add additional slash packet checks #619
Conversation
MSalopek
requested review from
jtremback,
mpoke,
sainoe,
danwt and
shaspitz
as code owners
MSalopek
force-pushed
the
masa/544-drop-outdated-slash
branch
2 times, most recently
from
8669281
to
1c3cc20
Compare
tests/e2e/expired_client.go
Outdated
| // try to send slash packet for downtime infraction | ||
| // addr := ed25519.GenPrivKey().PubKey().Address() | ||
| // val := abci.Validator{Address: addr} | ||
| // consumerKeeper.QueueSlashPacket(s.consumerCtx(), val, 2, stakingtypes.Downtime) |
There was a problem hiding this comment.
Sending these packets would cause an error in provider.OnRecvSlashPacket since the slash packet would be considered outdated.
There was a problem hiding this comment.
I was also running into problems with the tests in this file when first attempting to solve #546.
Imo we should change the test behavior instead of commenting out
There was a problem hiding this comment.
Uncomment the tests and use the following reasoning to populate the valsetUpdateID of consumerKeeper.QueueSlashPacket:
// a downtime infraction identified at the current height
// has the infraction height set as follows (cf. SDK slashing module)
infractionHeight := s.consumerCtx().BlockHeight() - sdk.ValidatorUpdateDelay - 1// for a double-sing infraction at consumer height H
// has the infraction height set as follows (cf. SDK evidence module)
infractionHeight := H - sdk.ValidatorUpdateDelayFor both downtime and double-signing, send SlashPackets using the following valsetUpdateID
infractionVSCid := consumerKeeper.GetHeightValsetUpdateID(s.consumerCtx(), uint64(infractionHeight))
tests/e2e/expired_client.go
Outdated
| // try to send slash packet for downtime infraction | ||
| // addr := ed25519.GenPrivKey().PubKey().Address() | ||
| // val := abci.Validator{Address: addr} | ||
| // consumerKeeper.QueueSlashPacket(s.consumerCtx(), val, 2, stakingtypes.Downtime) |
There was a problem hiding this comment.
Uncomment the tests and use the following reasoning to populate the valsetUpdateID of consumerKeeper.QueueSlashPacket:
// a downtime infraction identified at the current height
// has the infraction height set as follows (cf. SDK slashing module)
infractionHeight := s.consumerCtx().BlockHeight() - sdk.ValidatorUpdateDelay - 1// for a double-sing infraction at consumer height H
// has the infraction height set as follows (cf. SDK evidence module)
infractionHeight := H - sdk.ValidatorUpdateDelayFor both downtime and double-signing, send SlashPackets using the following valsetUpdateID
infractionVSCid := consumerKeeper.GetHeightValsetUpdateID(s.consumerCtx(), uint64(infractionHeight))
MSalopek
force-pushed
the
masa/544-drop-outdated-slash
branch
3 times, most recently
from
7c2e475
to
7336dac
Compare
| expSlash bool | ||
| vscID uint64 | ||
| }{ | ||
| {expSlash: true, vscID: vscIDs[0]}, | ||
| {expSlash: true, vscID: vscIDs[1]}, |
There was a problem hiding this comment.
@smarshall-spitzbart I think this needs to be redone on my part. I think the point of the test got lost, right?
In this version, the second slash cannot be applied since the SlashAck for given validator already exists. The slash acks are consumed (deleted) in endblock.
There was a problem hiding this comment.
Hmm it's not completely clear what the original intention of the test was, considering the comment:
The test cases verify that only the unbonding tokens get slashed for the VSC ids mapping to the block heights before and during the undelegation otherwise not.
I think Marius may be more familiar with this functionality. @mpoke do you know what this test is validating?
MSalopek
force-pushed
the
masa/544-drop-outdated-slash
branch
from
dbfcd79
to
1a52576
Compare
There was a problem hiding this comment.
Regarding slash acks as a mechanism to achieve
Drop SlashPackets for downtime infraction for the same validator that were received from the same consumer without the validator having the chance to Unjail itself.
(From #544)
Slash acks are appended for a particular chain only once that slash has been handled. Therefore I don't think slash acks work as a mechanism to achieve the closing criteria defined in the issue.
A malicious consumer could still send a bunch of downtime slash packets that are recv all in block N, those packets would all be queued during block N. During the end blocker of block N, one of the queued downtime slash packets could be handled, which would append the slash ack. Note that if the slash meter is negative in block N, no slash ack would be appended in block N. Even if a slash ack was appended in block N, this would only prevent spam until that slash ack is consumed, and the spam packets would only be dequeued if the slash ack exists at the time of handling.
To prevent spam, we need to be adding logic to ValidateSlashPacket, which runs before the slash packet is added to the queue.
After adding the requested changes I'm setting this to draft since difftests are failing because of the new functionality. Current difftest do not account for the fact that Updating difftests will take will take an unknown amount of time for me to handle. |
MSalopek
force-pushed
the
masa/544-drop-outdated-slash
branch
from
a7ecaf7
to
1a52576
Compare
MSalopek
force-pushed
the
masa/544-drop-outdated-slash
branch
from
151a414
to
f30ecf6
Compare
MSalopek
changed the title
|
Validate basic was removed, PR can be merged if need be. |
|
If this PR will still close #544, it'll need to address the closing criteria of
Otherwise we can make that criteria it's own issue. @MSalopek @mpoke I still do not understand how slash acks accomplish the following behavior in this PR
AFAIK slash acks have nothing to do with unjailing, and slash acks are deleted once included in a VSC packet. It seems this comment still applies, and the current changes prevent spam only in a very small subset of cases, not the cases defined in the issue |
Hi, thanks for the insight.
This PR insures the validator has unjailed itself in case of multiple subsequent downtime requests from the same chain.
|
@smarshall-spitzbart True. Which means that if two |
|
@mpoke @smarshall-spitzbart Thanks for your insights.
After discussing with @smarshall-spitzbart it seems that this requirement cannot be fulfilled with basic checks that are currently proposed in this PR. We would need to keep additional state to achieve that, and that would need to be thoroughly tested. The basic checks may still hold some value, but I am in favor of closing this PR as it stands now. |
Please do not merge
Difftests are not working due to additional slash packet validation (ValidateBasic).
Description
Downtime slash packets will be dropped in
HandleSlashPacketif aSlashAckalready exists for a given chain and given validator. This prevents validators being spammed with downtime infractions without ever unjailing themselves.Linked issues
EDIT: Partial fix for #544
Type of change
If you've checked more than one of the first three boxes, consider splitting this PR into multiple PRs!
Feature: Changes and/or adds code behavior, irrelevant to bug fixes