ChainSafe · dapplion · May 3, 2023 · May 1, 2023 · nflaig · May 2, 2023
@@ -5,13 +5,29 @@ import {SurroundAttestationError, SurroundAttestationErrorCode} from "./errors.j
 // surround vote checking with min-max surround
 // https://github.com/protolambda/eth2-surround#min-max-surround
 
+/**
+ * Number of epochs in the past to check for surrounding attestations.
+ *
+ * This value can be limited to a reasonable high amount as Lodestar does not solely rely on this strategy but also
+ * implements the minimal strategy which has been formally proven to be safe (https://github.com/michaelsproul/slashing-proofs).
 // Refuse to sign any attestation with: 
 // - source.epoch < min(att.source_epoch for att in data.signed_attestations if att.pubkey == attester_pubkey), OR 
 // - target_epoch <= min(att.target_epoch for att in data.signed_attestations if att.pubkey == attester_pubkey) 
 // (spec v4, Slashing Protection Database Interchange Format) 
 const attestationLowerBound = await this.attestationLowerBound.get(pubKey); 
 if (attestationLowerBound) { 
   const {minSourceEpoch, minTargetEpoch} = attestationLowerBound; 
   if (attestation.sourceEpoch < minSourceEpoch) { 
     throw new InvalidAttestationError({ 
       code: InvalidAttestationErrorCode.SOURCE_LESS_THAN_LOWER_BOUND, 
       sourceEpoch: attestation.sourceEpoch, 
       minSourceEpoch, 
     }); 
   } 
   if (attestation.targetEpoch <= minTargetEpoch) { 
     throw new InvalidAttestationError({ 
       code: InvalidAttestationErrorCode.TARGET_LESS_THAN_OR_EQ_LOWER_BOUND, 
       targetEpoch: attestation.targetEpoch, 
       minTargetEpoch, 
     }); 
   } 
 } 
 // Refuse to sign any attestation with: 
 // - source.epoch < min(att.source_epoch for att in data.signed_attestations if att.pubkey == attester_pubkey), OR 
 // - target_epoch <= min(att.target_epoch for att in data.signed_attestations if att.pubkey == attester_pubkey) 
 // (spec v4, Slashing Protection Database Interchange Format) 
 const attestationLowerBound = await this.attestationLowerBound.get(pubKey); 
 if (attestationLowerBound) { 
   const {minSourceEpoch, minTargetEpoch} = attestationLowerBound; 
   if (attestation.sourceEpoch < minSourceEpoch) { 
     throw new InvalidAttestationError({ 
       code: InvalidAttestationErrorCode.SOURCE_LESS_THAN_LOWER_BOUND, 
       sourceEpoch: attestation.sourceEpoch, 
       minSourceEpoch, 
     }); 
   } 
  
   if (attestation.targetEpoch <= minTargetEpoch) { 
     throw new InvalidAttestationError({ 
       code: InvalidAttestationErrorCode.TARGET_LESS_THAN_OR_EQ_LOWER_BOUND, 
       targetEpoch: attestation.targetEpoch, 
       minTargetEpoch, 
     }); 
   } 
 } 
+ *
+ * Limiting this value is required due to practical reasons as otherwise there would be a min-span DB read and write
+ * for each validator from current epoch until genesis which massively increases DB size and causes I/O lag, resulting in
+ * instability on first startup with an empty DB. See https://github.com/ChainSafe/lodestar/issues/5356 for more details.
+ *
+ * The value 4096 has been chosen as it is the default used by slashers (https://lighthouse-book.sigmaprime.io/slasher.html#history-length)
+ * and is generally higher than the weak subjectivity period. However, it would still be risky if we just relied on min-max surround
+ * for slashing protection, as slashers can be configured to collect slashable attestations over a longer period.
+ */
+const DEFAULT_MAX_EPOCH_LOOKBACK = 4096;
+
 export class MinMaxSurround implements IMinMaxSurround {
   private store: IDistanceStore;
   private maxEpochLookback: number;
 
   constructor(store: IDistanceStore, options?: {maxEpochLookback?: number}) {
     this.store = store;
-    this.maxEpochLookback = options?.maxEpochLookback ?? Infinity;
+    this.maxEpochLookback = options?.maxEpochLookback ?? DEFAULT_MAX_EPOCH_LOOKBACK;
   }
 
   async assertNoSurround(pubKey: BLSPubkey, attestation: MinMaxSurroundAttestation): Promise<void> {