cosmos / cosmos-sdk

:chains: A Framework for Building High Value Public Blockchains :sparkles:
https://cosmos.network/
Apache License 2.0

Add a non-destructive way to check invariants #11389

Closed yihuang closed 1 year ago

yihuang commented 2 years ago

Summary

The design of the crisis module is to halt the chain when an invariant check fails. It would be useful to provide a way to check invariants without halting the chain, for example in a gRPC query handler.


peterbourgon commented 2 years ago

Is it not the case that if an invariant fails, the chain is by definition unsound?

faddat commented 1 year ago

He's right though.

Also, how to check invariants at all?

yihuang commented 1 year ago

> Is it not the case that if an invariant fails, the chain is by definition unsound?

Sometimes the invariant is just too strict. Or there's a benign bug that breaks an invariant, but the crisis module turns it into a serious bug that could be exploited by an attacker to halt the chain. There was an old example where an attacker might find a way to send tokens to some module addresses, which breaks an invariant, but having some tokens in a module address is not a serious issue in itself.

peterbourgon commented 1 year ago

> Sometimes the invariant is just too strict. Or there's a benign bug that breaks an invariant, but the crisis module turns it into a serious bug that could be exploited by an attacker to halt the chain. There was an old example where an attacker might find a way to send tokens to some module addresses, which breaks an invariant, but having some tokens in a module address is not a serious issue in itself.

If an invariant is "too strict" and can be violated by "a benign bug" without needing to halt the chain, then it isn't actually an invariant (as defined by x/crisis) and should be fixed, or removed altogether, right?

alexanderbez commented 1 year ago

Invariants are stringent checks against application state that are used to determine if the state is what it "should" be. "Too strict" isn't really a thing. They can be violated by any sort of bug, and if so, should be dealt with immediately.

E.g. staking_pool_balance == unbonded_pool + bonded_pool + unbonding_pool. If this is untrue at any point, your app has a serious problem. How this problem, for example, came to be, is for you to debug and figure out.

Invariants used in conjunction with the simulator were absolutely paramount to testing the initial Hub and SDK code and allowed us to launch quickly.
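The two things discussed in this thread, a non-destructive invariant check that a query handler could call (the opening request) and the staking-pool invariant quoted just above, in one Go sketch. This is an added example, not Cosmos SDK code: `State`, `Registry`, the `(msg, broken)` invariant shape and both invariant bodies are simplified stand-ins for illustration, `SafeAssert` is a hypothetical wrapper that recovers the halting checker's panic, and `NoStrayModuleFunds` is a hypothetical check of the kind the thread mentions (tokens landing in a module account). The sample state in `main` is constructed.

```go
package main

import "fmt"

// State is a toy slice of application state; all amounts are in the base denom.
// (Assumption: stand-in for the real keeper-backed state.)
type State struct {
	StakingPoolBalance                     uint64            // tokens actually held by the staking pool account
	BondedPool, UnbondedPool, UnbondingPool uint64            // accounting totals the balance must agree with
	ModuleBalances                         map[string]uint64 // other module accounts, by name
}

// Invariant has the (msg, broken) shape of an SDK invariant: broken == true
// means the state is not what it should be, and msg explains why.
type Invariant func(s *State) (msg string, broken bool)

// Result is the outcome of one invariant run, suitable for returning from a query.
type Result struct {
	Module, Name, Msg string
	Broken            bool
}

type route struct {
	module, name string
	inv          Invariant
}

// Registry is a stand-in for the SDK's invariant registry.
type Registry struct{ routes []route }

func (r *Registry) Register(module, name string, inv Invariant) {
	r.routes = append(r.routes, route{module, name, inv})
}

// AssertInvariants is the destructive path: the first broken invariant panics,
// which in a running node halts the chain.
func (r *Registry) AssertInvariants(s *State) {
	for _, rt := range r.routes {
		if msg, broken := rt.inv(s); broken {
			panic(fmt.Sprintf("invariant %s/%s broken: %s", rt.module, rt.name, msg))
		}
	}
}

// CheckInvariants is the non-destructive path: every invariant runs, nothing
// panics, and the caller gets a full report to act on.
func (r *Registry) CheckInvariants(s *State) (results []Result, anyBroken bool) {
	for _, rt := range r.routes {
		msg, broken := rt.inv(s)
		results = append(results, Result{rt.module, rt.name, msg, broken})
		anyBroken = anyBroken || broken
	}
	return results, anyBroken
}

// SafeAssert (hypothetical) reuses the halting checker but turns its panic into
// an error, so a crisis-style assertion can run from a query handler without halting.
func SafeAssert(r *Registry, s *State) (err error) {
	defer func() {
		if rec := recover(); rec != nil {
			err = fmt.Errorf("%v", rec)
		}
	}()
	r.AssertInvariants(s)
	return nil
}

// StakingPoolInvariant encodes the example from the thread:
// staking_pool_balance == unbonded_pool + bonded_pool + unbonding_pool.
func StakingPoolInvariant(s *State) (string, bool) {
	expected := s.UnbondedPool + s.BondedPool + s.UnbondingPool
	if s.StakingPoolBalance != expected {
		return fmt.Sprintf("staking pool balance %d != %d (bonded %d + unbonded %d + unbonding %d)",
			s.StakingPoolBalance, expected, s.BondedPool, s.UnbondedPool, s.UnbondingPool), true
	}
	return "staking pool balance matches bonded + unbonded + unbonding", false
}

// NoStrayModuleFunds (hypothetical) is the kind of strict check the thread
// discusses: broken if a module account that should never hold tokens does.
// Whether that deserves a halt is a policy question; a report lets the operator decide.
func NoStrayModuleFunds(mustBeEmpty ...string) Invariant {
	return func(s *State) (string, bool) {
		for _, m := range mustBeEmpty {
			if bal := s.ModuleBalances[m]; bal != 0 {
				return fmt.Sprintf("module account %s holds %d tokens", m, bal), true
			}
		}
		return "no stray module funds", false
	}
}

func main() {
	reg := &Registry{}
	reg.Register("staking", "pool-balance", StakingPoolInvariant)
	reg.Register("bank", "no-stray-module-funds", NoStrayModuleFunds("mint", "distribution"))
	// Constructed sample state: staking accounting is consistent, but 5 tokens
	// were sent to the mint module account.
	st := &State{StakingPoolBalance: 600, BondedPool: 300, UnbondedPool: 200, UnbondingPool: 100,
		ModuleBalances: map[string]uint64{"mint": 5}}
	results, _ := reg.CheckInvariants(st)
	for _, res := range results {
		fmt.Printf("%-8s %-22s broken=%-5v %s\n", res.Module, res.Name, res.Broken, res.Msg)
	}
	if err := SafeAssert(reg, st); err != nil { // halting path, caught instead of crashing
		fmt.Println("assert:", err)
	}
}
```

The design point is the split between `AssertInvariants`, which a node runs at end-block and lets panic, and `CheckInvariants`, which a query handler can expose because it never panics and reports every invariant rather than stopping at the first. `SafeAssert` shows the cheaper retrofit when the halting checker already exists: recover the panic at the query boundary. Note that a query handler has no state to corrupt, so running invariants there is safe, but it still costs a full state scan per call and should be rate-limited or restricted to local operators.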

julienrbrt commented 1 year ago

Given https://github.com/cosmos/cosmos-sdk/issues/15706 I think this can be closed.