Implement weak subjectivity safety checks (#7347)

Closes #7273 https://github.com/ethereum/consensus-specs/pull/4179 Co-Authored-By: Eitan Seri-Levi <eserilev@ucsc.edu> Co-Authored-By: Eitan Seri- Levi <eserilev@gmail.com> Co-Authored-By: Michael Sproul <michaelsproul@users.noreply.github.com> Co-Authored-By: dapplion <35266934+dapplion@users.noreply.github.com>
2026-05-30 20:57:10 +00:00 · 2026-02-10 13:52:52 -08:00
parent a1176e77be
commit 56eb81a5e0
12 changed files with 222 additions and 15 deletions
--- a/beacon_node/beacon_chain/src/builder.rs
+++ b/beacon_node/beacon_chain/src/builder.rs
@@ -41,7 +41,7 @@ use std::sync::Arc;
 use std::time::Duration;
 use store::{Error as StoreError, HotColdDB, ItemStore, KeyValueStoreOp};
 use task_executor::{ShutdownReason, TaskExecutor};
-use tracing::{debug, error, info};
+use tracing::{debug, error, info, warn};
 use tree_hash::TreeHash;
 use types::data::CustodyIndex;
 use types::{
@@ -848,6 +848,33 @@ where
            ));
        }

+        // Check if the head snapshot is within the weak subjectivity period
+        let head_state = &head_snapshot.beacon_state;
+        let Ok(ws_period) = head_state.compute_weak_subjectivity_period(&self.spec) else {
+            return Err(format!(
+                "Unable to compute the weak subjectivity period at the head snapshot slot: {:?}",
+                head_state.slot()
+            ));
+        };
+        if current_slot.epoch(E::slots_per_epoch())
+            > head_state.slot().epoch(E::slots_per_epoch()) + ws_period
+        {
+            if self.chain_config.ignore_ws_check {
+                warn!(
+                    head_slot=%head_state.slot(),
+                    %current_slot,
+                    "The current head state is outside the weak subjectivity period. You are currently running a node that is susceptible to long range attacks. \
+                    It is highly recommended to purge your db and checkpoint sync. For more information please \
+                    read this blog post: https://blog.ethereum.org/2014/11/25/proof-stake-learned-love-weak-subjectivity"
+                )
+            }
+            return Err(
+                "The current head state is outside the weak subjectivity period. A node in this state is susceptible to long range attacks. You should purge your db and \
+                checkpoint sync. For more information please read this blog post: https://blog.ethereum.org/2014/11/25/proof-stake-learned-love-weak-subjectivity \
+                If you understand the risks, it is possible to ignore this error with the --ignore-ws-check flag.".to_string()
+            );
+        }
+
        let validator_pubkey_cache = self
            .validator_pubkey_cache
            .map(|mut validator_pubkey_cache| {
--- a/beacon_node/beacon_chain/src/chain_config.rs
+++ b/beacon_node/beacon_chain/src/chain_config.rs
@@ -117,6 +117,8 @@ pub struct ChainConfig {
    /// On Holesky there is a block which is added to this set by default but which can be removed
    /// by using `--invalid-block-roots ""`.
    pub invalid_block_roots: HashSet<Hash256>,
+    /// When set to true, the beacon node can be started even if the head state is outside the weak subjectivity period.
+    pub ignore_ws_check: bool,
    /// Disable the getBlobs optimisation to fetch blobs from the EL mempool.
    pub disable_get_blobs: bool,
    /// The node's custody type, determining how many data columns to custody and sample.
@@ -160,6 +162,7 @@ impl Default for ChainConfig {
            block_publishing_delay: None,
            data_column_publishing_delay: None,
            invalid_block_roots: HashSet::new(),
+            ignore_ws_check: false,
            disable_get_blobs: false,
            node_custody_type: NodeCustodyType::Fullnode,
        }
--- a/beacon_node/beacon_chain/tests/payload_invalidation.rs
+++ b/beacon_node/beacon_chain/tests/payload_invalidation.rs
@@ -6,7 +6,7 @@ use beacon_chain::{
    INVALID_JUSTIFIED_PAYLOAD_SHUTDOWN_REASON, NotifyExecutionLayer, OverrideForkchoiceUpdate,
    StateSkipConfig, WhenSlotSkipped,
    canonical_head::{CachedHead, CanonicalHead},
-    test_utils::{BeaconChainHarness, EphemeralHarnessType},
+    test_utils::{BeaconChainHarness, EphemeralHarnessType, test_spec},
 };
 use execution_layer::{
    ExecutionLayer, ForkchoiceState, PayloadAttributes,
@@ -42,14 +42,11 @@ struct InvalidPayloadRig {

 impl InvalidPayloadRig {
    fn new() -> Self {
-        let spec = E::default_spec();
+        let spec = test_spec::<E>();
        Self::new_with_spec(spec)
    }

-    fn new_with_spec(mut spec: ChainSpec) -> Self {
-        spec.altair_fork_epoch = Some(Epoch::new(0));
-        spec.bellatrix_fork_epoch = Some(Epoch::new(0));
-
+    fn new_with_spec(spec: ChainSpec) -> Self {
        let harness = BeaconChainHarness::builder(MainnetEthSpec)
            .spec(spec.into())
            .chain_config(ChainConfig {
--- a/beacon_node/beacon_chain/tests/store_tests.rs
+++ b/beacon_node/beacon_chain/tests/store_tests.rs
@@ -117,6 +117,7 @@ fn get_harness_import_all_data_columns(
 ) -> TestHarness {
    // Most tests expect to retain historic states, so we use this as the default.
    let chain_config = ChainConfig {
+        ignore_ws_check: true,
        reconstruct_historic_states: true,
        ..ChainConfig::default()
    };
--- a/beacon_node/beacon_chain/tests/tests.rs
+++ b/beacon_node/beacon_chain/tests/tests.rs
@@ -15,7 +15,8 @@ use state_processing::EpochProcessingError;
 use state_processing::{per_slot_processing, per_slot_processing::Error as SlotProcessingError};
 use std::sync::LazyLock;
 use types::{
-    BeaconState, BeaconStateError, BlockImportSource, Checkpoint, EthSpec, Hash256, MinimalEthSpec,
+    BeaconState, BeaconStateError, BlockImportSource, ChainSpec, Checkpoint,
+    DEFAULT_PRE_ELECTRA_WS_PERIOD, EthSpec, ForkName, Hash256, MainnetEthSpec, MinimalEthSpec,
    RelativeEpoch, Slot,
 };

@@ -38,6 +39,27 @@ fn get_harness(validator_count: usize) -> BeaconChainHarness<EphemeralHarnessTyp
    )
 }

+fn get_harness_with_spec(
+    validator_count: usize,
+    spec: &ChainSpec,
+) -> BeaconChainHarness<EphemeralHarnessType<MainnetEthSpec>> {
+    let chain_config = ChainConfig {
+        reconstruct_historic_states: true,
+        ..Default::default()
+    };
+    let harness = BeaconChainHarness::builder(MainnetEthSpec)
+        .spec(spec.clone().into())
+        .chain_config(chain_config)
+        .keypairs(KEYPAIRS[0..validator_count].to_vec())
+        .fresh_ephemeral_store()
+        .mock_execution_layer()
+        .build();
+
+    harness.advance_slot();
+
+    harness
+}
+
 fn get_harness_with_config(
    validator_count: usize,
    chain_config: ChainConfig,
@@ -1083,3 +1105,28 @@ async fn pseudo_finalize_with_lagging_split_update() {
    let expect_true_migration = false;
    pseudo_finalize_test_generic(epochs_per_migration, expect_true_migration).await;
 }
+
+#[tokio::test]
+async fn test_compute_weak_subjectivity_period() {
+    type E = MainnetEthSpec;
+    let expected_ws_period_pre_electra = DEFAULT_PRE_ELECTRA_WS_PERIOD;
+    let expected_ws_period_post_electra = 256;
+
+    // test Base variant
+    let spec = ForkName::Altair.make_genesis_spec(E::default_spec());
+    let harness = get_harness_with_spec(VALIDATOR_COUNT, &spec);
+    let head_state = harness.get_current_state();
+
+    let calculated_ws_period = head_state.compute_weak_subjectivity_period(&spec).unwrap();
+
+    assert_eq!(calculated_ws_period, expected_ws_period_pre_electra);
+
+    // test Electra variant
+    let spec = ForkName::Electra.make_genesis_spec(E::default_spec());
+    let harness = get_harness_with_spec(VALIDATOR_COUNT, &spec);
+    let head_state = harness.get_current_state();
+
+    let calculated_ws_period = head_state.compute_weak_subjectivity_period(&spec).unwrap();
+
+    assert_eq!(calculated_ws_period, expected_ws_period_post_electra);
+}