Add warp contract implementation #718
Conversation
aaronbuchwald
requested review from
anusha-ctrl,
ceyonur and
darioush
as code owners
aaronbuchwald
force-pushed
the
warp-contract
branch
from
3fa2983
to
81520a5
Compare
|
|
||
| func TestParseAddressedPayloadJunk(t *testing.T) { | ||
| _, err := ParseAddressedPayload(utils.RandomBytes(1024)) | ||
| require.Error(t, err) |
There was a problem hiding this comment.
can we keep the tests consistent with TestAddressedPayload by adding this line require := require.New(t)
There was a problem hiding this comment.
I'd prefer a two line to a three line test here since it's not going to be re-used at all.
| if readOnly { | ||
| return nil, remainingGas, vmerrs.ErrWriteProtection | ||
| } | ||
| // unpack the arguments |
There was a problem hiding this comment.
should readOnly be moved up the function so we don't have to deduct gas from remainingGas
There was a problem hiding this comment.
We could save gas in the case that someone calls this incorrectly in a readOnly state. I don't think this is a necessary change because the caller should not call this function, when it's in a readOnly state.
| 1. Read the SourceChainID of the signed message (C-Chain) | ||
| 2. Look up the SubnetID that validates C-Chain: Primary Network | ||
| 3. Look up the validator set of Subnet B (instead of the Primary Network) and the registered BLS Public Keys of Subnet B at the P-Chain height specified by the ProposerVM header | ||
| 4. Filter the validators of Subnet B to include only the validators that the signed message claims as signers |
There was a problem hiding this comment.
Do we assume that they signed the message already? I.e if there are too many validators, do we guarantee that the message related to a particular subnet will be relayed to validators of that subnet and they will sign it?
There was a problem hiding this comment.
yes, at this point we are verifying a signature, so we assume they have all already signed it. I'm not sure I follow the second part of the question, could you re-phrase? We do not guarantee message delivery at this level in any case.
There was a problem hiding this comment.
I see. I was trying to say if it would be practical to assume "everyone" has signed it or do we guarantee that B validators will receive those messages (as priority). But I don't think this is in the scope at the moment?
There was a problem hiding this comment.
We do not require everyone has signed it only a threshold of stake. That threshold is configurable by the receiving VM, so if it is set to 67%, the VM makes no distinction between 70% and 100% of stake signing a message. Both are considered valid.
|
|
||
| It returns the message if present and a boolean indicating if a message is present. | ||
|
|
||
| To use this function, the transaction must include the signed Avalanche Warp Message encoded in the [predicate](#predicate-encoding) of the transaction. Prior to executing a block, the VM iterates through transactions and pre-verifies all predicates. If a transaction's predicate is invalid, then it is considered invalid to include in the block and dropped. |
There was a problem hiding this comment.
Does this mean we allow only 1 warp message per block?
There was a problem hiding this comment.
No this is encoded on a per transaction basis, so there can only be one warp message per transaction currently.
| if err != nil { | ||
| return fmt.Errorf("failed to parse warp log data into unsigned message (TxHash: %s, LogIndex: %d): %w", txHash, logIndex, err) | ||
| } | ||
| log.Info("Accepted warp unsigned message", "txHash", txHash, "logIndex", logIndex, "logData", common.Bytes2Hex(logData)) |
There was a problem hiding this comment.
Isn't this signed and verified by VerifyPredicate at this point?
There was a problem hiding this comment.
No. When you send a message it produces a log. When you verify a message, it verifies a predicate and makes it read-able throughout the transaction's execution.
|
Creating this GitHub issue to ensure that the Warp README provides sufficient documentation for the target audiences: #754. |
| // within [predicateContext]. | ||
| func (c *Config) verifyWarpMessage(predicateContext *precompileconfig.ProposerPredicateContext, warpMsg *warp.Message) error { | ||
| // Use default quorum numerator unless config specifies a non-default option | ||
| quorumNumerator := params.WarpDefaultQuorumNumerator |
There was a problem hiding this comment.
instead of this, can we configure the default in module.go/#Configure and set to c.QuorumNumerator?
There was a problem hiding this comment.
related to #718 (comment)
There was a problem hiding this comment.
I think it's simpler to keep this entirely in-memory on the config for warp itself and provide that from the config during verification, so that we don't need to write it into the state. I think writing it in the state makes sense when we want it to be mutable via on-chain events.
| DestinationAddress ids.ID `serialize:"true"` | ||
| Payload []byte `serialize:"true"` | ||
| SourceAddress common.Address `serialize:"true"` | ||
| DestinationChainID common.Hash `serialize:"true"` |
There was a problem hiding this comment.
why do we change this from ids.ID to common.Hash?
There was a problem hiding this comment.
It's a no-op change from one alias to the other, but changed it to common.Hash to stick with using the common package instead of one from each.
There was a problem hiding this comment.
Hey, Daniel from LimeChain here. Thanks for providing a thorough explanation of the design of the Warp protocol. Here are some of my considerations that popped up while I was reading the README. Sorry if some of those questions seem off / not relevant.
Disclaimer:
- I do not have a deep understanding of the finality guarantees and configuration options for Subnets
- I've gone through the specification and not the actual implementation
Thoughts:
-
Minimum Enforced Latency - How would the
receivingsubnet guard against reorgs on thedestinationsubnet? Is there aminimum_delayfor messages that would cover the cases where thesourcesubnet changes its state (due to not being finalised). The protocol must guardreceivingsubnets from applying messages from asendersubnet before being “finalised”, otherwise they risk their own finalisation. Applying a message from a network, which gets reorged after the message is delivered must trigger the receiving network to reorgs as-well and re-apply all state transitions at the point where the message was “applied”. However, if the receiving network indeed re-applies the state, that can be an attack vector for malicious Subnets to disturb the finalisation of the receiving networks. A solution to this problem might be a configuration for a minimal enforced latency/delay on messages for each subnet that the given subnet accepts messages from. -
DDoS Protection
- How is the C-Chain protected against malicious subnets DDoS-ing it by sending lots of Warp messages? Is there an economic security that would guard the receiving networks against DDoS attacks from malicious subnets that would create lots of messages which would need to be verified by receiving subnets? This becomes even harder if the message is multicast and gets to multiple subnets. Ideally, there should be something that the receiving network gets in exchange for “verifying” the message. Gas costs in the straightforward implementation do not count. They are security guarantees for the validators in the
sendingsubnet to guard against malicious users that want to DDoS the sending subnet, however they do not protectreceivingsubnet validators from malicioussendingvalidators. - I am not sure whether a maximum number of messages that can get applied (queue) in the receiving network per block has been considered. Ideally this number would be configurable similar to the block’s
gas limit.
- How is the C-Chain protected against malicious subnets DDoS-ing it by sending lots of Warp messages? Is there an economic security that would guard the receiving networks against DDoS attacks from malicious subnets that would create lots of messages which would need to be verified by receiving subnets? This becomes even harder if the message is multicast and gets to multiple subnets. Ideally, there should be something that the receiving network gets in exchange for “verifying” the message. Gas costs in the straightforward implementation do not count. They are security guarantees for the validators in the
-
Syncing the network - It seems that the P chain cannot be used to provide the data (validator sets) so that new nodes can sync the network trustlessly, meaning verify the authenticity of messages on their own. I am not quite sure how the issue has been resolved using transaction predicates. My assumption on how transaction predicates work might not be correct, however as far as I understand, the “message bytes” are added as data in the access list of the EOA transaction. If that is the case, there would be DevEx trade-offs such as:
- How would the EOA know what the message required for the TX is?
- What if the EOA interacts with a dApp that interacts with a second dApp that uses the Warp protocol. How would the UI of the first dApp know that the warp message should be placed within the access list?
In general I think that it would be great if additional information on how the Warp protocol will ensure that new nodes will be able to follow / sync the network ideally (although it might not be technically possible) without trusting the consensus at the time of message inclusion but rather being able to compute / deduce the same facts themselves.
If the syncing nodes are relying on the “facts” that a message _was considered valid at block
Xthat would mean that the full chain history afterblock Xbecomes trusted and not computed by the syncing node. -
Misc
- Latency - Developers would be interested in message latency, meaning how long it would take to deliver a message on a destination subnet.
- Costs - Developers would be interested in gas costs for
sendWarpMessageandgetVerifiedMessage
|
Thanks for taking a look!
Avalanche Subnets offer fast finality after a few seconds, such that there are no reorgs after a block has been accepted. Subnets only sign warp messages after a block has been accepted, so receiving subnets do not need to worry about handling reorgs.
The cost for sending a message is paid fully on the source subnet and the cost of verifying/receiving a message is paid fully on the destination subnet. In other words, you can send as many messages as you want from a Subnet to the C-Chain or between any two Subnets, which may create a surplus of outstanding messages to be delivered to the C-Chain, but delivering each one requires paying the full cost of verifying/receiving that message on the C-Chain.
Yes, we assume that the message was verified at the time it was verified by the Subnet. We make the same assumption in order to make bootstrapping faster in a few other places. To perform full verification for all Avalanche Warp Messages, we could either rely on fast archival lookups on the P-Chain to verify historical messages or switching to including proofs of the validator sets used to verify messages at a specific point in time. For now, we use the assumption that the network correctly verified warp messages when it was accepted by the network. It would be a reasonable feature request to add an option to fully verify every operation during a full sync.
Warp is planned to be used as a primitive to build cross-chain communication protocols on top of. A relayer would listen for Avalanche Warp Messages and deliver them to the recipient chain.
Great question, a communication layer built on top of Warp could handle this by delivering messages across multiple transactions and storing those messages in the state to be read all at once later. Alternatively, you could build a communication on top by verifying signed block hashes and proving the contents of the block, all of its ancestors, and any transactions/messages sent based off of that information.
The latency depends on how fast the relayer is able to aggregate signatures from the validator set of the sending Subnet and how quickly it can deliver the transaction on the receiving Subnet. In general, the latency should be dominated by the time for a block to be accepted on the source subnet (cannot aggregate signatures until this point) + the latency of confirming the transaction on the destination, which will be approximately two block confirmations one on each of the source and receiver.
The gas costs are present in the Warp contract code. We can add documentation to break down the gas costs for |
* Rename test_ to step_ for clarity (ava-labs#636) * Codeowners fix (specific dir overrides global) (ava-labs#639) * rename state upgrade test (ava-labs#641) * plugin/evm: fix godoc typo (ava-labs#647) Signed-off-by: Gyuho Lee <gyuho.lee@avalabs.org> * plugin/evm: remove unncessary tx.Hash op in map iter (ava-labs#648) Signed-off-by: Gyuho Lee <gyuho.lee@avalabs.org> * deployExampleRewardManager.ts hardhat script fixed (ava-labs#650) * Migrate HardHat tests to DS-tests (Solidity tests) (ava-labs#601) * Increase trie dirty default cache size to 512MB (ava-labs#656) * export gingkgo suites (ava-labs#659) * export gingkgo suites * remove precompiles description from ping tests * update package.json * fix url in package json * change package name * Publish npm module for contract-examples (ava-labs#663) * export gingkgo suites * remove precompiles description from ping tests * update package.json * fix url in package json * change package name * prepare for module publishing * use npm ci * preload ethers * nits * Fix broken path to docs in README. (ava-labs#665) * Fix contract examples package json (ava-labs#672) * rename contract-examples to contracts & fix pack issue * allow custom CMD to be run on blockchains for e2e tests * move default hardhat test to utils * fix comment * add more comments * change folder reference * Bump got and ethereum-waffle in /contracts (ava-labs#680) Removes [got](https://github.com/sindresorhus/got). It's no longer used after updating ancestor dependency [ethereum-waffle](https://github.com/EthWorks/Waffle). These dependencies need to be updated together. Removes `got` Updates `ethereum-waffle` from 3.4.4 to 4.0.10 - [Release notes](https://github.com/EthWorks/Waffle/releases) - [Commits](https://github.com/EthWorks/Waffle/compare/ethereum-waffle@3.4.4...ethereum-waffle@4.0.10) --- updated-dependencies: - dependency-name: got dependency-type: indirect - dependency-name: ethereum-waffle dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump flat and hardhat in /contracts (ava-labs#679) Bumps [flat](https://github.com/hughsk/flat) to 5.0.2 and updates ancestor dependency [hardhat](https://github.com/nomiclabs/hardhat). These dependencies need to be updated together. Updates `flat` from 4.1.1 to 5.0.2 - [Commits](hughsk/flat@4.1.1...5.0.2) Updates `hardhat` from 2.6.1 to 2.15.0 - [Release notes](https://github.com/nomiclabs/hardhat/releases) - [Commits](https://github.com/nomiclabs/hardhat/compare/hardhat-core-v2.6.1...hardhat@2.15.0) --- updated-dependencies: - dependency-name: flat dependency-type: indirect - dependency-name: hardhat dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Fix core benchmarks (ava-labs#697) * remove unused line in test (ava-labs#695) * bump version to v0.5.2 (ava-labs#681) * bump version to v0.5.2 * downgrade avalanchego to 1.10.2 * update compatibility * Remove unused ethereum-waffle and ethereumjs-tx pkgs (ava-labs#685) * move state upgrade related functions to own file (ava-labs#684) * Update load test to use ANR for network setup (ava-labs#579) * Update load test to use ANR for network setup * Remove ToWebsocketURI that relies on strings feature added in go1.20 * Update load test to use ENV var from CI if populated * Move env var logic into NewDefaultANRConfig * Add init functions and clean up comments * Remove unnecessary helper * Remove unneeded cmd * Cleanup * Address PR comments * Move 2 min timeout for SetupNetwork to the start of the function * Turn list of txs into tx sequence (ava-labs#683) * Turn list of txs into tx sequence * Add agent comments * Remove unused code and address comments * add some more comments * address more comments' * lint * Remove :::warning --------- Co-authored-by: Anusha <anushachillara@gmail.com> * Minor simulator fixes (ava-labs#703) * add benchmark to template (ava-labs#705) * add benchmark to template * fix comment * Add metrics for gas price / usage (ava-labs#700) Co-authored-by: aaronbuchwald <aaron.buchwald56@gmail.com> * added config setting to prune warpdb (ava-labs#702) * added config setting to prune warpdb * refactored warp prune uint test * message * fixed up nits * fixed nits * fixed nits * Update plugin/evm/config.go * Add wrapped validator state for primary to subnet warp messages (ava-labs#708) * Add wrapped validator state for primary to subnet warp message verification * Address PR comment * upload network runner artifact after e2e test run (ava-labs#709) * Differentiate mandatory/optional Subnet-EVM Network Upgrades (ava-labs#640) * remove network upgrades from upgrade configs and enforce them in vm init * fix tests * remove unused var * remove extra shutdown * copy test chain config when modify * use SimulatedTestChainConfig for simulated tests * copy modified test chain config * add optional upgrades * Add tests * fix comments * use unmarshal in test * unexport functions * add commented out test * add TODO comment * add blockchain.Stop as defer to test (ava-labs#714) Co-authered-by: najeal <haim.nathan@icloud.com> Co-authored-by: Ceyhun Onur <ceyhun.onur@avalabs.org> * Add support for predicate gas into IntrinsicGas (ava-labs#713) * Add support for predicate gas * Address review * Fix test and add test for PredicateGas * Address comments * Add signature aggregation helpers (ava-labs#711) * Add signature aggregation helpers * Fix * Move WarpQuorumDenominator into new file * Address comments * fix var rename * Improve comments * Address comments * Add predicate packing helper (ava-labs#710) * Add predicate packing helper * move predicate code and add readme * fix moved import * fix merge * Run ginkgo precompile tests in parallel (ava-labs#712) Use SynchronizedBeforeSuite to create the node and all the subnet that are needed to run tests. Pass the blockchainID to each work processor and run the tests in parallel to reduce runtime * Fix BlockContext comment (ava-labs#731) * precompile accepter should take logIdx (ava-labs#728) * precompile accepter should take logIdx * minimize mock * copyright yr * add comments * Improve tests (ava-labs#733) Improve tests based on feedback from ava-labs#712 * Fix precompile test gen template (ava-labs#737) * fix Benchmark * fix spelling/references in Benchmark * Clean up gossip (ava-labs#744) * Remove call from precompile (ava-labs#748) * Fix nil types tmpl (ava-labs#751) * add more nil types and fix int types * readd hash type * remove convertToNil * Sync coreth v0.12.4 rc0 (ava-labs#694) * apply diff to rc0 * replace coreth with subnet-evm * go mod tidy * remove must commit * remove apricots * replace coreth with subnet-evm * rename banff and cortina * test memory db * add dUpgrade * fix errors * sync with v0.12.4-rc0 * more diffs * change templates * readd preparePredicateSlots * run goimports * readd tx allow list check to txpool * Fix tests * readd subnet evm check for tests * fix tests * add gas limit & coinbase fakers * Fix timestamp types * check error from newblockchain * fix gas limit in simulated genesis * downgrade ci to go 1.19 * gofmt files * rebump go to 1.20 * bump anr to latest * bump anr to latest * prepare predicate storage slots in Subnet-EVM * uncomment tests * change order of airdrop memory cleanup * add utils import * Coreth 0.12.4 x apply (ava-labs#720) Co-authored-by: Darioush Jalali <darioush.jalali@avalabs.org> * move instruction sets * revert unpack changes * reduce diffs * move genesis verify to vm (ava-labs#753) * move genesis verify to vm * fix comment * set a correct default from genesis * fix log * revert change to vm.go --------- Co-authored-by: Darioush Jalali <darioush.jalali@avalabs.org> * avoid adding/removing GasLimits in tests (ava-labs#755) * move genesis verify to vm * fix comment * set a correct default from genesis * fix log * revert change to vm.go * avoid adding/removing GasLimits in tests * nit --------- Co-authored-by: Ceyhun Onur <ceyhun.onur@avalabs.org> --------- Co-authored-by: Darioush Jalali <darioush.jalali@avalabs.org> * Bump avalanchego to v1.10.5 and bump Subnet-EVM for v0.5.3 release (ava-labs#757) * Bump avalanchego to v1.10.5 and bump Subnet-EVM for v0.5.3 release * bump anr version to v1.7.1 * Migrate ABI unpack fix (ava-labs#750) * change sprintf verb and use values (ava-labs#760) * Generalize precompile test suite (ava-labs#759) * restore old functions, generalize paths in sync subnet creation * add subnet suit struct and methods * move constants * fix reviews * add comment * Update subnet.go Signed-off-by: Ceyhun Onur <ceyhun.onur@avalabs.org> --------- Signed-off-by: Ceyhun Onur <ceyhun.onur@avalabs.org> * Add warp contract implementation (ava-labs#718) * Add warp contract implementation * Cleanup predicate test * Fix new function signature * Replace invalid fuzz test with unit test * Add chain config to enable warp API for warp e2e test * remove unused var * Add experimental warning and move warp precompile to x/ package * fix warning label * Fix warning * vm test nits * Improve sendWarpMessenger sol comment * more vm warp test nits * Move warp params into params package * More vm warp test nits * Address more PR comments * Remove triggerTx2 * Add check for expected topics from sendWarpMessage log * Fix config test * Fix incorrect replace * remove unnecessary echo * Address comments * Address comments * Address PR comments * Improve comments * Convert [32]byte type to common.Hash * Add base cost for getVerifiedWarpMessage * fix require equal type check * Fix updated awm message format * Update warp message format * Move IWarpMessenger.sol to interfaces/ * Add newline to warp genesis * uncomment assertion * Fix broken links in README * Add metrics to simulator (ava-labs#706) * add tps * get block build metrics * Add issuance time, confirmed time, issued-> acceptance time, verify time * Log times at end of batch * cleaner * address comments * remove unused code block * avoids taking len of channel * nits * pass in stringID * move to loader * remove unused field * revert file back * cleaner * lint * make it work for ws or for rpc * protect * endpoint * no return on defer * sep to a funciton * have blockchainidstr passed in * typo * pass in metrics through config * address comments * address more comments and edit err policy of metrics functions * add more logging to load_test * typo * better check * fix endpoints * typo: * individual * histogram * address feedback: * remove metrics from default * address comments * simplify time metrics * better explanation * address comments * address comments * cleanup * more cleanup * rename vars for clarity * ws * cleanup * address comments * ws * expose metrics add flag * fix blocking issue of http server and gracefully stop it * cleanup * use constant * add issuance to confirmation metrics * ws * simplify metrics server * Bump avalanchego to v1.10.5 and bump Subnet-EVM for v0.5.3 release (ava-labs#757) * Bump avalanchego to v1.10.5 and bump Subnet-EVM for v0.5.3 release * bump anr version to v1.7.1 * handle control c * print out output * clean up * clean up * remove go routines to close client * address comments * memory leak * fix * print * e2e test: connect to appropriate chain (ava-labs#771) * Bump avalanchego dep and update version for next release (ava-labs#770) * Bump avalanchego dep and update version for next release * Update cache sizes * Update flag in run script to replace staking-enabled=false * Update block builder to enforce predicate one tx at a time (ava-labs#773) * Update block builder to enforce predicate one tx at a time * remove dead code * Update miner/worker.go Co-authored-by: Darioush Jalali <darioush.jalali@avalabs.org> Signed-off-by: aaronbuchwald <aaron.buchwald56@gmail.com> --------- Signed-off-by: aaronbuchwald <aaron.buchwald56@gmail.com> Co-authored-by: Darioush Jalali <darioush.jalali@avalabs.org> * update iocorders address * remove state-sync-enabled from chain config * 1s block ticker * flush hubbleFeed when len > 512 * fix compilation err --------- Signed-off-by: Gyuho Lee <gyuho.lee@avalabs.org> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Ceyhun Onur <ceyhun.onur@avalabs.org> Signed-off-by: aaronbuchwald <aaron.buchwald56@gmail.com> Co-authored-by: Richard Pringle <rpring9@gmail.com> Co-authored-by: Darioush Jalali <darioush.jalali@avalabs.org> Co-authored-by: Ceyhun Onur <ceyhun.onur@avalabs.org> Co-authored-by: Gyuho Lee <gyuho.lee@avalabs.org> Co-authored-by: İzzet Emre Demir <izzetemredemir@gmail.com> Co-authored-by: aaronbuchwald <aaron.buchwald56@gmail.com> Co-authored-by: Gabriel Cardona <gabriel@avalabs.org> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Anusha <anushachillara@gmail.com> Co-authored-by: Cesar <137245636+nytzuga@users.noreply.github.com> Co-authored-by: morrisettjohn <60852062+morrisettjohn@users.noreply.github.com> Co-authored-by: nathan haim <nathan.haim@free.fr> Co-authored-by: Martin Eckardt <m.eckardt@outlook.com> Co-authored-by: rodrigo <77309055+RodrigoVillar@users.noreply.github.com> Co-authored-by: Anusha <63559942+anusha-ctrl@users.noreply.github.com>
Why this should be merged
This PR implements the warp precompile with experimental support. Addresses #440
This PR replaces #586
Future TODOs before production readiness are:
How this works
This PR adds a warp precompile to integrate warp messaging into Subnet-EVM. This includes a Solidity interface for contracts that want to send a message via warp here.
How this was tested
This code has been tested through precompile unit tests, an e2e VM level test for the VM's handling of verification and acceptance of warp interactions, and an e2e ginkgo test that sends a warp message from subnet A to subnet B where the validator sets of subnet A and B are disjoint.
How is this documented
https://github.com/ava-labs/subnet-evm/blob/warp-e2e/precompile/contracts/warp/README.md