Add sanity check for registered entities' stake #2748
Conversation
tjanez
added
c:registry
tjanez
requested review from
kostko,
peterjgilbert,
pro-wh and
Yawning
as code owners
|
I guess? What's the planned resolution for this when the sanity check fails? And what's up with the (likely unrelated) CI failure? |
|
ah yeah we are supposed to deregister them if they get slashed below the threshold |
tjanez
force-pushed
the
tjanez/check-entities-stake
branch
3 times, most recently
from
bb6fed5
to
de55cb2
Compare
|
This is ready for another review. Updating various tests made this PR a bit larger, but I tried to split things down into commits, so I suggest reviewing by commits. |
Codecov Report
@@ Coverage Diff @@
## master #2748 +/- ##
==========================================
- Coverage 67.64% 67.59% -0.05%
==========================================
Files 350 350
Lines 33970 34036 +66
==========================================
+ Hits 22980 23008 +28
- Misses 8037 8080 +43
+ Partials 2953 2948 -5
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
ah now we're not sure after all, if we want to delete an entity if it gets slashed below the threshold. cc @peterjgilbert @ravenac95
code-wise though: this doesn't do a full accumulation. could this check miss cases where the amount escrowed is enough, but there isn't enough overall for the entity plus, for example, some nodes?
Hmm... are you worried about a potentially invalid state dump (i.e. genesis file)? Do we currently de-register entities that fall below the staking thresholds when they are slashed?
Good catch! Indeed, the current check, e.g. misses the case when an entity has enough stake to be registered itself, but not enough stake to also register its nodes. We could augment the sanity checks to create a map of |
tjanez
force-pushed
the
tjanez/check-entities-stake
branch
2 times, most recently
from
3042ea3
to
6897300
Compare
tjanez
force-pushed
the
tjanez/check-entities-stake
branch
from
6897300
to
4976ddc
Compare
|
|
||
| for _, node := range nodes { | ||
| // Add node stake claims. | ||
| generatedEscrows[node.EntityID].StakeAccumulator.AddClaimUnchecked(StakeClaimForNode(node.ID), StakeThresholdsForNode(node)) |
There was a problem hiding this comment.
it's already checked that node.EntityID is a valid entity ID, right?
There was a problem hiding this comment.
Yes, it is already checked by SanityCheckEntities() which in turn calls VerifyRegisterEntityArgs() for each signed entity which finally checks the ID in:
https://github.com/oasislabs/oasis-core/blob/b9fe8b7e4ea570b9aa69ec549ec1f3da5ffdcd70/go/registry/api/api.go#L363-L370
go/registry/api/sanity_check.go
Outdated
| if err == nil { | ||
| expected = expectedQty.String() | ||
| } | ||
| return fmt.Errorf("insufficient stake for account %s (expected: %s got: %s)", entity.ID, expected, generatedEscrow.Active.Balance) |
There was a problem hiding this comment.
could we %w the error from CheckStateClaims?
or explain why we'd rather throw away that info
There was a problem hiding this comment.
Good catch. I've added %w to the fmt.Errorf() call.
tjanez
force-pushed
the
tjanez/check-entities-stake
branch
3 times, most recently
from
9ec669c
to
7d6507a
Compare
I've implemented that, please take a look. |
tjanez
force-pushed
the
tjanez/check-entities-stake
branch
from
7d6507a
to
0c50b3c
Compare
tjanez
force-pushed
the
tjanez/check-entities-stake
branch
2 times, most recently
from
4ea95db
to
5187ebf
Compare
| // SanityCheckStake ensures entities' stake accumulator claims are consistent | ||
| // with general state and entities have enough stake for themselves and all | ||
| // their registered nodes and runtimes. | ||
| func SanityCheckStake( |
There was a problem hiding this comment.
We may need to reconsider the location of this sanity check if there are any other places that can have stake claims, but this is ok for now.
I've filled a follow-up issue that will address this: #2886. |
tjanez
force-pushed
the
tjanez/check-entities-stake
branch
from
5187ebf
to
7698eee
Compare
|
@pro-wh, could you take another look? |
Formally define Nodes() and AllRuntimes() methods that were already implemented by go/consensus/tendermint/apps/registry/state.ImmutableState struct. Implement Nodes() and AllRuntimes() methods for the go/registry/api.sanityCheckRuntimeLookup struct.
Extract and generalize registry's staking sanity checks in go/consensus/tendermint/apps/supplementarysanity.checkStakeClaims() and move them to go/registry/api.SanityCheckStake() function. Augment the checks to check if an entity has enough stake for all stake claims in the Genesis document to prevent panics at oasis-node start-up due to entities not having enough stake in the escrow to satisfy all their stake claims.
tjanez
force-pushed
the
tjanez/check-entities-stake
branch
from
7698eee
to
d8d03ab
Compare
tjanez
dismissed
pro-wh’s stale review
@pro-wh, I think your comments were addressed. If there's anything else, please follow up.
Extract and generalize registry's staking sanity checks in
go/consensus/tendermint/apps/supplementarysanity.checkStakeClaims()and move them togo/registry/api.SanityCheckStake()function.Augment the checks to check if an entity has enough stake for all stake claims in the Genesis document to prevent panics at oasis-node start-up due to entities not having enough stake in the escrow to satisfy all their stake claims.
Example panic when an entity doesn't have enough stake to be registered:
Example panic when an entity doesn't have enough stake to have a node registered: