Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: update fee middleware docs to be more explicit about reasoning for removing invariant checks #1705

Merged
merged 26 commits into from
Aug 12, 2022

Conversation

charleenfei
Copy link
Contributor

Description

closes: #XXXX


Before we can merge this PR, please make sure that all the following items have been
checked off. If any of the checklist items are not applicable, please leave them but
write a little note why.

  • Targeted PR against correct branch (see CONTRIBUTING.md)
  • Linked to Github issue with discussion and accepted design OR link to spec that describes this work.
  • Code follows the module structure standards.
  • Wrote unit and integration tests
  • Updated relevant documentation (docs/) or specification (x/<module>/spec/)
  • Added relevant godoc comments.
  • Added a relevant changelog entry to the Unreleased section in CHANGELOG.md
  • Re-reviewed Files changed in the Github PR explorer
  • Review Codecov Report in the comment section below once CI passes

@charleenfei charleenfei marked this pull request as ready for review July 15, 2022 11:19
@@ -27,7 +27,7 @@ If a counterparty payee is not registered for the forward relayer on the destina
A transaction must be submitted to the destination chain including a `CounterpartyPayee` address of an account on the source chain.
The transaction must be signed by the `Relayer`.

Note: If a module account address is used as the `CounterpartyPayee` it is recommended to [turn off invariant checks](https://github.com/cosmos/ibc-go/blob/71d7480c923f4227453e8a80f51be01ae7ee845e/testing/simapp/app.go#L659) for that module.
Note: If a module account address is used as the `CounterpartyPayee` it may be necessary to [turn off invariant checks](https://github.com/cosmos/ibc-go/blob/71d7480c923f4227453e8a80f51be01ae7ee845e/testing/simapp/app.go#L659) for that module, if the module has been set as a blocked address in the `BankKeeper`. This is because many modules use invariants to compare internal tracking of module account balances against the actual balance of the account stored in the `BankKeeper`. If a token transfer to the module account occurs without going through this module and updating the account balance of the module on the `BankKeeper`, then invariants may break and unknown behaviour could occur depending on the module implementation. Therefore, it is suggested that either invariant checks are turned off, or the module is removed from the blocked address list on the `BankKeeper` with the understanding that this may result in consequences for module balance accounting.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know that this was already there, so not part of your PR, but I just realized that the code that is linked in the text turn off invariant checks is for not adding the module account to the list of blocked addresses, right? It's not pointing to code that shows how to turn off invariants, right?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So if I understand it correctly, there are two options here described that the use could choose from:

  1. Either to turn off invariants.
  2. Or to remove the module account from the list of blocked addresses.

If option 1 is chosen, is it still possible to use the module account as counterparty payee? Because in our code all the operations to transfer funds are using the bank keeper methods, so if the module is still in the list of blocked addresses, these operations will fail, right?

Copy link
Contributor Author

@charleenfei charleenfei Jul 18, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

correct, the code that is linked is for the blocked addresses

regarding your second question, yes it is possible to use the module account as the counterparty payee. each chain handles blocked addresses differently, so the operation may or may not fail depending on if the module is in the blocked address.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

correct, the code that is linked is for the blocked addresses

So should we link instead to code that shows how to turn off invariants instead?

Copy link
Contributor

@colin-axner colin-axner Jul 27, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I disagree with the recommended approach. If a module requires strict internal accounting (as shown by their usage of invariants), I don't think we can safely suggest to ignore that functionality. In my opinion, given the current state of SDK invariants/interaction with the bank keeper, we should say that a module which is blocked cannot be used as a counterparty payee

Copy link
Contributor

@colin-axner colin-axner Jul 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The lack of checks preventing payment to the community pool has led to multiple security releases. I think it is more sustainable to request changes to the SDK to support payment to modules without disrupting their internal tracking

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Issues on the SDK, #10811, #11369, and #11388 would all help make the requested functionality possible. Essentially you only want modules and their sub functionality blocked if it is a strict requirement for security. Currently some modules might be overly secure (too strict invariants) or may have sub-functionality that doesn't need to follow the same invariant checking (community pool)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i see. one problem with waiting on the SDK to fix this though is that i think the usecase we have pinned down for the first deployments of fee middleware use module accounts as the payee, so it would be an issue if we somehow now technically block it.

the other approach, where we don't technically block it but just STRONGLY recommend against and explain why module accounts are risky to use, still allows this usecase.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Module accounts can be used, just module accounts which are blocked cannot be used

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@crodriguezvega is correct that turning off invariants is not sufficient to allow a blocked module to be used with ics29. The module account must be unblocked. Could we recommend that only module accounts which are not blocked can be used with ics29?

Copy link
Contributor

@colin-axner colin-axner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work, thanks for applying my suggestions. Appreciate the willingness to go back and forth

Copy link
Contributor

@crodriguezvega crodriguezvega left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you, @charleenfei!

@crodriguezvega crodriguezvega merged commit 7f3d71b into main Aug 12, 2022
@crodriguezvega crodriguezvega deleted the charly/update_docs_invariants branch August 12, 2022 08:36
mergify bot pushed a commit that referenced this pull request Aug 12, 2022
… for removing invariant checks (#1705)

* fix broken link

* fix: rm AllowUpdateAfter... check (#1118)

* update code & test

* update proto and adr026

* update CHANGELOG

* update cli docs

* update broken milestone link

* updated fee middleware docs wrt invariants

* second review

* update docs to remove language about removing invariants

* update docs/middleware/ics29-fee/fee-distribution.md

Co-authored-by: colin axnér <[email protected]>

Co-authored-by: colin axnér <[email protected]>
Co-authored-by: Carlos Rodriguez <[email protected]>
(cherry picked from commit 7f3d71b)
mergify bot pushed a commit that referenced this pull request Aug 12, 2022
… for removing invariant checks (#1705)

* fix broken link

* fix: rm AllowUpdateAfter... check (#1118)

* update code & test

* update proto and adr026

* update CHANGELOG

* update cli docs

* update broken milestone link

* updated fee middleware docs wrt invariants

* second review

* update docs to remove language about removing invariants

* update docs/middleware/ics29-fee/fee-distribution.md

Co-authored-by: colin axnér <[email protected]>

Co-authored-by: colin axnér <[email protected]>
Co-authored-by: Carlos Rodriguez <[email protected]>
(cherry picked from commit 7f3d71b)
crodriguezvega pushed a commit that referenced this pull request Aug 12, 2022
… for removing invariant checks (#1705) (#1994)

* fix broken link

* fix: rm AllowUpdateAfter... check (#1118)

* update code & test

* update proto and adr026

* update CHANGELOG

* update cli docs

* update broken milestone link

* updated fee middleware docs wrt invariants

* second review

* update docs to remove language about removing invariants

* update docs/middleware/ics29-fee/fee-distribution.md

Co-authored-by: colin axnér <[email protected]>

Co-authored-by: colin axnér <[email protected]>
Co-authored-by: Carlos Rodriguez <[email protected]>
(cherry picked from commit 7f3d71b)

Co-authored-by: Charly <[email protected]>
crodriguezvega pushed a commit that referenced this pull request Aug 12, 2022
… for removing invariant checks (#1705) (#1995)

* fix broken link

* fix: rm AllowUpdateAfter... check (#1118)

* update code & test

* update proto and adr026

* update CHANGELOG

* update cli docs

* update broken milestone link

* updated fee middleware docs wrt invariants

* second review

* update docs to remove language about removing invariants

* update docs/middleware/ics29-fee/fee-distribution.md

Co-authored-by: colin axnér <[email protected]>

Co-authored-by: colin axnér <[email protected]>
Co-authored-by: Carlos Rodriguez <[email protected]>
(cherry picked from commit 7f3d71b)

Co-authored-by: Charly <[email protected]>
ulbqb pushed a commit to ulbqb/ibc-go that referenced this pull request Jul 27, 2023
… for removing invariant checks (cosmos#1705) (cosmos#1994)

* fix broken link

* fix: rm AllowUpdateAfter... check (cosmos#1118)

* update code & test

* update proto and adr026

* update CHANGELOG

* update cli docs

* update broken milestone link

* updated fee middleware docs wrt invariants

* second review

* update docs to remove language about removing invariants

* update docs/middleware/ics29-fee/fee-distribution.md

Co-authored-by: colin axnér <[email protected]>

Co-authored-by: colin axnér <[email protected]>
Co-authored-by: Carlos Rodriguez <[email protected]>
(cherry picked from commit 7f3d71b)

Co-authored-by: Charly <[email protected]>
ulbqb pushed a commit to ulbqb/ibc-go that referenced this pull request Jul 31, 2023
… for removing invariant checks (cosmos#1705) (cosmos#1994)

* fix broken link

* fix: rm AllowUpdateAfter... check (cosmos#1118)

* update code & test

* update proto and adr026

* update CHANGELOG

* update cli docs

* update broken milestone link

* updated fee middleware docs wrt invariants

* second review

* update docs to remove language about removing invariants

* update docs/middleware/ics29-fee/fee-distribution.md

Co-authored-by: colin axnér <[email protected]>

Co-authored-by: colin axnér <[email protected]>
Co-authored-by: Carlos Rodriguez <[email protected]>
(cherry picked from commit 7f3d71b)

Co-authored-by: Charly <[email protected]>
ulbqb pushed a commit to ulbqb/ibc-go that referenced this pull request Jul 31, 2023
… for removing invariant checks (cosmos#1705) (cosmos#1994)

* fix broken link

* fix: rm AllowUpdateAfter... check (cosmos#1118)

* update code & test

* update proto and adr026

* update CHANGELOG

* update cli docs

* update broken milestone link

* updated fee middleware docs wrt invariants

* second review

* update docs to remove language about removing invariants

* update docs/middleware/ics29-fee/fee-distribution.md

Co-authored-by: colin axnér <[email protected]>

Co-authored-by: colin axnér <[email protected]>
Co-authored-by: Carlos Rodriguez <[email protected]>
(cherry picked from commit 7f3d71b)

Co-authored-by: Charly <[email protected]>
@ulbqb ulbqb mentioned this pull request Jul 31, 2023
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants