Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ICS28: Set initH in onChanOpenConfirm #705

Merged
merged 89 commits into from
Apr 20, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
89 commits
Select commit Hold shift + click to select a range
604b3ae
Create README.md
mpoke Jan 17, 2022
a9b6dad
Add files with CCV spec
mpoke Jan 17, 2022
312d108
fix links to ICS 4
mpoke Jan 17, 2022
4f2b2f8
fix links to ICS 7
mpoke Jan 17, 2022
0f826ac
add ICS 28 to main README.md
mpoke Jan 17, 2022
4c4550a
adding tech spec for unbonding delegations
mpoke Jan 18, 2022
106afe0
add context on unbonding operations
mpoke Jan 18, 2022
06a2eb2
add unbonding operation diagram
mpoke Jan 19, 2022
6085697
Update spec/app/ics-028-cross-chain-validation/overview_and_basic_con…
mpoke Jan 25, 2022
d2b7377
Update spec/app/ics-028-cross-chain-validation/overview_and_basic_con…
mpoke Jan 25, 2022
b132122
Update spec/app/ics-028-cross-chain-validation/system_model_and_prope…
mpoke Jan 25, 2022
e470c84
Update spec/app/ics-028-cross-chain-validation/technical_specificatio…
mpoke Jan 25, 2022
28e7131
Update spec/app/ics-028-cross-chain-validation/README.md
mpoke Jan 25, 2022
4bdcd8b
Update spec/app/ics-028-cross-chain-validation/README.md
mpoke Jan 25, 2022
dee8d30
minor, remove confusing phrasing
mpoke Jan 25, 2022
db69640
child -> consumer; parent -> provider
mpoke Jan 25, 2022
35cdcd8
clarify which staking module
mpoke Jan 25, 2022
ab41f91
extend staking assumptions, remove redundant inv, prove staking props…
mpoke Jan 25, 2022
45b038c
modify staking hooks spec to cover other unbonding ops
mpoke Jan 20, 2022
faac42c
Merge branch 'marius/ccv-init-and-vsc' into marius/ccv-staking-hooks
mpoke Jan 25, 2022
9631aba
provider Staking module
mpoke Jan 25, 2022
4c3f2db
Merge branch 'marius/ccv-staking-hooks' of github.com:cosmos/ibc into…
mpoke Jan 25, 2022
9ef5aef
break long lines
mpoke Jan 25, 2022
bdf3c48
break long lines
mpoke Jan 25, 2022
0d9edad
remove dependecies to Cosmos SDK
mpoke Jan 26, 2022
6afb942
Merge branch 'marius/ccv-init-and-vsc' into marius/ccv-staking-hooks
mpoke Jan 26, 2022
08ceb8a
changes in the security model
mpoke Jan 27, 2022
5c7da62
specify multiple consumer chains
mpoke Jan 27, 2022
9d25746
channel init overview
mpoke Jan 27, 2022
270cae8
Merge branch 'marius/ccv-init-and-vsc' into marius/ccv-staking-hooks
mpoke Jan 27, 2022
69b0a1f
address issues #27 and #33 from cosmos/interchain-security repo
mpoke Feb 10, 2022
01b7a3b
Merge branch 'marius/ccv-staking-hooks' of github.com:cosmos/ibc into…
mpoke Feb 10, 2022
495c8db
resolve merge conflict
mpoke Feb 10, 2022
ff8c173
extend consumer InitGenesis
mpoke Feb 14, 2022
69763bc
describe mechanism to disseminate genesis state
mpoke Feb 15, 2022
7db4308
describe mapping heights provider <> consumer
mpoke Feb 15, 2022
5b0302b
remove ExportGenesis and restarted chains
mpoke Feb 16, 2022
fccb14d
add overview of consumer initiated slashing
mpoke Feb 16, 2022
51872a6
add slashing invariant
mpoke Feb 17, 2022
cb1707a
add assumptions needed by evidence
mpoke Feb 17, 2022
a09d008
Update spec/app/ics-028-cross-chain-validation/overview_and_basic_con…
mpoke Feb 17, 2022
9982f76
draft CCV props for slashing
mpoke Feb 17, 2022
744ea88
replace time w/ height; add HtoVSC and VSCtoH
mpoke Feb 17, 2022
16dc913
replace time with height in invariants and properties
mpoke Feb 17, 2022
5a873e1
validate channel IDs on provider genesis
mpoke Feb 21, 2022
263d890
prove Slashing Invariant
mpoke Feb 21, 2022
29babea
enable mapping from consumer to provider heights
mpoke Feb 21, 2022
5977701
fix conflic: merge with marius/ccv-init-genesis
mpoke Feb 21, 2022
4166744
technical spec for slashing
mpoke Feb 22, 2022
fcc1c14
minor changes
mpoke Feb 22, 2022
9902ecd
fix links to tendermint spec
mpoke Feb 23, 2022
0484d32
clarify Staking vs Slashing modules
mpoke Feb 23, 2022
bda9108
replace VSC acks w/ VSCMaturedPackets
mpoke Feb 23, 2022
ee33c48
fix some TODOs
mpoke Feb 23, 2022
c983620
fix properties
mpoke Feb 24, 2022
7283049
Merge branch 'marius/ccv' into marius/ccv-staking-hooks
mpoke Feb 24, 2022
078fa97
Merge branch 'marius/ccv-staking-hooks' into marius/ccv-init-genesis
mpoke Feb 24, 2022
44b058a
Merge branch 'marius/ccv-init-genesis' into marius/ccv-evidence
mpoke Feb 24, 2022
3221e79
HtoVSC and VSCtoH from () to []
mpoke Feb 25, 2022
7ecb10e
fix infraction height and add intuition diagram
mpoke Feb 28, 2022
110e799
resolve merge conflict
mpoke Feb 28, 2022
8b0915b
keep ValidatorSet in consumer CCV module state
mpoke Mar 7, 2022
c904c21
remove CCV channel status
mpoke Mar 7, 2022
6889441
add outstanding downtime flag and decouple from validatorSet
mpoke Mar 8, 2022
72ae68f
adressing Josef's comment
mpoke Mar 8, 2022
e4aac3e
update init methods and ics26 methods
mpoke Mar 9, 2022
754aefd
fix merge conflicts
mpoke Mar 10, 2022
4608ab5
updating ValSet Update methods
mpoke Mar 10, 2022
4b20b7a
Merge branch 'marius/ccv-evidence' into marius/668-ccv-channel-state
mpoke Mar 10, 2022
d0293b4
updating Consumer Initiated Slashing methods
mpoke Mar 10, 2022
f2fbb66
fix issues pointed by Simon
mpoke Mar 11, 2022
e0401ee
dealing with downtime slashing atomicity
mpoke Mar 11, 2022
974224c
Merge branch 'marius/ccv-evidence' into marius/668-ccv-channel-state
mpoke Mar 11, 2022
cabc738
resolve merge conflict
mpoke Mar 11, 2022
9791e36
resolve conflicts when merging base
mpoke Mar 23, 2022
1328fa4
handle pending proposals
mpoke Mar 23, 2022
31c4568
remove genesis hash
mpoke Mar 23, 2022
4f7652b
remove details of genesis state dissemination
mpoke Mar 30, 2022
b098826
add overview of reward distribution
mpoke Mar 31, 2022
043d7d9
add CCVHandshakeMetadata and update channel handshake methods signatures
mpoke Mar 31, 2022
5692d8d
initiate opening handshake for transfer channel
mpoke Mar 31, 2022
8a321e1
add DistributeRewards() method
mpoke Apr 4, 2022
2499584
resolve merge conflict
mpoke Apr 4, 2022
11b93c5
set initH in onChanOpenConfirm
mpoke Apr 4, 2022
ef06edd
address review comments
mpoke Apr 6, 2022
2a15d41
add distribution invariant
mpoke Apr 7, 2022
ed461e5
Merge branch 'marius/ccv-distribution' into marius/702-ccv-inith
mpoke Apr 7, 2022
c1e5de5
resolve merge conflict
mpoke Apr 20, 2022
abd0aa5
replace initH with initialHeights
mpoke Apr 20, 2022
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -245,7 +245,9 @@ Thus, although the infractions are committed on the consumer chains and evidence

The following figure shows the intuition behind such a mapping using the provided VSCs.
The four unbonding operations (i.e., undelegations) occur on the provider chain and, as a consequence, the provider chain provides VSCs to the consumer chain, e.g., `undelegate-3` results in `VSC3` being provided.
The four colors (i.e., red, blue, green, and yellow) indicate the mapping of consumer chain heights to provider chain heights (note that on the provider chain there is only one block of a given color).
The four colors (i.e., red, blue, green, and yellow) indicate the mapping of consumer chain heights to provider chain heights.
Note that on the provider chain there is only one block of a given color.
Also, note that the three white blocks between the green and the yellow blocks on the provider chain have the same validator set.
As a result, a validator misbehaving on the consumer chain, e.g., in either of the two green blocks, is slashed the same as if misbehaving on the provider chain, e.g., in the green block.
This ensures that once unbonding operations are initiated, the corresponding unbonding tokens are not slashed for infractions committed in the subsequent blocks, e.g., the tokens unbonding due to `undelegate-3` are not slashed for infractions committed in or after the green blocks.

Expand All @@ -263,8 +265,9 @@ For clarity, we use `Hp*` and `Hc*` to denote block heights on the provider chai
> **Note**: It is possible for multiple VSCs to be received by the consumer chain within the same block. For more details, take a look at the [Validator sets, validator updates and VSCs](./system_model_and_properties.md#validator-sets-validator-updates-and-vscs) section.
- By default, every consumer CCV module maps any block height to `0` (i.e., VSC IDs start from `1`).
Intuitively, this means that the voting power on the consumer chain at height `Hc` with `HtoVSC(Hc) = 0` was setup at genesis during Channel Initialization.
- For every consumer chain, the provider CCV module sets `VSCtoH[0]` to the height at which the first VSC was provided to this consumer chain.
Intuitively, this means that the validator set on the provider chain at height `VSCtoH[0]` matches the validator set on the consumer chain at all heights `Hc` with `HtoVSC[Hc] = 0`.
- For every consumer chain, the provider CCV module sets `VSCtoH[0]` to the height when it establishes the CCV channel to this consumer chain.
Note that the validator set on the provider chain at height `VSCtoH[0]` matches the validator set at the height when the first VSC is provided to this consumer chain.
This means that this validator set on the provider chain matches the validator set on the consumer chain at all heights `Hc` with `HtoVSC[Hc] = 0`.

The following figure shows an overview of the Consumer Initiated Slashing operation of CCV.

Expand All @@ -277,7 +280,7 @@ The following figure shows an overview of the Consumer Initiated Slashing operat
- The provider CCV module receives at (slashing) height `Hp1` the `SlashPacket` with `vscId = HtoVSC[Hc1]`.
As a result, it requests the provider Slashing module to slash `V`, but it set the infraction height to `VSCtoH[vscId]`, i.e.,
- if `vscId != 0`, the height on the provider chain where the voting power was updated by the VSC with ID `vscId`;
- otherwise, the height at which the first VSC was provided to this consumer chain.
- otherwise, the height at which the CCV channel to this consumer chain was established.
> **Note**: As a consequence of slashing (and potentially jailing) `V`, the Staking module updates accordingly `V`'s voting power. This update MUST be visible in the next VSC provided to the consumer chains.

For a more detailed description of Consumer Initiated Slashing, take a look at the [technical specification](./technical_specification.md#consumer-initiated-slashing).
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -138,6 +138,10 @@ CCV provides the following system properties.
- `T` (equivalent) tokens MUST be eventually minted on the provider chain and then distributed among the validators that are part of the validator set;
- the total supply of tokens MUST be preserved, i.e., the `T` (original) tokens are escrowed on the consumer chain.

- ***Distribution Invariant***: If a consumer chain sends to the provider chain an amount `T` of tokens as reward for providing security, then
- `T` (equivalent) tokens are eventually minted on the provider chain and then distributed among the validators that are part of the validator set;
- the total supply of tokens is preserved, i.e., the `T` (original) tokens are escrowed on the consumer chain.

### CCV Channel
[&uparrow; Back to Outline](#outline)

Expand Down Expand Up @@ -230,7 +234,7 @@ The following properties define the guarantees of CCV on *registering* on the pr

- ***Provider Slashing Warranty***: If the provider CCV module receives at height `hs` from a consumer chain `cc` a `SlashPacket` containing a validator `val` and a VSC ID `vscId`,
then it MUST make at height `hs` *exactly one* request to the provider Slashing module to slash `val` for misbehaving at height `h`, such that
- if `vscId = 0`, `h` is the height of the block when the provider chain provided to `cc` the first VSC;
- if `vscId = 0`, `h` is the height of the block when the provider chain established a CCV channel to `cc`;
- otherwise, `h` is the height of the block immediately subsequent to the block when the provider chain provided to `cc` the VSC with ID `vscId`.

- ***VSC Maturity and Slashing Order***: If a consumer chain sends to the provider chain a `SlashPacket` before a maturity notification of a VSC, then the provider chain MUST NOT receive the maturity notification before the `SlashPacket`.
Expand Down Expand Up @@ -387,4 +391,4 @@ i.e., we informally prove the properties described in the [previous section](#de
This means that *exactly* the amount of tokens `Token(Power(cc,hi,val))` is slashed on the provider chain.

- ***Consumer Rewards Distribution***: The first part of the *Consumer Rewards Distribution* property (i.e., the tokens are eventually minted on the provider chain and then distributed among the validators) follows directly from *Distribution Liveness* and *Distribution Warranty*.
The second part of the *Consumer Rewards Distribution* property (i.e., the total supply of tokens is preserved) follows directly from the *Supply* property of the Fungible Token Transfer protocol (see [ICS 20](../ics-020-fungible-token-transfer/README.md)).
The second part of the *Consumer Rewards Distribution* property (i.e., the total supply of tokens is preserved) follows directly from the *Supply* property of the Fungible Token Transfer protocol (see [ICS 20](../ics-020-fungible-token-transfer/README.md)).
21 changes: 10 additions & 11 deletions spec/app/ics-028-cross-chain-validation/technical_specification.md
Original file line number Diff line number Diff line change
Expand Up @@ -269,8 +269,9 @@ This section describes the internal state of the CCV module. For simplicity, the
}
- `vscId: uint64` is a monotonic strictly increasing and positive ID that is used to uniquely identify the VSCs sent to the consumer chains.
Note that `0` is used as a special ID for the mapping from consumer heights to provider heights.
- `initH: Map<string, Height>` is a mapping from consumer chain IDs to the heights on the provider chain.
For every consumer chain, the mapping stores the height when the first VSC was provided to that consumer chain.
- `initialHeights: Map<string, Height>` is a mapping from consumer chain IDs to the heights on the provider chain.
For every consumer chain, the mapping stores the height when the CCV channel to that consumer chain is established.
Note that the provider validator set at this height matches the validator set at the height when the first VSC is provided to that consumer chain.
It enables the mapping from consumer heights to provider heights.
- `VSCtoH: Map<uint64, Height>` is a mapping from VSC IDs to heights on the provider chain. It enables the mapping from consumer heights to provider heights,
i.e., the voting power at height `VSCtoH[id]` on the provider chain was last updated by the validator updates contained in the VSC with ID `id`.
Expand Down Expand Up @@ -633,6 +634,8 @@ function onChanOpenConfirm(
// set channel mappings
chainToChannel[clientState.chainId] = channelIdentifier
channelToChain[channelIdentifier] = clientState.chainId
// set initialHeights for this consumer chain
initialHeights[chainId] = getCurrentHeight()
}
```
- **Caller**
Expand All @@ -645,7 +648,9 @@ function onChanOpenConfirm(
- If a CCV channel for this consumer chain already exists, then
- the channel closing handshake is initiated for the underlying channel;
- the transaction is aborted.
- Otherwise, the channel mappings are set, i.e., `chainToChannel` and `channelToChain`.
- Otherwise,
- the channel mappings are set, i.e., `chainToChannel` and `channelToChain`;
- `initialHeights[chainId]` is set to the current height.
- **Error Condition**
- None.

Expand Down Expand Up @@ -1213,11 +1218,6 @@ function EndBlock(): [ValidatorUpdate] {

// check whether there is an established CCV channel to the consumer chain
if chainId IN chainToChannel.Keys() {
// set initH for this consumer chain (if not done already)
if chainId NOT IN initH.Keys() {
initH[chainId] = getCurrentHeight()
}

// get the channel ID for the given consumer chain ID
channelId = chainToChannel[chainId]

Expand Down Expand Up @@ -1259,7 +1259,6 @@ function EndBlock(): [ValidatorUpdate] {
- `slashRequests[chainId]` is emptied;
- `packetData` is appended to the list of pending `VSCPacket`s associated to `chainId`, i.e., `pendingVSCPackets[chainId]`.
- If there is an established CCV channel for the the consumer chain with `chainId`, then
- if `initH[chainId]` is not already set, then `initH[chainId]` is set to the current height;
- for each `VSCPacketData` in the list of pending VSCPackets associated to `chainId`
- a packet with the `VSCPacketData` is sent on the channel associated with the consumer chain with `chainId`;
- all the pending VSCPackets associated to `chainId` are removed.
Expand Down Expand Up @@ -1745,7 +1744,7 @@ function onRecvSlashPacket(packet: Packet): bytes {
if packet.data.vscId == 0 {
// the infraction happened before sending any VSC to this chain
chainId = channelToChain[packet.getDestinationChannel()]
infractionHeight = initH[chainId]
infractionHeight = initialHeights[chainId]
}
else {
infractionHeight = VSCtoH[packet.data.vscId]
Expand Down Expand Up @@ -1779,7 +1778,7 @@ function onRecvSlashPacket(packet: Packet): bytes {
- the channel closing handshake is initiated;
- an error acknowledgment is returned.
- Otherwise,
- if `packet.data.vscId == 0`, `infractionHeight` is set to `initH[chainId]`, with `chainId = channelToChain[packet.getDestinationChannel()]`, i.e., the height when the first VSC was provided to this consumer chain;
- if `packet.data.vscId == 0`, `infractionHeight` is set to `initialHeights[chainId]`, with `chainId = channelToChain[packet.getDestinationChannel()]`, i.e., the height when the CCV channel to this consumer chain is established;
- otherwise, `infractionHeight` is set to `VSCtoH[packet.data.vscId]`, i.e., the height at which the voting power was last updated by the validator updates in the VSC with ID `packet.data.vscId`;
- a request is made to the Slashing module to slash the validator with address `packet.data.valAddress` for misbehaving at height `infractionHeight`;
- a request is made to the Slashing module to jail the validator with address `packet.data.valAddress` for a period `data.jailTime`;
Expand Down