-
Notifications
You must be signed in to change notification settings - Fork 138
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat!: Cryptographic verification of equivocation #1287
Conversation
* define msg to submit misbehaviour to provider implement msg handling logic e2e test msg handling logic * wip: get byzantine validators in misbehavioiur handling * add tx handler * format HandleConsumerMisbehaviour * add tx handler * add debugging stuff * Add misbehaviour handler * create message for consumer double voting evidence * add DRAFT double vote handler * Add cli cmd for submit consumer double voting * Add double-vote handler * add last update * fix jailing * pass first jailing integration test * format tests * doc * save * update e2e tests' * fix typo and improve docs * remove unwanted tm evidence protofile * fix typos * update submit-consumer-misbehaviour cli description * check that header1 and header2 have the same TrustedValidators * feat: add e2e tests for ICS misbehaviour (#1118) * remove unwanted changes * fix hermes config with assigned key * revert unwanted changes * revert local setup * remove log file * typo * update doc * update ICS misbehaviour test * update ICS misbehaviour test * revert mixed commits * add doc * lint * update to handle only equivocations * improve doc * update doc * update E2E tests comment * optimize signatures check * doc * update e2e tests * linter * remove todo * Feat: avoid race condition in ICS misbehaviour handling (#1148) * remove unwanted changes * fix hermes config with assigned key * revert unwanted changes * revert local setup * remove log file * typo * update doc * update ICS misbehaviour test * update ICS misbehaviour test * revert mixed commits * update ICS misbehaviour test * update ICS misbehaviour test * Add test for MsgSubmitConsumerMisbehaviour parsing * fix linter * save progress * add CheckMisbehaviourAndUpdateState * update integration tests * typo * remove e2e tests from another PRs * cleaning' * Update x/ccv/provider/keeper/misbehaviour.go Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> * Update x/ccv/provider/keeper/misbehaviour.go Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> * update integration tests * save * save * nits * remove todo * lint * Update x/ccv/provider/keeper/misbehaviour.go --------- Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> Co-authored-by: Marius Poke <marius.poke@posteo.de> * Update x/ccv/provider/client/cli/tx.go Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> * Update x/ccv/provider/client/cli/tx.go Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> * add attributes to EventTypeSubmitConsumerMisbehaviour * Update x/ccv/provider/keeper/misbehaviour.go Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> * Update x/ccv/provider/keeper/misbehaviour.go Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> * apply review suggestions * fix docstring * Update x/ccv/provider/keeper/misbehaviour.go Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> * fix link * apply review suggestions * update docstring --------- Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> Co-authored-by: Marius Poke <marius.poke@posteo.de>
* update e2e tests * update the chain halt assertion
* create new endpoint for consumer double voting * add first draft handling logic * first iteration of double voting * draft first mem test * error handling * refactor * add unit test of double voting verification * remove evidence age checks * document * doc * protogen * reformat double voting handling * logger nit * nits * check evidence age duration * move verify double voting evidence to ut * fix nit * nits * fix e2e tests * improve double vote testing coverage * remove TODO * lint * add UT for JailAndTombstoneValidator * nits * nits * remove tombstoning and evidence age check * lint * typo * improve godoc
* fix double voting cli * fix bug double signing handler * godoc * nits * revert wrong push of lasts commits
…1254) * fix double voting cli * fix bug double signing handler * godoc * nits * lint * nit
…bleVoting` msg (#1264) * verify dv evidence using malicious validator pubkey in infraction block header * nits * nits
* fix double voting cli * add double-signing e2e test * refortmat e2e double voting test * godoc, revert unwanted changes * nit * verify dv evidence using malicious validator pubkey in infraction block header * save changes * fix hermes config * fist successful run * nit * nits * nits * doc and nits * lint * refactor * typo * change hermes docker image * nits * Update tests/e2e/steps.go Co-authored-by: Philip Offtermatt <57488781+p-offtermatt@users.noreply.github.com> * address PR comments * nits --------- Co-authored-by: Philip Offtermatt <57488781+p-offtermatt@users.noreply.github.com>
// observed on a consumer chain | ||
// Note that the misbheaviour' headers must contain the same trusted states | ||
message MsgSubmitConsumerMisbehaviour { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
explain it's about light client attacks
// MsgSubmitConsumerDoubleVoting defines a message that reports an equivocation | ||
// observed on a consumer chain | ||
message MsgSubmitConsumerDoubleVoting { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
emphasize it's about double signing attacks
@@ -133,7 +133,7 @@ func (tr TestRun) startChain( | |||
cmd := exec.Command("docker", "exec", tr.containerConfig.instanceName, "/bin/bash", | |||
"/testnet-scripts/start-chain.sh", chainConfig.binaryName, string(vals), | |||
string(chainConfig.chainId), chainConfig.ipPrefix, genesisChanges, | |||
fmt.Sprint(action.skipGentx), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
check that the sovereign tests are not broken @MSalopek
tests/e2e/actions.go
Outdated
|
||
saveMnemonicCommand := fmt.Sprintf(`echo '%s' > %s`, mnemonic, "/root/.hermes/mnemonic.txt") | ||
fmt.Println("Add to hermes", action.validator) | ||
fmt.Println(mnemonic) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remove it or log it
tests/e2e/actions.go
Outdated
// which detects evidences committed to the blocks of a consumer chain. | ||
// Each infraction detected is reported to the provider chain using | ||
// either a SubmitConsumerDoubleVoting or a SubmitConsumerMisbehaviour message. | ||
type detectConsumerEvidenceAction struct { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
rename to startConsumerEvidenceDetectorAction
) { | ||
chainConfig := tr.chainConfigs[action.chain] | ||
//#nosec G204 -- Bypass linter warning for spawning subprocess with cmd arguments. | ||
bz, err := exec.Command("docker", "exec", "-d", tr.containerConfig.instanceName, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
add a comment that it will keep running on the background
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the review session, helped a lot to get context. Some more comments. I will approve because the core logic we went over looks good and we want this to be merged asap
Dockerfile
Outdated
@@ -28,7 +28,7 @@ RUN go mod tidy | |||
RUN make install | |||
|
|||
# Get Hermes build | |||
FROM ghcr.io/informalsystems/hermes:1.4.1 AS hermes-builder | |||
FROM otacrew/hermes-ics:latest AS hermes-builder |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe change this from latest to a specific tag
tests/e2e/actions.go
Outdated
@@ -521,7 +524,7 @@ func (tr TestRun) voteGovProposal( | |||
} | |||
|
|||
wg.Wait() | |||
time.Sleep(time.Duration(tr.chainConfigs[action.chain].votingWaitTime) * time.Second) | |||
time.Sleep((time.Duration(tr.chainConfigs[action.chain].votingWaitTime)) * time.Second) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: extra brackets
"time" | ||
) | ||
|
||
type forkConsumerChainAction struct { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you comment somewhere what we can expect when calling this?
|
||
func NewSubmitConsumerDoubleVotingCmd() *cobra.Command { | ||
cmd := &cobra.Command{ | ||
Use: "submit-consumer-double-voting [evidence] [infraction_header]", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add a long version here, like for the misbehaviour
@@ -36,6 +36,11 @@ func RegisterInterfaces(registry codectypes.InterfaceRegistry) { | |||
&EquivocationProposal{}, | |||
) | |||
|
|||
registry.RegisterImplementations( | |||
(*sdk.Msg)(nil), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pattern matching: Should the MsgSubmitConsumerDoubleVoting also have something like this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch
x/ccv/provider/keeper/double_vote.go
Outdated
// Note that since we're only jailing validators for double voting on a consumer chain, | ||
// the age of the evidence is irrelevant and therefore isn't checked. | ||
|
||
// TODO: check the age of the evidence once we slash |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove this TODO (?)
Even the current approach we intend for following on slashing won't check the age.
x/ccv/provider/keeper/double_vote.go
Outdated
evidence.VoteB.Height, evidence.VoteB.Round, evidence.VoteB.Type) | ||
} | ||
|
||
// Address must be the same |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: s/Address/addresses
) | ||
|
||
// HandleConsumerMisbehaviour checks if the given IBC misbehaviour corresponds to an equivocation light client attack, | ||
// and in this case, jails and tombstones the Byzantine validators |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remove "tombstones"
|
||
// Since the misbehaviour packet was received within the trusting period | ||
// w.r.t to the trusted consensus states the infraction age | ||
// isn't too old. see ibc-go/modules/light-clients/07-tendermint/types/misbehaviour_handle.go |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: do we want to refer to a specific ibc-go version here?
At a later point in misbehaviour.go
, you have a full link // see https://github.com/cosmos/ibc-go/blob/v4.2.0/modules/light-clients/07-tendermint/types/misbehaviour_handle.go#L120
instead of just the suffix. We can remove the https://github.com/
below to be consistent.
|
||
provAddrs := make([]types.ProviderConsAddress, len(byzantineValidators)) | ||
|
||
// jail and tombstone the Byzantine validators |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remove "tombstone"
} | ||
|
||
// CheckMisbehaviourAndUpdateState verifies the misbehaviour against the trusted consensus states | ||
// but does NOT update the light client state. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From what I see here the client state might be updated in the sense of getting frozen.
Is that not the case?
Why do we care that the light client is not having its state updated?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
x/ccv/provider/keeper/msg_server.go
Outdated
func (k msgServer) SubmitConsumerMisbehaviour(goCtx context.Context, msg *types.MsgSubmitConsumerMisbehaviour) (*types.MsgSubmitConsumerMisbehaviourResponse, error) { | ||
ctx := sdk.UnwrapSDKContext(goCtx) | ||
if err := k.Keeper.HandleConsumerMisbehaviour(ctx, *msg.Misbehaviour); err != nil { | ||
return &types.MsgSubmitConsumerMisbehaviourResponse{}, err |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: return nil, err
to be consistent with what we do in SubmitConsumerDoubleVoting
var _ sdk.Msg = &MsgAssignConsumerKey{} | ||
var ( | ||
_ sdk.Msg = &MsgAssignConsumerKey{} | ||
_ sdk.Msg = &MsgSubmitConsumerMisbehaviour{} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
similar to Philip's comment above ... do we need MsgSubmitConsumerDoubleVoting
here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch
return fmt.Errorf("signed header in infraction block header cannot be nil") | ||
} | ||
|
||
if msg.InfractionBlockHeader.SignedHeader.Header == nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need to check InfractionBlockHeader.ValidatorSet
here as well?
x/ccv/provider/keeper/msg_server.go
Outdated
|
||
ctx.EventManager().EmitEvents(sdk.Events{ | ||
sdk.NewEvent( | ||
ccvtypes.EventTypeSubmitConsumerMisbehaviour, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need a different type for double voting events?
x/ccv/types/errors.go
Outdated
@@ -25,4 +25,5 @@ var ( | |||
ErrClientNotFound = errorsmod.Register(ModuleName, 18, "client not found") | |||
ErrDuplicateConsumerChain = errorsmod.Register(ModuleName, 19, "consumer chain already exists") | |||
ErrConsumerChainNotFound = errorsmod.Register(ModuleName, 20, "consumer chain not found") | |||
ErrInvalidEvidence = errorsmod.Register(ModuleName, 21, "invalid consumer double voting evidence") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it make sense to call this ErrInvalidDoubleVotingEvidence
?
From what I understand, we do not have an error type for misbehaviour because you use IBC error types such as ibcclienttypes.ErrInvalidMisbehaviour
already?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left comments.
Didn't go thoroughly through the E2E/integration tests of this PR itself but I looked more into the actual code. Looks good to me for merging due to its time sensitivity and we could do any updates later on (?)
…ics-misbehaviour-handling
Description
Closes: #732
Author Checklist
All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.
I have...
!
to the type prefix if state-machine breaking change (i.e., requires coordinated upgrade)CHANGELOG.md
Reviewers Checklist
All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.
I have...
!
in the type prefix if API or client breaking change