fix: blockhash mismatch #913
base: feat/sync-directly-from-da
…er fields file, verify its hash and download it. Also implement a Reader to read the file's format and provide the requested information to Manager
…tead of full requested bytes (65 in this case)
downloadCtx, downloadCtxCancel := context.WithTimeout(m.ctx, timeoutDownload) | ||
defer downloadCtxCancel() | ||
|
||
req, err := http.NewRequestWithContext(downloadCtx, http.MethodGet, m.downloadURL, nil) |
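Review bot: on the `http.NewRequestWithContext(downloadCtx, ...)` line, the request is tied to `downloadCtx`, whose cancel is deferred in this function, so the response body has to be read completely before the function returns; handing the body to a caller would give it a reader that is cancelled on return. Because `timeoutDownload` is the only limit visible here, consider also capping the number of bytes read (for example with `io.LimitReader`) before the hash is verified, so a server at `m.downloadURL` cannot stream unbounded data within the timeout window.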
Risk: Affected versions of golang.org/x/net, golang.org/x/net/http2, and net/http are vulnerable to Uncontrolled Resource Consumption. An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames.
Fix: Upgrade this library to at least version 0.23.0 at go-ethereum/go.mod:103.
Reference(s): GHSA-4v7x-pqxf-cx7m, CVE-2023-45288
Ignore this finding from ssc-46663897-ab0c-04dc-126b-07fe2ce42fb2.
…and use it to reconstruct correct block hashes
… before execution
38f46ed to 26dbf42
1. Purpose or design rationale of this PR
This PR fixes the problem of mismatching block hashes due to the missing header fields `difficulty` and `extraData` in DA. It should be reviewed in conjunction with #903, which provides a way to prepare this missing data and describes the format in more detail.

Specifically, this PR implements a missing header fields manager that:
Tested on mainnet:
https://scrollscan.com/block/64500:
0xd229dc5edaebccff15987f42bb5c23060b3f0372251e19e843f1bb69742bfab1
2. PR title
Your PR title must follow conventional commits (as we are doing squash merge for each PR), so it must start with one of the following types:
3. Deployment tag versioning
Has the version in `params/version.go` been updated?
4. Breaking change label
Does this PR have the `breaking-change` label?