-
Notifications
You must be signed in to change notification settings - Fork 320
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
delayedack should validate ibc client state against latest rollapp committed state #874
Comments
As discussed with @yishay-dym , we're gonna handle it optimistically to not hurt UX. Will probably require ADR. |
trying to reprhase the issue:
IMO this issue is solved by design. |
Not sure I got you @mtsitrin
Are you trying to say it's already solved by eibc? In this way, the fulfillers absorb risk? |
I suggested that we can detect the invalid ibc state even before the sequencer state update. |
for the record, as discussed over a call, this is not solved by design as it's not eibc related but the ability of the sequencer to submit invalid ibc headers for specific heights which is not verified against the state update.
This is a possible solution but I think it has a few drawbacks in comparison to verify it on the hub:
the only pro I see in this appraoch is that you save time in the case where state update comes after the ibc header. however as this time is very negligible (i.e usually 1 min in happy case + currently requires gov proposal, and in any other case if the sequencer doesn't send msgUpdate anyway no eibc will be approved or any related transfers) In general I think in that case the "optimistic" solution doesn't provide significant value over the "pessimistic" but actually makes the system more complex. IMO we should be pessimistic as possible where we can, assuming it doesn't create a substantial overhead. With that being said, a more through research should be done on the optimal solution and trade-offs. |
Besides given us the gurantee that we only accept packets after a sequencer committed to it on the hub (i.e non-trusted sequencer assumption), it also protects us from a potential failure (non-malicious) where ibc transferes from rollapp to hub are processed before state committed and the blocks could potentially get lost. Assume the following scenario:
the "hacky" solution for now is just to make sure relayers are only connected to full nodes (and not to the sequencer) so at least we know the block was already gossiped to the network.
Long term solution (besides the obvious maliciuos behavior a sequencer can perform) would be to validate against latest committed state of the sequencer.
This has the obvious downside of making ibc transfers wait until the sequencer committed the state which could take an order of dozens of seconds.
The text was updated successfully, but these errors were encountered: