
Validator Set Dynamic Reorganization During Epoch Boundary Produces Inconsistent Committee Roots #8

Description

@JamesEjembi

Problem Statement / Feature Objective

When the validator set is dynamically reorganized mid-epoch (triggered by an irregular exit or a late-inclusion activation), the committee root computed from get_beacon_committee() diverges between the pre-reorg and post-reorg view. This causes attestation verification to fail spuriously for validators assigned to different shard committees before and after the boundary.

Technical Invariants & Bounds

  • Epoch length: 32 slots (SHARD_COMMITTEE_PERIOD = 256 epochs).
  • Validator set size: bounded by 2^19 (~524k) entries.
  • Committee root is SHA-256 over the sorted list of validator indices.
  • Reorg window: slots where state.slot % SLOTS_PER_EPOCH < 4.
  • Cross-reorg attestations must be verifiable under both pre and post committee root.

Codebase Navigation Guide

  • src/validator/committee-assignment.rs - get_beacon_committee() and committee root derivation.
  • src/validator/validator-set.rs - reorg_validator_set() entry point for dynamic changes.
  • src/attestation/verifier.rs - attestation verification that consumes committee root.
  • src/state/epoch-transition.rs - epoch boundary state recalculation.
  • src/db/committee-cache.rs - cached committee root store.

Implementation Blueprint

  1. In src/validator/validator-set.rs, introduce a PendingReorg struct that records the slot range during which a reorg is active.
  2. Modify get_beacon_committee() to check the PendingReorg - if the current slot falls in the reorg window, compute the committee root from both the old and new set and return a CommitteeView::Ambiguous(old_root, new_root).
  3. In src/attestation/verifier.rs, accept an Ambiguous committee view and verify the attestation against either root; if one matches, accept.
  4. After the reorg window closes (slot >= reorg_end), finalize to the new committee root and evict the old cache entry.
  5. Write integration tests that simulate a mid-epoch exit and verify cross-boundary attestations still pass.
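
Blueprint steps 2 to 4 as an added Rust example (not the project's code), showing that the old root is accepted only while the reorg window is open. PendingReorg and CommitteeView::Ambiguous follow the issue; the Final variant, the field names, committee_view(), root_accepted() and the sample roots and slots are assumptions made for illustration.

```rust
// Added illustration. Roots are passed in as opaque 32-byte values; how they
// are derived (SHA-256 over sorted validator indices) is outside this example.
type Root = [u8; 32];

/// Slot range [start, end) during which a validator-set reorg is active
/// (field names are hypothetical).
pub struct PendingReorg { pub start: u64, pub end: u64, pub old_root: Root, pub new_root: Root }

#[derive(Debug, PartialEq)]
pub enum CommitteeView { Final(Root), Ambiguous(Root, Root) }

/// Steps 2 and 4: Ambiguous only inside the window; before it the old root
/// is final, and from `end` onward only the new root is.
pub fn committee_view(slot: u64, r: &PendingReorg) -> CommitteeView {
    if slot < r.start {
        CommitteeView::Final(r.old_root)
    } else if slot < r.end {
        CommitteeView::Ambiguous(r.old_root, r.new_root)
    } else {
        CommitteeView::Final(r.new_root)
    }
}

/// Step 3: an attestation's committee root is accepted if it matches the
/// final root, or either side of an Ambiguous view.
pub fn root_accepted(attested: &Root, view: &CommitteeView) -> bool {
    match view {
        CommitteeView::Final(root) => attested == root,
        CommitteeView::Ambiguous(old, new) => attested == old || attested == new,
    }
}

fn main() {
    // Constructed sample: window covers the first 4 slots of the epoch starting at slot 64.
    let reorg = PendingReorg { start: 64, end: 68, old_root: [0xAA; 32], new_root: [0xBB; 32] };
    for slot in [63u64, 64, 67, 68] {
        let view = committee_view(slot, &reorg);
        println!("slot {}: old accepted = {}, new accepted = {}", slot,
            root_accepted(&reorg.old_root, &view), root_accepted(&reorg.new_root, &view));
    }
}
```

Because the Ambiguous view widens what the verifier accepts, the window check is the security boundary: an attestation carrying the old root at slot >= reorg_end must be rejected.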
