From 09cad1932848dfd8594d0d1494fe2856492b41d2 Mon Sep 17 00:00:00 2001 From: Thomas Bruyelle Date: Thu, 11 May 2023 16:29:13 +0200 Subject: [PATCH 1/4] docs(adr): pause unbonding period during equivocation proposal Co-authored-by: Albert Le Batteux Co-authored-by: Giuseppe Natale --- .../adr-007-pause-unbonding-on-eqv-prop.md | 89 +++++++++++++++++++ 1 file changed, 89 insertions(+) create mode 100644 docs/docs/adrs/adr-007-pause-unbonding-on-eqv-prop.md diff --git a/docs/docs/adrs/adr-007-pause-unbonding-on-eqv-prop.md b/docs/docs/adrs/adr-007-pause-unbonding-on-eqv-prop.md new file mode 100644 index 0000000000..bf789b4c3a --- /dev/null +++ b/docs/docs/adrs/adr-007-pause-unbonding-on-eqv-prop.md 
@@ -0,0 +1,89 @@ +--- +sidebar_position: 2 +title: ADR Template +--- +# ADR 007: Pause validator unbonding during equivocation proposal + +## Changelog +* 2023-05-16: Initial Draft + +## Status + +Proposed + +## Context + +(Copied from [#747](https://github.com/cosmos/interchain-security/issues/747)) + +Currently, if an equivocation slashing proposal is created after more than one +week has passed since the equivocation, it is possible that the validator in +question could unbond and get away without being slashed, since the unbonding +period is 3 weeks, and the voting period is 3 weeks. For this reason, it might +be good to pause unbondings for validators named in an equivocation slashing +proposal until the proposal's voting period is over. + +## Decision + +### How + +Pausing the unbonding period is already possible thanks to the changes in the +`staking` module of the cosmos-sdk: +- `stakingKeeper.PutUnbondingOnHold` pauses an unbonding period +- `stakingKeeper.UnbondingCanComplete` unpauses an unbonding period + +These methods use a counter under the hood, which means we can use them without +conflicts with the *Completion of Unbonding Operations* system. Giving an +unbonding period (already paused by definition because of the *Completion of +Unbonding Operations* system), an additional pause will just increase the +counter, so when this unbonding period has reached its maturity on provider +and all consumer chains, it will remain paused. + +### When pause + +The unbonding period (if there is any unbonding) should be paused once an +equivocation proposal enters the voting period. For that, the `gov` module's +hook `AfterProposalDeposit` can be used. + +If the hook is triggered with a an equivocation proposal in voting period, then +for each equivocation of the proposal, the related unbonding operations of the +related validator must be paused. + +Note that even after the voting period has started, a proposal can receive +additional deposits. 
The hook is triggered however at arrival of a deposit, so +a check to verify that the proposal is not already in voting period is +required. + +### When unpause + +We can use a `gov` module's hook also here and it is +`AfterProposalVotingPeriodEnded`. + +If the hook is triggered with an equivocation proposal, then for each +equivocation, unpause all unbonding operations of the related validator. + +## Consequences + +### Positive + +- Validators subject to an equivocation proposal cannot finish unbonding + their tokens before the end of the voting period. + +### Negative + +- A malicious consumer chain could forge slash packets enabling submission of + an equivocation proposal on the provider chain, resulting in the freezing of + validator's unbondings for an undeterminated amount of time. +- Misbehavior on a consumer chain can potentially go unpunished, if no one + submits an equivocation proposal in time, or if the proposal doesn't pass. + +### Neutral + +- This feature can't be used for social slashing, because an equivocation + proposal is only accepted if there's a slash log for the related + validator(s), meaning the consumer chain has reported the equivocation to + the provider chain. + +## References + +* https://github.com/cosmos/interchain-security/issues/747 +* https://github.com/cosmos/interchain-security/pull/791 From c44afb3bf077736a3eda12b2bc9b1a50533762a2 Mon Sep 17 00:00:00 2001 From: Thomas Bruyelle Date: Fri, 26 May 2023 11:35:07 +0200 Subject: [PATCH 2/4] fix voting period duration --- docs/docs/adrs/adr-007-pause-unbonding-on-eqv-prop.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs/adrs/adr-007-pause-unbonding-on-eqv-prop.md b/docs/docs/adrs/adr-007-pause-unbonding-on-eqv-prop.md index bf789b4c3a..d2a208061a 100644 --- a/docs/docs/adrs/adr-007-pause-unbonding-on-eqv-prop.md +++ b/docs/docs/adrs/adr-007-pause-unbonding-on-eqv-prop.md 
@@ -18,7 +18,7 @@ Proposed Currently, if an equivocation slashing proposal is created after more than one week has passed since the equivocation, it is possible that the validator in question could unbond and get away without being slashed, since the unbonding -period is 3 weeks, and the voting period is 3 weeks. For this reason, it might +period is 3 weeks, and the voting period is 2 weeks. For this reason, it might be good to pause unbondings for validators named in an equivocation slashing proposal until the proposal's voting period is over. From b6f91753d5fdeb970552e31e18278ce4a720d6ed Mon Sep 17 00:00:00 2001 From: Thomas Bruyelle Date: Fri, 26 May 2023 11:40:58 +0200 Subject: [PATCH 3/4] remove issue reference --- docs/docs/adrs/adr-007-pause-unbonding-on-eqv-prop.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/docs/adrs/adr-007-pause-unbonding-on-eqv-prop.md b/docs/docs/adrs/adr-007-pause-unbonding-on-eqv-prop.md index d2a208061a..804775af81 100644 --- a/docs/docs/adrs/adr-007-pause-unbonding-on-eqv-prop.md +++ b/docs/docs/adrs/adr-007-pause-unbonding-on-eqv-prop.md @@ -13,8 +13,6 @@ Proposed ## Context -(Copied from [#747](https://github.com/cosmos/interchain-security/issues/747)) - Currently, if an equivocation slashing proposal is created after more than one week has passed since the equivocation, it is possible that the validator in question could unbond and get away without being slashed, since the unbonding From dd353c29df93d8e7940098516bce5da9fe0cee64 Mon Sep 17 00:00:00 2001 From: Thomas Bruyelle Date: Mon, 29 May 2023 11:21:54 +0200 Subject: [PATCH 4/4] docs: filter out unbonding operations before pause/unpause Co-authored-by: Albert Le Batteux Co-authored-by: Giuseppe Natale --- .../adr-007-pause-unbonding-on-eqv-prop.md | 24 ++++++++++++------- 1 file changed, 15 insertions(+), 9 deletions(-) 
diff --git a/docs/docs/adrs/adr-007-pause-unbonding-on-eqv-prop.md b/docs/docs/adrs/adr-007-pause-unbonding-on-eqv-prop.md index 804775af81..bf3a761704 100644 --- a/docs/docs/adrs/adr-007-pause-unbonding-on-eqv-prop.md +++ b/docs/docs/adrs/adr-007-pause-unbonding-on-eqv-prop.md @@ -29,12 +29,14 @@ Pausing the unbonding period is already possible thanks to the changes in the - `stakingKeeper.PutUnbondingOnHold` pauses an unbonding period - `stakingKeeper.UnbondingCanComplete` unpauses an unbonding period -These methods use a counter under the hood, which means we can use them without -conflicts with the *Completion of Unbonding Operations* system. Giving an -unbonding period (already paused by definition because of the *Completion of -Unbonding Operations* system), an additional pause will just increase the -counter, so when this unbonding period has reached its maturity on provider -and all consumer chains, it will remain paused. +These methods use a reference counter under the hood, that gets incremented +every time `PutUnbondingOnHold` is called, and decreased when +`UnbondingCanComplete` is called instead. A specific unbonding is considered +fully unpaused when its underlying reference counter reaches 0. Therefore, as +long as we safeguard consistency - i.e. we make sure we eventually decrement +the reference counter for each time we have incremented it - we can safely use +this existing mechanism without conflicts with the *Completion of Unbonding +Operations* system. ### When pause 
@@ -43,8 +45,9 @@ equivocation proposal enters the voting period. For that, the `gov` module's hook `AfterProposalDeposit` can be used. If the hook is triggered with a an equivocation proposal in voting period, then -for each equivocation of the proposal, the related unbonding operations of the -related validator must be paused. +for each equivocation of the proposal, the unbonding operations of the related +validator that were initiated after the equivocation block time must be paused +- i.e. the underlying reference counter has to be increased. Note that even after the voting period has started, a proposal can receive additional deposits. The hook is triggered however at arrival of a deposit, so @@ -57,7 +60,10 @@ We can use a `gov` module's hook also here and it is `AfterProposalVotingPeriodEnded`. If the hook is triggered with an equivocation proposal, then for each -equivocation, unpause all unbonding operations of the related validator. +associated equivocation, the unbonding operations of the related validator that +were initiated between the equivocation block time and the start of the +proposal voting period must be unpaused - i.e. decrease the underlying +reference counter - regardless of the proposal outcome. ## Consequences
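Review bot: In PATCH 1/4, the "When pause" section states two conditions that conflict as written: the pause is applied when `AfterProposalDeposit` fires "with a an equivocation proposal in voting period", while the last paragraph requires "a check to verify that the proposal is not already in voting period". Since the hook runs on every deposit, the ADR should say how the handler tells the deposit that moved the proposal into voting apart from later deposits, for example by recording that the proposal's unbondings have already been put on hold, so that each unbonding is paused exactly once. Separately, the front matter still carries `title: ADR Template` from the template, "a an" and "undeterminated" are typos, and the Negative item about freezing unbondings for an undetermined amount of time reads oddly next to "When unpause", which releases them when the voting period ends.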
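Review bot: In PATCH 4/4, first hunk (@@ -29,12 +29,14 @@), the new paragraph makes correctness depend on "we make sure we eventually decrement the reference counter for each time we have incremented it" but does not say what enforces that. Suggest stating the invariant concretely: the set of unbonding operations put on hold in `AfterProposalDeposit` must be exactly the set released in `AfterProposalVotingPeriodEnded`. The ADR should also say what happens when the same validator is named in two overlapping equivocation proposals, where each proposal would add its own hold and must later remove only its own. Minor wording: "that gets incremented" should be "which gets incremented", and the trailing "instead" after `UnbondingCanComplete` is called can be dropped.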
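Review bot: In PATCH 4/4, second hunk (@@ -43,8 +45,9 @@), the added line `- i.e. the underlying reference counter has to be increased.` starts with "- ", which Markdown renders as a bullet item instead of as the end of the sentence; reflow the paragraph so the dash is not at the start of a line, or use parentheses. The pause filter also has only a lower bound ("initiated after the equivocation block time"), while the unpause text in the following hunk bounds the set at the start of the proposal voting period; word both sections with the same interval so increments and decrements cover the same operations. The "a an" typo in the context line of this hunk is still present.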
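Review bot: In PATCH 4/4, third hunk (@@ -57,7 +60,10 @@), "must be unpaused ... regardless of the proposal outcome" leaves the ordering open for the case where the proposal passes: the ADR should state that the slash is applied before the hold is released in `AfterProposalVotingPeriodEnded`, so that a reader can see a matured unbonding cannot complete in between. It would also help to say why unbondings initiated after the start of the voting period need no hold: with the 3-week unbonding period and 2-week voting period given in Context, they cannot mature before the vote ends, and that reasoning stops holding if either parameter changes.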