CBST-03: validate more get header (#188)

* validate header

* url name

Author: ltitanb

Cargo.lock

@@ -32,6 +32,7 @@ alloy = { version = "0.5.4", features = [
     "serde",
     "ssz",
     "getrandom",
+    "providers",
 ] }
 ssz_types = "0.8"
 ethereum_serde_utils = "0.7.0"
@@ -47,6 +48,7 @@ tokio = { version = "1.37.0", features = ["full"] }
 futures = "0.3.30"
 async-trait = "0.1.80"
 dashmap = "5.5.3"
+parking_lot = "0.12.3"
 
 # serialization
 toml = "0.8.13"

Cargo.toml

@@ -52,6 +52,12 @@ relay_monitors = []
 # to force local building and miniminzing the risk of missed slots. See also the timing games section below
 # OPTIONAL, DEFAULT: 2000
 late_in_slot_time_ms = 2000
+# Whether to enable extra validation of get_header responses, if this is enabled you need to set `rpc_url`
+# OPTIONAL, DEFAULT: false
+extra_validation_enabled = false
+# Execution Layer RPC url to use for extra validation
+# OPTIONAL
+rpc_url = "http://abc.xyz"
 
 # The PBS module needs one or more [[relays]] as defined below.
 [[relays]]

config.example.toml

@@ -80,6 +80,11 @@ pub struct PbsConfig {
     /// How late in the slot we consider to be "late"
     #[serde(default = "default_u64::<LATE_IN_SLOT_TIME_MS>")]
     pub late_in_slot_time_ms: u64,
+    /// Enable extra validation of get_header responses
+    #[serde(default = "default_bool::<false>")]
+    pub extra_validation_enabled: bool,
+    /// Execution Layer RPC url to use for extra validation
+    pub rpc_url: Option<Url>,
 }
 
 impl PbsConfig {
@@ -104,6 +109,13 @@ impl PbsConfig {
             format!("min bid is too high: {} ETH", format_ether(self.min_bid_wei))
         );
 
+        if self.extra_validation_enabled {
+            ensure!(
+                self.rpc_url.is_some(),
+                "rpc_url is required if extra_validation_enabled is true"
+            );
+        }
+
         Ok(())
     }
 }

crates/common/src/config/pbs.rs

@@ -69,4 +69,13 @@ pub enum ValidationError {
 
     #[error("failed signature verification: {0:?}")]
     Sigverify(#[from] BlstErrorWrapper),
+
+    #[error("wrong timestamp: expected {expected} got {got}")]
+    TimestampMismatch { expected: u64, got: u64 },
+
+    #[error("wrong block number: parent: {parent} header: {header}")]
+    BlockNumberMismatch { parent: u64, header: u64 },
+
+    #[error("invalid gas limit: parent: {parent} header: {header}")]
+    GasLimit { parent: u64, header: u64 },
 }

crates/common/src/pbs/error.rs

@@ -25,9 +25,11 @@ use crate::{
 
 const MILLIS_PER_SECOND: u64 = 1_000;
 
+pub fn timestamp_of_slot_start_sec(slot: u64, chain: Chain) -> u64 {
+    chain.genesis_time_sec() + slot * chain.slot_time_sec()
+}
 pub fn timestamp_of_slot_start_millis(slot: u64, chain: Chain) -> u64 {
-    let slot_start_seconds = chain.genesis_time_sec() + slot * chain.slot_time_sec();
-    slot_start_seconds * MILLIS_PER_SECOND
+    timestamp_of_slot_start_sec(slot, chain) * MILLIS_PER_SECOND
 }
 pub fn ms_into_slot(slot: u64, chain: Chain) -> u64 {
     let slot_start_ms = timestamp_of_slot_start_millis(slot, chain);

crates/common/src/utils.rs

@@ -21,6 +21,7 @@ tokio.workspace = true
 futures.workspace = true
 async-trait.workspace = true
 dashmap.workspace = true
+parking_lot.workspace = true
 
 # serialization
 serde_json.workspace = true
@@ -37,4 +38,4 @@ thiserror.workspace = true
 eyre.workspace = true
 url.workspace = true
 uuid.workspace = true
-lazy_static.workspace = true
+lazy_static.workspace = true