ADR 016: Validator consensus key rotation #5233
Thanks @dlguddus. Can you reference the ADR in `## ADR Table of Contents` in `docs/architecture/README.MD`?
Co-Authored-By: Alexander Bezobchuk <[email protected]>
done!
Looks good @dlguddus and @dongsam. Look forward to seeing the changes.
ACK, pending conflicts resolved and suggested default params added to the ADR.
Codecov Report
@@ Coverage Diff @@
## master #5233 +/- ##
==========================================
+ Coverage 54.46% 54.51% +0.05%
==========================================
Files 313 311 -2
Lines 18892 18740 -152
==========================================
- Hits 10289 10217 -72
+ Misses 7812 7743 -69
+ Partials 791 780 -11
add suggested default value for genesis parameters
all additional features will be implemented on `staking` module
IMO, this needs some kind of language about costs validator key rotation imposes on light clients and IBC and potentially some solutions to rate limit or charge fees based on that cost.
How about this in the Considerations section?
2. The validator generates and signs a `MsgRotateConsPubKey` tx with their operator key and new ConsPubKey | ||
|
||
```go | ||
type MsgRotateConsPubKey struct { |
Who is the signer of this message?
The validator account key is the signer of MsgRotateConsPubKey
} | ||
``` | ||
|
||
5. `ApplyAndReturnValidatorSetUpdates` checks if there is `ConsPubKeyRotationHistory` with `ConsPubKeyRotationHistory.RotatedHeight == ctx.BlockHeight()` and if so, generates 2 `ValidatorUpdate` , one for a remove validator and one for create new validator |
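Review bot: step 5 does not say what each of the two `ValidatorUpdate` entries contains or how they combine with the updates this function already emits. Suggest spelling out that the remove entry is the old ConsPubKey with power 0 and the create entry is the new ConsPubKey with the validator's current power, and stating what happens when the same validator also has a power change, or leaves the active set, at `RotatedHeight`, so the old key is not both updated and removed in the same block.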
Will this change the priority of the validator in the RoundRobin proposer selection in Tendermint?
The new rotated key will have the lowest accum because it is seen as a new validator. So it is a slight disadvantage to the key rotated validator
Co-Authored-By: Aditya <[email protected]>
Sounds good to me. It just means that we always need to track how many times a validator rotated keys in the period so we can charge them appropriately. Another point might be to charge more for validators to rotate keys if they have more voting power.
Your last sentence seems to accurately describe the reasoning factor of
Now how do you like the suggestion?
Perfect.
….,.. - add "key rotation costs related to LCD and IBC" in considerations - fix `KeyRotationFee` formula.
done!
@zmanian mind giving an ACK?
@zmanian Could you confirm the update? Thank you!
@zmanian please don't block our process if you don't have any further request. It has been too long a time.
- Validators can immediately or periodically rotate their consensus key to have better security policy | ||
- improved security against Long-Range attacks (https://nearprotocol.com/blog/long-range-attacks-and-a-new-fork-choice-rule) given a validator throws away the old consensus key(s) | ||
|
||
### Negative |
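Review bot: the Long-Range attack bullet rests on "given a validator throws away the old consensus key(s)", which the chain cannot observe or enforce. Suggest wording it as a benefit only for validators that actually destroy the old key, and capitalising "improved" to match the first bullet.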
Missing an important negative: it allows a validator to effectively sell their entity, in a way that before would require hardware assumptions. (They can change their key to give it to new management, without any oversight from their delegators.)
ref: #5231
- Targeted PR against correct branch (see CONTRIBUTING.md)
- Linked to github-issue with discussion and accepted design OR link to spec that describes this work.
- Wrote tests
- Updated relevant documentation (`docs/`)
- Added a relevant changelog entry to the `Unreleased` section in `CHANGELOG.md`
- Re-reviewed `Files changed` in the github PR explorer

For Admin Use: