Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docs(adr): ADR-007 pause unbonding period during equivocation proposal #964
docs(adr): ADR-007 pause unbonding period during equivocation proposal #964
Changes from 2 commits
09cad19
78b9e8e
c44afb3
b6f9175
3c963fb
dd353c2
768dfbf
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This needs to be described more precisely. For example, unbonding operations that are no longer waiting for this particular consumer chain should probably not be put on hold. Also, if the infraction occurred after the unbonding operation was initiated, there is no reason to pause the unbonding.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good points, we'll add them.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, for this particular case, I wonder how this is possible. Considering the protocol, how an unbonding period can end on a consumer chain before the provider chain ?
Or maybe when the unbonding period is deliberately configured shorter between consumer and provider ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For
Fixed dd353c2
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This may lead to unpausing unbonding operations that occurred after the
AfterProposalDeposit
hook was called. As a result, those unbondings would no longer wait for the unbonding period on the consumer to elapse.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch, we'll fix that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed dd353c2
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO, this is the main argument against this proposal. The main reason for pausing unbonding operations is to enable the consumer chains to have shorter unbonding periods and avoid unbonding operations to be delayed. However, reducing the unbonding period on a consumer chain would impact the trusting period of all light clients of that consumer chain (even clients on other chains). This may lead to light clients expiring, which would be a major disruption for the consumer chain.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The alternative to this proposal is to enable the provider to verify the evidence of equivocation on consumer chains, i.e., #732.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mpoke I'm not sure I follow. Currently (without this PR, or cryptographic verification), we are in a situation where the trusting period should be
(consumer unbonding - provider voting period) * ~0.75
. With a 20 day consumer unbonding period, that means the trusting period should be about 4-5 days. This is already pretty tough for consumer chains to deal with. If we took the consumer unbonding period down to 14 days like we want to, we'd need a trusting period of 0.With this PR or cryptographic equivocation, we can go back to the trusting period being
consumer unbonding * 0.75
, or 10-11 days. So at least in this respect, it seems that this PR or cryptographic verification both mitigate this issue equivalently.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jtremback Yeah, that’s indeed confusing. Sorry for that.
There are actually two problems we are trying to address here. First, ensuring the correctness of the slashing mechanism of PoS. Second, avoiding delays in the completion of unbonding operations on the provider (which would affect the user experience). Note that the first is a safety concern, while the second is a liveness concern.
For the first, we MUST make sure that the stake of a validator that double signed on a consumer chain is still locked (on the provider) after an equivocation proposal passes. Thus, the following condition MUST hold
consumerTrustingPeriod < consumerUnbondingPeriod - providerVotingPeriod
. In addition, we MUST leave time for the double signing to be detected, a SlashPacket to be relayed and an equivocation proposal to be submitted. Let’s denote this extra time period withdelta1
. Then,consumerTrustingPeriod < consumerUnbondingPeriod - delta1 - providerVotingPeriod
.For the second, the following condition SHOULD hold
consumerUnbondingPeriod < providerUnbondingPeriod
. In addition, we SHOULD leave time to relay bothVSCPackets
andVSCMaturedPackets
, and to account for potential downtimes of the consumer chain (as it happened on Neutron’s launch). Let’s denote this extra time period withdelta2
. Then,consumerUnbondingPeriod + delta2 < providerUnbondingPeriod
.From these two inequalities, we get
consumerTrustingPeriod < providerUnbondingPeriod - delta2 - delta1 - providerVotingPeriod
. For the Hub,providerUnbondingPeriod = 21 days
,providerVotingPeriod = 14 days
, which meansconsumerTrustingPeriod < 7 - delta2 - delta1
. Best case scenario,delta1 = 1 day
anddelta2 = 1day
, which meansconsumerTrustingPeriod < 5 days
. This trusting period must be used for all light clients of the consumer chain, not only the ones on the provider. This means that the chances of a consumer light client expiring are quite high (which would clearly be a very disruptive event). Also, note that these values for the deltas are very low. For example, the network has ~7 days to detect a light client attack on a Hub client (i.e., delta1 ~ 7 days). Also, as we seen with Neutron, havingdelta2=1day
may lead to delays of unbonding operations.The only way to deal with this problem, is to get rid of the
providerVotingPeriod
, i.e.,consumerTrustingPeriod < providerUnbondingPeriod - delta2 - delta1
. This ADR is one way of doing that. The downside is that the suggested approach effectively increases theconsumerUnbondingPeriod
(when an equivocation proposal is submitted), which means that a malicious consumer can break liveness (i.e., delay unbondings). Given that such an event would result in that consumer being removed (via a ConsumerRemovalProposal), I think the risks are minimal. So, we could go ahead with this proposal for now until #732 is done.