-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
handling evidence when you don't have block history #5617
Comments
Another option is the node requests the block needed for verification. This approach would require some sort of cross reactor communication. This is part of the p2p refactor, slated for phase 3 (6 months out). |
Maybe. There was some opposition when we discussed this last time, so it may not happen, or we may not even have channels at all in phase 3 - all items in that phase are highly speculative and uncertain. |
Sorry for the miscommunication. I think in general we will need some sort of way for various modules to request info the node may not have. How its done is uncertain. |
With regards to the block retention height, if we leave this completely to the control of the app, then implementing back fill isn't really going to help because if the app sets a retain height > current height - evidence age then nodes will panic if they see a block with evidence coming from a height that is before the retain height (even if the evidence is invalid). Hence we should either:
|
It seems like option (1) is more robust, but the UX is a bit weird of operators see blocks that are not pruned when they think they should've been. |
You're right but I guess it's better to have blocks that you didn't think you'd have i.e. from pruning to close to the latest height than to not have the blocks that you thought you had. In other words, it's not too detrimental from a UX perspective. |
(1) is the cleaner approach, for now, but it assumes an application wants to handle evidence. How does this issue play into block backfilling? In block backfilling we assume we will backfill to the unbonding height so all nodes will have the history right? |
Do we want to be promoting evidence as an optional feature? If you don't want to handle evidence then set the evidence age to 0 and then you can prune to whatever height and evidence will always be ignored
Correct. Although applications if they wanted to could specify a height even older than the unbonding height that nodes have to retain history for. |
This is in the backfill proposal right? |
Yup |
I do not think so. Apps that no not want to deal with evidence, simply just ignore them. |
We can close this issue. It was solved in #6463 |
Summary
Evidence follows a notion of expiration which gives a window of time that evidence can be submitted. In order to validate evidence a node must have the block and state when the infraction occurred. This all means that any node in consensus must have all the blocks and state (validator sets) from h to h - evidenceAge. If not then there is a chance that the node may panic on seeing valid evidence receiving 2/3 votes.
Proposal
I see two ways of solving this:
By implementing Backfill blocks and state metadata #4629 and enforcing that the retain height be at least the maximum evidence age. This should safely ensure that all nodes participating in consensus have all the necessary blocks. Note1: this restriction is already somewhat enforced by the cosmos SDK. Note2: This would need to be for full nodes, seed nodes and validators
Separating out header validation logic and evidence validation logic where the former is mandatory (the nodes will panic if 2/3 vote on a block with say a different app hash) and the latter is only needed if you are to prevote/precommit for that block. If you see 2/3 vote for it then you skip the validating the evidence and by virtue of consensus (similarly to with txs or consensus param changes), accept it.
For Admin Use
The text was updated successfully, but these errors were encountered: