fix: node skips some epoch length txs making bridgeState corrupt

[troggy]

Requires: leapdao/leap-core#155, #348
Resolves #340
Test to reproduce with: leapdao/leap-sandbox#69

Tendermint replay protection

Tendermint has a build-in replay protection which will reject the same tx from being added to the mempool twice. It seems to work by comparing raw tx bytes. Should two transactions have the same raw bytes, the second one will not make it to the mempool.

Now, EpochLength transaction in leap-core is merely a [type,epochLength] tuple. Tx.epochLength(X) will have the same raw bytes for the same X. Consider the following pretty valid transaction flow:

1. Tx.epochLength(2)
2. Tx.epochLength(4)
3. Tx.epochLength(2)

The third transaction will be rejected by tendermint's replay protection.

How it affects leap-node

The node listens for root chain events, including EpochLength event. Everytime event comes, the node
a) keeps record of the epoch length from event (in the bridgeState.epochLengths list). bridgeState
b) creates epochLength transaction and relays it. eventsRelay
c) handles epochLength tx, once received through ABCI from tendermint. checkEpochLength

The step (c) expects all the a,b,c steps always executed for every EpochLength event. However, if the node receives two EpochLength(X) events for the same epoch length, only steps (a) and (b) will be executed. Step (c) would never happen for the second event, because the transaction created on (b) will be rejected by Tendermint's replay protection. In the end, we have bridgeState.epochLength mutated by (a), which will make checkEpochLength fail for any further epoch length tx.

Proposed solution

Add more differentiation to EpochLength transactions. I suggest adding blockHeight to it. See: leapdao/leap-core#155

These two things needs to be merged first for the fix to work: leapdao/leap-core#155, #348

[codecov]

Codecov Report

Merging #349 into master will increase coverage by 0.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master     #349      +/-   ##
==========================================
+ Coverage   95.16%   95.17%   +0.01%     
==========================================
  Files          72       72              
  Lines        1096     1099       +3     
  Branches      206      206              
==========================================
+ Hits         1043     1046       +3     
  Misses         47       47              
  Partials        6        6

Impacted Files	Coverage Δ
src/tx/applyTx/checkEpochLength.js	100% <100%> (ø)	⬆️
src/bridgeState.js	69.23% <100%> (+0.29%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 628c596...1063dce. Read the comment docs.

[troggy]

temporary using [email protected] which includes the fix leapdao/leap-core#155

[sunify]

Holy shit. I wonder how we ain't dead yet :D

I have a feeling we should create the new tx type and rename the old one to «Tx.epochLength_legacy» or something like that. If this PR will merged it'll make sync with testnet or mainnet impossible — Tx.fromRaw will fail with malformed epoch tx. error

[troggy]

Tx.fromRaw will fail with malformed epoch tx. error

great catch, totally overlooked this.

[sunify]

We have almost identical (in terms of code) tx type MIN_GAS_PRICE and It affected by the same problem. We can create the new issue or fix here — up to you

[sunify]

We can save blockNumber in bridgeState.epochLengths as well and use it for tx validation 🤔

[troggy]

I didn't get the idea. You propose to use these blockNumbers here when creating epochLength tx ?

[sunify]

In bridgeState we store all epochLength changes. We can add blockNumber into this array ([epochLength, blockNumber][]) and use it in this check

Btw, do not forget to update check anyway — it should handle two tx types (it handles zero currently :-))

[troggy]

hm.. I've updated the check.

I don't see why we need to store blockNumber in bridgeState — we can just take it from the transaction (like I do in my code). If there is no blockNumber in epochLength, chance are that checkEpochLength won't be called at all, exactly the issue we are fixing here.

[troggy]

or you mean, we can compare height from bridgeState with the one from tx ?

[sunify]

Yes :-)

[troggy]

We have almost identical (in terms of code) tx type MIN_GAS_PRICE and It affected by the same problem. We can create the new issue or fix here — up to you

👍
Opened as issue for that: leapdao/leap-core#156

[troggy]

If this PR will merged it'll make sync with testnet or mainnet impossible — Tx.fromRaw will fail with malformed epoch tx. error

addressed with new tx type. I've quickly checked with testnet sync — the sync goes beyond the height 4, no error.

[sunify]

Great job!

(i've already merged integration-tests to run it here)