound to 127.0.0.1 and a separate admin port. - Moves the getDepositSignature endpoint to the new trait.
…ecks (#188) Note: this PR builds on #187 because it addresses a similar edge case, and the code changes are overlapping. This addresses #180. Changes: - When checking validator balances after changing MinimumStake, only validators without pending deposits are considered. - An e2e test test_stake_bound_skips_pending_deposit_placeholder is added that verifies that inactive validator accounts with zero balance and has_pending_deposit = true are skipped when enforcing stake bounds - An e2e test test_stake_bound_refunds_top_up_when_max_lowered_before_processing is added that verifies that when a top-up deposit is queued before a max stake reduction makes the post-top-up balance invalid, deposit processing refunds the top-up and leaves the validator's pre-top-up balance and flags untouched.
…ithdrawals (#208) Builds on #188 (which builds on #187). This addresses #204. Changes: - On the last block of an epoch, in case the min or max stake was changed, the pending_execution_requests will be peeked and validators that have an exit scheduled for the next epoch will be skipped when creating partial withdrawals. This ensures that a partial withdrawal won't block the validator exit. - Adds a unit test to verify the behavior.
This addresses #174. Changes: - Adds checks to ensure that a new joining validator can re-use an existing BLS key. - Adds an e2e test test_duplicate_bls_consensus_key_rejected that verifies that a deposit request with a duplicate BLS key is rejected. - Adds checks to ensure that a top-up deposit from an existing validator uses the same BLS key as the initial deposit. - Adds an e2e test test_top_up_deposit_with_mismatched_bls_key_rejected that verifies that a top-up deposit with a different BLS key is rejected.
Adds missing arguments for some tests that got lost in the last merge.
This addresses #183. Changes: -Adds a check to handle_verify to ensure post-boundary blocks have to be re-proposal blocks. -Adds a unit test rejects_non_reproposal_child_after_epoch_terminal_parent that verifies that a non-reproposal child is rejected after the epoch boundary.
Addresses #175. Changes: -Verifies that the prev_epoch_header_hash field on a proposed block matches the expected value. -Removes the unused block_value field from the block header.
…ain loop (#202) Building on #167 and #192. This addresses #197. Changes: -Removes retries of block execution in unbounded loop when the EL is syncing. -Introduces buffers for the notarized and finalized blocks. If the EL returns SYNCING, the block is buffered and the main loop of the finalizer actor can continue. The block buffers are drained periodically. The interval is FINALIZER_DRAIN_INTERVAL, currently set to 5 secs. -The buffers are unbounded. After either one of them reached FINALIZER_BUFFERED_BLOCKS_WARN_THRESHOLD, warnings will be fired through logs and metrics. -Regression tests are added to verify the correct behavior.
Builds on #202 (which builds on #167 and #192). This addresses #201. Changes: -Introduces an enum ParsedExecutionRequest with variants Valid(ExecutionRequest) and MalformedDeposit(MalformedDepositRequest). ExecutionRequest is the already existing execution request type, and MalformedDepositRequest is a new type for a deposit request with invalid keys. pub enum ParsedExecutionRequest { Valid(ExecutionRequest), MalformedDeposit(MalformedDepositRequest), } -Arriving execution requests are parsed into ParsedExecutionRequest first, and then processed. Malformed deposit requests will be rejected and a withdrawal will be initiated similarly to deposit requests that contain invalid signatures. -Unit tests are added to ensure that a malformed deposit request cannot drop valid same-entry deposit requests.
…#278) Addresses #245. Changes: -Split notifier handling for notarized execution vs finalized canonical execution. Keep notarized fork execution scoped to exact (height, digest) waiters. -On finalization, resolve all waiters at finalized heights: canonical digest gets true, losing/stale digests get false, future waiters remain pending. -Add fork-handling regression and edge tests for losing, duplicate, dropped, stale, and future waiters.
Addresses #242. Changes: -Add isolated DynamicEpocher snapshots with copy-on-write schedule storage. Keep actor live handles synchronized by publishing promoted fork schedules back to the canonical shared epocher. -Add regression and edge tests for snapshot isolation, live-handle propagation, and post-replace mutation isolation.
Didn't get updated during the last merge
Addresses #230. Changes: -Reject genesis and decoded consensus states with validator_minimum_stake > validator_maximum_stake -Validate protocol-parameter batches against the final prospective stake interval before applying them -Skip and drain invalid protocol-parameter batches without shutting down the finalizer
Addresses #248. Changes: -Adds explicit ExecutionRequestOrigin for current vs deferred request handling -Marks last-block deferred withdrawals as pending before buffering them -Allows deferred withdrawal replay through its own pending-withdrawal guard -Adds regression coverage for withdrawal-entry-before-deposit-entry ordering -Adds test test_last_block_withdrawal_before_same_block_deposit_not_dropped for verification
Addresses #229. Changes: -Key process-time new-validator deposit refunds with synthetic refund-only keys -Adds regression test test_process_time_invalid_new_validator_refund_does_not_merge_with_reused_pubkey_withdrawal
Addresses #260. Changes: -Preserve one internal proof result per requested key with Option. -Return keyed RPC results[] entries with proof or error. -Add a regression test for mixed valid/missing batched keys. -Update docs and the e2e proof verifier for the new response shape. -Adds unit test test_generate_state_proof_preserves_batch_cardinality_for_missing_keys .
Addresses #240. Changes: -Added --rpc-max-request-body-size. -Added --rpc-max-response-body-size. -Introduced shared default DEFAULT_RPC_BODY_LIMIT_BYTES = 50 MiB. -Applied configured limits to public/admin RPC and genesis RPC startup.
Addresses #241. Changes: -Add summit-deposit-v1 || PROTOCOL_VERSION || genesis_hash deposit domain. -Use the domain for RPC/admin signing and finalizer verification. -Update local deposit tooling and tests/helpers. -Add regression coverage for cross-genesis signature rejection. Note: once this is merged, we have to update seismic-viem and the Python client.
Addresses #259. Changes: -Add PENDING_EXECUTION_REQUESTS_ROOT (leaf 22) to the top-level tree with a subtree rebuilt like the other collections; collection root is mix_in_length(subtree.root(), count). -Each request blob is hashed as an SSZ byte list (hash_byte_list: pack into 32-byte chunks, merkleize, mix in byte length). -Thread through SszStateTree::rebuild and ConsensusState::rebuild_ssz_tree, and keep the subtree in sync on push_pending_execution_request / take_pending_execution_requests so capture_state_root reflects it.
Builds on #291. Addresses #258. Changes: -Add PENDING_CHECKPOINT as a single scalar leaf: the checkpoint digest when present, the zero hash when absent. No subtree or proof support - the field only needs to be bound into the root, not proven on-chain, and the digest already commits the checkpoint data via SHA-256. The tree takes the digest bytes, staying decoupled from the Checkpoint type. -set_pending_checkpoint / take_pending_checkpoint now update the leaf, and rebuild_ssz_tree passes the digest, so capture_state_root reflects it.
Addresses #336. Changes: -Add EngineConfig.observer_network_key: Option: the derived child key, Some only in observer mode -Set it in start_network_and_engine, deriving the child key once and reusing it for the RPC server's observer identity -Engine::new resolves a single effective node identity (child key in observer mode, master key otherwise) and uses it for the resolver me, broadcast buffer attribution, and finalizer self-lookup -Add regression test
Builds on #408. Addresses #348. Changes: -rpc builder: default to BatchRequestConfig::Limit(DEFAULT_RPC_MAX_BATCH_SIZE) in new/new_localhost; add a with_batch_limit setter (0 disables batching, n caps the batch). -RpcBodyLimits: add max_batch_size; thread it through the public, admin, and genesis start paths. -CLI: new --rpc-max-batch-size flag (default 50, 0 = disabled), wired into RpcBodyLimits; add the field to the e2e/testnet RunFlags literals. -test test_oversized_batch_is_rejected: a within-limit batch is served, an over-limit batch is rejected.
Addresses #233. Changes: -types/ssz_state_tree.rs — add KeyedFieldProof + verify(root, key, fields_per_item); add generate_withdrawal_keyed_field_proof_by_key and generate_validator_keyed_field_proof; add StateProofEntry { field, key: Option<_> }. -types/consensus_state_query.rs, finalizer/{actor,ingress}.rs — thread StateProofEntry through the GenerateStateProof response; by-pubkey field requests emit the keyed pair, all others key: None. -types/rpc.rs, rpc/server.rs — add key_proof: Option<SszProof> to StateProofResult (skip_serializing_if → JSON back-compatible). -node/src/bin/verify_consensus_state_proof.rs — TEST E: require key_proof, verify it on-chain, run the binding check, and assert a substituted pubkey is rejected. -docs/ssz-merklization.md — document the binding requirement and key_proof. -tests — new withdrawal_keyed_field_proof_binds_to_requested_pubkey covering honest binding, wrong-pubkey rejection, and the substitution forgery.
Addresses #305. Changes: -application/src/actor.rs (propose): return the digest to consensus first, then dispatch syncer.proposed(...) in a spawned "proposed" task. Delivery is still guaranteed (not lossy), so the block is reliably cached and broadcast, but it no longer sits on the proposal-response path or blocks the application loop. -application/src/actor.rs (verify): send the vote before syncer.verified(...).await (already runs in the spawned verify task), so the bounded send no longer gates the vote response.
#381) Addresses #321. Changes: -Bounds the number of IPC reconnect attempts in the engine client to 200. The engine client waits 100 millis between each attempt, so the total reconnect interval is around 20 seconds. Note: The finalizer is still deadlocked during these reconnect attempts, but that is acceptable. If the finalizer cannot connect to the engine API, it cannot perform meaningful work. Serving RPC requests is secondary in priority.
Addresses #249. Changes: -Track each fork state’s parent digest. -On finalization, keep only retained forks that descend from the finalized block. -Tombstone pruned fork digests so later waiters fail immediately. -Add a regression for A1 -> A2 followed by conflicting B1 finalization. -Added check that a finalized block extends the canonical chain. -Changes the finalization guard to if height != canonical_height + 1 || block.parent() != canonical_head. -The syncer sends finalized blocks in order, so if a finalized block arrived out of order, the finalizer will abort with an error. -Adds test for the scenario: notarize A1 -> A2 -> A3, then conflicting B1 finalizes, and A3 arrives as FinalizedBlock while canonical height is still 1
Addresses #227. Changes: -Add chain_domain(genesis_hash, namespace) in types/src/lib.rs: H("summit-chain-v1" || PROTOCOL_VERSION || genesis_hash || len(ns) || ns), mirroring deposit_signature_domain. -Add Genesis::genesis_hash() to centralize eth_genesis_hash parsing; reuse it in node/src/config.rs. -node/src/engine.rs: derive the consensus domain once in Engine::new and use it for the BLS scheme provider (signer and verifier) and the syncer/orchestrator namespace fields. -node/src/args.rs: derive the same domain for the P2P authentication namespace at both node startup paths. -types/src/checkpoint.rs: reconstruct the same domain in verify_checkpoint_chain so finalization certificates still verify. -Keep the finalizer and RPC namespaces raw, since deposit_signature_domain already folds in the genesis hash separately. -Add unit tests.
Addresses #329. Changes: -syncer store_finalization: reject the write if a different block already occupies the height (immutable archive can't replace, so fail-stop rather than form a half-updated stale-block/fresh-cert pair). -syncer try_dispatch_blocks: verify stored block.digest() == finalization.proposal.payload before reporting a finalized block at an epoch boundary; halt dispatch on mismatch. -finalizer: replace the epoch-boundary debug_assert! with a release-enforced check that fail-stops (cancels the node) before storing a finalized header. -test: test_finalizer_rejects_block_certificate_digest_mismatch — a boundary block paired with a certificate over a different digest must cancel the finalizer instead of storing a misbound header.
Addresses #340. Changes: -types: add pause_signature_domain(genesis_hash, namespace), sharing a new signature_domain(tag, …) helper with deposit_signature_domain (distinct summit-pause-v1 tag; deposit domain bytes unchanged). -rpc/auth: signed message is now summit-pause-v1:{scope_hex}:{action}:{timestamp}; verify_action takes the deployment scope. -rpc/server: SummitRpcServer stores pause_scope (hex of the pause domain), computed in new() from the genesis hash + namespace it already receives. -rpc/auth tests: thread the scope through existing tests; add rejects_other_deployment_scope (a signature for net-a is rejected on net-b). Note: I don't think a nonce is necessary, since the signed pause message contains a timestamp. The timestamp allows replays only in the freshness window. Since the pause is idempoitent, even a replay within the freshness window will not affect the network. The only realistic scenario is if the network is paused and unpaused inside of the freshness window of the pause message.. An attacker could replay the pause message to undo the unpause. However, this can be countered by unpausing the network again. It is also likely, that the intended network pause will outlast the freshness window of the pause message. Cross-deployment replays are an issue, so this PR adds the namespace and genesis hash to the signed message.
Addresses #235. Changes: -types/src/block.rs — Block::read now decodes SSZ directly from the buffer's contiguous chunk (buf.chunk()[..len] + buf.advance(len)) on the hot path (&[u8]/Bytes), instead of first copying the up-to-message-size payload into a temporary Vec. A contiguous-copy fallback is kept for non-contiguous buffers. The existing len > buf.remaining() guard is unchanged. Note: This PR doesn't add any max encoded block/header size enforcement, because we already have max_message_size_bytes. Furthermore, the len > buf.remaining() check rejects an oversized prefix before any allocation.
Addresses #359. Changes: -Updates comments and logs related to height notifications for parent blocks in Message::Certify and Message::Verify.
Addresses #254. Fixes proposer timestamp selection when the parent timestamp is near the verifier future-window limit. Changes: -Wait before building a payload until parent.timestamp + 1 is acceptable under now + allowed_timestamp_future_ms. -Keep child timestamps monotonic by selecting max(now, parent.timestamp + 1) after the wait. -Add focused tests for wait and no-wait timestamp selection. -Abandon proposal when timestamp wait exceeds leader timeout. -Add unit tests.
…276) Builds on #275. Addresses #226 and #234. Changes: -Separates deposit-refund withdrawals from validator withdrawals in scheduling and emission. Refunds now use the refund schedule while validator exits keep priority under their own withdrawal budget, preventing invalid-deposit refunds from consuming validator-exit capacity. -Introduces a protocol parameter InvalidDepositTax. Invalid deposit refunds are now split into a net refund to the depositor withdrawal credentials and a tax amount to the configured treasury address. This removes a ddos vector, where people can spam the network with invalid deposit requests. -Adds validation to the withdrawal queue invariants on decode. -Make max_withdrawals_per_epoch a total cap with exit priority.
Builds on #276 (which builds on #275). Addresses #374. Changes: -Guard the Inactive deposit branch on account.balance > 0 to distinguish a staged-removal validator (still holds a credited balance) from a new-validator placeholder (balance 0). For the former, withdraw the full credited balance (balance_deduction = balance), refund the top-up separately, and let the completion path remove the account. Placeholders and active top-ups are unaffected. -Add regression test test_last_block_topup_does_not_drop_staged_removal_balance. -Refund staged-removal top-up untaxed.
…acts to verified chain (#422) Builds on #402. Addresses #214. Changes: -Require verification by default. run_node_inner now panics when a checkpoint is supplied without a finalized-headers chain to verify against, instead of warning and continuing. -Add --unsafe-skip-checkpoint-verification (RunFlags, requires --checkpoint-path) as the explicit opt-out for importing a checkpoint without verification artifacts; logs a loud UNSAFE warning when used. -Bind last_block to the verified chain. On the verified path, require last_block.digest() == terminal.finalization().proposal.payload (the verified chain terminal), panicking on mismatch. -Use the signature-verified terminal as the completion finalization. Replace the separately-loaded, unverified top-level finalized_header with the chain terminal FinalizedHeader (whose certificate was verified by -verify_checkpoint_chain) before handing it to the syncer. -Cover checkpoint startup policy and harden artifact binding.
Addresses #318. Changes: -node/args.rs: run_node_local now returns Handle<anyhow::Result<()>> and run_node_local_inner returns the supervise_node_tasks outcome instead of logging-and-swallowing it. Still no process::exit there (would orphan the child reth processes) — the caller decides. -e2e scenario binaries (stake_and_checkpoint, stake_and_join_with_outdated_ckpt, withdraw_and_exit, sync_from_genesis, observer, verify_consensus_state_proof, protocol_params): each node spawn closure now fails the scenario (eprintln + exit(1)) when run_node_local returns Err. Safe against the intentionally-exiting withdrawn/stopped nodes, which take a coordinated-shutdown path and return Ok. Required making the spawn closures move (the message captures the Copy node index). -node/bin/testnet.rs: try_join_all now inspects each node's inner Result and logs failures.
Note: this PR builds on #190 because it addresses a similar edge case, and the code changes are overlapping. This addresses #184. We currently don't support blobs, so this PR adds checks that reject blob-bearing transactions. Changes: -Adds checks to handle_verify that ensure that blob_gas_used is 0. -Adds a unit test to ensure that blocks with blob_gas_used > 0 are rejected.
Builds on #191 (which builds on #190). This addresses #200. Changes: -Adds a check for the fee recipient to handle_verify. This check is only performed, if the treasury_address is non-zero. If the treasury_address is set to the zero address, then block proposers may chose any fee recipient. -Adds unit tests for verifying this.
…#417) Addresses #314. Changes: -types/consensus_state.rs — drop the capacity hint for deposit_queue, protocol_param_changes, added_validators inner, removed_validators, pending_execution_requests -types/withdrawal.rs — drop it for the schedule pubkeys queue -types/dynamic_epocher.rs — drop it for segments (kept the existing segments_len == 0 reject) -Collections now grow on push; the loops already bail on the first EndOfBuffer, so only genuinely decoded elements are ever allocated -Bound captured_bytes decode allocation by remaining bytes -Added 3 regression tests asserting a huge nested count fails cheaply without pre-allocating (consensus_state, withdrawal schedule, dynamic_epocher)
#423) Builds on #422 (which builds on #402) Addresses #216. Changes: -types/src/checkpoint.rs: add Step 5 to verify_checkpoint_chain_with_weak_subjectivity binding the decoded queues to the terminal header's committed deltas — require checkpoint_state.get_added_validators(next_epoch) to equal terminal.added_validators() and checkpoint_state.get_removed_validators() to equal terminal.removed_validators() (order-normalized), rejecting mismatches with a new CheckpointVerificationError::CheckpointTransitionQueueMismatch. -Document the inherent residual: pending additions for epochs beyond next_epoch (possible when validator warm-up spans more than one epoch) are committed by finalized headers after the terminal and cannot be authenticated by a chain ending at this epoch; they are bound only once the next epoch's boundary header is verified. -Test: add test_checkpoint_verifier_binds_transition_queues_to_terminal_header (honest empty-queue checkpoint verifies; a checkpoint carrying a pending removed_validators entry while the terminal header commits an empty set is rejected, with hash/membership/position checks still passing). Parameterize checkpoint_verification_fixture with the checkpoint's removed_validators queue and update its callers.
…425) Builds on #423 (which builds on #422 and #402). Addresses #217. Changes: -Step 3 now accumulates a node-key to BLS-key map and requires each checkpoint account's consensus_public_key to equal the BLS key accumulated for that node from the verified history. Mismatch returns the new CheckpointConsensusKeyMismatch error variant. The reverse membership check uses the same map. -Add test_checkpoint_verifier_binds_consensus_keys_to_terminal_header covering both directions: the honest case (accounts carry the real, accumulated consensus keys and verify) and a swapped consensus key (rejected with CheckpointConsensusKeyMismatch). The shared checkpoint_verification_fixture gains a tamper_consensus_key parameter that swaps one active account's stored consensus key while leaving its node key, status, and the accumulated set intact. -Bind checkpoint consensus keys to the verified terminal header.
Builds on #426 (which builds on #425, #423, #422, and #402). Addresses #311. This only adds test coverage, the issue is not reachable. The decoded ConsensusState, including every validator_accounts entry, is committed by checkpoint.data, which verify_checkpoint_chain binds to the terminal finalized header via checkpoint_hash == sha256(checkpoint.data). Appending a Joining account changes the digest, so the tampered checkpoint no longer matches the honest terminal header and is rejected at Step 2. Changes: -types/src/checkpoint.rs: test_checkpoint_verifier_rejects_extra_joining_account — reproduces the attack directly. It decodes the honest checkpoint, injects an extra Joining account (leaving the active signing set untouched), re-encodes, and asserts verify_checkpoint_chain rejects it with CheckpointHashMismatch. -application/src/actor.rs: rejects_block_with_mismatched_checkpoint_hash — the consensus-layer half. It mirrors accepts_ordinary_child_inside_epoch, changing only the block's checkpoint_hash, and asserts handle_verify returns false, isolating the checkpoint_hash check as the sole cause.
…435) Addresses #236. Changes: -Adds test_checkpoint_join_replays_and_seeds_finalized_header, covering the SyncCheckpoint startup-replay path where a checkpoint join carrying last_block + finalized_header seeds the checkpoint epoch's finalized header into finalizer storage, via the syncer's pre-consensus replay of the terminal block, before the consensus loop starts.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This branch contains all the fixes from the recent audit.