From 1313dc9a0d6e52bf254e3f1890324004ebdd3edf Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Mon, 26 Sep 2022 18:01:23 +0200 Subject: [PATCH] Update CLI to recover expired client for SDK 46 updates to gov module (backport #2301) (#2359) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Update CLI to recover expired client for SDK 46 updates to gov module (#2301) * Update CLI commands to recover expired client for SDK 46 updates to gov module * Fix alignment * Add proposal json, fix alginment * Apply suggestions from code review Co-authored-by: Carlos Rodriguez Co-authored-by: Carlos Rodriguez (cherry picked from commit daac435d9b8740b6c158127aacaece9f67388375) # Conflicts: # docs/ibc/proposals.md * fix conflicts * remove documentation Co-authored-by: tmsdkeys <98807841+tmsdkeys@users.noreply.github.com> Co-authored-by: Colin Axnér <25233464+colin-axner@users.noreply.github.com> --- docs/ibc/proposals.md | 93 ++++++++++++++++++++++++++++++------------- 1 file changed, 66 insertions(+), 27 deletions(-) diff --git a/docs/ibc/proposals.md b/docs/ibc/proposals.md index f6bf351a705..94c8f45edcc 100644 --- a/docs/ibc/proposals.md +++ b/docs/ibc/proposals.md @@ -4,7 +4,7 @@ order: 5 # Governance Proposals -In uncommon situations, a highly valued client may become frozen due to uncontrollable +In uncommon situations, a highly valued client may become frozen due to uncontrollable circumstances. A highly valued client might have hundreds of channels being actively used. Some of those channels might have a significant amount of locked tokens used for ICS 20. @@ -12,41 +12,45 @@ If the one third of the validator set of the chain the client represents decides they can sign off on two valid but conflicting headers each signed by the other one third of the honest validator set. The light client can now be updated with two valid, but conflicting headers at the same height. The light client cannot know which header is trustworthy and therefore -evidence of such misbehaviour is likely to be submitted resulting in a frozen light client. +evidence of such misbehaviour is likely to be submitted resulting in a frozen light client. Frozen light clients cannot be updated under any circumstance except via a governance proposal. -Since a quorum of validators can sign arbitrary state roots which may not be valid executions +Since a quorum of validators can sign arbitrary state roots which may not be valid executions of the state machine, a governance proposal has been added to ease the complexity of unfreezing or updating clients which have become "stuck". Without this mechanism, validator sets would need -to construct a state root to unfreeze the client. Unfreezing clients, re-enables all of the channels -built upon that client. This may result in recovery of otherwise lost funds. +to construct a state root to unfreeze the client. Unfreezing clients, re-enables all of the channels +built upon that client. This may result in recovery of otherwise lost funds. -Tendermint light clients may become expired if the trusting period has passed since their +Tendermint light clients may become expired if the trusting period has passed since their last update. This may occur if relayers stop submitting headers to update the clients. -An unplanned upgrade by the counterparty chain may also result in expired clients. If the counterparty -chain undergoes an unplanned upgrade, there may be no commitment to that upgrade signed by the validator -set before the chain-id changes. In this situation, the validator set of the last valid update for the -light client is never expected to produce another valid header since the chain-id has changed, which will -ultimately lead the on-chain light client to become expired. +An unplanned upgrade by the counterparty chain may also result in expired clients. If the counterparty +chain undergoes an unplanned upgrade, there may be no commitment to that upgrade signed by the validator +set before the chain-id changes. In this situation, the validator set of the last valid update for the +light client is never expected to produce another valid header since the chain-id has changed, which will +ultimately lead the on-chain light client to become expired. In the case that a highly valued light client is frozen, expired, or rendered non-updateable, a -governance proposal may be submitted to update this client, known as the subject client. The +governance proposal may be submitted to update this client, known as the subject client. The proposal includes the client identifier for the subject and the client identifier for a substitute -client. Light client implementations may implement custom updating logic, but in most cases, +client. Light client implementations may implement custom updating logic, but in most cases, the subject will be updated to the latest consensus state of the substitute client, if the proposal passes. -The substitute client is used as a "stand in" while the subject is on trial. It is best practice to create -a substitute client *after* the subject has become frozen to avoid the substitute from also becoming frozen. -An active substitute client allows headers to be submitted during the voting period to prevent accidental expiry -once the proposal passes. +The substitute client is used as a "stand in" while the subject is on trial. It is best practice to create +a substitute client _after_ the subject has become frozen to avoid the substitute from also becoming frozen. +An active substitute client allows headers to be submitted during the voting period to prevent accidental expiry +once the proposal passes. # How to recover an expired client with a governance proposal See also the relevant documentation: [ADR-026, IBC client recovery mechanisms](../architecture/adr-026-ibc-client-recovery-mechanisms.md) -### Preconditions +> **Who is this information for?** +> Although technically anyone can submit the governance proposal to recover an expired client, often it will be **relayer operators** (at least coordinating the submission). + +### Preconditions + - The chain is updated with ibc-go >= v1.1.0. -- The client identifier of an active client for the same counterparty chain. +- There exists an active client (with a known client identifier) for the same counterparty chain as the expired client. - The governance deposit. ## Steps @@ -70,18 +74,53 @@ The client is attached to the expected Akash `chain-id`. Note that although the ### Step 2 -If the chain has been updated to ibc-go >= v1.1.0, anyone can submit the governance proposal to recover the client by executing this via cli: +If the chain has been updated to ibc-go >= v1.1.0, anyone can submit the governance proposal to recover the client by executing this via CLI. -``` - tx gov submit-proposal update-client -``` +> Note that the Cosmos SDK has updated how governance proposals are submitted in SDK v0.46, now requiring to pass a .json proposal file + +- From SDK v0.46.x onwards + + ``` + tx gov submit-proposal [path-to-proposal-json] + ``` + + where `proposal.json` contains: + + ```json + { + "messages": [ + { + "@type": "/ibc.core.client.v1.ClientUpdateProposal", + "title": "title_string", + "description": "description_string", + "subject_client_id": "expired_client_id_string", + "substitute_client_id": "active_client_id_string" + } + ], + "metadata": "", + "deposit": "10stake" + } + ``` + + Alternatively there's a legacy command (that is no longer recommended though): + + ``` + tx gov submit-legacy-proposal update-client + ``` + +- Until SDK v0.45.x + ``` + tx gov submit-proposal update-client + ``` + +The `` identifier is the proposed client to be updated. This client must be either frozen or expired. -The `` should be a client identifier on the same chain as the expired or frozen client. This client identifier should connect to the same chain as the expired or frozen client. This means: use the active client that is currently being used to relay packets between the two chains as the replacement client. +The `` represents a substitute client. It carries all the state for the client which may be updated. It must have identical client and chain parameters to the client which may be updated (except for latest height, frozen height, and chain ID). It should be continually updated during the voting period. -After this, it is just a question of who funds the governance deposit and if the chain in question votes yes. +After this, all that remains is deciding who funds the governance deposit and ensuring the governance proposal passes. If it does, the client on trial will be updated to the latest state of the substitute. -## Important considerations +## Important considerations Please note that from v1.0.0 of ibc-go it will not be allowed for transactions to go to expired clients anymore, so please update to at least this version to prevent similar issues in the future. -Please also note that if the client on the other end of the transaction is also expired, that client will also need to update. This process updates only one client. \ No newline at end of file +Please also note that if the client on the other end of the transaction is also expired, that client will also need to update. This process updates only one client.