Slash and prove membership of prior sessions

[rphmeier]

Fixes #1810

Background

We want Substrate chains to have a property known as "accountable safety": that misbehavior leads to a slash of bonded funds. The srml-staking library keeps those funds bonded for a certain number of eras.

Storing all historical validator sets and session keys for the bonding period would be expensive. So instead we only keep a trie root which can be used to prove historical ownership of keys. These trie roots are pruned after some time.

When we slash a validator, we want to also slash their nominators. Furthermore, we want to slash only the nominators at the time of misbehavior. And only for the amount that they were nominated on the misbehaving validator at that time.

Implementation

The staking module decides how many prior sessions we keep, but prior sessions themselves are managed by a session::historical module. Pruning is O(n) in the number of sessions to prune.

What the session::historical trie roots reference is a mapping of (KeyTypeId, Vec<u8>) -> FullIdentification. It is populated with all the of session keys of that session and the FullIdentification of the owning validator.

The FullIdentification in practice is a staking::Exposure object that tells us who to slash when this key has misbehaved. This lets us slash the correct group of people for the right amounts.

I moved session key deduplication to use raw storage APIs so we could make sure all trie keys were prefixed with a constant. This means that they no longer interfere with the growth of the rest of the trie.

There is a generic trait KeyOwnerProofSystem for key ownership proofs. Consensus modules should use something along these lines (pseudocode):

trait Trait {
    // if your key type implements `AsRef<[u8]>` _and_ the `AsRef` value is the same as the encoded
    // then use that instead of `Vec<u8>`.
    type KeyOwnerSystem: KeyOwnerProofSystem<(KeyTypeId, Vec<u8>)>;
}

impl<T: Trait> Module<Trait> {
    // called off-chain.
    fn generate_misbehavior_report_call() -> MyMisbehaviorReportCall {
        // invoke `KeyOwnerSystem::prove((key_type_id, key_data))` and put the proof in the call.
    }

    // called on-chain.
    fn check_misbehavior(call: MyMisbehaviorReportCall) {
         let session_key = call.misbehaving_key;
         let proof = call.membership_proof;

         let to_punish = match KeyOwnerSystem::check_proof((key_type_id, session_key), proof) {
             None => return,
             Some(x) => x,
         };

         // check that the key really did misbehave.

         // if so, invoke something like `slashing::slash(to_punish, misbehavior_id)`.
    }
}

[bkchr]

Ohh :D
At least format it better:

	fn get_raw(&self, _: KeyTypeId) -> &[u8] { 
		unsafe {
			std::slice::from_raw_parts(&self.0 as *const _ as *const u8, std::mem::size_of::<u64>())
		}
	}

[bkchr]

Suggested change

	pub use hash_db::{HashDB as HashDBT};
	pub use hash_db::HashDB as HashDBT;

[bkchr]

let (new_validators, old_exposures) = <I as OnSessionEnding<_, _>>::on_session_ending(ending, applied_at);

// every session from `ending+1 .. applied_at` now has obsolete `FullIdentification`
// now that a new validator election has occurred.
// we cache these in the trie until those sessions themselves end.
for obsolete in (ending + 1) .. applied_at {
 <CachedObsolete<T>>::insert(obsolete, &old_exposures);
}
			
Some(new_validators)

Is maybe a little bit better at reading?

[rphmeier]

let (new_validators, old_exposures) = <I as OnSessionEnding<_, _>>::on_session_ending(ending, applied_at)

I assume you wanted a ? there?

[bkchr]

Ohh, yes.

[dvc94ch]

LGTM

[cheme]

I put a few safety check remarks (I do not know everything well).
Regarding trie stuff, the mechanism seems pretty heavy, but I do not see a reason with this implementation that will make a future switch to child_trie impossible, it really depend on the size of this trie (if it is a few entry the system here seems fine).

In srml/session/src/lib.rs , I wonder if the DEDUP_KEY prefixed storage couldn't simply be a traditional mapping srml storage (the code seems pretty close to what the macro produce).

[cheme]

Can it lead to issue in scenario where we got a combination of wasm execution and native exectution in a test case (for native envt not in le (wasm is le, i am not sure anymore))?
Or is get_raw only use locally to one of those execution?

[rphmeier]

well, not any more so than the old code

[cheme]

wonder if non cloned iter is possible here and could be more flexible? (totally not sure just wondering).

[rphmeier]

we could do an iter::Once chain but I don't see why it matters. it should be fast regardless

[cheme]

yes it is just the key type id, please forget about that

[niklasad1]

Could be replaced by std::iter::Copied

[cheme]

Does the &owner == who condition means that we allow exchanging key (probably a very corner case)?

[rphmeier]

what it means is that we're allowed to set key A without changing key B.

[cheme]

I understand this code as update ownership only if key change.

[rphmeier]

right, needs to be moved up a bit

[cheme]

Do we need to hash the key (are validatorId unique or keytypeid unique)?

[rphmeier]

well, we don't strictly-speaking have to hash the key. but it may make it harder to bias the tree

[cheme]

yes really depends on the nature of the keys.

[cheme]

this is pretty heavy redundancy over old_exposures but I have no idea if the case where there is multiple index is frequent. If frequent, maybe an intermeediate maping 'session->range' and 'range->cacheobsolet' can be good.

[rphmeier]

see other comment -- in practice here it shouldn't be an issue because (ending + 1) .. applied_at will have only 1 item in the current runtime. The range thing is a bit harder to GC.

[cheme]

If I understand correctly, cachedobsolete needs to have the session to prove something, it contains key value needed to rebuild the trie with generate trie for either building a proof (may use current validators also) or verifying a proof.
So for other comments I expect a cached obsolete to be rather big in content.

[rphmeier]

it should really only ever hold one or zero items, since we buffer at most 1 validator set in the current implementation. it only ever needs to hold something when we've done a validator election

[rphmeier]

I do not see a reason with this implementation that will make a future switch to child_trie impossible, it really depend on the size of this trie (if it is a few entry the system here seems fine).

we need trie proofs for child trie, basically. other than that we could migrate it over.

[cheme]

Do https://github.com/paritytech/substrate/pull/2209/files#r300701049 reply to this need (before that the proof was using parent + child query, after this pr the proof will be parent proof and child proof in two time)?

[rphmeier]

I don't think it helps really. We'd need a method to generate merkle proofs of a child storage within the runtime.

[cheme]

Oh yes this is not creating the proof from within the runtime, would need some ext function, certainly more work than it seems indeed. Does not seems doable if we need to generate for current block (uncommited block).

[rphmeier]

Does not seems doable if we need to generate for current block (uncommited block).

well, it would have to force a root computation. and we would then kill the child trie right after. but TBH the MemoryDB approach isn't that bad and will scale a little.

[andresilva]

changes lgtm, but I'm not very familiar with these modules.

[andresilva]

Suggested change

	return // out of bounds. harmless.
	return; // out of bounds. harmless.

[rphmeier]

it's fine to omit, no?

[andresilva]

yeah nitpick, I just like to have statements terminate with ;

[gavofyork]

compile error should go once #2819 is merged.