feat(sequencer, bridge-withdrawer)!: enforce withdrawals consumed#1391
feat(sequencer, bridge-withdrawer)!: enforce withdrawals consumed#1391
Conversation
github-actions
bot
added
proto
joroshiba
force-pushed
the
joroshiba/start-event-consumption
branch
from
7a1c32c to
64bcc9a
Compare
Fraser999
left a comment
Fraser999
left a comment
There was a problem hiding this comment.
Mostly nitpicks, but one issue in bridge/state_ext.rs causing the rollup block height to not be parsed correctly. Not blocking the PR though since the actual value isn't critical to the flow, only whether it exists in storage or not.
| ensure!(self.timeout_time() != 0, "timeout time must be non-zero",); | ||
| ensure!(self.amount() > 0, "amount must be greater than zero",); | ||
| if self.bridge_address.is_some() { | ||
| let parsed_bridge_memo: Ics20WithdrawalFromRollupMemo = |
There was a problem hiding this comment.
We're JSON-encoding a PB version of this type, whereas here we're decoding straight into our domain type. The serde try_from = "raw::Ics20WithdrawalFromRollup" on the domain type handles that ok, but I still keep feeling uneasy when I see this.
There was a problem hiding this comment.
I could either remove the domain type or modify the serialization on the other end, it uses the pb::name property when serializing for errors which is why it uses the raw type
There was a problem hiding this comment.
It's certainly not a blocker, and maybe I'm being overly pedantic. But I guess I'd prefer if the domain type didn't derive serde traits, forcing us to always use the pb type for encoding to/decoding from JSON, and we use the domain type in the business logic.
No probs if you prefer to leave as is - I think we're doing similar things elsewhere. We can always try and get more strict on the separation of pb and domain types in the future.
There was a problem hiding this comment.
I went ahead and went back to how the memos were defined in domain type as reexporting, less code changes here a bit cleaner I think.
There was a problem hiding this comment.
IMO this check_stateless (and the other deseriailzation in check_and_execute) shows that using validated domain types that establish invariants is preferable over doing the validation here.
There was a problem hiding this comment.
I have created an issue here for follow up
Co-authored-by: Fraser Hutchison <190532+Fraser999@users.noreply.github.com>
SuperFluffy
left a comment
SuperFluffy
left a comment
There was a problem hiding this comment.
Everything in this PR seems fine. I am still blocking this because I am uneasy about the keys used to put the events into state (see the comment there).
proto/protocolapis/astria/protocol/transactions/v1alpha1/types.proto
Outdated
Show resolved
Hide resolved
| #[async_trait::async_trait] | ||
| impl ActionHandler for BridgeUnlockAction { | ||
| async fn check_stateless(&self) -> Result<()> { | ||
| ensure!(self.amount > 0, "amount must be greater than zero",); |
There was a problem hiding this comment.
What would be so bad if it was 0?
There was a problem hiding this comment.
It's just kinda pointless? I would prefer not wasting compute time on pointless actions :)
| ensure!(self.timeout_time() != 0, "timeout time must be non-zero",); | ||
| ensure!(self.amount() > 0, "amount must be greater than zero",); | ||
| if self.bridge_address.is_some() { | ||
| let parsed_bridge_memo: Ics20WithdrawalFromRollupMemo = |
There was a problem hiding this comment.
IMO this check_stateless (and the other deseriailzation in check_and_execute) shows that using validated domain types that establish invariants is preferable over doing the validation here.
SuperFluffy
left a comment
SuperFluffy
left a comment
There was a problem hiding this comment.
Discussed offline: BridgeUnlockAction::check_and_execute contains a check that no event with a given ID was previously processed, so a second action would not be able to overwrite the first. That addresses my issue.
Approving.
Co-authored-by: Richard Janis Goldschmidt <github@aberrat.io>
Co-authored-by: Richard Janis Goldschmidt <github@aberrat.io>
* main: chore: ibc e2e smoke test (#1284) chore(metrics): restrict `metrics` crate usage to `astria-telemetry` (#1192) fix(charts)!: sequencer-relayer chart correct startup env var (#1437) chore(bridge-withdrawer): Add instrumentation (#1324) chore(conductor): Add instrumentation (#1330) fix(cli, bridge-withdrawer): dont fail entire block due to bad withdraw event (#1409) feat(sequencer, bridge-withdrawer)!: enforce withdrawals consumed (#1391)
) ## Summary Adds state for bridge events and consumes the events as they occur. Updates proto for bridge unlock to no longer use memo for rollup information and instead include on main action. Renames `rollup_transaction_hash` to `rollup_withdrawal_event_id`. ## Background There was only implicit stop against reusing a withdrawal event, this adds consumption of withdrawal events. While this is not strictly security enhancing, consuming the event adds in protocol protection against accidental double spend by the bridge operator. ## Changes - Proto updates for `BridgeUnlockAction` + `ICS20WithdrawalMemo` - Add stateless checks on bridging unlock and withdrawals of correct information filled out - Added state to enforce rollup event cannot be consumed twice. - Enforce that `Ics20WithdrawalAction` must have `bridge_address` set if making a bridge withdrawal ## Testing smoke test + minor test updates ## Breaking Changelist - New stateful information about rollup withdrawal events - Adds new fields to `BridgeUnlockAction` ## Related Issues closes #1430 --------- Co-authored-by: Fraser Hutchison <190532+Fraser999@users.noreply.github.com> Co-authored-by: Richard Janis Goldschmidt <github@aberrat.io>
) ## Summary Adds state for bridge events and consumes the events as they occur. Updates proto for bridge unlock to no longer use memo for rollup information and instead include on main action. Renames `rollup_transaction_hash` to `rollup_withdrawal_event_id`. ## Background There was only implicit stop against reusing a withdrawal event, this adds consumption of withdrawal events. While this is not strictly security enhancing, consuming the event adds in protocol protection against accidental double spend by the bridge operator. ## Changes - Proto updates for `BridgeUnlockAction` + `ICS20WithdrawalMemo` - Add stateless checks on bridging unlock and withdrawals of correct information filled out - Added state to enforce rollup event cannot be consumed twice. - Enforce that `Ics20WithdrawalAction` must have `bridge_address` set if making a bridge withdrawal ## Testing smoke test + minor test updates ## Breaking Changelist - New stateful information about rollup withdrawal events - Adds new fields to `BridgeUnlockAction` ## Related Issues closes #1430 --------- Co-authored-by: Fraser Hutchison <190532+Fraser999@users.noreply.github.com> Co-authored-by: Richard Janis Goldschmidt <github@aberrat.io>
3 participants
Summary
Adds state for bridge events and consumes the events as they occur. Updates proto for bridge unlock to no longer use memo for rollup information and instead include on main action. Renames
rollup_transaction_hashtorollup_withdrawal_event_id.Background
There was only implicit stop against reusing a withdrawal event, this adds consumption of withdrawal events. While this is not strictly security enhancing, consuming the event adds in protocol protection against accidental double spend by the bridge operator.
Changes
BridgeUnlockAction+ICS20WithdrawalMemoIcs20WithdrawalActionmust havebridge_addressset if making a bridge withdrawalTesting
smoke test + minor test updates
Breaking Changelist
BridgeUnlockActionRelated Issues
closes #1430