-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
R4R: Multimsg ante handler Jae's proposal #3787
Conversation
Codecov Report
@@ Coverage Diff @@
## develop #3787 +/- ##
=========================================
- Coverage 61% 60.9% -0.1%
=========================================
Files 191 191
Lines 14174 14187 +13
=========================================
- Hits 8647 8641 -6
- Misses 4973 4993 +20
+ Partials 554 553 -1 |
The motivating requirements here are
The goal here is a minimal change that will be undone during a breaking upgrade to enable transfering a small number of atoms to create new validator operator accounts. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I missed most of the motivating discussion here - I guess the idea is to allow un-economical transfers to make it possible to create new validators / accounts, like Zaki said? Given that, this approach seems OK to me.
A few comments on implementation, and needs PENDING.md
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @sunnya97 -- surface changes make sense mostly, but:
- needs a pending log entry
- needs a corresponding issue w/ a summary as this is a big change right before launch and there virtually is zero context here
- comments addressed
cmd/gaia/app/app.go
Outdated
switch msg.(type) { | ||
case bank.MsgSend: | ||
// LCD tests requires this to be commented out | ||
// return ctx, bank.ErrSendDisabled(bank.DefaultCodespace).Result(), true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why? We should modify those tests, no?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This doesn't seem safe, now we'll allow sends (?)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can I use the Makefile to set an environment variable or something that I can read from in the code? Is that safe?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we can't use an env variable but we can use a build flag, i'll do this.
To-do (cc @sunnya97):
|
Co-Authored-By: sunnya97 <[email protected]>
Hey @sunnya97 - do you think we shouldn't track the total supply changes? Please explicate. |
@cwgoes The bank module doesn't have access to the stake keeper, which currently keeps track of the total supply. It should be done by the bank keeper. There was a PR for this (#2939) but we decided to push it to post launch. This "burn account" method is currently what is also being used with the governance deposit burns. |
Alternatively, burned tokens could be added back as fees or added to the community pool. |
This doesn't prevent altering the staking pool in the ante handler with the staking keeper. |
Adding it the community pool would require giving the bank keeper access to the distribution keeper (not sure if this doable directly or would need a hook). Adding is as fees is doable, as bank keeper already has access to auth keeper which has access to FeeCollection keeper. However, by using a "burn address" we can just reuse the already written and tested functionality of MultiSend msg without adding any additional functionality to the bank module. |
We don't process the the MultiSend msg in the ante handler, we just check that it has the right amounts in the outputs. You can think of it as an extra |
@cwgoes I don't see why we need to filter SetWithdrawAddress messages. That parameter still exists, and whether it's enabled or not, it's not the same thing as enabling transfers per se, it only applies to rewards AFAIK, so I think we can leave this PR as is. |
Right, I stand corrected. I guess we would need to add a new message type or override the handler itself. Neither option seems particularly clean (although this isn't either). We can fix total supply when we hard fork to actually enable transfers (and maybe fix the |
It seems like a proxy for (limited) transfers - I could pay someone (a validator) to set their reward address to one I control. We don't require the reward address to sign the
|
Although, to do the actual WithdrawTx, won't that account need to have an account in state and some coins to pay the tx fee with?
I do like putting these all in the same spot. Will be easier to activate transfers later then. |
The withdraw transaction is still sent by the delegator, so no - and as soon as the reward recipient receives funds, it will be able to spend them, like after a normal transfer. (perhaps this should be reworked in the future, it's not actually that useful) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left a question and this still warrants a pending log entry.
|
||
authAnteHandler := auth.NewAnteHandler(app.accountKeeper, app.feeCollectionKeeper) | ||
|
||
filterAnteHandler := func(ctx sdk.Context, tx sdk.Tx, simulate bool) (newCtx sdk.Context, result sdk.Result, abort bool) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmmm maybe I'm missing something glaringly obvious, but why must we have a "filterAnteHandler" in app
? Why can't we just use the regular ante handler and have the sendEnabled
enabled check? Then we won't need any hacky build stuff for this. Yes, the ante handler would have to be provided a "keeper contract" that implements GetSendEnabled
.
What if a bunch of nodes choose to run without this build setup? What if this introduces a spam or DoS vector? (since the entire ante handler is executed first)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ohhh because it needs access to x/bank
for message validation....sigh. I still think we can avoid this though. NewAnteHandler
can be passed a tx validator function (which is defined in bank, e.g. func(tx sdk.Tx) sdk.Result
) . Then we dont need any filter ante handler OR hacky build steps.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because other people are using the bank module rn, and we don't want to add Hub specific functionality to the module. We wanted to isolate this functionality change to just the gaia package.
Really, the proper way to do this is to allow for rerouting subroutes. So the route of the bank module msgs would be:
bank/send
bank/multisend
And then in the router, we route
bank/*
to the bank module, but bank/multisend
to a special handler defined in the gaia folder.
However, we don't have time to do this rn, as this would involve changes to the router functionality.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah anything to avoid involving the build pipeline would be an ideal solution. Seems trivial to do @sunnya97
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have all of these same concerns about using the build pipeline. I think, while messy, that forking the bank
module may be the best way to do this. Looking forward to continuing this discussion in the sdk meeting today.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also this will be a very easy change to revert if we do that (just reimport the normal bank module into app.go
)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we don't know how messy it will be, this is done, lets go with this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not messy at all. I really don't think we should rely on the build process to enforce business logic (especially since it ties into consensus).
Current plan is to use the solution in #3807, going to mark this |
closes: #3802
Targeted PR against correct branch (see CONTRIBUTING.md)
Linked to github-issue with discussion and accepted design OR link to spec that describes this work.
Wrote tests
Updated relevant documentation (
docs/
)Added entries in
PENDING.md
with issue #rereviewed
Files changed
in the github PR explorerFor Admin Use: