2023-10-14 19:55:14 -04:00
|
|
|
use core::{future::Future, time::Duration};
|
2023-10-13 22:30:13 -04:00
|
|
|
use std::sync::Arc;
|
2023-04-20 05:05:17 -04:00
|
|
|
|
|
|
|
|
use zeroize::Zeroizing;
|
|
|
|
|
|
|
|
|
|
use ciphersuite::{Ciphersuite, Ristretto};
|
2023-08-14 06:08:55 -04:00
|
|
|
|
2023-10-13 22:30:13 -04:00
|
|
|
use tokio::sync::broadcast;
|
|
|
|
|
|
2023-10-14 21:58:10 -04:00
|
|
|
use scale::{Encode, Decode};
|
2023-10-14 16:47:25 -04:00
|
|
|
use serai_client::{validator_sets::primitives::ValidatorSet, subxt::utils::Encoded, Serai};
|
2023-04-20 05:05:17 -04:00
|
|
|
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 07:28:23 +03:00
|
|
|
use tributary::{
|
2023-10-14 02:45:47 +03:00
|
|
|
TransactionKind, Transaction as TributaryTransaction, Block, TributaryReader,
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 07:28:23 +03:00
|
|
|
tendermint::{
|
|
|
|
|
tx::{TendermintTx, decode_evidence},
|
|
|
|
|
TendermintNetwork,
|
|
|
|
|
},
|
2023-04-20 05:05:17 -04:00
|
|
|
};
|
|
|
|
|
|
2023-08-22 01:00:18 -04:00
|
|
|
use serai_db::DbTxn;
|
2023-04-20 05:05:17 -04:00
|
|
|
|
|
|
|
|
use crate::{
|
|
|
|
|
Db,
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 07:28:23 +03:00
|
|
|
tributary::handle::handle_application_tx,
|
2023-05-09 23:44:41 -04:00
|
|
|
processors::Processors,
|
2023-04-20 05:05:17 -04:00
|
|
|
tributary::{TributaryDb, TributarySpec, Transaction},
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 07:28:23 +03:00
|
|
|
P2p,
|
2023-04-20 05:05:17 -04:00
|
|
|
};
|
|
|
|
|
|
2023-10-14 21:58:10 -04:00
|
|
|
#[derive(Clone, Copy, PartialEq, Eq, Debug, Encode, Decode)]
|
2023-05-08 22:20:51 -04:00
|
|
|
pub enum RecognizedIdType {
|
Replace ExternalBlock with Batch
The initial TODO was simply to use one ExternalBlock per all batches in the
block. This would require publishing ExternalBlock after the last batch,
requiring knowing the last batch. While we could add such a pipeline, it'd
require:
1) Initial preprocesses using a distinct message from BatchPreprocess
2) An additional message sent after all BatchPreprocess are sent
Unfortunately, both would require tweaks to the SubstrateSigner which aren't
worth the complexity compared to the solution here, at least, not at this time.
While this will cause, if a Tributary is signing a block whose total batch data
exceeds 25 kB, to use multiple transactions which could be optimized out by
'better' local data pipelining, that's an extreme edge case. Given the temporal
nature of each Tributary, it's also an acceptable edge.
This does no longer achieve synchrony over external blocks accordingly. While
signed batches have synchrony, as they embed their block hash, batches being
signed don't have cryptographic synchrony on their contents. This means
validators who are eclipsed may produce invalid shares, as they sign a
different batch. This will be introduced in a follow-up commit.
2023-08-31 22:48:02 -04:00
|
|
|
Batch,
|
2023-05-08 22:20:51 -04:00
|
|
|
Plan,
|
|
|
|
|
}
|
|
|
|
|
|
2023-10-13 22:30:13 -04:00
|
|
|
pub(crate) trait RIDTrait<FRid>:
|
2023-10-14 16:47:25 -04:00
|
|
|
Clone + Fn(ValidatorSet, [u8; 32], RecognizedIdType, [u8; 32], u32) -> FRid
|
2023-10-13 22:30:13 -04:00
|
|
|
{
|
|
|
|
|
}
|
2023-10-14 16:47:25 -04:00
|
|
|
impl<FRid, F: Clone + Fn(ValidatorSet, [u8; 32], RecognizedIdType, [u8; 32], u32) -> FRid>
|
2023-10-13 22:30:13 -04:00
|
|
|
RIDTrait<FRid> for F
|
|
|
|
|
{
|
|
|
|
|
}
|
|
|
|
|
|
2023-04-20 05:05:17 -04:00
|
|
|
// Handle a specific Tributary block
|
2023-08-14 06:08:55 -04:00
|
|
|
async fn handle_block<
|
|
|
|
|
D: Db,
|
|
|
|
|
Pro: Processors,
|
2023-08-24 21:55:59 -04:00
|
|
|
FPst: Future<Output = ()>,
|
|
|
|
|
PST: Clone + Fn(ValidatorSet, Encoded) -> FPst,
|
Replace ExternalBlock with Batch
The initial TODO was simply to use one ExternalBlock per all batches in the
block. This would require publishing ExternalBlock after the last batch,
requiring knowing the last batch. While we could add such a pipeline, it'd
require:
1) Initial preprocesses using a distinct message from BatchPreprocess
2) An additional message sent after all BatchPreprocess are sent
Unfortunately, both would require tweaks to the SubstrateSigner which aren't
worth the complexity compared to the solution here, at least, not at this time.
While this will cause, if a Tributary is signing a block whose total batch data
exceeds 25 kB, to use multiple transactions which could be optimized out by
'better' local data pipelining, that's an extreme edge case. Given the temporal
nature of each Tributary, it's also an acceptable edge.
This does no longer achieve synchrony over external blocks accordingly. While
signed batches have synchrony, as they embed their block hash, batches being
signed don't have cryptographic synchrony on their contents. This means
validators who are eclipsed may produce invalid shares, as they sign a
different batch. This will be introduced in a follow-up commit.
2023-08-31 22:48:02 -04:00
|
|
|
FRid: Future<Output = ()>,
|
2023-10-13 22:30:13 -04:00
|
|
|
RID: RIDTrait<FRid>,
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 07:28:23 +03:00
|
|
|
P: P2p,
|
2023-08-14 06:08:55 -04:00
|
|
|
>(
|
2023-04-20 05:05:17 -04:00
|
|
|
db: &mut TributaryDb<D>,
|
|
|
|
|
key: &Zeroizing<<Ristretto as Ciphersuite>::F>,
|
2023-08-24 21:55:59 -04:00
|
|
|
recognized_id: RID,
|
2023-05-09 23:44:41 -04:00
|
|
|
processors: &Pro,
|
2023-08-14 06:08:55 -04:00
|
|
|
publish_serai_tx: PST,
|
2023-04-20 05:05:17 -04:00
|
|
|
spec: &TributarySpec,
|
|
|
|
|
block: Block<Transaction>,
|
|
|
|
|
) {
|
2023-08-08 15:12:47 -04:00
|
|
|
log::info!("found block for Tributary {:?}", spec.set());
|
|
|
|
|
|
2023-04-24 06:50:40 -04:00
|
|
|
let genesis = spec.genesis();
|
2023-04-20 05:05:17 -04:00
|
|
|
let hash = block.hash();
|
|
|
|
|
|
|
|
|
|
let mut event_id = 0;
|
2023-04-20 14:24:49 -04:00
|
|
|
#[allow(clippy::explicit_counter_loop)] // event_id isn't TX index. It just currently lines up
|
2023-04-20 05:05:17 -04:00
|
|
|
for tx in block.transactions {
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 07:28:23 +03:00
|
|
|
if TributaryDb::<D>::handled_event(&db.0, hash, event_id) {
|
|
|
|
|
event_id += 1;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2023-04-20 15:37:22 -04:00
|
|
|
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 07:28:23 +03:00
|
|
|
let mut txn = db.0.txn();
|
2023-04-20 15:37:22 -04:00
|
|
|
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 07:28:23 +03:00
|
|
|
match tx {
|
|
|
|
|
TributaryTransaction::Tendermint(TendermintTx::SlashEvidence(ev)) => {
|
|
|
|
|
// Since the evidence is on the chain, it should already have been validated
|
|
|
|
|
// We can just punish the signer
|
|
|
|
|
let msgs = decode_evidence::<TendermintNetwork<D, Transaction, P>>(&ev).unwrap();
|
2023-04-20 05:05:17 -04:00
|
|
|
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 07:28:23 +03:00
|
|
|
// Since anything with evidence is fundamentally faulty behavior, not just temporal errors,
|
|
|
|
|
// mark the node as fatally slashed
|
|
|
|
|
TributaryDb::<D>::set_fatally_slashed(&mut txn, genesis, msgs.0.msg.sender);
|
2023-04-20 06:59:42 -04:00
|
|
|
|
2023-08-31 23:39:36 -04:00
|
|
|
// TODO2: disconnect the node from network/ban from further participation in Tributary
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 07:28:23 +03:00
|
|
|
}
|
|
|
|
|
TributaryTransaction::Application(tx) => {
|
2023-08-24 21:55:59 -04:00
|
|
|
handle_application_tx::<D, _, _, _, _, _>(
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 07:28:23 +03:00
|
|
|
tx,
|
|
|
|
|
spec,
|
|
|
|
|
processors,
|
|
|
|
|
publish_serai_tx.clone(),
|
|
|
|
|
key,
|
2023-08-24 21:55:59 -04:00
|
|
|
recognized_id.clone(),
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 07:28:23 +03:00
|
|
|
&mut txn,
|
|
|
|
|
)
|
|
|
|
|
.await;
|
2023-04-20 05:05:17 -04:00
|
|
|
}
|
|
|
|
|
}
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 07:28:23 +03:00
|
|
|
|
|
|
|
|
TributaryDb::<D>::handle_event(&mut txn, hash, event_id);
|
|
|
|
|
txn.commit();
|
|
|
|
|
|
2023-04-20 05:05:17 -04:00
|
|
|
event_id += 1;
|
|
|
|
|
}
|
2023-04-20 06:27:00 -04:00
|
|
|
|
2023-10-14 00:41:07 -04:00
|
|
|
// TODO: Trigger any necessary re-attempts
|
2023-04-20 05:05:17 -04:00
|
|
|
}
|
|
|
|
|
|
2023-09-25 20:27:44 -04:00
|
|
|
pub(crate) async fn handle_new_blocks<
|
2023-08-14 06:08:55 -04:00
|
|
|
D: Db,
|
|
|
|
|
Pro: Processors,
|
2023-08-24 21:55:59 -04:00
|
|
|
FPst: Future<Output = ()>,
|
|
|
|
|
PST: Clone + Fn(ValidatorSet, Encoded) -> FPst,
|
Replace ExternalBlock with Batch
The initial TODO was simply to use one ExternalBlock per all batches in the
block. This would require publishing ExternalBlock after the last batch,
requiring knowing the last batch. While we could add such a pipeline, it'd
require:
1) Initial preprocesses using a distinct message from BatchPreprocess
2) An additional message sent after all BatchPreprocess are sent
Unfortunately, both would require tweaks to the SubstrateSigner which aren't
worth the complexity compared to the solution here, at least, not at this time.
While this will cause, if a Tributary is signing a block whose total batch data
exceeds 25 kB, to use multiple transactions which could be optimized out by
'better' local data pipelining, that's an extreme edge case. Given the temporal
nature of each Tributary, it's also an acceptable edge.
This does no longer achieve synchrony over external blocks accordingly. While
signed batches have synchrony, as they embed their block hash, batches being
signed don't have cryptographic synchrony on their contents. This means
validators who are eclipsed may produce invalid shares, as they sign a
different batch. This will be introduced in a follow-up commit.
2023-08-31 22:48:02 -04:00
|
|
|
FRid: Future<Output = ()>,
|
2023-10-13 22:30:13 -04:00
|
|
|
RID: RIDTrait<FRid>,
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 07:28:23 +03:00
|
|
|
P: P2p,
|
2023-08-14 06:08:55 -04:00
|
|
|
>(
|
2023-04-20 05:05:17 -04:00
|
|
|
db: &mut TributaryDb<D>,
|
|
|
|
|
key: &Zeroizing<<Ristretto as Ciphersuite>::F>,
|
2023-08-24 21:55:59 -04:00
|
|
|
recognized_id: RID,
|
2023-05-09 23:44:41 -04:00
|
|
|
processors: &Pro,
|
2023-08-14 06:08:55 -04:00
|
|
|
publish_serai_tx: PST,
|
2023-04-20 05:05:17 -04:00
|
|
|
spec: &TributarySpec,
|
2023-04-24 06:50:40 -04:00
|
|
|
tributary: &TributaryReader<D, Transaction>,
|
2023-04-20 05:05:17 -04:00
|
|
|
) {
|
2023-04-24 06:50:40 -04:00
|
|
|
let genesis = tributary.genesis();
|
|
|
|
|
let mut last_block = db.last_block(genesis);
|
2023-04-24 00:53:15 -04:00
|
|
|
while let Some(next) = tributary.block_after(&last_block) {
|
|
|
|
|
let block = tributary.block(&next).unwrap();
|
2023-10-14 02:45:47 +03:00
|
|
|
|
|
|
|
|
// Make sure we have all of the provided transactions for this block
|
|
|
|
|
for tx in &block.transactions {
|
|
|
|
|
// Provided TXs will appear first in the Block, so we can break after we hit a non-Provided
|
|
|
|
|
let TransactionKind::Provided(order) = tx.kind() else {
|
|
|
|
|
break;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// make sure we have all the provided txs in this block locally
|
|
|
|
|
if !tributary.locally_provided_txs_in_block(&block.hash(), order) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-08-24 21:55:59 -04:00
|
|
|
handle_block::<_, _, _, _, _, _, P>(
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 07:28:23 +03:00
|
|
|
db,
|
|
|
|
|
key,
|
2023-08-24 21:55:59 -04:00
|
|
|
recognized_id.clone(),
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 07:28:23 +03:00
|
|
|
processors,
|
|
|
|
|
publish_serai_tx.clone(),
|
|
|
|
|
spec,
|
|
|
|
|
block,
|
|
|
|
|
)
|
|
|
|
|
.await;
|
2023-04-24 00:53:15 -04:00
|
|
|
last_block = next;
|
2023-04-24 06:50:40 -04:00
|
|
|
db.set_last_block(genesis, next);
|
2023-04-20 05:05:17 -04:00
|
|
|
}
|
|
|
|
|
}
|
2023-10-13 22:30:13 -04:00
|
|
|
|
2023-10-13 22:31:26 -04:00
|
|
|
pub(crate) async fn scan_tributaries_task<
|
2023-10-13 22:30:13 -04:00
|
|
|
D: Db,
|
|
|
|
|
Pro: Processors,
|
|
|
|
|
P: P2p,
|
|
|
|
|
FRid: Send + Future<Output = ()>,
|
|
|
|
|
RID: 'static + Send + Sync + RIDTrait<FRid>,
|
|
|
|
|
>(
|
|
|
|
|
raw_db: D,
|
|
|
|
|
key: Zeroizing<<Ristretto as Ciphersuite>::F>,
|
|
|
|
|
recognized_id: RID,
|
|
|
|
|
processors: Pro,
|
|
|
|
|
serai: Arc<Serai>,
|
2023-10-14 14:56:02 -04:00
|
|
|
mut tributary_event: broadcast::Receiver<crate::TributaryEvent<D, P>>,
|
2023-10-13 22:30:13 -04:00
|
|
|
) {
|
|
|
|
|
log::info!("scanning tributaries");
|
|
|
|
|
|
|
|
|
|
loop {
|
2023-10-14 14:56:02 -04:00
|
|
|
match tributary_event.recv().await {
|
|
|
|
|
Ok(crate::TributaryEvent::NewTributary(crate::ActiveTributary { spec, tributary })) => {
|
2023-10-13 22:30:13 -04:00
|
|
|
// For each Tributary, spawn a dedicated scanner task
|
|
|
|
|
tokio::spawn({
|
|
|
|
|
let raw_db = raw_db.clone();
|
|
|
|
|
let key = key.clone();
|
|
|
|
|
let recognized_id = recognized_id.clone();
|
|
|
|
|
let processors = processors.clone();
|
|
|
|
|
let serai = serai.clone();
|
|
|
|
|
async move {
|
|
|
|
|
let spec = &spec;
|
|
|
|
|
let reader = tributary.reader();
|
|
|
|
|
let mut tributary_db = TributaryDb::new(raw_db.clone());
|
|
|
|
|
loop {
|
2023-10-14 19:55:14 -04:00
|
|
|
// Check if the set was retired, and if so, don't further operate
|
|
|
|
|
if crate::MainDb::<D>::is_tributary_retired(&raw_db, spec.set()) {
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2023-10-13 22:30:13 -04:00
|
|
|
// Obtain the next block notification now to prevent obtaining it immediately after
|
|
|
|
|
// the next block occurs
|
|
|
|
|
let next_block_notification = tributary.next_block_notification().await;
|
|
|
|
|
|
|
|
|
|
handle_new_blocks::<_, _, _, _, _, _, P>(
|
|
|
|
|
&mut tributary_db,
|
|
|
|
|
&key,
|
|
|
|
|
recognized_id.clone(),
|
|
|
|
|
&processors,
|
|
|
|
|
|set, tx| {
|
|
|
|
|
let serai = serai.clone();
|
|
|
|
|
async move {
|
|
|
|
|
loop {
|
|
|
|
|
match serai.publish(&tx).await {
|
|
|
|
|
Ok(_) => {
|
|
|
|
|
log::info!("set key pair for {set:?}");
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
// This is assumed to be some ephemeral error due to the assumed fault-free
|
|
|
|
|
// creation
|
|
|
|
|
// TODO2: Differentiate connection errors from invariants
|
|
|
|
|
Err(e) => {
|
2023-10-14 02:59:22 -04:00
|
|
|
if let Ok(serai) = serai.with_current_latest_block().await {
|
|
|
|
|
let serai = serai.validator_sets();
|
2023-10-13 22:30:13 -04:00
|
|
|
// Check if this failed because the keys were already set by someone
|
|
|
|
|
// else
|
2023-10-14 02:52:02 -04:00
|
|
|
if matches!(serai.keys(spec.set()).await, Ok(Some(_))) {
|
2023-10-13 22:30:13 -04:00
|
|
|
log::info!("another coordinator set key pair for {:?}", set);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// The above block may return false if the keys have been pruned from
|
|
|
|
|
// the state
|
|
|
|
|
// Check if this session is no longer the latest session, meaning it at
|
|
|
|
|
// some point did set keys, and we're just operating off very
|
|
|
|
|
// historical data
|
|
|
|
|
if let Ok(Some(current_session)) =
|
2023-10-14 02:52:02 -04:00
|
|
|
serai.session(spec.set().network).await
|
2023-10-13 22:30:13 -04:00
|
|
|
{
|
|
|
|
|
if current_session.0 > spec.set().session.0 {
|
|
|
|
|
log::warn!(
|
|
|
|
|
"trying to set keys for a set which isn't the latest {:?}",
|
|
|
|
|
set
|
|
|
|
|
);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
log::error!(
|
|
|
|
|
"couldn't connect to Serai node to publish set_keys TX: {:?}",
|
|
|
|
|
e
|
|
|
|
|
);
|
|
|
|
|
tokio::time::sleep(core::time::Duration::from_secs(10)).await;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
spec,
|
|
|
|
|
&reader,
|
|
|
|
|
)
|
|
|
|
|
.await;
|
|
|
|
|
|
2023-10-14 19:55:14 -04:00
|
|
|
// Run either when the notification fires, or every interval of block_time
|
|
|
|
|
let _ = tokio::time::timeout(
|
|
|
|
|
Duration::from_secs(tributary::Tributary::<D, Transaction, P>::block_time().into()),
|
|
|
|
|
next_block_notification,
|
|
|
|
|
)
|
|
|
|
|
.await;
|
2023-10-13 22:30:13 -04:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
}
|
2023-10-14 19:55:14 -04:00
|
|
|
// The above loop simply checks the DB every few seconds, voiding the need for this event
|
|
|
|
|
Ok(crate::TributaryEvent::TributaryRetired(_)) => {}
|
2023-10-13 22:30:13 -04:00
|
|
|
Err(broadcast::error::RecvError::Lagged(_)) => {
|
2023-10-14 14:56:02 -04:00
|
|
|
panic!("scan_tributaries lagged to handle tributary_event")
|
2023-10-13 22:30:13 -04:00
|
|
|
}
|
2023-10-14 14:56:02 -04:00
|
|
|
Err(broadcast::error::RecvError::Closed) => panic!("tributary_event sender closed"),
|
2023-10-13 22:30:13 -04:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|