Domains: Freeze, Unfreeze, and Prune Execution receipt of Domain through Sudo #2896
Conversation
…ciept of a given domain through Sudo
I'm not quite sure about this, if the FP can't be submitted due to:
Then it is a bug of the FP system we need to fix before unfreezing the domain. While pruning the bad ER is just a temporary workaround the issue can still happen again. Also, this puts the burden of manually validating the bad ER on the Sudo while the FP system is broken. cc @jfrank-summit |
That is actual reason why we have this dispatch. If the fraud proof is not able to be submitted for any reason. Then there will be some sort of offchain process to verify the actual fraud proof validity and then root will prune the bad ER. Maybe @dariolina can confirm here |
|
I think you're both right. The flow I imagine is:
|
|
I think we both agree that freeze and unfreeze domains are necessary but the controversy is how to prune the bad ER. What I imagine is after the fix is applied (either to the prover or the verifier) the FP flow should work again and an FP will generate and submit successfully to prune the bad ER, this should happen automatically without manually validating the FP/bad ER offchain. |
|
But assume we need to do domain runtime upgrade for the fix then the ER in question will go out of challenge period by the time new code kicks in. Right? |
The domain runtime code that derives the bad ER will be used during FP verification, not the latest runtime code. Even if there is a necessary hack required for the fix, the hack should be part of the fix and present in the code rather than offchain IMHO. |
Okay, let assume a edge case scenario where FP did not make it into Consensus block due to multiple reasons. Malicious operators can continue to submit fraud proofs while honest operators continue to submit FP. As long as the bad ER does not go out of challenge period, this is fine. But it is possible for the bad ER to be confirmed due to above FP not making into Consensus block. At this point, governance can make a call to prune the first bad er, upgrade the domain runtime, wait for runtime to be enacted on consensus chain, then proceed to unfreeze the domain. The next domain block will contain the new runtime and honest operators will with domain block imports. There could a pelthora such scenarios and the list might not even be exhaustive. This dispatch is essentially a way for us to ensure such guards are in place |
What the team will do is deploy a complete fix (which contains a hack if necessary) that allows the prover to generate the FP and the verifier to accept the FP, no matter whether it is a domain runtime bug or not, to prune the existing and any new bad ER.
I really don't see how "governance can make a call to prune the first bad er" helps in this case:
After the fix is deployed the honest operator will produce/submit FP to prune the bad ER, and then we can unfreeze the domain, I don't see why we need to manually prune the bad ER beforehand.
The only safeguard, from my understanding, is the ability to freeze the domain and deploy the fix, what the fix will be depends on the issue. |
| pub fn max_prune_domain_execution_receipt() -> Weight { | ||
| T::WeightInfo::handle_bad_receipt(MAX_BUNLDE_PER_BLOCK) | ||
| .saturating_add(T::DbWeight::get().reads_writes(3, 1)) | ||
| } |
There was a problem hiding this comment.
The extrinsic weights are not just the database write & read but also a base weight, thus would prefer to have proper benchmarking like submit_fraud_proof, though non-blocker for this PR.
vanhauser-thc
added
audited
This PR add new dispatches for Sudo on Consensus to
This dispatches are generally used but in case if the Fraud proof does not fit into the Consensus block due to incorrect weight/size limits. Then through social consensus, Sudo/Governance would freeze the domain for time being, prune any Bad ERs and unfreeze the domain to enable to normal execution.
Will update the spec with these changes.Spec updates: subspace/protocol-specs#44
cc: @dariolina
Code contributor checklist: