Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat!: Cryptographic verification of equivocation #1287

Merged
merged 13 commits into from
Sep 14, 2023

Conversation

mpoke
Copy link
Contributor

@mpoke mpoke commented Sep 12, 2023

Description

Closes: #732


Author Checklist

All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.

I have...

  • Included the correct type prefix in the PR title
  • Added ! to the type prefix if state-machine breaking change (i.e., requires coordinated upgrade)
  • Confirmed this PR does not introduce changes requiring state migrations, OR migration code has been added to consumer and/or provider modules
  • Targeted the correct branch (see PR Targeting)
  • Provided a link to the relevant issue or specification
  • Followed the guidelines for building SDK modules
  • Included the necessary unit and integration tests
  • Added a changelog entry to CHANGELOG.md
  • Included comments for documenting Go code
  • Updated the relevant documentation or specification
  • Reviewed "Files changed" and left comments if necessary
  • Confirmed all CI checks have passed
  • If this PR is library API breaking, bump the go.mod version string of the repo, and follow through on a new major release for both the consumer and provider

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.

I have...

  • confirmed the correct type prefix in the PR title
  • confirmed ! in the type prefix if API or client breaking change
  • confirmed this PR does not introduce changes requiring state migrations, OR confirmed migration code has been added to consumer and/or provider modules
  • confirmed all author checklist items have been addressed
  • reviewed state machine logic
  • reviewed API design and naming
  • reviewed documentation is accurate
  • reviewed tests and test coverage

sainoe and others added 9 commits August 14, 2023 23:24
* define msg to submit misbehaviour to provider

implement msg handling logic

e2e test msg handling logic

* wip: get byzantine validators in misbehavioiur handling

* add tx handler

* format HandleConsumerMisbehaviour

* add tx handler

* add debugging stuff

* Add misbehaviour handler

* create message for consumer double voting evidence

* add DRAFT double vote handler

* Add cli cmd for submit consumer double voting

* Add double-vote handler

* add last update

* fix jailing

* pass first jailing integration test

* format tests

* doc

* save

* update e2e tests'

* fix typo and improve docs

* remove unwanted tm evidence protofile

* fix typos

* update submit-consumer-misbehaviour cli description

* check that header1 and header2 have the same TrustedValidators

* feat: add e2e tests for ICS misbehaviour (#1118)

* remove unwanted changes

* fix hermes config with assigned key

* revert unwanted changes

* revert local setup

* remove log file

* typo

* update doc

* update ICS misbehaviour test

* update ICS misbehaviour test

* revert mixed commits

* add doc

* lint

* update to handle only equivocations

* improve doc

* update doc

* update E2E tests comment

* optimize signatures check

* doc

* update e2e tests

* linter

* remove todo

* Feat: avoid race condition in ICS misbehaviour handling (#1148)

* remove unwanted changes

* fix hermes config with assigned key

* revert unwanted changes

* revert local setup

* remove log file

* typo

* update doc

* update ICS misbehaviour test

* update ICS misbehaviour test

* revert mixed commits

* update ICS misbehaviour test

* update ICS misbehaviour test

* Add test for MsgSubmitConsumerMisbehaviour parsing

* fix linter

* save progress

* add CheckMisbehaviourAndUpdateState

* update integration tests

* typo

* remove e2e tests from another PRs

* cleaning'

* Update x/ccv/provider/keeper/misbehaviour.go

Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com>

* Update x/ccv/provider/keeper/misbehaviour.go

Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com>

* update integration tests

* save

* save

* nits

* remove todo

* lint

* Update x/ccv/provider/keeper/misbehaviour.go

---------

Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com>
Co-authored-by: Marius Poke <marius.poke@posteo.de>

* Update x/ccv/provider/client/cli/tx.go

Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com>

* Update x/ccv/provider/client/cli/tx.go

Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com>

* add attributes to EventTypeSubmitConsumerMisbehaviour

* Update x/ccv/provider/keeper/misbehaviour.go

Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com>

* Update x/ccv/provider/keeper/misbehaviour.go

Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com>

* apply review suggestions

* fix docstring

* Update x/ccv/provider/keeper/misbehaviour.go

Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com>

* fix link

* apply review suggestions

* update docstring

---------

Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com>
Co-authored-by: Marius Poke <marius.poke@posteo.de>
* update e2e tests

* update the chain halt assertion
)

* remove interface

* improve comment

* update godoc

* address last comments
* create new endpoint for consumer double voting

* add first draft handling logic

* first iteration of double voting

* draft first mem test

* error handling

* refactor

* add unit test of double voting verification

* remove evidence age checks

* document

* doc

* protogen

* reformat double voting handling

* logger nit

* nits

* check evidence age duration

* move verify double voting evidence to ut

* fix nit

* nits

* fix e2e tests

* improve double vote testing coverage

* remove TODO

* lint

* add UT for JailAndTombstoneValidator

* nits

* nits

* remove tombstoning and evidence age check

* lint

* typo

* improve godoc
* fix double voting cli

* fix bug double signing handler

* godoc

* nits

* revert wrong push of lasts commits
…1254)

* fix double voting cli

* fix bug double signing handler

* godoc

* nits

* lint

* nit
…bleVoting` msg (#1264)

* verify dv evidence using malicious validator pubkey in infraction block header

* nits

* nits
)

* save changes

* fix hermes config

* fist successful run

* nit

* nits

* nits

* doc and nits

* lint
* fix double voting cli

* add double-signing e2e test

* refortmat e2e double voting test

* godoc, revert unwanted changes

* nit

* verify dv evidence using malicious validator pubkey in infraction block header

* save changes

* fix hermes config

* fist successful run

* nit

* nits

* nits

* doc and nits

* lint

* refactor

* typo

* change hermes docker image

* nits

* Update tests/e2e/steps.go

Co-authored-by: Philip Offtermatt <57488781+p-offtermatt@users.noreply.github.com>

* address PR comments

* nits

---------

Co-authored-by: Philip Offtermatt <57488781+p-offtermatt@users.noreply.github.com>
@mpoke mpoke requested a review from a team as a code owner September 12, 2023 11:04
// observed on a consumer chain
// Note that the misbheaviour' headers must contain the same trusted states
message MsgSubmitConsumerMisbehaviour {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

explain it's about light client attacks

// MsgSubmitConsumerDoubleVoting defines a message that reports an equivocation
// observed on a consumer chain
message MsgSubmitConsumerDoubleVoting {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

emphasize it's about double signing attacks

@@ -133,7 +133,7 @@ func (tr TestRun) startChain(
cmd := exec.Command("docker", "exec", tr.containerConfig.instanceName, "/bin/bash",
"/testnet-scripts/start-chain.sh", chainConfig.binaryName, string(vals),
string(chainConfig.chainId), chainConfig.ipPrefix, genesisChanges,
fmt.Sprint(action.skipGentx),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

check that the sovereign tests are not broken @MSalopek


saveMnemonicCommand := fmt.Sprintf(`echo '%s' > %s`, mnemonic, "/root/.hermes/mnemonic.txt")
fmt.Println("Add to hermes", action.validator)
fmt.Println(mnemonic)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove it or log it

// which detects evidences committed to the blocks of a consumer chain.
// Each infraction detected is reported to the provider chain using
// either a SubmitConsumerDoubleVoting or a SubmitConsumerMisbehaviour message.
type detectConsumerEvidenceAction struct {
Copy link
Contributor

@sainoe sainoe Sep 13, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

rename to startConsumerEvidenceDetectorAction

) {
chainConfig := tr.chainConfigs[action.chain]
//#nosec G204 -- Bypass linter warning for spawning subprocess with cmd arguments.
bz, err := exec.Command("docker", "exec", "-d", tr.containerConfig.instanceName,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add a comment that it will keep running on the background

Copy link
Contributor

@p-offtermatt p-offtermatt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the review session, helped a lot to get context. Some more comments. I will approve because the core logic we went over looks good and we want this to be merged asap

Dockerfile Outdated
@@ -28,7 +28,7 @@ RUN go mod tidy
RUN make install

# Get Hermes build
FROM ghcr.io/informalsystems/hermes:1.4.1 AS hermes-builder
FROM otacrew/hermes-ics:latest AS hermes-builder
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe change this from latest to a specific tag

@@ -521,7 +524,7 @@ func (tr TestRun) voteGovProposal(
}

wg.Wait()
time.Sleep(time.Duration(tr.chainConfigs[action.chain].votingWaitTime) * time.Second)
time.Sleep((time.Duration(tr.chainConfigs[action.chain].votingWaitTime)) * time.Second)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: extra brackets

"time"
)

type forkConsumerChainAction struct {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you comment somewhere what we can expect when calling this?


func NewSubmitConsumerDoubleVotingCmd() *cobra.Command {
cmd := &cobra.Command{
Use: "submit-consumer-double-voting [evidence] [infraction_header]",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a long version here, like for the misbehaviour

@@ -36,6 +36,11 @@ func RegisterInterfaces(registry codectypes.InterfaceRegistry) {
&EquivocationProposal{},
)

registry.RegisterImplementations(
(*sdk.Msg)(nil),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pattern matching: Should the MsgSubmitConsumerDoubleVoting also have something like this?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch

// Note that since we're only jailing validators for double voting on a consumer chain,
// the age of the evidence is irrelevant and therefore isn't checked.

// TODO: check the age of the evidence once we slash
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove this TODO (?)
Even the current approach we intend for following on slashing won't check the age.

evidence.VoteB.Height, evidence.VoteB.Round, evidence.VoteB.Type)
}

// Address must be the same
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: s/Address/addresses

)

// HandleConsumerMisbehaviour checks if the given IBC misbehaviour corresponds to an equivocation light client attack,
// and in this case, jails and tombstones the Byzantine validators
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove "tombstones"


// Since the misbehaviour packet was received within the trusting period
// w.r.t to the trusted consensus states the infraction age
// isn't too old. see ibc-go/modules/light-clients/07-tendermint/types/misbehaviour_handle.go
Copy link
Contributor

@insumity insumity Sep 13, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: do we want to refer to a specific ibc-go version here?
At a later point in misbehaviour.go, you have a full link // see https://github.com/cosmos/ibc-go/blob/v4.2.0/modules/light-clients/07-tendermint/types/misbehaviour_handle.go#L120 instead of just the suffix. We can remove the https://github.com/ below to be consistent.


provAddrs := make([]types.ProviderConsAddress, len(byzantineValidators))

// jail and tombstone the Byzantine validators
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove "tombstone"

}

// CheckMisbehaviourAndUpdateState verifies the misbehaviour against the trusted consensus states
// but does NOT update the light client state.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From what I see here the client state might be updated in the sense of getting frozen.
Is that not the case?

Why do we care that the light client is not having its state updated?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Line cs.FrozenHeight = FrozenHeight updates the cs variable in memory which isn't persisted to the store in CheckMisbehaviourAndUpdateState.

We care because the IBC misbehaviour handler is already freezing the client.
Please check #1147.

func (k msgServer) SubmitConsumerMisbehaviour(goCtx context.Context, msg *types.MsgSubmitConsumerMisbehaviour) (*types.MsgSubmitConsumerMisbehaviourResponse, error) {
ctx := sdk.UnwrapSDKContext(goCtx)
if err := k.Keeper.HandleConsumerMisbehaviour(ctx, *msg.Misbehaviour); err != nil {
return &types.MsgSubmitConsumerMisbehaviourResponse{}, err
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: return nil, err to be consistent with what we do in SubmitConsumerDoubleVoting

var _ sdk.Msg = &MsgAssignConsumerKey{}
var (
_ sdk.Msg = &MsgAssignConsumerKey{}
_ sdk.Msg = &MsgSubmitConsumerMisbehaviour{}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

similar to Philip's comment above ... do we need MsgSubmitConsumerDoubleVoting here?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch

return fmt.Errorf("signed header in infraction block header cannot be nil")
}

if msg.InfractionBlockHeader.SignedHeader.Header == nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to check InfractionBlockHeader.ValidatorSet here as well?


ctx.EventManager().EmitEvents(sdk.Events{
sdk.NewEvent(
ccvtypes.EventTypeSubmitConsumerMisbehaviour,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need a different type for double voting events?

@@ -25,4 +25,5 @@ var (
ErrClientNotFound = errorsmod.Register(ModuleName, 18, "client not found")
ErrDuplicateConsumerChain = errorsmod.Register(ModuleName, 19, "consumer chain already exists")
ErrConsumerChainNotFound = errorsmod.Register(ModuleName, 20, "consumer chain not found")
ErrInvalidEvidence = errorsmod.Register(ModuleName, 21, "invalid consumer double voting evidence")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it make sense to call this ErrInvalidDoubleVotingEvidence?

From what I understand, we do not have an error type for misbehaviour because you use IBC error types such as ibcclienttypes.ErrInvalidMisbehaviour already?

Copy link
Contributor

@insumity insumity left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left comments.
Didn't go thoroughly through the E2E/integration tests of this PR itself but I looked more into the actual code. Looks good to me for merging due to its time sensitivity and we could do any updates later on (?)

@sainoe sainoe linked an issue Sep 14, 2023 that may be closed by this pull request
@sainoe sainoe merged commit b1a6f31 into release/v2.1.x-lsm Sep 14, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

EPIC: Cryptographic verification of equivocation
4 participants