Merge remote-tracking branch 'origin/main' into faddat/remove-depguar…

…d-bump-golangci

.github/pr_labeler.yml

@@ -0,0 +1,29 @@
+"C:x/consumer":
+  - x/ccv/consumer/**/*
+"C:x/democracy":
+  - x/ccv/democracy/**/*
+"C:x/provider":
+  - x/ccv/provider/**/*
+"C:x/types":
+  - x/ccv/types/**/*
+"C:Docs":
+  - docs/docs/**/*
+"C:ADR":
+  - docs/docs/adrs/**/*
+"C:CI":
+  - .github/**/*.yml
+  - buf.work.yaml
+  - .mergify.yml
+  - .golangci.yml
+  - mlc_config.json
+  - sonar-project.properties
+"C:Build":
+  - Makefile
+  - Dockerfile
+  - scripts/*
+"C:Testing":
+  - app/**/*
+  - cmd/**/*
+  - legacy_ibc_testing/**/*
+  - tests/**/*
+  - testutil/**/*

.github/workflows/pr_labeler.yml

@@ -0,0 +1,18 @@
+name: "Pull Request Labeler"
+on:
+  - pull_request_target
+
+permissions:
+  contents: read
+
+jobs:
+  labeler:
+    permissions:
+      contents: read  # for actions/labeler to determine modified files
+      pull-requests: write  # for actions/labeler to add labels to PRs
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/labeler@main
+        with:
+          configuration-path: .github/pr_labeler.yml
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/proto-registry.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: bufbuild/buf-setup-action@v1.25.1
+      - uses: bufbuild/buf-setup-action@v1.26.0
       - uses: bufbuild/buf-push-action@v1
         with:
           input: "proto"

.github/workflows/proto.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: bufbuild/buf-setup-action@v1.25.1
+      - uses: bufbuild/buf-setup-action@v1.26.0
       - uses: bufbuild/buf-breaking-action@v1
         with:
           input: "proto"

.golangci.yml

@@ -3,9 +3,6 @@ run:
   timeout: 10m
   sort-results: true
   allow-parallel-runners: true
-  skip-dirs:
-    - 'legacy_ibc_testing'
-    - 'testutil'
 
 linters:
   disable-all: true

CHANGELOG.md

@@ -3,8 +3,9 @@
 ## [Unreleased]
 
 Add an entry to the unreleased section whenever merging a PR to main that is not targeted at a specific release. These entries will eventually be included in a release.
-* `[x/ccv/provider]` (fix) [#1076](https://github.com/cosmos/interchain-security/pull/1076) Add `InitTimeoutTimestamps` and `ExportedVscSendTimestamps` to exported genesis.
 
+* (deps!) [#1196](https://github.com/cosmos/interchain-security/pull/1196) Bump [ibc-go](https://github.com/cosmos/ibc-go) to [v7.2.0](https://github.com/cosmos/ibc-go/releases/tag/v7.2.0).
+* `[x/ccv/provider]` (fix) [#1076](https://github.com/cosmos/interchain-security/pull/1076) Add `InitTimeoutTimestamps` and `ExportedVscSendTimestamps` to exported genesis.
 * (feat!) [#1024](https://github.com/cosmos/interchain-security/pull/1024) throttle with retries, consumer changes  
 * (fix!) revert consumer packet data changes from #1037 [#1150](https://github.com/cosmos/interchain-security/pull/1150)
 * (fix!) proper deletion of pending packets [#1146](https://github.com/cosmos/interchain-security/pull/1146)

CONTRIBUTING.md

@@ -245,17 +245,11 @@ ICS adheres to the [trunk based development branching model](https://trunkbasedd
 
 ### Semantic Versioning
 
-ICS uses a variation of [semantic versioning](https://semver.org/).
+ICS follows [semantic versioning](https://semver.org), but with the following deviations (similar to [IBC-Go](https://github.com/cosmos/ibc-go/blob/main/RELEASES.md)):
 
-Note that state breaking changes are a subset of consensus breaking changes. Therefore we'll only refer to the latter when talking about versioning.
-
-ICS is a distributed, IBC based protocol in which multiple blockchains could be affected by a version bump. Therefore incrementing a MAJOR version number indicates that the PR updates, or is a breaking change to the way that the provider and consumer(s) communicate with one another over IBC. If a PR is consensus breaking to both the provider and consumer(s), then it requires a MAJOR version bump.
-
-Incrementing a MINOR version number indicates that a PR is only consensus breaking to the provider, or only to the consumers, where IBC communication remains unchanged.
-
-Incrementing a PATCH version number indicates that a PR is not consensus breaking to the provider or consumers. This could include node API changes, or other miscellaneous and often rare changes.
-
-Pure documentation, testing, and refactoring PRs do not require a version bump.
+- A library API breaking change will result in an increase of the MAJOR version number (X.y.z | x > 0). 
+- A state breaking change (change requiring coordinated upgrade and/or state migration for the consumer, the provider, or both) will result in an increase of the MINOR version number (x.Y.z | x > 0).
+- Any other changes (including node API breaking changes) will result in an increase of the PATCH version number (x.y.Z | x > 0).
 
 ### Backwards Compatibility
 

docs/docs/adrs/adr-005-cryptographic-equivocation-verification.md

@@ -0,0 +1,105 @@
+---
+sidebar_position: 4
+title: Cryptographic verification of equivocation evidence
+---
+# ADR 005: Cryptographic verification of equivocation evidence
+
+## Changelog
+* 5/1/2023: First draft
+* 7/23/23: Add light client attacks handling
+
+## Status
+
+Accepted
+
+## Context
+
+Currently, we use a governance proposal to slash validators for equivocation (double signing and light client attacks). 
+Every proposal needs to go through a (two weeks) voting period before it can be approved. 
+Given a three-week unbonding period, this means that an equivocation proposal needs to be submitted within one week since the infraction occurred.
+
+This ADR proposes a system to slash validators automatically for equivocation, immediately upon the provider chain's receipt of the evidence. Another thing to note is that we intend to introduce this system in stages, since even the partial ability to slash and/or tombstone is a strict improvement in security.
+For the first stage of this work, we will only handle light client attacks.
+
+### Light Client Attack
+
+In a nutshell, the light client is a process that solely verifies a specific state machine's
+consensus without executing the transactions. The light clients get new headers by querying
+multiple nodes, called primary and witness nodes. 
+
+Light clients download new headers committed on chain from a primary. Headers can be verified in two ways: sequentially,
+where the block height of headers is serial, or using skipping. This second verification method allows light clients to download headers
+with nonconsecutive block height, where some intermediate headers are skipped (see [Tendermint Light Client, Figure 1 and Figure 3](https://arxiv.org/pdf/2010.07031.pdf)).
+Additionally, light clients are cross-checking new headers obtained from a primary with witnesses to ensure all nodes share the same state.
+
+A light client attack occurs when a Byzantine validator sends invalid headers to a light client.
+As the light client doesn't execute transactions, it can be deceived into trusting corrupted application state transitions.
+For instance, if a light client receives header `A` from the primary and header `B` from a witness for the same block height `H`,
+and both headers are successfully verified, it indicates a light client attack.
+Note that in this case, either the primary or the witness or both are malicious.
+
+The types of light client attacks are defined by analyzing the differences between the conflicting headers.
+There are three types of light client attacks: lunatic attack, equivocation attack, and amnesia attack. 
+For details, see the [CometBFT specification](https://github.com/cometbft/cometbft/blob/main/spec/light-client/attacks/notes-on-evidence-handling.md#evidence-handling).
+
+When a light client agent detects two conflicting headers, it will initially verify their traces (see [cometBFT detector](https://github.com/cometbft/cometbft/blob/2af25aea6cfe6ac4ddac40ceddfb8c8eee17d0e6/light/detector.go#L28)) using its primary and witness nodes.
+If these headers pass successful verification, the Byzantine validators will be identified based on the header's commit signatures
+and the type of light client attack. The agent will then transmit this information to its nodes using a [`LightClientAttackEvidence`](https://github.com/cometbft/cometbft/blob/feed0ddf564e113a840c4678505601256b93a8bc/docs/architecture/adr-047-handling-evidence-from-light-client.md) to be eventually voted on and added to a block.
+Note that from a light client agent perspective, it is not possible to establish whether a primary or a witness node, or both, are malicious.
+Therefore, it will create and send two `LightClientAttackEvidence`: one against the primary (sent to the witness), and one against the witness (sent to the primary).
+Both nodes will then verify it before broadcasting it and adding it to the [evidence pool](https://github.com/cometbft/cometbft/blob/2af25aea6cfe6ac4ddac40ceddfb8c8eee17d0e6/evidence/pool.go#L28).
+If a `LightClientAttackEvidence` is finally committed to a block, the chain's evidence module will execute it, resulting in the jailing and the slashing of the validators responsible for the light client attack.
+
+
+Light clients are a core component of IBC. In the event of a light client attack, IBC relayers notify the affected chains by submitting an [IBC misbehavior message](https://github.com/cosmos/ibc-go/blob/2b7c969066fbcb18f90c7f5bd256439ca12535c7/proto/ibc/lightclients/tendermint/v1/tendermint.proto#L79).
+A misbehavior message includes the conflicting headers that constitute a `LightClientAttackEvidence`. Upon receiving such a message,
+a chain will first verify whether these headers would have convinced its light client. This verification is achieved by checking
+the header states against the light client consensus states (see [IBC misbehaviour handler](https://github.com/cosmos/ibc-go/blob/2b7c969066fbcb18f90c7f5bd256439ca12535c7/modules/light-clients/07-tendermint/types/misbehaviour_handle.go#L101)). If the misbehaviour is successfully verified, the chain will then "freeze" the
+light client, halting any further trust in or updating of its states.
+
+
+## Decision
+
+In the first iteration of the feature, we will introduce a new endpoint: `HandleConsumerMisbehaviour(ctx sdk.Context, misbehaviour ibctmtypes.Misbehaviour)`.
+The main idea is to leverage the current IBC misbehaviour handling and update it to solely jail and slash the validators that
+performed a light client attack. This update will be made under the assumption that the chain connected via this light client
+share the same validator set, as it is the case with Replicated Security. 
+
+This endpoint will reuse the IBC client libraries to verify that the misbehaviour headers would have fooled the light client.
+Additionally, it’s crucial that the endpoint logic result in the slashing and jailing of validators under the same conditions
+as a light client agent detector. Therefore, the endpoint will ensure that the two conditions are met:
+the headers in the misbehaviour message have the same block height, and
+the light client isn’t expired.
+
+After having successfully verified a misbehaviour, the endpoint will execute the jailing and slashing of the malicious validators similarly as in the evidence module. 
+
+### Current limitations:
+
+- This only handles light client attacks, not double signing. In the future, we will add the code to also verify double signing.
+
+- We cannot derive an infraction height from the evidence, so it is only possible to tombstone validators, not actually slash them.
+To explain the technical reasons behind this limitation, let's recap the initial consumer initiated slashing logic.
+In a nutshell, consumer heights are mapped to provider heights through VSCPackets, namely through the so called vscIDs.
+When an infraction occurs on the consumer, a SlashPacket containing the vscID obtained from mapping the consumer infraction height
+is sent to the provider. Upon receiving the packet, the provider maps the consumer infraction height to a local infraction height,
+which is used to slash the misbehaving validator. In the context of untrusted consumer chains, all their states, including vscIDs,
+could be corrupted and therefore cannot be used for slashing purposes.
+
+- Currently, the endpoint can only handle "equivocation" light client attacks. This is because the "lunatic" attacks require the endpoint to possess the ability to dissociate which header is conflicted or trusted upon receiving a misbehavior message. Without this information, it's not possible to define the Byzantine validators from the conflicting headers (see [comment](https://github.com/cosmos/interchain-security/pull/826#discussion_r1268668684)).
+
+
+## Consequences
+
+### Positive
+
+- After this ADR is applied, it will be possible for the provider chain to tombstone validators who committed a light client attack.
+
+### Negative
+
+- N/A
+
+
+## References
+
+* [ICS misbehaviour handling PR](https://github.com/cosmos/interchain-security/pull/826)
+* [Architectural diagrams](https://docs.google.com/document/d/1fe1uSJl1ZIYWXoME3Yf4Aodvz7V597Ric875JH-rigM/edit#heading=h.rv4t8i6d6jfn)

docs/docs/adrs/intro.md

@@ -36,6 +36,8 @@ To suggest an ADR, please make use of the [ADR template](./adr-template.md) prov
 | [002](./adr-002-throttle.md) | Jail Throttling | Accepted, Implemented |
 | [003](./adr-003-equivocation-gov-proposal.md) | Equivocation governance proposal | Accepted, Implemented |
 | [004](./adr-004-denom-dos-fixes) | Denom DOS fixes | Accepted, Implemented |
+| [005](./adr-005-cryptographic-equivocation-verification.md) | Cryptographic verification of equivocation evidence | Accepted, In-progress |
 | [007](./adr-007-pause-unbonding-on-eqv-prop.md) | Pause validator unbonding during equivocation proposal | Proposed |
 | [008](./adr-008-throttle-retries.md) | Throttle with retries | Accepted, In-progress |
 | [009](./adr-009-soft-opt-out.md) | Soft Opt-out | Accepted, Implemented |
+| [009](./adr-010-standalone-changeover.md) | Standalone to Consumer Changeover | Accepted, Implemented |

docs/docs/frequently-asked-questions.md

@@ -102,6 +102,7 @@ To become a consumer chain use this [checklist](./consumer-development/onboardin
 Currently supported versions:
 
 - Hermes 1.4.1
+- Support for the CCV module was added to the Go [relayer](https://github.com/cosmos/relayer) in v2.2.0 but v2.4.0 has significant performance fixes which makes it the earliest suggested version to use.
 
 ## How does key delegation work in ICS?
 

go.mod

@@ -9,7 +9,7 @@ require (
 	github.com/cometbft/cometbft-db v0.8.0
 	github.com/cosmos/cosmos-sdk v0.47.3
 	github.com/cosmos/gogoproto v1.4.10
-	github.com/cosmos/ibc-go/v7 v7.1.0
+	github.com/cosmos/ibc-go/v7 v7.2.0
 	github.com/cosmos/ics23/go v0.10.0
 	github.com/golang/mock v1.6.0
 	github.com/golang/protobuf v1.5.3
@@ -19,9 +19,9 @@ require (
 	github.com/oxyno-zeta/gomock-extra-matcher v1.1.0
 	github.com/rakyll/statik v0.1.7 // indirect
 	github.com/spf13/cast v1.5.1
-	github.com/spf13/cobra v1.6.1
+	github.com/spf13/cobra v1.7.0
 	github.com/stretchr/testify v1.8.4
-	github.com/tidwall/gjson v1.15.0
+	github.com/tidwall/gjson v1.16.0
 	golang.org/x/crypto v0.11.0 // indirect
 	golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc
 	golang.org/x/net v0.12.0 // indirect
@@ -92,7 +92,7 @@ require (
 	github.com/google/orderedcode v0.0.1 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
-	github.com/googleapis/gax-go/v2 v2.7.1 // indirect
+	github.com/googleapis/gax-go/v2 v2.8.0 // indirect
 	github.com/gorilla/handlers v1.5.1 // indirect
 	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
@@ -127,7 +127,7 @@ require (
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mtibben/percent v0.2.1 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.7 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.8 // indirect
 	github.com/petermattis/goid v0.0.0-20230317030725-371a4b8eda08 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
@@ -138,7 +138,7 @@ require (
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
 	github.com/rs/cors v1.8.3 // indirect
 	github.com/sasha-s/go-deadlock v0.3.1 // indirect
-	github.com/spf13/afero v1.9.3 // indirect
+	github.com/spf13/afero v1.9.5 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/subosito/gotenv v1.4.2 // indirect
@@ -156,7 +156,7 @@ require (
 	golang.org/x/term v0.10.0 // indirect
 	golang.org/x/text v0.11.0 // indirect
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
-	google.golang.org/api v0.114.0 // indirect
+	google.golang.org/api v0.122.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
@@ -166,13 +166,14 @@ require (
 )
 
 require (
-	github.com/spf13/viper v1.15.0
+	github.com/spf13/viper v1.16.0
 	google.golang.org/genproto/googleapis/api v0.0.0-20230526203410-71b5a4ffd15e
 )
 
 require (
 	cosmossdk.io/log v1.1.0 // indirect
 	github.com/go-playground/locales v0.14.0 // indirect
+	github.com/google/s2a-go v0.1.3 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/rs/zerolog v1.29.1 // indirect
 	golang.org/x/sync v0.1.0 // indirect