Panic triggered by incorrect logic in finality module’s EndBlock
Description
A panic can occur due to incorrect logic in the BeginBlock and EndBlock functions of the finality module when the FinalitySigTimeout parameter is set to a value greater than zero. On the testnet, this parameter was observed to be set to 3.
The issue arises in a scenario where a finality provider (FP) is temporarily removed from the vote-disk cache due to insufficient voting power and then later reincluded after acquiring additional voting power. If the FinalitySigTimeout parameter is 3 and the block height is 5, the computation of heightToExamine results in 2. However, since the StartHeight for the re-added FP is set to 5, a panic is triggered when the condition in liveness.go is evaluated.
Impact
This issue causes an unexpected node panic, disrupting block processing. If exploited intentionally or encountered in production, it could lead to network instability or downtime.
Recommendations
Modify the logic in liveness.go to ensure that the height condition does not cause unintended panics when an FP is re-added to the active set. A more precise condition should be implemented to handle cases where StartHeight is greater than heightToExamine, preventing invalid access to uninitialized data.
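One way to express the guard recommended above, as an added Go example that is neither Babylon's code nor the fix in the referenced commit. SigningInfo, HeightToExamine and UpdateLiveness are hypothetical names, and the model assumes liveness state is only a missed-vote counter and that heights start at 1.

```go
package main

import "fmt"

// SigningInfo is a hypothetical, simplified stand-in for per-FP liveness state.
type SigningInfo struct {
	StartHeight uint64 // height at which the FP (re)joined the active set
	Missed      uint64 // votes missed at heights that were actually examined
}

// HeightToExamine returns the height whose votes are judged at `height`.
// ok is false while the timeout window has not elapsed, which also keeps
// the unsigned subtraction from wrapping around.
func HeightToExamine(height, finalitySigTimeout uint64) (target uint64, ok bool) {
	if height <= finalitySigTimeout {
		return 0, false
	}
	return height - finalitySigTimeout, true
}

// UpdateLiveness records the vote status for heightToExamine and reports
// whether the height was examined. A height before the FP's StartHeight is
// skipped instead of being treated as a fatal inconsistency.
func UpdateLiveness(info *SigningInfo, heightToExamine uint64, voted bool) bool {
	if info.StartHeight > heightToExamine {
		return false // FP was not tracked at that height; nothing to judge
	}
	if !voted {
		info.Missed++
	}
	return true
}

func main() {
	const timeout = 3                    // value observed on the testnet
	info := &SigningInfo{StartHeight: 5} // constructed case: FP re-added at height 5
	for h := uint64(5); h <= 9; h++ {
		target, ok := HeightToExamine(h, timeout)
		if !ok {
			continue
		}
		examined := UpdateLiveness(info, target, false)
		fmt.Printf("height=%d examine=%d examined=%v missed=%d\n",
			h, target, examined, info.Missed)
	}
}
```

With the scenario from the description (timeout 3, FP re-added at height 5), heights 5 through 7 are skipped and the first examined height is 5, reached at block 8.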
Remediation
This issue has been acknowledged by Babylon Labs, and a fix was implemented in commit 4b833eb7.
A fix was implemented to not cause a panic.