feat!: Cryptographic verification of equivocation (#1287)

* feat!: add ICS misbehaviour handling (#826) * define msg to submit misbehaviour to provider implement msg handling logic e2e test msg handling logic * wip: get byzantine validators in misbehavioiur handling * add tx handler * format HandleConsumerMisbehaviour * add tx handler * add debugging stuff * Add misbehaviour handler * create message for consumer double voting evidence * add DRAFT double vote handler * Add cli cmd for submit consumer double voting * Add double-vote handler * add last update * fix jailing * pass first jailing integration test * format tests * doc * save * update e2e tests' * fix typo and improve docs * remove unwanted tm evidence protofile * fix typos * update submit-consumer-misbehaviour cli description * check that header1 and header2 have the same TrustedValidators * feat: add e2e tests for ICS misbehaviour (#1118) * remove unwanted changes * fix hermes config with assigned key * revert unwanted changes * revert local setup * remove log file * typo * update doc * update ICS misbehaviour test * update ICS misbehaviour test * revert mixed commits * add doc * lint * update to handle only equivocations * improve doc * update doc * update E2E tests comment * optimize signatures check * doc * update e2e tests * linter * remove todo * Feat: avoid race condition in ICS misbehaviour handling (#1148) * remove unwanted changes * fix hermes config with assigned key * revert unwanted changes * revert local setup * remove log file * typo * update doc * update ICS misbehaviour test * update ICS misbehaviour test * revert mixed commits * update ICS misbehaviour test * update ICS misbehaviour test * Add test for MsgSubmitConsumerMisbehaviour parsing * fix linter * save progress * add CheckMisbehaviourAndUpdateState * update integration tests * typo * remove e2e tests from another PRs * cleaning' * Update x/ccv/provider/keeper/misbehaviour.go Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> * Update x/ccv/provider/keeper/misbehaviour.go Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> * update integration tests * save * save * nits * remove todo * lint * Update x/ccv/provider/keeper/misbehaviour.go --------- Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> Co-authored-by: Marius Poke <marius.poke@posteo.de> * Update x/ccv/provider/client/cli/tx.go Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> * Update x/ccv/provider/client/cli/tx.go Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> * add attributes to EventTypeSubmitConsumerMisbehaviour * Update x/ccv/provider/keeper/misbehaviour.go Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> * Update x/ccv/provider/keeper/misbehaviour.go Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> * apply review suggestions * fix docstring * Update x/ccv/provider/keeper/misbehaviour.go Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> * fix link * apply review suggestions * update docstring --------- Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> Co-authored-by: Marius Poke <marius.poke@posteo.de> * feat: improve ICS misbehaviour E2E testing coverage (#1225) * update e2e tests * update the chain halt assertion * refactor: address comments of ICS Misbehaviour PRs #826 and #1148 (#1223) * remove interface * improve comment * update godoc * address last comments * feat: add handler for consumer double voting (#1232) * create new endpoint for consumer double voting * add first draft handling logic * first iteration of double voting * draft first mem test * error handling * refactor * add unit test of double voting verification * remove evidence age checks * document * doc * protogen * reformat double voting handling * logger nit * nits * check evidence age duration * move verify double voting evidence to ut * fix nit * nits * fix e2e tests * improve double vote testing coverage * remove TODO * lint * add UT for JailAndTombstoneValidator * nits * nits * remove tombstoning and evidence age check * lint * typo * improve godoc * fix: tiny bug in `NewSubmitConsumerDoubleVotingCmd` (#1247) * fix double voting cli * fix bug double signing handler * godoc * nits * revert wrong push of lasts commits * fix: make `HandleConsumerDoubleVoting` works with provider pubkeys (#1254) * fix double voting cli * fix bug double signing handler * godoc * nits * lint * nit * fix: verify equivocation using validator pubkey in `SubmitConsumerDoubleVoting` msg (#1264) * verify dv evidence using malicious validator pubkey in infraction block header * nits * nits * refactor: update the E2E tests to work with Hermes relayer v1.6.0 (#1278) * save changes * fix hermes config * fist successful run * nit * nits * nits * doc and nits * lint * test: add E2E tests for double voting evidence handling (#1256) * fix double voting cli * add double-signing e2e test * refortmat e2e double voting test * godoc, revert unwanted changes * nit * verify dv evidence using malicious validator pubkey in infraction block header * save changes * fix hermes config * fist successful run * nit * nits * nits * doc and nits * lint * refactor * typo * change hermes docker image * nits * Update tests/e2e/steps.go Co-authored-by: Philip Offtermatt <57488781+p-offtermatt@users.noreply.github.com> * address PR comments * nits --------- Co-authored-by: Philip Offtermatt <57488781+p-offtermatt@users.noreply.github.com> * save * fix nits * update changelog and fix nits --------- Co-authored-by: Simon Noetzlin <simon.ntz@gmail.com> Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> Co-authored-by: Philip Offtermatt <57488781+p-offtermatt@users.noreply.github.com>
cosmos · Sep 14, 2023 · b1a6f31 · b1a6f31
1 parent 494c4d2
commit b1a6f31
Show file tree

Hide file tree

Showing 36 changed files with 3,581 additions and 81 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,13 @@ Add an entry to the unreleased section whenever merging a PR to main that is not
 ## v2.1.0-lsm-provider
 
 * (feature!) [#1280](https://github.com/cosmos/interchain-security/pull/1280) provider proposal for changing reward denoms
+* (feature!) [#826](https://github.com/cosmos/interchain-security/pull/826) add new endpoint to provider to handle consumer light client attacks
+* (feature!) [#1227](https://github.com/cosmos/interchain-security/pull/1227) add new endpoint to provider to handle consumer double signing attacks
+
+
+### Cryptographic verification of equivocation
+* New feature enabling the provider chain to verify equivocation evidence on its own instead of trusting consumer chains, see [EPIC](https://github.com/cosmos/interchain-security/issues/732).
+
 
 ## v2.0.0-lsm
 

diff --git a/Dockerfile b/Dockerfile
@@ -28,7 +28,7 @@ RUN go mod tidy
 RUN make install
 
 # Get Hermes build
-FROM ghcr.io/informalsystems/hermes:1.4.1 AS hermes-builder
+FROM otacrew/hermes-ics:evidence-cmd AS hermes-builder
 
 # Get CometMock
 FROM informalofftermatt/cometmock:latest as cometmock-builder

diff --git a/docs/docs/features/slashing.md b/docs/docs/features/slashing.md
@@ -34,3 +34,19 @@ The offending validator will effectively get slashed and tombstoned on all consu
 
 <!-- markdown-link-check-disable-next-line -->
 You can find instructions on creating `EquivocationProposal`s [here](./proposals#equivocationproposal).
+
+# Cryptographic verification of equivocation
+The Cryptographic verification of equivocation allows external agents to submit evidences of light client and double signing attack observed on a consumer chain. When a valid evidence is received, the malicious validators will be permanently jailed on the provider.
+
+The feature is outlined in this [ADR-005](../adrs/adr-005-cryptographic-equivocation-verification.md)
+
+By sending a `MsgSubmitConsumerMisbehaviour` or a `MsgSubmitConsumerDoubleVoting` transaction, the provider will
+ verify the reported equivocation and, if successful, jail the malicious validator.
+
+:::info
+Note that this feature can only lead to the jailing of the validators responsible for an attack on a consumer chain. However, an [equivocation proposal](#double-signing-equivocation) can still be submitted to execute the slashing and the tombstoning of the a malicious validator afterwards. 
+:::
+
+
+
+
diff --git a/proto/interchain_security/ccv/provider/v1/tx.proto b/proto/interchain_security/ccv/provider/v1/tx.proto
@@ -7,10 +7,15 @@ import "google/api/annotations.proto";
 import "gogoproto/gogo.proto";
 import "cosmos_proto/cosmos.proto";
 import "google/protobuf/any.proto";
+import "ibc/lightclients/tendermint/v1/tendermint.proto";
+import "tendermint/types/evidence.proto";
+
 
 // Msg defines the Msg service.
 service Msg {
  rpc AssignConsumerKey(MsgAssignConsumerKey) returns (MsgAssignConsumerKeyResponse);
+ rpc SubmitConsumerMisbehaviour(MsgSubmitConsumerMisbehaviour) returns (MsgSubmitConsumerMisbehaviourResponse);
+ rpc SubmitConsumerDoubleVoting(MsgSubmitConsumerDoubleVoting) returns (MsgSubmitConsumerDoubleVotingResponse);
 }
 
 message MsgAssignConsumerKey {
@@ -28,3 +33,33 @@ message MsgAssignConsumerKey {
 }
 
 message MsgAssignConsumerKeyResponse {}
+
+
+// MsgSubmitConsumerMisbehaviour defines a message that reports a light client attack,
+// also known as a misbehaviour, observed on a consumer chain
+message MsgSubmitConsumerMisbehaviour {
+ option (gogoproto.equal) = false;
+ option (gogoproto.goproto_getters) = false;
+ string submitter = 1;
+ // The Misbehaviour of the consumer chain wrapping 
+ // two conflicting IBC headers 
+ ibc.lightclients.tendermint.v1.Misbehaviour misbehaviour = 2;
+}
+
+message MsgSubmitConsumerMisbehaviourResponse {}
+
+
+// MsgSubmitConsumerDoubleVoting defines a message that reports 
+// a double signing infraction observed on a consumer chain
+message MsgSubmitConsumerDoubleVoting {
+ option (gogoproto.equal) = false;
+ option (gogoproto.goproto_getters) = false;
+ string submitter = 1;
+ // The equivocation of the consumer chain wrapping 
+ // an evidence of a validator that signed two conflicting votes
+ tendermint.types.DuplicateVoteEvidence duplicate_vote_evidence = 2;
+ // The light client header of the infraction block
+ ibc.lightclients.tendermint.v1.Header infraction_block_header = 3;
+}
+
+message MsgSubmitConsumerDoubleVotingResponse {}
diff --git a/tests/e2e/actions.go b/tests/e2e/actions.go
@@ -63,7 +63,7 @@ type StartChainAction struct {
  validators []StartChainValidator
  // Genesis changes specific to this action, appended to genesis changes defined in chain config
  genesisChanges string
- skipGentx  bool
+ isConsumer bool
 }
 
 type StartChainValidator struct {
@@ -133,7 +133,7 @@ func (tr TestRun) startChain(
  cmd := exec.Command("docker", "exec", tr.containerConfig.instanceName, "/bin/bash",
  "/testnet-scripts/start-chain.sh", chainConfig.binaryName, string(vals),
  string(chainConfig.chainId), chainConfig.ipPrefix, genesisChanges,
- fmt.Sprint(action.skipGentx),
+ fmt.Sprint(action.isConsumer),
  // override config/config.toml for each node on chain
  // usually timeout_commit and peer_gossip_sleep_duration are changed to vary the test run duration
  // lower timeout_commit means the blocks are produced faster making the test run shorter
@@ -170,6 +170,7 @@ func (tr TestRun) startChain(
  tr.addChainToRelayer(addChainToRelayerAction{
  chain: action.chain,
  validator: action.validators[0].id,
+ consumer: action.isConsumer,
  }, verbose)
 }
 
@@ -280,6 +281,8 @@ func (tr TestRun) submitConsumerAdditionProposal(
  if err != nil {
  log.Fatal(err, "\n", string(bz))
  }
+
+ tr.waitBlocks(action.chain, 1, 5*time.Second)
 }
 
 type submitConsumerRemovalProposalAction struct {
@@ -565,7 +568,7 @@ func (tr TestRun) startConsumerChain(
  chain: action.consumerChain,
  validators: action.validators,
  genesisChanges: consumerGenesis,
- skipGentx:  true,
+ isConsumer: true,
  }, verbose)
 }
 
@@ -699,6 +702,7 @@ func (tr TestRun) startChangeover(
 type addChainToRelayerAction struct {
  chain chainID
  validator validatorID
+ consumer bool
 }
 
 const hermesChainConfigTemplate = `
@@ -715,7 +719,8 @@ rpc_addr = "%s"
 rpc_timeout = "10s"
 store_prefix = "ibc"
 trusting_period = "14days"
-websocket_addr = "%s"
+event_source = { mode = "push", url = "%s", batch_delay = "50ms" }
+ccv_consumer_chain = %v
 
 [chains.gas_price]
  denom = "stake"
@@ -814,7 +819,7 @@ func (tr TestRun) addChainToHermes(
  keyName,
  rpcAddr,
  wsAddr,
- // action.consumer,
+ action.consumer,
  )
 
  bashCommand := fmt.Sprintf(`echo '%s' >> %s`, chainConfig, "/root/.hermes/config.toml")
@@ -828,7 +833,15 @@ func (tr TestRun) addChainToHermes(
  }
 
  // Save mnemonic to file within container
- saveMnemonicCommand := fmt.Sprintf(`echo '%s' > %s`, tr.validatorConfigs[action.validator].mnemonic, "/root/.hermes/mnemonic.txt")
+ var mnemonic string
+ if tr.validatorConfigs[action.validator].useConsumerKey && action.consumer {
+ mnemonic = tr.validatorConfigs[action.validator].consumerMnemonic
+ } else {
+ mnemonic = tr.validatorConfigs[action.validator].mnemonic
+ }
+
+ saveMnemonicCommand := fmt.Sprintf(`echo '%s' > %s`, mnemonic, "/root/.hermes/mnemonic.txt")
+ fmt.Println("Add to hermes", action.validator)
  //#nosec G204 -- Bypass linter warning for spawning subprocess with cmd arguments.
  bz, err = exec.Command("docker", "exec", tr.containerConfig.instanceName, "bash", "-c",
  saveMnemonicCommand,
@@ -1716,7 +1729,7 @@ func (tr TestRun) submitChangeRewardDenomsProposal(action submitChangeRewardDeno
  //#nosec G204 -- Bypass linter warning for spawning subprocess with cmd arguments.
  // CHANGE REWARDS DENOM PROPOSAL
  bz, err = exec.Command("docker", "exec", tr.containerConfig.instanceName, providerChain.binaryName,
- "tx", "gov", "submit-legacy-proposal", "change-reward-denoms", "/change-reward-denoms-proposal.json",
+ "tx", "gov", "submit-proposal", "change-reward-denoms", "/change-reward-denoms-proposal.json",
  `--from`, `validator`+fmt.Sprint(action.from),
  `--chain-id`, string(providerChain.chainId),
  `--home`, tr.getValidatorHome(providerChain.chainId, action.from),
@@ -1864,6 +1877,8 @@ func (tr TestRun) assignConsumerPubKey(action assignConsumerPubKeyAction, verbos
  valCfg.useConsumerKey = true
  tr.validatorConfigs[action.validator] = valCfg
  }
+
+ time.Sleep(1 * time.Second)
 }
 
 // slashThrottleDequeue polls slash queue sizes until nextQueueSize is achieved
@@ -1925,3 +1940,26 @@ func (tr TestRun) GetPathNameForGorelayer(chainA, chainB chainID) string {
 
  return pathName
 }
+
+// Run an instance of the Hermes relayer using the "evidence" command,
+// which detects evidences committed to the blocks of a consumer chain.
+// Each infraction detected is reported to the provider chain using
+// either a SubmitConsumerDoubleVoting or a SubmitConsumerMisbehaviour message.
+type startConsumerEvidenceDetectorAction struct {
+ chain chainID
+}
+
+func (tr TestRun) startConsumerEvidenceDetector(
+ action startConsumerEvidenceDetectorAction,
+ verbose bool,
+) {
+ chainConfig := tr.chainConfigs[action.chain]
+ // run in detached mode so it will keep running in the background
+ //#nosec G204 -- Bypass linter warning for spawning subprocess with cmd arguments.
+ bz, err := exec.Command("docker", "exec", "-d", tr.containerConfig.instanceName,
+ "hermes", "evidence", "--chain", string(chainConfig.chainId)).CombinedOutput()
+ if err != nil {
+ log.Fatal(err, "\n", string(bz))
+ }
+ tr.waitBlocks("provi", 10, 2*time.Minute)
+}
diff --git a/tests/e2e/actions_consumer_misbehaviour.go b/tests/e2e/actions_consumer_misbehaviour.go
@@ -0,0 +1,119 @@
+package main
+
+import (
+ "bufio"
+ "fmt"
+ "log"
+ "os/exec"
+ "strconv"
+ "time"
+)
+
+// forkConsumerChainAction forks the consumer chain by cloning of a validator node
+// Note that the chain fork is running in an different network
+type forkConsumerChainAction struct {
+ consumerChain chainID
+ providerChain chainID
+ validator validatorID
+ relayerConfig string
+}
+
+func (tr TestRun) forkConsumerChain(action forkConsumerChainAction, verbose bool) {
+ valCfg := tr.validatorConfigs[action.validator]
+
+ //#nosec G204 -- Bypass linter warning for spawning subprocess with cmd arguments.
+ configureNodeCmd := exec.Command("docker", "exec", tr.containerConfig.instanceName, "/bin/bash",
+ "/testnet-scripts/fork-consumer.sh", tr.chainConfigs[action.consumerChain].binaryName,
+ string(action.validator), string(action.consumerChain),
+ tr.chainConfigs[action.consumerChain].ipPrefix,
+ tr.chainConfigs[action.providerChain].ipPrefix,
+ valCfg.mnemonic,
+ action.relayerConfig,
+ )
+
+ if verbose {
+ log.Println("forkConsumerChain - reconfigure node cmd:", configureNodeCmd.String())
+ }
+
+ cmdReader, err := configureNodeCmd.StdoutPipe()
+ if err != nil {
+ log.Fatal(err)
+ }
+ configureNodeCmd.Stderr = configureNodeCmd.Stdout
+
+ if err := configureNodeCmd.Start(); err != nil {
+ log.Fatal(err)
+ }
+
+ scanner := bufio.NewScanner(cmdReader)
+
+ for scanner.Scan() {
+ out := scanner.Text()
+ if verbose {
+ log.Println("fork consumer validator : " + out)
+ }
+ if out == done {
+ break
+ }
+ }
+ if err := scanner.Err(); err != nil {
+ log.Fatal(err)
+ }
+
+ time.Sleep(5 * time.Second)
+}
+
+type updateLightClientAction struct {
+ chain chainID
+ hostChain chainID
+ relayerConfig string
+ clientID string
+}
+
+func (tr TestRun) updateLightClient(
+ action updateLightClientAction,
+ verbose bool,
+) {
+ // retrieve a trusted height of the consumer light client
+ trustedHeight := tr.getTrustedHeight(action.hostChain, action.clientID, 2)
+
+ //#nosec G204 -- Bypass linter warning for spawning subprocess with cmd arguments.
+ cmd := exec.Command("docker", "exec", tr.containerConfig.instanceName, "hermes",
+ "--config", action.relayerConfig,
+ "update",
+ "client",
+ "--client", action.clientID,
+ "--host-chain", string(action.hostChain),
+ "--trusted-height", strconv.Itoa(int(trustedHeight.RevisionHeight)),
+ )
+ if verbose {
+ log.Println("updateLightClientAction cmd:", cmd.String())
+ }
+
+ bz, err := cmd.CombinedOutput()
+ if err != nil {
+ log.Fatal(err, "\n", string(bz))
+ }
+
+ tr.waitBlocks(action.hostChain, 5, 30*time.Second)
+}
+
+type assertChainIsHaltedAction struct {
+ chain chainID
+}
+
+// assertChainIsHalted verifies that the chain isn't producing blocks
+// by checking that the block height is still the same after 20 seconds
+func (tr TestRun) assertChainIsHalted(
+ action assertChainIsHaltedAction,
+ verbose bool,
+) {
+ blockHeight := tr.getBlockHeight(action.chain)
+ time.Sleep(20 * time.Second)
+ if blockHeight != tr.getBlockHeight(action.chain) {
+ panic(fmt.Sprintf("chain %v isn't expected to produce blocks", action.chain))
+ }
+ if verbose {
+ log.Printf("assertChainIsHalted - chain %v was successfully halted\n", action.chain)
+ }
+}