Optional randao verification when producing blocks

[michaelsproul]

Recently I've been speculatively creating blocks using the /eth/v2/validator/blocks/{slot} endpoint, polling the endpoint live at every slot.

Some beacon node implementations verify the randao_reveal signature when this endpoint is used, which causes speculative block proposal to fail (because the private key for the true proposer_index is not known).

A few months ago I added an optional verify_randao parameter to disable the verification in Lighthouse: sigp/lighthouse#3116. Recently I've discovered that Nimbus have started to verify the randao_reveal by default too, so I'd like to implore them to adopt the same parameter.

As far as I know the other clients (Teku/Prysm/Lodestar) don't verify the randao_reveal currently, so I think it would be acceptable for them to delay implementing the verify_randao parameter until they decide to. Alternatively they could maintain the same semantics and accept verify_randao=false/null, and error if verify_randao=true. I would like to impose the minimum burden on implementers, given that this is a relatively niche use case.

More background:

• Blockdreamer: https://github.com/michaelsproul/blockdreamer
• My use for blockdreamer: https://twitter.com/sproulM_/status/1543422741218439170

[michaelsproul]

CI seems to be failing on an unrelated error in the blinded_blocks API, weirdly it doesn't occur locally for me with spectral 6.3.0

[mpetrunic]

CI seems to be failing on an unrelated error in the blinded_blocks API, weirdly it doesn't occur locally for me with spectral 6.3.0

yeah, seems like spectral has some serious bugs. I proposed to replace it #223 but need @djrtwo or someone to merge it

[djrtwo]

looks reasonable but would prefer more client teams to take a look

[ajsutton]

Since Teku isn't validating the randao reveal when creating blocks now so it would be nice if we could just ignore this param and not need to make any changes. As such I'd have a mild preference for rando_reveal remaining required and callers can just fill it with junk.

It would also mean that verify_randao can only be used to disable validation but setting verify_randao=true still wouldn't perform verification in Teku. I'm not sure I see a real need to force the beacon node to verify randao when there are already APIs to get the validator public key and do the verification yourself.

[michaelsproul]

Thanks for the feedback @ajsutton, @djrtwo 🙏

How does this sound moving forward?

• randao_reveal is required but when verify_randao=false must be set to the point at infinity (0xc0..00). This was @arnetheduck's idea here: api: add skip_randao_verification for produceBlockV2 status-im/nimbus-eth2#3837 (comment).
• Implementations which do not verify the randao reveal are free to ignore the verify_randao flag (e.g. Prysm, Teku, Lodestar)

[ajsutton]

Yep that works for me.

[michaelsproul]

Alternatively we could use a value-less ?no_verify_randao flag instead, to make the verify_randao=true case unrepresentable. I think I prefer this actually.

[djrtwo]

Can you rebase with master? redocli is merged

[michaelsproul]

Done!

[djrtwo]

approving. will merge in 2 days unless any additional comments

[michaelsproul]

looks like we're good to merge @djrtwo! thanks!