Implement Doppelganger Check

[nisdas]

What type of PR is this?

Feature Implementation

What does this PR do? Why is it needed?

• Checks for validator balances in the last N epochs, and determines if there is a positive change.
• Add tests for the feature.
• Gate it behind a flag.

Which issues(s) does this PR fix?

Fixes #7985

Other notes for review

[potuz]

Haven't checked the syntax of the PR, but the design of the protection looks good to me, simple to read and effective.

[codecov]

Codecov Report

Merging #9120 (4b74efa) into develop (2df024a) will decrease coverage by 0.25%.
The diff coverage is 54.54%.

@@             Coverage Diff             @@
##           develop    #9120      +/-   ##
===========================================
- Coverage    60.36%   60.10%   -0.26%     
===========================================
  Files          550      550              
  Lines        39123    39142      +19     
===========================================
- Hits         23616    23526      -90     
- Misses       12141    12221      +80     
- Partials      3366     3395      +29     

[jmozah]

"Could not get older state" would be appropriate.

[ahadda5]

For my benefit. why this change?

[nisdas]

Simply changes it from a struct to an interface, this allows us to mock it correctly for tests. *stategen.State fulfills the state manager interface.

[yorickdowne]

config.go and flags.go misspell "doppelganger" as "doppleganger". Correct spelling is "doppelganger" (well, anglicized, never mind the lack of umlauts :)).

[prestonvanloon]

A few comments. There are a few typos with Doppelganger vs Doppleganger. Correct is Doppelganger.

I have some concerns about the implied safety of this feature. Please correct me if these assumptions are wrong.

• It seems that if a validator was online and attesting, but did not increase in balance, then this implementation could return a false negative.
• A quick restart, the check is ignored.

Why does a validator need to provide the last known attested epoch?
Is it so that restarts would be quick?
If this is the case and that's the trade off we want to make to prevent a 2 epoch mandatory delay on every restart, then we ought to log to the user "WARNING: Validator was running within the last 2 epochs and doppelganger detection will be skipped."

[prestonvanloon]

Formatting

[prestonvanloon]

Why is this the case? It isn't clear to the reader why a request within the last 2 epochs will be marked as false or safe to proceed without actually checking.

[prestonvanloon]

Typo with Dopple

[potuz]

I have some concerns about the implied safety of this feature. Please correct me if these assumptions are wrong.

• It seems that if a validator was online and attesting, but did not increase in balance, then this implementation could return a false negative.

This is correct. The odds of this happening are less than 10^{-5} already conditional to being running a doppelganger as I showed in the issue originally. We can do better than this by checking that the balance increased more than certain negative multiple of the base_reward but the gain is minimal (if any). Notice that attesting and getting a negative reward for 2 epochs can only happen if the validator was assigned two epochs in a row to a slot 0 and missed target and head in both votes in a row. This is incredibly rare.

• A quick restart, the check is ignored.

Correct again

Why does a validator need to provide the last known attested epoch?
Is it so that restarts would be quick?
If this is the case and that's the trade off we want to make to prevent a 2 epoch mandatory delay on every restart, then we ought to log to the user "WARNING: Validator was running within the last 2 epochs and doppelganger detection will be skipped."

I agree with the warning.

But let me stress something that passes without notice in all the approaches waiting, like the one implemented in Lighthouse: the point is that the 2 epochs mandatory delay is completely useless in the case that this method fails to find a doppelganger, namely. In the rare event that the user starts two validators simultaneously, then if the mandatory two epochs delay is implemented, then both validators will wait two epochs, not find anything and then start happily validating at the same time and get slashed.

So yes, this method will not find a doppelganger if both instances are launched together, but neither will waiting 2 epochs.

[prestonvanloon]

This is much more clear! 👍

[prestonvanloon]

Looks good!

[prestonvanloon]

Could you add the actual requests for all test cases? This will add a bit more rigidity to these tests

[nisdas]

So this is actually not trivial, I tried to do it previously, however the mock key manager actually uses a map underneath to store all the keys. When you request for all validating pubkeys, the ordering is non-deterministic, therefore any request mocked in here will be non deterministic too and basically only succeed 1/10 times. If needed I can create a new deterministic key manager to mock this.

[prestonvanloon]

Added a custom matcher that will help with this.

[prestonvanloon]

Blocked until #9135 merges

[prestonvanloon]

This needed to be updated after updating gomock

[prestonvanloon]

Added this as a sanity check. It may not be necessary but it was some assurance that we received the correct record.