You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

160 lines
5.4 KiB

lite2: remove auto update (#4535) We first introduced auto-update as a separate struct AutoClient, which was wrapping Client and calling Update periodically. // AutoClient can auto update itself by fetching headers every N seconds. type AutoClient struct { base *Client updatePeriod time.Duration quit chan struct{} trustedHeaders chan *types.SignedHeader errs chan error } // NewAutoClient creates a new client and starts a polling goroutine. func NewAutoClient(base *Client, updatePeriod time.Duration) *AutoClient { c := &AutoClient{ base: base, updatePeriod: updatePeriod, quit: make(chan struct{}), trustedHeaders: make(chan *types.SignedHeader), errs: make(chan error), } go c.autoUpdate() return c } // TrustedHeaders returns a channel onto which new trusted headers are posted. func (c *AutoClient) TrustedHeaders() <-chan *types.SignedHeader { return c.trustedHeaders } // Err returns a channel onto which errors are posted. func (c *AutoClient) Errs() <-chan error { return c.errs } // Stop stops the client. func (c *AutoClient) Stop() { close(c.quit) } func (c *AutoClient) autoUpdate() { ticker := time.NewTicker(c.updatePeriod) defer ticker.Stop() for { select { case <-ticker.C: lastTrustedHeight, err := c.base.LastTrustedHeight() if err != nil { c.errs <- err continue } if lastTrustedHeight == -1 { // no headers yet => wait continue } newTrustedHeader, err := c.base.Update(time.Now()) if err != nil { c.errs <- err continue } if newTrustedHeader != nil { c.trustedHeaders <- newTrustedHeader } case <-c.quit: return } } } Later we merged it into the Client itself with the assumption that most clients will want it. But now I am not sure. Neither IBC nor cosmos/relayer are using it. It increases complexity (Start/Stop methods). That said, I think it makes sense to remove it until we see a need for it (until we better understand usage behavior). We can always introduce it later 😅. Maybe in the form of AutoClient.
5 years ago
  1. # ADR 046: Lite Client Implementation
  2. ## Changelog
  3. * 13-02-2020: Initial draft
  4. * 26-02-2020: Cross-checking the first header
  5. * 28-02-2020: Bisection algorithm details
  6. ## Context
  7. A `Client` struct represents a light client, connected to a single blockchain.
  8. The user has an option to verify headers using `VerifyHeader` or
  9. `VerifyHeaderAtHeight` or `Update` methods. The latter method downloads the
  10. latest header from primary and compares it with the currently trusted one.
  11. ```go
  12. type Client interface {
  13. // verify new headers
  14. VerifyHeaderAtHeight(height int64, now time.Time) (*types.SignedHeader, error)
  15. VerifyHeader(newHeader *types.SignedHeader, newVals *types.ValidatorSet, now time.Time) error
  16. Update(now time.Time) (*types.SignedHeader, error)
  17. // get trusted headers & validators
  18. TrustedHeader(height int64) (*types.SignedHeader, error)
  19. TrustedValidatorSet(height int64) (valSet *types.ValidatorSet, heightUsed int64, err error)
  20. LastTrustedHeight() (int64, error)
  21. FirstTrustedHeight() (int64, error)
  22. // query configuration options
  23. ChainID() string
  24. Primary() provider.Provider
  25. Witnesses() []provider.Provider
  26. Cleanup() error
  27. }
  28. ```
  29. A new light client can either be created from scratch (via `NewClient`) or
  30. using the trusted store (via `NewClientFromTrustedStore`). When there's some
  31. data in the trusted store and `NewClient` is called, the light client will a)
  32. check if stored header is more recent b) optionally ask the user whenever it
  33. should rollback (no confirmation required by default).
  34. ```go
  35. func NewClient(
  36. chainID string,
  37. trustOptions TrustOptions,
  38. primary provider.Provider,
  39. witnesses []provider.Provider,
  40. trustedStore store.Store,
  41. options ...Option) (*Client, error) {
  42. ```
  43. `witnesses` as argument (as opposite to `Option`) is an intentional choice,
  44. made to increase security by default. At least one witness is required,
  45. although, right now, the light client does not check that primary != witness.
  46. When cross-checking a new header with witnesses, minimum number of witnesses
  47. required to respond: 1. Note the very first header (`TrustOptions.Hash`) is
  48. also cross-checked with witnesses for additional security.
  49. Due to bisection algorithm nature, some headers might be skipped. If the light
  50. client does not have a header for height `X` and `VerifyHeaderAtHeight(X)` or
  51. `VerifyHeader(H#X)` methods are called, these will perform either a) backwards
  52. verification from the latest header back to the header at height `X` or b)
  53. bisection verification from the first stored header to the header at height `X`.
  54. `TrustedHeader`, `TrustedValidatorSet` only communicate with the trusted store.
  55. If some header is not there, an error will be returned indicating that
  56. verification is required.
  57. ```go
  58. type Provider interface {
  59. ChainID() string
  60. SignedHeader(height int64) (*types.SignedHeader, error)
  61. ValidatorSet(height int64) (*types.ValidatorSet, error)
  62. }
  63. ```
  64. Provider is a full node usually, but can be another light client. The above
  65. interface is thin and can accommodate many implementations.
  66. If provider (primary or witness) becomes unavailable for a prolonged period of
  67. time, it will be removed to ensure smooth operation.
  68. Both `Client` and providers expose chain ID to track if there are on the same
  69. chain. Note, when chain upgrades or intentionally forks, chain ID changes.
  70. The light client stores headers & validators in the trusted store:
  71. ```go
  72. type Store interface {
  73. SaveSignedHeaderAndValidatorSet(sh *types.SignedHeader, valSet *types.ValidatorSet) error
  74. DeleteSignedHeaderAndValidatorSet(height int64) error
  75. SignedHeader(height int64) (*types.SignedHeader, error)
  76. ValidatorSet(height int64) (*types.ValidatorSet, error)
  77. LastSignedHeaderHeight() (int64, error)
  78. FirstSignedHeaderHeight() (int64, error)
  79. SignedHeaderAfter(height int64) (*types.SignedHeader, error)
  80. }
  81. ```
  82. At the moment, the only implementation is the `db` store (wrapper around the KV
  83. database, used in Tendermint). In the future, remote adapters are possible
  84. (e.g. `Postgresql`).
  85. ```go
  86. func Verify(
  87. chainID string,
  88. h1 *types.SignedHeader,
  89. h1NextVals *types.ValidatorSet,
  90. h2 *types.SignedHeader,
  91. h2Vals *types.ValidatorSet,
  92. trustingPeriod time.Duration,
  93. now time.Time,
  94. trustLevel tmmath.Fraction) error {
  95. ```
  96. `Verify` pure function is exposed for a header verification. It handles both
  97. cases of adjacent and non-adjacent headers. In the former case, it compares the
  98. hashes directly (2/3+ signed transition). Otherwise, it verifies 1/3+
  99. (`trustLevel`) of trusted validators are still present in new validators.
  100. ### Bisection algorithm details
  101. Non-recursive bisection algorithm was implemented despite the spec containing
  102. the recursive version. There are two major reasons:
  103. 1) Constant memory consumption => no risk of getting OOM (Out-Of-Memory) exceptions;
  104. 2) Faster finality (see Fig. 1).
  105. _Fig. 1: Differences between recursive and non-recursive bisections_
  106. ![Fig. 1](./img/adr-046-fig1.png)
  107. Specification of the non-recursive bisection can be found
  108. [here](https://github.com/tendermint/spec/blob/zm_non-recursive-verification/spec/consensus/light-client/non-recursive-verification.md).
  109. ## Status
  110. Accepted.
  111. ## Consequences
  112. ### Positive
  113. * single `Client` struct, which is easy to use
  114. * flexible interfaces for header providers and trusted storage
  115. ### Negative
  116. * `Verify` needs to be aligned with the current spec
  117. ### Neutral
  118. * `Verify` function might be misused (called with non-adjacent headers in
  119. incorrectly implemented sequential verification)