Incorrect Default Configuration Leading to Dead Code
Description
Discussions with the Shardeum team revealed that certain key features of the Archiver are currently unused. This suggests that the default configuration is incorrect, preventing critical functionality from being executed.
Example
When receiving receipt data from validators, storeReceiptData is triggered. Depending on the Archiver's configuration, several execution flows are possible. The most important one involves calling Utils.robustQuery to verify that the receipt matches on at least five nodes within the execution group.
However, in the current default configuration, this flow is inaccessible due to the following reasons:
config.newPOQReceipt === false
During verifyReceiptData, execution enters the if (config.newPOQReceipt === false) block, preventing it from reaching verifyReceiptMajority.
Even if config.newPOQReceipt === true, execution does reach verifyReceiptMajority, but another issue arises:
Since config.useRobustQueryForReceipt is undefined, !undefined evaluates to true, leading to verifyReceiptOffline being executed instead of verifyReceiptWithValidators.
As a result, robustQuery is never called, making it effectively dead code.
Impact
By skipping a crucial step in receipt verification, attackers gain more flexibility to bypass validation checks and exploit vulnerabilities. For instance, similar issues were demonstrated in report #39872.
Proposed Fix
Update the default configuration to align with the intended behavior of the Archiver, ensuring robustQuery is executed as expected.
Proof of Concept
Proof of Concept
Apply the following git diff on the Archiver, we'll check the logs to see that this code isn't reached:
Add the following wallet to the genesis.json file:
Run the following code to execute a transaction which will yield a receipt
Inspect the Archiver logs and search for "BLOCKIAN". No logs will be found indicating the code is unreachable in the current state.
