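# Buildkite pipeline: cross-check the Settlement accounts found on-chain for the last
# N epochs against the settlement merkle-tree files this operator archived in GCS, and
# raise a Discord alert for any Settlement that is not in the archive.
#
# Job-environment inputs (no step prints them):
#   RPC_URL                         - Solana RPC endpoint used by every on-chain query
#   DISCORD_WEBHOOK_VALIDATOR_BONDS - webhook that receives the alert
#
# Interpolation: `buildkite-agent pipeline upload` substitutes single-`$` references
# (`$HOME`, `$gs_bucket`) at upload time and turns `$$VAR` into `$VAR` for the job
# shell. NOTE(review): `$gs_bucket` therefore relies on upload-time expansion of the
# top-level `env` block -- confirm this is intended, or write it as `$$gs_bucket` so
# it resolves in the job shell instead.
agents:
  queue: "snapshots"

env:
  # Quoted so no parser or formatter ever re-types the URI.
  gs_bucket: "gs://marinade-validator-bonds-mainnet"

# This pipeline is responsible for verifying the settlements of the past epochs.
# It downloads the past settlements from gcloud and checks their existence on-chain.
# If an unknown Settlement is found it may mean a malicious actor stole the operator
# keypair and is trying to withdraw funds.
# If that happens we need to act fast, as the Validator Bonds emergency or operator
# authority may cancel any Settlement at any time.
# The Settlement cannot be claimed immediately; it takes several slots (~ 1/2 of an
# epoch) before claiming is permitted.
# See
# * Config.slots_to_start_settlement_claiming
# * programs/validator-bonds/src/instructions/settlement/claim_settlement.rs
# * programs/validator-bonds/src/instructions/settlement/cancel_settlement.rs
steps:
  # Lock: only one run of this pipeline at a time. The unlock step at the very end
  # uses the same concurrency_group.
  - label: ":closed_lock_with_key: Concurrency gate lock"
    command: 'echo "--> Start of concurrency gate"'
    concurrency_group: 'validator-bonds/verify-settlements'
    concurrency: 1

  - wait

  - label: ":hammer_and_wrench: :rust: Build"
    commands:
      - '. "$HOME/.cargo/env"'
      - 'cargo build --release --bin list-settlement'
      - 'cargo build --release --bin verify-settlement'
    artifact_paths:
      - 'target/release/verify-settlement'
      - 'target/release/list-settlement'

  - label: " Loading past settlements json files"
    env:
      # Quoted so the shell receives the string "10" regardless of YAML parser; it is
      # read by the arithmetic expansion below.
      past_epochs_to_load: "10"
    commands:
      # All `commands` entries of a step run in one shell session, so variables set
      # here are visible to the later entries.
      - |
        # pipefail + --fail: an RPC/HTTP error now aborts this step with curl's message
        # instead of leaving current_epoch empty/null and producing a bogus epoch range.
        set -o pipefail
        current_epoch=$(curl --fail --silent --show-error "$$RPC_URL" -X POST -H "Content-Type: application/json" -d '{"jsonrpc":"2.0","id":1, "method":"getEpochInfo"}' | jq '.result.epoch')
        start_epoch=$((current_epoch - past_epochs_to_load))
      - 'mkdir ./merkle-trees/'
      - |
        echo "Sequence printing: $(seq $$start_epoch $$current_epoch)"
        for epoch in $(seq $$start_epoch $$current_epoch); do
          # The glob is quoted on purpose: gcloud expands it server-side.
          for merkle_tree_file in $(gcloud storage ls "$gs_bucket/$$epoch/*settlement-merkle-trees.json"); do
            base_name=$(basename "$$merkle_tree_file")
            gcloud storage cp "$$merkle_tree_file" "./merkle-trees/$${epoch}_$${base_name}"
          done
        done
    artifact_paths:
      - "./merkle-trees/*"

  - wait

  - label: ":campfire: List past settlements"
    env:
      RUST_LOG: "info,solana_transaction_builder_executor=debug,solana_transaction_builder=debug,solana_transaction_executor=debug,list_settlement=debug"
    commands:
      - '. "$HOME/.cargo/env"'
      - 'buildkite-agent artifact download --include-retried-jobs "merkle-trees/*" .'
      - 'buildkite-agent artifact download --include-retried-jobs target/release/list-settlement .'
      - 'chmod +x target/release/list-settlement'
      - './target/release/list-settlement -u "$$RPC_URL" -m ./merkle-trees/* --out ./past-settlements.json'
    artifact_paths:
      - "./past-settlements.json"

  - wait

  - label: ":campfire::arrow_right: Verify settlements"
    key: 'verify-settlement'
    env:
      RUST_LOG: "info,solana_transaction_builder_executor=debug,solana_transaction_builder=debug,solana_transaction_executor=debug,verify_settlement=debug"
    commands:
      - '. "$HOME/.cargo/env"'
      - 'command_name="verify-settlement"'
      # Each attempt appends an "#ATTEMPT" marker line to the per-retry report; the
      # notification-setup step counts those markers and strips them again before
      # publishing the JSON report.
      - |
        echo "#ATTEMPT VERIFY SETTLEMENTS $((BUILDKITE_RETRY_COUNT+1))" | tee -a "./execution-report.$$command_name.$$BUILDKITE_RETRY_COUNT"
      - 'buildkite-agent artifact download --include-retried-jobs target/release/verify-settlement .'
      - 'buildkite-agent artifact download --include-retried-jobs past-settlements.json .'
      - 'chmod +x target/release/verify-settlement'
      # pipefail makes the step exit code that of verify-settlement rather than tee,
      # which the `retry` rule below depends on.
      - |
        set -o pipefail
        ./target/release/verify-settlement \
          --rpc-url "$$RPC_URL" \
          --past-settlements ./past-settlements.json | tee -a "./execution-report.$$command_name.$$BUILDKITE_RETRY_COUNT"
    artifact_paths:
      - "./execution-report.*"
    retry:
      automatic:
        - exit_status: 100
          limit: 3

  - label: ":memo: Notification setup: Verify Settlements"
    key: 'notification'
    depends_on: "verify-settlement"
    # Runs even when verification failed so that a report (or the error stub written
    # below) is always available to the notification step.
    allow_dependency_failure: true
    commands:
      - 'mkdir ./reports'
      - "command_name='verify-settlement'"
      - 'buildkite-agent artifact download --include-retried-jobs "execution-report.$$command_name.*" ./reports/ || echo "[\"No report ERROR\"]" > "./reports/execution-report.$$command_name.error"'
      # `ls -v1` sorts by version number, so the report of the highest retry comes last.
      - 'report_path="./reports/$(ls -v1 reports/ | tail -n 1)"'
      - |
        # NOTE(review): grep -c already prints a bare count; the sed is a no-op kept
        # for behaviour parity. The pipe also masks grep's exit 1 on zero matches.
        ATTEMPT_COUNT=$(grep -c ATTEMPT "$$report_path" | sed 's/.*ATTEMPT //g')
        buildkite-agent meta-data set attempts_count "$${ATTEMPT_COUNT:-0}"
      - 'cat "$$report_path" | grep -v "ATTEMPT" > ./verify-report.json'
    artifact_paths:
      - "./verify-report.json"

  - wait

  - label: ":mega: Notification settlements verification"
    depends_on: "notification"
    allow_dependency_failure: true
    commands:
      - 'buildkite-agent artifact download --include-retried-jobs verify-report.json .'
      - 'build_result=$(buildkite-agent step get "outcome" --step "verify-settlement")'
      - |
        # Infrastructure failure of the verification step: dump the report and fail.
        # NOTE(review): no Discord message is sent on this path -- confirm that a
        # verification run that could not complete should stay silent.
        if [[ -z "$$build_result" || "$$build_result" =~ "failed" ]]; then
          echo "Failure at process of settlements verification"
          cat ./verify-report.json
          exit 42
        fi
      - 'echo "--- Verify report: ---"'
      - 'cat ./verify-report.json'
      - |
        # verify-report.json is expected to be a JSON array (see `length` / `join`);
        # NOTE(review): confirm its element type with verify-settlement.
        number_unknown_settlements=$(jq '. | length' ./verify-report.json)
        if [ "$$number_unknown_settlements" -gt 0 ]; then
          echo " => $$number_unknown_settlements unknown Settlements found"
          unknown_settlements=$(jq -rc '. | join(", ")' ./verify-report.json)
          # Build the webhook payload with jq so the report contents are JSON-encoded
          # instead of being spliced into a JSON literal by the shell (a quote or
          # backslash in a value would otherwise corrupt the payload and the alert
          # would be rejected). jq variables are written `$$name` because a
          # single `$` is consumed by pipeline upload.
          payload=$(jq -n \
            --arg title "🚨❗🚨 Unknown settlements :: <<$${number_unknown_settlements}>>" \
            --arg url "$$BUILDKITE_BUILD_URL" \
            --arg value "$$unknown_settlements" \
            '{embeds: [{title: $$title, url: $$url, color: "15158332", fields: [{name: "Unknown settlements", value: $$value, inline: true}]}]}')
          # --fail surfaces an HTTP error from the webhook instead of exiting 0 on a
          # rejected request.
          curl --fail --silent --show-error "$$DISCORD_WEBHOOK_VALIDATOR_BONDS" \
            -H 'Content-Type: application/json' \
            --data-binary "$$payload"
          # Non-zero exit marks the step (and the build) failed once the alert is out.
          exit 2
        fi

  - wait

  - label: ":unlock: Concurrency gate unlock"
    command: 'echo "End of concurrency gate <--"'
    concurrency_group: 'validator-bonds/verify-settlements'
    concurrency: 1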