You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Every header walked back to genesis ... has its BLS signature, election proof, ticket, parent linkage, and weight re-verified against the local copy of the previous header. The header validator (chain/header/header.go) refuses any header that fails any of these checks.
The code does not deliver all of that on the live path:
chain/header/header.go::ValidateHeader checks structure, signature presence, parent linkage, height — but does not cryptographically verify the election proof (line ~153 only checks ElectionProof == nil, i.e. presence, not VRF validity). There is no VRF / winning-PoSt verification anywhere (correctly — that path needs filecoin-ffi/Rust, which Lantern deliberately does not pull).
The live gossip head path (net/blockingest) calls only the lighter checks (CBOR shape, sig presence, CID re-derive, parent linkage, height fence). The strict ValidateHeader is referenced as a compile-time check but is not the gate on the running head.
So the doc overstates what is verified. This matters because external reviewers (e.g. FilOz) read the trust model against the source.
Fix
Rewrite TRUST-MODEL.md §2.1 to state precisely what is verified vs not:
What IS verified: BLS signature, parent linkage, CID re-derivation, height/shape, F3 cert BLS-aggregate (§2.2), DRAND (§2.3), state-block CIDs (§2.4).
What is NOT verified (by design, no-ffi law): election-proof VRF validity and winning-PoSt — Lantern is an F3-anchored light client, not a full re-executing validator.
Problem
TRUST-MODEL.md§2.1 (Header chain) claims:The code does not deliver all of that on the live path:
chain/header/header.go::ValidateHeaderchecks structure, signature presence, parent linkage, height — but does not cryptographically verify the election proof (line ~153 only checksElectionProof == nil, i.e. presence, not VRF validity). There is no VRF / winning-PoSt verification anywhere (correctly — that path needs filecoin-ffi/Rust, which Lantern deliberately does not pull).net/blockingest) calls only the lighter checks (CBOR shape, sig presence, CID re-derive, parent linkage, height fence). The strictValidateHeaderis referenced as a compile-time check but is not the gate on the running head.So the doc overstates what is verified. This matters because external reviewers (e.g. FilOz) read the trust model against the source.
Fix
Rewrite
TRUST-MODEL.md§2.1 to state precisely what is verified vs not:Acceptance
Context: caught while answering zenground0 (fil-curio-dev, 2026-06-30) on head-agreement / fork selection.