-
Notifications
You must be signed in to change notification settings - Fork 610
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: update fee middleware docs to be more explicit about reasoning for removing invariant checks #1705
Conversation
* update code & test * update proto and adr026 * update CHANGELOG * update cli docs * update broken milestone link
@@ -27,7 +27,7 @@ If a counterparty payee is not registered for the forward relayer on the destina | |||
A transaction must be submitted to the destination chain including a `CounterpartyPayee` address of an account on the source chain. | |||
The transaction must be signed by the `Relayer`. | |||
|
|||
Note: If a module account address is used as the `CounterpartyPayee` it is recommended to [turn off invariant checks](https://github.com/cosmos/ibc-go/blob/71d7480c923f4227453e8a80f51be01ae7ee845e/testing/simapp/app.go#L659) for that module. | |||
Note: If a module account address is used as the `CounterpartyPayee` it may be necessary to [turn off invariant checks](https://github.com/cosmos/ibc-go/blob/71d7480c923f4227453e8a80f51be01ae7ee845e/testing/simapp/app.go#L659) for that module, if the module has been set as a blocked address in the `BankKeeper`. This is because many modules use invariants to compare internal tracking of module account balances against the actual balance of the account stored in the `BankKeeper`. If a token transfer to the module account occurs without going through this module and updating the account balance of the module on the `BankKeeper`, then invariants may break and unknown behaviour could occur depending on the module implementation. Therefore, it is suggested that either invariant checks are turned off, or the module is removed from the blocked address list on the `BankKeeper` with the understanding that this may result in consequences for module balance accounting. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know that this was already there, so not part of your PR, but I just realized that the code that is linked in the text turn off invariant checks
is for not adding the module account to the list of blocked addresses, right? It's not pointing to code that shows how to turn off invariants, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So if I understand it correctly, there are two options here described that the use could choose from:
- Either to turn off invariants.
- Or to remove the module account from the list of blocked addresses.
If option 1 is chosen, is it still possible to use the module account as counterparty payee? Because in our code all the operations to transfer funds are using the bank keeper methods, so if the module is still in the list of blocked addresses, these operations will fail, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
correct, the code that is linked is for the blocked addresses
regarding your second question, yes it is possible to use the module account as the counterparty payee. each chain handles blocked addresses differently, so the operation may or may not fail depending on if the module is in the blocked address.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
correct, the code that is linked is for the blocked addresses
So should we link instead to code that shows how to turn off invariants instead?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I disagree with the recommended approach. If a module requires strict internal accounting (as shown by their usage of invariants), I don't think we can safely suggest to ignore that functionality. In my opinion, given the current state of SDK invariants/interaction with the bank keeper, we should say that a module which is blocked cannot be used as a counterparty payee
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The lack of checks preventing payment to the community pool has led to multiple security releases. I think it is more sustainable to request changes to the SDK to support payment to modules without disrupting their internal tracking
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Issues on the SDK, #10811, #11369, and #11388 would all help make the requested functionality possible. Essentially you only want modules and their sub functionality blocked if it is a strict requirement for security. Currently some modules might be overly secure (too strict invariants) or may have sub-functionality that doesn't need to follow the same invariant checking (community pool)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i see. one problem with waiting on the SDK to fix this though is that i think the usecase we have pinned down for the first deployments of fee middleware use module accounts as the payee, so it would be an issue if we somehow now technically block it.
the other approach, where we don't technically block it but just STRONGLY recommend against and explain why module accounts are risky to use, still allows this usecase.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Module accounts can be used, just module accounts which are blocked cannot be used
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@crodriguezvega is correct that turning off invariants is not sufficient to allow a blocked module to be used with ics29. The module account must be unblocked. Could we recommend that only module accounts which are not blocked can be used with ics29?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice work, thanks for applying my suggestions. Appreciate the willingness to go back and forth
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you, @charleenfei!
… for removing invariant checks (#1705) * fix broken link * fix: rm AllowUpdateAfter... check (#1118) * update code & test * update proto and adr026 * update CHANGELOG * update cli docs * update broken milestone link * updated fee middleware docs wrt invariants * second review * update docs to remove language about removing invariants * update docs/middleware/ics29-fee/fee-distribution.md Co-authored-by: colin axnér <[email protected]> Co-authored-by: colin axnér <[email protected]> Co-authored-by: Carlos Rodriguez <[email protected]> (cherry picked from commit 7f3d71b)
… for removing invariant checks (#1705) * fix broken link * fix: rm AllowUpdateAfter... check (#1118) * update code & test * update proto and adr026 * update CHANGELOG * update cli docs * update broken milestone link * updated fee middleware docs wrt invariants * second review * update docs to remove language about removing invariants * update docs/middleware/ics29-fee/fee-distribution.md Co-authored-by: colin axnér <[email protected]> Co-authored-by: colin axnér <[email protected]> Co-authored-by: Carlos Rodriguez <[email protected]> (cherry picked from commit 7f3d71b)
… for removing invariant checks (#1705) (#1994) * fix broken link * fix: rm AllowUpdateAfter... check (#1118) * update code & test * update proto and adr026 * update CHANGELOG * update cli docs * update broken milestone link * updated fee middleware docs wrt invariants * second review * update docs to remove language about removing invariants * update docs/middleware/ics29-fee/fee-distribution.md Co-authored-by: colin axnér <[email protected]> Co-authored-by: colin axnér <[email protected]> Co-authored-by: Carlos Rodriguez <[email protected]> (cherry picked from commit 7f3d71b) Co-authored-by: Charly <[email protected]>
… for removing invariant checks (#1705) (#1995) * fix broken link * fix: rm AllowUpdateAfter... check (#1118) * update code & test * update proto and adr026 * update CHANGELOG * update cli docs * update broken milestone link * updated fee middleware docs wrt invariants * second review * update docs to remove language about removing invariants * update docs/middleware/ics29-fee/fee-distribution.md Co-authored-by: colin axnér <[email protected]> Co-authored-by: colin axnér <[email protected]> Co-authored-by: Carlos Rodriguez <[email protected]> (cherry picked from commit 7f3d71b) Co-authored-by: Charly <[email protected]>
… for removing invariant checks (cosmos#1705) (cosmos#1994) * fix broken link * fix: rm AllowUpdateAfter... check (cosmos#1118) * update code & test * update proto and adr026 * update CHANGELOG * update cli docs * update broken milestone link * updated fee middleware docs wrt invariants * second review * update docs to remove language about removing invariants * update docs/middleware/ics29-fee/fee-distribution.md Co-authored-by: colin axnér <[email protected]> Co-authored-by: colin axnér <[email protected]> Co-authored-by: Carlos Rodriguez <[email protected]> (cherry picked from commit 7f3d71b) Co-authored-by: Charly <[email protected]>
… for removing invariant checks (cosmos#1705) (cosmos#1994) * fix broken link * fix: rm AllowUpdateAfter... check (cosmos#1118) * update code & test * update proto and adr026 * update CHANGELOG * update cli docs * update broken milestone link * updated fee middleware docs wrt invariants * second review * update docs to remove language about removing invariants * update docs/middleware/ics29-fee/fee-distribution.md Co-authored-by: colin axnér <[email protected]> Co-authored-by: colin axnér <[email protected]> Co-authored-by: Carlos Rodriguez <[email protected]> (cherry picked from commit 7f3d71b) Co-authored-by: Charly <[email protected]>
… for removing invariant checks (cosmos#1705) (cosmos#1994) * fix broken link * fix: rm AllowUpdateAfter... check (cosmos#1118) * update code & test * update proto and adr026 * update CHANGELOG * update cli docs * update broken milestone link * updated fee middleware docs wrt invariants * second review * update docs to remove language about removing invariants * update docs/middleware/ics29-fee/fee-distribution.md Co-authored-by: colin axnér <[email protected]> Co-authored-by: colin axnér <[email protected]> Co-authored-by: Carlos Rodriguez <[email protected]> (cherry picked from commit 7f3d71b) Co-authored-by: Charly <[email protected]>
Description
closes: #XXXX
Before we can merge this PR, please make sure that all the following items have been
checked off. If any of the checklist items are not applicable, please leave them but
write a little note why.
docs/
) or specification (x/<module>/spec/
)godoc
comments.Unreleased
section inCHANGELOG.md
Files changed
in the Github PR explorerCodecov Report
in the comment section below once CI passes