Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Broken-Invariant-Evidence Tx #2935

Closed
rigelrozanski opened this issue Nov 28, 2018 · 14 comments · Fixed by #3656
Closed

Broken-Invariant-Evidence Tx #2935

rigelrozanski opened this issue Nov 28, 2018 · 14 comments · Fixed by #3656
Assignees
Milestone

Comments

@rigelrozanski
Copy link
Contributor

Rather than running all invariants on-chain (which will likely end up being quite computationally expensive), we could develop a simple tool for a full-node to run invariant checks and further submit evidence of a broken invariant to the chain, which would at that point force-halt the system.

  • we could even provide an incentive for finding a broken invariant (however I don't think this requires an incentive, enough systems will just want to be running this no matter what)
@rigelrozanski
Copy link
Contributor Author

CC @cwgoes

@cwgoes
Copy link
Contributor

cwgoes commented Nov 28, 2018

I think it might require an incentive, since the gas cost will be quite high, but given one this seems incentive-compatible, saves computation time, and could be safely kept around for a long time.

Great idea! I think we should strongly consider this pre-transfers.

@cwgoes
Copy link
Contributor

cwgoes commented Nov 28, 2018

cc @ValarDragon, also @gamarin2 - I think this might address much the same goals as the circuit breaker proposal, and is much simpler.

@cwgoes
Copy link
Contributor

cwgoes commented Nov 28, 2018

Only concern is if the invariants exceeded the block gas limit.

@rigelrozanski
Copy link
Contributor Author

Yeah the block gas limit would have to be priced accordingly - otherwise it could potentially be a special type of authenticated transaction... for instance we could require something to be at stake to submit this transaction for which you would get slashed if it ended up not being an invariant.

@ValarDragon
Copy link
Contributor

ValarDragon commented Nov 29, 2018

This is an awesome idea! I'm totally for this. At minimum we should refund the gas cost if an invariant was broken, but I think rewards on top are good.

These invariants should be itemized, i.e. it shouldn't be one "run all invariants" message, but instead a sub-listing of which invariant to run. (This can be implemented as a "run invariant" message type, followed by an invariant index) That just reduces gas cost.

I am opposed to increasing the block gas limit to accomodate this though. We should only do this for invariants that fit within the gas limit, and defer to the circuit breaker otherwise. (I am opposed to opening us up to attacks that slow down consensus despite paying the fair gas amount for that computation. (e.g. bogus long invariants))

I think the circuit breaker is still good, that is a more general solution. There would be no need for the circuit breaker if the invariants covered the space of all possible faults, but that just seems unlikely to ever be the case.

@ValarDragon
Copy link
Contributor

Actually on second thought, I don't think this should ever halt, but should only defer to going into the circuit breaker state. The issue with halting is that the conditions for coming back online is always going to be a hard fork. (And therefore we either have to create a new genesis, which is massive and foregoes proofs of upgrade procedure due to IAVL, or create an upgrade script which directly modifies state, again a bit ... sketchy) We still get our social consensus tally on chain in the circuit breaker, which is quite nice.

@rigelrozanski
Copy link
Contributor Author

hmm are you suggesting some kind of a pause state - which doesn't allow sends but governance is still active?

@ValarDragon
Copy link
Contributor

ValarDragon commented Nov 29, 2018

Yeah! Thats essentially what the state in circuit breaker mode is AFAIU. Its not clear to me if fees should / block rewards should be enabled during this paused state. (I think thats a great name for it :))

@rigelrozanski
Copy link
Contributor Author

cool! Yeah I'm really into the pause state - we could have the allowed functionality during the pause state be configurable at genesis

@jackzampolin
Copy link
Member

cc @cwgoes Circut breaker?

@cwgoes
Copy link
Contributor

cwgoes commented Jan 29, 2019

Yes, this is quite excellent, we should implement it post-launch pre-transfers.

@rigelrozanski
Copy link
Contributor Author

As a first instance of this implementation we could still have a halt state - once circuit breaker is implemented we can integrate the two together

@cwgoes
Copy link
Contributor

cwgoes commented Jan 30, 2019

As a first instance of this implementation we could still have a halt state - once circuit breaker is implemented we can integrate the two together

At the moment I think it is fine if the broken-invariant-tx just halts the chain (i.e. panics) if the invariants are broken.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants