-
Notifications
You must be signed in to change notification settings - Fork 106
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add sanity check for registered entities' stake #2748
Conversation
I guess? What's the planned resolution for this when the sanity check fails? And what's up with the (likely unrelated) CI failure? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this really an invariant? do we, for example, remove a registration if an entity gets slashed to below the threshold?
ah yeah we are supposed to deregister them if they get slashed below the threshold |
bb6fed5
to
de55cb2
Compare
This is ready for another review. Updating various tests made this PR a bit larger, but I tried to split things down into commits, so I suggest reviewing by commits. |
Codecov Report
@@ Coverage Diff @@
## master #2748 +/- ##
==========================================
- Coverage 67.64% 67.59% -0.05%
==========================================
Files 350 350
Lines 33970 34036 +66
==========================================
+ Hits 22980 23008 +28
- Misses 8037 8080 +43
+ Partials 2953 2948 -5
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah now we're not sure after all, if we want to delete an entity if it gets slashed below the threshold. cc @peterjgilbert @ravenac95
code-wise though: this doesn't do a full accumulation. could this check miss cases where the amount escrowed is enough, but there isn't enough overall for the entity plus, for example, some nodes?
Hmm... are you worried about a potentially invalid state dump (i.e. genesis file)? Do we currently de-register entities that fall below the staking thresholds when they are slashed?
Good catch! Indeed, the current check, e.g. misses the case when an entity has enough stake to be registered itself, but not enough stake to also register its nodes. We could augment the sanity checks to create a map of |
3042ea3
to
6897300
Compare
6897300
to
4976ddc
Compare
|
||
for _, node := range nodes { | ||
// Add node stake claims. | ||
generatedEscrows[node.EntityID].StakeAccumulator.AddClaimUnchecked(StakeClaimForNode(node.ID), StakeThresholdsForNode(node)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it's already checked that node.EntityID
is a valid entity ID, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, it is already checked by SanityCheckEntities()
which in turn calls VerifyRegisterEntityArgs()
for each signed entity which finally checks the ID in:
https://github.com/oasislabs/oasis-core/blob/b9fe8b7e4ea570b9aa69ec549ec1f3da5ffdcd70/go/registry/api/api.go#L363-L370
go/registry/api/sanity_check.go
Outdated
if err == nil { | ||
expected = expectedQty.String() | ||
} | ||
return fmt.Errorf("insufficient stake for account %s (expected: %s got: %s)", entity.ID, expected, generatedEscrow.Active.Balance) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could we %w
the error from CheckStateClaims
?
or explain why we'd rather throw away that info
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch. I've added %w
to the fmt.Errorf()
call.
9ec669c
to
7d6507a
Compare
I've implemented that, please take a look. |
7d6507a
to
0c50b3c
Compare
4ea95db
to
5187ebf
Compare
// SanityCheckStake ensures entities' stake accumulator claims are consistent | ||
// with general state and entities have enough stake for themselves and all | ||
// their registered nodes and runtimes. | ||
func SanityCheckStake( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We may need to reconsider the location of this sanity check if there are any other places that can have stake claims, but this is ok for now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed 👍.
I've filled a follow-up issue that will address this: #2886. |
5187ebf
to
7698eee
Compare
@pro-wh, could you take another look? |
Formally define Nodes() and AllRuntimes() methods that were already implemented by go/consensus/tendermint/apps/registry/state.ImmutableState struct. Implement Nodes() and AllRuntimes() methods for the go/registry/api.sanityCheckRuntimeLookup struct.
Extract and generalize registry's staking sanity checks in go/consensus/tendermint/apps/supplementarysanity.checkStakeClaims() and move them to go/registry/api.SanityCheckStake() function. Augment the checks to check if an entity has enough stake for all stake claims in the Genesis document to prevent panics at oasis-node start-up due to entities not having enough stake in the escrow to satisfy all their stake claims.
7698eee
to
d8d03ab
Compare
@pro-wh, I think your comments were addressed. If there's anything else, please follow up.
Extract and generalize registry's staking sanity checks in
go/consensus/tendermint/apps/supplementarysanity.checkStakeClaims()
and move them togo/registry/api.SanityCheckStake()
function.Augment the checks to check if an entity has enough stake for all stake claims in the Genesis document to prevent panics at oasis-node start-up due to entities not having enough stake in the escrow to satisfy all their stake claims.
Example panic when an entity doesn't have enough stake to be registered:
Example panic when an entity doesn't have enough stake to have a node registered: