Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ADR 004: IBC Whitelisting #696

Closed
wants to merge 6 commits into from
Closed

ADR 004: IBC Whitelisting #696

wants to merge 6 commits into from

Conversation

rahulghangas
Copy link
Contributor

ADR version of #235

  • poc implementation once we have finalized on approach

evan-forbes
evan-forbes reviewed Sep 12, 2022
View reviewed changes
Copy link
Member

@evan-forbes evan-forbes left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great and concise info!

While I think increasing the amount of gas used by that tx is undesirable, as blocks with those txs would be arbitrarily small, is there a way to require the gas price to be really high for createClient transactions?

edit: that might not be a good solution either, as the fees would have to be burned or something, otherwise validators could still include a createClient transaction for free as the fee would go to themselves.

docs/architecture/ADR-004-IBC-whitelist.md Outdated

## Proposal

Fork IBC, and create a store of whitelisted public keys. Only `createClient` txns that are signed by private keys corresponding to whitelisted/stored public keys are deemed valid, and the rest are invalidated. Specific keys will only be required for client creation, and rest of IBC will work as is.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

while a list of keys would probably be simplest, I'm guessing that it's also possible to rely strictly on governance?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this is possible. Creation of clients can be strictly restricted to governance

Copy link
Contributor Author

@rahulghangas rahulghangas Sep 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note: this still requires us having to fork IBC (iiuc)

docs/architecture/ADR-004-IBC-whitelist.md Outdated

## Alternative approaches

1. Simplest solution is fork to IBC, and add a small change to disallow creation/registration of new clients. Then we can create clients for the chains that we want to allow at genesis, and effectively create a whitelist. However, adding new clients or removing clients is not feasible under this.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agree that relying on hardforks for any changes isn't desirable imo. Not being able to move tokens for a few weeks if something weird happens seems like a non-starter.

rootulp
rootulp reviewed Sep 13, 2022
View reviewed changes
docs/architecture/ADR-004-IBC-whitelist.md Outdated Show resolved Hide resolved
docs/architecture/ADR-004-IBC-whitelist.md Outdated Show resolved Hide resolved
docs/architecture/ADR-004-IBC-whitelist.md Outdated Show resolved Hide resolved
rahulghangas and others added 3 commits September 15, 2022 14:23
@rahulghangas @rootulp
chore: remove markdown lint
70b7f6e 
Co-authored-by: Rootul P <rootulp@gmail.com>
@rahulghangas @rootulp
chore: typo
ffabfbd 
Co-authored-by: Rootul P <rootulp@gmail.com>
@rahulghangas @rootulp
chore: typo
b407e4b 
Co-authored-by: Rootul P <rootulp@gmail.com>
@evan-forbes evan-forbes mentioned this pull request Sep 19, 2022
Closed
rootulp
rootulp reviewed Sep 23, 2022
View reviewed changes
docs/architecture/ADR-004-IBC-whitelist.md Outdated
@@ -0,0 +1,27 @@
# ADR 004: IBC Whitelist/Allowlist
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[optional] one term is sufficient to describe this. Slight preference for Allowlist because rails/rails#33677

Suggested change
# ADR 004: IBC Whitelist/Allowlist
# ADR 004: IBC Allowlist

Note: accepting this suggestion implies updating the filename too. Preferably: adr-004-ibc-allowlist.md to conform to #772

@evan-forbes evan-forbes mentioned this pull request Sep 27, 2022
Merged
liamsi
liamsi reviewed Oct 25, 2022
View reviewed changes
docs/architecture/ADR-004-IBC-allowlist.md

1. Simplest solution is fork to IBC, and add a small change to disallow creation/registration of new clients. Then we can create clients for the chains that we want to allow at genesis, and effectively create a whitelist. However, adding new clients or removing clients is not feasible under this.

2. Add a middleware to revert packets from non-whitelisted chains. This still adds state bloat since clients and corresponding connections are allowed to be established, but adds economic incentive in terms of lost gas from the malicious user/actor
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another approach that @zmanian mentioned a while ago, is to allow only transfers with Celestia tokens as denomination.

liamsi
liamsi reviewed Oct 25, 2022
View reviewed changes
docs/architecture/ADR-004-IBC-allowlist.md

## Context

While enabling IBC, we want to connect, and allow messages from selected chains. However, we don't want the ability for an arbitrary entity to create an IBC connection with a zone. This is so that we can keep the state machine as minimal and focused as possible.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we first need to fully understand the overhead in the state machine of IBC and its pricing.

@evan-forbes evan-forbes mentioned this pull request Dec 14, 2022
Closed
5 tasks
@rootulp rootulp mentioned this pull request Dec 21, 2022
Merged
@cmwaters
Copy link
Contributor

Given that we opted to only allow Celestia tokens (ref: #1219), do we want to repurpose this ADR towards that or should we simply close this?

@evan-forbes
Copy link
Member

do we want to repurpose this ADR towards that or should we simply close this?

good question, I don't have a strong opinion. I don't think its of the highest priority either way.

The most important thing ofc is that we will have to document the IBC decision somewhere where users/UI implementers/relayers will see it, and it certainly wouldn't hurt to quickly document it internally like in an ADR. The error/event thrown by the token filter is also very nice, so even those who don't read the docs will likely see something.

@cmwaters
Copy link
Contributor

Ok I think we can close this and I will open a small ADR documenting the decision

@cmwaters cmwaters closed this Jan 19, 2023
@rootulp
Copy link
Collaborator

rootulp commented Nov 15, 2023
edited
Loading

@cmwaters can you link the ADR on why we have a token filter? I couldn't find it

Update: nvm, I did find #1125 (comment) which may be the next closest thing

@rootulp rootulp mentioned this pull request Nov 15, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@evan-forbes evan-forbes evan-forbes left review comments

@liamsi liamsi liamsi left review comments

@rootulp rootulp rootulp left review comments

Assignees

@rahulghangas rahulghangas

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@rahulghangas @cmwaters @evan-forbes @rootulp @liamsi