-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docs: introduce ADR on slashing on the provider chain #1252
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Partial review.
eeeaa31
to
82ab5c8
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice work @insumity. See my comment bellow.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One small comment, otherwise LGMT
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, a few comments, mostly asking for extra references.
**Evidence expiration:** Additionally, because we cannot infer the actual time of the evidence (i.e., the timestamp of the evidence cannot be trusted), we do not consider _evidence expiration_ and hence old evidence is never ignored (e.g., the provider would act on 3 year-old evidence of equivocation on a consumer). | ||
Additionally, we do not need to store equivocation evidence to avoid slashing a validator more than once, because we [do not slash](https://github.com/cosmos/cosmos-sdk/blob/v0.47.0/x/evidence/keeper/infraction.go#L94) tombstoned validators and we [tombstone](https://github.com/cosmos/cosmos-sdk/blob/v0.47.0/x/evidence/keeper/infraction.go#L138) a validator when slashed. | ||
|
||
We do not act on evidence that was signed by a validator [consensus key](https://tutorials.cosmos.network/tutorials/9-path-to-prod/3-keys.html#what-validator-keys) that is _pruned_ when we receive the evidence. We prune a validator's consensus key if the validator has assigned a new consumer key (using `MsgAssignConsumerKey`) and an unbonding period on the consumer chain has elapsed (see [key assignment ADR](https://github.com/cosmos/interchain-security/blob/main/docs/docs/adrs/adr-001-key-assignment.md)). Note that the provider chain is informed that the unbonding period has elapsed on the consumer when the provider receives a `VSCMaturedPacket` and because of this, if the consumer delays the sending of a `VSCMaturedPacket`, we would delay the pruning of the key as well. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you mention here that a malicious consumer chain can not delay sending VSCMaturedPackets forever? (This should hold true due to the VSCTimeout) I know this is mentioned in the ICS protocol, but might be good to have it here too for context
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe a malicious consumer chain can delay a VSCMaturedPacket
forever. If the consumer chain is malicious, it could never write the VSCMaturedPacket
packet in its store for the packet to be sent. In my view, the timeout assumption holds if the consumer chain tries to actually send the packet and this is not received on the other end.
* build(deps): bump actions/checkout from 3 to 4 (#1257) Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v3...v4) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps)!: bump github.com/cosmos/ibc-go/v7 from 7.2.0 to 7.3.0 (#1258) * build(deps): bump github.com/cosmos/ibc-go/v7 from 7.2.0 to 7.3.0 Bumps [github.com/cosmos/ibc-go/v7](https://github.com/cosmos/ibc-go) from 7.2.0 to 7.3.0. - [Release notes](https://github.com/cosmos/ibc-go/releases) - [Changelog](https://github.com/cosmos/ibc-go/blob/main/CHANGELOG.md) - [Commits](cosmos/ibc-go@v7.2.0...v7.3.0) --- updated-dependencies: - dependency-name: github.com/cosmos/ibc-go/v7 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * add changelog entries --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: mpoke <[email protected]> * build(deps): bump github.com/cosmos/cosmos-sdk from 0.47.4 to 0.47.5 (#1259) * build(deps): bump github.com/cosmos/cosmos-sdk from 0.47.3 to 0.47.5 Bumps [github.com/cosmos/cosmos-sdk](https://github.com/cosmos/cosmos-sdk) from 0.47.3 to 0.47.5. - [Release notes](https://github.com/cosmos/cosmos-sdk/releases) - [Changelog](https://github.com/cosmos/cosmos-sdk/blob/main/CHANGELOG.md) - [Commits](cosmos/cosmos-sdk@v0.47.3...v0.47.5) --- updated-dependencies: - dependency-name: github.com/cosmos/cosmos-sdk dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * add changelog entries --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: mpoke <[email protected]> * chore: Separate semver (#1217) separate semver * docs: cleanup changelog (#1260) fix changelog * fix!: validate MsgTransfer before calling Transfer() (#1244) * validate MsgTransfer * add TestSendRewardsToProvider * update DefaultConsumerUnbondingPeriod to 14 days * update changelog * fix linter * fix test * apply review suggestions * update changelog * docs: Create adr-012-separate-releasing.md (#1229) * Create adr-011-separate-releasing.md * Update docs/docs/adrs/adr-011-separate-releasing.md Co-authored-by: Philip Offtermatt <[email protected]> * adr 12 not 11 * correct that we use postfix not prefix * explanation on example release flow --------- Co-authored-by: Philip Offtermatt <[email protected]> * fix: remove addr validation for provider fee pool addr param (#1262) * fix: remove validation for provider chain address since we cannot validate it properly on consumer * add changelog entry * docs: update CHANGELOG.md for `v3.2.0-consumer` release (#1268) * Update CHANGELOG.md * Update CHANGELOG.md * chore: remove legacy_ibc_testing (rebased on main) (#1185) * chore: remove legacy_ibc_testing * fix import * introduce provider.UnmarshalConsumerPacketData * use patched ibc-go * fix annoying import order * test: ignore key ordering Seems like ibctesting.GenerateKeys can returns keys in different orders when test cover is enabled. * fix after rebase * replace allinbits/ibc-go with patched cosmos/ibc-go Also fix panic in TestRedelegationNoConsumer * fix lint * use released ibc-go 7.3.0 * add newPacketFromConsumer/Provider helper funcs * constructPacket method return ccv type instead of []byte * tests: increase timeout in nightly e2e for multiconsumer (#1272) * test: Add light client attack to e2e tests (#1249) * Add light client attack to e2e tests * Add details about the attack types * Rename validatorAddress to validatorPrivateKeyAddress * Add URL to CometMock to flag * Improve wording for light client attack run * Add submitting equivocation proposals and change consu->consumerName * build(deps): bump google.golang.org/grpc from 1.57.0 to 1.58.0 (#1284) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.57.0 to 1.58.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.57.0...v1.58.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci: update mergify and dependabot for v2.x-lsm (#1281) update mergify and dependabot for v2.x-lsm * build(deps): bump github.com/oxyno-zeta/gomock-extra-matcher from 1.1.0 to 1.2.0 (#1286) build(deps): bump github.com/oxyno-zeta/gomock-extra-matcher Bumps [github.com/oxyno-zeta/gomock-extra-matcher](https://github.com/oxyno-zeta/gomock-extra-matcher) from 1.1.0 to 1.2.0. - [Release notes](https://github.com/oxyno-zeta/gomock-extra-matcher/releases) - [Changelog](https://github.com/oxyno-zeta/gomock-extra-matcher/blob/master/release.config.js) - [Commits](oxyno-zeta/gomock-extra-matcher@v1.1.0...v1.2.0) --- updated-dependencies: - dependency-name: github.com/oxyno-zeta/gomock-extra-matcher dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * feat!: provider proposal for changing reward denoms (#1280) * new provider prop type * add methods and tests for new prop, update docs * remove old tx, fix tests * e2e handling * fix command type * boilerplate * fix e2e tests * Update CHANGELOG.md * lint * validate denoms * Update proposal.go * rm msg string * fix tests * rm chain in change denom action * lint * test for invalid denom * events for both add and remove * Update proposal_test.go * docs: introduce ADR on slashing on the provider chain (#1252) * initial draft of the adr * small change on intro.md to avoid huge diff * clean up * take into account Marius' comments * rewrite v0.47 Cosmos SDK link because it was returning 404 and redirecting * more cleaning up * update based on comments * removed confusing sentence on voting power * add missing ADRs in the intro file * add tokens to power conversion * add paragraph on key pruning and references to light-client attacks code * Update template title * Took into account comments. * augment pseudocode to skip redelegation/undelegation entries * fix identation issue --------- Co-authored-by: Karolos Antoniadis <[email protected]> * ci: update mergify and dependabot for v3.2.x-consumer (#1297) * update ymls * add newline --------- Co-authored-by: mpoke <[email protected]> * ci: update bots for v2.1.x-provider-lsm (#1305) update bots for v2.1.x-provider-lsm * Fix `build` in makefile (#1303) fix build in makefile * refactor: Vaguely named consumer structs (#1288) * Rename GenesisState proto * make proto-gen * proto rename: Params -> ConsumerParams * make proto-gen * App, fix type change for Param renaming * App, fix type change for GenesisState renaming * Fix unit-tests for GenesisState renaming * Fix unit-tests for Params renaming * Addressed review comments * Fix linter issues * build(deps): bump google.golang.org/grpc from 1.58.0 to 1.58.1 (#1306) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.58.0 to 1.58.1. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.58.0...v1.58.1) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * feat: increment consensus ver and register migration (#1295) * increment consensus ver and register migration * Update CHANGELOG.md * Update migration.go * Update module.go * tests: Export struct fields in the e2e tests (#1313) * Make struct fields in e2e exported * Un-capitalize binary name * Remove prop type * Channel to channel in comments --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: mpoke <[email protected]> Co-authored-by: Philip Offtermatt <[email protected]> Co-authored-by: Dmitry Kolupaev <[email protected]> Co-authored-by: Thomas Bruyelle <[email protected]> Co-authored-by: MSalopek <[email protected]> Co-authored-by: insumity <[email protected]> Co-authored-by: Karolos Antoniadis <[email protected]> Co-authored-by: Simon Noetzlin <[email protected]> Co-authored-by: bernd-m <[email protected]>
Description
Closes: #1222
Introduce an ADR that describes a first approach on slashing on the provider chain.
Author Checklist
All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.
I have...
docs:
prefix in the PR titleReviewers Checklist
All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.
I have...
docs:
prefix in the PR titlemake build-docs
)