staking: force the ultimate definition upload to disable a validator (#4178)

## Describe your changes

This PR adds a **new consensus rule** which forces validators with
`sequence_number = u32::MAX` to be in the state `enabled = false`. This
reduces the incentive to steal validator identity signing keys, because
it means that it's impossible to "lock" a validator in the `enabled`
state; the operator can always permanently disable their validator,
cutting off profits for the attacker.

## Issue ticket number and link

This is an implementation of issue #4170; see its description for more
details about the risk this mitigates.

## Checklist before requesting a review

- [X] If this code contains consensus-breaking changes, I have added the
"consensus-breaking" label. Otherwise, I declare my belief that there
are no consensus-breaking changes, for the following reason:

> **This is a consensus-breaking change**: it rejects validator
definitions which would previously have been accepted by the chain.

Co-authored-by: finch <[email protected]>
plaidfinch and plaidfinch authored Apr 8, 2024
1 parent 5584241 commit 34d27f3
Showing 1 changed file with 9 additions and 0 deletions.
@@ -35,6 +35,15 @@ impl ActionHandler for validator::Definition {
anyhow::bail!("validators can declare at most 8 funding streams")
}

// This prevents an attacker who compromises a validator identity signing key from locking
// the validator in an enabled state permanently, instead making it so that the original
// operator always has the option of disabling the validator permanently, regardless of what
// the attacker does. This reduces the incentive to steal compromise validator signing keys,
// because it reduces the expected payoff of such a compromise.
if self.validator.sequence_number == u32::MAX && self.validator.enabled {
anyhow::bail!("validators must be disabled when their lifetime is over")
}

// Then, we check the signature:
let definition_bytes = self.validator.encode_to_vec();
VerificationKey::try_from(self.validator.identity_key.0)
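Review bot: the new rejection only achieves the stated goal (the u32::MAX definition is the validator's final, non-supersedable state) if the handler elsewhere enforces that a later definition must carry a strictly higher sequence number; that ordering check is not in this hunk, so please confirm it exists and add a test pair for this branch: a definition with `sequence_number == u32::MAX && enabled == true` must be rejected, and one with `enabled == false` at u32::MAX must still pass through to the signature check that follows. Two smaller points on the added lines: the comment has a leftover word in "steal compromise validator signing keys" (pick one verb), and the bail message "validators must be disabled when their lifetime is over" would be easier to act on if it named the condition, e.g. `"a validator definition with sequence_number == u32::MAX must set enabled = false"`. Placing the check before signature verification is fine since it reads only the definition's own fields.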
