Simulate transactions by default to set gas automatically

[alessio]

Relevant issue: #1246

• Change --gas=0 semantic in order to enable gas auto estimate.
• REST clients have been modified to simulate the execution of the tx first to then populate the context with the estimated gas amount returned by the simulation.
• The simulation returns both an unadjusted gas estimate and an adjusted one. The adjustment is required to ensure that the ensuing execution doesn't fail due to state changes that might have occurred. Gas adjustment can be controlled via the CLI's --gas-adjustment flag.

Closes: #1246

• Linked to github-issue with discussion and accepted design OR link to spec that describes this work.
• Updated all relevant documentation (docs/)
• Updated all relevant code comments
• Wrote tests
• Added entries in PENDING.md that include links to the relevant issue or PR that most accurately describes the change.
• Updated cmd/gaia and examples/

---

For Admin Use:

• Added appropriate labels to PR (ex. wip, ready-for-review, docs)
• Reviewers Assigned
• Squashed all commits, uses message "Merge pull request #XYZ: [title]" (coding standards)

[alessio]

This could be avoid by introducing a dry-run ante handler that, othen than simulating sig verification, would use an infinite gas meter as well.

[alessio]

Logged all calls to ConsumeGas, when the tx is executed ante handler is called twice - possibly due to checkTx:

alessio@bizet:~/.../github.com/cosmos/cosmos-sdk$ i && go test -v ./client/lcd/ 
go install -tags "netgo ledger" -ldflags "-X github.com/cosmos/cosmos-sdk/version.GitCommit=7a92f913" ./cmd/gaia/cmd/gaiad
go install -tags "netgo ledger" -ldflags "-X github.com/cosmos/cosmos-sdk/version.GitCommit=7a92f913" ./cmd/gaia/cmd/gaiacli
=== RUN   TestCoinSend
LADDR tcp://0.0.0.0:36885
E[08-21|05:52:03.173] Couldn't connect to any seeds                module=p2p 
REQUEST GET http://localhost:39161/accounts/cosmosaccaddr137n2k4addpc0dddju4mntuu09ucww09k8vp0n4
REQUEST GET http://localhost:39161/accounts/cosmosaccaddr1q5x4j9xk3wylpvuywvqxdzf0zduwh8dlngh5f8
REQUEST GET http://localhost:39161/accounts/cosmosaccaddr1q5x4j9xk3wylpvuywvqxdzf0zduwh8dlngh5f8
REQUEST POST http://localhost:39161/accounts/cosmosaccaddr150n2lj9cyrhmqpnq7zs0y5g2zwm7mtz7j2ks2q/send
[START EXECUTION]
[START SIMULATION]
[ConsumeGas] [memo] amount: 0 - consumed: 0
[ConsumeGas] [ReadFlat] amount: 10 - consumed: 10
[ConsumeGas] [ReadPerByte] amount: 42 - consumed: 52
[ConsumeGas] [ante verify] amount: 100 - consumed: 152
[ConsumeGas] [WriteFlat] amount: 10 - consumed: 162
[ConsumeGas] [WritePerByte] amount: 840 - consumed: 1002
[ConsumeGas] [subtractCoins] amount: 10 - consumed: 1012
[ConsumeGas] [getCoins] amount: 10 - consumed: 1022
[ConsumeGas] [ReadFlat] amount: 10 - consumed: 1032
[ConsumeGas] [ReadPerByte] amount: 84 - consumed: 1116
[ConsumeGas] [setCoins] amount: 100 - consumed: 1216
[ConsumeGas] [ReadFlat] amount: 10 - consumed: 1226
[ConsumeGas] [ReadPerByte] amount: 84 - consumed: 1310
[ConsumeGas] [WriteFlat] amount: 10 - consumed: 1320
[ConsumeGas] [WritePerByte] amount: 830 - consumed: 2150
[ConsumeGas] [addCoins] amount: 10 - consumed: 2160
[ConsumeGas] [getCoins] amount: 10 - consumed: 2170
[ConsumeGas] [ReadFlat] amount: 10 - consumed: 2180
[ConsumeGas] [ReadPerByte] amount: 0 - consumed: 2180
[ConsumeGas] [setCoins] amount: 100 - consumed: 2280
[ConsumeGas] [ReadFlat] amount: 10 - consumed: 2290
[ConsumeGas] [ReadPerByte] amount: 0 - consumed: 2290
[ConsumeGas] [ReadFlat] amount: 10 - consumed: 2300
[ConsumeGas] [ReadPerByte] amount: 2 - consumed: 2302
[ConsumeGas] [WriteFlat] amount: 10 - consumed: 2312
[ConsumeGas] [WritePerByte] amount: 20 - consumed: 2332
[ConsumeGas] [WriteFlat] amount: 10 - consumed: 2342
[ConsumeGas] [WritePerByte] amount: 400 - consumed: 2742
gas: estimated=2742
[START EXECUTION]
[ConsumeGas] [memo] amount: 0 - consumed: 0
[ConsumeGas] [ReadFlat] amount: 10 - consumed: 10
[ConsumeGas] [ReadPerByte] amount: 42 - consumed: 52
[ConsumeGas] [ante verify] amount: 100 - consumed: 152
[ConsumeGas] [WriteFlat] amount: 10 - consumed: 162
[ConsumeGas] [WritePerByte] amount: 840 - consumed: 1002
[START EXECUTION]
[ConsumeGas] [memo] amount: 0 - consumed: 0
[ConsumeGas] [ReadFlat] amount: 10 - consumed: 10
[ConsumeGas] [ReadPerByte] amount: 42 - consumed: 52
[ConsumeGas] [ante verify] amount: 100 - consumed: 152
[ConsumeGas] [WriteFlat] amount: 10 - consumed: 162
[ConsumeGas] [WritePerByte] amount: 840 - consumed: 1002
[ConsumeGas] [subtractCoins] amount: 10 - consumed: 1012
[ConsumeGas] [getCoins] amount: 10 - consumed: 1022
[ConsumeGas] [ReadFlat] amount: 10 - consumed: 1032
[ConsumeGas] [ReadPerByte] amount: 84 - consumed: 1116
[ConsumeGas] [setCoins] amount: 100 - consumed: 1216
[ConsumeGas] [ReadFlat] amount: 10 - consumed: 1226
[ConsumeGas] [ReadPerByte] amount: 84 - consumed: 1310
[ConsumeGas] [WriteFlat] amount: 10 - consumed: 1320
[ConsumeGas] [WritePerByte] amount: 830 - consumed: 2150
[ConsumeGas] [addCoins] amount: 10 - consumed: 2160
[ConsumeGas] [getCoins] amount: 10 - consumed: 2170
[ConsumeGas] [ReadFlat] amount: 10 - consumed: 2180
[ConsumeGas] [ReadPerByte] amount: 0 - consumed: 2180
[ConsumeGas] [setCoins] amount: 100 - consumed: 2280
[ConsumeGas] [ReadFlat] amount: 10 - consumed: 2290
[ConsumeGas] [ReadPerByte] amount: 0 - consumed: 2290
[ConsumeGas] [ReadFlat] amount: 10 - consumed: 2300
[ConsumeGas] [ReadPerByte] amount: 2 - consumed: 2302
[ConsumeGas] [WriteFlat] amount: 10 - consumed: 2312
[ConsumeGas] [WritePerByte] amount: 20 - consumed: 2332
[ConsumeGas] [WriteFlat] amount: 10 - consumed: 2342
[ConsumeGas] [WritePerByte] amount: 400 - consumed: 2742
REQUEST GET http://localhost:39161/accounts/cosmosaccaddr1q5x4j9xk3wylpvuywvqxdzf0zduwh8dlngh5f8
REQUEST GET http://localhost:39161/accounts/cosmosaccaddr150n2lj9cyrhmqpnq7zs0y5g2zwm7mtz7j2ks2q
E[08-21|05:52:04.286] RPC HTTP server stopped                      module=rpc-server err="accept tcp [::]:36885: use of closed network connection"
E[08-21|05:52:04.287] RPC HTTP server stopped                      err="accept tcp [::]:39161: use of closed network connection"
--- PASS: TestCoinSend (1.41s)
PASS
ok  	github.com/cosmos/cosmos-sdk/client/lcd	1.478s

[cwgoes]

Thanks; left a few comments. Can we also list the parts we're intentionally saving for a later PR (looks like skipping the signature check isn't in this yet?)

[cwgoes]

Why do we need this at all? If the user doesn't want to simulate the transaction I think we should force them to manually specify gas.

[alessio]

Makes sense, I will change it accordingly.
I was thinking to drop the --gas-auto flag in favor of having --gas value set to 0 by default, which would enable the auto gas feature.

[cwgoes]

I don't think a limit makes sense here either, can we use an InfiniteGasMeter on simulation?

[alessio]

Addressed, please review

[cwgoes]

Can this be a CLI flag (1.2 is probably a fine default value)?

[alessio]

How about --gas-adjustment?

[cwgoes]

Sounds good

[cwgoes]

Hmm I'm not sure this is the optimal way to structure this function set, now there seems to be some duplicate code in simulateTx.

[alessio]

Addressing this now, expect a commit soon

[fedekunze]

Setting the --gas flag value to 0 triggers a simulation of the tx before the actual execution

Could we change it to an independent flag (e.g --with-simulation) so that the user can get information from the --help command as well ?

Setting --gas=0 looks more like an easter egg to me... (specially if we lack the necessary documentation for the simulation)

[fedekunze]

@alessio left a review. If you still want to keep --gas=0 logic, please add docs for it in the client section of the SDK docs :)

[alessio]

Users may be led to think that they could run a simulation with a custom amount of gas by appending both `--with-simulation` and `--gas=$amount`. Thus I'd rather document the special case `--gas=0`, considering that an extra `--dry-run/--simulate` flag too will become available shortly.

…

On Thu, 23 Aug 2018, 13:18 Federico Kunze, ***@***.***> wrote: @alessio <https://github.com/alessio> left a review, if you still want to keep --gas=0 logic, please add docs for it in the client section of the SDK docs :) — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2047 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAN_7PXXGxomy9f1c07VhhxcUjPc5Xinks5uTp2RgaJpZM4V-cqW> .

[fedekunze]

@alessio Ok, makes sense to me then. Please add the instructions on the documentation and --gas flag as well. Then you can dismiss my review and I'll approve your PR

[alessio]

ACKed and incorporated. Thanks

…

On Thu, Aug 23, 2018 at 1:33 PM, Federico Kunze ***@***.***> wrote: @alessio <https://github.com/alessio> Ok, makes sense to me then. Please add the instructions on the documentation and --gas flag as well. Then you can dismiss my review and I'll approve your PR — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2047 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAN_7ADjNgB671ucnQMdQtaGhQoGS7zeks5uTqEngaJpZM4V-cqW> .

-- Alessio Treglia | [email protected] 0416 0004 A827 6E40 BB98 90FB E8A4 8AE5 311D 765A

ack

[fedekunze]

Rename to TestParseQueryResponse

[alessio]

It was automatically generated by VSCode. Happy to amend it though

…

On Thu, 23 Aug 2018, 19:08 Federico Kunze, ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In client/utils/utils_test.go <#2047 (comment)>: > @@ -0,0 +1,20 @@ +package utils + +import ( + "testing" + + "github.com/cosmos/cosmos-sdk/cmd/gaia/app" + sdk "github.com/cosmos/cosmos-sdk/types" + "github.com/stretchr/testify/assert" +) + +func Test_parseQueryResponse(t *testing.T) { Rename to TestParseQueryResponse — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2047 (review)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAN_7E_O2-U7eur0W-nrXS89KTeJKoPqks5uTu-ygaJpZM4V-cqW> .

[fedekunze]

typo here initialize

[fedekunze]

Don't we need to add the --gas-adjustement flag as well ?

[alessio]

Done

[alessio]

Screw British English, happy to amend it

…

On Thu, 23 Aug 2018, 19:10 Federico Kunze, ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In cmd/gaia/cli_test/cli_test.go <#2047 (comment)>: > @@ -277,10 +286,29 @@ func getTestingHomeDirs() (string, string) { return gaiadHome, gaiacliHome } +func initialiseFixtures(t *testing.T) (chainID, servAddr, port string) { typo here initiali*z*e — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2047 (review)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAN_7BR-xZ9TKm7KUnIUToqx2vL2x4nBks5uTvAYgaJpZM4V-cqW> .

[fedekunze]

Cool ! could we move this to another pkg and export it ?

[fedekunze]

use your writeErr function

[fedekunze]

use writeErr

[fedekunze]

same

[fedekunze]

utACK. Left a few comments but LGTM ! Thanks @alessio !

[alessio]

Refactored into `github.com/cosmos/cosmos-sdk/x/gov/client/rest/util.WriteErrorResponse`

…

On Thu, Aug 23, 2018 at 7:17 PM, Federico Kunze ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In x/slashing/client/rest/tx.go <#2047 (comment)>: > @@ -81,6 +82,15 @@ func unjailRequestHandlerFn(cdc *wire.Codec, kb keys.Keybase, cliCtx context.CLI msg := slashing.NewMsgUnjail(validatorAddr) + if m.Gas == 0 { + txCtx, err = utils.EnrichTxContextWithGas(txCtx, cliCtx, m.LocalAccountName, m.Password, []sdk.Msg{msg}) + if err != nil { + w.WriteHeader(http.StatusUnauthorized) use writeErr — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2047 (review)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAN_7O6AUTpHWI4Y8x0WSltZtYaiFMrQks5uTvGkgaJpZM4V-cqW> .

-- Alessio Treglia | [email protected] 0416 0004 A827 6E40 BB98 90FB E8A4 8AE5 311D 765A

[ValarDragon]

Lets move the write header stuff / error stuff into a seperate PR. Its easier to review code if the refactors are seperated from actual code changes. Also some of the cases with gas = 0 checks seem unclear to me.

[ValarDragon]

Lets add some comment here about what the intended result of this is under each mode.

I agree with the code change, however this code is hard to grok, especially now that we've removed the reference to check/simulate.

[alessio]

Incorporated, thanks

[ValarDragon]

Why is this called applyTxMode if it only does stuff for simulate? It seems confusing imo to generalize this when there is only one case. We're also not really applying the tx mode imo, its just initializing the context.

Perhaps rename this to initializeTxMode?

[alessio]

How about initializeContext()?

[ValarDragon]

Perhaps indicate that this is a multiplicative factor being multiplied against the estimate (vs additive).

[alessio]

ACK'd

[ValarDragon]

Lets test success with sufficient, manually specified gas as well?

[alessio]

ACKd

[ValarDragon]

We can eliminate some of the code duplication here by just making the line "gas":"%v" a fmt string arg, and just set that at the top, and pass that in. (so if gas > 0, that argument would be set to "gas":"\n", otherwise it would be set to "".

[alessio]

ACKd

[ValarDragon]

Should we write up into an issue to make this configurable per tx type in a config somewhere? The reason for considering it would be that a bank send tx probably is going to be most common tx, and also shouldn't have an increased cost due to other state changes, so it shouldn't have the same adjustment as staking txs.

[alessio]

Makes sense. Please fork it into a new issue 👍

[cwgoes]

Yeah, this is definitely something to consider because the user pays for the allocated gas, not the consumed gas.

[ValarDragon]

#2140

[ValarDragon]

Why is this here? Using an infinite gas meter here seems odd to me.

[alessio]

When running in simulation mode, we want no gas capping whatsoever - CC'ing @cwgoes

[cwgoes]

We don't need to cap gas in a simulation, we just need to measure it - is there a reason you think we would need to cap it @ValarDragon?

[ValarDragon]

I don't like switching on gas equals 0. This feels like it could cause more bugs / increase the attack surface. I think we should find another way of communicating that were in simulation mode.

[alexanderbez]

Could it not be set in the context somewhere upstream?

[alessio]

What if we use a default gas limit (some sort of sane default, e.g. 200000 - which is the current default value) and switch back to use a capped GasMeter?

[alessio]

Re:

simulations shouldn't be verifying signatures

That too is tricky. Simulations go through the query interface, which requires messages to be signed.

[ValarDragon]

That still doesn't really alleviate my concern. (That does limit the situation though)

I do think switching on 0 gas is less safe, as we now have to make sure that a tx on the network with 0 gas is stopped before getting to this line. Its prefferrable to just have a separate method to flag simulations, and have the normal gas logic prevent a 0 gas tx imo.

[alessio]

Do you reckon the following could mitigate the risk?

diff --git a/client/utils/utils.go b/client/utils/utils.go
index fb5d6198..49258b86 100644
--- a/client/utils/utils.go
+++ b/client/utils/utils.go
@@ -1,6 +1,7 @@
 package utils
 
 import (
+       "errors"
        "fmt"
        "os"
 
@@ -108,6 +109,10 @@ func CalculateGas(queryFunc func(string, common.HexBytes) ([]byte, error), cdc *
        if err != nil {
                return
        }
+       if estimate <= 0 {
+               err = errors.New("simulation returned gas=0")
+               return
+       }
        adjusted = adjustGasEstimate(estimate, adjustment)
        fmt.Fprintf(os.Stderr, "gas: [estimated = %v] [adjusted = %v]\n", estimate, adjusted)
        return

[ValarDragon]

I think I'm not conveying my concern well. This doesn't really alleviate it.

Right now the current code is saying "If tx.fee.Gas = 0, I get infinite gas". I think this is a bad design for it, even if we add checks in other places. As now were opening more holes, where are a complex series of conditionals could lead to this gas=0, get infinite gas, or a change may happen later that forgets that this could be the case. Instead we should signal directly that we want simulation mode, so this is no longer a fear. (As a tx itself cannot signal simulation mode, so theres no safety risk there)

I agree that this isn't a simple change, but I think its necessary for this to go through. I also think requiring that simulation not take in the private key / a signature is necessary, even if it requires another AnteHandler constructor. You don't want to increase the amount of things a private key has to sign / increase the amount of exposure a private key has if you don't have to.

[ValarDragon]

Why can't 0 be used for the fee here?

[alessio]

0 gas triggers the simulation

[ValarDragon]

Lets move this refactor into a seperate PR.

[alessio]

requested by @fedekunze - I'd keep it if you don't mind as IMHO it does more good than bad

[alessio]

yet I'll refrain in future to tackle technical debt while working on a specific issue 👍

[ValarDragon]

EnrichTxContextWithGas feels like an odd name for whats happening here. I think it should be renamed to use the word Calculate. Also this should be refactored to not depend on the password imo. (We should not increase the surface area that gets password access) We can charge gas purely on signature type. (As simulation shouldn't spend the signature verification time anyway)

[alessio]

How about the following?

// BuildAndSignTxWithZeroGas builds transactions with GasWanted set to 0.
func BuildAndSignTxWithZeroGas(txCtx authctx.TxContext, name, passphrase string, msgs []sdk.Msg) ([]byte, error) {
	return txCtx.WithGas(0).BuildAndSign(name, passphrase, msgs)
}

// EnrichTxContextWithGas simulates the execution of a transaction to
// then populate the relevant TxContext.Gas field with the estimate
// obtained by the query.
func EnrichTxContextWithGas(txCtx authctx.TxContext, cliCtx context.CLIContext, txBytes []byte) (authctx.TxContext, error) {
	// run a simulation (via /app/simulate query) to
	// estimate gas and update TxContext accordingly
	rawRes, err := cliCtx.Query("/app/simulate", txBytes)
	if err != nil {
		return txCtx, err
	}
	estimate, err := parseQueryResponse(cliCtx.Codec, rawRes)
	if err != nil {
		return txCtx, err
	}
	adjusted := adjustGasEstimate(estimate, cliCtx.GasAdjustment)
	fmt.Fprintf(os.Stderr, "gas: [estimated = %v] [adjusted = %v]\n", estimate, adjusted)
	return txCtx.WithGas(adjusted), nil
}

[ValarDragon]

I disagree with needing a signature here. We don't want simulations to depend on the private key. (Extra computation time, inconvenience, etc. Especially if your signing from a ledger)

[cwgoes]

A few questions/comments.

[cwgoes]

(nit) Writing this with an if mode == runTxModeSimulate is a bit more obvious (that we're doing something special for simulation).

[alessio]

Incorporated, thanks.

[cwgoes]

(nit) Writing this with if mode == runTxModeDelvier is a bit more obvious (that we're doing something special for delivertx)

[alessio]

Incorporated, thanks

[cwgoes]

I thought this was 1.2 (below)?

[cwgoes]

Might be slightly clearer to put this conditional outside of the function, and only call the function if cliCtx.Gas == 0

[alessio]

As long as linter doesn't complain yes, that was my intent

[cwgoes]

Yeah, this is definitely something to consider because the user pays for the allocated gas, not the consumed gas.

[cwgoes]

Can we deduplicate this function (put it in a common file)?

[alessio]

Dedup'd, though left it there for now if that is OK for you

[cwgoes]

Can we deduplicate this function?

[alessio]

Refactored, it now uses utils.EnrichCtxWithGas()

[cwgoes]

Can we deduplicate this function?

[alessio]

ditto

[cwgoes]

Can we deduplicate this function? This really shouldn't need to be in the module-specific REST files anyways I think.

[alessio]

ditto

[alexanderbez]

Huh -- looks like test_cover failed due to an already binded address. I thought this was fixed?

[cwgoes]

utACK, thanks @alessio!

Try merging develop, might fix CI.

[ValarDragon]

Just realized one of my comments was hidden, so I'll repost down here:

I disagree with needing a signature / passphrase in the simulation. We don't want simulations to depend on the private key. (Extra computation time for signing / verifying, inconvenience, etc. Especially if your signing from a ledger)

[cwgoes]

I disagree with needing a signature / passphrase in the simulation. We don't want simulations to depend on the private key. (Extra computation time for signing / verifying, inconvenience, etc. Especially if your signing from a ledger)

I think we're agreed on this, but it was a point for a future PR (@alessio ?)

[alessio]

Correct

…

On Fri, Aug 24, 2018 at 5:41 PM, Christopher Goes ***@***.***> wrote: I disagree with needing a signature / passphrase in the simulation. We don't want simulations to depend on the private key. (Extra computation time for signing / verifying, inconvenience, etc. Especially if your signing from a ledger) I think we're agreed on this, but it was a point for a future PR ***@***.*** <https://github.com/alessio> ?) — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2047 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAN_7GTr_jAGzPEfrigomgx_esNtk9W4ks5uUCzJgaJpZM4V-cqW> .

-- Alessio Treglia | [email protected] 0416 0004 A827 6E40 BB98 90FB E8A4 8AE5 311D 765A

[ValarDragon]

I think that is something that should absolutely be prelaunch. I'm opposed to having us have private keys create signatures they don't have to. (There are many classes of sidechannel attacks, and they all only get more feasible the more signature / msg pairs you have)

I'm fine with merging this without that then, though I really would prefer that being done here. I do think the Gas=0 concern should be addressed before merge.

[ValarDragon]

If we're going to merge this without removing the privkey dependency in simulation, lets make the default not to simulate, and only switch the default once we fix this. I really dislike the idea of having every client signing an extra message, just because thats unnecessary side channel leakage for something that could have tons of money behind it. (I fear we may forget to fix this prelaunch / decide to punt to postlaunch for quicker launch)

[alessio]

It's easy to skip sig verification or replace gas=0 with something else. It's far from easy to estimate gas consumption, with a certain degree of accuracy, needed to verify the signature when you don't have a public key/signature attached to the transaction - unless we change the tx struct radically. Simulation will not return reliable gas estimate. In the end, quite a big share of ante handler's job is to handle accounts validation and sigs verification.

[ValarDragon]

I'm suggesting just have the public key. The AnteHandler determines verification gas cost from just the pubkey. https://github.com/cosmos/cosmos-sdk/blob/develop/x/auth/ante.go#L202

The pubkey is derived from the account in the message. Account validation is independent of knowledge of private key as well.

I think having an alternate Simulation AnteHandler would be preferrable though than conditionals on simulation mode, but conditions on simulation mode are safe as long as simulation mode can never be set from information inside of the tx.

[alessio]

gaia's GenesisAccounts don't have public keys, and many test cases use genesis accounts to perform ops: // GenesisAccount doesn't need pubkey or sequence type GenesisAccount struct { Address sdk.AccAddress `json:"address"` Coins sdk.Coins `json:"coins"` } I'm on it though.

…

On Sat, Aug 25, 2018 at 7:00 PM, Dev Ojha ***@***.***> wrote: I'm suggesting just have the public key. The AnteHandler determines verification gas cost from just the pubkey. https://github.com/cosmos/ cosmos-sdk/blob/develop/x/auth/ante.go#L202 The pubkey is derived from the account in the message iirc. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2047 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAN_7L79tdMB5NShuWAzChEMXKL-Jrivks5uUZCwgaJpZM4V-cqW> .

-- Alessio Treglia | [email protected] 0416 0004 A827 6E40 BB98 90FB E8A4 8AE5 311D 765A

[alessio]

I'm suggesting just have the public key. The AnteHandler determines verification gas cost from just the pubkey. https://github.com/cosmos/cosmos-sdk/blob/develop/x/auth/ante.go#L202

I am aware of that. Yet no signature, no public key is attached to the tx.

[ValarDragon]

In those cases the pubkey is supplied in the tx. I agree with inclusion of pubkey when necessary, I'm only opposed to calculation of a signature on a message you don't want broadcasted, and privkey dependency.

[ValarDragon]

This can be saved for later pr, I just don't think simulation should be default until this is done though.

[alessio]

In those cases the pubkey is supplied in the tx.
No signature, no pubkey really.

I agree with inclusion of pubkey when necessary, I'm only opposed to calculation of a signature on a message you don't want broadcasted, and privkey dependency.

Don't get me wrong, I believe you've got quite a point, yet txs need to be enriched with more information re: keys the msgs will be signed with to go through a simulation which could lead to potentially helpful gas estimates. And REST endpoints too are in scope here, therefore passing information via CLIContext is not a viable option.

[ValarDragon]

In those cases the pubkey is supplied in the tx.

No signature, no pubkey really.

This cannot be the case. Unlike Ethereum, we don't do pubkey recovery, so in order to ever have the pubkey, it must have been explicitly provided.

Don't get me wrong, I believe you've got quite a point, yet txs need to be enriched with more information re: keys the msgs will be signed with to go through a simulation which could lead to potentially helpful gas estimates. And REST endpoints too are in scope here, therefore passing information via CLIContext is not a viable option.

I don't really understand what your suggesting here. The simulation fundamentally requires no dependency on the private key, or the signature. The gas cost relating to the signature is determined from the pubkey type. (Signatures are just []byte now, they no longer have types)

I agree CLIContext doesn't make sense here. As @alexanderbez suggested here, we should be able to use the normal context to carry information about "are we in simulation mode". (Note this refers to sdk.Context, not the CLIContext. The number of contexts is confusing)

For purposes of this PR, I think making simulation non-default suffices.

[ValarDragon]

LGTM

I'll write up making simulation independent of the private key in another issue.

I think refactoring the API to put simulation mode in context would be more ideal. We can definitely handle that in a separate issue / postlaunch though.

[alexanderbez]

Good dialogue here folks! Yes, indeed, I was referring to the application's context 👍

[cwgoes]

Thanks @alessio - if we could get that future PR with no-sign simulation in before 0.25, that would be 💯.

[ValarDragon]

I don't understand the push for this to be prelaunch, let alone next release. (Note this contradicts what I said earlier, but upon further thought I think it can be postlaunch) Its a nice to have (and a really cool thing at that), but something we can roll out in a non-breaking manner. The more features we keep trying to add prelaunch that aren't necessary, the longer it will take to launch.

[cwgoes]

I think it will be very hard for users to estimate gas otherwise, and since we charge for gas allocated, not gas used, estimating gas is pretty essential.

If there's another way to address that concern, open to it!