Peerplays_Blockchain/peerplays_migrated
1
0
Fork 0
Code Issues 35 Pull requests 4 Projects Releases 20 Packages Wiki Activity Actions

Double-precision math should be avoided in consensus - (nft_lottery_token_purchase) #421

New issue
Closed
opened 2022-08-29 16:49:09 +00:00 by christophersanborn · 9 comments
christophersanborn commented 2022-08-29 16:49:09 +00:00 (Migrated from gitlab.com)
Copy link

To avoid difficult-to-anticipate edge cases, consensus logic should avoid floating-point math.

A search turns up a handful of uses of floating-point match for consensus logic. One in particular is in the nft_lottery_token_purchase_evaluator:

nft_lottery_evaluator.cpp#L33:

    auto lottery_options = lottery_md_obj.lottery_data->lottery_options;
    FC_ASSERT(lottery_options.ticket_price.asset_id == op.amount.asset_id);
    FC_ASSERT((double)op.amount.amount.value / lottery_options.ticket_price.amount.value == (double)op.tickets_to_buy);

Here it is used to check that the amount of asset provided in the ticket purchase operation is correct for the purchase of tickets_to_buy NFT lotto tickets.

Recommendation:

The check should be replaced by a two-step check that:

  • (1) checks equivalency using integer multiplication (instead of division), and
  • (2) checks for overflow.

Instead of:

    FC_ASSERT((double)op.amount.amount.value / lottery_options.ticket_price.amount.value == (double)op.tickets_to_buy);

Recommend:

    share_type tickets_to_buy(op.tickets_to_buy);  // (cast to safe<int64>)
    FC_ASSERT(tickets_to_buy >= 0);  // (catch overflow in uint64 -> int64)
    FC_ASSERT(tickets_to_buy * lottery_options.ticket_price.amount.value == op.amount.amount.value);

This actually achieves BOTH objectives, due to bounds-checking already in share_type.

Overflow check:

Note that share_type is typedef'd in types.hpp as:

   typedef safe<int64_t>           share_type;

And that multiplication of two share_type's is therefore already overloaded to check for overflows. (see: safe.hpp)

However, note that op.tickets_to_buy is not already a share_type, but rather a uint64. Casting it to share_type should effectively turn on the bounds checking. But note also that we will need to reject values of op.tickets_to_buy with the high-bit set because they will wrap-around and become negative. This means rejecting a value which is allowed (albeit erroneously, imho) by protocol. However in practice this is not a problem because ticket purchases this large would not be realizable because they exceed the number of object IDs available for NFT objects. So it should be OK to reject these.

Tests:

The test suite should include a test that confirms rejection of a purchase operation that overflows.

Additional Suggestion:

To avoid the awkwardness of having to cast op.tickets_to_buy to a share_type, it would be better if nft_lottery_token_purchase_operation::tickets_to_buy were already share_type instead of uint64_t. (See definition in nft_lottery.hpp#L21.)

In general, protocol should NOT be modified after deployment, but in this case it may be worthwhile, if done carefully. IMHO a separate ticket should be created for this revision.

Suggestion would be to change the type from uint64_t to share_type and ensure validation rejects negative values and values exceeding the number of available object IDs.

To avoid difficult-to-anticipate edge cases, consensus logic should avoid floating-point math. A search turns up a handful of uses of floating-point match for consensus logic. One in particular is in the nft_lottery_token_purchase_evaluator: [nft_lottery_evaluator.cpp#L33](https://gitlab.com/PBSA/peerplays/-/blob/develop/libraries/chain/nft_lottery_evaluator.cpp#L33): ```cpp auto lottery_options = lottery_md_obj.lottery_data->lottery_options; FC_ASSERT(lottery_options.ticket_price.asset_id == op.amount.asset_id); FC_ASSERT((double)op.amount.amount.value / lottery_options.ticket_price.amount.value == (double)op.tickets_to_buy); ``` Here it is used to check that the amount of asset provided in the ticket purchase operation is correct for the purchase of `tickets_to_buy` NFT lotto tickets. ### Recommendation: The check should be replaced by a two-step check that: - (1) checks equivalency using integer multiplication (instead of division), and - (2) checks for overflow. Instead of: ```cpp FC_ASSERT((double)op.amount.amount.value / lottery_options.ticket_price.amount.value == (double)op.tickets_to_buy); ``` Recommend: ```cpp share_type tickets_to_buy(op.tickets_to_buy); // (cast to safe<int64>) FC_ASSERT(tickets_to_buy >= 0); // (catch overflow in uint64 -> int64) FC_ASSERT(tickets_to_buy * lottery_options.ticket_price.amount.value == op.amount.amount.value); ``` This actually achieves BOTH objectives, due to bounds-checking already in `share_type`. #### Overflow check: Note that `share_type` is typedef'd in [types.hpp](https://gitlab.com/PBSA/peerplays/-/blob/develop/libraries/chain/include/graphene/chain/protocol/types.hpp#L370) as: ```cpp typedef safe<int64_t> share_type; ``` And that multiplication of two `share_type`'s is therefore already overloaded to check for overflows. (see: [safe.hpp](https://gitlab.com/PBSA/tools-libs/peerplays-fc/-/blob/156b0c4e41c9215eadb2af8009b05e0f38c16dda/include/fc/safe.hpp#L52)) However, note that `op.tickets_to_buy` is not already a `share_type`, but rather a `uint64`. Casting it to `share_type` should effectively turn on the bounds checking. But note also that we will need to reject values of `op.tickets_to_buy` with the high-bit set because they will wrap-around and become negative. This means rejecting a value which is allowed (albeit erroneously, imho) by protocol. However in practice this is not a problem because ticket purchases this large would not be realizable because they exceed the number of object IDs available for NFT objects. So it should be OK to reject these. ### Tests: The test suite should include a test that confirms rejection of a purchase operation that overflows. ### Additional Suggestion: To avoid the awkwardness of having to cast `op.tickets_to_buy` to a `share_type`, it would be better if `nft_lottery_token_purchase_operation::tickets_to_buy` were already `share_type` instead of `uint64_t`. (See definition in [nft_lottery.hpp#L21](https://gitlab.com/PBSA/peerplays/-/blob/develop/libraries/chain/include/graphene/chain/protocol/nft_lottery.hpp#L21).) In general, protocol should NOT be modified after deployment, but in this case it may be worthwhile, if done carefully. IMHO a separate ticket should be created for this revision. Suggestion would be to change the type from `uint64_t` to `share_type` and ensure validation rejects negative values and values exceeding the number of available object IDs.
serkixenos commented 2022-10-11 00:14:19 +00:00 (Migrated from gitlab.com)
Copy link

assigned to @mkhan17

assigned to @mkhan17
serkixenos commented 2022-10-14 18:44:09 +00:00 (Migrated from gitlab.com)
Copy link

assigned to @milo_peerplays

assigned to @milo_peerplays
milo_peerplays commented 2023-02-07 12:45:19 +00:00 (Migrated from gitlab.com)
Copy link

mentioned in merge request !205

mentioned in merge request !205
milo_peerplays commented 2023-02-10 14:50:24 +00:00 (Migrated from gitlab.com)
Copy link

mentioned in commit e44ed0cfe5

mentioned in commit e44ed0cfe5df825f2fe264b68be382b559ebb609
serkixenos commented 2023-02-10 14:50:24 +00:00 (Migrated from gitlab.com)
Copy link

mentioned in commit 80d168e5b6

mentioned in commit 80d168e5b62bc445b202cc44649aa2ee24a7175c
serkixenos commented 2023-02-10 14:51:12 +00:00 (Migrated from gitlab.com)
Copy link

assigned to @prandnum and @wsalloum

assigned to @prandnum and @wsalloum
prandnum commented 2023-02-23 17:54:32 +00:00 (Migrated from gitlab.com)
Copy link

@milo_peerplays please provide the test steps required to validate this issue.

CC: @serkixenos

@milo_peerplays please provide the test steps required to validate this issue. CC: @serkixenos
milo_peerplays commented 2023-02-23 18:01:16 +00:00 (Migrated from gitlab.com)
Copy link

The fix is covered by a unit test. You could additionally verify it by confirming that the witness_node can sync with the mainnet.

The fix is covered by a unit test. You could additionally verify it by confirming that the witness_node can sync with the mainnet.
prandnum commented 2023-02-28 13:26:48 +00:00 (Migrated from gitlab.com)
Copy link

Able to sync with mainnet and also do a replay. Closing the bug.

Able to sync with mainnet and also do a replay. Closing the bug.
prandnum (Migrated from gitlab.com) closed this issue 2023-02-28 13:26:49 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
feature/579-enable-hardfork-check
develop
beatrice
feature/577-sidechain-plugin
hotfix/bookie2024
feature/568-static-libbitcoin
567-update-dockerfile
docs/readme-build-subdirectory
local_dev_subscribe_address
feature/release-automation-changelogs
feature/remove-image-e2e-tests
feature/installer-script
local_dev_manual_zmq_socet
local_test_block_events
develop-clang17-wip
feature/python-e2e-tests
bug/501-on_connection_closed
bug/513-num_son_init
bug/513-num_son_extension
docker-build-fix
libbitcoin-build-dependencies-cicd
feature/cicd-deployments-and-upgrades
feature/limit-NFT-objs-returned
sonarcloud-coverage
bug/api-doc-generation-hotfix
test/hot-fix-hardfork-changed
mint-testnet-sidechain-address-fix
hotfix/sidechain-address
feature/limits-for-nft_get_all_tokens
debug-transaction-signing
feature/libbitcoin-son
revert-1a160275
revert-f7aab6a8
peerup-clang14-new
feature/son-for-ethereum
peerup-clang14
feature/420-ethereum-unit-tests
bug/issue416_corrected
bug/issue-416
cicd-test
test/enable_disconnect_non_compatible_witness_nodes
395-verify-delayed_node-plugin
431-verify-debug_witness-plugin
461-handle-boost-system-system_error-exception
local_enable_logs_for_irona
merge-develop-to-beatrice-2022-06
bug/378/fix_for_restarting_node_without_replay_option
feature/368/implement_the_witness_capability_to_overwrite_last_hardfork
bug/issue317
issue317-traces
dapp-support
feature/274/redirect_transaction_fees_to_dividends
bug/issue34
bug/issue229
bug-235-update-2
Feature-Enable-parallel-build-testnet-mainnet-cmake
231-docker-with-artifacts
325-refactor-importing-btc-addresses-into-son-wallet
bug/235-stop_corrupts_chain_file-1
bug/empty-json-parsing-failure-2
bug/failure-on-son-related-test-1
bug/issue50
230-docker-image-from-ci-should-be-pushed-to-gitlab-registry-2
bug/issue-50-4
bug/issue50-trace-tid
bug/issue-50-2
bug/issue-50-3
bug/94-docker-build
bug/issue-50
bug/empty-json-parsing-failure
bug/rpc-client-crashes-on-empty-response
bug_fix_warnings
feature/all-in-one-build
feature/cli-activate-deregistered-son
hotfix/fix-sidechain-address-generation
revert-b875f0b8
hotfix/fix-memo-field-encryption
issue/son-for-hive-rpc-connection
hotfix/fix-plugin-cli-option
bug/35-blockchain_replay
merge-beatrice-to-master-2021-11
feature/son-for-hive
feature/son-for-hive-https-support
revert-b806eb85
feature/rel-mainnet-jul21
feature/mainnet-release-jul21
feature/reserve-tokens
feature/beatrice-changes-to-develop
feature/testnet-release-jun2021
feature/add-cliwallet-version
feature/son-wrong-weights
support/sonarcloud
feature/add-get-blocks
feature/sidechain-throttling
63-doc-son-docker-mainnet
issue/dex-crash
feature/port-dex-fixes
feature/hf-btc-flags-change
hotfix/build-warnings-210210
hotfix/master-son-vb-checks
hotfix/check-vesting-balances-for-son
feature/nft_lottery
hotfix/master-hotfixes
hotfix/gitlab
support/ci
hotfix/fix-get-full-accounts
feature/flush-db-during-replay
feature/cli-change-account-keys
feature/gpos-vesting-performance-decay-test
bugfix/374
hotfix/fix-witness-sons-multiple-ids-reading
feature/es-improvements
hotfix/cli-buy-sell-fix
merge_beatrice_to_develop_202012
merge_beatrice_to_master_202012
merge/master-to-beatrice-20201203
tests/code-coverage
feature/build-optimizations
hotfix/build-executables
merge/beatrice2develop
feature/sync-fc-OCT
hotfix/remove_fc_smart_ref
hotfix/remove_smart_ref
hotfix/remove_fc_smart_ref_develop
feature/api_limit_error_msg
hotfix/beatrice_compilation
feature/rl-editline
hotfix/release_build_fix_develop
hotfix/release_build_fix
feature/editline
hotfix/son_maxcount_fix
hotfix/son_fixes
hotfix/son_chain_params
merge/develop2beatrice
feature/SONs-base
feature/bts-210
feature/account_roles
issue375/public_key_type_fix
ws-updates
feature/rng
feature/beatrice_nft_merge
feature/marketplace
issue/mainnet_chain_halt_5050
issue/gpos_rolling_period_issue
issue/beatrice_chain_halt_gpos
feature/nft_market_rbac
feature/nft
feature/rbac
feature/GRPH-45
lottery_crash_reproduction
master_chain_halt_issue
son_deposit_address_enhancements
bitcoin_networktype_fix
SON-314
SON-363
SON-359
fix_tests
hotfix-rawtransaction
feature/SON-135
SON-215_SigningFix
issue_a_gitlab
SON-315
feature/SON-349
SON-BTCPxPlex-Tryouts
feature/SON-347
feature/SON-354
feature/SON-349_SON-350
feature/SON-353
beatrice_master_mar19
feature/SON-134-v4
feature/SON-333-gladcow
feature/beatrice_winner_id
feature/nh5050_winner_id
SON-337
SON-333-v2-sk
feature/SON-333-v2
feature/SON-348
feature/SON-346
feature/SON-344
feature/SON-341
feature/SON-325
feature/SON-320
feature/SON-322_SON-324
SON-291
SON-339
feature/SON-333
feature/SON-305
SON-297_SON-336
feature/SON-307
SON-313
feature/SON-134-alternate
son_account_fix_SON329
feature/SON-332
gitlab_test_clean_build
feature/SON-321_SON-323
feature/SON-288-update
feature/SON-271
feature/SON-311
SON-318_SON-319
feature/SON-312
feature/SON-304
feature/SON-295
SON-122
revert-312-sons_gpos_merge_mar19
SON-24
feature/SON-134
sons_gpos_merge_mar19
sons_gpos_merge_mar18
sons_gpos_merge_mar2
SON127
release/1.5.02
feature/SON-49
SON276
SON275
sync_fc_beatrice
plugins_enable_fix1
SON202_Update
SON118_Add_tx_metrics
feature/SON-270
SON269
SON200_Fix
es_update1
GRPH-160/fix
sync_fc_dev
feature/SON-264
SON261
feature/SON-260
feature/SON-242
unit_test_fixes
feature/SON-209-add
feature/SON-209
feature/SON-238
feature/snapshot
feature/GRPH-155
feature/GRPH-163
updates_from_mainnet
SON131
issue_github_277
2020_1_sync_fix
mainnet-sync-fix
mainet-sync
feature/SON-231
feature/SON-202-fix
SON214
feature/SON-98
SON233
SON232
SON165
SON206_Plugin_CrashFix_Reorg
GPOS-66
feature/SON-214
SON199-TestFailureFix
pbattu123-patch-1
feature/SON-202
feature/GRPH-205
support/gitlab-SONs-base
SON217
SON212_SON213_BuildError
SON212
SON206
SON194
sync-develop
hf-update
feature/SON-208
GPOS-1
beatrice_hf_1.4.1
SON207
feature/SON-203
GRPH-170
feature/GRPH-166
feature/SON-205
feature/BLOCKBACK-186-Bug-Fix
feature/GRPH-169
SON193
BLOCKBACK-186
feature/GRPH-152
BLOCKBACK-183
BLOCKCBACK-187
BLOCKBACK-187
feature/GRPH-168
feature/GRPH-167
feature/SON-196
203
feature/SON-195
feature/SON-158
GRPH-46
feature/GRPH-92
feature/GRPH-162
GRPH-159
feature/GRPH-160
update-submodule
BLOCKBACK-181
feature/BLOCKBACK-182
feature/GRPH-49-test-case
support/gitlab-develop
BLOCKBACK-177
GRPH-81
SON130
feature/GRPH-150
feature/SON-167
feature/SON-150
fc-commit-update
GRPH134
feature/GRPH-99
GRPH134_#198-HighCPU_Usage
qa_gpos_18.04
feature/BLOCKBACK-162
son_165
feature/SON-113-fix
feature/SON-160-fix
son_168
BLOCKBACK-155
feature/SON-142
BLOCKBACK-174
fix_flag
feature/BLOCKBACK-166
BLOCKBACK_164
feature/BLOCKBACK-165
SON126
feature/SON-113
BLOCKBACK-164
BLOCKBACK--164
oxarbitrage-patch-1
feature/SON-17
son_vesting
feature/GRPH-131
support/docker
SON118
feature/SON-115
son_wallet_clean
feature/GRPH-126
feature/GRPH-127
son_objects_operations
feature/SON-109
feature/SON-108
feature/SON-110
feature/SON-operations
feature/SON-137-GitModule-Update
feature/SON-83
feature/SON-107
feature/GRPH-2-GitModule-Update
jira-163-fix
153/fix-add-on
feature/GRPH-2-Git-Module-Update
feature/GRPH-79-Bug-Fix
feature/GRPH-3
feature/GRPH-117
gpos-testfix
feature/GRPH-90
feature/SON-84
feature/GRPH-114
feature/GRPH-95
118
feature/GRPH-112
issue/154-fix
GRPH-50-network_broadcast_api-fix-v2
BLOCKBACK-153
BLOCKBACK-154
feature/GRPH-94
feature/GRPH-111
feature/GRPH-83
feature/SON-5
feature/GRPH-93-v2
feature/GRPH-106
feature/GRPH-64
feature/GRPH-86
SON11
graphene-release1
GRPH-75
feature/GRPH-79
GRPH-73-fix-block-id-forks
feature/GRPH-88
pbsa-github-patch-1
feature/GRPH-80
feature/GRPH-93
feature/GRPH-87
feature/test-grph-3
feature/SON-83-plugins-option
GRPH-89
feature/SON-83-SON-plugin
support/gitlab-master
feature/SONs-base-build-1804
support/gitlab-beatrice
GRPH-4-update-submodule
feature/tweakes-README
GRPH-56-implement-tx-size-check-18.04
GRPH-56-implement-tx-size-check-master
github-issue-template1
support/gitlab
review-fixes
hardfork-50/50
cli_wallet_tests
rng_api
feature/GRPH-76
feature/GRPH-78
GRPH-59-Proposal-failure-handling
GRPH-71
feature/GRPH-61
feature/GRPH-77
issue-154
feature/GRPH-63
GRPH-3-cli-tests-18.04
GRPH-63-Authorize-Tx-Bug-18.04
GRPH-70
GRPH-51
pp_travis
WASM-49
GRPH-4
GRPH-53
feature/GRPH-54
GRPH-60
feature/GRPH-48
GRPH-48-Object-Database-18.04
GRPH-66
qa_gpos_18.04_gcc7_fix
GRPH-60-ProposalNestedRecursionGuard
GRPH-64-Variable-fix-18.04
GRPH-57-CompilerWarningFixesDBTests
GRPH-54-sign-transaction-fix-master
GRPH-54-sign-transaction-fix-18.04
qa_gpos_18.04_docker_img
GRPH-50-network_broadcast_api-fix
beatrice-5050-merge
Issue23-check-transaction-size
issue23-check-transaction-size
feature/5050
hotfix/readme
hotfix/readme-branch-from-gitlab
hotfix/docker
hotfix/docker-branch-from-gitlab
hotfix/unit-tests
hotfix/unit-tests-branch-from-gitlab
feature/manager-for-sports-and-underlying
feature-sidechain
1.6.1
1.6.0
1.5.25-beta
1.5.24-beta
1.5.23-beta
1.5.22-alpha
1.5.21-alpha
1.5.20-alpha
1.5.19
1.5.18
1.5.17
1.5.16
1.5.15
1.5.14
1.5.13
1.5.12
test-1.5.5
test-1.5.4
test-1.5.3
1.5.11
1.5.10
test-1.5.2
test-1.5.1
test-1.5.0
test-1.4.5
1.4.4
1.4.3
test-1.4.4
1.5.05
1.5.04
1.5.03
1.5.02
test-1.4.3
SON0.0.1
1.5.01
1.4.2
test-1.4.2
1.4.2-alpha
test-1.4.1
1.4.1-alpha
test-1.4.0
1.3.1
Ignore
1.3.0
1.2.0
1.1.0
1.0.0
Labels
Clear labels   
confirmed

   
DevOps

   
documentation

   
enhancement

   
incident

Denotes a disruption to IT services and the associated issues require immediate attention

  
Medium

   
priority::Critical

(optional) Issues that are marked as critical priority. Should be taken care of ASAP.

  
priority::High

(optional) Issues that are marked as high priority.

  
priority::Low

(optional) Issues that are marked as low priority.

  
priority::Medium

(optional) Issues that are marked as medium priority.

  
QA-TestCases::Done

QA-Labels

  
QA-TestCases::InProgress

QA-Labels

  
RNG

   
security

(optional) Issues that relate to the security of the project.

  
severity:: Critical

   
severity:: High

   
severity:: Low

   
severity:: Medium

   
state:: Accepted

Issues that are newly created and have been accepted after review.

  
state:: Blocked

Issues that cannot be worked on due to other factors linked to it.

  
state:: Done

Issues that are closed with a working solution.

  
state:: in progress

Issues that are currently being worked on.

  
state:: in review

Issues that require a proposed solution to be reviewed.

  
state:: on hold

Issues that were at least accepted, that should not be worked on at the moment.

  
state:: Pending

Issues that are newly created and haven't been reviewed.

  
state:: Pushed to Prod

Tickets are verified in the stage infra and needs to be deployed in the production

  
state:: Revision Needed

Issues that need to be revised before being accepted.

  
state::out-of-scope

Task and issues which are out of scope due to change in requirements

  
suggestion

   
support

   
To Do

   
type :: Discussion

   
type :: Duplicate

(optional) Issues that are duplicates of existing issues in the same project.

  
type:: interaction-design

   
type:: New Feature

Issues that bring new functionality to the project.

  
type::bug

BUG

  
type::documentation

Issues that relate to the documentation of the project.

  
type::incident

severe issues that require immediate response

  
type::maintenance

Issues that require maintenance on the project.

  
type::question

Issues that are questions related to the project.

  
type::recurring-tasks

This label is used to track recurring tasks which may repeat daily, weekly or monthly.

  
vulnerability
No labels
confirmed
DevOps
documentation
enhancement
incident
Medium
priority::Critical
priority::High
priority::Low
priority::Medium
QA-TestCases::Done
QA-TestCases::InProgress
RNG
security
severity:: Critical
severity:: High
severity:: Low
severity:: Medium
state:: Accepted
state:: Blocked
state:: Done
state:: in progress
state:: in review
state:: on hold
state:: Pending
state:: Pushed to Prod
state:: Revision Needed
state::out-of-scope
suggestion
support
To Do
type :: Discussion
type :: Duplicate
type:: interaction-design
type:: New Feature
type::bug
type::documentation
type::incident
type::maintenance
type::question
type::recurring-tasks
vulnerability
Milestone
Clear milestone
No items
No milestone
Peerplays Improvements and Bugfixes 2023-02 (v1.5.22-alpha) ?
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: Peerplays_Blockchain/peerplays_migrated#421
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?