Summary
`txsystem/fgp_txsystem.go:166-203` — `FollowerVerify` has two missing safety checks compared to `LeaderPropose`:
1. No monotonic height check
The follower does not verify that the proposed block height is strictly greater than `committedStateHeight`. A malicious leader could re-propose an already-certified block (at a height at or below the last committed height), and the follower would accept it as long as it meets the confirmation depth requirement. The only guard is line 172, which short-circuits when the proposed root equals the committed state hash; a different block at the same or a lower height (for example a post-reorg sibling) has a different root and passes through, so a replayed or stale proposal can move the committed state backwards.
2. No fork safety check
`LeaderPropose` (lines 139-153) calls `GetChainTips` and verifies there are no competing forks at the candidate height before proposing. `FollowerVerify` does not repeat this check, so it trusts the leader to have done it. A malicious leader could propose a block during an active fork, and followers would certify it even though the block is still contested.
Severity
Medium — could allow the committed state to move backwards (re-certifying a height at or below `committedStateHeight`) or certify a contested block on a losing fork.
Suggested Fix
- Add a height check that runs regardless of the line 172 root-equality short-circuit: `if block.Height <= s.committedStateHeight { return err }`
- Add a fork check matching `LeaderPropose`'s `GetChainTips` logic, so the follower independently rejects a proposal while competing tips exist at or above the proposed height
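The two checks above, shown together in a self-contained follower verifier. This is an added illustration, not code from `txsystem/fgp_txsystem.go`: the `Block`, `ChainTip` and `Chain` types, the `fakeChain` backend, the field names on `Follower`, the `HeadHeight` call used for the confirmation depth check, and the "more than one tip at or above the proposal height" definition of an active fork are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Block is a hypothetical minimal block shape (assumption, not the project's type).
type Block struct {
	Height    uint64
	Hash      []byte
	StateRoot []byte
}

// ChainTip is a hypothetical chain tip; one entry per live branch (assumption).
type ChainTip struct {
	Height uint64
	Hash   []byte
}

// Chain is the subset of a chain backend the follower consults (assumed interface).
type Chain interface {
	GetChainTips() ([]ChainTip, error)
	HeadHeight() uint64
}

// Follower holds the committed state the follower must never move behind.
type Follower struct {
	committedStateHeight uint64
	committedStateHash   []byte
	confirmationDepth    uint64
	chain                Chain
}

var (
	ErrAlreadyCommitted = errors.New("proposal at or below committed height")
	ErrNotConfirmed     = errors.New("proposal lacks confirmation depth")
	ErrActiveFork       = errors.New("competing chain tips at proposal height")
)

// FollowerVerify accepts a leader proposal only if it is strictly ahead of the
// committed state, deep enough to be confirmed, and not on a contested branch.
func (f *Follower) FollowerVerify(b *Block) error {
	// Fast path: identical root means the proposal is a no-op for this follower.
	if bytes.Equal(b.StateRoot, f.committedStateHash) {
		return nil
	}
	// Check 1 (monotonic height): a differing root at or below the committed
	// height is a replay or a post-reorg sibling; never move backwards.
	if b.Height <= f.committedStateHeight {
		return fmt.Errorf("%w: height %d <= committed %d",
			ErrAlreadyCommitted, b.Height, f.committedStateHeight)
	}
	// Confirmation depth: the chain head must be confirmationDepth blocks past b.
	head := f.chain.HeadHeight()
	if head < b.Height || head-b.Height < f.confirmationDepth {
		return fmt.Errorf("%w: head %d, height %d, need depth %d",
			ErrNotConfirmed, head, b.Height, f.confirmationDepth)
	}
	// Check 2 (fork safety): if more than one tip reaches the proposal height,
	// the block is still contested and the follower refuses to certify it.
	tips, err := f.chain.GetChainTips()
	if err != nil {
		return err
	}
	reaching := 0
	for _, t := range tips {
		if t.Height >= b.Height {
			reaching++
		}
	}
	if reaching > 1 {
		return fmt.Errorf("%w: %d tips at or above height %d", ErrActiveFork, reaching, b.Height)
	}
	return nil
}

// fakeChain is a constructed in-memory backend used only for this example.
type fakeChain struct {
	head uint64
	tips []ChainTip
}

func (c fakeChain) GetChainTips() ([]ChainTip, error) { return c.tips, nil }
func (c fakeChain) HeadHeight() uint64                { return c.head }

// NewExampleFollower builds a follower committed at height 100 with depth 6
// over a chain whose head is at 110 and whose tips are supplied by the caller.
func NewExampleFollower(tips []ChainTip) *Follower {
	return &Follower{
		committedStateHeight: 100,
		committedStateHash:   []byte("root-100"),
		confirmationDepth:    6,
		chain:                fakeChain{head: 110, tips: tips},
	}
}

func main() {
	single := []ChainTip{{Height: 110, Hash: []byte("tip-a")}}
	forked := []ChainTip{{Height: 110, Hash: []byte("tip-a")}, {Height: 108, Hash: []byte("tip-b")}}
	fmt.Println("replay at 100:", NewExampleFollower(single).FollowerVerify(&Block{Height: 100, StateRoot: []byte("other-100")}))
	fmt.Println("fresh at 104: ", NewExampleFollower(single).FollowerVerify(&Block{Height: 104, StateRoot: []byte("root-104")}))
	fmt.Println("forked at 104:", NewExampleFollower(forked).FollowerVerify(&Block{Height: 104, StateRoot: []byte("root-104")}))
	fmt.Println("shallow at 108:", NewExampleFollower(single).FollowerVerify(&Block{Height: 108, StateRoot: []byte("root-108")}))
}
```

The height check sits after the root-equality short-circuit on purpose: an identical root is harmless to accept, while any differing root at or below the committed height is rejected before the confirmation depth logic can let it through. The fork check counts tips at or above the proposal height rather than only tips exactly at it, so a competing branch that has already grown past the proposal still blocks certification.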