Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

IBC Rate Limiting #556

Merged
merged 80 commits into from
Feb 18, 2023
Merged

IBC Rate Limiting #556

merged 80 commits into from
Feb 18, 2023

Conversation

sampocs
Copy link
Collaborator

@sampocs sampocs commented Jan 4, 2023

Co-Author: @antstalepresh
Closes: #414

Context and purpose of the change

The ratelimit module is meant as a safety control in the event of a bug or attack, and prevents massive inflows or outflows of IBC tokens to/from Stride in a short time frame. See module docs here for an overview of the purpose and tech spec.

Brief Changelog

  • Added ratelimit module as IBC middleware around transfer module
  • Added governance transactions AddRateLimit, UpdateRateLimit, ResetRateLimit and RemoveRateLimit
  • Added rate-limit, list-rate-limits and rate-limits-by-chain queries
  • Added unit tests and bash integration tests
  • Added Juno <> Osmo relayer config for testing transfers between non-stride chains
  • Added TODO to add store key when upgrade handler is added
  • Added Hour epoch

Upgrade

The upgrade handler was excluded from the PR as the target upgrade has not been determined yet.
IN THE ASSOCIATED UPGRADE, WE MUST REMEMBER TO ADD THE STORE KEY AND HOUR EPOCH
WE MUST ALSO ADD RATE LIMITS FOR EXISTING DENOMS!

Testing

  • There's a full suite of integration tests that were meant to be a comprehensive sanity check before launching this module. They are NOT meant to run in CI and are intentionally pedantic (they take ~30 minutes to run). They're also redundant with the unit tests.
  • Run tests with
make start-docker-all && bash dockernet/scripts/ratelimit/run_all_tests.sh
  • Once the PR has been reviewed and approved, I'll run through the normal stride integration tests and the rate limit integration tests one last time before merging:
  • CI Integration Tests for all host zones
  • RateLimit Integration Tests

Updates needed for sdk 46 and ibc-go v5

  • Change sdk.Int to cosmossdk/math
  • Remove rest client and rest route registered in module.go
  • IBC go callback args
  • Refactor ICS4Wrapper
  • Implement GetAppVesrion

Before Merging

  • Do we need to bind PortID? I don't think so since the middleware starts from the transfer port
  • Revert dockernet config settings to default
  • Add blacklist
  • Add evens

Author's Checklist

I have...

  • Run and PASSED locally all GAIA integration tests
  • If the change is contentful, I either:
    • Added a new unit test OR
    • Added test cases to existing unit tests
  • OR this change is a trivial rework / code cleanup without any test coverage

If skipped any of the tests above, explain.

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.

I have...

  • reviewed state machine logic
  • reviewed API design and naming
  • manually tested (if applicable)
  • confirmed the author wrote unit tests for new logic
  • reviewed documentation exists and is accurate

Documentation and Release Note

  • Does this pull request introduce a new feature or user-facing behavior changes?
  • Is a relevant changelog entry added to the Unreleased section in CHANGELOG.md?
  • This pull request updates existing proto field values (and require a backend and frontend migration)?
  • Does this pull request change existing proto field names (and require a frontend migration)?
    How is the feature or change documented?
    • not applicable
    • jira ticket XXX
    • specification (x/<module>/spec/)
    • README.md
    • not documented

@jstr1121
Copy link
Contributor

jstr1121 commented Feb 7, 2023

It would be nice if this PR supports blacklisting for specific token IBC transfer (receive/send) and export interface for registration of those tokens in keeper level so that it can be used on other modules.

@womensrights
Copy link

I was just passing by and saw this comment, you might be interested in this middleware celestia have implemented

// }
//
// 2. Add hour epoch to store
// 3. Add rate limits for existing denoms
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we implement these here and just leave them commented out?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It'd require adding the whole upgrade handler, so I think I'd lean toward doing it in a separate PR. Wdyt?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed, makes sense to put in a separate PR. We should just make sure that goes in the next upgrade.

dockernet/scripts/ratelimit/test_denoms.sh Show resolved Hide resolved
x/ratelimit/types/quota.go Show resolved Hide resolved
@riley-stride
Copy link
Contributor

It would be nice if this PR supports blacklisting for specific token IBC transfer (receive/send) and export interface for registration of those tokens in keeper level so that it can be used on other modules.

Sam's suggestion to set the rate limit to 0 for the particular IBC denom in this case sounds like the cleanest solution to this question

Copy link
Contributor

@riley-stride riley-stride left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unit testing coverage is really strong. I have no comments and I think this is ready to merge if you feel good about it @sampocs 🎉

Copy link
Contributor

@riley-stride riley-stride left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

x/ratelimit/README.md Outdated Show resolved Hide resolved
}

// If the rate limit is exceeded or the denom is blacklisted, we emit an event
func EmitRateLimitExceededEvent(ctx sdk.Context, denom, channelId string, direction types.PacketDirection, amount sdkmath.Int, err error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: might be nice to have separate events for attempts to transfer blacklisted assets vs attempts to transfer assets whose rate limits were exceeded. The former seems important to be able to identify at a moment's notice in potential emergency scenarios

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I went back and forth on that a little. My thinking was you could easily determine whether it was blacklisted or throttled based on the error message and I thought it would be nice to have a common event type to listen to all blocked txs.

Another option is to change the event type to TransferBlocked and then add an attribute that's either RateLimitExceeded or BlacklistedDenom?
Also fine with just using different event types

Wdyt?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

change the event type to TransferBlocked and then add an attribute that's either RateLimitExceeded or BlacklistedDenom?

I think this would be nice n clean. I know this is nit, but it could make a big difference in the moment if there's ever a blacklist event

@riley-stride
Copy link
Contributor

Was wondering @sampocs : is there any reason we should prevent from-and-to-Stride transfers of blacklisted assets? (eg bank send from stride1...A to stride1....B. I can't think of any, but curious if you can!

Co-authored-by: riley-stride <[email protected]>
@sampocs
Copy link
Collaborator Author

sampocs commented Feb 17, 2023

Was wondering @sampocs : is there any reason we should prevent from-and-to-Stride transfers of blacklisted assets? (eg bank send from stride1...A to stride1....B. I can't think of any, but curious if you can!

Good question! Nothing comes to mind

@sampocs sampocs merged commit 94e3a91 into main Feb 18, 2023
sontrinh16 pushed a commit to notional-labs/stride that referenced this pull request Mar 27, 2023
Co-authored-by: antstalepresh <[email protected]>
Co-authored-by: antstalepresh <[email protected]>
Co-authored-by: Aidan Salzmann <[email protected]>
Co-authored-by: riley-stride <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Epic: IBC rate limiting module
6 participants