Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

doc: add fault resolution ADR #2051

Open
wants to merge 27 commits into
base: main
Choose a base branch
from
Open

doc: add fault resolution ADR #2051

wants to merge 27 commits into from

Conversation

sainoe
Copy link
Contributor

@sainoe sainoe commented Jul 17, 2024

Description

Add ADR proposing a Fault Resolutions solution to address the risk of validators collusion in Opt-In chains.

Closes: #XXXX


Author Checklist

All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.

I have...

  • included the correct docs: prefix in the PR title
  • targeted the correct branch (see PR Targeting)
  • provided a link to the relevant issue or specification
  • reviewed "Files changed" and left comments if necessary
  • confirmed all CI checks have passed

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.

I have...

  • Confirmed the correct docs: prefix in the PR title
  • Confirmed all author checklist items have been addressed
  • Confirmed that this PR only changes documentation
  • Reviewed content for consistency
  • Reviewed content for spelling and grammar
  • Tested instructions (if applicable)
  • Checked that the documentation website can be built and deployed successfully (run make build-docs)

Summary by CodeRabbit

  • Documentation
    • Introduced an Architecture Decision Record (ADR) for handling fault resolutions in a blockchain context, addressing risks from validator misconduct.
    • Added a new governance proposal type, consumer-fault-resolution, for slashing validators who misbehave on consumer chains.

@sainoe sainoe requested a review from a team as a code owner July 17, 2024 08:43
Copy link
Contributor

coderabbitai bot commented Jul 17, 2024

Note

Reviews paused

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.
Walkthrough

Walkthrough

The changes introduce an Architecture Decision Record (ADR) aimed at managing fault resolutions within a blockchain framework. It establishes a governance-based slashing mechanism to penalize validators for misbehavior on Opt-in consumer chains. The ADR introduces a new proposal type, consumer-fault-resolution, which requires a submission fee, enhancing accountability among validators and providing a structured method for addressing faults.

Changes

File Path Change Summary
docs/docs/adrs/adr-018-fault-resolutions.md Introduces an ADR addressing validator collusion risks in blockchain, proposing a governance-gated slashing mechanism with a new proposal type consumer-fault-resolution that includes submission criteria and a fee.
docs/docs/adrs/intro.md Adds a new ADR titled "Fault Resolutions" to the list of ADRs.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant ConsumerChain
    participant ProviderChain
    participant Governance

    User->>ConsumerChain: Detect fault by validator(s)
    User->>ProviderChain: Submit consumer-fault-resolution proposal
    ProviderChain->>Governance: Forward proposal for voting
    Governance->>Governance: Vote on fault resolution proposal
    alt Proposal Approved
        Governance->>ProviderChain: Approve fault resolution
        ProviderChain->>ConsumerChain: Slash misbehaving validator(s)
    else Proposal Rejected
        Governance->>ProviderChain: Reject fault resolution
    end
Loading

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share
Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>.
    • Generate unit testing code for this file.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai generate unit testing code for this file.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai generate interesting stats about this repository and render them as a table.
    • @coderabbitai show all the console.log statements in this repository.
    • @coderabbitai read src/utils.ts and generate unit testing code.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@github-actions github-actions bot added C:Docs Assigned automatically by the PR labeler C:ADR Assigned automatically by the PR labeler labels Jul 17, 2024
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 10

docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
Copy link
Contributor

@mpoke mpoke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work @sainoe. See my comments below.

docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
However, this is a complex technology, and there is no framework that works for Cosmos chains to this day.


To address this risk in PSS, a governance-gated slashing solution can be used until fraud proof technology matures.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that the fraud proofs will only work for incorrect execution.

docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
This ADR proposes a fault resolution mechanism, which is a type of governance proposal that victims of faults can use to vote on the
slashing of validators that misbehave on Opt-in consumer chains.

In what follows, we describe the implementation of a fault resolution mechanism that handles incorrect executions on consumer chains,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why only incorrect executions?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because we only provide a guideline for incorrect execution fault definition in the intersubjective faults CHIPs. The handling for other types of faults will be implemented iteratively.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

but that will not need any new implementation effort, right?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would recommend making this a bit more general. From a code perspective, this handles arbitrary fault resolutions

docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
The submission of a fault resolution fails if any of the following conditions are not met:

- the consumer chain is an Opt-in chain
- all listed validators were opted-in to the consumer chain in the past unbonding-period
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- all listed validators were opted-in to the consumer chain in the past unbonding-period
- the provided validator set matches one of the consumer validator sets from the previous unbonding period
- all the listed validators are part of the provided validator set

Copy link
Contributor Author

@sainoe sainoe Jul 17, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The provided validator set shouldn't necessarily match one of the consumer validator sets completely, right? i.e. it can be a subset.

Copy link
Contributor

@jtremback jtremback Jul 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sainoe yes this is right. Perhaps only a few validators committed the fault.

docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 9

docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 7

docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
Copy link
Contributor

@p-offtermatt p-offtermatt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should be careful not to do too much technical work for new types of fault resolutions. In general, I think we should assume that all evidence is in the description, and not add extra fields for this.

Since incorrect execution is a bit special, I do agree with Marius that we can have an extra field for e.g. the invalid state root or the infraction height.

However, I don't think we should do something like this for each type; just let people use the description field to outline the evidence in whatever way they deem suitable.

Copy link
Contributor

@p-offtermatt p-offtermatt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, I just added one comment about the sentence that says that the ADR only has the implementation for incorrect execution... I don't understand what extra technical work is required for other types. I think it should be no extra implementation work, and the same type of proposal should be used for all resolutions, and because of this I'd suggest rewording the sentence a bit. But maybe I'm overlooking something

Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 9

Outside diff range, codebase verification and nitpick comments (3)
docs/docs/adrs/adr-018-fault-resolutions.md (3)

16-20: Review the context section for clarity and completeness.

The context provided about Partial Set Security and the subset problem is well-explained. However, consider adding a comma after "Opt-in chains" for better readability.

- This threat is particularly relevant for Opt-in chains since they might be secured by a relatively small subset of the provider's validator set.
+ This threat is particularly relevant for Opt-in chains, since they might be secured by a relatively small subset of the provider's validator set.

24-26: Simplify language to enhance clarity.

Consider using simpler alternatives to avoid wordiness, such as replacing "in order to" with "to".

- * Incorrect executions to break protocol rules in order to steal funds.
+ * Incorrect executions to break protocol rules to steal funds.
- * Liveness attacks to halt the chain or censor transactions.
+ * Liveness attacks to halt the chain or censor transactions.
- * Oracle attacks to falsify information used by the chain logic.
+ * Oracle attacks to falsify information used by the chain logic.
Tools
LanguageTool

[style] ~24-~24: Consider a shorter alternative to avoid wordiness.
Context: ...rect executions to break protocol rules in order to steal funds. * Liveness attacks to halt...

(IN_ORDER_TO_PREMIUM)


59-59: Simplify language to enhance clarity.

Consider using simpler alternatives to avoid wordiness, such as replacing "in order to" with "to".

- In addition, in order to prevent spamming, users must pay a default fee of `100ATOM` to submit a fault resolution to the provider.
+ Additionally, to prevent spamming, users must pay a default fee of `100ATOM` to submit a fault resolution to the provider.
Tools
LanguageTool

[style] ~59-~59: Consider a shorter alternative to avoid wordiness.
Context: ...validators to be slashed. In addition, in order to prevent spamming, users must pay a defa...

(IN_ORDER_TO_PREMIUM)

docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 7

Outside diff range, codebase verification and nitpick comments (2)
docs/docs/adrs/adr-018-fault-resolutions.md (2)

7-8: Ensure proper spacing around lists and headings.

Headings and lists should be surrounded by blank lines for proper markdown formatting.

- * 17th July 2024: Initial draft
+ 
+ * 17th July 2024: Initial draft
+ 
Tools
Markdownlint

7-7: Expected: 1; Actual: 0; Below
Headings should be surrounded by blank lines

(MD022, blanks-around-headings)


8-8: null
Lists should be surrounded by blank lines

(MD032, blanks-around-lists)


20-20: Add a comma for better readability.

Consider adding a comma after "Opt-in chains" for better readability.

- This threat is particularly relevant for Opt-in chains since they might be secured by a relatively small subset of the provider's validator set.
+ This threat is particularly relevant for Opt-in chains, since they might be secured by a relatively small subset of the provider's validator set.

docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 8

docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 8

docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
docs/docs/adrs/adr-018-fault-resolutions.md Outdated Show resolved Hide resolved
@MSalopek
Copy link
Contributor

MSalopek commented Jul 23, 2024

@coderabbitai pause


The proposal has the following fields:

- **Consumer Chain**: The consumer chain ID that the fault was related to.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this is not merged yet, it could be updated to reflect Permissionless and use "consumer id" here.

Each fault type is mapped to a fault definition that precisely describes an intersubjective fault, such as an incorrect execution, and explains why it qualifies as a slashable fault. Refer to the [fault definitions section](https://forum.cosmos.network/t/preventing-intersubjective-faults-in-ics/14103#fault-definitions-4) in "Preventing Intersubjective faults in ICS" for more details. Note that the text of each fault definition is stored as a string constant in the provider code.


In addition, to prevent spamming, users must pay a default fee of `100ATOM` to submit a fault resolution to the provider.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the normal proposal fee, right?

```protobuf
messsage {
// timestamp recording the last time a validator opted in to the consumer chain
google.protobuf.Timestamp join_time = 1;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe add a sentence on why join_time is needed. The way I see it, we could simply get by using the leave_time. If the validator is currently opted in, then the leave_time is irrelevant. If the validator is not currently opted in, then we can see if they left before unbonding period or not.

sidebar_position: 20
title: Fault Resolutions
---
# ADR 019: Fault Resolutions
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should fault resolutions be optional (?) and a consumer chain can choose whether to use them or not when issuing a MsgCreateConsumer or a MsgUpdateConsumer. What's the relation with docs: ADR for Customizable Slashing and Jailing?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
C:ADR Assigned automatically by the PR labeler C:Docs Assigned automatically by the PR labeler
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants