celestiaorg / celestia-app

PoS application for the consensus portion of the Celestia network. Built using celestia-core (fork of CometBFT) and the cosmos-sdk
https://celestia.org
Apache License 2.0

Add a delay between try upgrade and upgrade execution #3544

Closed rootulp closed 2 weeks ago

rootulp commented 3 weeks ago

Context

See finding 3 of Informal Systems findings.

Problem

A greedy cranker can submit a MsgTryUpgrade as soon as 5/6 has signaled for a version.

Proposal

To give some buffer time for the straggling 1/6 validators to upgrade their binaries, we can implement a delay between the block in which a MsgTryUpgrade is included and the actual upgrade height. For example: upgrade height = MsgTryUpgradeHeight + one week of blocks. A few questions about this delay:

  1. Should validators be able to change their signaled vote after a MsgTryUpgrade was invoked and before the delayed upgrade height?
  2. Should we disable all signaling after a successful crank invocation?
  3. Can users submit MsgTryUpgrade after a successful previous invocation?
  4. Should upgrade height coordination be performed out of protocol instead of dependent on the block height at which the first MsgTryUpgrade was included?

Acceptance Criteria

  1. Analyze the finding
  2. Prepare a design document on the possible options
  3. Schedule a meeting to drive internal consensus on the option that should be pursued
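A constructed Go model of the proposed flow (example code added here, not celestia-app's x/signal module): validators signal, a crank calls TryUpgrade once 5/6 of voting power has signaled, and the upgrade height becomes the crank's height plus a configurable delay; it also freezes signaling and rejects a second crank once an upgrade is scheduled, which is one way to answer questions 1 to 3. The keeper, its field names and the delay value are assumptions.

```go
package main

import "errors"

// Delayed-upgrade model, constructed for this example (not celestia-app's
// x/signal keeper). Voting power is an integer; quorum is 5/6 of TotalPower.
type Keeper struct {
	TotalPower    int64
	Delay         int64            // blocks from MsgTryUpgrade to the upgrade
	Signals       map[string]int64 // validator -> power signaled for the new version
	UpgradeHeight int64            // 0 means nothing is scheduled
}

func NewKeeper(totalPower, delay int64) *Keeper {
	return &Keeper{TotalPower: totalPower, Delay: delay, Signals: map[string]int64{}}
}

// Signal records a validator's vote. Once an upgrade is scheduled, signaling is
// frozen so the delay window cannot be used to flip the outcome (one possible
// answer to questions 1 and 2 in the proposal).
func (k *Keeper) Signal(validator string, power int64) error {
	if k.UpgradeHeight != 0 {
		return errors.New("signaling disabled: upgrade already scheduled")
	}
	k.Signals[validator] = power
	return nil
}

// HasQuorum reports whether at least 5/6 of voting power has signaled,
// using integer arithmetic to avoid rounding.
func (k *Keeper) HasQuorum() bool {
	var signaled int64
	for _, p := range k.Signals {
		signaled += p
	}
	return signaled*6 >= k.TotalPower*5
}

// TryUpgrade is the crank: it schedules the upgrade at tryHeight+Delay instead
// of at tryHeight, and a second crank cannot move the height (question 3).
func (k *Keeper) TryUpgrade(tryHeight int64) (int64, error) {
	if k.UpgradeHeight != 0 {
		return k.UpgradeHeight, errors.New("upgrade already scheduled")
	}
	if !k.HasQuorum() {
		return 0, errors.New("fewer than 5/6 of voting power has signaled")
	}
	k.UpgradeHeight = tryHeight + k.Delay
	return k.UpgradeHeight, nil
}
```

The delay of 50400 blocks used in the check below is a constructed stand-in for "one week of blocks"; the real value depends on block time.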

rootulp commented 2 weeks ago

Closed b/c we just had a meeting about this and agreed to add a time delay. Will create a new issue for that.