Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

refactor(lightclient): removed the need for next stateInfo for valiadition #1467

Draft
wants to merge 88 commits into
base: main
Choose a base branch
from

Conversation

mtsitrin
Copy link
Contributor

@mtsitrin mtsitrin commented Nov 13, 2024

DRY out the validation methods into 2:
ValidateHeaderAgainstStateInfo - validates LC updated against existing state info
ValidateStateInfoAgainstConsensusStates - validates State Info against existing consensus states

main changes:

  • on HandleMsgUpdateClient

    • refactor validation to use single state info, instead of checking state info for H+1
  • on SetCanonicalClient

    • changed iteration key: instead of iterating all the consensus states, we iterate over state infos
    • each state info is validated

mtsitrin and others added 30 commits October 22, 2024 13:54
#1406)

Co-authored-by: keruch <[email protected]>
Co-authored-by: zale144 <[email protected]>
Co-authored-by: Daniel T <[email protected]>
Co-authored-by: Omri <[email protected]>
Co-authored-by: Sergi Rene <[email protected]>
Co-authored-by: Itzhak Bokris <[email protected]>
@mtsitrin mtsitrin requested a review from a team as a code owner November 13, 2024 13:00
@mtsitrin mtsitrin requested a review from danwt November 13, 2024 14:36
Copy link
Contributor

@danwt danwt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The cleanups are great, but the bit about iterating descending doesn't make sense.

IterateConsensusStateDescending(csStore, func(h exported.Height) bool {
// skip future heights
if h.GetRevisionHeight() >= maxHeight {
return false
}
// iterate until we pass the fraud height
if h.GetRevisionHeight() < minHeight {
return true // break
}
consensusState, ok := k.ibcClientKeeper.GetClientConsensusState(ctx, clientID, h)
if !ok {
return false
}
tmConsensusState, ok := consensusState.(*ibctm.ConsensusState)
if !ok {
return false
}
err = k.ValidateUpdatePessimistically(ctx, sInfo, tmConsensusState, h.GetRevisionHeight())
if err != nil {
err = errorsmod.Wrapf(err, "validate pessimistic h: %d", h.GetRevisionHeight())
return true // break
}
atLeastOneMatch = true
return true // break
})

You're only checking the consensus states with heights in the state info, which isn't right. I'm sorry I should've thought about it more when you initially asked me on slack.

Now it's not secure; why? Because there can be invalid consensus states below the ones you check, which are opening a security hole by having a wrong nextValidatorsHash.

We need to iterate through all the consensus states and check that they're valid. In fact, we just need to check that there is a valid prefix . The reason it was implemented the way it was to begin with was because it's just simpler: if we check all up to and including the ones in the state info, then (in the previous design where a mismatch in state update would automatically trigger fraud handler) then we would be guaranteed to catch a wrong one.

I would really suggest to just keep it as it was before. You can still change it to be an iterator though (I think why Spoorthi made it fetch all before was because iterator was not publicly exposed).

The rest of the PR is good

x/lightclient/keeper/canonical_client.go Outdated Show resolved Hide resolved
x/lightclient/keeper/canonical_client.go Show resolved Hide resolved
x/lightclient/keeper/hook_listener.go Outdated Show resolved Hide resolved
Base automatically changed from mtsitrin/937-rollapp-hard-fork-hub-side to main November 14, 2024 14:29
@mtsitrin mtsitrin marked this pull request as draft November 15, 2024 06:30
@mtsitrin mtsitrin linked an issue Nov 17, 2024 that may be closed by this pull request
Copy link

codecov bot commented Nov 17, 2024

Codecov Report

Attention: Patch coverage is 91.75258% with 8 lines in your changes missing coverage. Please review.

Project coverage is 22.69%. Comparing base (a308fd0) to head (4d50d9c).
Report is 5 commits behind head on main.

Files with missing lines Patch % Lines
x/lightclient/keeper/canonical_client.go 90.69% 3 Missing and 1 partial ⚠️
x/lightclient/keeper/hook_listener.go 92.59% 1 Missing and 1 partial ⚠️
x/lightclient/ante/ibc_msg_update_client.go 90.00% 1 Missing ⚠️
x/rollapp/types/state_info.go 87.50% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1467      +/-   ##
==========================================
- Coverage   22.69%   22.69%   -0.01%     
==========================================
  Files         575      575              
  Lines      124579   124516      -63     
==========================================
- Hits        28273    28257      -16     
+ Misses      92528    92494      -34     
+ Partials     3778     3765      -13     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@mtsitrin mtsitrin marked this pull request as ready for review November 17, 2024 17:54
@mtsitrin mtsitrin requested review from danwt and omritoptix November 18, 2024 07:38
@mtsitrin mtsitrin marked this pull request as draft December 3, 2024 21:00
@mtsitrin mtsitrin marked this pull request as ready for review December 4, 2024 08:30
@danwt danwt marked this pull request as draft December 4, 2024 16:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

x/lightclient redundent call for FindStateInfoByHeight
3 participants