Disallow Syncing From Genesis By Default

paulhauner · Jan 3, 2024 · b7ff1c1 · b7ff1c1
1 parent 01994c4
commit b7ff1c1
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/beacon_node/src/cli.rs b/beacon_node/src/cli.rs
@@ -955,6 +955,14 @@ pub fn cli_app<'a, 'b>() -> App<'a, 'b> {
                 .takes_value(true)
                 .default_value("180")
         )
+        .arg(
+            Arg::with_name("allow-insecure-genesis-sync")
+                .long("allow-insecure-genesis-sync")
+                .help("Enable syncing from genesis. This is insecure after Capella due to long-range attacks. This should only be used for testing. DO NOT use on mainnet!")
+                .conflicts_with("checkpoint-sync-url")
+                .conflicts_with("checkpoint-state")
+                .takes_value(false)
+        )
         .arg(
             Arg::with_name("reconstruct-historic-states")
                 .long("reconstruct-historic-states")

diff --git a/beacon_node/src/config.rs b/beacon_node/src/config.rs
@@ -518,8 +518,15 @@ pub fn get_config<E: EthSpec>(
                 .map_err(|e| format!("Invalid checkpoint sync URL: {:?}", e))?;
 
             ClientGenesis::CheckpointSyncUrl { url }
-        } else {
+        } else if cli_args.is_present("allow-insecure-genesis-sync") {
             ClientGenesis::GenesisState
+        } else {
+            return Err(
+                    "Syncing from genesis is not secure post-Capella! \
+                    You should instead perform a checkpoint sync from a trusted node using the --checkpoint-sync-url option. \
+                    For a list of public endpoints, see:\nhttps://eth-clients.github.io/checkpoint-sync-endpoints/"
+                        .to_string(),
+                );
         }
     } else {
         if cli_args.is_present("checkpoint-state") || cli_args.is_present("checkpoint-sync-url") {