p2p: Don't process mutated blocks #29412

dergoegge · 2024-02-08T17:18:35Z

This PR proposes to check for mutated blocks early as a defense-in-depth mitigation against attacks leveraging mutated blocks.

We introduce IsBlockMutated which catches all known forms of block malleation and use it to do an early mutation check whenever we receive a block message.

We have observed attacks that abused mutated blocks in the past, which could have been prevented by simply not processing mutated blocks (e.g. #27608 for which a regression test is included in this PR).

DrahtBot · 2024-02-08T17:18:38Z

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage

For detailed information about the code coverage, see the test coverage report.

Reviews

See the guideline for information on the review process.

Type	Reviewers
ACK	maflcko, fjahr, sr-gi, achow101
Concept ACK	TheCharlatan, epiccurious, instagibbs, glozow, naumenkogs

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

Conflicts

No conflicts as of last run.

DrahtBot · 2024-02-08T18:22:12Z

🚧 At least one of the CI tasks failed. Make sure to run all tests locally, according to the
documentation.

Possibly this is due to a silent merge conflict (the changes in this pull request being
incompatible with the current code in the target branch). If so, make sure to rebase on the latest
commit of the target branch.

Leave a comment here, if you need help tracking down a confusing failure.

_{Debug: https://github.com/bitcoin/bitcoin/runs/21374346056}

epiccurious · 2024-02-09T03:38:10Z

How do you define a mutated block? What are the known forms of mutated blocks?

dergoegge · 2024-02-09T10:05:00Z

How do you define a mutated block? What are the known forms of mutated blocks?

Looking at IsBlockMutated in this PR should provide the answers for these questions, but to recap:

When we receive a block it contains a header and a list of transactions. The header contains a merkle root hash (CBlock::hashMerkleRoot) which should commit to the list of transactions but if it doesn't the block is considered mutated.
The coinbase transaction (post segwit) contains a commitment (very similar to the merkle root in the header) to the witness data in a block. If that commitment does not actually commit to the witnesses that were received, the block is considered mutated.
Our merkle root algorithm has several flaws which allow for further malleation, see here for a great overview.

TheCharlatan · 2024-02-09T13:36:26Z

Concept ACK

epiccurious · 2024-02-09T14:28:28Z

Concept ACK.

instagibbs · 2024-02-09T14:37:47Z

concept ACK

might be good to recap why it was only added in BLOCK processing but not other ProcessBlocks: In every other case we already don't punish the sender of compact blocks for failing these higher level checks, while full blocks allow for punishment.

dergoegge · 2024-02-09T16:12:43Z

might be good to recap why it was only added in BLOCK processing but not other ProcessBlocks: In every other case we already don't punish the sender of compact blocks for failing these higher level checks, while full blocks allow for punishment.

We call ProcessBlock when we receive a block message (handled in this PR) or as the result of a compact block reconstruction. Compact blocks are relayed before full validation occurs, therefore we don't punish peers for sending us invalid blocks through compact block relay. Block mutation might also occur randomly during compact bock relay due to short-id collisions, which is another reason not to punish.

src/net_processing.cpp

sr-gi

Concept ACK

src/validation.cpp

src/net_processing.cpp

test/functional/p2p_mutated_blocks.py

glozow

concept ACK, I agree with the approach of catching and dropping these earlier rather than later

dergoegge · 2024-02-20T11:32:39Z

I would like to see this in v27, can we add it to the milestone?

src/validation.cpp

fjahr

Concept ACK

"CBlock::GetHash() is a foot-gun without a prior mutation check", I hadn't felt this strongly about but I get it. I think it makes sense to rename it. I have drafted it here: fjahr@8e11e9c If it sounds valuable I will open a PR.

src/validation.cpp

naumenkogs · 2024-02-22T08:05:09Z

Concept ACK. Looking forward to addressing already pending comments, then i review.

src/test/validation_tests.cpp

instagibbs · 2024-02-22T14:40:52Z

src/validation.cpp

@@ -3758,6 +3814,40 @@ bool HasValidProofOfWork(const std::vector<CBlockHeader>& headers, const Consens
            [&](const auto& header) { return CheckProofOfWork(header.GetHash(), header.nBits, consensusParams);});
 }

+bool IsBlockMutated(const CBlock& block, bool check_witness_root)


have you thought about having this function return an optional error string so unit tests can check expected failure reason?

(reply to #29412 (comment))

note: unit tests may use the ASSERT_DEBUG_LOG, as an alternative.

have you thought about having this function return an optional error string so unit tests can check expected failure reason?

I'm considering returning the mutation type but I will not be asserting logs...

src/validation.cpp

test/functional/p2p_mutated_blocks.py

glozow · 2024-02-22T17:28:55Z

test/functional/p2p_mutated_blocks.py

+            get_block_txn = honest_relayer.last_message['getblocktxn']
+            return get_block_txn.block_txn_request.blockhash == block.sha256 and \
+                   get_block_txn.block_txn_request.indexes == [1]
+        honest_relayer.wait_until(self_transfer_requested, timeout=5)


in e2d1eb2
does this need a with p2p_lock?

Does it? None of the other wait_for_* helpers require it.

0xB10C · 2024-02-23T09:58:35Z

I'm running this PR on my mainnet monitoring infrastructure as I was looking at the currently broadcast mutated blocks (bad-witness-nonce-size) in detail anyway. Can report back in a few days (currently, I receive only 1 or 2 per week).

0xB10C · 2024-02-23T13:15:59Z

Received two bad-witness-nonce-size blocks from a mining pools custom client shortly after my last comment. In both cases I my node had reconstructed a cmpctblock two seconds before the mutated block arrived. In this case, the block is "mutated" because the coinbase witness is empty. That's probably a bug on the mining pool side. I have the IPs of the pool clients as noban-peers, so I didn't actually see them getting disconnected.

2024-02-23T10:33:55Z [msghand] [blockencodings.cpp:217] [FillBlock] [cmpctblock] Successfully reconstructed block 000000000000000000017f8957106aae020ce65f69f3ee189559d97fc0f974bb with 1 txn prefilled, 2936 txn from mempool (incl at least 5 from extra pool) and 45 txn requested
2024-02-23T10:33:55Z [msghand] [validationinterface.cpp:273] [NewPoWValidBlock] [validation] NewPoWValidBlock: block hash=000000000000000000017f8957106aae020ce65f69f3ee189559d97fc0f974bb
2024-02-23T10:33:55Z [msghand] [validationinterface.cpp:267] [BlockChecked] [validation] BlockChecked: block hash=000000000000000000017f8957106aae020ce65f69f3ee189559d97fc0f974bb state=Valid
2024-02-23T10:33:55Z [msghand] [validationinterface.cpp:243] [MempoolTransactionsRemovedForBlock] [validation] Enqueuing MempoolTransactionsRemovedForBlock: block height=831673 txs removed=2931
2024-02-23T10:33:55Z [msghand] [validation.cpp:2738] [UpdateTipLog] UpdateTip: new best=000000000000000000017f8957106aae020ce65f69f3ee189559d97fc0f974bb height=831673 version=0x2bc70000 log2_work=94.750438 tx=968653267 date='2024-02-23T10:33:34Z' progress=1.000000 cache=87.0MiB(713889txo)

...

2024-02-23T10:33:57Z [msghand] [net_processing.cpp:3396] [ProcessMessage] [net] received: block (1519889 bytes) peer=153
2024-02-23T10:33:57Z [msghand] [net_processing.cpp:4728] [ProcessMessage] [net] received block 000000000000000000017f8957106aae020ce65f69f3ee189559d97fc0f974bb peer=153
2024-02-23T10:33:57Z [msghand] [validation.cpp:3862] [IsBlockMutated] [validation] IsBlockMutated: bad-witness-nonce-size, CheckWitnessCommitment : invalid witness reserved value size
2024-02-23T10:33:57Z [msghand] [net_processing.cpp:4734] [ProcessMessage] [net] Received mutated block from peer=153
2024-02-23T10:33:57Z [msghand] [net_processing.cpp:1791] [Misbehaving] [net] Misbehaving: peer=153 (0 -> 100) DISCOURAGE THRESHOLD EXCEEDED: mutated block
2024-02-23T10:33:57Z [msghand] [net_processing.cpp:5037] [MaybeDiscourageAndDisconnect] Warning: not punishing noban peer 153!

2024-02-23T11:17:32Z [msghand] [blockencodings.cpp:217] [FillBlock] [cmpctblock] Successfully reconstructed block 0000000000000000000345e15958b691f5079b84a6d5a3f959a8d84ee7989659 with 1 txn prefilled, 1024 txn from mempool (incl at least 0 from extra pool) and 5 txn requested
2024-02-23T11:17:32Z [msghand] [validationinterface.cpp:273] [NewPoWValidBlock] [validation] NewPoWValidBlock: block hash=0000000000000000000345e15958b691f5079b84a6d5a3f959a8d84ee7989659
2024-02-23T11:17:32Z [msghand] [validationinterface.cpp:267] [BlockChecked] [validation] BlockChecked: block hash=0000000000000000000345e15958b691f5079b84a6d5a3f959a8d84ee7989659 state=Valid
2024-02-23T11:17:32Z [msghand] [net.cpp:3784] [PushMessage] [net] sending sendcmpct (9 bytes) peer=117
2024-02-23T11:17:32Z [msghand] [validationinterface.cpp:243] [MempoolTransactionsRemovedForBlock] [validation] Enqueuing MempoolTransactionsRemovedForBlock: block height=831677 txs removed=1024
2024-02-23T11:17:32Z [msghand] [validation.cpp:2738] [UpdateTipLog] UpdateTip: new best=0000000000000000000345e15958b691f5079b84a6d5a3f959a8d84ee7989659 height=831677 version=0x2fffe000 log2_work=94.750499 tx=968663963 date='2024-02-23T11:17:27Z' progress=1.000000 cache=78.7MiB(689008txo)

...

2024-02-23T11:17:34Z [msghand] [net_processing.cpp:3396] [ProcessMessage] [net] received: block (1509042 bytes) peer=20
2024-02-23T11:17:34Z [msghand] [net_processing.cpp:4728] [ProcessMessage] [net] received block 0000000000000000000345e15958b691f5079b84a6d5a3f959a8d84ee7989659 peer=20
2024-02-23T11:17:34Z [msghand] [validation.cpp:3862] [IsBlockMutated] [validation] IsBlockMutated: bad-witness-nonce-size, CheckWitnessCommitment : invalid witness reserved value size
2024-02-23T11:17:34Z [msghand] [net_processing.cpp:4734] [ProcessMessage] [net] Received mutated block from peer=20
2024-02-23T11:17:34Z [msghand] [net_processing.cpp:1791] [Misbehaving] [net] Misbehaving: peer=20 (0 -> 100) DISCOURAGE THRESHOLD EXCEEDED: mutated block
2024-02-23T11:17:34Z [msghand] [net_processing.cpp:5037] [MaybeDiscourageAndDisconnect] Warning: not punishing noban peer 20!
2024-02-23T11:17:34Z [msghand] [net_processing.cpp:3396] [ProcessMessage] [net] received: getdata (37 bytes) peer=20
2024-02-23T11:17:34Z [msghand] [net_processing.cpp:3998] [ProcessMessage] [net] received getdata (1 invsz) peer=20
2024-02-23T11:17:34Z [msghand] [net_processing.cpp:4001] [ProcessMessage] [net] received getdata for: witness-block 0000000000000000000345e15958b691f5079b84a6d5a3f959a8d84ee7989659 peer=20
2024-02-23T11:17:34Z [msghand] [net.cpp:3784] [PushMessage] [net] sending block (1509078 bytes) peer=20

maflcko

left some initial nits/questions

0f356b0 💬

Show signature

Signature:

untrusted comment: signature from minisign secret key on empty file; verify via: minisign -Vm "${path_to_any_empty_file}" -P RWTRmVTMeKV5noAMqVlsMugDDCyyTSbA3Re5AkUrhvLVln0tSaFWglOw -x "${path_to_this_whole_four_line_signature_blob}"
RUTRmVTMeKV5npGrKx1nqXCw5zeVHdtdYURB/KlyA/LMFgpNCs+SkW9a8N95d+U4AP1RJMi+krxU1A3Yux4bpwZNLvVBKy0wLgM=
trusted comment: 0f356b0b2fb23aef96ed7396890aa36410aa1d59 💬
kBfK9UKECARIswfAVfqnH6nAuO9mA7Tcad0J1J6aCTeTkHT4VK7z3GpY/0Wz6H0SeVaxH2Thgu3Qvz87+QF6CA==

src/validation.cpp

maflcko · 2024-02-23T13:25:37Z

src/validation.cpp

@@ -3758,6 +3814,40 @@ bool HasValidProofOfWork(const std::vector<CBlockHeader>& headers, const Consens
            [&](const auto& header) { return CheckProofOfWork(header.GetHash(), header.nBits, consensusParams);});
 }

+bool IsBlockMutated(const CBlock& block, bool check_witness_root)


(reply to #29412 (comment))

note: unit tests may use the ASSERT_DEBUG_LOG, as an alternative.

src/validation.cpp

src/test/validation_tests.cpp

instagibbs · 2024-02-23T19:14:59Z

src/validation.cpp

+
+            // The malleation check is ignored; as the transaction tree itself
+            // already does not permit it, it is impossible to trigger in the
+            // witness tree.


future work nit: the mutated arg is never non-nullptr and has no test coverage it seems.

future work nit: the mutated arg is never non-nullptr and has no test coverage it seems.

I presume the reason is that it can't be mutated and all callers are expected to pass nullptr? Seems fine to remove the arg, but should be fine either way.

d8087ad [test] IsBlockMutated unit tests (dergoegge) 1ed2c98 Add transaction_identifier::size to allow Span conversion (dergoegge) 1ec6bbe [validation] Cache merkle root and witness commitment checks (dergoegge) 5bf4f5b [test] Add regression test for bitcoin#27608 (dergoegge) 49257c0 [net processing] Don't process mutated blocks (dergoegge) 2d8495e [validation] Merkle root malleation should be caught by IsBlockMutated (dergoegge) 66abce1 [validation] Introduce IsBlockMutated (dergoegge) e7669e1 [refactor] Cleanup merkle root checks (dergoegge) 95bddb9 [validation] Isolate merkle root checks (dergoegge) Pull request description: This PR proposes to check for mutated blocks early as a defense-in-depth mitigation against attacks leveraging mutated blocks. We introduce `IsBlockMutated` which catches all known forms of block malleation and use it to do an early mutation check whenever we receive a `block` message. We have observed attacks that abused mutated blocks in the past, which could have been prevented by simply not processing mutated blocks (e.g. bitcoin#27608 for which a regression test is included in this PR). ACKs for top commit: achow101: ACK d8087ad maflcko: ACK d8087ad 🏄 fjahr: Code review ACK d8087ad sr-gi: Code review ACK bitcoin@d8087ad Tree-SHA512: 618ff4ea7f168e10f07504d3651290efbb1bb2ab3b838ffff3527c028caf6c52dedad18d04d3dbc627977479710930e200f2dfae18a08f627efe7e64a57e535f

DrahtBot added the P2P label Feb 8, 2024

dergoegge force-pushed the 2024-01-mut-blocks branch from 56ed5bd to d028bb1 Compare February 8, 2024 18:22

DrahtBot added the CI failed label Feb 8, 2024

DrahtBot removed the CI failed label Feb 8, 2024

DrahtBot mentioned this pull request Feb 9, 2024

Remove the legacy wallet and BDB dependency #28710

Merged

instagibbs reviewed Feb 9, 2024

View reviewed changes

src/net_processing.cpp Show resolved Hide resolved

sr-gi reviewed Feb 9, 2024

View reviewed changes

src/validation.cpp Outdated Show resolved Hide resolved

src/validation.cpp Outdated Show resolved Hide resolved

src/net_processing.cpp Show resolved Hide resolved

test/functional/p2p_mutated_blocks.py Outdated Show resolved Hide resolved

glozow reviewed Feb 9, 2024

View reviewed changes

maflcko added this to the 27.0 milestone Feb 20, 2024

sipa reviewed Feb 20, 2024

View reviewed changes

src/validation.cpp Show resolved Hide resolved

maflcko reviewed Feb 20, 2024

View reviewed changes

src/validation.cpp Show resolved Hide resolved

fjahr reviewed Feb 20, 2024

View reviewed changes

src/validation.cpp Outdated Show resolved Hide resolved

src/validation.cpp Show resolved Hide resolved

dergoegge force-pushed the 2024-01-mut-blocks branch from d028bb1 to 0f356b0 Compare February 22, 2024 11:54

instagibbs reviewed Feb 22, 2024

View reviewed changes

glozow reviewed Feb 22, 2024

View reviewed changes

maflcko reviewed Feb 23, 2024

View reviewed changes

dergoegge force-pushed the 2024-01-mut-blocks branch from 0f356b0 to 8c18b70 Compare February 23, 2024 18:36

instagibbs reviewed Feb 23, 2024

View reviewed changes

DashCoreAutoGuix mentioned this pull request Aug 9, 2025

Merge bitcoin/bitcoin#29412: p2p: Don't process mutated blocks DashCoreAutoGuix/dash#1107

Closed

p2p: Don't process mutated blocks #29412

p2p: Don't process mutated blocks #29412

Uh oh!

Conversation

dergoegge commented Feb 8, 2024

Uh oh!

DrahtBot commented Feb 8, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Code Coverage

Reviews

Conflicts

Uh oh!

DrahtBot commented Feb 8, 2024

Uh oh!

epiccurious commented Feb 9, 2024

Uh oh!

dergoegge commented Feb 9, 2024

Uh oh!

TheCharlatan commented Feb 9, 2024

Uh oh!

epiccurious commented Feb 9, 2024

Uh oh!

instagibbs commented Feb 9, 2024

Uh oh!

dergoegge commented Feb 9, 2024

Uh oh!

Uh oh!

sr-gi left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

glozow left a comment

Choose a reason for hiding this comment

Uh oh!

dergoegge commented Feb 20, 2024

Uh oh!

Uh oh!

Uh oh!

fjahr left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

naumenkogs commented Feb 22, 2024

Uh oh!

Uh oh!

instagibbs Feb 22, 2024

Choose a reason for hiding this comment

Uh oh!

maflcko Feb 23, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

dergoegge Feb 23, 2024

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

glozow Feb 22, 2024

Choose a reason for hiding this comment

Uh oh!

dergoegge Feb 23, 2024

Choose a reason for hiding this comment

Uh oh!

0xB10C commented Feb 23, 2024

Uh oh!

0xB10C commented Feb 23, 2024

Uh oh!

maflcko left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

maflcko Feb 23, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

DrahtBot commented Feb 8, 2024 •

edited

Loading

maflcko Feb 23, 2024 •

edited

Loading

maflcko Feb 23, 2024 •

edited

Loading