Doppelganger detection (#2230)

## Issue Addressed Resolves #2069 ## Proposed Changes - Adds a `--doppelganger-detection` flag - Adds a `lighthouse/seen_validators` endpoint, which will make it so the lighthouse VC is not interopable with other client beacon nodes if the `--doppelganger-detection` flag is used, but hopefully this will become standardized. Relevant Eth2 API repo issue: https://github.com/ethereum/eth2.0-APIs/issues/64 - If the `--doppelganger-detection` flag is used, the VC will wait until the beacon node is synced, and then wait an additional 2 epochs. The reason for this is to make sure the beacon node is able to subscribe to the subnets our validators should be attesting on. I think an alternative would be to have the beacon node subscribe to all subnets for 2+ epochs on startup by default. ## Additional Info I'd like to add tests and would appreciate feedback. TODO: handle validators started via the API, potentially make this default behavior Co-authored-by: realbigsean <seananderson33@gmail.com> Co-authored-by: Michael Sproul <michael@sigmaprime.io> Co-authored-by: Paul Hauner <paul@paulhauner.com>
2026-03-21 13:54:44 +00:00 · 2021-07-31 03:50:52 +00:00
parent 834ee98bc2
commit c5786a8821
38 changed files with 2302 additions and 201 deletions
--- a/validator_client/src/lib.rs
+++ b/validator_client/src/lib.rs
@@ -13,6 +13,7 @@ mod key_cache;
 mod notifier;
 mod validator_store;

+mod doppelganger_service;
 pub mod http_api;

 pub use cli::cli_app;
@@ -23,6 +24,7 @@ use monitoring_api::{MonitoringHttpClient, ProcessType};
 use crate::beacon_node_fallback::{
    start_fallback_updater_service, BeaconNodeFallback, CandidateBeaconNode, RequireSynced,
 };
+use crate::doppelganger_service::DoppelgangerService;
 use account_utils::validator_definitions::ValidatorDefinitions;
 use attestation_service::{AttestationService, AttestationServiceBuilder};
 use block_service::{BlockService, BlockServiceBuilder};
@@ -61,9 +63,12 @@ const WAITING_FOR_GENESIS_POLL_TIME: Duration = Duration::from_secs(12);
 /// This can help ensure that proper endpoint fallback occurs.
 const HTTP_ATTESTATION_TIMEOUT_QUOTIENT: u32 = 4;
 const HTTP_ATTESTER_DUTIES_TIMEOUT_QUOTIENT: u32 = 4;
+const HTTP_LIVENESS_TIMEOUT_QUOTIENT: u32 = 4;
 const HTTP_PROPOSAL_TIMEOUT_QUOTIENT: u32 = 2;
 const HTTP_PROPOSER_DUTIES_TIMEOUT_QUOTIENT: u32 = 4;

+const DOPPELGANGER_SERVICE_NAME: &str = "doppelganger";
+
 #[derive(Clone)]
 pub struct ProductionValidatorClient<T: EthSpec> {
    context: RuntimeContext<T>,
@@ -71,7 +76,8 @@ pub struct ProductionValidatorClient<T: EthSpec> {
    fork_service: ForkService<SystemTimeSlotClock, T>,
    block_service: BlockService<SystemTimeSlotClock, T>,
    attestation_service: AttestationService<SystemTimeSlotClock, T>,
-    validator_store: ValidatorStore<SystemTimeSlotClock, T>,
+    doppelganger_service: Option<Arc<DoppelgangerService>>,
+    validator_store: Arc<ValidatorStore<SystemTimeSlotClock, T>>,
    http_api_listen_addr: Option<SocketAddr>,
    http_metrics_ctx: Option<Arc<http_metrics::Context<T>>>,
    config: Config,
@@ -254,6 +260,7 @@ impl<T: EthSpec> ProductionValidatorClient<T> {
                    Timeouts {
                        attestation: slot_duration / HTTP_ATTESTATION_TIMEOUT_QUOTIENT,
                        attester_duties: slot_duration / HTTP_ATTESTER_DUTIES_TIMEOUT_QUOTIENT,
+                        liveness: slot_duration / HTTP_LIVENESS_TIMEOUT_QUOTIENT,
                        proposal: slot_duration / HTTP_PROPOSAL_TIMEOUT_QUOTIENT,
                        proposer_duties: slot_duration / HTTP_PROPOSER_DUTIES_TIMEOUT_QUOTIENT,
                    }
@@ -313,14 +320,27 @@ impl<T: EthSpec> ProductionValidatorClient<T> {
            .log(log.clone())
            .build()?;

-        let validator_store: ValidatorStore<SystemTimeSlotClock, T> = ValidatorStore::new(
-            validators,
-            slashing_protection,
-            genesis_validators_root,
-            context.eth2_config.spec.clone(),
-            fork_service.clone(),
-            log.clone(),
-        );
+        let doppelganger_service = if config.enable_doppelganger_protection {
+            Some(Arc::new(DoppelgangerService::new(
+                context
+                    .service_context(DOPPELGANGER_SERVICE_NAME.into())
+                    .log()
+                    .clone(),
+            )))
+        } else {
+            None
+        };
+
+        let validator_store: Arc<ValidatorStore<SystemTimeSlotClock, T>> =
+            Arc::new(ValidatorStore::new(
+                validators,
+                slashing_protection,
+                genesis_validators_root,
+                context.eth2_config.spec.clone(),
+                fork_service.clone(),
+                doppelganger_service.clone(),
+                log.clone(),
+            ));

        info!(
            log,
@@ -339,7 +359,6 @@ impl<T: EthSpec> ProductionValidatorClient<T> {
        let duties_service = Arc::new(DutiesService {
            attesters: <_>::default(),
            proposers: <_>::default(),
-            indices: <_>::default(),
            slot_clock: slot_clock.clone(),
            beacon_nodes: beacon_nodes.clone(),
            validator_store: validator_store.clone(),
@@ -369,7 +388,7 @@ impl<T: EthSpec> ProductionValidatorClient<T> {

        let attestation_service = AttestationServiceBuilder::new()
            .duties_service(duties_service.clone())
-            .slot_clock(slot_clock)
+            .slot_clock(slot_clock.clone())
            .validator_store(validator_store.clone())
            .beacon_nodes(beacon_nodes.clone())
            .runtime_context(context.service_context("attestation".into()))
@@ -381,12 +400,16 @@ impl<T: EthSpec> ProductionValidatorClient<T> {
        // of making too many changes this close to genesis (<1 week).
        wait_for_genesis(&beacon_nodes, genesis_time, &context).await?;

+        // Ensure all validators are registered in doppelganger protection.
+        validator_store.register_all_in_doppelganger_protection_if_enabled()?;
+
        Ok(Self {
            context,
            duties_service,
            fork_service,
            block_service,
            attestation_service,
+            doppelganger_service,
            validator_store,
            config,
            http_api_listen_addr: None,
@@ -419,6 +442,20 @@ impl<T: EthSpec> ProductionValidatorClient<T> {
            .start_update_service(&self.context.eth2_config.spec)
            .map_err(|e| format!("Unable to start attestation service: {}", e))?;

+        if let Some(doppelganger_service) = self.doppelganger_service.clone() {
+            DoppelgangerService::start_update_service(
+                doppelganger_service,
+                self.context
+                    .service_context(DOPPELGANGER_SERVICE_NAME.into()),
+                self.validator_store.clone(),
+                self.duties_service.beacon_nodes.clone(),
+                self.duties_service.slot_clock.clone(),
+            )
+            .map_err(|e| format!("Unable to start doppelganger service: {}", e))?
+        } else {
+            info!(log, "Doppelganger protection disabled.")
+        }
+
        spawn_notifier(self).map_err(|e| format!("Failed to start notifier: {}", e))?;

        let api_secret = ApiSecret::create_or_open(&self.config.validator_dir)?;