feat(syncing): detect sequencer double-signs and halt

block/internal/cache/generic_cache.go

@@ -113,6 +113,13 @@ func (c *Cache) setSeenBatch(hashes []string, height uint64) {
 	}
 }
 
+func (c *Cache) getHashByHeight(height uint64) (string, bool) {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	h, ok := c.hashByHeight[height]
+	return h, ok
+}
+
 func (c *Cache) getDAIncluded(hash string) (uint64, bool) {
 	c.mu.RLock()
 	defer c.mu.RUnlock()

block/internal/cache/generic_cache_test.go

@@ -391,3 +391,26 @@ func TestCache_DeleteAllForHeight_CleansHashAndDA(t *testing.T) {
 	_, ok = c.getDAIncludedByHeight(2)
 	assert.True(t, ok)
 }
+
+func TestCache_getHashByHeight(t *testing.T) {
+	c := NewCache(nil, "")
+
+	h, ok := c.getHashByHeight(42)
+	assert.False(t, ok)
+	assert.Empty(t, h)
+
+	c.setSeen("abc", 42)
+	h, ok = c.getHashByHeight(42)
+	assert.True(t, ok)
+	assert.Equal(t, "abc", h)
+
+	// setDAIncluded also maintains hashByHeight.
+	c.setDAIncluded("def", 7, 100)
+	h, ok = c.getHashByHeight(100)
+	assert.True(t, ok)
+	assert.Equal(t, "def", h)
+
+	c.deleteAllForHeight(42)
+	_, ok = c.getHashByHeight(42)
+	assert.False(t, ok)
+}

block/internal/cache/manager.go

@@ -38,6 +38,7 @@ type CacheManager interface {
 	// Header operations
 	IsHeaderSeen(hash string) bool
 	SetHeaderSeen(hash string, blockHeight uint64)
+	GetHeaderHashByHeight(blockHeight uint64) (string, bool)
 	GetHeaderDAIncludedByHash(hash string) (uint64, bool)
 	GetHeaderDAIncludedByHeight(blockHeight uint64) (uint64, bool)
 	SetHeaderDAIncluded(hash string, daHeight uint64, blockHeight uint64)
@@ -157,6 +158,11 @@ func (m *implementation) SetHeaderSeen(hash string, blockHeight uint64) {
 	m.headerCache.setSeen(hash, blockHeight)
 }
 
+// GetHeaderHashByHeight returns the first-seen header hash at the given height.
+func (m *implementation) GetHeaderHashByHeight(blockHeight uint64) (string, bool) {
+	return m.headerCache.getHashByHeight(blockHeight)
+}
+
 func (m *implementation) GetHeaderDAIncludedByHash(hash string) (uint64, bool) {
 	return m.headerCache.getDAIncluded(hash)
 }

block/internal/common/metrics.go

@@ -68,6 +68,9 @@ type Metrics struct {
 	ForcedInclusionTxsInGracePeriod metrics.Gauge   // Number of forced inclusion txs currently in grace period
 	ForcedInclusionTxsMalicious     metrics.Counter // Total number of forced inclusion txs marked as malicious
 
+	// Double-sign detection
+	DoubleSignsDetected metrics.Counter // Distinct (height, alternate-hash) pairs observed
+
 	// Syncer metrics
 	BlocksSynchronized map[EventSource]metrics.Counter // Blocks synchronized by source (P2P or DA)
 }
@@ -189,6 +192,13 @@ func PrometheusMetrics(namespace string, labelsAndValues ...string) *Metrics {
 		Help:      "Total number of forced inclusion transactions marked as malicious (past grace boundary)",
 	}, labels).With(labelsAndValues...)
 
+	m.DoubleSignsDetected = prometheus.NewCounterFrom(stdprometheus.CounterOpts{
+		Namespace: namespace,
+		Subsystem: MetricsSubsystem,
+		Name:      "double_signs_detected_total",
+		Help:      "Total number of distinct (height, alternate-hash) double-sign events observed",
+	}, labels).With(labelsAndValues...)
+
 	// DA Submitter metrics
 	m.DASubmitterPendingBlobs = prometheus.NewGaugeFrom(stdprometheus.GaugeOpts{
 		Namespace: namespace,
@@ -269,6 +279,9 @@ func NopMetrics() *Metrics {
 		ForcedInclusionTxsInGracePeriod: discard.NewGauge(),
 		ForcedInclusionTxsMalicious:     discard.NewCounter(),
 
+		// Double-sign detection
+		DoubleSignsDetected: discard.NewCounter(),
+
 		// Syncer metrics
 		BlocksSynchronized: make(map[EventSource]metrics.Counter),
 	}

block/internal/syncing/da_retriever.go

@@ -35,6 +35,10 @@ type daRetriever struct {
 	genesis genesis.Genesis
 	logger  zerolog.Logger
 
+	// reportInBatchDoubleSign halts/warns on two distinct sequencer-signed
+	// headers seen at the same height before either is applied. Set by the syncer.
+	reportInBatchDoubleSign inBatchDoubleSignReporter
+
 	mu sync.Mutex
 	// transient cache, only full event need to be passed to the syncer
 	// on restart, will be refetch as da height is updated by syncer
@@ -46,21 +50,23 @@ type daRetriever struct {
 	strictMode bool
 }
 
-// NewDARetriever creates a new DA retriever
+// NewDARetriever creates a new DA retriever.
 func NewDARetriever(
 	client da.Client,
 	cache cache.CacheManager,
 	genesis genesis.Genesis,
 	logger zerolog.Logger,
+	reportInBatchDoubleSign inBatchDoubleSignReporter,
 ) *daRetriever {
 	return &daRetriever{
-		client:         client,
-		cache:          cache,
-		genesis:        genesis,
-		logger:         logger.With().Str("component", "da_retriever").Logger(),
-		pendingHeaders: make(map[uint64]*types.SignedHeader),
-		pendingData:    make(map[uint64]*types.Data),
-		strictMode:     false,
+		client:                  client,
+		cache:                   cache,
+		genesis:                 genesis,
+		logger:                  logger.With().Str("component", "da_retriever").Logger(),
+		reportInBatchDoubleSign: reportInBatchDoubleSign,
+		pendingHeaders:          make(map[uint64]*types.SignedHeader),
+		pendingData:             make(map[uint64]*types.Data),
+		strictMode:              false,
 	}
 }
 
@@ -172,9 +178,19 @@ func (r *daRetriever) processBlobs(ctx context.Context, blobs [][]byte, daHeight
 		}
 
 		if header := r.tryDecodeHeader(bz, daHeight); header != nil {
-			if _, ok := r.pendingHeaders[header.Height()]; ok {
-				// a (malicious) node may have re-published valid header to another da height (should never happen)
-				// we can already discard it, only the first one is valid
+			// First-write-wins per height. A second, distinct header for a height
+			// already in flight is in-flight equivocation when both are provably
+			// sequencer-authored from their DA envelope signatures (verified in
+			// tryDecodeHeader; execution-independent, so no need to wait for block
+			// n-1). Cross-batch and already-applied alternates are handled
+			// centrally in Syncer.checkDoubleSign.
+			if existing, ok := r.pendingHeaders[header.Height()]; ok {
+				if r.reportInBatchDoubleSign != nil &&
+					!bytes.Equal(existing.Hash(), header.Hash()) &&
+					r.envelopeAuthoredBySequencer(existing) &&
+					r.envelopeAuthoredBySequencer(header) {
+					r.reportInBatchDoubleSign(header.Height(), existing, header)
+				}
 				r.logger.Debug().Uint64("height", header.Height()).Uint64("da_height", daHeight).Msg("header blob already exists for height, discarding")
 				continue
 			}
@@ -324,6 +340,11 @@ func (r *daRetriever) tryDecodeHeader(bz []byte, daHeight uint64) *types.SignedH
 	return header
 }
 
+// envelopeAuthoredBySequencer reports whether h is proven to be authored by the genesis sequencer
+func (r *daRetriever) envelopeAuthoredBySequencer(h *types.SignedHeader) bool {
+	return r.strictMode && bytes.Equal(h.Signer.Address, h.ProposerAddress)
+}
+
 // tryDecodeData attempts to decode a blob as signed data
 func (r *daRetriever) tryDecodeData(bz []byte, daHeight uint64) *types.Data {
 	var signedData types.SignedData

block/internal/syncing/da_retriever_test.go

@@ -52,7 +52,7 @@ func newTestDARetriever(t *testing.T, mockClient *mocks.MockClient, cfg config.C
 	mockClient.On("GetForcedInclusionNamespace").Return([]byte(nil)).Maybe()
 	mockClient.On("HasForcedInclusionNamespace").Return(false).Maybe()
 
-	return NewDARetriever(mockClient, cm, gen, zerolog.Nop())
+	return NewDARetriever(mockClient, cm, gen, zerolog.Nop(), nil)
 }
 
 // makeSignedDataBytes builds SignedData containing the provided Data and returns its binary encoding

block/internal/syncing/doublesign.go

@@ -0,0 +1,34 @@
+package syncing
+
+import (
+	"fmt"
+	"sync"
+
+	"github.com/evstack/ev-node/types"
+)
+
+// inBatchDoubleSignReporter reports two distinct, sequencer-signed headers observed at the same height
+type inBatchDoubleSignReporter func(height uint64, canonical, alt *types.SignedHeader)
+
+// doubleSignDedup collapses repeated (height, altHash) sightings so the same equivocation
+// arriving from multiple batches or sources is only warned and counted once.
+type doubleSignDedup struct {
+	mu   sync.Mutex
+	seen map[string]struct{}
+}
+
+func newDoubleSignDedup() *doubleSignDedup {
+	return &doubleSignDedup{seen: make(map[string]struct{})}
+}
+
+// markSeen records (height, altHash) and returns true on first sight.
+func (d *doubleSignDedup) markSeen(height uint64, altHash string) bool {
+	key := fmt.Sprintf("%d/%s", height, altHash)
+	d.mu.Lock()
+	defer d.mu.Unlock()
+	if _, ok := d.seen[key]; ok {
+		return false
+	}
+	d.seen[key] = struct{}{}
+	return true
+}