Skip to content

Commit

Permalink
feat!: backport cryptographic equivocation to SDKv45 (#1360)
Browse files Browse the repository at this point in the history
* feat!: add ICS misbehaviour handling (#826)

* define msg to submit misbehaviour to provider

implement msg handling logic

e2e test msg handling logic

* wip: get byzantine validators in misbehavioiur handling

* add tx handler

* format HandleConsumerMisbehaviour

* add tx handler

* add debugging stuff

* Add misbehaviour handler

* create message for consumer double voting evidence

* add DRAFT double vote handler

* Add cli cmd for submit consumer double voting

* Add double-vote handler

* add last update

* fix jailing

* pass first jailing integration test

* format tests

* doc

* save

* update e2e tests'

* fix typo and improve docs

* remove unwanted tm evidence protofile

* fix typos

* update submit-consumer-misbehaviour cli description

* check that header1 and header2 have the same TrustedValidators

* feat: add e2e tests for ICS misbehaviour (#1118)

* remove unwanted changes

* fix hermes config with assigned key

* revert unwanted changes

* revert local setup

* remove log file

* typo

* update doc

* update ICS misbehaviour test

* update ICS misbehaviour test

* revert mixed commits

* add doc

* lint

* update to handle only equivocations

* improve doc

* update doc

* update E2E tests comment

* optimize signatures check

* doc

* update e2e tests

* linter

* remove todo

* Feat: avoid race condition in ICS misbehaviour handling (#1148)

* remove unwanted changes

* fix hermes config with assigned key

* revert unwanted changes

* revert local setup

* remove log file

* typo

* update doc

* update ICS misbehaviour test

* update ICS misbehaviour test

* revert mixed commits

* update ICS misbehaviour test

* update ICS misbehaviour test

* Add test for MsgSubmitConsumerMisbehaviour parsing

* fix linter

* save progress

* add CheckMisbehaviourAndUpdateState

* update integration tests

* typo

* remove e2e tests from another PRs

* cleaning'

* Update x/ccv/provider/keeper/misbehaviour.go

Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com>

* Update x/ccv/provider/keeper/misbehaviour.go

Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com>

* update integration tests

* save

* save

* nits

* remove todo

* lint

* Update x/ccv/provider/keeper/misbehaviour.go

---------

Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com>
Co-authored-by: Marius Poke <marius.poke@posteo.de>

* Update x/ccv/provider/client/cli/tx.go

Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com>

* Update x/ccv/provider/client/cli/tx.go

Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com>

* add attributes to EventTypeSubmitConsumerMisbehaviour

* Update x/ccv/provider/keeper/misbehaviour.go

Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com>

* Update x/ccv/provider/keeper/misbehaviour.go

Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com>

* apply review suggestions

* fix docstring

* Update x/ccv/provider/keeper/misbehaviour.go

Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com>

* fix link

* apply review suggestions

* update docstring

---------

Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com>
Co-authored-by: Marius Poke <marius.poke@posteo.de>

* feat: improve ICS misbehaviour E2E testing coverage (#1225)

* update e2e tests

* update the chain halt assertion

* refactor: address comments of ICS Misbehaviour PRs #826 and #1148  (#1223)

* remove interface

* improve comment

* update godoc

* address last comments

* feat: add handler for consumer double voting (#1232)

* create new endpoint for consumer double voting

* add first draft handling logic

* first iteration of double voting

* draft first mem test

* error handling

* refactor

* add unit test of double voting verification

* remove evidence age checks

* document

* doc

* protogen

* reformat double voting handling

* logger nit

* nits

* check evidence age duration

* move verify double voting evidence to ut

* fix nit

* nits

* fix e2e tests

* improve double vote testing coverage

* remove TODO

* lint

* add UT for JailAndTombstoneValidator

* nits

* nits

* remove tombstoning and evidence age check

* lint

* typo

* improve godoc

* fix: tiny bug in `NewSubmitConsumerDoubleVotingCmd` (#1247)

* fix double voting cli

* fix bug double signing handler

* godoc

* nits

* revert wrong push of lasts commits

* fix: make `HandleConsumerDoubleVoting` works with provider pubkeys (#1254)

* fix double voting cli

* fix bug double signing handler

* godoc

* nits

* lint

* nit

* fix: verify equivocation using validator pubkey in `SubmitConsumerDoubleVoting` msg (#1264)

* verify dv evidence using malicious validator pubkey in infraction block header

* nits

* nits

* refactor: update the E2E tests to work with Hermes relayer v1.6.0 (#1278)

* save changes

* fix hermes config

* fist successful run

* nit

* nits

* nits

* doc and nits

* lint

* test: add E2E tests for double voting evidence handling (#1256)

* fix double voting cli

* add double-signing e2e test

* refortmat e2e double voting test

* godoc, revert unwanted changes

* nit

* verify dv evidence using malicious validator pubkey in infraction block header

* save changes

* fix hermes config

* fist successful run

* nit

* nits

* nits

* doc and nits

* lint

* refactor

* typo

* change hermes docker image

* nits

* Update tests/e2e/steps.go

Co-authored-by: Philip Offtermatt <57488781+p-offtermatt@users.noreply.github.com>

* address PR comments

* nits

---------

Co-authored-by: Philip Offtermatt <57488781+p-offtermatt@users.noreply.github.com>

* feat!: provider proposal for changing reward denoms (backport #1280) (#1291)

* feat!: provider proposal for changing reward denoms (#1280)

* new provider prop type

* add methods and tests for new prop, update docs

* remove old tx, fix tests

* e2e handling

* fix command type

* boilerplate

* fix e2e tests

* Update CHANGELOG.md

* lint

* validate denoms

* Update proposal.go

* rm msg string

* fix tests

* rm chain in change denom action

* lint

* test for invalid denom

* events for both add and remove

* Update proposal_test.go

(cherry picked from commit 48a2186)

# Conflicts:
#	CHANGELOG.md
#	app/provider/app.go
#	proto/interchain_security/ccv/provider/v1/provider.proto
#	proto/interchain_security/ccv/provider/v1/tx.proto
#	tests/e2e/actions.go
#	tests/integration/distribution.go
#	x/ccv/provider/client/cli/tx.go
#	x/ccv/provider/client/proposal_handler.go
#	x/ccv/provider/keeper/distribution.go
#	x/ccv/provider/keeper/distribution_test.go
#	x/ccv/provider/proposal_handler_test.go
#	x/ccv/provider/types/codec.go
#	x/ccv/provider/types/proposal.go
#	x/ccv/provider/types/provider.pb.go
#	x/ccv/provider/types/tx.pb.go

* fix conflicts

* fix rest handler

* Update CHANGELOG.md

* rm uneeded tx proto

---------

Co-authored-by: Shawn <44221603+smarshall-spitzbart@users.noreply.github.com>

* save

* fix nits

* update changelog and fix nits

* feat: implement slashing functionality on the provider chain (ADR-013) (#1275)

Implementing the slashing functionality, as described in ADDR, on the provider chain.

* remove equivocation proposal

* bring back evidencekeeper

* go.sum added

* rebase and fix lint issues

* fix mocks

* clean up protos & delete unecessary file

* fix E2E test

* fix Dockerfile

* more fixes

* increase wait attempt

* increase wait attempt

* wait 1 block in gov proposal

* fix numbers

* fix double voting security hole

* fix error logging

* fix nit

* fix first comments

* add hermes comment

* update changelog

* changes misbehavour logging

* update double vote and mem test

* change misb error flow

* add debug call

* add redelegations testings

* fix nit in mem test

* add comment

---------

Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com>
Co-authored-by: Marius Poke <marius.poke@posteo.de>
Co-authored-by: Philip Offtermatt <57488781+p-offtermatt@users.noreply.github.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Co-authored-by: Shawn <44221603+smarshall-spitzbart@users.noreply.github.com>
Co-authored-by: insumity <insumity@users.noreply.github.com>
Co-authored-by: Karolos Antoniadis <karolos@informal.systems>
  • Loading branch information
8 people authored Oct 17, 2023
1 parent 60c31aa commit 208eb68
Show file tree
Hide file tree
Showing 56 changed files with 4,739 additions and 1,308 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,9 @@

Add an entry to the unreleased section whenever merging a PR to main that is not targeted at a specific release. These entries will eventually be included in a release.

### Cryptographic verification of equivocation
* New feature enabling the provider chain to verify equivocation evidence on its own instead of trusting consumer chains, see [EPIC](https://github.com/cosmos/interchain-security/issues/732).

## v2.1.0-provider-lsm

* (feature!) [#1280](https://github.com/cosmos/interchain-security/pull/1280) provider proposal for changing reward denoms
Expand Down
2 changes: 1 addition & 1 deletion Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ RUN go mod tidy
RUN make install

# Get Hermes build
FROM ghcr.io/informalsystems/hermes:1.4.1 AS hermes-builder
FROM otacrew/hermes-ics:evidence-cmd AS hermes-builder

# Get CometMock
FROM informalofftermatt/cometmock:latest as cometmock-builder
Expand Down
4 changes: 0 additions & 4 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -164,7 +164,6 @@ SDK_QUERY = third_party/proto/cosmos/base/query/v1beta1
SDK_BASE = third_party/proto/cosmos/base/v1beta1
SDK_UPGRADE = third_party/proto/cosmos/upgrade/v1beta1
SDK_STAKING = third_party/proto/cosmos/staking/v1beta1
SDK_EVIDENCE = third_party/proto/cosmos/evidence/v1beta1

GOGO_PROTO_TYPES = third_party/proto/gogoproto
CONFIO_TYPES = third_party/proto/confio
Expand All @@ -186,9 +185,6 @@ proto-update-deps:
@mkdir -p $(SDK_STAKING)
@curl -sSL $(SDK_PROTO_URL)/staking/v1beta1/staking.proto > $(SDK_STAKING)/staking.proto

@mkdir -p $(SDK_EVIDENCE)
@curl -sSL $(SDK_PROTO_URL)/evidence/v1beta1/evidence.proto > $(SDK_EVIDENCE)/evidence.proto

## Importing of tendermint protobuf definitions currently requires the
## use of `sed` in order to build properly with cosmos-sdk's proto file layout
## (which is the standard Buf.build FILE_LAYOUT)
Expand Down
23 changes: 12 additions & 11 deletions app/provider/app.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,8 @@ import (
"os"
"path/filepath"

evidencekeeper "github.com/cosmos/cosmos-sdk/x/evidence/keeper"

appparams "github.com/cosmos/interchain-security/v2/app/params"

"github.com/cosmos/cosmos-sdk/baseapp"
Expand Down Expand Up @@ -48,7 +50,6 @@ import (
distrkeeper "github.com/cosmos/cosmos-sdk/x/distribution/keeper"
distrtypes "github.com/cosmos/cosmos-sdk/x/distribution/types"
"github.com/cosmos/cosmos-sdk/x/evidence"
evidencekeeper "github.com/cosmos/cosmos-sdk/x/evidence/keeper"
evidencetypes "github.com/cosmos/cosmos-sdk/x/evidence/types"
"github.com/cosmos/cosmos-sdk/x/genutil"
genutiltypes "github.com/cosmos/cosmos-sdk/x/genutil/types"
Expand Down Expand Up @@ -139,7 +140,6 @@ var (
ibcclientclient.UpgradeProposalHandler,
ibcproviderclient.ConsumerAdditionProposalHandler,
ibcproviderclient.ConsumerRemovalProposalHandler,
ibcproviderclient.EquivocationProposalHandler,
ibcproviderclient.ChangeRewardDenomsProposalHandler,
),
params.AppModuleBasic{},
Expand Down Expand Up @@ -390,14 +390,6 @@ func New(
scopedIBCKeeper,
)

// create evidence keeper with router
app.EvidenceKeeper = *evidencekeeper.NewKeeper(
appCodec,
keys[evidencetypes.StoreKey],
app.StakingKeeper,
app.SlashingKeeper,
)

app.ProviderKeeper = ibcproviderkeeper.NewKeeper(
appCodec,
keys[providertypes.StoreKey],
Expand All @@ -410,7 +402,6 @@ func New(
app.StakingKeeper,
app.SlashingKeeper,
app.AccountKeeper,
app.EvidenceKeeper,
app.DistrKeeper,
app.BankKeeper,
authtypes.FeeCollectorName,
Expand Down Expand Up @@ -459,6 +450,16 @@ func New(
ibcRouter.AddRoute(providertypes.ModuleName, providerModule)
app.IBCKeeper.SetRouter(ibcRouter)

// create evidence keeper with router
evidenceKeeper := evidencekeeper.NewKeeper(
appCodec,
keys[evidencetypes.StoreKey],
app.StakingKeeper,
app.SlashingKeeper,
)

app.EvidenceKeeper = *evidenceKeeper

skipGenesisInvariants := cast.ToBool(appOpts.Get(crisis.FlagSkipGenesisInvariants))

// NOTE: Any module instantiated in the module manager that is later modified
Expand Down
105 changes: 105 additions & 0 deletions docs/docs/adrs/adr-005-cryptographic-equivocation-verification.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,105 @@
---
sidebar_position: 4
title: Cryptographic verification of equivocation evidence
---
# ADR 005: Cryptographic verification of equivocation evidence

## Changelog
* 5/1/2023: First draft
* 7/23/23: Add light client attacks handling

## Status

Accepted

## Context

Currently, we use a governance proposal to slash validators for equivocation (double signing and light client attacks).
Every proposal needs to go through a (two weeks) voting period before it can be approved.
Given a three-week unbonding period, this means that an equivocation proposal needs to be submitted within one week since the infraction occurred.

This ADR proposes a system to slash validators automatically for equivocation, immediately upon the provider chain's receipt of the evidence. Another thing to note is that we intend to introduce this system in stages, since even the partial ability to slash and/or tombstone is a strict improvement in security.
For the first stage of this work, we will only handle light client attacks.

### Light Client Attack

In a nutshell, the light client is a process that solely verifies a specific state machine's
consensus without executing the transactions. The light clients get new headers by querying
multiple nodes, called primary and witness nodes.

Light clients download new headers committed on chain from a primary. Headers can be verified in two ways: sequentially,
where the block height of headers is serial, or using skipping. This second verification method allows light clients to download headers
with nonconsecutive block height, where some intermediate headers are skipped (see [Tendermint Light Client, Figure 1 and Figure 3](https://arxiv.org/pdf/2010.07031.pdf)).
Additionally, light clients are cross-checking new headers obtained from a primary with witnesses to ensure all nodes share the same state.

A light client attack occurs when a Byzantine validator sends invalid headers to a light client.
As the light client doesn't execute transactions, it can be deceived into trusting corrupted application state transitions.
For instance, if a light client receives header `A` from the primary and header `B` from a witness for the same block height `H`,
and both headers are successfully verified, it indicates a light client attack.
Note that in this case, either the primary or the witness or both are malicious.

The types of light client attacks are defined by analyzing the differences between the conflicting headers.
There are three types of light client attacks: lunatic attack, equivocation attack, and amnesia attack.
For details, see the [CometBFT specification](https://github.com/cometbft/cometbft/blob/main/spec/light-client/attacks/notes-on-evidence-handling.md#evidence-handling).

When a light client agent detects two conflicting headers, it will initially verify their traces (see [cometBFT detector](https://github.com/cometbft/cometbft/blob/2af25aea6cfe6ac4ddac40ceddfb8c8eee17d0e6/light/detector.go#L28)) using its primary and witness nodes.
If these headers pass successful verification, the Byzantine validators will be identified based on the header's commit signatures
and the type of light client attack. The agent will then transmit this information to its nodes using a [`LightClientAttackEvidence`](https://github.com/cometbft/cometbft/blob/feed0ddf564e113a840c4678505601256b93a8bc/docs/architecture/adr-047-handling-evidence-from-light-client.md) to be eventually voted on and added to a block.
Note that from a light client agent perspective, it is not possible to establish whether a primary or a witness node, or both, are malicious.
Therefore, it will create and send two `LightClientAttackEvidence`: one against the primary (sent to the witness), and one against the witness (sent to the primary).
Both nodes will then verify it before broadcasting it and adding it to the [evidence pool](https://github.com/cometbft/cometbft/blob/2af25aea6cfe6ac4ddac40ceddfb8c8eee17d0e6/evidence/pool.go#L28).
If a `LightClientAttackEvidence` is finally committed to a block, the chain's evidence module will execute it, resulting in the jailing and the slashing of the validators responsible for the light client attack.


Light clients are a core component of IBC. In the event of a light client attack, IBC relayers notify the affected chains by submitting an [IBC misbehavior message](https://github.com/cosmos/ibc-go/blob/2b7c969066fbcb18f90c7f5bd256439ca12535c7/proto/ibc/lightclients/tendermint/v1/tendermint.proto#L79).
A misbehavior message includes the conflicting headers that constitute a `LightClientAttackEvidence`. Upon receiving such a message,
a chain will first verify whether these headers would have convinced its light client. This verification is achieved by checking
the header states against the light client consensus states (see [IBC misbehaviour handler](https://github.com/cosmos/ibc-go/blob/2b7c969066fbcb18f90c7f5bd256439ca12535c7/modules/light-clients/07-tendermint/types/misbehaviour_handle.go#L101)). If the misbehaviour is successfully verified, the chain will then "freeze" the
light client, halting any further trust in or updating of its states.


## Decision

In the first iteration of the feature, we will introduce a new endpoint: `HandleConsumerMisbehaviour(ctx sdk.Context, misbehaviour ibctmtypes.Misbehaviour)`.
The main idea is to leverage the current IBC misbehaviour handling and update it to solely jail and slash the validators that
performed a light client attack. This update will be made under the assumption that the chain connected via this light client
share the same validator set, as it is the case with Replicated Security.

This endpoint will reuse the IBC client libraries to verify that the misbehaviour headers would have fooled the light client.
Additionally, it’s crucial that the endpoint logic result in the slashing and jailing of validators under the same conditions
as a light client agent detector. Therefore, the endpoint will ensure that the two conditions are met:
the headers in the misbehaviour message have the same block height, and
the light client isn’t expired.

After having successfully verified a misbehaviour, the endpoint will execute the jailing and slashing of the malicious validators similarly as in the evidence module.

### Current limitations:

- This only handles light client attacks, not double signing. In the future, we will add the code to also verify double signing.

- We cannot derive an infraction height from the evidence, so it is only possible to tombstone validators, not actually slash them.
To explain the technical reasons behind this limitation, let's recap the initial consumer initiated slashing logic.
In a nutshell, consumer heights are mapped to provider heights through VSCPackets, namely through the so called vscIDs.
When an infraction occurs on the consumer, a SlashPacket containing the vscID obtained from mapping the consumer infraction height
is sent to the provider. Upon receiving the packet, the provider maps the consumer infraction height to a local infraction height,
which is used to slash the misbehaving validator. In the context of untrusted consumer chains, all their states, including vscIDs,
could be corrupted and therefore cannot be used for slashing purposes.

- Currently, the endpoint can only handle "equivocation" light client attacks. This is because the "lunatic" attacks require the endpoint to possess the ability to dissociate which header is conflicted or trusted upon receiving a misbehavior message. Without this information, it's not possible to define the Byzantine validators from the conflicting headers (see [comment](https://github.com/cosmos/interchain-security/pull/826#discussion_r1268668684)).


## Consequences

### Positive

- After this ADR is applied, it will be possible for the provider chain to tombstone validators who committed a light client attack.

### Negative

- N/A


## References

* [ICS misbehaviour handling PR](https://github.com/cosmos/interchain-security/pull/826)
* [Architectural diagrams](https://docs.google.com/document/d/1fe1uSJl1ZIYWXoME3Yf4Aodvz7V597Ric875JH-rigM/edit#heading=h.rv4t8i6d6jfn)
Loading

0 comments on commit 208eb68

Please sign in to comment.