Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

XDM: Permissioned channels - 1 #2602

Merged
merged 6 commits into from
Mar 14, 2024
Merged

XDM: Permissioned channels - 1 #2602

merged 6 commits into from
Mar 14, 2024

Conversation

vedhavyas
Copy link
Contributor

This PR introduces permissioned channels as described in this spec here - Permissioned channels

This is an invasive PR that changes how channels are opened between Chains. Whenever user initiates the channel, the src_chain will reject if the dst_chain is not in the allowed channel list. Once the dst_chain is in the allowed list, user can initiate a channel. When the message is relayed to dst_chain, if the dst_chain's allow list does not have the src_chain, then the transaction is not included. This brings a scenario where relayer will continue to gossip the transaction and txn will be dropped from the pool until dst_chain allowlist is updated.
There is potential DDOS where user can initiate multiple channels to dst_chain and all of them ends up failing since dst_chain allowlist is not updated.

This scenario does not exist for now since I have not removed the Sudo user call for all the operations including domain owner which is also a sudo user.

I'll be giving a second PR that would handle the above issue by making the channel initiation economincally not viable. That will be done with following upcoming changes

  • Remove sudo call for channel initiation and channel close so that anyone can initiate a channel
  • Ensure the funds are reserved when a user initiates a channel
    • If the dst_chain does not have the src_chain in the allow list, user funds will be locked and will not recoverable until dst_chain's allow list is updated. This will ensure, users will not be able to do a conitnuous attack of intiating channels
    • Once the channel is open, channel owner can choose to close the channel and get their reserved funds back

Once the second PR is in, Sudo is only required to open channel from consensus chain and to update consensus chain's allow list.
For the domains, domain owner can update the Domain's allowlist through consensus chain and then anyone can procced to open the channel.

Code contributor checklist:

@vedhavyas vedhavyas added the audit Audit results label Mar 11, 2024
@vedhavyas

This comment was marked as outdated.

Sign in to view
@vedhavyas
define Chainallowlist storage, Calls to update the storage for consen…
ea01965 
…sus and domain, and necessary traits

traits are used in the coming commits
@vedhavyas
define storage and runtime call to initiate chain allow list update o…
8bf19ed 
…n consensus chain for the given domain by domain owner
@vedhavyas
update domain operator's inherent providers to include domain allowli…
010a756 
…st updates and a minor cleanup to MessengerApi
@vedhavyas
update domain extrinsics root fraud proof to include domain chain all…
3227da2 
…owlist extrinsic during verification
@vedhavyas
use ChainAllowlist storage to check if the chain is allowed to open a…
be5cd00 
… channel. Also fixes a small discrepency with inherent extrinsics order
NingLin-P
NingLin-P reviewed Mar 13, 2024
View reviewed changes
Copy link
Member

@NingLin-P NingLin-P left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Make sense! just one nit.

crates/sp-domains-fraud-proof/src/verification.rs
Comment on lines -126 to +135
// `domain-block-preprocessor::CreateInherentDataProvider`
// pallets order defined in `construct_runtime` macro for domains.
// currently this is the following order
// - timestamp extrinsic
// - executive set_code extrinsic
// - messenger update_domain_allowlist extrinsic
// - block_fees transaction_byte_fee_extrinsic
// since we use `push_front` the extrinsic should be pushed in reversed order
// TODO: this will not be valid once we have a different runtime. To achive consistency across
// domains, we should define a runtime api for each domain that should order the extrinsics
// like inherent are derived while domain block is being built
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch!

domains/primitives/messenger/src/lib.rs Outdated Show resolved Hide resolved
@vedhavyas vedhavyas added this pull request to the merge queue Mar 14, 2024
Merged via the queue into main with commit 7c9da56 Mar 14, 2024
11 checks passed
@vedhavyas vedhavyas deleted the permissioned_channels branch March 14, 2024 11:05
@dariolina dariolina mentioned this pull request Mar 29, 2024
Closed
@vedhavyas vedhavyas added need to audit This change needs to be audited and removed audit Audit results labels Apr 5, 2024
@vanhauser-thc vanhauser-thc added audited This change was audited and removed need to audit This change needs to be audited labels Jun 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@NingLin-P NingLin-P NingLin-P approved these changes

@nazar-pc nazar-pc Awaiting requested review from nazar-pc nazar-pc is a code owner

@rg3l3dr rg3l3dr Awaiting requested review from rg3l3dr rg3l3dr is a code owner

Assignees
No one assigned
Labels
audited This change was audited
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@vedhavyas @NingLin-P @vanhauser-thc