Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: update ADR-005 on cryptographic equivocation verifcation #1022

Merged
merged 3 commits into from
Jun 16, 2023
Merged

docs: update ADR-005 on cryptographic equivocation verifcation #1022

Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
cd177a8
save first gist
sainoe Jun 14, 2023
8282a1f
add first draft
sainoe Jun 15, 2023
189038f
Update docs/docs/adrs/adr-005-cryptographic-equivocation-verification.md
sainoe Jun 16, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion docs/docs/adrs/adr-005-cryptographic-equivocation-verification.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,8 @@ Current limitations:

- This only handles light client attacks, not double signing. In the future, we will add the code to also verify double signing.
- Since a special endpoint must be used to submit the evidence, the evidence is not automatically submitted by Hermes. In the future, we may make Hermes submit the evidence, or use a hook provided by IBC to run the code automatically when evidence is submitted to the IBC client. In the current state, someone will need to submit the evidence manually in the 3 weeks after a light client attack has occured.
- We currently can't derive an infraction height from the evidence, so it is only possible to tombstone validators, not actually slash them.
- We currently can't derive an infraction height from the evidence, so it is only possible to tombstone validators, not actually slash them. To explain the technical reasons behind this limitation, let's recap the initial consumer initiated slashing logic. In the previous implementation, Validator Set Update IDs (VSCIDs) were used to derive the infraction height from evidences. Each VSCID was mapped to a block height and stored on both the provider and consumer chains. When an infraction occurred on a consumer chain, a IBC slashing packet was sent to the provider chain along with a VSCID obtained from mapping the evidence's infraction height. Upon receiving the packet, the provider could derive its own local infraction height to execute the slashing. In the context of untrusted consumer chains, all their states, including VSCIDs, could be corrupted and therefore cannot be used for slashing purposes. To address this, we explored a solution using the IBC misbehavior type, which includes the validator set active during the light client attack.By mapping each validator set hash to a block height, the provider would be able to derive an infraction height from an evidence again. However, this solution fails to consider that non-consecutive blocks can have the exact same validator set. In this scenario the validator set hashes would be identical for different unique block height making the mapping obsolete.
sainoe marked this conversation as resolved.
Show resolved Hide resolved
sainoe marked this conversation as resolved.
Show resolved Hide resolved


## Consequences

Expand Down
Loading