Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[MMR] fix MmrLeaf::next_auth_set for session-boundary blocks #160

Closed
acatangiu opened this issue Jan 25, 2024 · 5 comments
Closed

[MMR] fix MmrLeaf::next_auth_set for session-boundary blocks #160

acatangiu opened this issue Jan 25, 2024 · 5 comments

Comments

@acatangiu
Copy link
Contributor

paritytech/polkadot#6577 implemented paritytech/substrate#11797 in an attempt to decrease light-client complexity, but inadvertently opened up a corner-case that can end up bricking on-chain light clients (such as bridges):

The offending change is:

// contents for leaf index <N-1> added by block <N>
MmrLeaf {
    version: <leaf-data-format-version>,
    (
        parent_num: <N-1>,
        parent_hash: <hash_of_<N-1>>,
    ),
    extra_data: <para_heads_of_<N-1>>,
-   next_auth_set: <next_auth_set_of<N>>,
+   next_auth_set: <next_auth_set_of<N-1>>,
}

Which is a problem when combined with the following property of the BEEFY protocol:

  • BEEFY will finalize at least one block in each session, called "mandatory commitment", this block has been chosen to be the first block of the session (the one that also signals the auth set change).

When combining the two, we see that mandatory block N contains MMR root for MMR with latest leaf providing
next_auth_set: <next_auth_set_of<N-1>>, representing the currently active validator set and not the next validator set as required (in order to know who are the authorities in the next session).
In other, simplified, words: Mandatory BEEFY commitment ends up providing proof for current validator set instead of next one - which is useless in practice.

We need to change MmrLeaf contents (back) to:

// contents for leaf index <N-1> added by block <N>
MmrLeaf {
    version: <leaf-data-format-version>,
    (
        parent_num: <N-1>,
        parent_hash: <hash_of_<N-1>>,
    ),
    extra_data: <para_heads_of_<N-1>>,
-   next_auth_set: <next_auth_set_of<N-1>>,
+   next_auth_set: <next_auth_set_of<N>>,
}

We can implement above fix by reverting paritytech/polkadot#6577 for both Kusama and Polkadot.

@acatangiu
Copy link
Contributor Author

ping @vgeddes and @seunlanlege as the current known users of MMR

@seunlanlege
Copy link

seunlanlege commented Jan 26, 2024

I've written my light client to be independent of all of this

@Lederstrumpf
Copy link
Contributor

Lederstrumpf commented Jan 26, 2024

Context for this issue is bridge deployment stalling this week: paritytech/polkadot-sdk#3080

We might have to investigate this issue and change approach (again ^^), so here are the three possibilities I see for addressing this (more may exist):

  1. revert construct mmr leaf prior to session pallet hook paritytech/polkadot#6577, as mentioned by @acatangiu above
  2. implement pallet-mmr: improve offchain storage, relax LeafData requirements paritytech/substrate#12446 (comment), but now in the client gadget.
  3. change the mandatory block voted on to be the second block of the session. It could also be any other block in the session.

Assessment:

  1. This has the advantage that it reverts to an operation mode we've used in the past, hence is the simplest to implement. Has the disadvantage of mixing state of <N> & <N-1>.
  2. This would be the cleanest solution for consumers of BEEFY commitments (leaf of block<N> only references information about block<N>), but has the overhead mentioned in MMR Leaf Data: off-by-one error in beefy_next_authority_set paritytech/substrate#11797 (comment), hence not worth it.
  3. This would retain the cohesive <N-1> structure, so would be simpler for consumer of BEEFY commitments than 1.. Has the disadvantage that commitments to the previously mandatory blocks (non-mandatory assuming 3. is implemented) would be rejected by Snowfork's current implementation unless the check here is loosened to also allow leaf.nextAuthoritySetID == nextValidatorSet.id (trivial to implement, and we'll likely loosen checks on authority id to be greater than or equal anyway - both for current & next authority set): https://github.com/snowfork/snowbridge/blob/13db09317fad428af4e2bb8faf590cb3f17ad97c/contracts/src/BeefyClient.sol#L362-L364.

@vgeddes
Copy link
Contributor

vgeddes commented Jan 29, 2024

ping vgeddes and seunlanlege as the current known users of MMR

+1 from Snowfork - We've gone over our protocol & code and the fix here will solve the problem for us.

Luckily, we don't need to make any code changes on our side to support the fix either.

Lederstrumpf added a commit to Lederstrumpf/polkadot-sdk that referenced this issue Jan 29, 2024
Moves `pallet_mmr` back behind `pallet_session` to address polkadot-fellows/runtimes#160.
Lederstrumpf added a commit to Lederstrumpf/polkadot-sdk that referenced this issue Jan 30, 2024
Moves `pallet_mmr` back behind `pallet_session` to address polkadot-fellows/runtimes#160.
Lederstrumpf added a commit to Lederstrumpf/runtimes that referenced this issue Jan 30, 2024
Moves `pallet_mmr` back behind `pallet_session` to address polkadot-fellows#160.
github-merge-queue bot pushed a commit to paritytech/polkadot-sdk that referenced this issue Jan 30, 2024
Moves `pallet_mmr` back behind `pallet_session` to address
polkadot-fellows/runtimes#160.

Opening draft for CI - should be merged or closed depending on outcome
of w3f/polkadot-spec#718.

---------

Co-authored-by: Adrian Catangiu <[email protected]>
github-merge-queue bot pushed a commit to paritytech/polkadot-sdk that referenced this issue Jan 30, 2024
Moves `pallet_mmr` back behind `pallet_session` to address
polkadot-fellows/runtimes#160.

Opening draft for CI - should be merged or closed depending on outcome
of w3f/polkadot-spec#718.

---------

Co-authored-by: Adrian Catangiu <[email protected]>
ggwpez pushed a commit that referenced this issue Jan 31, 2024
Moves BEEFY pallets - in particular `pallet_mmr` - back behind
`pallet_session` to address #160.

See paritytech/polkadot-sdk#3108 for the equivalent Rococo change.

---------

Co-authored-by: Bastian Köcher <[email protected]>
ggwpez pushed a commit that referenced this issue Jan 31, 2024
Moves BEEFY pallets - in particular `pallet_mmr` - back behind
`pallet_session` to address #160.

See paritytech/polkadot-sdk#3108 for the equivalent Rococo change.

---------

Co-authored-by: Bastian Köcher <[email protected]>
@acatangiu
Copy link
Contributor Author

fixed in #169

bgallois pushed a commit to duniter/duniter-polkadot-sdk that referenced this issue Mar 25, 2024
Moves `pallet_mmr` back behind `pallet_session` to address
polkadot-fellows/runtimes#160.

Opening draft for CI - should be merged or closed depending on outcome
of w3f/polkadot-spec#718.

---------

Co-authored-by: Adrian Catangiu <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants