mirrors/tendermint
1
0
Fork 0
mirror of https://github.com/tendermint/tendermint.git synced 2026-02-07 04:20:44 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
wb/msg-byte-tests
tendermint/spec/light-client/detection/req-ibc-detection.md
Callum Waters 1f0cf7762b spec: migrate v0.7.1. into v0.34 (#9262) 
* Initial commit

* Add three timeouts and align pseudocode better with existing algorithm

* Align protocol with Tendermint code and add find valid value mechanism

* Prepare to Nuke Develop (#47)

* state -> step

* vote -> v

* New version of the algorithm and the proof

* New version of the algorithm and the proofs

* Added algorithm description

* Add algorithm description

* Add introduction

* Add conclusion

* Add conclusion file

* fix warnings (caption was defined twice)

- only the latter is used anyways (centers captions)
- this makes it possible to autom. building the paper

* Update grammar

* s/state_p/step_p

* Address Ismail's comments

* intro: language fixes

* definitions: language fixes

* consensus: various fixes

* proof: some fixes

* try to improve reviewability

* \eq -> =

* textwrap to 79

* various minor fixes

* proof: fix itemization

* proof: more minor fixes

* proof: timeouts are functions

* proof: fixes to lemma6

* Intro changes and improve title page

* Add Marko and Ming to acks

* add readme

* Format algorithm correctly

Clarify condition semantic and timeouts

Improve descriptions

* patform -> platform

* Ensure that rules are mutually exclusive

- various clarifications and small improvements

* Release v0.6

* small nits for smoother readability

* This PR is to create signed commits to be able to merge (#50)

Signed-off-by: Marko Baricevic <marbar3778@yahoo.com>

* Add consesnus and blockchain specs, (#52)

- Open questions
	- Do  we want to split lite client work from consesnsus
	- From the blockchain spec, is encoding nessecary in the spec

Signed-off-by: Marko Baricevic <marbar3778@yahoo.com>

* Add ABCI SPEC (#51)

- move the abci spec from tendermint to spec repo

Signed-off-by: Marko Baricevic <marbar3778@yahoo.com>

* spec/consensus/signing: add more details about nil and amnesia (#54)

- Add more details about nil votes and about amnesia attacks

Signed-off-by: Marko Baricevic <marbar3778@yahoo.com>

* Add Section for P2P (#53)

* Add Section for P2P

- moved over the section on p2p

Signed-off-by: Marko Baricevic <marbar3778@yahoo.com>

* add some more files

Signed-off-by: Marko Baricevic <marbar3778@yahoo.com>

* Fix model section

* Add non-recursive specification of Bisection algorithm

- Fix timing issues by introducing Delta parameter

* spec: update spec with tendermint updates (#62)

* spec: update spec with tendermint updates

- this in preperation of deleting the spec folder in docs in tendermint/tendermint

Signed-off-by: Marko Baricevic <marbar3778@yahoo.com>

* spec: added in reactors & p2p

Signed-off-by: Marko Baricevic <marbar3778@yahoo.com>

* spec: update readme in spec to comply with docs site

Signed-off-by: Marko Baricevic <marbar3778@yahoo.com>

* docs: addded more changes from tednermint/tendermint

Signed-off-by: Marko Baricevic <marbar3778@yahoo.com>

* reflect breaking changes made to Commit (#63)

* reflect breaking changes made to Commit

PR: https://github.com/tendermint/tendermint/pull/4146
Issue: https://github.com/tendermint/tendermint/issues/1648

* types: rename Commit#Precommits to Signatures

* update BlockIDFlagAbsent comment

* remove iota

* Clean up error conditions and simplify pseudocode

* Apply suggestions from code review

Co-Authored-By: Anca Zamfir <ancazamfir@users.noreply.github.com>

* Add spec doc about unconditional_peer, persistent_peers_max_dial of ADR-050 (#68)

* Add spec doc about unconditional_peer_ids, persistent_peers_max_dial_period of ADR-050

* Add indefinitely dialing condition

* Add sr25519 amino documentation (#67)

* sr25519 amino

* Update spec/blockchain/encoding.md

Co-Authored-By: Marko <marbar3778@yahoo.com>

* some suggestions for pseuodocode changes

* Improved error handling

* Add explanation on difference between trusted models

* Address reviewer's comments

* Addressing reviewer's comments

* Separating algorithm from proofs

* Intermediate commit (aligning spec with the code)

* Removing Store from API and providing end-to-end timing guarantees

* Address reviewer comment's. Intermediate commit

* light client dir and readmes

* titles

* add redirects

* add diagram

* detection TODO

* fix image

* update readme

* Aligh the correctness arguments with the pseudocode changes

* lite->light

* Fix link in readme

./light -> ./light-client

* p2p: Merlin based malleability fixes (#72)

* Update the secret connection spec with the use of merlin to eliminte handshake malleability

* Update spec/p2p/peer.md

Co-Authored-By: Anton Kaliaev <anton.kalyaev@gmail.com>

* Update spec/p2p/peer.md

Co-Authored-By: Anton Kaliaev <anton.kalyaev@gmail.com>

* Update spec/p2p/peer.md

Co-Authored-By: Anton Kaliaev <anton.kalyaev@gmail.com>

Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>

* docs: update specs to remove cmn (#77)

- cmn was remvoed in favor of sub pkgs. cmn.kvpair is now kv.pair

Signed-off-by: Marko Baricevic <marbar3778@yahoo.com>

* evidence: Add time to evidence params (#69)

* evidence: Add time to evidence params

- this pr is grouped together with https://github.com/tendermint/tendermint/pull/4254, once that PR is merged then this one can be as well.

Signed-off-by: Marko Baricevic <marbar3778@yahoo.com>

* remove note

Signed-off-by: Marko Baricevic <marbar3778@yahoo.com>

* Apply suggestions from code review

Co-Authored-By: Anton Kaliaev <anton.kalyaev@gmail.com>

Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>

* update link to the pex reactor

* add markdown link checker

* changed tab spacing

* removed folder-path flag

* first attempt at fixing all links

* second attempt at fixing all links

* codeowners: add code owners (#82)

* codeowners: add code owners

- added some codeowners
please comment if youd like to be added as well.

Signed-off-by: Marko Baricevic <marbar3778@yahoo.com>

* remove comment of repo maintainers

* remove .idea dir (#83)

Signed-off-by: Marko Baricevic <marbar3778@yahoo.com>

* RFC-001: configurable block retention (#84)

* Added RFC for truncated block history coordination

* Clarified minimum block retention

* Added hard checks on block retention and snapshot interval, and made some minor tweaks

* Genesis parameters are immutable

* Use local config for snapshot interval

* Reordered parameter descriptions

* Clarified local config option for snapshot-interval

* rewrite for ABCI commit response

* Renamed RFC

* add block retention diagram

* Removed retain_blocks table

* fix image numbers

* resolved open questions

* image quality

* accept RFC-001 (#86)

* abci: add basic description of ABCI Commit.ResponseHeight (#85)

Documentation for block pruning, once it's merged: tendermint/tendermint#4588.

Minimum documentation, for now - we probably shouldn't encourage using this feature too much until we release state sync.

* abci: add MaxAgeNumBlocks/MaxAgeDuration to EvidenceParams (#87)

* abci: update MaxAgeNumBlocks & MaxAgeDuration docs (#88)

* document state sync ABCI interface and P2P protocol (#90)

The corresponding Tendermint PRs are tendermint/tendermint#4704 and tendermint/tendermint#4705.

* Revert "document state sync ABCI interface and P2P protocol (#90)" (#92)

This reverts commit 9842b4b0fb.

* blockchain: change validator set sorting method (#91)

* abci: specify sorting of RequestInitChain.Validators

* blockchain: change validator sorting method

Refs https://github.com/tendermint/tendermint/issues/2478

* reactors/pex: specify hash function (#94)

https://github.com/tendermint/tendermint/pull/4810/files

* document state sync ABCI interface and P2P protocol (#93)

* Revert "Revert "document state sync ABCI interface and P2P protocol (#90)" (#92)"

This reverts commit 90797cef90.

* update with new enum case

* fix links

Co-authored-by: Erik Grinaker <erik@interchain.berlin>

* Update evidence params with MaxNum (#95)

evidence params now includes maxNum which is the maximum number of evidence that can be committed on a single block

* reactors/pex: masked IP is used as group key (#96)

* spec: add ProofTrialPeriod to EvidenceParam (#99)

* spec: modify Header.LastResultsHash (#97)

Refs: https://github.com/tendermint/tendermint/issues/1007
PR: https://github.com/tendermint/tendermint/pull/4845

* spec: link to abci server implementations (#100)

* spec: update evidence in blockchain.md (#108)

now evidence reflects the actual evidence present in the tendermint repo

* abci: add AppVersion to ConsensusParams (#106)

* abci: tweak node sync estimate (#115)

* spec/abci: expand on Validator#Address (#118)

Refs https://github.com/tendermint/tendermint/issues/3732

* blockchain: rename to core (#123)

* blockchain: remove duplicate evidence sections (#124)

* spec/consensus: canonical vs subjective commit

Refs https://github.com/tendermint/tendermint/issues/2769

* Apply suggestions from code review

Co-authored-by: Igor Konnov <igor.konnov@gmail.com>

* update spec with the removal of phantom validator evidence (#126)

* bring blockchain back

* add correct links

* spec: revert event hashing (#132)

* Evidence time is sourced from block time (#138)

* RFC-002: non-zero genesis (#119)

* abci: add ResponseInitChain.app_hash (#140)

* update hashing of empty inputs, and initial block LastResultsHash (#141)

* update evidence verification (#139)

* accept RFC-002 (#142)

* add description of arbitrary initial height (#135)

* update ResponseInitChain.app_hash description (#143)

* remove unused directories and update README (#145)

This change removes unused directories (`papers` and `research`) 
and updates the README to reflect our strategy for merging the 
informalsystems/tendermint-rs specs into this repository.

Partially addresses #121.

* ci: add markdown linter (#146)

* ci: add dependabot config (#148)

* build(deps): bump gaurav-nelson/github-action-markdown-link-check from 0.6.0 to 1.0.7 (#149)

Bumps [gaurav-nelson/github-action-markdown-link-check](https://github.com/gaurav-nelson/github-action-markdown-link-check) from 0.6.0 to 1.0.7.

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs: add sections to abci (#150)

* spec: update abci events (#151)

* spec: extract light-client to its own directory (#152)

Co-authored-by: Callum Waters <cmwaters19@gmail.com>

* spec: remove evidences (#153)

* add a stale bot (#134)

* Current versions of light client specs from tendermint-rs (#158)

* current versions of light client specs from tendermint-rs

* markdown lint

* linting

* links

* links

* links

Co-authored-by: Marko Baricevic <marbar3778@yahoo.com>

* Fastsync spec from tendermint-rs (#157)

* fastsync spec from tendermint-rs

* fixed broken link

* fixed linting

* more fixes

* markdown lint

* move fast_sync to rust-spec

Co-authored-by: Marko Baricevic <marbar3778@yahoo.com>

* Update README.md (#160)

* spec/reactors/mempool: batch txs per peer (#155)

* spec/reactors/mempool: batch txs per peer

Refs https://github.com/tendermint/tendermint/issues/625

* update

* spec: Light client attack detector (#164)

* start with new detection and evidence spec

* more definitions at top

* sketch of functions

* pre post draft

* evidence proof

* typo

* evidence theory polished

* some TODOs resolved

* more TODOs

* links

* second to last revision before PR

* links

* I will read once more and then make a PR

* removed peer handling definitions

* secondary

* ready to review

* detector ready for review

* Update rust-spec/lightclient/detection/detection.md

Co-authored-by: Zarko Milosevic <zarko@informal.systems>

* Update rust-spec/lightclient/detection/detection.md

Co-authored-by: Zarko Milosevic <zarko@informal.systems>

* Update rust-spec/lightclient/detection/detection.md

Co-authored-by: Zarko Milosevic <zarko@informal.systems>

* Update rust-spec/lightclient/detection/detection.md

Co-authored-by: Zarko Milosevic <zarko@informal.systems>

* Update rust-spec/lightclient/detection/detection.md

Co-authored-by: Zarko Milosevic <zarko@informal.systems>

* Update rust-spec/lightclient/detection/detection.md

Co-authored-by: Zarko Milosevic <zarko@informal.systems>

* Update rust-spec/lightclient/detection/detection.md

* skip-trace

* PossibleCommit explained

* Update rust-spec/lightclient/detection/detection.md

Co-authored-by: Zarko Milosevic <zarko@informal.systems>

* comments by Zarko

* renamed and changed link in README

Co-authored-by: Zarko Milosevic <zarko@informal.systems>

* fixed an overlooked conflict (#167)

* describe valset sorting according to v0.34 requirements (#169)

* evidence: update data structures (#165)

* fix markdown linter (#172)

* TLA+ specs from MBT revision (#173)

* remove setOption (#181)

* spec: protobuf changes (#156)

Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>

* first check latest with secondary (#184)

* Extending the blockchain specification (in the light client) to produce different ratios of faults (#183)

* cleaning unused definitions

* introduced the ratio of faulty processes

* Update README.md (#185)

* build(deps): bump gaurav-nelson/github-action-markdown-link-check from 1.0.7 to 1.0.8 (#188)

Bumps [gaurav-nelson/github-action-markdown-link-check](https://github.com/gaurav-nelson/github-action-markdown-link-check) from 1.0.7 to 1.0.8.
- [Release notes](https://github.com/gaurav-nelson/github-action-markdown-link-check/releases)
- [Commits](https://github.com/gaurav-nelson/github-action-markdown-link-check/compare/1.0.7...e3c371c731b2f494f856dc5de7f61cea4d519907)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* spec: update light client verification to match supervisor (#171)

* VDD renaming of verification spec + links fixed

* latest()

* backwards

* added TODOs

* link in old file to new name

* better text

* revision done. needs one more round of reading

* renamed constants in 001 according to TLA+ and impl

* ready for PR

* forgot linting

* Update rust-spec/lightclient/verification/verification_002_draft.md

* Update rust-spec/lightclient/verification/verification_002_draft.md

* added lightstore function needed for supervisor

* added lightstore functions for supervisor

* ident

* Update rust-spec/lightclient/verification/verification_002_draft.md

* github: issue template for proposals (#190)

* Sequential Supervisor (#186)

* move from tendermint-rs but needs discussion

* markdown lint

* TODO links replaced

* links

* links

* links lint

* Update rust-spec/lightclient/supervisor/supervisor.md

* Update rust-spec/lightclient/supervisor/supervisor.md

* Update rust-spec/lightclient/supervisor/supervisor.md

* Update rust-spec/lightclient/supervisor/supervisor.md

* moved peer handling definitions to supervisor

* polishing

* rename

* Update rust-spec/lightclient/supervisor/supervisor_001_draft.md

* Update rust-spec/lightclient/supervisor/supervisor_001_draft.md

* changes to maintain StateVerified again

* ready for changes in verification

* start of supervisor

* module name

* fixed

* more details

* supevisor completed. Now I have to add function to verification

* ready for review

* tla comment

* removed issues

* Update rust-spec/lightclient/supervisor/supervisor_001_draft.md

* intro text fixed

* indentation

* Update rust-spec/lightclient/supervisor/supervisor_001_draft.md

* comment to entry points

Co-authored-by: Marko Baricevic <marbar3778@yahoo.com>

* RFC: adopt zip 215 (#144)

Co-authored-by: Robert Zaremba <robert@zaremba.ch>

* Core: move validation & data structures together (#176)

Co-authored-by: Callum Waters <cmwaters19@gmail.com>

* docs: make blockchain not viewable (#211)

* evidence: update data structures to reflect added support of abci evidence (#213)

* encoding: add secp, ref zip215, tables (#212)

* Detector English Spec ready (#215)

Add detector English spec

* add Ivy proofs (#210)

* add Ivy proofs

* fix docker-compose command

* Light client detector spec in TLA+ and refactoring of light client verification TLA+ spec (#216)

Add light client detector spec in TLA+

* abci: lastcommitinfo.round extra sentence (#221)

* abci: add abci_version to requestInfo (#223)

* BFT requires _less than_ 1/3 faulty validators (#228)

Thanks fo spotting the imprecision in the text, @shahankhatch !

* Draft of evidence handling for discussion (#225)

* start with accountability deliverable

* problem statement

* draft function

* quite complete draft. ready to discuss with Igor

* Update isolate-attackers_001_draft.md

* Update isolate-attackers_001_draft.md

* Update isolate-attackers_001_draft.md

* Update isolate-attackers_001_draft.md

* Update isolate-attackers_001_draft.md

* ready for TLA+ to take over

* isolate

* isolateamnesiatodos

* Update isolate-attackers_001_draft.md

* Update rust-spec/lightclient/attacks/isolate-attackers_001_draft.md

Co-authored-by: Igor Konnov <konnov@forsyte.at>

* Update rust-spec/lightclient/attacks/isolate-attackers_001_draft.md

Co-authored-by: Igor Konnov <konnov@forsyte.at>

* Update rust-spec/lightclient/attacks/isolate-attackers_001_draft.md

Co-authored-by: Igor Konnov <konnov@forsyte.at>

* Update rust-spec/lightclient/attacks/isolate-attackers_001_draft.md

Co-authored-by: Igor Konnov <konnov@forsyte.at>

* Update rust-spec/lightclient/attacks/isolate-attackers_001_draft.md

Co-authored-by: Igor Konnov <konnov@forsyte.at>

* Update rust-spec/lightclient/attacks/isolate-attackers_001_draft.md

Co-authored-by: Igor Konnov <konnov@forsyte.at>

* Update rust-spec/lightclient/attacks/isolate-attackers_001_draft.md

Co-authored-by: Igor Konnov <konnov@forsyte.at>

* Update rust-spec/lightclient/attacks/isolate-attackers_001_draft.md

Co-authored-by: Igor Konnov <konnov@forsyte.at>

* The TLA+ specification of the attackers detection (#231)

* the working attackers isolation spec, needs more comments

* the TLA+ spec of the attackers isolation

* build(deps): bump gaurav-nelson/github-action-markdown-link-check (#233)

Bumps [gaurav-nelson/github-action-markdown-link-check](https://github.com/gaurav-nelson/github-action-markdown-link-check) from 1.0.8 to 1.0.11.
- [Release notes](https://github.com/gaurav-nelson/github-action-markdown-link-check/releases)
- [Commits](https://github.com/gaurav-nelson/github-action-markdown-link-check/compare/1.0.8...2a60e0fe41b5361f446ccace6621a1a2a5c324cf)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Computing attack types (#232)

Add light attack evidence handling

* Update README.md (#234)

* p2p: update frame size (#235)

Reflect the change made in https://github.com/tendermint/tendermint/pull/5805

The MTU (Maximum Transmission Unit) for Ethernet is 1500 bytes.
The IP header and the TCP header take up 20 bytes each at least (unless
optional header fields are used) and thus the max for (non-Jumbo frame)
Ethernet is 1500 - 20 -20 = 1460
Source: https://stackoverflow.com/a/3074427/820520

* build(deps): bump gaurav-nelson/github-action-markdown-link-check (#239)

Bumps [gaurav-nelson/github-action-markdown-link-check](https://github.com/gaurav-nelson/github-action-markdown-link-check) from 1.0.11 to 1.0.12.
- [Release notes](https://github.com/gaurav-nelson/github-action-markdown-link-check/releases)
- [Commits](https://github.com/gaurav-nelson/github-action-markdown-link-check/compare/1.0.11...0fe4911067fa322422f325b002d2038ba5602170)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* layout: add section titles (#240)

* reactors: remove bcv1 (#241)

* abci: rewrite to proto interface (#237)

* Update supervisor_001_draft.md (#243)

* spec: remove reactor section (#242)

Co-authored-by: Tess Rinearson <tess.rinearson@gmail.com>

* non-critical bugfix in the TLA+ spec (found by new version of apalache) (#244)

* params: remove block timeiota (#248)

* proto: add files (#246)

Co-authored-by: Erik Grinaker <erik@interchain.berlin>

* proto: modify height int64 to uint64 (#253)

* abci: note on concurrency (#258)

Co-authored-by: Marko <marbar3778@yahoo.com>

* spec: merge rust-spec (#252)

* Fix list of RFCs (#266)

* readme: cleanup (#262)

* modify readme

* add rfc and proto

* add rust=spec back to avoid breakage

* lint readme

* genesis: Explain fields in genesis file (#270)

* describe the genesis

* Update spec/core/genesis.md

Co-authored-by: Dev Ojha <ValarDragon@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Callum Waters <cmwaters19@gmail.com>

* add wording on app_state

* Update spec/core/genesis.md

Co-authored-by: Callum Waters <cmwaters19@gmail.com>

Co-authored-by: Dev Ojha <ValarDragon@users.noreply.github.com>
Co-authored-by: Callum Waters <cmwaters19@gmail.com>

* p2p: links (#268)

* fix links

* fix more links

* Proposer-based timestamp specification (#261)

* added proposer-based timestamp spec

* Update spec/consensus/proposer-based-timestamp/pbts_001_draft.md

Co-authored-by: Aleksandr Bezobchuk <alexanderbez@users.noreply.github.com>

* Update spec/consensus/proposer-based-timestamp/pbts_001_draft.md

Co-authored-by: Aleksandr Bezobchuk <alexanderbez@users.noreply.github.com>

* Update spec/consensus/proposer-based-timestamp/pbts-algorithm_001_draft.md

Co-authored-by: Marko <marbar3778@yahoo.com>

* Update spec/consensus/proposer-based-timestamp/pbts-algorithm_001_draft.md

* Update spec/consensus/proposer-based-timestamp/pbts-sysmodel_001_draft.md

Co-authored-by: Callum Waters <cmwaters19@gmail.com>

* fixes from PR

Co-authored-by: Josef Widder <44643235+josef-widder@users.noreply.github.com>
Co-authored-by: Aleksandr Bezobchuk <alexanderbez@users.noreply.github.com>
Co-authored-by: Marko <marbar3778@yahoo.com>
Co-authored-by: Callum Waters <cmwaters19@gmail.com>

* abci: reorder sidebar (#282)

* ABCI++ RFC (#254)

* ABCI++ RFC

This commit adds an RFC for ABCI++, which is a collection of three new phases of communication between the consensus engine and the application.

Co-authored-by: Sunny Aggarwal <sunnya97@protonmail.ch>

* Fix bugs pointed out by @liamsi

* Update rfc/004-abci++.md

Co-authored-by: Federico Kunze <31522760+fedekunze@users.noreply.github.com>

* Fix markdown lints

* Update rfc/004-abci++.md

Co-authored-by: Ismail Khoffi <Ismail.Khoffi@gmail.com>

* Update rfc/004-abci++.md

Co-authored-by: Tess Rinearson <tess.rinearson@gmail.com>

* Update rfc/004-abci++.md

Co-authored-by: Tess Rinearson <tess.rinearson@gmail.com>

* Add information about the rename in the context section

* Bold RFC

* Add example for self-authenticating vote data

* More exposition of the term IPC

* Update pros / negatives

* Fix sentence fragment

* Add desc for no-ops

Co-authored-by: Sunny Aggarwal <sunnya97@protonmail.ch>
Co-authored-by: Federico Kunze <31522760+fedekunze@users.noreply.github.com>
Co-authored-by: Ismail Khoffi <Ismail.Khoffi@gmail.com>
Co-authored-by: Tess Rinearson <tess.rinearson@gmail.com>

* RFC: ReverseSync - fetching historical data (#224)

* core: update a few sections  (#284)

* p2p: update state sync messages for reverse sync (#285)

* Update README.md (#286)

* rpc: define spec for RPC (#276)

* add rpc spec and support outline

* add json

* add more routes remove unneeded ones

* add rest of rpc endpoints

* add jsonrpc calls

* add more jsonrpc calls

* fix blockchain

* cleanup unused links and add links to repos

* Update spec/rpc/README.md

Co-authored-by: Callum Waters <cmwaters19@gmail.com>

* add missing param from consensus param

* Update spec/rpc/README.md

Co-authored-by: Callum Waters <cmwaters19@gmail.com>

* Update spec/rpc/README.md

Co-authored-by: Callum Waters <cmwaters19@gmail.com>

* fix cast and add doc to readme

Co-authored-by: Callum Waters <cmwaters19@gmail.com>
Co-authored-by: Marko Baricevic <markobaricevic@Fergalicious.local>

* A few improvements to the Ivy proof (#288)

* Avoid quantifier alternation cycle

The problematic quantifier alternation cycle arose because the
definition of accountability_violation was unfolded.

This commit also restructures the induction proof for clarity.

* add count_lines.sh

* fix typo and add forgotten complete=fo in comment

Co-authored-by: Giuliano <giuliano@eic-61-11.galois.com>

* Fixed a broken link (#291)

* fix message type for block-sync (#298)

* lint: fix lint errors (#301)

* build(deps): bump actions/stale from 3 to 3.0.18 (#300)

Bumps [actions/stale](https://github.com/actions/stale) from 3 to 3.0.18.
- [Release notes](https://github.com/actions/stale/releases)
- [Commits](https://github.com/actions/stale/compare/v3...v3.0.18)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump actions/stale from 3.0.18 to 3.0.19 (#302)

Bumps [actions/stale](https://github.com/actions/stale) from 3.0.18 to 3.0.19.
- [Release notes](https://github.com/actions/stale/releases)
- [Commits](https://github.com/actions/stale/compare/v3.0.18...v3.0.19)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* rename HasVote to ReceivedVote (#289)

* add a changelog to track changes (#303)

* add a changelog to track changes

* Update CHANGELOG.md

Co-authored-by: Callum Waters <cmwaters19@gmail.com>

Co-authored-by: Callum Waters <cmwaters19@gmail.com>

* rpc: clarify timestamps (#304)

* clarify timestamps

* changelog entry

* Update spec/rpc/README.md

Co-authored-by: Callum Waters <cmwaters19@gmail.com>

Co-authored-by: Callum Waters <cmwaters19@gmail.com>

* rpc: add chunked genesis endpoint (#299)

* rpc: add chunked genesis endpoint

* fix lint

* feedback

* add info about error

* fix lint

Co-authored-by: marbar3778 <marbar3778@yahoo.com>

* update ResponseCheckTx (#306)

* rpc: Add totalGasUSed to block_results response (#308)

* Add C++ code generation and test scenario (#310)

* add parameters to byzantine send action

* make net not trusted

it's not necessary since for proofs Ivy will assume that the environment
does not break action preconditions

* use require instead of assume

it seems that assume is not checked when other isolates call!

* add comment

* add comment

* run with random seed

* make domain model extractable to C++

* substitute require for assume

assumes in an action are not checked when the action is called! I.e.
they place no requirement on the caller; we're just assuming that the
caller is going to do the right thing. This wasn't very important here
but it leade to a minor inconsistency slipping through.

* make the net isolate not trusted

there was no need for it

* add tendermint_test.ivy

contains a simple test scenario that show that the specification is no
vacuuous

* update comment

* add comments

* throw if trying to parse nset value in the repl

* add comment

* minor refactoring

* add new pex messages (#312)

* build(deps): bump gaurav-nelson/github-action-markdown-link-check (#313)

Bumps [gaurav-nelson/github-action-markdown-link-check](https://github.com/gaurav-nelson/github-action-markdown-link-check) from 1.0.12 to 1.0.13.
- [Release notes](https://github.com/gaurav-nelson/github-action-markdown-link-check/releases)
- [Commits](https://github.com/gaurav-nelson/github-action-markdown-link-check/compare/1.0.12...1.0.13)

---
updated-dependencies:
- dependency-name: gaurav-nelson/github-action-markdown-link-check
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* update spec to reference currently used timestamp type (#317)

* build(deps): bump actions/stale from 3.0.19 to 4 (#319)

Bumps [actions/stale](https://github.com/actions/stale) from 3.0.19 to 4.
- [Release notes](https://github.com/actions/stale/releases)
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/stale/compare/v3.0.19...v4)

---
updated-dependencies:
- dependency-name: actions/stale
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* address discrepancies between spec and implementation (#322)

* update proto files for release (#318)

* stale bot: ignore issues (#325)

* evidence: add section explaining evidence (#324)

* statesync: new messages for gossiping consensus params (#328)

* rpc: update peer format in specification in NetInfo operation (#331)

* Update supervisor_001_draft.md (#334)

* core: text cleanup (#332)

* abci: clarify what abci stands for (#336)

* abci: clarify what abci stands for

* link to abci type protos.

* abci: clarify connection use in-process (#337)

* abci: clarify connection use in-process

* Update abci.md

* Update spec/abci/abci.md

Co-authored-by: M. J. Fromberger <fromberger@interchain.io>

* Update spec/abci/abci.md

Co-authored-by: M. J. Fromberger <fromberger@interchain.io>

* invert abci explanations

* lint++

* lint++

* lint++

* lint++

Co-authored-by: M. J. Fromberger <fromberger@interchain.io>

* proto: move proto files under the correct directory related to their package name (#344)

* abci.md fixup (#339)

* abci: points of clarification ahead of v0.1.0

* lint++

* typo

* lint++

* double word score

* grammar

* Update spec/abci/abci.md

Co-authored-by: M. J. Fromberger <fromberger@interchain.io>

* Update spec/abci/abci.md

Co-authored-by: M. J. Fromberger <fromberger@interchain.io>

* Update spec/abci/abci.md

Co-authored-by: M. J. Fromberger <fromberger@interchain.io>

* Update spec/abci/abci.md

Co-authored-by: M. J. Fromberger <fromberger@interchain.io>

* Update spec/abci/abci.md

Co-authored-by: M. J. Fromberger <fromberger@interchain.io>

* Update spec/abci/abci.md

Co-authored-by: M. J. Fromberger <fromberger@interchain.io>

* Update spec/abci/abci.md

Co-authored-by: M. J. Fromberger <fromberger@interchain.io>

* Update spec/abci/abci.md

Co-authored-by: M. J. Fromberger <fromberger@interchain.io>

* Update spec/abci/abci.md

Co-authored-by: M. J. Fromberger <fromberger@interchain.io>

* Update spec/abci/abci.md

Co-authored-by: M. J. Fromberger <fromberger@interchain.io>

* Update spec/abci/abci.md

Co-authored-by: M. J. Fromberger <fromberger@interchain.io>

* Update spec/abci/abci.md

Co-authored-by: M. J. Fromberger <fromberger@interchain.io>

* Update spec/abci/abci.md

Co-authored-by: M. J. Fromberger <fromberger@interchain.io>

* pr feedback

* wip

* update non-zero status code docs

* fix event description

* update CheckTx description

Co-authored-by: M. J. Fromberger <fromberger@interchain.io>

* Update supervisor_001_draft.md (#333)

* Update supervisor_001_draft.md

If the only node in the *FullNodes* set is the primary, that was just deemed faulty, we can't find honest primary.

* Update supervisor_001_draft.md

* light: update initialization description (#320)

* apps.md fixups (#341)

* wip

* wip

* wip

* remove comments in favor of gh comments

* wip

* udpates to language, should must etc

* Apply suggestions from code review

Co-authored-by: M. J. Fromberger <fromberger@interchain.io>

* remove tendermint cache description

Co-authored-by: M. J. Fromberger <fromberger@interchain.io>

* proto: add tendermint go changes (#349)

* add missed proto files

* add abci changes

* rename blockchain to blocksync

* Update proto/tendermint/abci/types.proto

Co-authored-by: Callum Waters <cmwaters19@gmail.com>

Co-authored-by: Callum Waters <cmwaters19@gmail.com>

* fix mockery generation script (#9094)

Signed-off-by: Marko Baricevic <marbar3778@yahoo.com>
Co-authored-by: Milosevic, Zarko <zare.milosevic@gmail.com>
Co-authored-by: Milosevic, Zarko <zare.milosevic@sicpa.com>
Co-authored-by: Zarko Milosevic <zarko@tendermint.com>
Co-authored-by: Marko <marbar3778@yahoo.com>
Co-authored-by: Zarko Milosevic <zarko@interchain.io>
Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com>
Co-authored-by: dongsamb <dongsamb@gmail.com>
Co-authored-by: Sunny Aggarwal <sunnya97@gmail.com>
Co-authored-by: Anca Zamfir <anca@interchain.io>
Co-authored-by: Ethan Buchman <ethan@coinculture.info>
Co-authored-by: Zarko Milosevic <zarko@informal.systems>
Co-authored-by: Ismail Khoffi <Ismail.Khoffi@gmail.com>
Co-authored-by: Zaki Manian <zaki@tendermint.com>
Co-authored-by: Erik Grinaker <erik@interchain.berlin>
Co-authored-by: Tess Rinearson <tess.rinearson@gmail.com>
Co-authored-by: Alexander Simmerl <a.simmerl@gmail.com>
Co-authored-by: Igor Konnov <igor.konnov@gmail.com>
Co-authored-by: Sean Braithwaite <brapse@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Josef Widder <44643235+josef-widder@users.noreply.github.com>
Co-authored-by: Andrey Kuprianov <59489470+andrey-kuprianov@users.noreply.github.com>
Co-authored-by: Igor Konnov <konnov@forsyte.at>
Co-authored-by: Sam Hart <sam@hxrts.com>
Co-authored-by: Robert Zaremba <robert@zaremba.ch>
Co-authored-by: Giuliano <giuliano@losa.fr>
Co-authored-by: Shahan Khatchadourian <shahan.k.code@gmail.com>
Co-authored-by: Dev Ojha <ValarDragon@users.noreply.github.com>
Co-authored-by: istoilkovska <anili100@gmail.com>
Co-authored-by: Aleksandr Bezobchuk <alexanderbez@users.noreply.github.com>
Co-authored-by: Sam Kleinman <garen@tychoish.com>
Co-authored-by: Sunny Aggarwal <sunnya97@protonmail.ch>
Co-authored-by: Federico Kunze <31522760+fedekunze@users.noreply.github.com>
Co-authored-by: Marko Baricevic <markobaricevic@Fergalicious.local>
Co-authored-by: Giuliano <giuliano@eic-61-11.galois.com>
Co-authored-by: Jordan Sexton <jordan@jordansexton.com>
Co-authored-by: MengXiangJian <805442788@qq.com>
Co-authored-by: Yixin Luo <18810541851@163.com>
Co-authored-by: crypto-facs <84574577+crypto-facs@users.noreply.github.com>
Co-authored-by: Giuliano <giuliano@galois.com>
Co-authored-by: William Banfield <4561443+williambanfield@users.noreply.github.com>
Co-authored-by: Mateusz Górski <goral09@users.noreply.github.com>
Co-authored-by: M. J. Fromberger <fromberger@interchain.io>
Co-authored-by: Thane Thomson <connect@thanethomson.com>
2022-08-16 11:07:21 -04:00

14 KiB
Raw Permalink Blame History

Requirements for Fork Detection in the IBC Context

What you need to know about IBC

In the following, I distilled what I considered relevant from

https://github.com/cosmos/ics/tree/master/spec/ics-002-client-semantics

Components and their interface

Tendermint Blockchains

I assume you know what that is.

An IBC/Tendermint correspondence

IBC Term Tendermint-RS Spec Term Comment
CommitmentRoot AppState app hash
ConsensusState Lightblock not all fields are there. NextValidator is definitly needed
ClientState latest light block + configuration parameters (e.g., trusting period + frozenHeight NextValidators missing; what is proofSpecs?
frozenHeight height of fork set when a fork is detected
"would-have-been-fooled" light node fork detection light node may submit proof of fork to IBC component to halt it
Height (no epochs) (epoch,height) pair in lexicographical order (compare)
Header ~signed header validatorSet explicit (no hash); nextValidators missing
Evidence t.b.d. definition unclear "which the light client would have considered valid". Data structure will need to change
verify ValidAndVerified signature does not match perfectly (ClientState vs. LightBlock) + in checkMisbehaviourAndUpdateState it is unclear whether it uses traces or goes to h1 and h2 in one step

Some IBC links

Required Changes in ICS 007

  • assert(height > 0) in definition of initialise doesn't match definition of Height as (epoch,height) pair.

  • initialise needs to be updated to new data structures

  • clientState.frozenHeight semantics seem not totally consistent in document. E.g., min needs to be defined over optional value in checkMisbehaviourAndUpdateState. Also, if you are frozen, why do you accept more evidence.

  • checkValidityAndUpdateState

    • verify: it needs to be clarified that checkValidityAndUpdateState does not perform "bisection" (as currently hinted in the text) but performs a single step of "skipping verification", called, ValidAndVerified
    • assert (header.height > clientState.latestHeight): no old headers can be installed. This might be OK, but we need to check interplay with misbehavior
    • clienstState needs to be updated according to complete data structure

  • checkMisbehaviourAndUpdateState: as evidence will contain a trace (or two), the assertion that uses verify will need to change.

  • ICS 002 states w.r.t. queryChainConsensusState that "Note that retrieval of past consensus states by height (as opposed to just the current consensus state) is convenient but not required." For Tendermint fork detection, this seems to be a necessity.

  • Header should become a lightblock

  • Evidence should become LightNodeProofOfFork [LCV-DATA-POF.1]

  • upgradeClientState what is the semantics (in particular what is height doing?).

  • checkMisbehaviourAndUpdateState(cs: ClientState, PoF: LightNodeProofOfFork) needs to be adapted

Handler

A blockchain runs a handler that passively collects information about other blockchains. It can be thought of a state machine that takes input events.

  • the state includes a lightstore (I guess called ConsensusState in IBC)

  • The following function is used to pass a header to a handler

type checkValidityAndUpdateState = (Header) => Void

For Tendermint, it will perform ValidandVerified, that is, it does the trusting period check and the +1/3 check (+2/3 for sequential headers). If it verifies a header, it adds it to its lightstore, if it does not pass verification it drops it. Right now it only accepts a header more recent then the latest header, and drops older ones or ones that could not be verified.

The above paragraph captures what I believe what is the current logic of checkValidityAndUpdateState. It may be subject to change. E.g., maintain a lightstore with state (unverified, verified)

  • The following function is used to pass "evidence" (this we will need to make precise eventually) to a handler
type checkMisbehaviourAndUpdateState = (bytes) => Void

We have to design this, and the data that the handler can use to check that there was some misbehavior (fork) in order react on it, e.g., flagging a situation and stop the protocol.

  • The following function is used to query the light store (ConsensusState)
type queryChainConsensusState = (height: uint64) => ConsensusState

Relayer

  • The active components are called relayer.

  • a relayer contains light clients to two (or more?) blockchains

  • the relayer send headers and data to the handler to invoke checkValidityAndUpdateState and checkMisbehaviourAndUpdateState. It may also query queryChainConsensusState.

  • multiple relayers may talk to one handler. Some relayers might be faulty. We assume existence of at least single correct relayer.

Informal Problem Statement: Fork detection in IBC

Relayer requirement: Evidence for Handler

  • The relayer should provide the handler with "evidence" that there was a fork.

  • The relayer can read the handler's consensus state. Thus the relayer can feed the handler precisely the information the handler needs to detect a fork. What is this information needs to be specified.

  • The information depends on the verification the handler does. It might be necessary to provide a bisection proof (list of lightblocks) so that the handler can verify based on its local lightstore a header h that is conflicting with a header h' in the local lightstore, that is, h != h' and h.Height = h'.Height

Relayer requirement: Fork detection

Let's assume there is a fork at chain A. There are two ways the relayer can figure that out:

  1. as the relayer contains a light client for A, it also includes a fork detector that can detect a fork.

  2. the relayer may also detect a fork by observing that the handler for chain A (on chain B) is on a different branch than the relayer

  • in both detection scenarios, the relayer should submit evidence to full nodes of chain A where there is a fork. As we assume a fullnode has a complete list of blocks, it is sufficient to send "Bucky's evidence" (https://github.com/tendermint/tendermint/issues/5083), that is,

    • two lightblocks from different branches +
    • a lightblock (perhaps just a height) from which both blocks can be verified.

  • in the scenario 2., the relayer must feed the A-handler (on chain B) a proof of a fork on A so that chain B can react accordingly

Handler requirement

  • there are potentially many relayers, some correct some faulty

  • a handler cannot trust the information provided by the relayer, but must verify (Доверя́й, но проверя́й)

  • in case of a fork, we accept that the handler temporarily stores headers (tagged as verified).

  • eventually, a handler should be informed (checkMisbehaviourAndUpdateState) by some relayer that it has verified a header from a fork. Then the handler should do what is required by IBC in this case (stop?)

Challenges in the handler requirement

  • handlers and relayers work on different lightstores. In principle the lightstore need not intersect in any heights a priori

  • if a relayer sees a header h it doesn't know at a handler (queryChainConsensusState), the relayer needs to verify that header. If it cannot do it locally based on downloaded and verified (trusted?) light blocks, it might need to use VerifyToTarget (bisection). To call VerifyToTarget we might keep h in the lightstore. If verification fails, we need to download the "alternative" header of height h.Height to generate evidence for the handler.

  • we have to specify what precisely queryChainConsensusState returns. It cannot be the complete lightstore. Is the last header enough?

  • we would like to assume that every now and then (smaller than the trusting period) a correct relayer checks whether the handler is on a different branch than the relayer. And we would like that this is enough to achieve the Handler requirement.

    • here the correctness argument would be easy if a correct relayer is based on a light client with a trusted state, that is, a light client who never changes its opinion about trusted. Then if such a correct relayer checks-in with a handler, it will detect a fork, and act in time.

    • if the light client does not provide this interface, in the case of a fork, we need some assumption about a correct relayer being on a different branch than the handler, and we need such a relayer to check-in not too late. Also what happens if the relayer's light client is forced to roll-back its lightstore? Does it have to re-check all handlers?

On the interconnectedness of things

In the broader discussion of so-called "fork accountability" there are several subproblems

  • Fork detection

  • Evidence creation and submission

  • Isolating misbehaving nodes (and report them for punishment over abci)

Fork detection

The preliminary specification ./detection.md formalizes the notion of a fork. Roughly, a fork exists if there are two conflicting headers for the same height, where both are supported by bonded full nodes (that have been validators in the near past, that is, within the trusting period). We distinguish between fork on the chain where two conflicting blocks are signed by +2/3 of the validators of that height, and a light client fork where one of the conflicting headers is not signed by +2/3 of the current height, but by +1/3 of the validators of some smaller height.

In principle everyone can detect a fork

  • ./detection talks about the Tendermint light client with a focus on light nodes. A relayer runs such light clients and may detect forks in this way

  • in IBC, a relayer can see that a handler is on a conflicting branch

    • the relayer should feed the handler the necessary information so that it can halt
    • the relayer should report the fork to a full node

Evidence creation and submission

  • the information sent from the relayer to the handler could be called evidence, but this is perhaps a bad idea because the information sent to a full node can also be called evidence. But this evidence might still not be enough as the full node might need to run the "fork accountability" protocol to generate evidence in the form of consensus messages. So perhaps we should introduce different terms for:

    • proof of fork for the handler (basically consisting of lightblocks)
    • proof of fork for a full node (basically consisting of (fewer) lightblocks)
    • proof of misbehavior (consensus messages)

Isolating misbehaving nodes

  • this is the job of a full node.

  • might be subjective in the future: the protocol depends on what the full node believes is the "correct" chain. Right now we postulate that every full node is on the correct chain, that is, there is no fork on the chain.

  • The full node figures out which nodes are

    • lunatic
    • double signing
    • amnesic; using the challenge response protocol

  • We do not punish "phantom" validators

    • currently we understand a phantom validator as a node that
      • signs a block for a height in which it is not in the validator set
      • the node is not part of the +1/3 of previous validators that are used to support the header. Whether we call a validator phantom might be subjective and depend on the header we check against. Their formalization actually seems not so clear.
    • they can only do something if there are +1/3 faulty validators that are either lunatic, double signing, or amnesic.
    • abci requires that we only report bonded validators. So if a node is a "phantom", we would need the check whether the node is bonded, which currently is expensive, as it requires checking blocks from the last three weeks.
    • in the future, with state sync, a correct node might be convinced by faulty nodes that it is in the validator set. Then it might appear to be "phantom" although it behaves correctly

Next steps

The following points are subject to my limited knowledge of the state of the work on IBC. Some/most of it might already exist and we will just need to bring everything together.

  • "proof of fork for a full node" defines a clean interface between fork detection and misbehavior isolation. So it should be produced by protocols (light client, the relayer). So we should fix that first.

  • Given the problems of not having a light client architecture spec, for the relayer we should start with this. E.g.

    • the relayer runs light clients for two chains
    • the relayer regularly queries consensus state of a handler
    • the relayer needs to check the consensus state
      • this involves local checks
      • this involves calling the light client
    • the relayer uses the light client to do IBC business (channels, packets, connections, etc.)
    • the relayer submits proof of fork to handlers and full nodes

the list is definitely not complete. I think part of this (perhaps all) is covered by what Anca presented recently.

We will need to define what we expect from these components

  • for the parts where the relayer talks to the handler, we need to fix the interface, and what the handler does

  • we write specs for these components.