Fix cross-block false double-sign detection in sequential consensus

0xZunia · 0xZunia · commit 3f66fea351ed · 2026-02-20T21:45:19.000+01:00
The _proposalsByView dictionary was keyed by (view, proposer) without
block number. After a view change bumps view to V for block N-1, and
then StartRound(N) sets view = N where N == V, the old entry from
block N-1 collides with the new proposal for block N. This causes false
double-sign detection because the hashes differ (different blocks).

Fix: include block number in the key → (view, block, proposer). Proposals
for different blocks at the same view no longer collide. Genuine double-
signs (same view + same block + same proposer + different hashes) are
still detected correctly.
diff --git a/src/node/Basalt.Node/NodeCoordinator.cs b/src/node/Basalt.Node/NodeCoordinator.cs
@@ -98,9 +98,12 @@ public sealed class NodeCoordinator : IAsyncDisposable
     // N-14: Cap block request count to prevent resource exhaustion
     private const int MaxBlockRequestCount = 100;
 
-    // N-17: Thread-safe double-sign detection: keyed by (view, proposer) to avoid false positives
-    // when different proposers propose for the same view after a view change.
-    private readonly ConcurrentDictionary<(ulong View, PeerId Proposer), Hash256> _proposalsByView = new();
+    // N-17: Thread-safe double-sign detection: keyed by (view, block, proposer).
+    // Block number is included because view numbers can collide across blocks:
+    // after a view change bumps view to V, and then StartRound(V) reuses the same
+    // view number for the next block, old entries from the previous block would
+    // cause false double-sign detection without the block dimension.
+    private readonly ConcurrentDictionary<(ulong View, ulong Block, PeerId Proposer), Hash256> _proposalsByView = new();
 
     // Identity
     private byte[] _privateKey = [];
@@ -1146,7 +1149,7 @@ private void HandleConsensusProposal(PeerId sender, ConsensusProposalMessage pro
 
         if (proposal.BlockNumber == currentBlock)
         {
-            var proposalKey = (proposal.ViewNumber, proposal.SenderId);
+            var proposalKey = (proposal.ViewNumber, proposal.BlockNumber, proposal.SenderId);
             if (_slashingEngine != null && _proposalsByView.TryGetValue(proposalKey, out var existingHash))
             {
                 if (existingHash != proposal.BlockHash)
@@ -1155,8 +1158,8 @@ private void HandleConsensusProposal(PeerId sender, ConsensusProposalMessage pro
                     if (proposerInfo != null)
                     {
                         _slashingEngine.SlashDoubleSign(proposerInfo.Address, proposal.BlockNumber, existingHash, proposal.BlockHash);
-                        _logger.LogWarning("Double-sign detected from validator {Address} at view {View}",
-                            proposerInfo.Address, proposal.ViewNumber);
+                        _logger.LogWarning("Double-sign detected from validator {Address} at view {View} block {Block}",
+                            proposerInfo.Address, proposal.ViewNumber, proposal.BlockNumber);
                     }
                 }
             }

Original file line number	Diff line number	Diff line change
`@@ -98,9 +98,12 @@ public sealed class NodeCoordinator : IAsyncDisposable`
`98`	`98`	`// N-14: Cap block request count to prevent resource exhaustion`
`99`	`99`	`private const int MaxBlockRequestCount = 100;`
`100`	`100`
`101`		`- // N-17: Thread-safe double-sign detection: keyed by (view, proposer) to avoid false positives`
`102`		`- // when different proposers propose for the same view after a view change.`
`103`		`- private readonly ConcurrentDictionary<(ulong View, PeerId Proposer), Hash256> _proposalsByView = new();`
	`101`	`+ // N-17: Thread-safe double-sign detection: keyed by (view, block, proposer).`
	`102`	`+ // Block number is included because view numbers can collide across blocks:`
	`103`	`+ // after a view change bumps view to V, and then StartRound(V) reuses the same`
	`104`	`+ // view number for the next block, old entries from the previous block would`
	`105`	`+ // cause false double-sign detection without the block dimension.`
	`106`	`+ private readonly ConcurrentDictionary<(ulong View, ulong Block, PeerId Proposer), Hash256> _proposalsByView = new();`
`104`	`107`
`105`	`108`	`// Identity`
`106`	`109`	`private byte[] _privateKey = [];`
`@@ -1146,7 +1149,7 @@ private void HandleConsensusProposal(PeerId sender, ConsensusProposalMessage pro`
`1146`	`1149`
`1147`	`1150`	`if (proposal.BlockNumber == currentBlock)`
`1148`	`1151`	`{`
`1149`		`- var proposalKey = (proposal.ViewNumber, proposal.SenderId);`
	`1152`	`+ var proposalKey = (proposal.ViewNumber, proposal.BlockNumber, proposal.SenderId);`
`1150`	`1153`	`if (_slashingEngine != null && _proposalsByView.TryGetValue(proposalKey, out var existingHash))`
`1151`	`1154`	`{`
`1152`	`1155`	`if (existingHash != proposal.BlockHash)`
`@@ -1155,8 +1158,8 @@ private void HandleConsensusProposal(PeerId sender, ConsensusProposalMessage pro`
`1155`	`1158`	`if (proposerInfo != null)`
`1156`	`1159`	`{`
`1157`	`1160`	`_slashingEngine.SlashDoubleSign(proposerInfo.Address, proposal.BlockNumber, existingHash, proposal.BlockHash);`
`1158`		`- _logger.LogWarning("Double-sign detected from validator {Address} at view {View}",`
`1159`		`- proposerInfo.Address, proposal.ViewNumber);`
	`1161`	`+ _logger.LogWarning("Double-sign detected from validator {Address} at view {View} block {Block}",`
	`1162`	`+ proposerInfo.Address, proposal.ViewNumber, proposal.BlockNumber);`
`1160`	`1163`	`}`
`1161`	`1164`	`}`
`1162`	`1165`	`}`