Detect light client attacks and report them to both the chain and the…

… RPC node (informalsystems#3224) * Prepare for generating light client attacks * Remove redundant message * Improve script * Use tendermint-rs with new misbehavior detector * Small refactor in client worker * Cleanup and notes in ForeignClient * Some more cleanup * Call to the new attack detector * Build evidence to report to the chain * Fix client updates * It's working, I think * Move create_fork.sh to scripts folder * Use tendermint-rs branch * Use new light client detector crate * Remove explicit dependency on `tendermint-light-client-verifier` * Update to latest detector * Add integration test for misbehavior detection * Fix clippy warnings * Print Hermes logs * Update to latest detector * Update to latest detector * Remove unused `headers_compatible` * Remove unused import * Get current time from chain's sync status * Compute proper supporting headers * Infallible height conversions * Refactor to include trusted and target headers in supporting headers but omit them from minimal set * Always omit target header from supporting set * Use trusted height and not height of last supporting header * Use target header of new round of verification to get trusted height and validators * Update tendermint-rs to v0.31.1 * Update `ibc-proto` to v0.30.0 * Compilation fixes after detector update * Use witness trace computed by the detector instead of verifying again (informalsystems#3277) * Fix merge issues * Update to latest detector * Ensure trusted validator set matches the fetched one * Update to latest detector * Update to tendermint-rs v0.32.0 and `ibc-proto` v0.31.0-alpha.2 * Add changelog entry --------- Signed-off-by: Romain Ruetschi <romain@informal.systems> Co-authored-by: Anca Zamfir <zamfiranca@gmail.com>
pratikbin · May 24, 2023 · 64c5793 · 64c5793
1 parent c8cca91
commit 64c5793
Show file tree

Hide file tree

Showing 41 changed files with 1,927 additions and 862 deletions.
diff --git a/.changelog/unreleased/features/ibc-relayer/3224-light-attacks-detector.md b/.changelog/unreleased/features/ibc-relayer/3224-light-attacks-detector.md
@@ -0,0 +1,7 @@
+- When enabled for misbehaviour (ie. when `mode.misbehaviour.enabled = true`),
+  Hermes will now monitors on-chain client updates and verify the submitted
+  headers comparing with headers it retrieves from its RPC node.
+  If it detects conflicting headers, it will now submit a `MisbehaviourMsg`
+  to the chain hosting the IBC client.
+  In addition, Hermes will also submit the evidence to the reference chain.
+  ([\#3224](https://github.com/informalsystems/hermes/issues/3224))
diff --git a/.github/workflows/misbehaviour.yml b/.github/workflows/misbehaviour.yml
@@ -0,0 +1,96 @@
+name: Misbehaviour
+on:
+  pull_request:
+    paths:
+      - .github/workflows/misbehaviour.yaml
+      - Cargo.toml
+      - Cargo.lock
+      - flake.nix
+      - flake.lock
+      - ci/**
+      - scripts/**
+      - crates/**
+  push:
+    branches: master
+    paths:
+      - .github/workflows/misbehaviour.yaml
+      - Cargo.toml
+      - Cargo.lock
+      - flake.nix
+      - flake.lock
+      - ci/**
+      - scripts/**
+      - crates/**
+
+env:
+  CARGO_INCREMENTAL: 0
+  CARGO_PROFILE_DEV_DEBUG: 1
+  CARGO_PROFILE_RELEASE_DEBUG: 1
+  RUST_BACKTRACE: short
+  CARGO_NET_RETRY: 10
+  RUSTUP_MAX_RETRIES: 10
+
+# Cancel previous runs of this workflow when a new commit is added to the PR, branch or tag
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  misbehaviour:
+    runs-on: ubuntu-20.04
+    timeout-minutes: 20
+    strategy:
+      fail-fast: false
+      matrix:
+        chain:
+          - package: gaia8
+            command: gaiad
+            account_prefix: cosmos
+          - package: gaia9
+            command: gaiad
+            account_prefix: cosmos
+    steps:
+      - uses: actions/checkout@v2
+      - name: Install Nix
+        uses: cachix/install-nix-action@v20
+        with:
+          extra_nix_config: |
+            experimental-features = nix-command flakes
+      - name: Use cachix cache
+        uses: cachix/cachix-action@v12
+        with:
+          name: cosmos
+      - name: Install sconfig
+        uses: jaxxstorm/action-install-gh-release@v1.10.0
+        with:
+          repo: freshautomations/sconfig
+          platform: linux
+          arch: amd64
+          extension-matching: disable
+          rename-to: sconfig
+          chmod: 0755
+      - name: Install stoml
+        uses: jaxxstorm/action-install-gh-release@v1.10.0
+        with:
+          repo: freshautomations/stoml
+          platform: linux
+          arch: amd64
+          extension-matching: disable
+          rename-to: stoml
+          chmod: 0755
+      - name: Install Rust
+        uses: actions-rs/toolchain@v1
+        with:
+          toolchain: stable
+          override: true
+      - name: Use Rust cache
+        uses: Swatinem/rust-cache@v1
+      - name: Build Hermes
+        uses: actions-rs/cargo@v1
+        with:
+          command: build
+      - name: Run test
+        working-directory: ci/misbehaviour
+        run: |
+          nix shell .#${{ matrix.chain.package }} -c bash misbehaviour_test.sh
+