Snowbridge v2 - Inbound Queue

[claravanstaden]

Description

Implements the Inbound Queue for Snowbridge v2.

Integration

This PR adds:

• A new pallet called EthereumInboundQueueV2 with a submit extrinsic.
• A new runtime API called InboundQueueApiV2 with a method dry_run, that takes an Ethereum command and converts it to Xcm and provides the execution fee on BH and static fee part of the AH execution.

Since this is a new pallet, no breaking changes are made to the EthereumInboundQueue pallet.

Review Notes

The Inbound Queue v2 pallet expects an abi-encoded envelope from Ethereum. Once decoded, the payload parameter is SCALE decoded into a v2::Message. The message contains:

• origin: The origin address of the user on Ethereum
• assets: A vector of assets that will be placed in the holding on AH. Can be a native ERC-20 or a foreign ERC-20 (Polkadot native assets). The XCM instructions that are used differ per asset type (ReserveAssetDeposited for native ERC-20 tokens and WithdrawAsset for Polkadot native assets). The user on Ethereum specifies additional xcm deposit the asset into a beneficiary account.
• xcm: User provided xcms, to deposit the asset to a beneficiary, provide further fees or other instructions such as Transact (for example, to register a token)
• claimer: The claimer on AH, in case funds are trapped so it can be claimed.

The relayer pays a DOT fee that covers:

• The execution fees on BH
• The static xcm part of the message on AH

The DOT fee is burnt from the relayer account and teleported to AH.

Messages may be processed out of order. Nonces are stored in a sparse bitmap for space-efficient storage.

[franciscoaguirre]

You're not charging the delivery fee here, is that intended?
I know this fee should be included in the relayer reward, but that's because it's charged here, right? Else it's just more reward for the relayer.

[claravanstaden]

@yrong @vgeddes the delivery fee is charged from the BridgeHub sovereign account, right? Do we need to deduct it from the relayer account on BH?

[yrong]

I prefer to deduct it from the relayer account. Ideally in V2 we don't need to prefund BridgeHub sovereign account any more.

UI can estimate it off-chain with the runtime api

[acatangiu]

During v2 design I remember we found alternatives to remove all cases where v1 uses BH/AH SA accounts for covering costs.

So yes, let's charge the relayer directly. Either charge their account or better UX would be to subtract from the reward.

[vgeddes]

Good catch Francisco. @claravanstaden this delivery fee needs to be deducted from the relayer's account.

Its the responsibility of the user initiating the bridge transfer to provide a relayer reward that covers the delivery fee.

[vgeddes]

Also the delivery fee also needs to be included in the fee returned by the dry-run API

[vgeddes]

Fixed in 6f769cc

Delivery fee is deducted from relayers account on BH.

[franciscoaguirre]

/cmd fmt

[franciscoaguirre]

When will this be uncommented? Do we need to create a tracking issue?

[claravanstaden]

The reward functionality is added in #6578. Once that is merged, we can uncomment this. Added tracking issue: #7356

[vgeddes]

In the interim, I've added a dummy trait until the new pallet is ready: 6f769cc

[acatangiu]

Suggested change

	Reads messages from Ethereum and sends it to intended destination on Polkadot, using XCM.
	Reads messages from Ethereum and sends them to intended destination on Polkadot, using XCM.

This could also use more details like architecture overview, APIs, usage patterns, etc.

[acatangiu]

please also add at least some example(s) - how it can/should be used

[acatangiu]

I only see the submit() cost here, where is the "XCM execution prologue fee" added?

[vgeddes]

Turns out this runtime api implementation was incorrect. We don't need to estimate any fees here, since there are already other runtime-apis that can estimate the cost of calling submit()

Instead we actually only need a runtime api to convert the inbound message to an XCM that can be dry-run on AH.

New implemention in 6f769cc where is renamed to convert_message

[acatangiu]

you can replace this fn with a bound on AccountIdOf<T>: Into<Location> as convertors already exist.

[acatangiu]

During v2 design I remember we found alternatives to remove all cases where v1 uses BH/AH SA accounts for covering costs.

So yes, let's charge the relayer directly. Either charge their account or better UX would be to subtract from the reward.

[acatangiu]

I personally found this file confusing/obfuscating.

I would rather define pub type Nonce<T> = SparseBitmapImpl<crate::NonceBitmap<T>>; in the main inbound-queue-v2/src/lib.rs file where NonceBitmap<T> is also defined.

Seeing how this file doesn't define other types needed externally, it could then be dropped.

[acatangiu]

Suggested change

	/// The nonce of the message been processed or not
	/// StorageMap used for encoding a [SparseBitmapImpl](<link-to-SparseBitmapImpl-file>) that tracks whether a specific nonce has been processed or not. Message nonces are unique and never repeated.

[acatangiu]

any error will in practice revert/rollback storage changes, but let's be paranoid and mark nonce as processed only on certainty of success:

Suggested change

	// Set nonce flag to true
	log::info!(target: "snowbridge-inbound-queue:v2","💫 setting nonce to {:?}", envelope.nonce);
	Nonce::<T>::set(envelope.nonce.into());
	// Attempt to forward XCM to AH
	let message_id = Self::send_xcm(xcm, T::AssetHubParaId::get())?;
	// Attempt to forward XCM to AH
	let message_id = Self::send_xcm(xcm, T::AssetHubParaId::get())?;
	// Set nonce flag to true
	log::info!(target: "snowbridge-inbound-queue:v2","💫 setting nonce to {:?}", envelope.nonce);
	Nonce::<T>::set(envelope.nonce.into());

[vgeddes]

fixed in 6f769cc

[claravanstaden]

@yrong mentioned if we increment the nonce after the send we risk re-entrancy attacks.

[acatangiu]

maybe add another attempt here after the successful one and verify nonce verification fails

[acatangiu]

can we move these weights under mock.rs or tests.rs? I don't want them to be usable outside of tests.

[acatangiu]

this is not used anywhere in this PR

you should call it in inbound_queue_v2::submit() before or within Self::send_xcm()

it could also be used in inbound-queue-v1 and you can remove old fn burn_fees()

[vgeddes]

Good catch, this was obsolete code. Deleted in 33f8e6d

In V2, we don't need to burn any asset for teleporting. No sovereign accounts, etc.

[acatangiu]

yes, with fees paid exclusively using eth, there are no more teleports involved so no need to locally burn anything on BH

[acatangiu]

another note about it:

since it is defined in primitives, maybe make it less opinionated:

Suggested change

	/// Burns the fees embedded in the XCM for teleports.
	pub fn burn_fees<AssetTransactor, Balance>(dest: Location, fee: Balance) -> DispatchResult
	/// Burns the fees embedded in the XCM for teleports.
	pub fn burn_assets_for_teleport<AssetTransactor>(dest: Location, assets: Assets) -> DispatchResult

this way you can use it for various types of asset(s)

[acatangiu]

you don't need to take direct dependency to penpal-emulated-chain here, it is already included in rococo-westend-system-emulated-network

[acatangiu]

Suggested change

	use penpal_emulated_chain::PARA_ID_B;
	use rococo_westend_system_emulated_network::penpal_emulated_chain::PARA_ID_B;

[acatangiu]

This should be benchmarked eventually, but it's fine like this for Westend - it will get benchmarked outside of this PR at a later point

[acatangiu]

this is not used anywhere

Suggested change

pub WethAddress: H160 = H160(hex_literal::hex!("fff9976782d46cc05630d1f6ebab18b2324d6b14"));

[acatangiu]

can you add more info here? what is the full value of the assets?

There's an assets field above that can hold arbitrary number of different tokens with arbitrary amounts of each.
Is that field related to this value: u128 field? If yes, how? What is the relationship between them? If not, then what is this value?

pseudo-random guess: does it represent an estimate of the eth value of all assets above?

[vgeddes]

Oops, that comment is very incorrect - I should have picked it up in my reviews.

message.value is the amount of native ether that was bridged from Ethereum.

message.assets holds other kind of assets, ERC20, NFTs, etc.

[acatangiu]

Suggested change

	let xcm_string = hex::encode(message.xcm.clone());
	log::info!(target: LOG_TARGET,"found xcm payload: {:x?}", xcm_string);

[acatangiu]

failing this should fail the whole conversion, no?

short-form suggestion:

Suggested change

	if let Ok(versioned_xcm) = VersionedXcm::<()>::decode_with_depth_limit(
	MAX_XCM_DECODE_DEPTH,
	&mut message.xcm.as_ref(),
	) {
	if let Ok(decoded_xcm) = versioned_xcm.try_into() {
	message_xcm = decoded_xcm;
	} else {
	log::error!(target: LOG_TARGET,"unable to decode xcm");
	}
	} else {
	log::error!(target: LOG_TARGET,"unable to decode versioned xcm");
	}
	if let Ok(decoded_xcm) = VersionedXcm::<()>::decode_with_depth_limit(
	MAX_XCM_DECODE_DEPTH,
	&mut message.xcm.as_ref(),
	).map(|versioned_xcm| versioned_xcm.try_into()) {
	message_xcm = decoded_xcm;
	} else {
	let xcm_string = hex::encode(message.xcm);
	log::debug!(target: LOG_TARGET, "unable to decode xcm: {:x?}", xcm_string);
	return Err(ConvertMessageError::InvalidXcm);
	}

[claravanstaden]

@acatangiu should we not rather fail silent on invalid xcm, so that assets can be trapped on AH? Otherwise the funds will be locked on Ethereum but not claimable on Polkadot. This was @alistair-singh 's idea.

[acatangiu]

Suggested change

	log::info!(target: LOG_TARGET,"xcm decoded as {:?}", message_xcm);
	log::trace!(target: LOG_TARGET,"xcm decoded as {:?}", message_xcm);

[acatangiu]

nit:

Suggested change

	let fee_asset = Location::new(2, [GlobalConsensus(EthereumNetwork::get())]);
	let fee_asset_id = Location::new(2, [GlobalConsensus(EthereumNetwork::get())]);

[acatangiu]

rather than InboundQueuePalletInstance: Get<u8> as generic on this fn, I would use the full location InboundQueueLocation: Get<InteriorLocation> and here:

Suggested change

	DescendOrigin(PalletInstance(InboundQueuePalletInstance::get()).into()),
	DescendOrigin(InboundQueueLocation::get()),

[acatangiu]

yes, not clear if we should fail the whole thing or just continue with default claimer...

[acatangiu]

I have an idea of a more general solution for any type of failures on inbound queue that are caused by protocol incompatibilities (bridge's fault, not the user's):

the inbound queue verifies the authenticity and exact validity of the message through the prover, so if it fails on some decoding step we can consider the message invalid, it will always fail, and hopefully we can revert it the Ethereum side.
So maybe we can mark it in some other InvalidMessage: SparseBitmap storage item or simply emit an InvalidMessage(nonce) event that can be proved back to Ethereum so that it can be rolled back there in case of these kinds of bridge protocol issues.

This is a further enhancement idea to be done outside of this PR, but worth exploring.

[vgeddes]

This makes sense 👍

[claravanstaden]

Same comment as here: #6697 (comment) It might be better to allow the invalid claimer, so that the funds can be trapped on AH.

The future improvement sounds cool!

[acatangiu]

why is the claimer just a Junction / InteriorLocation? seems like a gratuitous limitation. You should leave it as full Location specifiable on Ethereum side.

Could be a local account (just a Junction like now) or it could be a remote location that will be derived into a sov acc.

[acatangiu]

TODO what? :)

[acatangiu]

using instructions.push() for each of the appendix elements would avoid allocating another intermediary appendix vec

[acatangiu]

Suggested change

pub AssetHubLocation: InteriorLocation = Parachain(1000).into();

[acatangiu]

Suggested change

	let instructions = vec![
	DepositAsset { assets: Wild(AllCounted(1).into()), beneficiary },
	let instructions = vec![
	RefundSurplus,
	DepositAsset { assets: Wild(AllCounted(1).into()), beneficiary },

[acatangiu]

nice test! please also add checks for the inner xcm instructions being included

[acatangiu]

why use this account as the token admin?

this account is AH's sov acc as derived on BH (has meaning of SA in BH context); then this is used as local account on AH (account has no meaning on AH, it's just a "random account").

[acatangiu]

you can drop this function and use this existing one instead

[acatangiu]

check asset id - also check for all assets

example here how to use this macro to also check inner values

[acatangiu]

check for all assets including their IDs

[acatangiu]

you should just make ETH (and maybe WETH) part of AH genesis for these tests and not have to register for every test: e.g.

polkadot-sdk/cumulus/parachains/integration-tests/emulated/chains/parachains/assets/asset-hub-westend/src/genesis.rs

Line 78 in 698d9ae

assets: vec![

[acatangiu]

Suggested change

	let instructions = vec![DepositAsset { assets: Wild(AllCounted(2)), beneficiary }];
	let instructions = vec![RefundSurplus, DepositAsset { assets: Wild(AllCounted(2)), beneficiary }];

[acatangiu]

why is it burned from ethereum_sovereign?

[claravanstaden]

@yrong correct me if I am wrong, but Polkadot native assets are locked in the Ethereum sovereign account, and when sent back to Ethereum it is then burnt.