ADR 004: IBC Whitelisting #696
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| # ADR 004: IBC Whitelist/Allowlist | ||
|
|
||
| ## Terminology | ||
|
|
||
| All terminology is defined in [ICS 024](https://github.com/cosmos/ibc/tree/main/spec/core/ics-024-host-requirements) and some references are from corresponding implementation of [ICS 002](https://github.com/cosmos/ibc/tree/main/spec/core/ics-002-client-semantics) in [ibc-go](https://github.com/cosmos/ibc-go/blob/da1b7e0aaf4b7d466b1a7d1ed4f5d81149ff1d5b/modules/core/02-client) | ||
|
|
||
| ## Changelog | ||
|
|
||
| - 2022-03-03: Initial Commit | ||
|
|
||
| ## Context | ||
|
|
||
| While enabling IBC, we want to connect, and allow messages from selected chains. However, we don't want the ability for an arbitrary entity to create an IBC connection with a zone. This is so that we can keep the state machine as minimal and focused as possible. | ||
|
|
||
| ICS specification indicates that is possible by providing a custom `validateClientIdentifier`, but no such functionality exists currently. | ||
|
|
||
| Secondly, the ICS specification dictates that `createClient` takes in an `Identifier`. A potential solution could be to create a store for allowed `Identifiers` at genesis, and reject creation of clients for invalid identifiers. However, this is not true for the current state of the implementation. Rather, client ID is generated from an incremental counter `NextClientSequence` and the client type. | ||
|
|
||
| ## Proposal | ||
|
|
||
| Fork IBC, and create a store of whitelisted public keys. Only `createClient` txns that are signed by private keys corresponding to whitelisted/stored public keys are deemed valid, and the rest are invalidated. Specific keys will only be required for client creation, and rest of IBC will work as is. | ||
|
There was a problem hiding this comment. while a list of keys would probably be simplest, I'm guessing that it's also possible to rely strictly on governance? There was a problem hiding this comment. Yes, this is possible. Creation of clients can be strictly restricted to governance There was a problem hiding this comment. Note: this still requires us having to fork IBC (iiuc) |
||
|
|
||
| ## Alternative approaches | ||
|
|
||
| 1. Simplest solution is fork to IBC, and add a small change to disallow creation/registration of new clients. Then we can create clients for the chains that we want to allow at genesis, and effectively create a whitelist. However, adding new clients or removing clients is not feasible under this. | ||
|
There was a problem hiding this comment. agree that relying on hardforks for any changes isn't desirable imo. Not being able to move tokens for a few weeks if something weird happens seems like a non-starter. |
||
|
|
||
| 2. Add a middleware to revert packets from non-whitelisted chains. This still adds state bloat since clients and corresponding connections are allowed to be established, but adds economic incentive in terms of lost gas from the malicious user/actor | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[optional] one term is sufficient to describe this. Slight preference for
Allowlistbecause rails/rails#33677Note: accepting this suggestion implies updating the filename too. Preferably:
adr-004-ibc-allowlist.mdto conform to #772