-
Notifications
You must be signed in to change notification settings - Fork 286
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'v1.x' into mergify/bp/v1.x/pr-2394
- Loading branch information
Showing
13 changed files
with
153 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
# AnteHandler | ||
|
||
Celestia makes use of a Cosmos SDK [AnteHandler](https://docs.cosmos.network/v0.46/modules/auth/03_antehandlers.html#antehandlers) in order to reject decodable sdk.Txs that do not meet certain criteria. The AnteHandler is defined in [app/ante/ante.go](https://github.com/celestiaorg/celestia-app/blob/7f97788a64af7fe0fce00959753d6dd81663e98f/app/ante/ante.go) and is invoked at multiple times during the transaction lifecycle: | ||
|
||
1. `CheckTx` prior to the transaction entering the mempool | ||
1. `PrepareProposal` when the block proposer includes the transaction in a block proposal | ||
1. `ProcessProposal` when validators validate the transaction in a block proposal | ||
1. `DeliverTx` when full nodes execute the transaction in a decided block | ||
|
||
The AnteHandler chains together several decorators to ensure the following criteria are met: | ||
|
||
- The tx does not contain any [extension options](https://github.com/cosmos/cosmos-sdk/blob/22c28366466e64ebf0df1ce5bec8b1130523552c/proto/cosmos/tx/v1beta1/tx.proto#L119-L122). | ||
- The tx passes `ValidateBasic()`. | ||
- The tx's [timeout_height](https://github.com/cosmos/cosmos-sdk/blob/22c28366466e64ebf0df1ce5bec8b1130523552c/proto/cosmos/tx/v1beta1/tx.proto#L115-L117) has not been reached if one is specified. | ||
- The tx's [memo](https://github.com/cosmos/cosmos-sdk/blob/22c28366466e64ebf0df1ce5bec8b1130523552c/proto/cosmos/tx/v1beta1/tx.proto#L110-L113) is <= the max memo characters where [`MaxMemoCharacters = 256`](<https://github.com/cosmos/cosmos-sdk/blob/a429238fc267da88a8548bfebe0ba7fb28b82a13/x/auth/README.md?plain=1#L230>). | ||
- The tx's [gas_limit](https://github.com/cosmos/cosmos-sdk/blob/22c28366466e64ebf0df1ce5bec8b1130523552c/proto/cosmos/tx/v1beta1/tx.proto#L211-L213) is > the gas consumed based on the tx's size where [`TxSizeCostPerByte = 10`](https://github.com/cosmos/cosmos-sdk/blob/a429238fc267da88a8548bfebe0ba7fb28b82a13/x/auth/README.md?plain=1#L232). | ||
- The tx's feepayer has enough funds to pay fees for the tx. The tx's feepayer is the feegranter (if specified) or the tx's first signer. Note the [feegrant](https://docs.cosmos.network/v0.46/) module is enabled. | ||
- The tx's count of signatures <= the max number of signatures. The max number of signatures is [`TxSigLimit = 7`](https://github.com/cosmos/cosmos-sdk/blob/a429238fc267da88a8548bfebe0ba7fb28b82a13/x/auth/README.md?plain=1#L231). | ||
- The tx's [gas_limit](https://github.com/cosmos/cosmos-sdk/blob/22c28366466e64ebf0df1ce5bec8b1130523552c/proto/cosmos/tx/v1beta1/tx.proto#L211-L213) is > the gas consumed based on the tx's signatures. | ||
- The tx's [signatures](https://github.com/cosmos/cosmos-sdk/blob/22c28366466e64ebf0df1ce5bec8b1130523552c/types/tx/signing/signature.go#L10-L26) are valid. For each signature, ensure that the signature's sequence number (a.k.a nonce) matches the account sequence number of the signer. | ||
- The tx's [gas_limit](https://github.com/cosmos/cosmos-sdk/blob/22c28366466e64ebf0df1ce5bec8b1130523552c/proto/cosmos/tx/v1beta1/tx.proto#L211-L213) is > the gas consumed based on the blob size(s). Since blobs are charged based on the number of shares they occupy, the gas consumed is calculated as follows: `gasToConsume = sharesNeeded(blob) * bytesPerShare * gasPerBlobByte`. Where `bytesPerShare` is a a global constant (an alias for [`ShareSize = 512`](https://github.com/celestiaorg/celestia-app/blob/c90e61d5a2d0c0bd0e123df4ab416f6f0d141b7f/pkg/appconsts/global_consts.go#L27-L28)) and `gasPerBlobByte` is a governance parameter that can be modified (the [`DefaultGasPerBlobByte = 8`](https://github.com/celestiaorg/celestia-app/blob/c90e61d5a2d0c0bd0e123df4ab416f6f0d141b7f/pkg/appconsts/initial_consts.go#L16-L18)). | ||
- The tx's total blob size is <= the max blob size. The max blob size is derived from the maximum valid square size. The max valid square size is the minimum of: `GovMaxSquareSize` and `SquareSizeUpperBound`. | ||
- The tx does not contain a message of type [MsgSubmitProposal](https://github.com/cosmos/cosmos-sdk/blob/d6d929843bbd331b885467475bcb3050788e30ca/proto/cosmos/gov/v1/tx.proto#L33-L43) with zero proposal messages. | ||
- The tx is not an IBC packet or update message that has already been processed. | ||
|
||
In addition to the above criteria, the AnteHandler also has a number of side-effects: | ||
|
||
- Tx fees are deducted from the tx's feepayer and added to the fee collector module account. | ||
- Tx priority is calculated based on the the smallest denomination of gas price in the tx and set in context. | ||
- The nonce of all tx signers is incremented by 1. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1,53 @@ | ||
# Block Validity Rules | ||
|
||
## Introduction | ||
|
||
Unlike most blockchains, Celestia derives most of its functionality from | ||
stateless commitments to data rather than stateful transitions. This means that | ||
the protocol relies heavily on block validity rules. Notably, resource | ||
constrained light clients must be able to detect when a subset of these validity | ||
rules have not been followed in order to avoid making an honest majority | ||
assumption on the consensus network. This has a significant impact on thier | ||
design. More information on how light clients can check the invalidity of a | ||
block can be foud in the [Fraud Proofs](./fraud_proofs.md) spec. | ||
|
||
> **Note** Celestia relies on CometBFT (formerly tendermint) for consensus, | ||
> meaning that it has single slot finality and is fork-free. Therefore, in order | ||
> to ensure that an invalid block is never committed to, each validator must | ||
> check that each block follows all validity rules before voting. If over two | ||
> thirds of the voting power colludes to break a validity rule, then fraud | ||
> proofs are created for light clients. After light clients verify fraud proofs, | ||
> they halt. | ||
## Validity Rules | ||
|
||
Before any Celestia specific validation is performed, all CometBFT [block | ||
validation | ||
rules](https://github.com/cometbft/cometbft/blob/v0.34.28/spec/core/data_structures.md#block) | ||
must be followed. | ||
|
||
Notably, this includes verifying data availability. Consensus nodes verify data | ||
availabily by simply downloading the entire block. | ||
|
||
> **Note** Light clients only sample a fraction of the block. More details on | ||
> how sampling actually works can be found in the seminal ["Fraud and Data | ||
> Availability Proofs: Maximising Light Client Security and Scaling Blockchains | ||
> with Dishonest Majorities"](https://arxiv.org/abs/1809.09044) and in the | ||
> [`celestia-node`](https://github.com/celestiaorg/celestia-node) repo. | ||
Celestia specifc validity rules can be categorized into two groups: | ||
|
||
### Transaction Validity Rules | ||
|
||
All `BlobTx` transactions must be valid according to the [BlobTx validity rules](../../../x/blob/README.md#validity-rules). | ||
|
||
All remaining transactions must be decodable and pass all [AnteHandler](./ante_handler.md) checks. | ||
|
||
For a complete list of modules see [state machine modules](./state_machine_modules.md). | ||
|
||
### Data Root Construction | ||
|
||
The data root must be calculated from a correctly constructed data square per the [data square layout rules](./data_square_layout.md) | ||
|
||
<img src="./figures/rs2d_extending.svg" alt="Figure 1: Erasure Encoding" width="400"/> <img | ||
src="./figures/rs2d_quadrants.svg" alt="Figure 2: rsmt2d" width="400"/> <img src="./figures/data_root.svg" alt="Figure 3: Data Root" width="400"/> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
# Fraud Proofs | ||
|
||
## Bad Encoding Fraud Proofs | ||
|
||
In order for data availability sampling to work, light clients must be convinced | ||
that erasure encoded parity data was encoded correctly. For light clients, this | ||
is ultimately enforced via [bad encoding fraud proofs | ||
(BEFPs)](https://github.com/celestiaorg/celestia-node/blob/v0.11.0-rc3/docs/adr/adr-006-fraud-service.md#detailed-design). | ||
Consensus nodes must verify this themselves before considering a block valid. | ||
This is done automatically by verifying the data root of the header, since that | ||
requires reconstructing the square from the block data, performing the erasure | ||
encoding, calculating the data root using that representation, and then | ||
comparing the data root found in the header. | ||
|
||
## Blob Inclusion | ||
|
||
TODO | ||
|
||
## State | ||
|
||
State fraud proofs allow light clients to avoid making an honest majority assumption for | ||
state validity. While these are not incorporated into the protocol as of v1.0.0, | ||
there are example implementations that can be found in | ||
[Rollkit](https://github.com/rollkit/rollkit). More info in | ||
[rollkit-ADR009](https://github.com/rollkit/rollkit/blob/4fd97ba8b8352771f2e66454099785d06fd0c31b/docs/lazy-adr/adr-009-state-fraud-proofs.md). |