Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Problem with processing evidences too late #21

Closed
angbrav opened this issue Aug 19, 2022 · 5 comments
Closed

Problem with processing evidences too late #21

angbrav opened this issue Aug 19, 2022 · 5 comments

Comments

@angbrav
Copy link
Collaborator

angbrav commented Aug 19, 2022

There might be an issue that allows users to withdraw tokens without being slashed even when the misbehaving validator is caught on time. Here is an execution:

  • Assume that user has a1 tokens delegated to val
  • Assume that user undelegates a1 tokens from val at e. This creates an unbond u1 record s.t. u1.start < e && u1.end = e+unbonding_length. Note that the validator's total_deltas includes the a1 tokens from user until e+unbonding_length
  • Assume now that some evidence is found for an action val did at epoch e+1.
  • The evidence is scheduled to be processed by the end of e+unbonding_length+1
  • Assume that user withdraws by e+unbonding_length.
  • By that epoch, evidence has not been processed, therefore user withdraw a1 tokens (without slashing)

I think we need to consider ongoing unbonds to decide when to process evidences. Also, this will impact the solution for #7
@angbrav angbrav changed the title Problem with processing slashes too late Problem with processing evidences too late Aug 19, 2022
@angbrav
Copy link
Collaborator Author

angbrav commented Aug 22, 2022
edited
Loading

The issue manifests even if the slash is processed at the end of the found epoch.

  • Assume that user has a1 tokens delegated to val
  • Assume that user undelegates a1 tokens from val at e. This creates an unbond u1 record s.t. u1.start < e && u1.end = e+unbonding_length. Note that the validator's total_deltas includes the a1 tokens from user until e+unbonding_length
  • Assume now that some evidence is found for an action val did at epoch e+2.
  • The evidence is found at epoch e+unbonding_length+1.
  • Assume that user withdraws by e+unbonding_length.
  • By that epoch, evidence has not been processed, therefore user withdraw a1 tokens (without slashing)

Is this expected?

@tzemanovic
Copy link
Collaborator

ah, I think this is the same issue as what we also uncovered in anoma/namada#366 :)

@angbrav
Copy link
Collaborator Author

angbrav commented Aug 24, 2022

Yes, that was my impression as well.

@angbrav angbrav mentioned this issue Sep 1, 2022
Merged
@angbrav
Copy link
Collaborator Author

angbrav commented Sep 1, 2022

To fix this issue, we have agreed to make the following changes:

  • total_deltas is updated at cur_epoch+pipeline_length. It cannot be done earlier due to integration constraints. This also applies to total_unbonds, voting_power, total_voting_power and validator_sets.
  • the unbond record created ends at cur_epoch+pipline_length+unbonding_length

@angbrav
Copy link
Collaborator Author

angbrav commented Sep 6, 2022
edited
Loading

Updated execution with the above changes. Assume that a piece of evidence is processed at the end of the epoch in which it is found.

  • Assume that user has a1 tokens delegated to val
  • Assume that user undelegates a1 tokens from val at e. This creates an unbond u1 record s.t. u1.start < e && u1.end = e+pipeline_length+unbonding_length. Note that the validator's total_deltas includes the a1 tokens from user until e+pipeline_length
  • Assume now that some evidence is found for an action val did at epoch e+pipeline_lenght-1. This is the last epoch in which user's tokens count for val's total_deltas.
  • The evidence is found at epoch e+pipeline_lenght-1+unbonding_length (the latest possible). The evidence will be processed by the end of this epoch, so that at the end ofe+pipeline_lenght-1+unbonding_length
  • Assume that user withdraws by e+pipeline_length+unbonding_length.
  • By that epoch, evidence has been processed, therefore user is slashed.

Assume now that a piece of evidence is processed by the evidence epoch + unbonding_length. This is how it works currently.

  • Assume that user has a1 tokens delegated to val
  • Assume that user undelegates a1 tokens from val at e. This creates an unbond u1 record s.t. u1.start < e && u1.end = e+pipeline_length+unbonding_length. Note that the validator's total_deltas includes the a1 tokens from user until e+pipeline_length
  • Assume now that some evidence is found for an action val did at epoch e+pipeline_lenght-1. This is the last epoch in which user's tokens count for val's total_deltas.
  • The evidence is found at epoch e+pipeline_lenght-1+unbonding_length (the latest possible). The evidence will be processed by the end of e+pipeline_lenght-1+unbonding_length
  • Assume that user withdraws by e+pipeline_length+unbonding_length.
  • By that epoch, evidence has been processed, therefore user is slashed.

These executions seem to imply that the fix solves the issue and that slashing is guaranteed if the evidence is found within the unbonding_lenght period, as required.

@angbrav angbrav closed this as completed Nov 10, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tzemanovic @angbrav