feat(attester): IBC-compatible attester overlay with signed votes #392
Draft
…idation
- Add consensus_address field (field 4) to AttesterInfo proto and regenerate pb.go
- Add types/attester.go with NewAttesterInfo, GetPubKey, and UnpackInterfaces helpers
- Rewrite InitGenesis to materialise AttesterInfo, AttesterSet, ValidatorIndex, and ValidatorPower from genesis attester_infos, sorted by pubkey address ascending to match CometBFT NewValidatorSet ordering; enforce pubkey/address match
- Rewrite ExportGenesis to round-trip attester_infos; ValidatorIndices no longer exported
- Add keeper/genesis_test.go covering load, mismatch rejection, and export round-trip
Wire verifyVote into the Attest handler so every attestation is cryptographically verified. Remove the SIGN_MODE_CHECKPOINT gate (every height is now attestable) and the MinVoteLen constant (superseded by the full proto decode + signature check inside verifyVote). Update TestAttestHeightBounds to seed attesters directly via keeper calls and build properly signed votes via signTestVote. Update TestAttest and TestAttestVotePayloadValidation similarly.
Both handlers now return ErrInvalidRequest with "attester set changes disabled" since the set is fixed at genesis. Remove MaxAttesters const which was only enforced at join time.
…d quorum gate
Add AttesterSet RPC to the network query service so getCommitForHeight can build a cmttypes.Commit that 07-tendermint accepts: one entry per validator in canonical index order, BlockIDFlagAbsent for non-signers, and a hard refusal to serve until more than 2/3 of the set has signed.
…ommitLight
Add AddGenesisAttester post-init hook that writes one AttesterInfo entry to app_state.network.attester_infos using the node's ed25519 consensus pubkey and the operator address from the validator keyring entry. Wire the hook into getGmChain so the attester set is populated before genesis is finalized. Without this, MsgAttest rejects votes from unregistered keys and LastAttestedHeight stays 0, breaking Hermes IBC client creation. After the attester starts, wait for the chain to reach height 10 and assert that VerifyCommitLight passes on the fetched commit as an early failure signal before Hermes setup.
…l (prefix-agnostic)
Attesters previously could sign a well-formed cmtproto.Vote over an arbitrary BlockID.Hash — the signature self-verified and the bitmap bit was set, but the reconstructed commit failed 07-tendermint VerifyCommitLight on IBC counterparties. verifyVote now fetches the canonical BlockID from the adapter store via a new BlockIDProvider interface, rejecting mismatches. Provider is wired post-depinject via an app-side networkKeeperBlockIDWirer; if unwired, verification fails closed. Includes regression tests for mismatched and unwired-provider paths.
Remove unused perHeightBlockIDProvider helper and extra blank line flagged by gci/unused.
Summary
genesis) signs each block's cmtproto.Vote; the ABCI adapter reconstructs a cmttypes.Commit that a 07-tendermint light client verifies via VerifyCommitLight on counterparty chains.
MsgAttest and pin vote.BlockID.Hash to the sequencer's stored block hash, preventing attester-forged-BlockID attacks.
pkg/rpc/core/blocks.go: ordered by validator address, BlockIDFlagAbsent for non-signers, 2/3 voted-power quorum gate.
server/attester_cmd.go) signs every block with the ed25519 consensus key, derives the consensus address correctly, and fetches latest height via /block (not /status, which returns 0 in attester mode).
MsgJoinAttesterSet/MsgLeaveAttesterSet; the set is genesis-fixed for this iteration.
VerifyCommitLight passes on an attested commit and exercises bidirectional ICS20 transfers.
Notable details
GenesisState.UnpackInterfaces implemented so Any-typed pubkeys resolve after JSON unmarshaling.
(prefix-agnostic bech32) to tolerate celestia/cosmos prefix drift.
BlockIDProvider wired post-adapter-creation via the app-side networkKeeperBlockIDWirer interface; the integration-test app.go patch injects SetNetworkKeeperBlockIDProvider automatically.
Known limitations
Celestia v4's tokenfilter IBC middleware rejects non-utia inbound — counterparty policy, not an attester-system bug. Follow-up: convert to assert the expected ack-error, or revert.
(each attester stamps votes from its own /block read) is not exercised.
couple of tests, `GenesisState.Validate()` doesn't check `AttesterInfos`, CLI still registers disabled tx subcommands. Non-blocking for this draft.
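The BlockID pinning described for verifyVote above, as an added Go example that is not the PR's code: a vote whose signature self-verifies over a forged hash is still rejected, and an unwired provider fails closed. The BlockHash method, the Vote struct, mapProvider and the signBytes encoding are assumptions standing in for the project's BlockIDProvider, cmtproto.Vote and CometBFT's canonical sign bytes.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// BlockIDProvider is the interface name from the PR; this method is assumed.
type BlockIDProvider interface{ BlockHash(height int64) []byte }
// mapProvider is a constructed in-memory store: height -> canonical block hash.
type mapProvider map[int64][]byte
func (m mapProvider) BlockHash(h int64) []byte { return m[h] }

// Vote is a simplified stand-in for cmtproto.Vote.
type Vote struct {
	Height               int64
	BlockHash, Signature []byte
}
var (
	ErrUnwired  = errors.New("block ID provider not wired")
	ErrBadSig   = errors.New("vote signature invalid")
	ErrMismatch = errors.New("vote block hash differs from stored block hash")
)

// signBytes is a constructed encoding, not CometBFT's canonical sign bytes.
func signBytes(chainID string, v Vote) []byte { return []byte(fmt.Sprintf("%s|%d|%x", chainID, v.Height, v.BlockHash)) }

// verifyVote checks the signature, then pins the hash to the stored one.
func verifyVote(p BlockIDProvider, chainID string, pub ed25519.PublicKey, v Vote) error {
	if p == nil { // fail closed when the provider was never wired
		return ErrUnwired
	}
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, signBytes(chainID, v), v.Signature) {
		return ErrBadSig
	}
	if want := p.BlockHash(v.Height); len(want) == 0 || !bytes.Equal(want, v.BlockHash) {
		return ErrMismatch
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	v := Vote{Height: 5, BlockHash: []byte("forged")} // constructed: hash the store never held
	v.Signature = ed25519.Sign(priv, signBytes("test-chain", v))
	fmt.Println(verifyVote(mapProvider{5: []byte("canonical")}, "test-chain", pub, v))
}
```

A height the store has no hash for is treated as a mismatch, so an empty BlockHash cannot match a missing entry.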
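The commit reconstruction rules from the summary (address order, BlockIDFlagAbsent for non-signers, more-than-2/3 gate), as an added Go example that is not the code in pkg/rpc/core/blocks.go. Attester, CommitSig and buildCommitSigs are hypothetical simplified types and names, and the signatures passed in are assumed to be already verified.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"sort"
)

// Flag values follow CometBFT's BlockIDFlag enum (Absent = 1, Commit = 2).
const BlockIDFlagAbsent, BlockIDFlagCommit = 1, 2
// Attester and CommitSig are simplified stand-ins, not the project's types.
type Attester struct {
	Address []byte
	Power   int64
}
type CommitSig struct {
	Flag               int
	Address, Signature []byte
}
var ErrNoQuorum = errors.New("signed power does not exceed 2/3 of the set")

// buildCommitSigs emits one entry per attester, address-ascending; sigs maps
// string(address) to an already-verified vote signature.
func buildCommitSigs(set []Attester, sigs map[string][]byte) ([]CommitSig, error) {
	ordered := append([]Attester(nil), set...)
	sort.Slice(ordered, func(i, j int) bool {
		return bytes.Compare(ordered[i].Address, ordered[j].Address) < 0
	})
	var total, signed int64
	out := make([]CommitSig, 0, len(ordered))
	for _, a := range ordered {
		total += a.Power
		if sig, ok := sigs[string(a.Address)]; ok {
			signed += a.Power
			out = append(out, CommitSig{BlockIDFlagCommit, a.Address, sig})
		} else { // non-signer keeps its slot so indices stay aligned
			out = append(out, CommitSig{Flag: BlockIDFlagAbsent})
		}
	}
	if signed*3 <= total*2 { // quorum needs strictly more than 2/3 of power
		return nil, ErrNoQuorum
	}
	return out, nil
}

func main() {
	set := []Attester{{[]byte{2}, 1}, {[]byte{1}, 1}, {[]byte{3}, 1}} // constructed
	fmt.Println(buildCommitSigs(set, map[string][]byte{"\x01": {1}, "\x02": {2}})) // exactly 2/3: refused
}
```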