Skip to content

Make attestation expiry 7 days by default, shorten to 1 day only on verifier rotation #3734

Description

@barakeinav1

Background

Design doc #3376 (docs/design/attestation-verifier-contract.md, §Governance and upgrades) — and the implementation in #3626 — bound trust in attestations wrongly accepted by a buggy verifier by permanently lowering DEFAULT_EXPIRATION_DURATION_SECONDS from 7 days to 1 day (crates/mpc-attestation/src/attestation.rs:28). After a verifier rotation, a wrongly-accepted entry then ages out within ~1 day instead of 7.

The problem: a permanent 1-day expiry is a liveness risk. Attestation freshness depends on Intel's PCCS/PCS collateral being reachable at resubmit time. A global PCCS outage (Intel's servers down) lasting ≥ 1 day could expire every node's attestation roughly simultaneously and knock out the whole MPC cluster. The 7-day window exists precisely to give operators/nodes slack across transient connectivity issues, races, and upstream outages; 1 day is too tight to be the steady-state default.

The 1-day containment window is only needed right after a verifier rotation — the moment we stop trusting entries the old (possibly buggy) verifier produced. Outside that window, the extra availability margin of 7 days is worth keeping.

User Story

As an MPC node operator, I need attestations to stay valid long enough to survive a transient global PCCS/collateral outage, so that my node (and the cluster) is not evicted during an Intel-side incident — while still allowing the protocol to quickly age out attestations produced by a verifier we've just rotated away from.

Acceptance Criteria

Change the design and implementation so that:

  • DEFAULT_EXPIRATION_DURATION_SECONDS is restored to 7 days — the default expiry stamped on every newly submitted attestation, including under the new verifier contract.
  • On each verifier rotation (a vote_tee_verifier_change that crosses threshold and updates tee_verifier_account_id), the contract shortens the expiry of all currently stored attestations to 1 day from that point — i.e. cap each stored entry's expiry_timestamp_seconds at min(existing, now + 1 day) (never extend).
  • Attestations submitted after the rotation are stamped with the normal 7-day expiry again (nodes resubmit hourly, so honest nodes refresh well within the shortened window).
  • The design doc §Governance and upgrades is updated to describe this rotation-triggered shortening instead of the permanent 1-day constant, including the PCCS-outage rationale, and the "no sweep / no per-entry bookkeeping" claim is corrected (see note below).
  • Prerequisite: the Attestation freshness check breaks under node/contract version skew, causing a submit_participant_info retry storm #3686 root cause is fixed first — the node's submit-confirmation must not reconstruct attestation age as stored_expiry − DEFAULT_EXPIRATION_DURATION_SECONDS (crates/node/src/indexer/tx_sender.rs:269-290). This rotation-cap design makes that reconstruction invalid regardless of version skew (see note below).

Resources & Additional Notes

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions