Skip to content

Commit

Permalink
fix merge conflicts
Browse files Browse the repository at this point in the history
  • Loading branch information
mpoke committed Nov 5, 2024
2 parents f8a62f0 + b3a2781 commit 4581c86
Show file tree
Hide file tree
Showing 47 changed files with 1,620 additions and 524 deletions.
2 changes: 2 additions & 0 deletions .changelog/unreleased/bug-fixes/2363-zero-rewards.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
- `[x/provider]` Add check for zero rewards to the rewards distribution logic.
([\#2363](https://github.com/cosmos/interchain-security/pull/2363))
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
- `[x/provider]` Fixed pagination in the list consumer chains query.
([\#2377](https://github.com/cosmos/interchain-security/pull/2377))
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
- Allow consumer chains to specify a list of priority validators that are included in the validator set before other validators are considered
([\#2101](https://github.com/cosmos/interchain-security/pull/2101))
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
- Allow consumer chains to specify a list of priority validators that are included in the validator set before other validators are considered
([\#2101](https://github.com/cosmos/interchain-security/pull/2101))
2 changes: 2 additions & 0 deletions .changelog/unreleased/state-breaking/2363-zero-rewards.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
- `[x/provider]` Add check for zero rewards to the rewards distribution logic.
([\#2363](https://github.com/cosmos/interchain-security/pull/2363))
10 changes: 10 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -77,3 +77,13 @@ updates:
open-pull-requests-limit: 0
labels:
- dependencies

- package-ecosystem: gomod
directory: "/"
schedule:
interval: daily
target-branch: "release/v6.3.x"
# Only allow automated security-related dependency updates on release branches.
open-pull-requests-limit: 0
labels:
- dependencies
17 changes: 17 additions & 0 deletions .github/workflows/nightly-e2e.yml
Original file line number Diff line number Diff line change
Expand Up @@ -277,6 +277,22 @@ jobs:
go-version: "1.22" # The Go version to download (if necessary) and use.
- name: E2E partial set security denylist
run: go run ./tests/e2e/... --tc partial-set-security-validators-denylisted
partial-set-security-validators-prioritylisted-test:
runs-on: ubuntu-latest
timeout-minutes: 20
steps:
- uses: actions/setup-go@v5
with:
go-version: "1.22"
- uses: actions/checkout@v4
- name: Checkout LFS objects
run: git lfs checkout
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version: "1.22" # The Go version to download (if necessary) and use.
- name: E2E partial set security prioritylist
run: go run ./tests/e2e/... --tc partial-set-security-validators-prioritylisted
partial-set-security-modification-proposal:
runs-on: ubuntu-latest
timeout-minutes: 20
Expand Down Expand Up @@ -376,6 +392,7 @@ jobs:
- partial-set-security-validators-power-cap-test
- partial-set-security-validators-allowlisted-test
- partial-set-security-validators-denylisted-test
- partial-set-security-validators-prioritylisted-test
- partial-set-security-modification-proposal
- active-set-changes-test
- permissionless-basic-test
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/proto-registry.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: bufbuild/buf-setup-action@v1.45.0
- uses: bufbuild/buf-setup-action@v1.46.0
- uses: bufbuild/buf-push-action@v1
with:
input: "proto"
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/proto.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: bufbuild/buf-setup-action@v1.45.0
- uses: bufbuild/buf-setup-action@v1.46.0
- uses: bufbuild/buf-breaking-action@v1
with:
input: "proto"
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ jobs:
**/go.sum
**/Makefile
Makefile
- uses: actions/[email protected].0
- uses: actions/[email protected].2
with:
path: |
~/.cache/go-build
Expand Down
10 changes: 9 additions & 1 deletion .mergify.yml
Original file line number Diff line number Diff line change
Expand Up @@ -57,4 +57,12 @@ pull_request_rules:
actions:
backport:
branches:
- release/v6.2.x
- release/v6.2.x
- name: Backport patches to the release/v6.3.x branch
conditions:
- base=main
- label=A:backport/v6.3.x
actions:
backport:
branches:
- release/v6.3.x
3 changes: 2 additions & 1 deletion contrib/local-testnet.sh
Original file line number Diff line number Diff line change
Expand Up @@ -317,7 +317,8 @@ tee ${PROV_NODE_DIR}/consumer_prop.json<<EOF
"allowlist": [],
"denylist": [],
"min_stake": 1000,
"allow_inactive_vals": true
"allow_inactive_vals": true,
"prioritylist": []
}
}
],
Expand Down
185 changes: 185 additions & 0 deletions docs/docs/adrs/adr-020-cutomizable_slashing_and_jailing.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,185 @@
---
sidebar_position: 21
title: Customizable Slashing and Jailing
---
# ADR 020: Customizable Slashing and Jailing

## Changelog
* 2024-07-19: Initial draft of ADR
* 2024-08-23: Generalize ADR to make slashing and jailing customizable

## Status

Proposed

## Context

Interchain Security (ICS) is a cross-chain staking protocol -- it uses the stake on the provider chain as collateral for the Proof of Stake (PoS) on the consumer chains.
This means that the voting power of validators validating (aka producing blocks) on the consumer chains is a function of their stake on the provider.
Moreover, if these validators misbehave on the consumer chains, they get punished on the provider chain.
ICS is currently differentiating between two types of infractions -- equivocation and downtime.
Depending on the infraction type, the misbehaving validators might be jailed (i.e., removed from the provider validator set) and / or slashed (i.e., a portion of their stake on the provider is being burned).
For example, validators double signing on consumer chains get slashed and are permanently jailed,
while validators not validating sufficient blocks are temporarily jailed.

This means that ICS consumer chains get their economical security from the provider.
However, this might come at a high cost.

### The Cost of PoS

One of the cost of validating on the consumer chains is operational -- validators need to run and monitor full nodes of every consumer chain they opt in for.
Although this cost varies from validator team to validator team (depending on how efficiently they can run their infrastructure), it doesn't depend on the total stake (or voting power) of the validators, so we can think of it as constant.
The other cost of validating comes from the risk of getting slashed or jailed.

Most chains in Cosmos (including the Cosmos Hub) use delegated PoS -- users delegate their tokens to validators, which stake them in return for voting power.
Therefore, validators act as representatives chosen by their delegators to represent their interests.
However, delegators share the risk of their validators getting slashed or jailed:

* When validators get slashed, a portion of their stake is being burned, including a portion of the tokens delegated by users.
As validators don't need to have their own stake, it is possible that delegators take all the risk of validators misbehaving.
* When validators get jailed, they no longer receive block rewards (neither from the provider nor from the consumer chains).
This also applies to their delegators.
As a result, delegators might choose to restake their tokens with another validator.
The longer the validators are jailed, the more likely is that delegators will restake.
Thus, by getting jailed, validators risk damaging their reputation.

Misbehaviors don't need to be malicious, e.g., most cases of double signing infractions are due to misconfiguration.
This means that, by opting in on multiple consumer chains, validators and their delegators incur a higher risk.
As a result, validators and their delegators want to be compensated for this additional risk, which makes the current design of ICS expensive.

This ADR addresses the high cost of ICS by allowing consumer chains to customize the slashing and jailing conditions.
Basically, every consumer chain can decide the punishment for every type of infraction.
This enables consumer chains to tradeoff economical security against cost.

## Decision

To reduce the cost of ICS, consumer chains will be able to customize the slashing and jailing for every type of infraction.
As a result, consumer chains can decide on the amount of economic security they want and validators (and their delegators) can decide on the amount of additional risk they want to incur.

For every consumer chain, we introduce the following slashing and jailing parameters:
```proto
message InfractionParameters {
SlashJailParameters double_sign = 1;
SlashJailParameters downtime = 2;
}
message SlashJailParameters {
bytes slash_fraction = 1 [
(cosmos_proto.scalar) = "cosmos.Dec",
(gogoproto.customtype) = "cosmossdk.io/math.LegacyDec",
(gogoproto.nullable) = false,
(amino.dont_omitempty) = true
];
// use time.Unix(253402300799, 0) for permanent jailing
google.protobuf.Duration jail_duration = 2;
}
```
Currently, we consider only two infraction types -- double signing and downtime.

By default, every consumer chain will have the following slashing and jailing parameters:
```go
double_sign.slash_fraction: 0.05 // same as on the provider
double_sign.jail_duration: time.Unix(253402300799, 0) // permanent jailing, same as on the provider
downtime.slash_fraction: 0 // no slashing for downtime on the consumer
downtime.jail_duration: 600s // same as on the provider
```
These parameters can be updated by the consumer chain owner at any given time (via `MsgCreateConsumer` or `MsgUpdateConsumer`).
However, the changes will come into effect after a period equal to the staking module's unbonding period elapses.
This will allow validators that don't agree with the changes to opt out and not be affected by them.
Also, to avoid malicious chains attacking the provider validator set, these params will be bounded by the values on the provider chain:
```go
double_sign.slash_fraction <= 0.05 // 5%
downtime.slash_fraction <= 0.0001 // 0.1%
downtime.jail_duration <= 600s // 10 minutes
```

Although consumer chains can set any values to these parameters (within the allowed bounds), we recommend the following settings, depending on the type of consumer chain.

* **Proof-of-Stake (PoS) Consumer Chains.** These are chains that have the full economical security of the provider validators that opted in. This means that all slashing and jailing parameters are the same as on the provider.

```go
double_sign.slash_fraction: 0.05
double_sign.jail_duration: time.Unix(253402300799, 0)
downtime.slash_fraction: 0.0001
downtime.jail_duration: 600s
```

* **Proof-of-Reputation (PoR) Consumer Chains.**

```go
double_sign.slash_fraction: 0 // no slashing
double_sign.jail_duration: time.Unix(253402300799, 0)
downtime.slash_fraction: 0 // no slashing
downtime.jail_duration: 600s
```

This means that when validators that opt in misbehave on PoR consumer chains, their stake on the provider is not being slashed, instead they are just jailed on the provider.
As a result, delegators incur (almost) no risk if their validators opt in on multiple PoR consumer chains.
If their validators are jailed, then the delegators can redelegate to other validators.
Note though that delegators cannot redelegate multiple times, which means that if the new validators also get permanently jailed, the delegators need to wait for the unbonding period to elapse.
* **Testnet Consumer Chains.**

```go
double_sign.slash_fraction: 0 // no slashing
double_sign.jail_duration: 0 // no jailing
downtime.slash_fraction: 0 // no slashing
downtime.jail_duration: 0 // no jailing
```

This means that validators are not punished for infractions on consumer chains.
This setting is ideal for testing consumer chains before going in production, as neither validators nor their delegators incur any risk from the validators opting in on these consumer chains.

This means that both PoR and testnet consumer chains need only to cover the operational costs of the validators that opt in.
For example, if we take `$600` as the cost of running a validator node, a budget of `$3000` will be sufficient to cover the cost of four validators running such a consumer chain and have `$150` profit per validator as incentive.
In practice, this can be implemented via the per-consumer-chain commission rate that allows validators to have different commission rates on different consumer chains.

### Implementation

The implementation of this feature involves the following steps:

* Add the `InfractionParameters` to `MsgCreateConsumer`.
* On slashing events (for either downtime or double signing infractions), use the corresponding `slash_fraction` set by the consumer chain.
* On jailing events (for either downtime or double signing infractions), use the corresponding `jail_duration` set by the consumer chain.
* Cryptographic equivocation evidence received for PoR chains results in the misbehaving validators only being tombstoned and not slashed.
* (Optional) Add the `InfractionParameters` to `MsgUpdateConsumer`, i.e., allow consumer chains to update the slashing and jailing parameters, but the changes will come into effect after a period equal to the staking module's unbonding period elapses to allow for validators to opt out.

## Consequences

### Positive

* Reduce the cost of ICS by removing the risk of slashing delegators.

### Negative

* Reduce the economical security of consumer chains with weaker slashing conditions.

#### Economic Security Model without Slashing

The economic security model of most Cosmos chains relies on the following properties:

* validators are not anonymous, which means that they could be legally liable if they are malicious;
* the delegated PoS mechanism creates a reputation-based network of validators;
* most validators have most of their stake coming from delegations (i.e., nothing at stake, besides reputation);
* it is relatively difficult to enter the active validator set and even more so to climb the voting power ladder.

These properties enable us to make the following assumption:

* Being permanently removed from the provider validator set is strong enough of a deterrent to misbehaving on consumer chains.

The additional economical security a consumer gets from slashing is limited:
Since most of the stake is delegated, slashing punishes delegators more than validators.

One benefit of slashing is that it acts as a deterrent for someone buying a large amount of staking tokens in order to attack a consumer chain.
For example, an attacker could get `$15,000,000` worth of ATOM, which would give them around `1%` voting power on the Cosmos Hub (at the time of this writing).
On a consumer chain, this voting power could be amplified depending on the other validators that opt in.
However, by having the right [power shaping](https://cosmos.github.io/interchain-security/features/power-shaping) settings, the voting power of validators can be capped.
This means that even if the attacker manages to double sign without getting slashed, as long as they don't have 1/3+ of the voting power, they cannot benefit from the attack.
Moreover, the attacker might lose due to other factors, such as [token toxicity](https://forum.cosmos.network/t/enabling-opt-in-and-mesh-security-with-fraud-votes/10901).

### Neutral

NA

## References


15 changes: 12 additions & 3 deletions docs/docs/build/modules/02-provider.md
Original file line number Diff line number Diff line change
Expand Up @@ -225,6 +225,12 @@ Format: `byte(37) | len(consumerId) | []byte(consumerId) | addr -> []byte{}`, wi

Format: `byte(40) | len(consumerId) | []byte(consumerId) -> uint64`

#### Prioritylist

`Prioritylist` is the list of provider validators that have priority to validate a given consumer chain.

Format: `byte(56) | len(consumerId) | []byte(consumerId) | addr -> []byte{}`, with `addr` the validator's consensus address on the provider chain.

### Validator Set Updates

#### ValidatorSetUpdateId
Expand Down Expand Up @@ -1089,6 +1095,7 @@ Output:
chains:
- allow_inactive_vals: true
allowlist: []
prioritylist: []
chain_id: pion-1
client_id: 07-tendermint-0
consumer_id: "0"
Expand Down Expand Up @@ -1554,6 +1561,7 @@ power_shaping_params:
top_N: 100
validator_set_cap: 0
validators_power_cap: 0
prioritylist: []
```

</details>
Expand Down Expand Up @@ -1683,7 +1691,7 @@ where `update-consumer-msg.json` contains:
"initialization_parameters":{
"initial_height":{
"revision_number": 1,
"revision_height": 0
"revision_height": 1
},
"genesis_hash": "",
"binary_hash": "",
Expand All @@ -1702,8 +1710,9 @@ where `update-consumer-msg.json` contains:
"validator_set_cap": 50,
"allowlist":["cosmosvalcons1l9qq4m300z8c5ez86ak2mp8znftewkwgjlxh88"],
"denylist":[],
"min_stake": 1000,
"allow_inactive_vals":true
"min_stake": "1000",
"allow_inactive_vals":true,
"prioritylist":[]
},
"allowlisted_reward_denoms": {
"denoms": ["ibc/0025F8A87464A471E66B234C4F93AEC5B4DA3D42D7986451A059273426290DD5"]
Expand Down
3 changes: 1 addition & 2 deletions docs/docs/consumer-development/app-integration.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
---
sidebar_position: 1
sidebar_position: 2
---
# Developing an ICS consumer chain

Expand Down Expand Up @@ -31,4 +31,3 @@ With these modules enabled, the consumer chain can mint its own governance token
## Standalone chain to consumer chain changeover

See the [standalone chain to consumer chain changeover guide](./changeover-procedure.md) for more information on how to transition your standalone chain to a consumer chain.

2 changes: 1 addition & 1 deletion docs/docs/consumer-development/changeover-procedure.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
---
sidebar_position: 5
sidebar_position: 6
---

# Changeover Procedure
Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
---
sidebar_position: 2
sidebar_position: 3
---

# Consumer Chain Governance
Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
---
sidebar_position: 6
sidebar_position: 7
---

# Consumer Genesis Transformation
Expand Down
Loading

0 comments on commit 4581c86

Please sign in to comment.