Solo machine proof height verificaiton & timeout bug #562
Comments
colin-axner
changed the title
colin-axner
changed the title
|
Upon further investigation, I'm wondering whether proof height needs to be verified. Also, I believe the spec incorrectly supports timeouts. In 04-channel timeouts we obtain the timeout timestamp using the proof height, but the solo machine doesn't store consensus states (as it is stored in the client state). It also doesn't set the timestamp until after the proof is verified |
|
@cwgoes @AdityaSripal could I get a response on whether proof height needs to be verified? If it doesn't, then I can fix the solo machine implementation and just note for now that timeouts do not work. I believe this is blocking development/usage of the solo machine |
|
I do not believe proof height needs to be verified for solo machine, as the solo machine should always be signing in sequence, and must sign something specific in order for the absence of a packet receipt to be checked.
I see - it looks like timestamp-based timeouts will not work for the solo machine unless we alter this logic. It should be possible in principle, though, for solo machines there can be no past proof heights, so it's just the timestamp on the signature itself. |
My only concern is that core IBC has no way of knowing that the current sequence is equivalent to that noted in the proof height. That is, my solo machine could sign sequence 10, pass in a signature which signs 10 and pass in a proof height of 3. I think disabling timeouts for solo machines is fine, but if we discard the proof height (in solo machine), it'd be best to know that core IBC will not now, or in the future rely on the value of the proof height (outside of timeouts). If this is the case then I think the specs should be updated to indicate that proof height is only to be optionally used by clients in verification The alternative is to require proof height to be meaningful and structure the verify client/consensus states such that they increase the proof height received by 1 or 2 (depending on their ordering) I think this question goes a little outside the immediate necessity of fixing the solo machine. What is the scope of |
Oh - can we just assert that proof height is equal to the sequence? I mean "not verify" in the sense of "doesn't need to be signed over as a separate field" - I think we should probably assert that the sequence is equal to the proof height - if that's not already done, just an oversight on the part of the specification.
Yes, I agree. Proof height is a bit of an implicit assumption about the structure and behaviour of clients beyond the explicit interface, if we can make it clearer that would be helpful. |
The assertion is currently the problem. During connection handshake lets say 3 verify calls happen:
The proof height is set once entering into this handshake and is not incremented throughout. So solo machine would get sequence X for all 3 verify functions despite the fact that verify client and verify consensus might be expected X + 1 and X + 2. It sounds like this +1 and +2 should just be hardcoded? In which case there should be a spec update as well |
|
I will open a pr to fix the +1, +2 parts as that seems like the most sensible solution. #569 should fix timeouts which can be unsupported for now |
|
@colin-axner Can this be closed now? |
|
Yes, there's one remaining issue with the solo machine timeouts, but that can be tackled in #569 (I added a note to my comment on that issue) |
The height argument in the
Verifyfunctions of the solo machine is never used, but the specification doesn't make this clear. An inline comment should be added that this argument is never used and should be discardedThis likely would have avoided implementation issue outlined here
The text was updated successfully, but these errors were encountered: