-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
light: set DefaultTrustLevel
from 1/3 to 2/3
#9290
Comments
Hmm not sure. Typically users run the Relayer users can also create IBC clients individually with specific security parameters eg they could do
This is true depending on the channel traffic conditions. 10% of channels in production (related to DExes) might have traffic every O(1) blocks, but the majority of channels are less heavy in traffic (once every hour or less).
I agree with this (there is extra security due to a larger overlap) and likely no additional cost of extra messages assuming the channel is indeed high traffic. Not sure how I would quantify that security though, and how to think of its importance in the broader context of the other security parameters (trusting period, clock drift). |
In the go relayer we use the default set by tendermint and will follow whatever the team decides here. https://github.com/cosmos/relayer/blob/main/relayer/chains/cosmos/tx.go#L1063 |
Thanks for your responses @adizere and @jackzampolin.
Is the default level in Hermes just copied from Tendermint or was there another reason for the choice?
Perhaps it might be helpful to do some concrete research around this but I'd assume that chains (even across an entire day) wouldn't experience validator voting power turnover in excess of 1/3. This means all client updates can happen in a single message (actually is it possible to just have multiple update client messages in a single transaction?)
Trust period and clock drift are less directly attributable to security. Trust period which is modelled around the unbonding period merely indicates how long a client can go without being updated before it loses the additional security of being able to punish the malevolent validators. Clock drift, AFAIK, is tweaked to improve latency. Too short of a clock drift and if one chain drifts with respect to another, messages will take longer to be bridged across. Too long of a clock drift and relayers that want to challenge a fraudulent header need to wait longer before being able to send the conflicting header. As a question, how does IBC handle weak subjectivity i.e. how are clients first initialised? - can they be challenged if I were to use a fraudulent header? |
I doubt we copied it from Tendermint codebase, but possibly we copied it from the light client specs. One reason we choose it is also likely because its the optimal value (intuitivelly, this is the smallest value that provides the same security as the consensus core algorithm).
The relayer pulls a header from a trusted RPC node of the counterparty chain and uses that header to create the client. Does your question refer to some specific detail of initialization?
I don't think so. If the client is initialized with a fraudulent header, then I only know of one way to "challenge" or "fix it" -- run misbheavior detection, freeze the client, then recover the client via gov proposal.
I think this makes sense. Two remarks:
|
I could write a tool to grep chain validator sets and try measure the rate of change. I need to think what's the best way to represent the degree with which validator sets change. |
Summary
An important parameter in the light client verification algorithm is the
TrustLevel
. InVerifyNonAdjacent
, this parameter specifies the minimum acceptable overlap in validator voting power from a trusted validator set to the validator set at the height of the header being verified (untrusted validator set).The
TrustLevel
is a fraction that must be between 1/3 and 1. Below 1/3 infringes on Tendermint's security guarantees. We currently set the default at the lower bound of 1/3.More practically, relayers use this default when submitting IBC transactions to create a new client. We should have a default that tends to a more secure setup than a less secure setup. In the case of IBC, where transactions to update the client are submitted very frequently (every 1 to 10 blocks), observing a 2/3 overlap is extremely common and thus with this change, chains get the upside of extra security without slowing down ibc tx latency by requiring multiple messages.
In the case of a light node which is used to verify transactions within a in-browser wallet at the frequency of once a week, having a 1/3 trust level is likely to be notably quicker than 2/3, hence why users may want a less secure verification option.
For further information, there is very little (or potentially even no) gain to setting a
TrustLevel
above 2/3. At that point of control of the chain, a multitude of other attack vectors appear.Proposal
We should change the default to 2/3. This is a breaking change. It should be done in a minor release with adequate communication.
cc Susannah (@womensrights)
The text was updated successfully, but these errors were encountered: