Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a non-destructive way to check invariants #11389

Closed
4 tasks
yihuang opened this issue Mar 16, 2022 · 6 comments
Closed
4 tasks

Add a non-destructive way to check invariants #11389

yihuang opened this issue Mar 16, 2022 · 6 comments
Labels
C:x/crisis T:feature-request

Comments

@yihuang
Copy link
Collaborator

yihuang commented Mar 16, 2022

Summary

The design of the crisis module is to halt the chain when invariant check fails, it's useful to provide a way to check invariant without halt the chain, like in a grpc query handler.

Problem Definition

Proposal

For Admin Use

  • Not duplicate issue
  • Appropriate labels applied
  • Appropriate contributors tagged
  • Contributor assigned/self-assigned
@peterbourgon
Copy link

Is it not the case that if an invariant fails, the chain is by definition unsound?

@faddat
Copy link
Contributor

faddat commented Mar 16, 2023

He's right though.

Also, how to check invariants at all?

@yihuang
Copy link
Collaborator Author

yihuang commented Mar 16, 2023

Is it not the case that if an invariant fails, the chain is by definition unsound?

Sometimes, the invariant is just too strict.
Or there's a benign bug that breaks an invariant, but crisis module will make a a serious bug and could be exploit by attacker to halt the chain. There was an old example that attack might find a way to send tokens to some module addresses which breaks a invariant, but having some tokens in module address is not a serious issue in itself.

@peterbourgon
Copy link

Sometimes, the invariant is just too strict.
Or there's a benign bug that breaks an invariant, but crisis module will make a a serious bug and could be exploit by attacker to halt the chain. There was an old example that attack might find a way to send tokens to some module addresses which breaks a invariant, but having some tokens in module address is not a serious issue in itself.

If an invariant is "too strict" and can be violated by "a benign bug" without needing to halt the chain, then it isn't actually an invariant (as defined by x/crisis) and should be fixed, or removed altogether, right?

@alexanderbez
Copy link
Contributor

alexanderbez commented Mar 20, 2023
edited
Loading

Invariants are stringent checks against application state that are used to determine if the state is what it "should" be. "Too strict" isn't really a thing. They can be violated by any sort of bug, and if so, should be dealt with immediately.

E.g. staking_pool_balance == unbonded_pool + bonded_pool + unbonding_pool. If this is untrue at any point, your app has a serious problem. How this problem, for example, came to be, is for you to debug and figure out.

Invariants used in conjunction with the simulator were absolutely paramount to testing the initial Hub and SDK code and allowed us to launch quickly.

@julienrbrt
Copy link
Member

Given #15706 I think this can be closed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
C:x/crisis T:feature-request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@peterbourgon @yihuang @alexanderbez @faddat @tac0turtle @julienrbrt