Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ICS28: Enable the removal of a consumer chain from the provider #707

Merged
merged 93 commits into from
May 10, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
93 commits
Select commit Hold shift + click to select a range
604b3ae
Create README.md
mpoke Jan 17, 2022
a9b6dad
Add files with CCV spec
mpoke Jan 17, 2022
312d108
fix links to ICS 4
mpoke Jan 17, 2022
4f2b2f8
fix links to ICS 7
mpoke Jan 17, 2022
0f826ac
add ICS 28 to main README.md
mpoke Jan 17, 2022
4c4550a
adding tech spec for unbonding delegations
mpoke Jan 18, 2022
106afe0
add context on unbonding operations
mpoke Jan 18, 2022
06a2eb2
add unbonding operation diagram
mpoke Jan 19, 2022
6085697
Update spec/app/ics-028-cross-chain-validation/overview_and_basic_con…
mpoke Jan 25, 2022
d2b7377
Update spec/app/ics-028-cross-chain-validation/overview_and_basic_con…
mpoke Jan 25, 2022
b132122
Update spec/app/ics-028-cross-chain-validation/system_model_and_prope…
mpoke Jan 25, 2022
e470c84
Update spec/app/ics-028-cross-chain-validation/technical_specificatio…
mpoke Jan 25, 2022
28e7131
Update spec/app/ics-028-cross-chain-validation/README.md
mpoke Jan 25, 2022
4bdcd8b
Update spec/app/ics-028-cross-chain-validation/README.md
mpoke Jan 25, 2022
dee8d30
minor, remove confusing phrasing
mpoke Jan 25, 2022
db69640
child -> consumer; parent -> provider
mpoke Jan 25, 2022
35cdcd8
clarify which staking module
mpoke Jan 25, 2022
ab41f91
extend staking assumptions, remove redundant inv, prove staking props…
mpoke Jan 25, 2022
45b038c
modify staking hooks spec to cover other unbonding ops
mpoke Jan 20, 2022
faac42c
Merge branch 'marius/ccv-init-and-vsc' into marius/ccv-staking-hooks
mpoke Jan 25, 2022
9631aba
provider Staking module
mpoke Jan 25, 2022
4c3f2db
Merge branch 'marius/ccv-staking-hooks' of github.com:cosmos/ibc into…
mpoke Jan 25, 2022
9ef5aef
break long lines
mpoke Jan 25, 2022
bdf3c48
break long lines
mpoke Jan 25, 2022
0d9edad
remove dependecies to Cosmos SDK
mpoke Jan 26, 2022
6afb942
Merge branch 'marius/ccv-init-and-vsc' into marius/ccv-staking-hooks
mpoke Jan 26, 2022
08ceb8a
changes in the security model
mpoke Jan 27, 2022
5c7da62
specify multiple consumer chains
mpoke Jan 27, 2022
9d25746
channel init overview
mpoke Jan 27, 2022
270cae8
Merge branch 'marius/ccv-init-and-vsc' into marius/ccv-staking-hooks
mpoke Jan 27, 2022
69b0a1f
address issues #27 and #33 from cosmos/interchain-security repo
mpoke Feb 10, 2022
01b7a3b
Merge branch 'marius/ccv-staking-hooks' of github.com:cosmos/ibc into…
mpoke Feb 10, 2022
495c8db
resolve merge conflict
mpoke Feb 10, 2022
ff8c173
extend consumer InitGenesis
mpoke Feb 14, 2022
69763bc
describe mechanism to disseminate genesis state
mpoke Feb 15, 2022
7db4308
describe mapping heights provider <> consumer
mpoke Feb 15, 2022
5b0302b
remove ExportGenesis and restarted chains
mpoke Feb 16, 2022
fccb14d
add overview of consumer initiated slashing
mpoke Feb 16, 2022
51872a6
add slashing invariant
mpoke Feb 17, 2022
cb1707a
add assumptions needed by evidence
mpoke Feb 17, 2022
a09d008
Update spec/app/ics-028-cross-chain-validation/overview_and_basic_con…
mpoke Feb 17, 2022
9982f76
draft CCV props for slashing
mpoke Feb 17, 2022
744ea88
replace time w/ height; add HtoVSC and VSCtoH
mpoke Feb 17, 2022
16dc913
replace time with height in invariants and properties
mpoke Feb 17, 2022
5a873e1
validate channel IDs on provider genesis
mpoke Feb 21, 2022
263d890
prove Slashing Invariant
mpoke Feb 21, 2022
29babea
enable mapping from consumer to provider heights
mpoke Feb 21, 2022
5977701
fix conflic: merge with marius/ccv-init-genesis
mpoke Feb 21, 2022
4166744
technical spec for slashing
mpoke Feb 22, 2022
fcc1c14
minor changes
mpoke Feb 22, 2022
9902ecd
fix links to tendermint spec
mpoke Feb 23, 2022
0484d32
clarify Staking vs Slashing modules
mpoke Feb 23, 2022
bda9108
replace VSC acks w/ VSCMaturedPackets
mpoke Feb 23, 2022
ee33c48
fix some TODOs
mpoke Feb 23, 2022
c983620
fix properties
mpoke Feb 24, 2022
7283049
Merge branch 'marius/ccv' into marius/ccv-staking-hooks
mpoke Feb 24, 2022
078fa97
Merge branch 'marius/ccv-staking-hooks' into marius/ccv-init-genesis
mpoke Feb 24, 2022
44b058a
Merge branch 'marius/ccv-init-genesis' into marius/ccv-evidence
mpoke Feb 24, 2022
3221e79
HtoVSC and VSCtoH from () to []
mpoke Feb 25, 2022
7ecb10e
fix infraction height and add intuition diagram
mpoke Feb 28, 2022
110e799
resolve merge conflict
mpoke Feb 28, 2022
8b0915b
keep ValidatorSet in consumer CCV module state
mpoke Mar 7, 2022
c904c21
remove CCV channel status
mpoke Mar 7, 2022
6889441
add outstanding downtime flag and decouple from validatorSet
mpoke Mar 8, 2022
72ae68f
adressing Josef's comment
mpoke Mar 8, 2022
e4aac3e
update init methods and ics26 methods
mpoke Mar 9, 2022
754aefd
fix merge conflicts
mpoke Mar 10, 2022
4608ab5
updating ValSet Update methods
mpoke Mar 10, 2022
4b20b7a
Merge branch 'marius/ccv-evidence' into marius/668-ccv-channel-state
mpoke Mar 10, 2022
d0293b4
updating Consumer Initiated Slashing methods
mpoke Mar 10, 2022
f2fbb66
fix issues pointed by Simon
mpoke Mar 11, 2022
e0401ee
dealing with downtime slashing atomicity
mpoke Mar 11, 2022
974224c
Merge branch 'marius/ccv-evidence' into marius/668-ccv-channel-state
mpoke Mar 11, 2022
cabc738
resolve merge conflict
mpoke Mar 11, 2022
9791e36
resolve conflicts when merging base
mpoke Mar 23, 2022
1328fa4
handle pending proposals
mpoke Mar 23, 2022
31c4568
remove genesis hash
mpoke Mar 23, 2022
4f7652b
remove details of genesis state dissemination
mpoke Mar 30, 2022
b098826
add overview of reward distribution
mpoke Mar 31, 2022
043d7d9
add CCVHandshakeMetadata and update channel handshake methods signatures
mpoke Mar 31, 2022
5692d8d
initiate opening handshake for transfer channel
mpoke Mar 31, 2022
8a321e1
add DistributeRewards() method
mpoke Apr 4, 2022
2499584
resolve merge conflict
mpoke Apr 4, 2022
11b93c5
set initH in onChanOpenConfirm
mpoke Apr 4, 2022
ef06edd
address review comments
mpoke Apr 6, 2022
2a15d41
add distribution invariant
mpoke Apr 7, 2022
ed461e5
Merge branch 'marius/ccv-distribution' into marius/702-ccv-inith
mpoke Apr 7, 2022
24acf57
stopping a consumer chain
mpoke Apr 7, 2022
9ed8e8b
resolve merge conflict
mpoke Apr 20, 2022
ea6919b
deal with timeouts on the consumer side
mpoke Apr 20, 2022
704e9de
fix typo
mpoke Apr 29, 2022
e5e79aa
add note on how to shut down the consumer
mpoke Apr 29, 2022
3f24b4b
add note on safety implication of lockUnbondingOnTimeout
mpoke May 2, 2022
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -86,6 +86,9 @@ furthermore, the *Correct Relayer* assumption relies on both *Safe Blockchain* a
The following properties are concerned with **one provider chain** providing security to **multiple consumer chains**.
Between the provider chain and each consumer chain, a separate (unique) CCV channel is established.

> **Note**: Except for liveness properties -- *Channel Liveness*, *Apply VSC Liveness*, *Register Maturity Liveness*, and *Distribution Liveness* -- none of the properties of CCV require the *Correct Relayer* assumption to hold.
> Nonetheless, the *Correct Relayer* assumption is necessary to guarantee the systems properties (except for *Validator Set Replication*) -- *Bond-Based Consumer Voting Power*, *Slashable Consumer Misbehavior*, and *Consumer Rewards Distribution*.

### System Properties
[&uparrow; Back to Outline](#outline)

Expand Down Expand Up @@ -138,10 +141,6 @@ CCV provides the following system properties.
- `T` (equivalent) tokens MUST be eventually minted on the provider chain and then distributed among the validators that are part of the validator set;
- the total supply of tokens MUST be preserved, i.e., the `T` (original) tokens are escrowed on the consumer chain.

- ***Distribution Invariant***: If a consumer chain sends to the provider chain an amount `T` of tokens as reward for providing security, then
- `T` (equivalent) tokens are eventually minted on the provider chain and then distributed among the validators that are part of the validator set;
- the total supply of tokens is preserved, i.e., the `T` (original) tokens are escrowed on the consumer chain.

### CCV Channel
[&uparrow; Back to Outline](#outline)

Expand Down Expand Up @@ -217,8 +216,6 @@ The following properties define the guarantees of CCV on *registering* on the pr
- ***Register Maturity Order***: If a VSC `vsc1` was provided by the provider chain before another VSC `vsc2`, then the provider chain MUST NOT register the maturity notification of `vsc2` before the maturity notification of `vsc1`.
- ***Register Maturity Liveness***: If the provider chain provides a VSC `vsc` to the consumer chain, then the provider chain MUST eventually register a maturity notification of `vsc` from the consumer chain.

> Note that, except for *Apply VSC Liveness* and *Register Maturity Liveness*, none of the properties of CCV require the *Correct Relayer* assumption to hold.

### Consumer Initiated Slashing
[&uparrow; Back to Outline](#outline)

Expand Down Expand Up @@ -251,16 +248,16 @@ The following properties define the guarantees of CCV on *registering* on the pr
In this section we argue the correctness of the CCV protocol described in the [Technical Specification](./technical_specification.md),
i.e., we informally prove the properties described in the [previous section](#desired-properties).

- ***Channel Uniqueness*:** The provider chain side of the CCV channel is established when the provider CCV module receives the first `ChanOpenConfirm` message; all subsequent `ChanOpenConfirm` messages result in the underlying channel being closed (cf. *Safe Blockchain*).
- ***Channel Uniqueness***: The provider chain side of the CCV channel is established when the provider CCV module receives the first `ChanOpenConfirm` message; all subsequent `ChanOpenConfirm` messages result in the underlying channel being closed (cf. *Safe Blockchain*).
Similarly, the consumer chain side of the CCV channel is established when the consumer CCV module receives the first `VSCPacket` and ignores any packets received on different channels (cf. *Safe Blockchain*).

- ***Channel Validity*:** Follows directly from the *Safe Blockchain* assumption.
- ***Channel Validity***: Follows directly from the *Safe Blockchain* assumption.

- ***Channel Order*:** The provider chain accepts only ordered channels when receiving a `ChanOpenTry` message (cf. *Safe Blockchain*).
- ***Channel Order***: The provider chain accepts only ordered channels when receiving a `ChanOpenTry` message (cf. *Safe Blockchain*).
Similarly, the consumer chain accepts only ordered channels when receiving `ChanOpenInit` messages (cf. *Safe Blockchain*).
Thus, the property follows directly from the fact that the CCV channel is ordered.

- ***Channel Liveness*:** The property follows from the *Correct Relayer* assumption.
- ***Channel Liveness***: The property follows from the *Correct Relayer* assumption.

- ***Validator Update To VSC Validity***: The provider CCV module provides only VSCs that contain validator updates obtained from the Staking module,
i.e., by calling the `GetValidatorUpdates()` method (cf. *Safe Blockchain*).
Expand All @@ -277,11 +274,11 @@ i.e., we informally prove the properties described in the [previous section](#de
However, at height `h`, the provider CCV module tries to obtain a new batch of validator updates from the provider Staking module (cf. *Safe Blockchain*).
Thus, this batch of validator updates MUST contain all validator updates applied to the validator set of the provider chain at the end of block `B`, including `U` (cf. *Validator Update Provision*), which contradicts the initial assumption.

- ***Apply VSC Validity*:** The property follows from the following two assertions.
- ***Apply VSC Validity***: The property follows from the following two assertions.
- The consumer chain only applies VSCs received in `VSCPacket`s through the CCV channel (cf. *Safe Blockchain*).
- The provider chain only sends `VSCPacket`s containing provided VSCs (cf. *Safe Blockchain*).

- ***Apply VSC Order*:** We prove the property through contradiction.
- ***Apply VSC Order***: We prove the property through contradiction.
Given two VSCs `vsc1` and `vsc2` such that the provider chain provides `vsc1` before `vsc2`, we assume the consumer chain applies the validator updates included in `vsc2` before the validator updates included in `vsc1`.
The following sequence of assertions leads to a contradiction.
- The provider chain could not have sent a `VSCPacket` `P2` containing `vsc2` before a `VSCPacket` `P1` containing `vsc1` (cf. *Safe Blockchain*).
Expand All @@ -293,7 +290,7 @@ i.e., we informally prove the properties described in the [previous section](#de
Then, it applies the validator updates included in both `vsc1` and `vsc2` at the end of the block.
Thus, it could not have apply the validator updates included in `vsc2` before.

- ***Apply VSC Liveness*:** The provider chain eventually sends over the CCV channel a `VSCPacket` containing `vsc` (cf. *Safe Blockchain*, *Life Blockchain*).
- ***Apply VSC Liveness***: The provider chain eventually sends over the CCV channel a `VSCPacket` containing `vsc` (cf. *Safe Blockchain*, *Life Blockchain*).
As a result, the consumer chain eventually receives this packet (cf. *Channel Liveness*).
Then, the consumer chain aggregates all received VSCs at the end of the block and applies all the aggregated updates (cf. *Safe Blockchain*, *Life Blockchain*).
As a result, the consumer chain applies all validator updates in `vsc` (cf. *Validator Update Inclusion*).
Expand All @@ -305,7 +302,7 @@ i.e., we informally prove the properties described in the [previous section](#de
- The consumer chain receives on the CCV channel only packets sent by the provider chain (cf. *Channel Validity*).
- The provider chain only sends `VSCPacket`s containing provided VSCs (cf. *Safe Blockchain*).

- ***Register Maturity Timeliness*:** We prove the property through contradiction.
- ***Register Maturity Timeliness***: We prove the property through contradiction.
Given a VSC `vsc` provided by the provider chain to the consumer chain, we assume that the provider chain registers a maturity notification of `vsc` before `UnbondingPeriod` has elapsed on the consumer chain since the consumer chain applied `vsc`.
The following sequence of assertions leads to a contradiction.
- The provider chain could not have register a maturity notification of `vsc` before receiving on the CCV channel a `VSCMaturedPacket` `P` with `P.id = vsc.id` (cf. *Safe Blockchain*).
Expand All @@ -316,15 +313,15 @@ i.e., we informally prove the properties described in the [previous section](#de
- The provider chain could not have sent `P'` before providing `vsc`.
- Since the duration of sending packets through the CCV channel cannot be negative, the provider chain could not have registered a maturity notification of `vsc` before `UnbondingPeriod` has elapsed on the consumer chain since the consumer chain applied `vsc`.

- ***Register Maturity Order*:** We prove the property through contradiction. Given two VSCs `vsc1` and `vsc2` such that the provider chain provides `vsc1` before `vsc2`, we assume the provider chain registers the maturity notification of `vsc2` before the maturity notification of `vsc1`.
- ***Register Maturity Order***: We prove the property through contradiction. Given two VSCs `vsc1` and `vsc2` such that the provider chain provides `vsc1` before `vsc2`, we assume the provider chain registers the maturity notification of `vsc2` before the maturity notification of `vsc1`.
The following sequence of assertions leads to a contradiction.
- The provider chain could not have sent a `VSCPacket` `P2`, with `P2.updates = C2`, before a `VSCPacket` `P1`, with `P1.updates = C1` (cf. *Safe Blockchain*).
- The consumer chain could not have received `P2` before `P1` (cf. *Channel Order*).
- The consumer chain could not have sent a `VSCMaturedPacket` `P2'`, with `P2'.id = P2.id`, before a `VSCMaturedPacket` `P1'`, with `P1'.id = P1.id` (cf. *Safe Blockchain*).
- The provider chain could not have received `P2'` before `P1'` (cf. *Channel Order*).
- The provider chain could not have registered the maturity notification of `vsc2` before the maturity notification of `vsc1` (cf. *Safe Blockchain*).

- ***Register Maturity Liveness*:** The property follows from the following sequence of assertions.
- ***Register Maturity Liveness***: The property follows from the following sequence of assertions.
- The provider chain eventually sends on the CCV channel a `VSCPacket` `P`, with `P.updates = C` (cf. *Safe Blockchain*, *Life Blockchain*).
- The consumer chain eventually receives `P` on the CCV channel (cf. *Channel Liveness*).
- The consumer chain eventually sends on the CCV channel a `VSCMaturedPacket` `P'`, with `P'.id = P.id` (cf. *Safe Blockchain*, *Life Blockchain*).
Expand Down
Loading