I have a very very basic question about how the IC guarantees replicated execution.
I understand that consensus is used to agree on the order of inputs that each replica will execute. That prevents a malicious or faulty replica from manufacturing a fake ingress message, for example.
So all of the replicas execute the agreed upon ordered inputs on their current states. But what if one replica decides to execute differently than the others? For example, what if it runs a version of wasmtime that is buggy or has injected malicious code? It doesn’t seem like consensus is run on the new replicas’ states. Won’t a faulty replica’s state continues to deviate unchecked from its peers, even though it is technically processing the same inputs?
Apologies if this is answered in the IC for Geeks whitepaper, but I couldn’t find it.
You are right that faulty/byzantine replicas might not follow the output of consensus and from what I know there is no way of preventing it (?).
However, the important guarantee of the consensus algorithm is that all honest replicas agree on the current state. Byzantine nodes might do whatever they want, and even try to make the honest ones disagree, but as long as there are not enough bad nodes, all honest replicas will execute the same inputs in the same order.
Hope it helps
There are threshold signatures formed on the state as well. If there is disagreement on the state that will be noticed and the symptom will be that the subnet will stop making progress, I.e. it will stop even finalizing new input blocks. Since the approach is pipelining consensus and execution it will happen with a little bit of delay but the whole subnet will eventually stop (even input block making).
If only a small portion of nodes disagree, it must be less than a 1/3, then the subnet can still make progress and the deviating nodes will get ignored. But the subnet might be slowed down by this.
Thank you! I just found the section on certified state in the whitepaper.