Merge the valid_bundles, invalid_bundles, and block_extrinsics_roots fields of the ER into one bundles field and add more precise fraud detection
#1995
Conversation
NingLin-P
requested review from
vedhavyas,
nazar-pc and
rg3l3dr
as code owners
…undleValidity from sp-domains Minor refactoring to avoid naming conflicy with incoming changes Signed-off-by: linning <linningde25@gmail.com>
…ields into the bundles field in ER The bundles field have type of Vec<InboxedBundle>, the InboxedBundle contains all the data of the previous three fields and addtionally the invalid extrinsic index is added to InvalidBundleType which will be used to detect the bundles mismatch in the next commit Signed-off-by: linning <linningde25@gmail.com>
This version of find_inboxed_bundles_mismatch not only updated with changes of the ER fields but also consider more cases that not are considered before like: a bundle can contains multiple invalid extrinsics and an extrinsic can be considered as invalid due to multiple invalid_type at the same time, and handle these case properly. Signed-off-by: linning <linningde25@gmail.com>
NingLin-P
force-pushed
the
ER-refactoring
branch
from
7366e3c
to
3836bd6
Compare
This commit fix the test test_invalid_domain_extrinsic_root_proof, before this commit it is not a legitimate test at all since it try to generate valid fraud proof for a valid receipt. Signed-off-by: linning <linningde25@gmail.com>
| @@ -47,6 +47,11 @@ type DomainBlockElements<CBlock> = ( | |||
| MaybeNewRuntime, | |||
| ); | |||
|
|
|||
| enum BundleValidity<Extrinsic> { | |||
There was a problem hiding this comment.
it is weird seeing some of the type in sp-domains and some in here. Not sure I understand why this is needed ?
There was a problem hiding this comment.
Naming conflict unfortunately, would be great if you suggest a better name for this.
| @@ -118,11 +118,6 @@ where | |||
| )) | |||
| })?; | |||
|
|
|||
| if local_receipt.invalid_bundles != receipt.invalid_bundles { | |||
There was a problem hiding this comment.
shouldn't this check be done for inboxed_bundles correct ?
There was a problem hiding this comment.
inboxed_bundles is checked in the domain_block_processor but not the ReceiptValidator which is used in the block-preprocessor since we don't consider bundle as invalid due to invalid ER anymore. And you remind me that ReceiptValidator should be removed completely.
| } | ||
| // TODO: update test | ||
| // #[test] | ||
| // fn invalid_bundles_fraud_proof_detection() { |
There was a problem hiding this comment.
Why comment them? You can just ignore them instead
| // constructed/imported thus the `external_receipt` must have the same `bundles_extrinsics_roots` | ||
| // | ||
| // NOTE: this also check `local_receipt.bundles` and `external_receipt.bundles` have the same length | ||
| if local_receipt.bundles_extrinsics_roots() != external_receipt.bundles_extrinsics_roots() { |
There was a problem hiding this comment.
isn't this another type of invalid ER and should be proved on the consensus or is this already checked as part of bundle submission?
There was a problem hiding this comment.
It has already been checked as part of bundle submission, but I want to add the check here to make it more robust and also give more context about why the following expect/unreachable is unreachable.
| /// pointing to first mismatch in invalid bundles array. | ||
| pub(crate) fn verify_invalid_bundles_field<Block, CBlock>( | ||
| // Find the first mismatch of the `InboxedBundle` in the `ER::bundles` list | ||
| pub(crate) fn find_inboxed_bundles_mismatch<Block, CBlock>( |
There was a problem hiding this comment.
It would be nice to have removed the commented code instead. Git diff after uncommenting and updating is painful to review TBH.
There was a problem hiding this comment.
Thanks for letting me know! will do that next time.
| // The `local_bundle` and `external_bundle` are checked to have the same `extrinsic_root` | ||
| // thus they must being mismatch due to bundle validity | ||
| let mismatch_type = match (local_bundle.bundle.clone(), external_bundle.bundle.clone()) { | ||
| ( |
There was a problem hiding this comment.
Please do not use nestings like. I have no clue how to process this function. Would be ideal if fucntionality to check a single bundle mismatch would be easier and does not hurt readability. Also Git diff from commented code to uncommented code is not helping either
There was a problem hiding this comment.
Please do not use nestings like. I have no clue how to process this function. Would be ideal if fucntionality to check a single bundle mismatch would be easier and does not hurt readability.
Could you be more specific? I use match to handle each mismatch case in a dedicated branch which should be straightforward and clean IMHO, commented/uncommented code could hurt readability when reviewing though.
Signed-off-by: linning <linningde25@gmail.com>
This PR merges the
valid_bundles,invalid_bundles, andblock_extrinsics_rootsfields of the ER into onebundlesfield, this simplifies the verification and fraud detection of the ER.This PR also brings more precise fraud detection of the
ER::bundles, with cases unconsidered before handled properly:invalid_typeof the bundle, but the malicious operator can construct fraud proof to prove the bundle is invalid of a different type due to another invalid extrinsic, the fraud proof will be accept and pruning the valid ERextrinsic_indexis added to theinvalid_type, thus the verifier can get the exact extrinsic when verifying the proofextrinsic_indexadded, a single extrinsic can beOutOfRangeTxandInvalidXDMat the same time, thus the malicious operator can still construct valid fraud proof to prune the valid ERinvalid_type(like the order in the invalid ER fraud proof), thus the honest operator can know the exact invalidation to prove/verify according the mismatch ofinvalid_typeIntroducing an
extrinsic_indexalso means the invalid bundle fraud proof doesn't need to carry the whole bundle instead just a single invalid extrinsic with a storage proof of thebundle_extrinsic_rootcc @ParthDesaiCode contributor checklist: