-
Notifications
You must be signed in to change notification settings - Fork 341
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
refactor(lightclient): removed the need for next stateInfo for valiadition #1467
base: main
Are you sure you want to change the base?
refactor(lightclient): removed the need for next stateInfo for valiadition #1467
Conversation
#1406) Co-authored-by: keruch <53012408+keruch@users.noreply.github.com> Co-authored-by: zale144 <aleksandar.sukovic@gmail.com> Co-authored-by: Daniel T <30197399+danwt@users.noreply.github.com> Co-authored-by: Omri <omritoptix@gmail.com> Co-authored-by: Sergi Rene <sergi@dymension.xyz> Co-authored-by: Itzhak Bokris <jzak300@gmail.com>
Co-authored-by: danwt <30197399+danwt@users.noreply.github.com>
refactor canonical client check
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The cleanups are great, but the bit about iterating descending doesn't make sense.
dymension/x/lightclient/keeper/canonical_client.go
Lines 97 to 125 in 1deed9f
IterateConsensusStateDescending(csStore, func(h exported.Height) bool { | |
// skip future heights | |
if h.GetRevisionHeight() >= maxHeight { | |
return false | |
} | |
// iterate until we pass the fraud height | |
if h.GetRevisionHeight() < minHeight { | |
return true // break | |
} | |
consensusState, ok := k.ibcClientKeeper.GetClientConsensusState(ctx, clientID, h) | |
if !ok { | |
return false | |
} | |
tmConsensusState, ok := consensusState.(*ibctm.ConsensusState) | |
if !ok { | |
return false | |
} | |
err = k.ValidateUpdatePessimistically(ctx, sInfo, tmConsensusState, h.GetRevisionHeight()) | |
if err != nil { | |
err = errorsmod.Wrapf(err, "validate pessimistic h: %d", h.GetRevisionHeight()) | |
return true // break | |
} | |
atLeastOneMatch = true | |
return true // break | |
}) |
You're only checking the consensus states with heights in the state info, which isn't right. I'm sorry I should've thought about it more when you initially asked me on slack.
Now it's not secure; why? Because there can be invalid consensus states below the ones you check, which are opening a security hole by having a wrong nextValidatorsHash.
We need to iterate through all the consensus states and check that they're valid. In fact, we just need to check that there is a valid prefix . The reason it was implemented the way it was to begin with was because it's just simpler: if we check all up to and including the ones in the state info, then (in the previous design where a mismatch in state update would automatically trigger fraud handler) then we would be guaranteed to catch a wrong one.
I would really suggest to just keep it as it was before. You can still change it to be an iterator though (I think why Spoorthi made it fetch all before was because iterator was not publicly exposed).
The rest of the PR is good
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1467 +/- ##
==========================================
- Coverage 22.69% 22.69% -0.01%
==========================================
Files 575 575
Lines 124579 124516 -63
==========================================
- Hits 28273 28257 -16
+ Misses 92528 92494 -34
+ Partials 3778 3765 -13 ☔ View full report in Codecov by Sentry. |
x/lightclient/ante/ibc_msg_update_client.go:
DRY state update callback:
FIX:
iterate over the state info heights instead