Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

R4R: Multimsg ante handler Jae's proposal #3787

Closed
wants to merge 10 commits into from

Conversation

sunnya97
Copy link
Member

@sunnya97 sunnya97 commented Mar 2, 2019

closes: #3802


  • Targeted PR against correct branch (see CONTRIBUTING.md)

  • Linked to github-issue with discussion and accepted design OR link to spec that describes this work.

  • Wrote tests

  • Updated relevant documentation (docs/)

  • Added entries in PENDING.md with issue #

  • rereviewed Files changed in the github PR explorer


For Admin Use:

  • Added appropriate labels to PR (ex. wip, ready-for-review, docs)
  • Reviewers Assigned
  • Squashed all commits, uses message "Merge pull request #XYZ: [title]" (coding standards)

cmd/gaia/app/app.go Outdated Show resolved Hide resolved
cmd/gaia/app/app.go Outdated Show resolved Hide resolved
cmd/gaia/app/app.go Outdated Show resolved Hide resolved
@jaekwon jaekwon mentioned this pull request Mar 2, 2019
5 tasks
@codecov
Copy link

codecov bot commented Mar 3, 2019

Codecov Report

Merging #3787 into develop will decrease coverage by 0.09%.
The diff coverage is 18.75%.

@@            Coverage Diff            @@
##           develop   #3787     +/-   ##
=========================================
- Coverage       61%   60.9%   -0.1%     
=========================================
  Files          191     191             
  Lines        14174   14187     +13     
=========================================
- Hits          8647    8641      -6     
- Misses        4973    4993     +20     
+ Partials       554     553      -1

@zmanian
Copy link
Member

zmanian commented Mar 3, 2019

The motivating requirements here are

  1. We want to disincentives transfers during the initial network stand up because of validators set and software instability risks.

  2. It is desirable that users be able to create new accounts that are not in genesis such as multisigs for validator operators.

The goal here is a minimal change that will be undone during a breaking upgrade to enable transfering a small number of atoms to create new validator operator accounts.

@jackzampolin jackzampolin mentioned this pull request Mar 3, 2019
4 tasks
@jackzampolin jackzampolin added this to the v0.33.0 (Launch) milestone Mar 3, 2019
@jaekwon jaekwon changed the title WIP: Multimsg ante handler Jae's proposal R4R: Multimsg ante handler Jae's proposal Mar 4, 2019
Copy link
Contributor

@cwgoes cwgoes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I missed most of the motivating discussion here - I guess the idea is to allow un-economical transfers to make it possible to create new validators / accounts, like Zaki said? Given that, this approach seems OK to me.

A few comments on implementation, and needs PENDING.md

cmd/gaia/app/app.go Outdated Show resolved Hide resolved
cmd/gaia/app/app.go Outdated Show resolved Hide resolved
cmd/gaia/app/app.go Outdated Show resolved Hide resolved
cmd/gaia/app/app.go Outdated Show resolved Hide resolved
Copy link
Contributor

@alexanderbez alexanderbez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @sunnya97 -- surface changes make sense mostly, but:

  • needs a pending log entry
  • needs a corresponding issue w/ a summary as this is a big change right before launch and there virtually is zero context here
  • comments addressed

switch msg.(type) {
case bank.MsgSend:
// LCD tests requires this to be commented out
// return ctx, bank.ErrSendDisabled(bank.DefaultCodespace).Result(), true
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why? We should modify those tests, no?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't seem safe, now we'll allow sends (?)

Copy link
Member Author

@sunnya97 sunnya97 Mar 4, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can I use the Makefile to set an environment variable or something that I can read from in the code? Is that safe?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we can't use an env variable but we can use a build flag, i'll do this.

cmd/gaia/app/app.go Outdated Show resolved Hide resolved
cmd/gaia/app/app.go Outdated Show resolved Hide resolved
cmd/gaia/app/app.go Outdated Show resolved Hide resolved
x/bank/keeper.go Show resolved Hide resolved
@alexanderbez alexanderbez added C:baseapp ready-for-review T: State Machine Breaking State machine breaking changes (impacts consensus). labels Mar 4, 2019
@cwgoes
Copy link
Contributor

cwgoes commented Mar 4, 2019

To-do (cc @sunnya97):

  • Actually disable MsgSend in the ante handler
  • Track total supply correctly
  • Add full integration test coverage, and figure out a way to cleanly merge this (maybe a flag)
  • Open an issue with instructions on how to revert this change when we enable transfers and add to the 0.34.0 milestone
  • Document the rationale for this change (Support New Validators at Launch #3802)

@cwgoes cwgoes mentioned this pull request Mar 4, 2019
4 tasks
cmd/gaia/app/app.go Outdated Show resolved Hide resolved
cmd/gaia/app/app.go Outdated Show resolved Hide resolved
cmd/gaia/app/app.go Outdated Show resolved Hide resolved
@cwgoes
Copy link
Contributor

cwgoes commented Mar 4, 2019

Hey @sunnya97 - do you think we shouldn't track the total supply changes? Please explicate.

@sunnya97
Copy link
Member Author

sunnya97 commented Mar 4, 2019

@cwgoes The bank module doesn't have access to the stake keeper, which currently keeps track of the total supply. It should be done by the bank keeper. There was a PR for this (#2939) but we decided to push it to post launch. This "burn account" method is currently what is also being used with the governance deposit burns.

@cwgoes
Copy link
Contributor

cwgoes commented Mar 4, 2019

Alternatively, burned tokens could be added back as fees or added to the community pool.

@cwgoes
Copy link
Contributor

cwgoes commented Mar 4, 2019

@cwgoes The bank module doesn't have access to the stake keeper, which currently keeps track of the total supply. It should be done by the bank keeper. There was a PR for this (#2939) but we decided to push it to post launch. This "burn account" method is currently what is also being used with the governance deposit burns.

This doesn't prevent altering the staking pool in the ante handler with the staking keeper.

@sunnya97
Copy link
Member Author

sunnya97 commented Mar 4, 2019

Adding it the community pool would require giving the bank keeper access to the distribution keeper (not sure if this doable directly or would need a hook). Adding is as fees is doable, as bank keeper already has access to auth keeper which has access to FeeCollection keeper. However, by using a "burn address" we can just reuse the already written and tested functionality of MultiSend msg without adding any additional functionality to the bank module.

@sunnya97
Copy link
Member Author

sunnya97 commented Mar 4, 2019

This doesn't prevent altering the staking pool in the ante handler with the staking keeper.

We don't process the the MultiSend msg in the ante handler, we just check that it has the right amounts in the outputs. You can think of it as an extra ValidateBasic we do. The actual handling of the MultiSend is done by the normal MultiSend handler. The multisend handler checks to make sure the sending account actually has enough money to do the transfer. We can't deduct from the total supply until we know that the multisend msg actually goes through.

@jaekwon
Copy link
Contributor

jaekwon commented Mar 5, 2019

@cwgoes I don't see why we need to filter SetWithdrawAddress messages. That parameter still exists, and whether it's enabled or not, it's not the same thing as enabling transfers per se, it only applies to rewards AFAIK, so I think we can leave this PR as is.

@cwgoes
Copy link
Contributor

cwgoes commented Mar 5, 2019

This doesn't prevent altering the staking pool in the ante handler with the staking keeper.

We don't process the the MultiSend msg in the ante handler, we just check that it has the right amounts in the outputs. You can think of it as an extra ValidateBasic we do. The actual handling of the MultiSend is done by the normal MultiSend handler. The multisend handler checks to make sure the sending account actually has enough money to do the transfer. We can't deduct from the total supply until we know that the multisend msg actually goes through.

Right, I stand corrected. I guess we would need to add a new message type or override the handler itself. Neither option seems particularly clean (although this isn't either).

We can fix total supply when we hard fork to actually enable transfers (and maybe fix the x/gov burn mechanism then too), so I withdraw my objection.

@cwgoes
Copy link
Contributor

cwgoes commented Mar 5, 2019

@cwgoes I don't see why we need to filter SetWithdrawAddress messages. That parameter still exists, and whether it's enabled or not, it's not the same thing as enabling transfers per se, it only applies to rewards AFAIK, so I think we can leave this PR as is.

It seems like a proxy for (limited) transfers - I could pay someone (a validator) to set their reward address to one I control. We don't require the reward address to sign the SetWithdrawAddress message (so it can be a new account).

MsgSetWithdrawAddress is already separately disabled with a genesis parameter though - we only need to filter in this PR (and remove that logic) if we want to have everything in one place.

@sunnya97
Copy link
Member Author

sunnya97 commented Mar 5, 2019

We don't require the reward address to sign the SetWithdrawAddress message (so it can be a new account).

Although, to do the actual WithdrawTx, won't that account need to have an account in state and some coins to pay the tx fee with?

MsgSetWithdrawAddress is already separately disabled with a genesis parameter though - we only need to filter in this PR (and remove that logic) if we want to have everything in one place.

I do like putting these all in the same spot. Will be easier to activate transfers later then.

@cwgoes
Copy link
Contributor

cwgoes commented Mar 5, 2019

Although, to do the actual WithdrawTx, won't that account need to have an account in state and some coins to pay the tx fee with?

The withdraw transaction is still sent by the delegator, so no - and as soon as the reward recipient receives funds, it will be able to spend them, like after a normal transfer.

(perhaps this should be reworked in the future, it's not actually that useful)

Copy link
Contributor

@alexanderbez alexanderbez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a question and this still warrants a pending log entry.


authAnteHandler := auth.NewAnteHandler(app.accountKeeper, app.feeCollectionKeeper)

filterAnteHandler := func(ctx sdk.Context, tx sdk.Tx, simulate bool) (newCtx sdk.Context, result sdk.Result, abort bool) {
Copy link
Contributor

@alexanderbez alexanderbez Mar 5, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmmm maybe I'm missing something glaringly obvious, but why must we have a "filterAnteHandler" in app? Why can't we just use the regular ante handler and have the sendEnabled enabled check? Then we won't need any hacky build stuff for this. Yes, the ante handler would have to be provided a "keeper contract" that implements GetSendEnabled.

What if a bunch of nodes choose to run without this build setup? What if this introduces a spam or DoS vector? (since the entire ante handler is executed first)

Copy link
Contributor

@alexanderbez alexanderbez Mar 5, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ohhh because it needs access to x/bank for message validation....sigh. I still think we can avoid this though. NewAnteHandler can be passed a tx validator function (which is defined in bank, e.g. func(tx sdk.Tx) sdk.Result) . Then we dont need any filter ante handler OR hacky build steps.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because other people are using the bank module rn, and we don't want to add Hub specific functionality to the module. We wanted to isolate this functionality change to just the gaia package.

Really, the proper way to do this is to allow for rerouting subroutes. So the route of the bank module msgs would be:
bank/send
bank/multisend

And then in the router, we route
bank/* to the bank module, but bank/multisend to a special handler defined in the gaia folder.

However, we don't have time to do this rn, as this would involve changes to the router functionality.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess we could just temporarily fork the entire bank module and add it as a special bank module in the gaia folder. And then to enable transfers point it back to the SDK bank module. That's actually not a bad idea.....

@cwgoes @jaekwon @zmanian

Copy link
Contributor

@alexanderbez alexanderbez Mar 5, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah anything to avoid involving the build pipeline would be an ideal solution. Seems trivial to do @sunnya97

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have all of these same concerns about using the build pipeline. I think, while messy, that forking the bank module may be the best way to do this. Looking forward to continuing this discussion in the sdk meeting today.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also this will be a very easy change to revert if we do that (just reimport the normal bank module into app.go)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we don't know how messy it will be, this is done, lets go with this.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alternative as suggested by @sunnya97: #3807

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not messy at all. I really don't think we should rely on the build process to enforce business logic (especially since it ties into consensus).

@jackzampolin
Copy link
Member

Current plan is to use the solution in #3807, going to mark this will-close

@cwgoes cwgoes closed this Mar 6, 2019
@cwgoes cwgoes deleted the sunny/multimsg-ante-handler branch March 6, 2019 11:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
C:baseapp T: State Machine Breaking State machine breaking changes (impacts consensus).
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Support New Validators at Launch
6 participants