-
Notifications
You must be signed in to change notification settings - Fork 105
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Skip mandatory commitment when beefy authorities not changed #1215
base: main
Are you sure you want to change the base?
Conversation
Changes the validator set successions to still be sequential, but non-consecutive. For bridge security against collusion by validators, it's important that these validators are still bonded, but the timing of the signature itself is secondary. As such, even if some validators have rotated out, this change permits keeping the bridge alive so long as 2/3rds of the `currentValidatorSet` are still bonded and sign the commitment. Co-authored-by: bhargavbh <[email protected]> Co-authored-by: Alistair Stewart <[email protected]>
Co-authored-by: bhargavbh <[email protected]>
…eases-in-validator-set' into ron/skip-mandatory-commitment-when-authorities-not-changed
Sync beefy checkpoint from Log as follows shows all handover commitments from 20919030 to 20926196(range of 3 sessions) are skipped since no authorities changes.
Based upon the analysis #1137 (comment) will decrease the maintainance cost about 4 times less. |
@@ -260,7 +260,7 @@ contract BeefyClient { | |||
signatureUsageCount = currentValidatorSet.usageCounters.get(proof.index); | |||
currentValidatorSet.usageCounters.set(proof.index, signatureUsageCount.saturatingAdd(1)); | |||
vset = currentValidatorSet; | |||
} else if (commitment.validatorSetID == nextValidatorSet.id) { | |||
} else if (commitment.validatorSetID >= nextValidatorSet.id) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need some tests in the solidity that skips a mandatory commitment.
Example scenario:
We are in validator set id 6 (next validator set 7), we skip 7 and 8 and then import 9. After importing 9 the current validator set will be 7 and the next validator set will be 10.
We also need to make sure that a future commit does not commit to a block number in the past and a test that covers it.
Context:
#1137 (comment)
#1137 (comment)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch Alistair, yeah, we need more unit tests for this work.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, so in this case the current&next validatorId pair will be (7,10) and latestBeefyBlock
is in session 9.
I would expect a minor change here
snowbridge/contracts/src/BeefyClient.sol
Line 259 in 40f9592
if (commitment.validatorSetID == currentValidatorSet.id) { |
from
if (commitment.validatorSetID == currentValidatorSet.id)
to if (commitment.validatorSetID == currentValidatorSet.id) || commitment.validatorSetID == nextValidatorSet.id - 1
will just work but I'll definetely do more tests.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@yrong @alistair-singh One thing to consider in the greater scheme of things: This optimization will greatly reduce costs for long-range catch up if the relayer is out of action for a few days. However, if my thinking is correct, it won't actually reduce costs if the relayer is caught up, and users are actively sending messages to Ethereum, because, we still need to update the MMR root so that the Gateway can verify user messages. And in order to update the MMR root, we need to sync a signed commitment that can be used to verify the new MMR root. I still think its a worthwhile change to include, but we need more testing to be certain. |
This PR is not only for long-range catch up case, it's supposed to work together with #1217 to furthurly decrease the cost. Here is my test flow based on polkadot relaychain.
As we can see the sync is success because the authorities in validatorSetID 619 are the same as 618 so it's possible to use the keys in validatorSetID 618 to verify the commitment in validatorSetID 619, and after that the current&next validatorSetID pair is still (618,620).
As we can see after that the current&next validatorSetID pair becomes (620,621) which is back to normal as before. |
…owfork/snowbridge into ron/skip-mandatory-commitment
* Sync beefy commitment on demand * Minor fix * More comments * More refactoring * Fix for skip mandatory commitment * Some refactoring * Find for next beefy block * Improve log * Remove check unrelated
More context in #1137 authored by @Lederstrumpf and @bhargavbh, many thanks.
Revamp the relayer to skip mandatory commitment when beefy authorities not changed.