feat(sequencer, bridge-withdrawer)!: enforce withdrawals consumed #1391
Conversation
github-actions
bot
added
proto
joroshiba
force-pushed
the
joroshiba/start-event-consumption
branch
from
7a1c32c
to
64bcc9a
Compare
| @@ -106,6 +112,37 @@ async fn establish_withdrawal_target<S: StateRead>( | |||
| impl ActionHandler for action::Ics20Withdrawal { | |||
| async fn check_stateless(&self) -> Result<()> { | |||
| ensure!(self.timeout_time() != 0, "timeout time must be non-zero",); | |||
| ensure!(self.amount() > 0, "amount must be greater than zero",); | |||
| if self.bridge_address.is_some() { | |||
| let parsed_bridge_memo: Ics20WithdrawalFromRollupMemo = | |||
There was a problem hiding this comment.
We're JSON-encoding a PB version of this type, whereas here we're decoding straight into our domain type. The serde try_from = "raw::Ics20WithdrawalFromRollup" on the domain type handles that ok, but I still keep feeling uneasy when I see this.
There was a problem hiding this comment.
I could either remove the domain type or modify the serialization on the other end, it uses the pb::name property when serializing for errors which is why it uses the raw type
There was a problem hiding this comment.
It's certainly not a blocker, and maybe I'm being overly pedantic. But I guess I'd prefer if the domain type didn't derive serde traits, forcing us to always use the pb type for encoding to/decoding from JSON, and we use the domain type in the business logic.
No probs if you prefer to leave as is - I think we're doing similar things elsewhere. We can always try and get more strict on the separation of pb and domain types in the future.
There was a problem hiding this comment.
I went ahead and went back to how the memos were defined in domain type as reexporting, less code changes here a bit cleaner I think.
There was a problem hiding this comment.
IMO this check_stateless (and the other deseriailzation in check_and_execute) shows that using validated domain types that establish invariants is preferable over doing the validation here.
There was a problem hiding this comment.
I have created an issue here for follow up
Co-authored-by: Fraser Hutchison <[email protected]>
proto/protocolapis/astria/protocol/transactions/v1alpha1/types.proto
Outdated
Show resolved
Hide resolved
| transaction::StateReadExt as _, | ||
| }; | ||
|
|
||
| #[async_trait::async_trait] | ||
| impl ActionHandler for BridgeUnlockAction { | ||
| async fn check_stateless(&self) -> Result<()> { | ||
| ensure!(self.amount > 0, "amount must be greater than zero",); |
There was a problem hiding this comment.
What would be so bad if it was 0?
There was a problem hiding this comment.
It's just kinda pointless? I would prefer not wasting compute time on pointless actions :)
| @@ -106,6 +112,37 @@ async fn establish_withdrawal_target<S: StateRead>( | |||
| impl ActionHandler for action::Ics20Withdrawal { | |||
| async fn check_stateless(&self) -> Result<()> { | |||
| ensure!(self.timeout_time() != 0, "timeout time must be non-zero",); | |||
| ensure!(self.amount() > 0, "amount must be greater than zero",); | |||
| if self.bridge_address.is_some() { | |||
| let parsed_bridge_memo: Ics20WithdrawalFromRollupMemo = | |||
There was a problem hiding this comment.
IMO this check_stateless (and the other deseriailzation in check_and_execute) shows that using validated domain types that establish invariants is preferable over doing the validation here.
Co-authored-by: Richard Janis Goldschmidt <[email protected]>
Co-authored-by: Richard Janis Goldschmidt <[email protected]>
* main: chore: ibc e2e smoke test (#1284) chore(metrics): restrict `metrics` crate usage to `astria-telemetry` (#1192) fix(charts)!: sequencer-relayer chart correct startup env var (#1437) chore(bridge-withdrawer): Add instrumentation (#1324) chore(conductor): Add instrumentation (#1330) fix(cli, bridge-withdrawer): dont fail entire block due to bad withdraw event (#1409) feat(sequencer, bridge-withdrawer)!: enforce withdrawals consumed (#1391)
) ## Summary Adds state for bridge events and consumes the events as they occur. Updates proto for bridge unlock to no longer use memo for rollup information and instead include on main action. Renames `rollup_transaction_hash` to `rollup_withdrawal_event_id`. ## Background There was only implicit stop against reusing a withdrawal event, this adds consumption of withdrawal events. While this is not strictly security enhancing, consuming the event adds in protocol protection against accidental double spend by the bridge operator. ## Changes - Proto updates for `BridgeUnlockAction` + `ICS20WithdrawalMemo` - Add stateless checks on bridging unlock and withdrawals of correct information filled out - Added state to enforce rollup event cannot be consumed twice. - Enforce that `Ics20WithdrawalAction` must have `bridge_address` set if making a bridge withdrawal ## Testing smoke test + minor test updates ## Breaking Changelist - New stateful information about rollup withdrawal events - Adds new fields to `BridgeUnlockAction` ## Related Issues closes #1430 --------- Co-authored-by: Fraser Hutchison <[email protected]> Co-authored-by: Richard Janis Goldschmidt <[email protected]>
) ## Summary Adds state for bridge events and consumes the events as they occur. Updates proto for bridge unlock to no longer use memo for rollup information and instead include on main action. Renames `rollup_transaction_hash` to `rollup_withdrawal_event_id`. ## Background There was only implicit stop against reusing a withdrawal event, this adds consumption of withdrawal events. While this is not strictly security enhancing, consuming the event adds in protocol protection against accidental double spend by the bridge operator. ## Changes - Proto updates for `BridgeUnlockAction` + `ICS20WithdrawalMemo` - Add stateless checks on bridging unlock and withdrawals of correct information filled out - Added state to enforce rollup event cannot be consumed twice. - Enforce that `Ics20WithdrawalAction` must have `bridge_address` set if making a bridge withdrawal ## Testing smoke test + minor test updates ## Breaking Changelist - New stateful information about rollup withdrawal events - Adds new fields to `BridgeUnlockAction` ## Related Issues closes #1430 --------- Co-authored-by: Fraser Hutchison <[email protected]> Co-authored-by: Richard Janis Goldschmidt <[email protected]>
Summary
Adds state for bridge events and consumes the events as they occur. Updates proto for bridge unlock to no longer use memo for rollup information and instead include on main action. Renames
rollup_transaction_hashtorollup_withdrawal_event_id.Background
There was only implicit stop against reusing a withdrawal event, this adds consumption of withdrawal events. While this is not strictly security enhancing, consuming the event adds in protocol protection against accidental double spend by the bridge operator.
Changes
BridgeUnlockAction+ICS20WithdrawalMemoIcs20WithdrawalActionmust havebridge_addressset if making a bridge withdrawalTesting
smoke test + minor test updates
Breaking Changelist
BridgeUnlockActionRelated Issues
closes #1430