feat!: Add a block validity rule that all PFB transactions must have valid signatures #1300
Codecov Report: Attention: Patch coverage is

Additional details and impacted files

@@ Coverage Diff @@

|          | main   | #1300  | +/-    |
|----------|--------|--------|--------|
| Coverage | 49.20% | 48.17% | -1.04% |
| Files    | 76     | 77     | +1     |
| Lines    | 4292   | 4384   | +92    |
| Hits     | 2112   | 2112   |        |
| Misses   | 2004   | 2096   | +92    |
| Partials | 176    | 176    |        |

View full report in Codecov by Sentry.
testutil/manual_blobtx_gen.go (outdated)

```go
// RandBlobTxsWithAccounts will create random blob transactions using the
// provided configuration. The account info is queried directly from the
// application. One blob transaction is generated per account provided.
func RandBlobTxsWithAccounts(
```
Adding to our testing technical debt a bit by continuing to copy-paste minor alterations of this function. #1114
We have to keep this in the testutil pkg instead of blob factory because we're importing the app to query directly, and don't want to cause an import cycle in blobfactory.
Everything here makes sense to me.
Valid signatures don't mean valid PFBs. I'm not sure how important the distinction is for the users that requested this. But just want to make sure that they're aware that although all PFBs have valid signatures they may be missing other things.
Yes, good point, this is definitely true. In this case, we only want to be able to make an honest majority assumption that the signatures are valid, because it dramatically reduces the proving time of some zk proofs. This is only the minimum to close #979; if we want other features such as fee burning, that will essentially require executing the transactions in full before we progress.
I believe the default implementation of the SDK v0.47 (i.e. with the introduction of PrepareProposal and ProcessProposal) by default calls something similar to CheckTx on all transactions in
To clarify things a bit, we are also already enforcing the validate basic checks, that only a single MsgPFB is in a PFB transaction, and that the share commitment is valid. Therefore, I believe the only other way an invalid PFB can be introduced is if the account does not have enough funds to pay for gas.
Or because of an incorrect nonce.
I believe we are checking for that in this PR since that is required to verify the signature via the SigVerifyAnteDecorator. Edit: link to save a search https://github.com/celestiaorg/cosmos-sdk/blob/472f7a7633c16835145381c4effc31dc8c99f738/x/auth/ante/sigverify.go#L267-L273
I see, but is the cached state tracked and updated? Take the following scenarios:
…and Process Proposal
…res in prepare proposal
Most of the changes introduced here are testing related, since we added stateful requirements to both prepare and process proposal, and many of the test txs we were using before didn't have valid signatures or nonce usage.
app/prepare_proposal.go (outdated)

```go
sdkCtx, err := app.NewProcessProposalQueryContext()
if err != nil {
	panic(err)
}

// increment the sequences of the standard cosmos-sdk transactions. Panics
// from the anteHandler are caught and logged.
isHandler := incrementSequenceAnteHandler(&app.AccountKeeper)
normalTxs, sdkCtx = filterStdTxs(app.Logger(), app.txConfig.TxDecoder(), sdkCtx, isHandler, normalTxs)

// check the signatures and increment the sequences of the blob transactions,
// and filter out any that fail. Panics from the anteHandler are caught and
// logged.
svHandler := sigVerifyAnteHandler(&app.AccountKeeper, app.txConfig)
blobTxs, _ = filterBlobTxs(app.Logger(), app.txConfig.TxDecoder(), sdkCtx, svHandler, blobTxs)
```
Here is where we add stateful checks to prepare proposal. Notice that we are incrementing the nonce of the normal txs first, before we are checking the signatures of the PFB txs.
```go
{"many small single share single blob transactions", 10000, 1, 400},
{"many small single share single blob transactions", 1000, 1, 400},
```
Reduced the length of this first test because it takes so long that sometimes we don't even run it once. Changing this means that, at least in this test, we are no longer testing for the weird things that can happen when using a bunch of small PFBs occasionally. We might still want to do that in the future, but I'm less worried now that we are limiting the number of txs to 5000.
```go
// create 100 send transactions
sendTxs := testutil.SendTxsWithAccounts(
	t,
	testApp,
	encConf.TxConfig.TxEncoder(),
	kr,
	1000,
	accounts[0],
	accounts[len(accounts)-100:],
	"",
)
```
This refactor was needed because now we need access to state to query for account info before we can create the txs.
```go
// verify the signatures of the prepared txs
sdata, err := signer.GetSignerData()
require.NoError(t, err)

dec := encoding.IndexWrapperDecoder(encCfg.TxConfig.TxDecoder())
for _, tx := range res.BlockData.Txs {
```
this portion of this test was leftover from when we were malleating txs for multiple square sizes, so we can remove. It no longer works since this portion of the test only works when we don't need access to state.
```go
accnts := testfactory.GenerateAccounts(numBlobTxs + numNormalTxs)
testApp, kr := testutil.SetupTestAppWithGenesisValSet(accnts...)
```
all of our prepare/process proposal tests need to sign txs with correct nonces and account numbers, therefore we have to change most of the tests to account for this
@@ -154,59 +270,6 @@ func TestProcessProposal(t *testing.T) { | |||
} | |||
} | |||
|
|||
func TestProcessProposalWithParityShareNamespace(t *testing.T) { |
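Review bot: the header `@@ -154,59 +270,6 @@` shows 53 lines leaving this region while the only visible context is the closing braces and the `TestProcessProposalWithParityShareNamespace` signature, so the removed body (and its REJECT assertion for a PFB in the parity share namespace) is not shown here; the review comment should point at the specific case in the consolidated `TestProcessProposal` that asserts `abci.ResponseProcessProposal_REJECT` for that input, so a reader can confirm the coverage was moved rather than dropped.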
Moved this test up to the other test; see the comment there to see why we probably don't even need this test unless we have some code that lets us bypass these checks in prepare proposal. #233
```go
	require.Equal(t, abci.ResponseProcessProposal_REJECT, res.Result)
}

func TestProcessProposalWithTamperedSequenceStart(t *testing.T) {
```
consolidated this test in the above test
```go
// recoverHandler will simply wrap the caught panic in an error containing the
// stack trace.
func recoverHandler(recoveryObj interface{}) error {
	return sdkerrors.Wrap(
		sdkerrors.ErrPanic, fmt.Sprintf(
			"recovered: %v\nstack:\n%v", recoveryObj, string(debug.Stack()),
		),
	)
}
```
the nonce increment decorator panics if the account isn't present, so we have to add this. It should never get hit if block producers are honest and are running check tx
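As an added illustration of two points raised in this thread, the ordering in prepare proposal (normal txs have their sequences incremented before PFB signatures are checked) and the reason the panic recovery above is needed, here is a self-contained Go model. It is not the PR's or celestia-app's code: `Keeper`, `Tx`, `incrementSequence` and `sigVerify` are hypothetical stand-ins for the SDK account keeper and the IncrementSequence / SigVerification decorators, the signature check is reduced to the sequence comparison, and the accounts and transactions are constructed sample data.

```go
package main

import (
	"fmt"
	"runtime/debug"
)

// Account holds the part of account state the decorators read: the next
// expected sequence (nonce).
type Account struct{ Sequence uint64 }

// Keeper is a hypothetical in-memory account keeper standing in for
// app.AccountKeeper over the cached proposal query context.
type Keeper map[string]*Account

// Tx is a constructed stand-in for a decoded tx: its signer and the sequence
// the signature commits to.
type Tx struct {
	Signer   string
	Sequence uint64
}

// AnteHandler has the shape of an SDK ante decorator: it can fail by
// returning an error or by panicking.
type AnteHandler func(k Keeper, tx Tx) error

// incrementSequence models IncrementSequenceDecorator, which panics rather
// than returning an error when the signer's account does not exist.
func incrementSequence(k Keeper, tx Tx) error {
	acc, ok := k[tx.Signer]
	if !ok {
		panic(fmt.Sprintf("account %s does not exist", tx.Signer))
	}
	acc.Sequence++
	return nil
}

// sigVerify models the sequence check inside SigVerificationDecorator: the
// signature is valid only if it was made over the account's current sequence
// (pubkey and signature-byte checks of the real decorator are omitted). On
// success the sequence advances, so a replay of the same tx is rejected.
func sigVerify(k Keeper, tx Tx) error {
	acc, ok := k[tx.Signer]
	if !ok {
		return fmt.Errorf("unknown signer %s", tx.Signer)
	}
	if tx.Sequence != acc.Sequence {
		return fmt.Errorf("signer %s: signed over sequence %d, account expects %d",
			tx.Signer, tx.Sequence, acc.Sequence)
	}
	acc.Sequence++
	return nil
}

// recoverHandler wraps a recovered panic value in an error with the stack,
// as the PR's recoverHandler does (there via sdkerrors.ErrPanic).
func recoverHandler(recoveryObj interface{}) error {
	return fmt.Errorf("recovered: %v\nstack:\n%s", recoveryObj, debug.Stack())
}

// runAnte runs one handler and turns a panic into an error, so a tx that
// references a missing account cannot crash the block proposer.
func runAnte(k Keeper, h AnteHandler, tx Tx) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = recoverHandler(r)
		}
	}()
	return h(k, tx)
}

// filterTxs keeps the txs the handler accepts and collects an error for each
// dropped one (the app logs these instead of returning them).
func filterTxs(k Keeper, h AnteHandler, txs []Tx) (kept []Tx, dropped []error) {
	for _, tx := range txs {
		if err := runAnte(k, h, tx); err != nil {
			dropped = append(dropped, err)
			continue
		}
		kept = append(kept, tx)
	}
	return kept, dropped
}

// prepareProposal applies the ordering from the review comment: normal txs
// first (advancing their signers' sequences), then blob txs, whose signatures
// are checked against the already-advanced sequences.
func prepareProposal(k Keeper, normal, blob []Tx) (keptNormal, keptBlob []Tx, dropped []error) {
	keptNormal, d1 := filterTxs(k, incrementSequence, normal)
	keptBlob, d2 := filterTxs(k, sigVerify, blob)
	return keptNormal, keptBlob, append(d1, d2...)
}

// demoScenario runs constructed data: alice sends a normal tx and a PFB signed
// over the sequence that follows it; bob has a stale PFB (seq 4) and a current
// one (seq 5); carol has no account at all.
func demoScenario() (keptNormal, keptBlob []Tx, dropped []error) {
	k := Keeper{"alice": {Sequence: 0}, "bob": {Sequence: 5}}
	normal := []Tx{{"alice", 0}, {"carol", 0}}
	blob := []Tx{{"alice", 1}, {"bob", 4}, {"bob", 5}}
	return prepareProposal(k, normal, blob)
}

func main() {
	kn, kb, dropped := demoScenario()
	fmt.Printf("kept %d normal and %d blob txs, dropped %d\n", len(kn), len(kb), len(dropped))
}
```

Running it keeps alice's normal tx and two PFBs (alice's, because her sequence was advanced by the normal tx before the PFB check ran, and bob's seq-5 one), drops carol's tx through the recovered panic rather than a crash, and drops bob's stale seq-4 PFB on the sequence mismatch. Passing an accepted PFB through `sigVerify` a second time fails, which is the replay protection the nonce check provides and the reason the cached sequence must be tracked across both filters.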
```go
// RandBlobTxsWithAccounts will create random blob transactions using the
// provided configuration. The account info is queried directly from the
// application. One blob transaction is generated per account provided.
func RandBlobTxsWithAccounts(
	t *testing.T,
	capp *app.App,
```
We need to sign txs with valid sequences and account numbers, and have to query for those w/o grpc if we want to use the testapp, so I created even more testing functions (that we should consolidate in #1114) to query the app directly
I don't have any blocking feedback. I do have a question: IIUC the motivation for this PR was to verify the validity of signatures on PFB transactions so that once a transaction is included in a block, we know that its signature was valid.
Now that prepare proposal and process proposal are verifying the sequence number and signature of PFB transactions, should we consider (at a later date) extending that to apply to all types of transactions?
Co-authored-by: Rootul P <[email protected]>
…valid signatures (#1300)

## Overview

This PR adds a signature check in ProcessProposal for PFB transactions.

blocked by celestiaorg/cosmos-sdk#296
closes #979

## Checklist

- [x] New and updated code has appropriate documentation
- [x] New and updated code has new and/or updated testing
- [x] Required CI checks are passing
- [x] Visual proof for any user facing features like CLI or documentation updates
- [x] Linked issues closed with keywords

---------

Co-authored-by: Rootul P <[email protected]>
## Overview

This PR adds a signature check in ProcessProposal for PFB transactions.

blocked by celestiaorg/cosmos-sdk#296
closes #979

## Checklist