feat!: Cryptographic verification of equivocation #1287
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* define msg to submit misbehaviour to provider implement msg handling logic e2e test msg handling logic * wip: get byzantine validators in misbehavioiur handling * add tx handler * format HandleConsumerMisbehaviour * add tx handler * add debugging stuff * Add misbehaviour handler * create message for consumer double voting evidence * add DRAFT double vote handler * Add cli cmd for submit consumer double voting * Add double-vote handler * add last update * fix jailing * pass first jailing integration test * format tests * doc * save * update e2e tests' * fix typo and improve docs * remove unwanted tm evidence protofile * fix typos * update submit-consumer-misbehaviour cli description * check that header1 and header2 have the same TrustedValidators * feat: add e2e tests for ICS misbehaviour (#1118) * remove unwanted changes * fix hermes config with assigned key * revert unwanted changes * revert local setup * remove log file * typo * update doc * update ICS misbehaviour test * update ICS misbehaviour test * revert mixed commits * add doc * lint * update to handle only equivocations * improve doc * update doc * update E2E tests comment * optimize signatures check * doc * update e2e tests * linter * remove todo * Feat: avoid race condition in ICS misbehaviour handling (#1148) * remove unwanted changes * fix hermes config with assigned key * revert unwanted changes * revert local setup * remove log file * typo * update doc * update ICS misbehaviour test * update ICS misbehaviour test * revert mixed commits * update ICS misbehaviour test * update ICS misbehaviour test * Add test for MsgSubmitConsumerMisbehaviour parsing * fix linter * save progress * add CheckMisbehaviourAndUpdateState * update integration tests * typo * remove e2e tests from another PRs * cleaning' * Update x/ccv/provider/keeper/misbehaviour.go Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> * Update x/ccv/provider/keeper/misbehaviour.go Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> * update integration tests * save * save * nits * remove todo * lint * Update x/ccv/provider/keeper/misbehaviour.go --------- Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> Co-authored-by: Marius Poke <marius.poke@posteo.de> * Update x/ccv/provider/client/cli/tx.go Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> * Update x/ccv/provider/client/cli/tx.go Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> * add attributes to EventTypeSubmitConsumerMisbehaviour * Update x/ccv/provider/keeper/misbehaviour.go Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> * Update x/ccv/provider/keeper/misbehaviour.go Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> * apply review suggestions * fix docstring * Update x/ccv/provider/keeper/misbehaviour.go Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> * fix link * apply review suggestions * update docstring --------- Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> Co-authored-by: Marius Poke <marius.poke@posteo.de>
* update e2e tests * update the chain halt assertion
* create new endpoint for consumer double voting * add first draft handling logic * first iteration of double voting * draft first mem test * error handling * refactor * add unit test of double voting verification * remove evidence age checks * document * doc * protogen * reformat double voting handling * logger nit * nits * check evidence age duration * move verify double voting evidence to ut * fix nit * nits * fix e2e tests * improve double vote testing coverage * remove TODO * lint * add UT for JailAndTombstoneValidator * nits * nits * remove tombstoning and evidence age check * lint * typo * improve godoc
* fix double voting cli * fix bug double signing handler * godoc * nits * revert wrong push of lasts commits
…1254) * fix double voting cli * fix bug double signing handler * godoc * nits * lint * nit
…bleVoting` msg (#1264) * verify dv evidence using malicious validator pubkey in infraction block header * nits * nits
* fix double voting cli * add double-signing e2e test * refortmat e2e double voting test * godoc, revert unwanted changes * nit * verify dv evidence using malicious validator pubkey in infraction block header * save changes * fix hermes config * fist successful run * nit * nits * nits * doc and nits * lint * refactor * typo * change hermes docker image * nits * Update tests/e2e/steps.go Co-authored-by: Philip Offtermatt <57488781+p-offtermatt@users.noreply.github.com> * address PR comments * nits --------- Co-authored-by: Philip Offtermatt <57488781+p-offtermatt@users.noreply.github.com>
sainoe
reviewed
Sep 13, 2023
| // observed on a consumer chain | ||
| // Note that the misbheaviour' headers must contain the same trusted states | ||
| message MsgSubmitConsumerMisbehaviour { |
There was a problem hiding this comment.
explain it's about light client attacks
sainoe
reviewed
Sep 13, 2023
| // MsgSubmitConsumerDoubleVoting defines a message that reports an equivocation | ||
| // observed on a consumer chain | ||
| message MsgSubmitConsumerDoubleVoting { |
There was a problem hiding this comment.
emphasize it's about double signing attacks
sainoe
reviewed
Sep 13, 2023
| @@ -133,7 +133,7 @@ func (tr TestRun) startChain( | |||
| cmd := exec.Command("docker", "exec", tr.containerConfig.instanceName, "/bin/bash", | |||
| "/testnet-scripts/start-chain.sh", chainConfig.binaryName, string(vals), | |||
| string(chainConfig.chainId), chainConfig.ipPrefix, genesisChanges, | |||
| fmt.Sprint(action.skipGentx), | |||
There was a problem hiding this comment.
check that the sovereign tests are not broken @MSalopek
sainoe
reviewed
Sep 13, 2023
tests/e2e/actions.go
Outdated
|
|
||
| saveMnemonicCommand := fmt.Sprintf(`echo '%s' > %s`, mnemonic, "/root/.hermes/mnemonic.txt") | ||
| fmt.Println("Add to hermes", action.validator) | ||
| fmt.Println(mnemonic) |
sainoe
reviewed
Sep 13, 2023
tests/e2e/actions.go
Outdated
| // which detects evidences committed to the blocks of a consumer chain. | ||
| // Each infraction detected is reported to the provider chain using | ||
| // either a SubmitConsumerDoubleVoting or a SubmitConsumerMisbehaviour message. | ||
| type detectConsumerEvidenceAction struct { |
There was a problem hiding this comment.
rename to startConsumerEvidenceDetectorAction
sainoe
reviewed
Sep 13, 2023
| ) { | ||
| chainConfig := tr.chainConfigs[action.chain] | ||
| //#nosec G204 -- Bypass linter warning for spawning subprocess with cmd arguments. | ||
| bz, err := exec.Command("docker", "exec", "-d", tr.containerConfig.instanceName, |
There was a problem hiding this comment.
add a comment that it will keep running on the background
p-offtermatt
approved these changes
Sep 13, 2023
Dockerfile
Outdated
| @@ -28,7 +28,7 @@ RUN go mod tidy | |||
| RUN make install | |||
|
|
|||
| # Get Hermes build | |||
| FROM ghcr.io/informalsystems/hermes:1.4.1 AS hermes-builder | |||
| FROM otacrew/hermes-ics:latest AS hermes-builder | |||
There was a problem hiding this comment.
maybe change this from latest to a specific tag
tests/e2e/actions.go
Outdated
| @@ -521,7 +524,7 @@ func (tr TestRun) voteGovProposal( | |||
| } | |||
|
|
|||
| wg.Wait() | |||
| time.Sleep(time.Duration(tr.chainConfigs[action.chain].votingWaitTime) * time.Second) | |||
| time.Sleep((time.Duration(tr.chainConfigs[action.chain].votingWaitTime)) * time.Second) | |||
| "time" | ||
| ) | ||
|
|
||
| type forkConsumerChainAction struct { |
There was a problem hiding this comment.
Could you comment somewhere what we can expect when calling this?
|
|
||
| func NewSubmitConsumerDoubleVotingCmd() *cobra.Command { | ||
| cmd := &cobra.Command{ | ||
| Use: "submit-consumer-double-voting [evidence] [infraction_header]", |
There was a problem hiding this comment.
Please add a long version here, like for the misbehaviour
| @@ -36,6 +36,11 @@ func RegisterInterfaces(registry codectypes.InterfaceRegistry) { | |||
| &EquivocationProposal{}, | |||
| ) | |||
|
|
|||
| registry.RegisterImplementations( | |||
| (*sdk.Msg)(nil), | |||
There was a problem hiding this comment.
Pattern matching: Should the MsgSubmitConsumerDoubleVoting also have something like this?
insumity
reviewed
Sep 13, 2023
x/ccv/provider/keeper/double_vote.go
Outdated
| // Note that since we're only jailing validators for double voting on a consumer chain, | ||
| // the age of the evidence is irrelevant and therefore isn't checked. | ||
|
|
||
| // TODO: check the age of the evidence once we slash |
There was a problem hiding this comment.
Remove this TODO (?)
Even the current approach we intend for following on slashing won't check the age.
insumity
reviewed
Sep 13, 2023
x/ccv/provider/keeper/double_vote.go
Outdated
| evidence.VoteB.Height, evidence.VoteB.Round, evidence.VoteB.Type) | ||
| } | ||
|
|
||
| // Address must be the same |
insumity
reviewed
Sep 13, 2023
| ) | ||
|
|
||
| // HandleConsumerMisbehaviour checks if the given IBC misbehaviour corresponds to an equivocation light client attack, | ||
| // and in this case, jails and tombstones the Byzantine validators |
insumity
reviewed
Sep 13, 2023
|
|
||
| // Since the misbehaviour packet was received within the trusting period | ||
| // w.r.t to the trusted consensus states the infraction age | ||
| // isn't too old. see ibc-go/modules/light-clients/07-tendermint/types/misbehaviour_handle.go |
There was a problem hiding this comment.
nit: do we want to refer to a specific ibc-go version here?
At a later point in misbehaviour.go, you have a full link // see https://github.com/cosmos/ibc-go/blob/v4.2.0/modules/light-clients/07-tendermint/types/misbehaviour_handle.go#L120 instead of just the suffix. We can remove the https://github.com/ below to be consistent.
insumity
reviewed
Sep 13, 2023
|
|
||
| provAddrs := make([]types.ProviderConsAddress, len(byzantineValidators)) | ||
|
|
||
| // jail and tombstone the Byzantine validators |
insumity
reviewed
Sep 13, 2023
| } | ||
|
|
||
| // CheckMisbehaviourAndUpdateState verifies the misbehaviour against the trusted consensus states | ||
| // but does NOT update the light client state. |
There was a problem hiding this comment.
From what I see here the client state might be updated in the sense of getting frozen.
Is that not the case?
Why do we care that the light client is not having its state updated?
insumity
reviewed
Sep 13, 2023
x/ccv/provider/keeper/msg_server.go
Outdated
| func (k msgServer) SubmitConsumerMisbehaviour(goCtx context.Context, msg *types.MsgSubmitConsumerMisbehaviour) (*types.MsgSubmitConsumerMisbehaviourResponse, error) { | ||
| ctx := sdk.UnwrapSDKContext(goCtx) | ||
| if err := k.Keeper.HandleConsumerMisbehaviour(ctx, *msg.Misbehaviour); err != nil { | ||
| return &types.MsgSubmitConsumerMisbehaviourResponse{}, err |
There was a problem hiding this comment.
nit: return nil, err to be consistent with what we do in SubmitConsumerDoubleVoting
insumity
reviewed
Sep 13, 2023
| var _ sdk.Msg = &MsgAssignConsumerKey{} | ||
| var ( | ||
| _ sdk.Msg = &MsgAssignConsumerKey{} | ||
| _ sdk.Msg = &MsgSubmitConsumerMisbehaviour{} |
There was a problem hiding this comment.
similar to Philip's comment above ... do we need MsgSubmitConsumerDoubleVoting here?
insumity
reviewed
Sep 13, 2023
| return fmt.Errorf("signed header in infraction block header cannot be nil") | ||
| } | ||
|
|
||
| if msg.InfractionBlockHeader.SignedHeader.Header == nil { |
There was a problem hiding this comment.
Do we need to check InfractionBlockHeader.ValidatorSet here as well?
insumity
reviewed
Sep 13, 2023
x/ccv/provider/keeper/msg_server.go
Outdated
|
|
||
| ctx.EventManager().EmitEvents(sdk.Events{ | ||
| sdk.NewEvent( | ||
| ccvtypes.EventTypeSubmitConsumerMisbehaviour, |
There was a problem hiding this comment.
Do we need a different type for double voting events?
insumity
reviewed
Sep 13, 2023
x/ccv/types/errors.go
Outdated
| @@ -25,4 +25,5 @@ var ( | |||
| ErrClientNotFound = errorsmod.Register(ModuleName, 18, "client not found") | |||
| ErrDuplicateConsumerChain = errorsmod.Register(ModuleName, 19, "consumer chain already exists") | |||
| ErrConsumerChainNotFound = errorsmod.Register(ModuleName, 20, "consumer chain not found") | |||
| ErrInvalidEvidence = errorsmod.Register(ModuleName, 21, "invalid consumer double voting evidence") | |||
There was a problem hiding this comment.
Would it make sense to call this ErrInvalidDoubleVotingEvidence?
From what I understand, we do not have an error type for misbehaviour because you use IBC error types such as ibcclienttypes.ErrInvalidMisbehaviour already?
insumity
approved these changes
Sep 13, 2023
…ics-misbehaviour-handling
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Closes: #732
Author Checklist
All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.
I have...
!to the type prefix if state-machine breaking change (i.e., requires coordinated upgrade)CHANGELOG.mdReviewers Checklist
All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.
I have...
!in the type prefix if API or client breaking change