// Copyright 2017 The go-ethereum Authors // This file is part of the go-ethereum library. // // The go-ethereum library is free software: you can redistribute it and/or modify // it under the terms of the GNU Lesser General Public License as published by // the Free Software Foundation, either version 3 of the License, or // (at your option) any later version. // // The go-ethereum library is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU Lesser General Public License for more details. // // You should have received a copy of the GNU Lesser General Public License // along with the go-ethereum library. If not, see . // Package clique implements the proof-of-authority consensus engine. package clique import ( "bytes" "context" "errors" "io" "math/big" "math/rand" "sync" "time" "github.com/goccy/go-json" lru "github.com/hashicorp/golang-lru" "github.com/ledgerwatch/erigon-lib/kv" "golang.org/x/crypto/sha3" libcommon "github.com/ledgerwatch/erigon-lib/common" "github.com/ledgerwatch/erigon/common" "github.com/ledgerwatch/erigon/common/dbutils" "github.com/ledgerwatch/erigon/common/debug" "github.com/ledgerwatch/erigon/common/hexutil" "github.com/ledgerwatch/erigon/consensus" "github.com/ledgerwatch/erigon/core/state" "github.com/ledgerwatch/erigon/core/types" "github.com/ledgerwatch/erigon/core/types/accounts" "github.com/ledgerwatch/erigon/crypto" "github.com/ledgerwatch/erigon/params" "github.com/ledgerwatch/erigon/rlp" "github.com/ledgerwatch/erigon/rpc" "github.com/ledgerwatch/log/v3" ) const ( epochLength = uint64(30000) // Default number of blocks after which to checkpoint and reset the pending votes ExtraVanity = 32 // Fixed number of extra-data prefix bytes reserved for signer vanity ExtraSeal = crypto.SignatureLength // Fixed number of extra-data suffix bytes reserved for signer seal warmupCacheSnapshots = 20 wiggleTime = 500 * time.Millisecond // Random delay (per signer) to allow concurrent signers ) // Clique proof-of-authority protocol constants. var ( NonceAuthVote = hexutil.MustDecode("0xffffffffffffffff") // Magic nonce number to vote on adding a new signer nonceDropVote = hexutil.MustDecode("0x0000000000000000") // Magic nonce number to vote on removing a signer. uncleHash = types.CalcUncleHash(nil) // Always Keccak256(RLP([])) as uncles are meaningless outside of PoW. DiffInTurn = big.NewInt(2) // Block difficulty for in-turn signatures diffNoTurn = big.NewInt(1) // Block difficulty for out-of-turn signatures ) // Various error messages to mark blocks invalid. These should be private to // prevent engine specific errors from being referenced in the remainder of the // codebase, inherently breaking if the engine is swapped out. Please put common // error types into the consensus package. var ( // errUnknownBlock is returned when the list of signers is requested for a block // that is not part of the local blockchain. errUnknownBlock = errors.New("unknown block") // errInvalidCheckpointBeneficiary is returned if a checkpoint/epoch transition // block has a beneficiary set to non-zeroes. errInvalidCheckpointBeneficiary = errors.New("beneficiary in checkpoint block non-zero") // errInvalidVote is returned if a nonce value is something else that the two // allowed constants of 0x00..0 or 0xff..f. errInvalidVote = errors.New("vote nonce not 0x00..0 or 0xff..f") // errInvalidCheckpointVote is returned if a checkpoint/epoch transition block // has a vote nonce set to non-zeroes. errInvalidCheckpointVote = errors.New("vote nonce in checkpoint block non-zero") // errMissingVanity is returned if a block's extra-data section is shorter than // 32 bytes, which is required to store the signer vanity. errMissingVanity = errors.New("extra-data 32 byte vanity prefix missing") // errMissingSignature is returned if a block's extra-data section doesn't seem // to contain a 65 byte secp256k1 signature. errMissingSignature = errors.New("extra-data 65 byte signature suffix missing") // errExtraSigners is returned if non-checkpoint block contain signer data in // their extra-data fields. errExtraSigners = errors.New("non-checkpoint block contains extra signer list") // errInvalidCheckpointSigners is returned if a checkpoint block contains an // invalid list of signers (i.e. non divisible by 20 bytes). errInvalidCheckpointSigners = errors.New("invalid signer list on checkpoint block") // errMismatchingCheckpointSigners is returned if a checkpoint block contains a // list of signers different than the one the local node calculated. errMismatchingCheckpointSigners = errors.New("mismatching signer list on checkpoint block") // errInvalidMixDigest is returned if a block's mix digest is non-zero. errInvalidMixDigest = errors.New("non-zero mix digest") // errInvalidUncleHash is returned if a block contains an non-empty uncle list. errInvalidUncleHash = errors.New("non empty uncle hash") // errInvalidDifficulty is returned if the difficulty of a block neither 1 or 2. errInvalidDifficulty = errors.New("invalid difficulty") // errWrongDifficulty is returned if the difficulty of a block doesn't match the // turn of the signer. errWrongDifficulty = errors.New("wrong difficulty") // errInvalidTimestamp is returned if the timestamp of a block is lower than // the previous block's timestamp + the minimum block period. errInvalidTimestamp = errors.New("invalid timestamp") // errInvalidVotingChain is returned if an authorization list is attempted to // be modified via out-of-range or non-contiguous headers. errInvalidVotingChain = errors.New("invalid voting chain") // ErrUnauthorizedSigner is returned if a header is signed by a non-authorized entity. ErrUnauthorizedSigner = errors.New("unauthorized signer") // ErrRecentlySigned is returned if a header is signed by an authorized entity // that already signed a header recently, thus is temporarily not allowed to. ErrRecentlySigned = errors.New("recently signed") ) // SignerFn hashes and signs the data to be signed by a backing account. type SignerFn func(signer common.Address, mimeType string, message []byte) ([]byte, error) // ecrecover extracts the Ethereum account address from a signed header. func ecrecover(header *types.Header, sigcache *lru.ARCCache) (common.Address, error) { // If the signature's already cached, return that hash := header.Hash() // hitrate while straight-forward sync is from 0.5 to 0.65 if address, known := sigcache.Peek(hash); known { return address.(common.Address), nil } // Retrieve the signature from the header extra-data if len(header.Extra) < ExtraSeal { return common.Address{}, errMissingSignature } signature := header.Extra[len(header.Extra)-ExtraSeal:] // Recover the public key and the Ethereum address pubkey, err := crypto.Ecrecover(SealHash(header).Bytes(), signature) if err != nil { return common.Address{}, err } var signer common.Address copy(signer[:], crypto.Keccak256(pubkey[1:])[12:]) sigcache.Add(hash, signer) return signer, nil } // Clique is the proof-of-authority consensus engine proposed to support the // Ethereum testnet following the Ropsten attacks. type Clique struct { chainConfig *params.ChainConfig config *params.CliqueConfig // Consensus engine configuration parameters snapshotConfig *params.ConsensusSnapshotConfig // Consensus engine configuration parameters db kv.RwDB // Database to store and retrieve snapshot checkpoints signatures *lru.ARCCache // Signatures of recent blocks to speed up mining recents *lru.ARCCache // Snapshots for recent block to speed up reorgs proposals map[common.Address]bool // Current list of proposals we are pushing signer common.Address // Ethereum address of the signing key signFn SignerFn // Signer function to authorize hashes with lock sync.RWMutex // Protects the signer and proposals fields // The fields below are for testing only FakeDiff bool // Skip difficulty verifications exitCh chan struct{} } // New creates a Clique proof-of-authority consensus engine with the initial // signers set to the ones provided by the user. func New(cfg *params.ChainConfig, snapshotConfig *params.ConsensusSnapshotConfig, cliqueDB kv.RwDB) *Clique { config := cfg.Clique // Set any missing consensus parameters to their defaults conf := *config if conf.Epoch == 0 { conf.Epoch = epochLength } // Allocate the snapshot caches and create the engine recents, _ := lru.NewARC(snapshotConfig.InmemorySnapshots) signatures, _ := lru.NewARC(snapshotConfig.InmemorySignatures) exitCh := make(chan struct{}) c := &Clique{ chainConfig: cfg, config: &conf, snapshotConfig: snapshotConfig, db: cliqueDB, recents: recents, signatures: signatures, proposals: make(map[common.Address]bool), exitCh: exitCh, } // warm the cache snapNum, err := lastSnapshot(cliqueDB) if err != nil { if !errors.Is(err, ErrNotFound) { log.Error("on Clique init while getting latest snapshot", "err", err) } } else { snaps, err := c.snapshots(snapNum, warmupCacheSnapshots) if err != nil { log.Error("on Clique init", "err", err) } for _, sn := range snaps { c.recentsAdd(sn.Number, sn.Hash, sn) } } return c } // Type returns underlying consensus engine func (c *Clique) Type() params.ConsensusType { return params.CliqueConsensus } // Author implements consensus.Engine, returning the Ethereum address recovered // from the signature in the header's extra-data section. func (c *Clique) Author(header *types.Header) (common.Address, error) { return ecrecover(header, c.signatures) } // VerifyHeader checks whether a header conforms to the consensus rules. func (c *Clique) VerifyHeader(chain consensus.ChainHeaderReader, header *types.Header, _ bool) error { return c.verifyHeader(chain, header, nil) } type VerifyHeaderResponse struct { Results chan error Cancel func() } func (c *Clique) recentsAdd(num uint64, hash common.Hash, s *Snapshot) { c.recents.Add(hash, s.copy()) } // VerifyUncles implements consensus.Engine, always returning an error for any // uncles as this consensus mechanism doesn't permit uncles. func (c *Clique) VerifyUncles(chain consensus.ChainReader, header *types.Header, uncles []*types.Header) error { if len(uncles) > 0 { return errors.New("uncles not allowed") } return nil } // VerifySeal implements consensus.Engine, checking whether the signature contained // in the header satisfies the consensus protocol requirements. func (c *Clique) VerifySeal(chain consensus.ChainHeaderReader, header *types.Header) error { snap, err := c.Snapshot(chain, header.Number.Uint64(), header.Hash(), nil) if err != nil { return err } return c.verifySeal(chain, header, snap) } // Prepare implements consensus.Engine, preparing all the consensus fields of the // header for running the transactions on top. func (c *Clique) Prepare(chain consensus.ChainHeaderReader, header *types.Header, state *state.IntraBlockState) error { // If the block isn't a checkpoint, cast a random vote (good enough for now) header.Coinbase = common.Address{} header.Nonce = types.BlockNonce{} number := header.Number.Uint64() // Assemble the voting snapshot to check which votes make sense snap, err := c.Snapshot(chain, number-1, header.ParentHash, nil) if err != nil { return err } c.lock.RLock() if number%c.config.Epoch != 0 { // Gather all the proposals that make sense voting on addresses := make([]common.Address, 0, len(c.proposals)) for address, authorize := range c.proposals { if snap.validVote(address, authorize) { addresses = append(addresses, address) } } // If there's pending proposals, cast a vote on them if len(addresses) > 0 { header.Coinbase = addresses[rand.Intn(len(addresses))] // nolint: gosec if c.proposals[header.Coinbase] { copy(header.Nonce[:], NonceAuthVote) } else { copy(header.Nonce[:], nonceDropVote) } } } // Copy signer protected by mutex to avoid race condition signer := c.signer c.lock.RUnlock() // Set the correct difficulty header.Difficulty = calcDifficulty(snap, signer) // Ensure the extra data has all its components if len(header.Extra) < ExtraVanity { header.Extra = append(header.Extra, bytes.Repeat([]byte{0x00}, ExtraVanity-len(header.Extra))...) } header.Extra = header.Extra[:ExtraVanity] if number%c.config.Epoch == 0 { for _, signer := range snap.GetSigners() { header.Extra = append(header.Extra, signer[:]...) } } header.Extra = append(header.Extra, make([]byte, ExtraSeal)...) // Mix digest is reserved for now, set to empty header.MixDigest = common.Hash{} // Ensure the timestamp has the correct delay parent := chain.GetHeader(header.ParentHash, number-1) if parent == nil { return consensus.ErrUnknownAncestor } header.Time = parent.Time + c.config.Period now := uint64(time.Now().Unix()) if header.Time < now { header.Time = now } return nil } func (c *Clique) Initialize(config *params.ChainConfig, chain consensus.ChainHeaderReader, e consensus.EpochReader, header *types.Header, txs []types.Transaction, uncles []*types.Header, syscall consensus.SystemCall) { } // Finalize implements consensus.Engine, ensuring no uncles are set, nor block // rewards given. func (c *Clique) Finalize(config *params.ChainConfig, header *types.Header, state *state.IntraBlockState, txs types.Transactions, uncles []*types.Header, r types.Receipts, e consensus.EpochReader, chain consensus.ChainHeaderReader, syscall consensus.SystemCall, ) (types.Transactions, types.Receipts, error) { // No block rewards in PoA, so the state remains as is and uncles are dropped header.UncleHash = types.CalcUncleHash(nil) return txs, r, nil } // FinalizeAndAssemble implements consensus.Engine, ensuring no uncles are set, // nor block rewards given, and returns the final block. func (c *Clique) FinalizeAndAssemble(chainConfig *params.ChainConfig, header *types.Header, state *state.IntraBlockState, txs types.Transactions, uncles []*types.Header, receipts types.Receipts, e consensus.EpochReader, chain consensus.ChainHeaderReader, syscall consensus.SystemCall, call consensus.Call, ) (*types.Block, types.Transactions, types.Receipts, error) { // No block rewards in PoA, so the state remains as is and uncles are dropped header.UncleHash = types.CalcUncleHash(nil) // Assemble and return the final block for sealing return types.NewBlock(header, txs, nil, receipts), txs, receipts, nil } // Authorize injects a private key into the consensus engine to mint new blocks // with. func (c *Clique) Authorize(signer common.Address, signFn SignerFn) { c.lock.Lock() defer c.lock.Unlock() c.signer = signer c.signFn = signFn } // Seal implements consensus.Engine, attempting to create a sealed block using // the local signing credentials. func (c *Clique) Seal(chain consensus.ChainHeaderReader, block *types.Block, results chan<- *types.Block, stop <-chan struct{}) error { header := block.Header() // Sealing the genesis block is not supported number := header.Number.Uint64() if number == 0 { return errUnknownBlock } // For 0-period chains, refuse to seal empty blocks (no reward but would spin sealing) if c.config.Period == 0 && len(block.Transactions()) == 0 { log.Info("Sealing paused, waiting for transactions") return nil } // Don't hold the signer fields for the entire sealing procedure c.lock.RLock() signer, signFn := c.signer, c.signFn c.lock.RUnlock() // Bail out if we're unauthorized to sign a block snap, err := c.Snapshot(chain, number-1, header.ParentHash, nil) if err != nil { return err } if _, authorized := snap.Signers[signer]; !authorized { return ErrUnauthorizedSigner } // If we're amongst the recent signers, wait for the next block for seen, recent := range snap.Recents { if recent == signer { // Signer is among RecentsRLP, only wait if the current block doesn't shift it out if limit := uint64(len(snap.Signers)/2 + 1); number < limit || seen > number-limit { log.Info("Signed recently, must wait for others") return nil } } } // Sweet, the protocol permits us to sign the block, wait for our time delay := time.Unix(int64(header.Time), 0).Sub(time.Now()) // nolint: gosimple if header.Difficulty.Cmp(diffNoTurn) == 0 { // It's not our turn explicitly to sign, delay it a bit wiggle := time.Duration(len(snap.Signers)/2+1) * wiggleTime delay += time.Duration(rand.Int63n(int64(wiggle))) // nolint: gosec log.Trace("Out-of-turn signing requested", "wiggle", common.PrettyDuration(wiggle)) } // Sign all the things! sighash, err := signFn(signer, accounts.MimetypeClique, CliqueRLP(header)) if err != nil { return err } copy(header.Extra[len(header.Extra)-ExtraSeal:], sighash) // Wait until sealing is terminated or delay timeout. log.Trace("Waiting for slot to sign and propagate", "delay", common.PrettyDuration(delay)) go func() { defer debug.LogPanic() select { case <-stop: return case <-time.After(delay): } select { case results <- block.WithSeal(header): default: log.Warn("Sealing result is not read by miner", "sealhash", SealHash(header)) } }() return nil } func (c *Clique) GenerateSeal(chain consensus.ChainHeaderReader, currnt, parent *types.Header, call consensus.Call) []rlp.RawValue { return nil } // CalcDifficulty is the difficulty adjustment algorithm. It returns the difficulty // that a new block should have: // * DIFF_NOTURN(2) if BLOCK_NUMBER % SIGNER_COUNT != SIGNER_INDEX // * DIFF_INTURN(1) if BLOCK_NUMBER % SIGNER_COUNT == SIGNER_INDEX func (c *Clique) CalcDifficulty(chain consensus.ChainHeaderReader, _, _ uint64, _ *big.Int, parentNumber uint64, parentHash, _ common.Hash, _ []rlp.RawValue) *big.Int { snap, err := c.Snapshot(chain, parentNumber, parentHash, nil) if err != nil { return nil } c.lock.RLock() signer := c.signer c.lock.RUnlock() return calcDifficulty(snap, signer) } func calcDifficulty(snap *Snapshot, signer common.Address) *big.Int { if snap.inturn(snap.Number+1, signer) { return new(big.Int).Set(DiffInTurn) } return new(big.Int).Set(diffNoTurn) } // SealHash returns the hash of a block prior to it being sealed. func (c *Clique) SealHash(header *types.Header) common.Hash { return SealHash(header) } // Close implements consensus.Engine. It's a noop for clique as there are no background threads. func (c *Clique) Close() error { libcommon.SafeClose(c.exitCh) return nil } // APIs implements consensus.Engine, returning the user facing RPC API to allow // controlling the signer voting. func (c *Clique) APIs(chain consensus.ChainHeaderReader) []rpc.API { return []rpc.API{ //{ //Namespace: "clique", //Version: "1.0", //Service: &API{chain: chain, clique: c}, //Public: false, //} } } // SealHash returns the hash of a block prior to it being sealed. func SealHash(header *types.Header) (hash common.Hash) { hasher := sha3.NewLegacyKeccak256() encodeSigHeader(hasher, header) hasher.Sum(hash[:0]) return hash } // CliqueRLP returns the rlp bytes which needs to be signed for the proof-of-authority // sealing. The RLP to sign consists of the entire header apart from the 65 byte signature // contained at the end of the extra data. // // Note, the method requires the extra data to be at least 65 bytes, otherwise it // panics. This is done to avoid accidentally using both forms (signature present // or not), which could be abused to produce different hashes for the same header. func CliqueRLP(header *types.Header) []byte { b := new(bytes.Buffer) encodeSigHeader(b, header) return b.Bytes() } func encodeSigHeader(w io.Writer, header *types.Header) { enc := []interface{}{ header.ParentHash, header.UncleHash, header.Coinbase, header.Root, header.TxHash, header.ReceiptHash, header.Bloom, header.Difficulty, header.Number, header.GasLimit, header.GasUsed, header.Time, header.Extra[:len(header.Extra)-crypto.SignatureLength], // Yes, this will panic if extra is too short header.MixDigest, header.Nonce, } if header.Eip1559 { enc = append(enc, header.BaseFee) } if err := rlp.Encode(w, enc); err != nil { panic("can't encode: " + err.Error()) } } func (c *Clique) snapshots(latest uint64, total int) ([]*Snapshot, error) { if total <= 0 { return nil, nil } blockEncoded := dbutils.EncodeBlockNumber(latest) tx, err := c.db.BeginRo(context.Background()) if err != nil { return nil, err } defer tx.Rollback() cur, err1 := tx.Cursor(kv.CliqueSeparate) if err1 != nil { return nil, err1 } defer cur.Close() res := make([]*Snapshot, 0, total) for k, v, err := cur.Seek(blockEncoded); k != nil; k, v, err = cur.Prev() { if err != nil { return nil, err } s := new(Snapshot) err = json.Unmarshal(v, s) if err != nil { return nil, err } s.config = c.config res = append(res, s) total-- if total == 0 { break } } return res, nil }