docs(adr): ADR-007 pause unbonding period during equivocation proposal #964
Conversation
Co-authored-by: Albert Le Batteux <[email protected]> Co-authored-by: Giuseppe Natale <[email protected]>
There was a problem hiding this comment.
Thanks @tbruyelle. I left some comments below. In general, I'm not sure that this proposal solves the main problem: Maintain the correctness of PoS (and the slashing mechanism), while avoiding delays of unbonding operations (e.g., undelegations) on the Hub.
| We can use a `gov` module's hook also here and it is | ||
| `AfterProposalVotingPeriodEnded`. | ||
|
|
||
| If the hook is triggered with an equivocation proposal, then for each |
There was a problem hiding this comment.
This may lead to unpausing unbonding operations that occurred after the AfterProposalDeposit hook was called. As a result, those unbondings would no longer wait for the unbonding period on the consumer to elapse.
There was a problem hiding this comment.
Good catch, we'll fix that.
| hook `AfterProposalDeposit` can be used. | ||
|
|
||
| If the hook is triggered with a an equivocation proposal in voting period, then | ||
| for each equivocation of the proposal, the related unbonding operations of the |
There was a problem hiding this comment.
the related unbonding operations of the related validator must be paused.
This needs to be described more precisely. For example, unbonding operations that are no longer waiting for this particular consumer chain should probably not be put on hold. Also, if the infraction occurred after the unbonding operation was initiated, there is no reason to pause the unbonding.
There was a problem hiding this comment.
good points, we'll add them.
There was a problem hiding this comment.
For example, unbonding operations that are no longer waiting for this particular consumer chain should probably not be put on hold.
Actually, for this particular case, I wonder how this is possible. Considering the protocol, how an unbonding period can end on a consumer chain before the provider chain ?
Or maybe when the unbonding period is deliberately configured shorter between consumer and provider ?
There was a problem hiding this comment.
|
|
||
| ### Negative | ||
|
|
||
| - A malicious consumer chain could forge slash packets enabling submission of |
There was a problem hiding this comment.
IMO, this is the main argument against this proposal. The main reason for pausing unbonding operations is to enable the consumer chains to have shorter unbonding periods and avoid unbonding operations to be delayed. However, reducing the unbonding period on a consumer chain would impact the trusting period of all light clients of that consumer chain (even clients on other chains). This may lead to light clients expiring, which would be a major disruption for the consumer chain.
There was a problem hiding this comment.
The alternative to this proposal is to enable the provider to verify the evidence of equivocation on consumer chains, i.e., #732.
There was a problem hiding this comment.
@mpoke I'm not sure I follow. Currently (without this PR, or cryptographic verification), we are in a situation where the trusting period should be (consumer unbonding - provider voting period) * ~0.75. With a 20 day consumer unbonding period, that means the trusting period should be about 4-5 days. This is already pretty tough for consumer chains to deal with. If we took the consumer unbonding period down to 14 days like we want to, we'd need a trusting period of 0.
With this PR or cryptographic equivocation, we can go back to the trusting period being consumer unbonding * 0.75, or 10-11 days. So at least in this respect, it seems that this PR or cryptographic verification both mitigate this issue equivalently.
There was a problem hiding this comment.
@jtremback Yeah, that’s indeed confusing. Sorry for that.
There are actually two problems we are trying to address here. First, ensuring the correctness of the slashing mechanism of PoS. Second, avoiding delays in the completion of unbonding operations on the provider (which would affect the user experience). Note that the first is a safety concern, while the second is a liveness concern.
For the first, we MUST make sure that the stake of a validator that double signed on a consumer chain is still locked (on the provider) after an equivocation proposal passes. Thus, the following condition MUST hold consumerTrustingPeriod < consumerUnbondingPeriod - providerVotingPeriod. In addition, we MUST leave time for the double signing to be detected, a SlashPacket to be relayed and an equivocation proposal to be submitted. Let’s denote this extra time period with delta1. Then, consumerTrustingPeriod < consumerUnbondingPeriod - delta1 - providerVotingPeriod.
For the second, the following condition SHOULD hold consumerUnbondingPeriod < providerUnbondingPeriod. In addition, we SHOULD leave time to relay both VSCPackets and VSCMaturedPackets, and to account for potential downtimes of the consumer chain (as it happened on Neutron’s launch). Let’s denote this extra time period with delta2. Then, consumerUnbondingPeriod + delta2 < providerUnbondingPeriod.
From these two inequalities, we get consumerTrustingPeriod < providerUnbondingPeriod - delta2 - delta1 - providerVotingPeriod. For the Hub, providerUnbondingPeriod = 21 days, providerVotingPeriod = 14 days, which means consumerTrustingPeriod < 7 - delta2 - delta1. Best case scenario, delta1 = 1 day and delta2 = 1day, which means consumerTrustingPeriod < 5 days. This trusting period must be used for all light clients of the consumer chain, not only the ones on the provider. This means that the chances of a consumer light client expiring are quite high (which would clearly be a very disruptive event). Also, note that these values for the deltas are very low. For example, the network has ~7 days to detect a light client attack on a Hub client (i.e., delta1 ~ 7 days). Also, as we seen with Neutron, having delta2=1day may lead to delays of unbonding operations.
The only way to deal with this problem, is to get rid of the providerVotingPeriod, i.e., consumerTrustingPeriod < providerUnbondingPeriod - delta2 - delta1. This ADR is one way of doing that. The downside is that the suggested approach effectively increases the consumerUnbondingPeriod (when an equivocation proposal is submitted), which means that a malicious consumer can break liveness (i.e., delay unbondings). Given that such an event would result in that consumer being removed (via a ConsumerRemovalProposal), I think the risks are minimal. So, we could go ahead with this proposal for now until #732 is done.
tbruyelle
changed the title
Co-authored-by: Albert Le Batteux <[email protected]> Co-authored-by: Giuseppe Natale <[email protected]>
|
@tbruyelle we now got the two approvals 👍 could you update your fork and then we can merge this PR, thanks |
|
@smarshall-spitzbart done! I was wondering, shouldn't we change the ADR status before the merge ? Currently it's draft. |
|
@tbruyelle let's discuss in a separate PR / issue / discussion if we want to go ahead and implement this solution. cc @jtremback |
* build(deps): bump gaurav-nelson/github-action-markdown-link-check from 1.0.13 to 1.0.15 (#928) build(deps): bump gaurav-nelson/github-action-markdown-link-check Bumps [gaurav-nelson/github-action-markdown-link-check](https://github.com/gaurav-nelson/github-action-markdown-link-check) from 1.0.13 to 1.0.15. - [Release notes](https://github.com/gaurav-nelson/github-action-markdown-link-check/releases) - [Commits](gaurav-nelson/github-action-markdown-link-check@1.0.13...1.0.15) --- updated-dependencies: - dependency-name: gaurav-nelson/github-action-markdown-link-check dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: bump hermes (#921) * bump the version of hermes used in docs and images * use the multiplatform ghcr.io build of hermes * build(deps): bump github.com/spf13/cast from 1.5.0 to 1.5.1 (#961) Bumps [github.com/spf13/cast](https://github.com/spf13/cast) from 1.5.0 to 1.5.1. - [Release notes](https://github.com/spf13/cast/releases) - [Commits](spf13/cast@v1.5.0...v1.5.1) --- updated-dependencies: - dependency-name: github.com/spf13/cast dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * refactor: adopt the errors module to reduce the changeset for 47 (#920) adopt the errors module to reduce the changeset for 47 Co-authored-by: Shawn <[email protected]> * fix!: prevent denom DOS (#931) * Merge pull request from GHSA-chqw-ff63-95r8 * squash commit of multisig fix + everything involving denom fix * rebuild proto * fix todos --------- Co-authored-by: Jehan Tremback <[email protected]> * regen proto * fix cherrypick issues * lint * cleans * gosec * restore param, remove tech debt from tests * ibc denom as const * add check for consumer reward denom already registered * lint * remove unneeded expect --------- Co-authored-by: Jehan Tremback <[email protected]> Co-authored-by: Marius Poke <[email protected]> * fix: all feature branches should have CI (#958) * Update automated-tests.yml * Update build.yml * all feature branches will now run all ci jobs relevant to them --------- Co-authored-by: Shawn <[email protected]> * fix!: consumer key prefix order to avoid complex migrations (#963) proper order matching v1.0.0 Co-authored-by: Marius Poke <[email protected]> * docs: update changelog to prep for v1.3.0 release (#953) * wip * Update CHANGELOG.md * small comment * comment * progress save * another progress save * progress save * done * Update CHANGELOG.md * add denom dos entry * remove extraneous changelog entries * restore a couple entries * Changes from PR review * add entry for 963 * fix: mitigate e2e tests relaying and non-determinism (#968) * fix: mitigate e2e tests relaying non-determinism * fix: bump signed blocks windows in e2e test configs * deps: bump cometbft to v0.34.28 (#906) this bumps only cometbft Co-authored-by: MSalopek <[email protected]> * fix!: Remove panics on failure to send IBC packets (#876) * provider: replace panic with StopConsumerChain * provider: replace panic with error message * Info logging on client expiration * add test for consumer * add test for provider * linter * Update CHANGELOG.md --------- Co-authored-by: Shawn <[email protected]> * build(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.3 (#969) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.2 to 1.8.3. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](stretchr/testify@v1.8.2...v1.8.3) --- updated-dependencies: - dependency-name: github.com/stretchr/testify dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Shawn <[email protected]> * build(deps): bump slackapi/slack-github-action from 1.23.0 to 1.24.0 (#971) Bumps [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action) from 1.23.0 to 1.24.0. - [Release notes](https://github.com/slackapi/slack-github-action/releases) - [Commits](slackapi/slack-github-action@v1.23.0...v1.24.0) --- updated-dependencies: - dependency-name: slackapi/slack-github-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * refactor!: upgrade ICS imports to v2 (#974) * v2 imports * Update CHANGELOG.md * docs: update PR template to consider migrations (#976) Update PULL_REQUEST_TEMPLATE.md * fix: v2 imports proto go_package option (#978) * add v2 to proto files, adjust protocgen scripts * regen proto * fix: partially revert key assignment type safety PR (#980) * use bytes in place where possible * fix tests * add v2 to proto files, adjust protocgen scripts * regen proto * change protos, define custom types, fix references * Update key_assignment_test.go * Update key_assignment.go * format * Update CHANGELOG.md * nit for better diff * docs: update top level readme for repo (#981) * Update base.css * Update README.md * smol --------- Co-authored-by: Marius Poke <[email protected]> * ci: makefile target for checking if protos are updated (#979) * proto-check makefile target * comment * add to GH actions workflow * put proto check before other tests * gotta regenerate protos --------- Co-authored-by: Marius Poke <[email protected]> * build(deps): bump github.com/cosmos/ibc-go/v4 from 4.4.0 to 4.4.2 (#982) * build(deps): bump github.com/cosmos/ibc-go/v4 from 4.4.0 to 4.4.2 Bumps [github.com/cosmos/ibc-go/v4](https://github.com/cosmos/ibc-go) from 4.4.0 to 4.4.2. - [Release notes](https://github.com/cosmos/ibc-go/releases) - [Changelog](https://github.com/cosmos/ibc-go/blob/main/CHANGELOG.md) - [Commits](cosmos/ibc-go@v4.4.0...v4.4.2) --- updated-dependencies: - dependency-name: github.com/cosmos/ibc-go/v4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * update changelog --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: mpoke <[email protected]> Co-authored-by: Shawn <[email protected]> * build(deps): bump JamesIves/github-pages-deploy-action from 4.4.1 to 4.4.2 (#983) build(deps): bump JamesIves/github-pages-deploy-action Bumps [JamesIves/github-pages-deploy-action](https://github.com/JamesIves/github-pages-deploy-action) from 4.4.1 to 4.4.2. - [Release notes](https://github.com/JamesIves/github-pages-deploy-action/releases) - [Commits](JamesIves/github-pages-deploy-action@v4.4.1...v4.4.2) --- updated-dependencies: - dependency-name: JamesIves/github-pages-deploy-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Shawn <[email protected]> * build(deps): bump github.com/stretchr/testify from 1.8.3 to 1.8.4 (#985) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.3 to 1.8.4. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](stretchr/testify@v1.8.3...v1.8.4) --- updated-dependencies: - dependency-name: github.com/stretchr/testify dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Marius Poke <[email protected]> * feat: v2 migrations (#975) * v2 imports * Squashed commit of the following: commit a4c9224 Author: Shawn <[email protected]> Date: Wed May 24 10:13:10 2023 -0700 Revert "Merge branch 'shawn/v2-imports' into shawn/ccv-migrations" This reverts commit 53e3362, reversing changes made to 9c3f338. commit 6885ad1 Author: Shawn <[email protected]> Date: Wed May 24 10:12:49 2023 -0700 Revert "Merge branch 'shawn/v2-imports' into shawn/ccv-migrations" This reverts commit 45d74c7, reversing changes made to 53e3362. commit 9589144 Author: Shawn <[email protected]> Date: Tue May 23 14:48:06 2023 -0700 provider migration boilerplate commit 9521ecb Author: Shawn <[email protected]> Date: Tue May 23 12:25:14 2023 -0700 lint commit fc3f273 Author: Shawn <[email protected]> Date: Tue May 23 12:20:33 2023 -0700 old default params commit 80a490c Author: Shawn <[email protected]> Date: Tue May 23 12:15:30 2023 -0700 naming commit 45d74c7 Merge: 53e3362 8e6bdfb Author: Shawn <[email protected]> Date: Tue May 23 12:12:03 2023 -0700 Merge branch 'shawn/v2-imports' into shawn/ccv-migrations commit 8e6bdfb Author: Shawn <[email protected]> Date: Tue May 23 12:10:22 2023 -0700 proto name for gov prop registration commit 53e3362 Merge: 9c3f338 5ca68d1 Author: Shawn <[email protected]> Date: Tue May 23 12:05:39 2023 -0700 Merge branch 'shawn/v2-imports' into shawn/ccv-migrations commit 5ca68d1 Author: Shawn <[email protected]> Date: Tue May 23 11:53:12 2023 -0700 fix e2e tests commit aa6bd0c Author: Shawn <[email protected]> Date: Tue May 23 11:42:47 2023 -0700 rm bad files commit 6e3dc88 Author: Shawn <[email protected]> Date: Tue May 23 11:42:14 2023 -0700 correct generation commit 056ef7a Author: Shawn <[email protected]> Date: Tue May 23 11:29:45 2023 -0700 proto upgrade too commit 9c3f338 Author: Shawn <[email protected]> Date: Tue May 23 10:57:25 2023 -0700 remove hardcoded old code commit 1e73173 Merge: dbf9ded 8769fd5 Author: Shawn <[email protected]> Date: Tue May 23 10:07:31 2023 -0700 Merge branch 'shawn/v2-imports' into shawn/ccv-migrations commit 8769fd5 Author: Shawn <[email protected]> Date: Tue May 23 09:58:28 2023 -0700 v2 imports commit dbf9ded Author: Shawn <[email protected]> Date: Mon May 22 16:10:05 2023 -0700 provider migration commit 2d95e2e Author: Shawn <[email protected]> Date: Mon May 22 15:01:47 2023 -0700 improve consumer test commit 85f4cfd Author: Shawn <[email protected]> Date: Mon May 22 14:03:20 2023 -0700 consumer params * rm old code * go.mod restore * better naming of hardcodes * consumer boilerplate * comments * migrate consumer genesis states * test and cleans * lint * migration and partial test * cleans * finish test * comments and doc * Update migration_test.go * Update CHANGELOG.md * expand in changelog * increment consensus ver * set key table on construction * rm semver migration funcs * comment explaining consensus version * docs: cleanup changelog for v2.0.0 on main (#988) cleans * chore: Hardcode golangci-lint version (#990) * Hardcode golangci-lint version * Hardcode version in CI config * docs: Increase the validator set of cosmos hub to 180 from 175 (#999) Updated number of validators to 180 * fix: proper consumer key prefix ordering (#991) * Update keys.go * tests * fix another bug * fix comments * feat: Remove consumer genesis migration on provider (#997) * Update keys.go * tests * fix another bug * remove consumer genesis deletion, link to test * remove unused bond denom method * Revert "remove unused bond denom method" This reverts commit f930eca. * remove test too * update changelog * docs: Update reward-distribution.md (#994) * Update reward-distribution.md * docs: add instructions for registering denoms * Update docs/docs/features/reward-distribution.md Co-authored-by: Marius Poke <[email protected]> * Update reward-distribution.md * Update docs/docs/features/reward-distribution.md Co-authored-by: Shawn <[email protected]> --------- Co-authored-by: MSalopek <[email protected]> Co-authored-by: Marius Poke <[email protected]> * chore: update workflow re. issues and PRs (#1002) * update PR workflow * update issue workflow * rename other.md to others.md * fix typo --------- Co-authored-by: Shawn <[email protected]> * docs(adr): ADR-007 pause unbonding period during equivocation proposal (#964) * docs(adr): pause unbonding period during equivocation proposal Co-authored-by: Albert Le Batteux <[email protected]> Co-authored-by: Giuseppe Natale <[email protected]> * fix voting period duration * remove issue reference * docs: filter out unbonding operations before pause/unpause Co-authored-by: Albert Le Batteux <[email protected]> Co-authored-by: Giuseppe Natale <[email protected]> --------- Co-authored-by: Albert Le Batteux <[email protected]> Co-authored-by: Giuseppe Natale <[email protected]> * docs: Add type prefix link to CONTRIBUTING.md (#1007) Update CONTRIBUTING.md * chore: enable mergify (#1009) * add config for mergify * enable security dependecies for v2.0.x * Markdownlint (#907) markdownlint Co-authored-by: Jacob Gadikian <[email protected]> * fix: limit vsc matured packets handled per endblocker (#1004) * initial implementation, still need tests * UTs * integration test * linter * Update CHANGELOG.md * make vsc matured handled this block a var * comment * feat: integrate cometmock (#989) * Add gorelayer and CometMock to Dockerfile * Add option to start with cometmock in start-chain script * Start adding support for rly * Adjust relayer start action * Add entrypoint for short happy path steps * Add . nosec G204 and waiting for blocks * Adjust rly config: Gas is free * Remove optout steps from short happy path * Use separate redelegate step for short happy path * Wait for blocks after unbonding * Make naming more descriptive and add comments * Add comment to chain name sorting and improve comments * Update start-chain.sh Address comments form joint review session with @MSalopek * Fix typo * docs: Create adr-004-denom-dos-fixes.md (#934) * Create adr-006-denom-dos-fixes * Update docs/docs/adrs/adr-006-denom-dos-fixes Co-authored-by: Shawn <[email protected]> * Update docs/docs/adrs/adr-006-denom-dos-fixes Co-authored-by: Shawn <[email protected]> * Update docs/docs/adrs/adr-006-denom-dos-fixes Co-authored-by: Marius Poke <[email protected]> * Update docs/docs/adrs/adr-006-denom-dos-fixes * Update docs/docs/adrs/adr-006-denom-dos-fixes * rename to adr 004 * remove extra file * add entry to Table of Contents * add ADR 7 to ToC --------- Co-authored-by: Shawn <[email protected]> Co-authored-by: Marius Poke <[email protected]> * docs: Fix link to template (#1027) Fix link to template Fixes typo in contributing.md * feat!: Add DistributionTransmissionChannel to ConsumerAdditionProposal (#965) * update proto * remove transfer_channel_id from consumer genesis * ConsumerAdditionProposal: transfer_channel_id -> distribution_transmission_channel * send updated ConsumerAdditionProposal * validate consumer genesis param * remove StandaloneTransferChannelID from store * fix TestOnChanOpenAck * remove state breaking change * finalize merge and fix issues * chore: update docs and changelog * chore: regenerate protos * re-add integrationt tests around changeover * mv entry in changelog * test: add sovereign to consumer changeover e2e (#1025) * tests: add sovereign to consumer e2e test * rm unused bash scripts * partially address review comments * apply remaining review comments * chore: apply formatting rules --------- Co-authored-by: MSalopek <[email protected]> * docs: ADR for throttle with retries (#1005) * all of ADR is filled out except design portion * design * Update adr-008-throttle-retries.md * Update adr-008-throttle-retries.md * Update adr-008-throttle-retries.md * Apply suggestions from code review Co-authored-by: Marius Poke <[email protected]> * nit formatting * describe consumer changes first * add comment on rareness of throttling being triggered * split out paragraph * hopefully better explanation * Update adr-008-throttle-retries.md * accepted * TOC entry --------- Co-authored-by: Marius Poke <[email protected]> * Add time and block advancement integration for CometMock (#1017) * Add time and block advancement * Adhere to gocritic: use += * Remove extra debug output * Fix: use correct key when consumer key is not assigned * Correct private key address field * Clarify comment for WaitTime * Use bool instead of *bool type * Add review comments * refactor: first batch of post-merge changes * refactor: batch sovereign changes with v47 * refactor: another batch of post-merge changes * changes to go.mod * refactor: final batch of changes post-merge * refactor: rebuild protos for v47 * refactor: rebuild mocks for v47 * refactor: testing changes * refactor: update proto tooling and rebuild protos * lint: appease gosec * chore: rm unused string from Makefile * chore: rm unused in makefile .phony * temporarily disable proto-check to run automated tests --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jacob Gadikian <[email protected]> Co-authored-by: Shawn <[email protected]> Co-authored-by: Jehan Tremback <[email protected]> Co-authored-by: Marius Poke <[email protected]> Co-authored-by: Philip Offtermatt <[email protected]> Co-authored-by: Milan Mulji <[email protected]> Co-authored-by: Thomas Bruyelle <[email protected]> Co-authored-by: Albert Le Batteux <[email protected]> Co-authored-by: Giuseppe Natale <[email protected]> Co-authored-by: Ruslan Akhtariev <[email protected]> Co-authored-by: Jehan <[email protected]>
Description
Link: #747 #791
Author Checklist
All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.
I have...
!to the type prefix if API or client breaking changeCHANGELOG.mdReviewers Checklist
All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.
I have...
!in the type prefix if API or client breaking change