Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disclosure log to record ICS3 liveness problems #83

Merged
merged 10 commits into from
Jul 3, 2020
Merged

Disclosure log to record ICS3 liveness problems #83

Changes from 3 commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
3294a43
Added disclosure log with 2 items.
adizere Jun 2, 2020
ebe97ec
Fixed deadlock confusion; more details for each record
adizere Jun 15, 2020
8c6ff3f
More explanation for the second record in the disclosure log
adizere Jun 15, 2020
4653f0c
Apply suggestions from code review
adizere Jun 15, 2020
76029a5
More thorough explanation and aligned record 2 with the default TLA+ …
adizere Jun 23, 2020
2a84438
Aligned the trace w/ the most recent version of the spec.
adizere Jun 25, 2020
19e9186
Apply suggestions from code review
adizere Jul 1, 2020
6e4c1ad
Update docs/disclosure-log.md
adizere Jul 1, 2020
c3115aa
Removed explicit reference to proofs (at h-1 vs. h) from item 2.
adizere Jul 1, 2020
1fa60bc
Update docs/disclosure-log.md
adizere Jul 2, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 38 additions & 0 deletions docs/disclosure-log.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
# Disclosure Log for IBC Protocols

This document is a record of all the bugs or issues we uncovered while specifying & formally verifying the IBC protocols.


##### 1. ICS3 liveness problem due to ICS018 relayer algorithm

The algorithm for relaying connection handshake datagrams of type `ConnOpenTry`does not handle the situation when both chains are in state `INIT`.
The current relayer algorithm in [ICS018](https://github.com/cosmos/ics/tree/master/spec/ics-018-relayer-algorithms) specifies that the `ConnOpenTry` datagram should be relayed only if one of the chains is in state `INIT` and the other chain is uninitialized (see the snippet below); this is not enough for guaranteeing liveness of the connection handshake protocol (ICS04).

```
if (localEnd.state === INIT && remoteEnd === null)
```

The correct code should include both the cases when a single chain is in state `INIT`, as well as the case when both chains are in state `INIT`, as specified here: [Relayer.tla](https://github.com/informalsystems/ibc-rs/blob/master/docs/spec/relayer/Relayer.tla#L174)
This fix only concerns the relayer algorithm ICS018.

###### Channel handshake (ICS4) liveness problem

The same issue (and fix) seems to exist for the channel handshake datagrams.

##### 2. ICS3 liveness problem due to `UpdateClient` semantics

Related issues: [#71](https://github.com/informalsystems/ibc-rs/issues/71) and [#61](https://github.com/informalsystems/ibc-rs/issues/61).

Code for obtaining an execution trace in TLA+: [#73](https://github.com/informalsystems/ibc-rs/pull/73).
Briefly, this trace comprises the following sequence of actions, assuming two chains `A` and `B` and a relayer (as a simplification, the chains in this model are in charge of creating messages, a responsibility that the relayer typically implements):
adizere marked this conversation as resolved.
Show resolved Hide resolved


0. Chain `A` creates a message `M` that has a proof for height `h`, chain `A` also advances its height to `h+1`.
adizere marked this conversation as resolved.
Show resolved Hide resolved

1. The relayer updates the client on chain `B` with the latest height of chain A, namely `h+1` (call to `UpdateClient`).
adizere marked this conversation as resolved.
Show resolved Hide resolved

2. The relayer sends message `M` that chain `A` created (at step 0) to chain B, and also attempt to update the client on chain `B` with height `h` (the height in the proof of this message), but is unable to do so because `h` is smaller than `h +1` (the latest height of client on chain B).
adizere marked this conversation as resolved.
Show resolved Hide resolved

3. Chain `B` will be unable to verify message `M` since it lacks the adequate height information `h`, so chain `B` will drop this message, hence ICS3 can no longer progress.
adizere marked this conversation as resolved.
Show resolved Hide resolved

For the full details of this trace, see the [README.md](https://github.com/informalsystems/ibc-rs/blob/e33f32db95314461d18fbdb13574ddeabafedad4/verification/spec/connection-handshake/updateclient-deadlock/README.md) within #73.