- Increase secondary client USDFC deposit from 0.06 to 0.5 (minimum lockup + sybilFee = 0.12)
- Increase f4 actor gas fund from 0.001 to 1 FIL (EVM txs need ~0.03 FIL)
- Fix curio-init miner detection: grep -v t01000|t01001 | tail -1 (handles stale miners)
- Fix curio-init temp node layers: seal,post,gui without pdp-only (avoids no-api-keys chicken-and-egg)
- Non-fatal pdptool ping during PDP setup (port 80 not available without pdp-only layer)
- Griefing weight 8, reorg weight 0 (validate griefing first)
Restructured FOC security testing from flat probe functions into coherent scenario-driven state machines and independent dispatch probes. Fixed multiple critical bugs found during code audit.

Security scenarios (new files):
- foc_piece_security.go: 5-phase piece lifecycle (add→verify→delete→check→attack) with 5 attack probes (nonce replay, cross-dataset injection, double deletion, nonexistent deletion, post-termination addition)
- foc_payment_security.go: 7 independent payment/rail probes (settlement lockup L01, double-settle, withdrawTo redirect, unauthorized deposit L04, direct rail terminate, settle-terminated escape hatch, full withdrawal #288)
- foc_resilience.go: Curio HTTP stress barrage + orphan rail billing check

Bug fixes:
- C1: piece security stuck in infinite attack loop (state transition to self)
- C2: piece security cleanup corrupted shared griefing state
- H1: unified log tags to [foc-*] pattern across all FOC files
- H5: DoFOCWithdraw computed from total funds instead of available (funds-lockup)
- H7: DoFOCDeletePiece lost piece from state on tx failure (no rollback)
- H8: insolvency refund ignored errors, permanently draining secondary client

Griefing improvements:
- First dispatch forced to EmptyDatasetFee (sets LastOnChainDSID for other scenarios)
- After initial dataset, only non-destructive probes run (CrossPayerReplay, BurstCreation)
- Cooldown between dispatches (200 epochs) prevents fund starvation
- Removed unused griefRuntime fields, dead code (buildCreateDataSetCalldata)

Sidecar additions:
- checkLockupNeverExceedsFunds: assert.Always lockup <= funds for all payers
- checkDeletedDatasetRailTerminated: verify deleted dataset rails have endEpoch set

Infrastructure:
- New selectors: SigTerminateRail, SigWithdrawTo, SigSettleTerminatedRailNoValidation, SigModifyRailLockup, SigAllowance
- New helpers: ReadAllowance, ReadRailFull in eth.go
- Fork monitor poll interval configurable via FORK_POLL_INTERVAL_SECS (30s for FOC runs)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Piece security: skip to attack phase on deletion tx failure instead of retrying forever. schedulePieceDeletions through FWSS callback chain costs ~29.7M of 30M gas on FVM (known issue, already reported). Added Sometimes assertion to track when/if this gets fixed.
- Resilience: cap at 2 cycles (was unlimited). Each cycle creates an orphan dataset costing ~0.06 USDFC sybil fee, draining the secondary client's funds and causing subsequent scenarios to fail.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sidecar: 4 new continuous invariants (15 total):
- checkSettlementMonotonicity: settledUpTo never goes backwards on any rail. Regression guard for filecoin-pay#134 (settlement halt on zero-rate segment).
- checkDeletedDatasetFullySettled: deleted datasets have settledUpTo >= endEpoch. Regression guard for filecoin-services#375 (delete without full settlement).
- checkOperatorApprovalConsistency: operator rateUsage <= rateAllowance and lockupUsage <= lockupAllowance. Regression guard for filecoin-pay#137/#274 (operator lockup leak, #274 still OPEN).
- checkLockupIncreasesOnPieceAdd: when activePieceCount increases, payer lockup must also increase. Regression guard for filecoin-services#350 (underfunding window on piecesAdded).

Stress-engine: payProbeSettleMidPeriod — attempts settlement during an open proving period (before deadline). Verifies settledUpTo does not advance past the period boundary. Regression for filecoin-services#416.

Helpers: ReadOperatorApprovals in eth.go for sidecar operator checks.

Debug: revert reason capture via eth_call replay on settle and deletion failures. Confirmed settleRail revert is RailInactiveOrSettled (wrong rail — burn rail vs PDP rail). Confirmed piece deletion revert via Curio HTTP is ExtraDataRequired (client signature not provided).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
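The continuous invariants named in the two sidecar commits above (lockup never exceeding funds, settledUpTo never moving backwards, deleted datasets fully settled through endEpoch, operator usage within allowance) are easiest to reason about as pure checks over successive chain snapshots. The following is an added illustration, not the project's sidecar code: the RailState, PayerState and OperatorApproval types, the field names, the addresses and all epoch and balance values are constructed for the example, and epochs are plain uint64 rather than whatever the real reader returns. Each check returns a list of violation strings so a caller can feed them to whatever always/sometimes assertion mechanism it uses.

```go
package main

import (
	"fmt"
	"math/big"
	"sort"
)

// RailState is a constructed, simplified view of one payment rail as a
// sidecar might read it on each poll (hypothetical type, not the project's).
type RailState struct {
	ID          uint64
	SettledUpTo uint64 // last epoch settled on this rail
	EndEpoch    uint64 // 0 while the rail is open; set once terminated
	Deleted     bool   // the dataset backing this rail has been deleted
}

// PayerState holds a payer's deposited funds and the amount locked for rails.
type PayerState struct {
	Addr   string
	Funds  *big.Int
	Lockup *big.Int
}

// OperatorApproval is the rate/lockup allowance a payer granted an operator
// together with how much of it the operator currently uses.
type OperatorApproval struct {
	Operator        string
	RateUsage       *big.Int
	RateAllowance   *big.Int
	LockupUsage     *big.Int
	LockupAllowance *big.Int
}

// CheckSettlementMonotonicity flags every rail whose settledUpTo decreased
// between two consecutive snapshots.
func CheckSettlementMonotonicity(prev, cur map[uint64]RailState) []string {
	var v []string
	for id, c := range cur {
		if p, ok := prev[id]; ok && c.SettledUpTo < p.SettledUpTo {
			v = append(v, fmt.Sprintf("rail %d: settledUpTo went backwards %d -> %d", id, p.SettledUpTo, c.SettledUpTo))
		}
	}
	return v
}

// CheckDeletedDatasetFullySettled: a rail for a deleted dataset must be
// terminated (endEpoch set) and settled through that epoch.
func CheckDeletedDatasetFullySettled(rails map[uint64]RailState) []string {
	var v []string
	for id, r := range rails {
		if !r.Deleted {
			continue
		}
		if r.EndEpoch == 0 {
			v = append(v, fmt.Sprintf("rail %d: deleted dataset but endEpoch not set", id))
		} else if r.SettledUpTo < r.EndEpoch {
			v = append(v, fmt.Sprintf("rail %d: deleted dataset settled only to %d < endEpoch %d", id, r.SettledUpTo, r.EndEpoch))
		}
	}
	return v
}

// CheckLockupNeverExceedsFunds: locked amount can never exceed deposited funds.
func CheckLockupNeverExceedsFunds(payers []PayerState) []string {
	var v []string
	for _, p := range payers {
		if p.Lockup.Cmp(p.Funds) > 0 {
			v = append(v, fmt.Sprintf("payer %s: lockup %s exceeds funds %s", p.Addr, p.Lockup, p.Funds))
		}
	}
	return v
}

// CheckOperatorApprovalConsistency: usage must stay within the granted allowance.
func CheckOperatorApprovalConsistency(approvals []OperatorApproval) []string {
	var v []string
	for _, a := range approvals {
		if a.RateUsage.Cmp(a.RateAllowance) > 0 {
			v = append(v, fmt.Sprintf("operator %s: rateUsage %s > rateAllowance %s", a.Operator, a.RateUsage, a.RateAllowance))
		}
		if a.LockupUsage.Cmp(a.LockupAllowance) > 0 {
			v = append(v, fmt.Sprintf("operator %s: lockupUsage %s > lockupAllowance %s", a.Operator, a.LockupUsage, a.LockupAllowance))
		}
	}
	return v
}

// RunSampleChecks runs every invariant over two constructed snapshots and
// returns the sorted violations (constructed data; five are expected).
func RunSampleChecks() []string {
	prev := map[uint64]RailState{1: {ID: 1, SettledUpTo: 100}, 2: {ID: 2, SettledUpTo: 200}, 3: {ID: 3, SettledUpTo: 300}}
	cur := map[uint64]RailState{
		1: {ID: 1, SettledUpTo: 150},                                       // fine
		2: {ID: 2, SettledUpTo: 190},                                       // went backwards
		3: {ID: 3, SettledUpTo: 300, EndEpoch: 320, Deleted: true},          // not fully settled
		4: {ID: 4, SettledUpTo: 50, Deleted: true},                          // never terminated
	}
	payers := []PayerState{
		{Addr: "0xA", Funds: big.NewInt(500000), Lockup: big.NewInt(120000)}, // fine
		{Addr: "0xB", Funds: big.NewInt(100), Lockup: big.NewInt(150)},       // over-locked
	}
	ops := []OperatorApproval{
		{Operator: "0xOP1", RateUsage: big.NewInt(10), RateAllowance: big.NewInt(20), LockupUsage: big.NewInt(5), LockupAllowance: big.NewInt(5)},   // fine
		{Operator: "0xOP2", RateUsage: big.NewInt(10), RateAllowance: big.NewInt(20), LockupUsage: big.NewInt(30), LockupAllowance: big.NewInt(20)}, // leak
	}
	var all []string
	all = append(all, CheckSettlementMonotonicity(prev, cur)...)
	all = append(all, CheckDeletedDatasetFullySettled(cur)...)
	all = append(all, CheckLockupNeverExceedsFunds(payers)...)
	all = append(all, CheckOperatorApprovalConsistency(ops)...)
	sort.Strings(all) // map iteration order is random; sort for stable output
	return all
}

func main() {
	for _, v := range RunSampleChecks() {
		fmt.Println("INVARIANT VIOLATION:", v)
	}
}
```

Because each check is a pure function of snapshot data, it can be run on every poll and each violation line mapped to an always-assertion; a real sidecar would replace the constructed snapshots with values read through helpers such as the ReadRailFull and ReadOperatorApprovals readers the commits mention.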
Restore all consensus, steady-state, and security vectors to production weights. Previously zeroed for isolated new-vector testing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
PDP griefing and sybil fee regression vectors.