From 3920d5df61801bca5ce5e2dc8b7f0b9ceb69e44b Mon Sep 17 00:00:00 2001 From: Aditya Sripal <14364734+AdityaSripal@users.noreply.github.com> Date: Wed, 21 Aug 2024 13:51:07 +0200 Subject: [PATCH] create structure and paste v1 specs for now --- spec/core/v2/PLACEHOLDER.md | 0 .../v2/ics-002-client-semantics/README.md | 662 +++++++ .../v2/ics-004-packet-semantics/README.md | 1544 +++++++++++++++++ .../core/v2/ics-005-port-allocation/README.md | 246 +++ .../v2/ics-024-host-requirements/README.md | 411 +++++ 5 files changed, 2863 insertions(+) delete mode 100644 spec/core/v2/PLACEHOLDER.md create mode 100644 spec/core/v2/ics-002-client-semantics/README.md create mode 100644 spec/core/v2/ics-004-packet-semantics/README.md create mode 100644 spec/core/v2/ics-005-port-allocation/README.md create mode 100644 spec/core/v2/ics-024-host-requirements/README.md diff --git a/spec/core/v2/PLACEHOLDER.md b/spec/core/v2/PLACEHOLDER.md deleted file mode 100644 index e69de29bb..000000000 diff --git a/spec/core/v2/ics-002-client-semantics/README.md b/spec/core/v2/ics-002-client-semantics/README.md new file mode 100644 index 000000000..e1d1fd6de --- /dev/null +++ b/spec/core/v2/ics-002-client-semantics/README.md @@ -0,0 +1,662 @@ +--- +ics: 2 +title: Client Semantics +stage: draft +category: IBC/TAO +kind: interface +requires: 23, 24 +required-by: 3 +version compatibility: ibc-go v7.0.0 +author: Juwoon Yun , Christopher Goes , Aditya Sripal +created: 2019-02-25 +modified: 2022-08-04 +--- + +## Synopsis + +This standard specifies the properties that consensus algorithms of state machines implementing the inter-blockchain +communication (IBC) protocol are required to satisfy. +These properties are necessary for efficient and safe verification in the higher-level protocol abstractions. +The algorithm utilised in IBC to verify the state updates of a remote state machine is referred to as a *validity predicate*. +Pairing a validity predicate with a trusted state (i.e., a state that the verifier assumes to be correct), +implements the functionality of a *light client* (often shortened to *client*) for a remote state machine on the host state machine. +In addition to state update verification, every light client is able to detect consensus misbehaviours through a *misbehaviour predicate*. + +Beyond the properties described in this specification, IBC does not impose any requirements on +the internal operation of the state machines and their consensus algorithms. +A state machine may consist of a single process signing operations with a private key (the so-called "solo machine"), a quorum of processes signing in unison, +many processes operating a Byzantine fault-tolerant consensus algorithm (e.g., Tendermint), or other configurations yet to be invented +— from the perspective of IBC, a state machine is defined entirely by its light client validation and misbehaviour detection logic. + +This standard also specifies how the light client's functionality is registered and how its data is stored and updated by the IBC protocol. +The stored client instances can be introspected by a third party actor, +such as a user inspecting the state of the state machine and deciding whether or not to send an IBC packet. + +### Motivation + +In the IBC protocol, an actor, which may be an end user, an off-chain process, or a module on a state machine, +needs to be able to verify updates to the state of another state machine (i.e., the *remote state machine*). +This entails accepting *only* the state updates that were agreed upon by the remote state machine's consensus algorithm. +A light client of the remote state machine is the algorithm that enables the actor to verify state updates of that state machine. +Note that light clients will generally not include validation of the entire state transition logic +(as that would be equivalent to simply executing the other state machine), but may +elect to validate parts of state transitions in particular cases. +This standard formalises the light client model and requirements. +As a result, the IBC protocol can easily be integrated with new state machines running new consensus algorithms, +as long as the necessary light client algorithms fulfilling the listed requirements are provided. + +The IBC protocol can be used to interact with probabilistic-finality consensus algorithms. +In such cases, different validity predicates may be required by different applications. For probabilistic-finality consensus, a validity predicate is defined by a finality threshold (e.g., the threshold defines how many block needs to be on top of a block in order to consider it finalized). +As a result, clients could act as *thresholding views* of other clients: +One *write-only* client could be used to store state updates (without the ability to verify them), +while many *read-only* clients with different finality thresholds (confirmation depths after which +state updates are considered final) are used to verify state updates. + +The client protocol should also support third-party introduction. +For example, if `A`, `B`, and `C` are three state machines, with +Alice a module on `A`, Bob a module on `B`, and Carol a module on `C`, such that +Alice knows both Bob and Carol, but Bob knows only Alice and not Carol, +then Alice can utilise an existing channel to Bob to communicate the canonically-serialisable +validity predicate for Carol. Bob can then use this validity predicate to open a connection and channel +so that Bob and Carol can talk directly. +If necessary, Alice may also communicate to Carol the validity predicate for Bob, prior to Bob's +connection attempt, so that Carol knows to accept the incoming request. + +Client interfaces should also be constructed so that custom validation logic can be provided safely +to define a custom client at runtime, as long as the underlying state machine can provide an +appropriate gas metering mechanism to charge for compute and storage. On a host state machine +which supports WASM execution, for example, the validity predicate and misbehaviour predicate +could be provided as executable WASM functions when the client instance is created. + +### Definitions + +- `get`, `set`, `Path`, and `Identifier` are as defined in [ICS 24](../ics-024-host-requirements). + +- `Consensus` is a state update generating algorithm. It takes the previous state of a state machine together + with a set of messages (i.e., state machine transactions) and generates a valid state update of the state machine. + Every state machine MUST have a `Consensus` that generates a unique, ordered list of state updates + starting from a genesis state. + + This specification expects that the state updates generated by `Consensus` + satisfy the following properties: + - Every state update MUST NOT have more than one direct successor in the list of state updates. + In other words, the state machine MUST guarantee *finality* and *safety*. + - Every state update MUST eventually have a successor in the list of state updates. + In other words, the state machine MUST guarantee *liveness*. + - Every state update MUST be valid (i.e., valid state transitions). + In other words, `Consensus` MUST be *honest*, + e.g., in the case `Consensus` is a Byzantine fault-tolerant consensus algorithm, + such as Tendermint, less than a third of block producers MAY be Byzantine. + + Unless the state machine satisfies all of the above properties, the IBC protocol +may not work as intended, e.g., users' assets might be stolen. Note that specific client +types may require additional properties. + +- `Height` specifies the order of the state updates of a state machine, e.g., a sequence number. + This entails that each state update is mapped to a `Height`. + +- `CommitmentRoot` is as defined in [ICS 23](../ics-023-vector-commitments). + It provides an efficient way for higher-level protocol abstractions to verify whether + a particular state transition has occurred on the remote state machine, i.e., + it enables proofs of inclusion or non-inclusion of particular values at particular paths + in the state of the remote state machine at particular `Height`s. + +- `ClientMessage` is an arbitrary message defined by the client type that relayers can submit in order to update the client. + The ClientMessage may be intended as a regular update which may add new consensus state for proof verification, or it may contain + misbehaviour which should freeze the client. + +- `ValidityPredicate` is a function that validates a ClientMessage sent by a relayer in order to update the client. + Using the `ValidityPredicate` SHOULD be more computationally efficient than executing `Consensus`. + +- `ConsensusState` is the *trusted view* of the state of a state machine at a particular `Height`. + It MUST contain sufficient information to enable the `ValidityPredicate` to validate state updates, + which can then be used to generate new `ConsensusState`s. + It MUST be serialisable in a canonical fashion so that remote parties, such as remote state machines, + can check whether a particular `ConsensusState` was stored by a particular state machine. + It MUST be introspectable by the state machine whose view it represents, + i.e., a state machine can look up its own `ConsensusState`s at past `Height`s. + +- `ClientState` is the state of a client. It MUST expose an interface to higher-level protocol abstractions, + e.g., functions to verify proofs of the existence of particular values at particular paths at particular `Height`s. + +- `MisbehaviourPredicate` is a function that checks whether the rules of `Consensus` were broken, + in which case the client MUST be *frozen*, i.e., no subsequent `ConsensusState`s can be generated. + +- `Misbehaviour` is the proof needed by the `MisbehaviourPredicate` to determine whether + a violation of the consensus protocol occurred. For example, in the case the state machine + is a blockchain, a `Misbehaviour` might consist of two signed block headers with + different `CommitmentRoot`s, but the same `Height`. + +### Desired Properties + +Light clients MUST provide state verification functions that provide a secure way +to verify the state of the remote state machines using the existing `ConsensusState`s. +These state verification functions enable higher-level protocol abstractions to +verify sub-components of the state of the remote state machines. + +`ValidityPredicate`s MUST reflect the behaviour of the remote state machine and its `Consensus`, i.e., +`ValidityPredicate`s accept *only* state updates that contain state updates generated by +the `Consensus` of the remote state machine. + +In case of misbehavior, the behaviour of the `ValidityPredicate` might differ from the behaviour of +the remote state machine and its `Consensus` (since clients do not execute the `Consensus` of the +remote state machine). In this case, a `Misbehaviour` SHOULD be submitted to the host state machine, +which would result in the client being frozen and higher-level intervention being necessary. + +## Technical Specification + +This specification outlines what each *client type* must define. A client type is a set of definitions +of the data structures, initialisation logic, validity predicate, and misbehaviour predicate required +to operate a light client. State machines implementing the IBC protocol can support any number of client +types, and each client type can be instantiated with different initial consensus states in order to track +different consensus instances. In order to establish a connection between two state machines (see [ICS 3](../ics-003-connection-semantics)), +the state machines must each support the client type corresponding to the other state machine's consensus algorithm. + +Specific client types shall be defined in later versions of this specification and a canonical list shall exist in this repository. +State machines implementing the IBC protocol are expected to respect these client types, although they may elect to support only a subset. + +### Data Structures + +#### `Height` + +`Height` is an opaque data structure defined by a client type. +It must form a partially ordered set & provide operations for comparison. + +```typescript +type Height +``` + +```typescript +enum Ord { + LT + EQ + GT +} + +type compare = (h1: Height, h2: Height) => Ord +``` + +A height is either `LT` (less than), `EQ` (equal to), or `GT` (greater than) another height. + +`>=`, `>`, `===`, `<`, `<=` are defined through the rest of this specification as aliases to `compare`. + +There must also be a zero-element for a height type, referred to as `0`, which is less than all non-zero heights. + +#### `ConsensusState` + +`ConsensusState` is an opaque data structure defined by a client type, used by the validity predicate to +verify new commits & state roots. Likely the structure will contain the last commit produced by +the consensus process, including signatures and validator set metadata. + +`ConsensusState` MUST be generated from an instance of `Consensus`, which assigns unique heights +for each `ConsensusState` (such that each height has exactly one associated consensus state). +Two `ConsensusState`s on the same chain SHOULD NOT have the same height if they do not have +equal commitment roots. Such an event is called an "equivocation" and MUST be classified +as misbehaviour. Should one occur, a proof should be generated and submitted so that the client can be frozen +and previous state roots invalidated as necessary. + +The `ConsensusState` of a chain MUST have a canonical serialisation, so that other chains can check +that a stored consensus state is equal to another (see [ICS 24](../ics-024-host-requirements) for the keyspace table). + +```typescript +type ConsensusState = bytes +``` + +The `ConsensusState` MUST be stored under a particular key, defined below, so that other chains can verify that a particular consensus state has been stored. + +The `ConsensusState` MUST define a `getTimestamp()` method which returns the timestamp associated with that consensus state: + +```typescript +type getTimestamp = ConsensusState => uint64 +``` + +#### `ClientState` + +`ClientState` is an opaque data structure defined by a client type. +It may keep arbitrary internal state to track verified roots and past misbehaviours. + +Light clients are representation-opaque — different consensus algorithms can define different light client update algorithms — +but they must expose this common set of query functions to the IBC handler. + +```typescript +type ClientState = bytes +``` + +Client types MUST define a method to initialise a client state with the provided client identifier, client state and consensus state, writing to internal state as appropriate. + +```typescript +type initialise = (identifier: Identifier, clientState: ClientState, consensusState: ConsensusState) => Void +``` + +Client types MUST define a method to fetch the current height (height of the most recent validated state update). + +```typescript +type latestClientHeight = ( + clientState: ClientState) + => Height +``` + +Client types MUST define a method on the client state to fetch the timestamp at a given height + +```typescript +type getTimestampAtHeight = ( + clientState: ClientState, + height: Height +) => uint64 +``` + +#### `ClientMessage` + +A `ClientMessage` is an opaque data structure defined by a client type which provides information to update the client. +`ClientMessage`s can be submitted to an associated client to add new `ConsensusState`(s) and/or update the `ClientState`. They likely contain a height, a proof, a commitment root, and possibly updates to the validity predicate. + +```typescript +type ClientMessage = bytes +``` + +### Store paths + +Client state paths are stored under a unique client identifier. + +```typescript +function clientStatePath(id: Identifier): Path { + return "clients/{id}/clientState" +} +``` + +Consensus state paths are stored under a unique combination of client identifier and height: + +```typescript +function consensusStatePath(id: Identifier, height: Height): Path { + return "clients/{id}/consensusStates/{height}" +} +``` + +#### Validity predicate + +A validity predicate is an opaque function defined by a client type to verify `ClientMessage`s depending on the current `ConsensusState`. +Using the validity predicate SHOULD be far more computationally efficient than replaying the full consensus algorithm +for the given parent `ClientMessage` and the list of network messages. + +The validity predicate is defined as: + +```typescript +type verifyClientMessage = (ClientMessage) => Void +``` + +`verifyClientMessage` MUST throw an exception if the provided ClientMessage was not valid. + +#### Misbehaviour predicate + +A misbehaviour predicate is an opaque function defined by a client type, used to check if a ClientMessage +constitutes a violation of the consensus protocol. For example, if the state machine is a blockchain, this might be two signed headers +with different state roots but the same height, a signed header containing invalid +state transitions, or other proof of malfeasance as defined by the consensus algorithm. + +The misbehaviour predicate is defined as + +```typescript +type checkForMisbehaviour = (ClientMessage) => bool +``` + +`checkForMisbehaviour` MUST throw an exception if the provided proof of misbehaviour was not valid. + +#### Update state + +Function `updateState` is an opaque function defined by a client type that will update the client given a verified `ClientMessage`. Note that this function is intended for **non-misbehaviour** `ClientMessage`s. + +```typescript +type updateState = (ClientMessage) => Void +``` + +`verifyClientMessage` must be called before this function, and `checkForMisbehaviour` must return false before this function is called. + +The client MUST also mutate internal state to store +now-finalised consensus roots and update any necessary signature authority tracking (e.g. +changes to the validator set) for future calls to the validity predicate. + +Clients MAY have time-sensitive validity predicates, such that if no ClientMessage is provided for a period of time +(e.g. an unbonding period of three weeks) it will no longer be possible to update the client, i.e., the client is being frozen. +In this case, a permissioned entity such as a chain governance system or trusted multi-signature MAY be allowed +to intervene to unfreeze a frozen client & provide a new correct ClientMessage. + +#### Update state on misbehaviour + +Function `updateStateOnMisbehaviour` is an opaque function defined by a client type that will update the client upon receiving a verified `ClientMessage` that is valid misbehaviour. + +```typescript +type updateStateOnMisbehaviour = (ClientMessage) => Void +``` + +`verifyClientMessage` must be called before this function, and `checkForMisbehaviour` must return `true` before this function is called. + +The client MUST also mutate internal state to mark appropriate heights which +were previously considered valid as invalid, according to the nature of the misbehaviour. + +Once misbehaviour is detected, clients SHOULD be frozen so that no future updates can be submitted. +A permissioned entity such as a chain governance system or trusted multi-signature MAY be allowed +to intervene to unfreeze a frozen client & provide a new correct ClientMessage which updates the client to a valid state. + +#### `CommitmentProof` + +`CommitmentProof` is an opaque data structure defined by a client type in accordance with [ICS 23](../ics-023-vector-commitments). +It is utilised to verify presence or absence of a particular key/value pair in state +at a particular finalised height (necessarily associated with a particular commitment root). + +### State verification + +Client types must define functions to authenticate internal state of the state machine which the client tracks. +Internal implementation details may differ (for example, a loopback client could simply read directly from the state and require no proofs). + +- The `delayPeriodTime` is passed to the verification functions for packet-related proofs in order to allow packets to specify a period of time which must pass after a consensus state is added before it can be used for packet-related verification. +- The `delayPeriodBlocks` is passed to the verification functions for packet-related proofs in order to allow packets to specify a period of blocks which must pass after a consensus state is added before it can be used for packet-related verification. + +`verifyMembership` is a generic proof verification method which verifies a proof of the existence of a value at a given `CommitmentPath` at the specified height. It MUST return an error if the verification is not successful. +The caller is expected to construct the full `CommitmentPath` from a `CommitmentPrefix` and a standardized path (as defined in [ICS 24](../ics-024-host-requirements/README.md#path-space)). If the caller desires a particular delay period to be enforced, +then it can pass in a non-zero `delayPeriodTime` or `delayPeriodBlocks`. If a delay period is not necessary, the caller must pass in 0 for `delayPeriodTime` and `delayPeriodBlocks`, +and the client will not enforce any delay period for verification. + +```typescript +type verifyMembership = ( + clientState: ClientState, + height: Height, + delayPeriodTime: uint64, + delayPeriodBlocks: uint64, + proof: CommitmentProof, + path: CommitmentPath, + value: bytes) + => Error +``` + +`verifyNonMembership` is a generic proof verification method which verifies a proof of absence of a given `CommitmentPath` at the specified height. It MUST return an error if the verification is not successful. +The caller is expected to construct the full `CommitmentPath` from a `CommitmentPrefix` and a standardized path (as defined in [ICS 24](../ics-024-host-requirements/README.md#path-space)). If the caller desires a particular delay period to be enforced, +then it can pass in a non-zero `delayPeriodTime` or `delayPeriodBlocks`. If a delay period is not necessary, the caller must pass in 0 for `delayPeriodTime` and `delayPeriodBlocks`, +and the client will not enforce any delay period for verification. + +Since the verification method is designed to give complete control to client implementations, clients can support chains that do not provide absence proofs by verifying the existence of a non-empty sentinel `ABSENCE` value. Thus in these special cases, the proof provided will be an ICS-23 Existence proof, and the client will verify that the `ABSENCE` value is stored under the given path for the given height. + +```typescript +type verifyNonMembership = ( + clientState: ClientState, + height: Height, + delayPeriodTime: uint64, + delayPeriodBlocks: uint64, + proof: CommitmentProof, + path: CommitmentPath) + => Error +``` + +### Query interface + +#### Chain queries + +These query endpoints are assumed to be exposed over HTTP or an equivalent RPC API by nodes of the chain associated with a particular client. + +`queryUpdate` MUST be defined by the chain which is validated by a particular client, and should allow for retrieval of clientMessage for a given height. This endpoint is assumed to be untrusted. + +```typescript +type queryUpdate = (height: Height) => ClientMessage +``` + +`queryChainConsensusState` MAY be defined by the chain which is validated by a particular client, to allow for the retrieval of the current consensus state which can be used to construct a new client. +When used in this fashion, the returned `ConsensusState` MUST be manually confirmed by the querying entity, since it is subjective. This endpoint is assumed to be untrusted. The precise nature of the +`ConsensusState` may vary per client type. + +```typescript +type queryChainConsensusState = (height: Height) => ConsensusState +``` + +Note that retrieval of past consensus states by height (as opposed to just the current consensus state) is convenient but not required. + +`queryChainConsensusState` MAY also return other data necessary to create clients, such as the "unbonding period" for certain proof-of-stake security models. This data MUST also be verified by the querying entity. + +#### On-chain state queries + +This specification defines a single function to query the state of a client by-identifier. + +```typescript +function queryClientState(identifier: Identifier): ClientState { + return provableStore.get(clientStatePath(identifier)) +} +``` + +The `ClientState` type SHOULD expose its latest verified height (from which the consensus state can then be retrieved using `queryConsensusState` if desired). + +```typescript +type latestHeight = (state: ClientState) => Height +``` + +Client types SHOULD define the following standardised query functions in order to allow relayers & other off-chain entities to interface with on-chain state in a standard API. + +`queryConsensusState` allows stored consensus states to be retrieved by height. + +```typescript +type queryConsensusState = ( + identifier: Identifier, + height: Height, +) => ConsensusState +``` + +#### Proof construction + +Each client type SHOULD define functions to allow relayers to construct the proofs required by the client's state verification algorithms. These may take different forms depending on the client type. +For example, Tendermint client proofs may be returned along with key-value data from store queries, and solo client proofs may need to be constructed interactively on the solo state machine in question (since the user will need to sign the message). +These functions may constitute external queries over RPC to a full node as well as local computation or verification. + +```typescript +type queryAndProveClientConsensusState = ( + clientIdentifier: Identifier, + height: Height, + prefix: CommitmentPrefix, + consensusStateHeight: Height) => ConsensusState, Proof + +type queryAndProveConnectionState = ( + connectionIdentifier: Identifier, + height: Height, + prefix: CommitmentPrefix) => ConnectionEnd, Proof + +type queryAndProveChannelState = ( + portIdentifier: Identifier, + channelIdentifier: Identifier, + height: Height, + prefix: CommitmentPrefix) => ChannelEnd, Proof + +type queryAndProvePacketData = ( + portIdentifier: Identifier, + channelIdentifier: Identifier, + height: Height, + prefix: CommitmentPrefix, + sequence: uint64) => []byte, Proof + +type queryAndProvePacketAcknowledgement = ( + portIdentifier: Identifier, + channelIdentifier: Identifier, + height: Height, + prefix: CommitmentPrefix, + sequence: uint64) => []byte, Proof + +type queryAndProvePacketAcknowledgementAbsence = ( + portIdentifier: Identifier, + channelIdentifier: Identifier, + height: Height, + prefix: CommitmentPrefix, + sequence: uint64) => Proof + +type queryAndProveNextSequenceRecv = ( + portIdentifier: Identifier, + channelIdentifier: Identifier, + height: Height, + prefix: CommitmentPrefix) => uint64, Proof +``` + +#### Implementation strategies + +##### Loopback + +A loopback client of a local state machine merely reads from the local state, to which it must have access. + +##### Simple signatures + +A client of a solo state machine with a known public key checks signatures on messages sent by that local state machine, +which are provided as the `Proof` parameter. The `height` parameter can be used as a replay protection nonce. + +Multi-signature or threshold signature schemes can also be used in such a fashion. + +##### Proxy clients + +Proxy clients verify another (proxy) state machine's verification of the target state machine, by including in the +proof first a proof of the client state on the proxy state machine, and then a secondary proof of the sub-state of +the target state machine with respect to the client state on the proxy state machine. This allows the proxy client to +avoid storing and tracking the consensus state of the target state machine itself, at the cost of adding +security assumptions of proxy state machine correctness. + +##### Merklized state trees + +For clients of state machines with Merklized state trees, these functions can be implemented by calling the [ICS-23](../ics-023-vector-commitments/README.md) `verifyMembership` or `verifyNonMembership` methods, using a verified Merkle +root stored in the `ClientState`, to verify presence or absence of particular key/value pairs in state at particular heights in accordance with [ICS 23](../ics-023-vector-commitments). + +```typescript +type verifyMembership = (ClientState, Height, CommitmentProof, Path, Value) => boolean +``` + +```typescript +type verifyNonMembership = (ClientState, Height, CommitmentProof, Path) => boolean +``` + +### Sub-protocols + +IBC handlers MUST implement the functions defined below. + +#### Identifier validation + +Clients are stored under a unique `Identifier` prefix. +This ICS does not require that client identifiers be generated in a particular manner, only that they be unique. +However, it is possible to restrict the space of `Identifier`s if required. +The validation function `validateClientIdentifier` MAY be provided. + +```typescript +type validateClientIdentifier = (id: Identifier) => boolean +``` + +If not provided, the default `validateClientIdentifier` will always return `true`. + +##### Utilising past roots + +To avoid race conditions between client updates (which change the state root) and proof-carrying +transactions in handshakes or packet receipt, many IBC handler functions allow the caller to specify +a particular past root to reference, which is looked up by height. IBC handler functions which do this +must ensure that they also perform any requisite checks on the height passed in by the caller to ensure +logical correctness. + +#### Create + +Calling `createClient` with the client state and initial consensus state creates a new client. + +```typescript +function createClient(clientState: clientState, consensusState: ConsensusState) { + // implementations may define a identifier generation function + identifier = generateClientIdentifier() + abortTransactionUnless(provableStore.get(clientStatePath(identifier)) === null) + initialise(identifier, clientState, consensusState) +} +``` + +#### Query + +Client consensus state and client internal state can be queried by identifier, but +the specific paths which must be queried are defined by each client type. + +#### Update + +Updating a client is done by submitting a new `ClientMessage`. The `Identifier` is used to point to the +stored `ClientState` that the logic will update. When a new `ClientMessage` is verified with +the stored `ClientState`'s validity predicate and `ConsensusState`, the client MUST +update its internal state accordingly, possibly finalising commitment roots and +updating the signature authority logic in the stored consensus state. + +If a client can no longer be updated (if, for example, the trusting period has passed), +it will no longer be possible to send any packets over connections & channels associated +with that client, or timeout any packets in-flight (since the height & timestamp on the +destination chain can no longer be verified). Manual intervention must take place to +reset the client state or migrate the connections & channels to another client. This +cannot safely be done completely automatically, but chains implementing IBC could elect +to allow governance mechanisms to perform these actions +(perhaps even per-client/connection/channel in a multi-sig or contract). + +```typescript +function updateClient( + id: Identifier, + clientMessage: ClientMessage) { + // get clientState from store with id + clientState = provableStore.get(clientStatePath(id)) + abortTransactionUnless(clientState !== null) + + verifyClientMessage(clientMessage) + + foundMisbehaviour := clientState.CheckForMisbehaviour(clientMessage) + if foundMisbehaviour { + updateStateOnMisbehaviour(clientMessage) + // emit misbehaviour event + } + else { + updateState(clientMessage) // expects no-op on duplicate clientMessage + // emit update event + } +} +``` + +#### Misbehaviour + +A relayer may alert the client to the misbehaviour directly, possibly invalidating +previously valid state roots & preventing future updates. + +```typescript +function submitMisbehaviourToClient( + id: Identifier, + clientMessage: ClientMessage) { + clientState = provableStore.get(clientStatePath(id)) + abortTransactionUnless(clientState !== null) + // authenticate client message + verifyClientMessage(clientMessage) + // check that client message is valid instance of misbehaviour + abortTransactionUnless(clientState.checkForMisbehaviour(clientMessage)) + // update state based on misbehaviour + updateStateOnMisbehaviour(misbehaviour) +} +``` + +### Properties & Invariants + +- Client identifiers are immutable & first-come-first-serve. Clients cannot be deleted (allowing deletion would potentially allow future replay of past packets if identifiers were re-used). + +## Backwards Compatibility + +Not applicable. + +## Forwards Compatibility + +New client types can be added by IBC implementations at-will as long as they conform to this interface. + +## Example Implementations + +Please see the ibc-go implementations of light clients for examples of how to implement your own: . + +## History + +Mar 5, 2019 - Initial draft finished and submitted as a PR + +May 29, 2019 - Various revisions, notably multiple commitment-roots + +Aug 15, 2019 - Major rework for clarity around client interface + +Jan 13, 2020 - Revisions for client type separation & path alterations + +Jan 26, 2020 - Addition of query interface + +Jul 27, 2022 - Addition of `verifyClientState` function, and move `ClientState` to the `provableStore` + +August 4, 2022 - Changes to ClientState interface and associated handler to align with changes in 02-client-refactor ADR: + +## Copyright + +All content herein is licensed under [Apache 2.0](https://www.apache.org/licenses/LICENSE-2.0). diff --git a/spec/core/v2/ics-004-packet-semantics/README.md b/spec/core/v2/ics-004-packet-semantics/README.md new file mode 100644 index 000000000..acd6ad7b6 --- /dev/null +++ b/spec/core/v2/ics-004-packet-semantics/README.md @@ -0,0 +1,1544 @@ +--- +ics: 4 +title: Channel & Packet Semantics +stage: draft +category: IBC/TAO +kind: instantiation +requires: 2, 3, 5, 24 +version compatibility: ibc-go v7.0.0 +author: Christopher Goes +created: 2019-03-07 +modified: 2019-08-25 +--- + +## Synopsis + +The "channel" abstraction provides message delivery semantics to the interblockchain communication protocol, in three categories: ordering, exactly-once delivery, and module permissioning. A channel serves as a conduit for packets passing between a module on one chain and a module on another, ensuring that packets are executed only once, delivered in the order in which they were sent (if necessary), and delivered only to the corresponding module owning the other end of the channel on the destination chain. Each channel is associated with a particular connection, and a connection may have any number of associated channels, allowing the use of common identifiers and amortising the cost of header verification across all the channels utilising a connection & light client. + +Channels are payload-agnostic. The modules which send and receive IBC packets decide how to construct packet data and how to act upon the incoming packet data, and must utilise their own application logic to determine which state transactions to apply according to what data the packet contains. + +### Motivation + +The interblockchain communication protocol uses a cross-chain message passing model. IBC *packets* are relayed from one blockchain to the other by external relayer processes. Chain `A` and chain `B` confirm new blocks independently, and packets from one chain to the other may be delayed, censored, or re-ordered arbitrarily. Packets are visible to relayers and can be read from a blockchain by any relayer process and submitted to any other blockchain. + +The IBC protocol must provide ordering (for ordered channels) and exactly-once delivery guarantees to allow applications to reason about the combined state of connected modules on two chains. + +> **Example**: An application may wish to allow a single tokenized asset to be transferred between and held on multiple blockchains while preserving fungibility and conservation of supply. The application can mint asset vouchers on chain `B` when a particular IBC packet is committed to chain `B`, and require outgoing sends of that packet on chain `A` to escrow an equal amount of the asset on chain `A` until the vouchers are later redeemed back to chain `A` with an IBC packet in the reverse direction. This ordering guarantee along with correct application logic can ensure that total supply is preserved across both chains and that any vouchers minted on chain `B` can later be redeemed back to chain `A`. + +In order to provide the desired ordering, exactly-once delivery, and module permissioning semantics to the application layer, the interblockchain communication protocol must implement an abstraction to enforce these semantics — channels are this abstraction. + +### Definitions + +`ConsensusState` is as defined in [ICS 2](../ics-002-client-semantics). + +`Connection` is as defined in [ICS 3](../ics-003-connection-semantics). + +`Port` and `authenticateCapability` are as defined in [ICS 5](../ics-005-port-allocation). + +`hash` is a generic collision-resistant hash function, the specifics of which must be agreed on by the modules utilising the channel. `hash` can be defined differently by different chains. + +`Identifier`, `get`, `set`, `delete`, `getCurrentHeight`, and module-system related primitives are as defined in [ICS 24](../ics-024-host-requirements). + +See [upgrades spec](./UPGRADES.md) for definition of `pendingInflightPackets` and `restoreChannel`. + +A *channel* is a pipeline for exactly-once packet delivery between specific modules on separate blockchains, which has at least one end capable of sending packets and one end capable of receiving packets. + +A *bidirectional* channel is a channel where packets can flow in both directions: from `A` to `B` and from `B` to `A`. + +A *unidirectional* channel is a channel where packets can only flow in one direction: from `A` to `B` (or from `B` to `A`, the order of naming is arbitrary). + +An *ordered* channel is a channel where packets are delivered exactly in the order which they were sent. This channel type offers a very strict guarantee of ordering. Either, the packets are received in the order they were sent, or if a packet in the sequence times out; then all future packets are also not receivable and the channel closes. + +An *ordered_allow_timeout* channel is a less strict version of the *ordered* channel. Here, the channel logic will take a *best effort* approach to delivering the packets in order. In a stream of packets, the channel will relay all packets in order and if a packet in the stream times out, the timeout logic for that packet will execute and the rest of the later packets will continue processing in order. Thus, we **do not close** the channel on a timeout with this channel type. + +An *unordered* channel is a channel where packets can be delivered in any order, which may differ from the order in which they were sent. + +```typescript +enum ChannelOrder { + ORDERED, + UNORDERED, + ORDERED_ALLOW_TIMEOUT, +} +``` + +Directionality and ordering are independent, so one can speak of a bidirectional unordered channel, a unidirectional ordered channel, etc. + +All channels provide exactly-once packet delivery, meaning that a packet sent on one end of a channel is delivered no more and no less than once, eventually, to the other end. + +This specification only concerns itself with *bidirectional* channels. *Unidirectional* channels can use almost exactly the same protocol and will be outlined in a future ICS. + +An end of a channel is a data structure on one chain storing channel metadata: + +```typescript +interface ChannelEnd { + state: ChannelState + ordering: ChannelOrder + counterpartyPortIdentifier: Identifier + counterpartyChannelIdentifier: Identifier + connectionHops: [Identifier] + version: string + upgradeSequence: uint64 +} +``` + +- The `state` is the current state of the channel end. +- The `ordering` field indicates whether the channel is `unordered`, `ordered`, or `ordered_allow_timeout`. +- The `counterpartyPortIdentifier` identifies the port on the counterparty chain which owns the other end of the channel. +- The `counterpartyChannelIdentifier` identifies the channel end on the counterparty chain. +- The `nextSequenceSend`, stored separately, tracks the sequence number for the next packet to be sent. +- The `nextSequenceRecv`, stored separately, tracks the sequence number for the next packet to be received. +- The `nextSequenceAck`, stored separately, tracks the sequence number for the next packet to be acknowledged. +- The `connectionHops` stores the list of connection identifiers ordered starting from the receiving end towards the sender. `connectionHops[0]` is the connection end on the receiving chain. More than one connection hop indicates a multi-hop channel. +- The `version` string stores an opaque channel version, which is agreed upon during the handshake. This can determine module-level configuration such as which packet encoding is used for the channel. This version is not used by the core IBC protocol. If the version string contains structured metadata for the application to parse and interpret, then it is considered best practice to encode all metadata in a JSON struct and include the marshalled string in the version field. + +See the [upgrade spec](./UPGRADES.md) for details on `upgradeSequence`. + +Channel ends have a *state*: + +```typescript +enum ChannelState { + INIT, + TRYOPEN, + OPEN, + CLOSED, + FLUSHING, + FLUSHINGCOMPLETE, +} +``` + +- A channel end in `INIT` state has just started the opening handshake. +- A channel end in `TRYOPEN` state has acknowledged the handshake step on the counterparty chain. +- A channel end in `OPEN` state has completed the handshake and is ready to send and receive packets. +- A channel end in `CLOSED` state has been closed and can no longer be used to send or receive packets. + +See the [upgrade spec](./UPGRADES.md) for details on `FLUSHING` and `FLUSHCOMPLETE`. + +A `Packet`, in the interblockchain communication protocol, is a particular interface defined as follows: + +```typescript +interface Packet { + sequence: uint64 + timeoutHeight: Height + timeoutTimestamp: uint64 + sourcePort: Identifier + sourceChannel: Identifier + destPort: Identifier + destChannel: Identifier + data: bytes +} +``` + +- The `sequence` number corresponds to the order of sends and receives, where a packet with an earlier sequence number must be sent and received before a packet with a later sequence number. +- The `timeoutHeight` indicates a consensus height on the destination chain after which the packet will no longer be processed, and will instead count as having timed-out. +- The `timeoutTimestamp` indicates a timestamp on the destination chain after which the packet will no longer be processed, and will instead count as having timed-out. +- The `sourcePort` identifies the port on the sending chain. +- The `sourceChannel` identifies the channel end on the sending chain. +- The `destPort` identifies the port on the receiving chain. +- The `destChannel` identifies the channel end on the receiving chain. +- The `data` is an opaque value which can be defined by the application logic of the associated modules. + +Note that a `Packet` is never directly serialised. Rather it is an intermediary structure used in certain function calls that may need to be created or processed by modules calling the IBC handler. + +An `OpaquePacket` is a packet, but cloaked in an obscuring data type by the host state machine, such that a module cannot act upon it other than to pass it to the IBC handler. The IBC handler can cast a `Packet` to an `OpaquePacket` and vice versa. + +```typescript +type OpaquePacket = object +``` + +In order to enable new channel types (e.g. ORDERED_ALLOW_TIMEOUT), the protocol introduces standardized packet receipts that will serve as sentinel values for the receiving chain to explicitly write to its store the outcome of a `recvPacket`. + +```typescript +enum PacketReceipt { + SUCCESSFUL_RECEIPT, + TIMEOUT_RECEIPT, +} +``` + +### Desired Properties + +#### Efficiency + +- The speed of packet transmission and confirmation should be limited only by the speed of the underlying chains. + Proofs should be batchable where possible. + +#### Exactly-once delivery + +- IBC packets sent on one end of a channel should be delivered exactly once to the other end. +- No network synchrony assumptions should be required for exactly-once safety. + If one or both of the chains halt, packets may be delivered no more than once, and once the chains resume packets should be able to flow again. + +#### Ordering + +- On *ordered* channels, packets should be sent and received in the same order: if packet *x* is sent before packet *y* by a channel end on chain `A`, packet *x* must be received before packet *y* by the corresponding channel end on chain `B`. If packet *x* is sent before packet *y* by a channel and packet *x* is timed out; then packet *y* and any packet sent after *x* cannot be received. +- On *ordered_allow_timeout* channels, packets should be sent and received in the same order: if packet *x* is sent before packet *y* by a channel end on chain `A`, packet *x* must be received **or** timed out before packet *y* by the corresponding channel end on chain `B`. +- On *unordered* channels, packets may be sent and received in any order. Unordered packets, like ordered packets, have individual timeouts specified in terms of the destination chain's height. + +#### Permissioning + +- Channels should be permissioned to one module on each end, determined during the handshake and immutable afterwards (higher-level logic could tokenize channel ownership by tokenising ownership of the port). + Only the module associated with a channel end should be able to send or receive on it. + +## Technical Specification + +### Dataflow visualisation + +The architecture of clients, connections, channels and packets: + +![Dataflow Visualisation](dataflow.png) + +### Preliminaries + +#### Store paths + +Channel structures are stored under a store path prefix unique to a combination of a port identifier and channel identifier: + +```typescript +function channelPath(portIdentifier: Identifier, channelIdentifier: Identifier): Path { + return "channelEnds/ports/{portIdentifier}/channels/{channelIdentifier}" +} +``` + +The capability key associated with a channel is stored under the `channelCapabilityPath`: + +```typescript +function channelCapabilityPath(portIdentifier: Identifier, channelIdentifier: Identifier): Path { + return "{channelPath(portIdentifier, channelIdentifier)}/key" +} +``` + +The `nextSequenceSend`, `nextSequenceRecv`, and `nextSequenceAck` unsigned integer counters are stored separately so they can be proved individually: + +```typescript +function nextSequenceSendPath(portIdentifier: Identifier, channelIdentifier: Identifier): Path { + return "nextSequenceSend/ports/{portIdentifier}/channels/{channelIdentifier}" +} + +function nextSequenceRecvPath(portIdentifier: Identifier, channelIdentifier: Identifier): Path { + return "nextSequenceRecv/ports/{portIdentifier}/channels/{channelIdentifier}" +} + +function nextSequenceAckPath(portIdentifier: Identifier, channelIdentifier: Identifier): Path { + return "nextSequenceAck/ports/{portIdentifier}/channels/{channelIdentifier}" +} +``` + +Constant-size commitments to packet data fields are stored under the packet sequence number: + +```typescript +function packetCommitmentPath(portIdentifier: Identifier, channelIdentifier: Identifier, sequence: uint64): Path { + return "commitments/ports/{portIdentifier}/channels/{channelIdentifier}/sequences/{sequence}" +} +``` + +Absence of the path in the store is equivalent to a zero-bit. + +Packet receipt data are stored under the `packetReceiptPath`. In the case of a successful receive, the destination chain writes a sentinel success value of `SUCCESSFUL_RECEIPT`. +Some channel types MAY write a sentinel timeout value `TIMEOUT_RECEIPT` if the packet is received after the specified timeout. + +```typescript +function packetReceiptPath(portIdentifier: Identifier, channelIdentifier: Identifier, sequence: uint64): Path { + return "receipts/ports/{portIdentifier}/channels/{channelIdentifier}/sequences/{sequence}" +} +``` + +Packet acknowledgement data are stored under the `packetAcknowledgementPath`: + +```typescript +function packetAcknowledgementPath(portIdentifier: Identifier, channelIdentifier: Identifier, sequence: uint64): Path { + return "acks/ports/{portIdentifier}/channels/{channelIdentifier}/sequences/{sequence}" +} +``` + +### Versioning + +During the handshake process, two ends of a channel come to agreement on a version bytestring associated +with that channel. The contents of this version bytestring are and will remain opaque to the IBC core protocol. +Host state machines MAY utilise the version data to indicate supported IBC/APP protocols, agree on packet +encoding formats, or negotiate other channel-related metadata related to custom logic on top of IBC. + +Host state machines MAY also safely ignore the version data or specify an empty string. + +### Sub-protocols + +> Note: If the host state machine is utilising object capability authentication (see [ICS 005](../ics-005-port-allocation)), all functions utilising ports take an additional capability parameter. + +#### Identifier validation + +Channels are stored under a unique `(portIdentifier, channelIdentifier)` prefix. +The validation function `validatePortIdentifier` MAY be provided. + +```typescript +type validateChannelIdentifier = (portIdentifier: Identifier, channelIdentifier: Identifier) => boolean +``` + +If not provided, the default `validateChannelIdentifier` function will always return `true`. + +#### Channel lifecycle management + +![Channel State Machine](channel-state-machine.png) + +| Initiator | Datagram | Chain acted upon | Prior state (A, B) | Posterior state (A, B) | +| --------- | ---------------- | ---------------- | ------------------ | ---------------------- | +| Actor | ChanOpenInit | A | (none, none) | (INIT, none) | +| Relayer | ChanOpenTry | B | (INIT, none) | (INIT, TRYOPEN) | +| Relayer | ChanOpenAck | A | (INIT, TRYOPEN) | (OPEN, TRYOPEN) | +| Relayer | ChanOpenConfirm | B | (OPEN, TRYOPEN) | (OPEN, OPEN) | + +| Initiator | Datagram | Chain acted upon | Prior state (A, B) | Posterior state (A, B) | +| --------- | ---------------- | ---------------- | ------------------ | ---------------------- | +| Actor | ChanCloseInit | A | (OPEN, OPEN) | (CLOSED, OPEN) | +| Relayer | ChanCloseConfirm | B | (CLOSED, OPEN) | (CLOSED, CLOSED) | +| Actor | ChanCloseFrozen | A or B | (OPEN, OPEN) | (CLOSED, CLOSED) | + +##### Opening handshake + +The `chanOpenInit` function is called by a module to initiate a channel opening handshake with a module on another chain. Functions `chanOpenInit` and `chanOpenTry` do no set the new channel end in state because the channel version might be modified by the application callback. A function `writeChannel` should be used to write the channel end in state after executing the application callback: + +```typescript +function writeChannel( + portIdentifier: Identifier, + channelIdentifier: Identifier, + state: ChannelState, + order: ChannelOrder, + counterpartyPortIdentifier: Identifier, + counterpartyChannelIdentifier: Identifier, + connectionHops: [Identifier], + version: string) { + channel = ChannelEnd{ + state, order, + counterpartyPortIdentifier, counterpartyChannelIdentifier, + connectionHops, version + } + provableStore.set(channelPath(portIdentifier, channelIdentifier), channel) +} +``` + +See handler functions `handleChanOpenInit` and `handleChanOpenTry` in [Channel lifecycle management](../ics-026-routing-module/README.md#channel-lifecycle-management) for more details. + +The opening channel must provide the identifiers of the local channel identifier, local port, remote port, and remote channel identifier. + +When the opening handshake is complete, the module which initiates the handshake will own the end of the created channel on the host ledger, and the counterparty module which +it specifies will own the other end of the created channel on the counterparty chain. Once a channel is created, ownership cannot be changed (although higher-level abstractions +could be implemented to provide this). + +Chains MUST implement a function `generateIdentifier` which chooses an identifier, e.g. by incrementing a counter: + +```typescript +type generateIdentifier = () -> Identifier +``` + +```typescript +function chanOpenInit( + order: ChannelOrder, + connectionHops: [Identifier], + portIdentifier: Identifier, + counterpartyPortIdentifier: Identifier): (channelIdentifier: Identifier, channelCapability: CapabilityKey) { + channelIdentifier = generateIdentifier() + abortTransactionUnless(validateChannelIdentifier(portIdentifier, channelIdentifier)) + + abortTransactionUnless(provableStore.get(channelPath(portIdentifier, channelIdentifier)) === null) + connection = provableStore.get(connectionPath(connectionHops[0])) + + // optimistic channel handshakes are allowed + abortTransactionUnless(connection !== null) + abortTransactionUnless(authenticateCapability(portPath(portIdentifier), portCapability)) + + channelCapability = newCapability(channelCapabilityPath(portIdentifier, channelIdentifier)) + provableStore.set(nextSequenceSendPath(portIdentifier, channelIdentifier), 1) + provableStore.set(nextSequenceRecvPath(portIdentifier, channelIdentifier), 1) + provableStore.set(nextSequenceAckPath(portIdentifier, channelIdentifier), 1) + + return channelIdentifier, channelCapability +} +``` + +The `chanOpenTry` function is called by a module to accept the first step of a channel opening handshake initiated by a module on another chain. + +```typescript +function chanOpenTry( + order: ChannelOrder, + connectionHops: [Identifier], + portIdentifier: Identifier, + counterpartyPortIdentifier: Identifier, + counterpartyChannelIdentifier: Identifier, + counterpartyVersion: string, + proofInit: CommitmentProof | MultihopProof, + proofHeight: Height): (channelIdentifier: Identifier, channelCapability: CapabilityKey) { + channelIdentifier = generateIdentifier() + + abortTransactionUnless(validateChannelIdentifier(portIdentifier, channelIdentifier)) + abortTransactionUnless(authenticateCapability(portPath(portIdentifier), portCapability)) + + connection = provableStore.get(connectionPath(connectionHops[0])) + abortTransactionUnless(connection !== null) + abortTransactionUnless(connection.state === OPEN) + + // return hops from counterparty's view + counterpartyHops = getCounterPartyHops(proofInit, connection) + + expected = ChannelEnd{ + INIT, order, portIdentifier, + "", counterpartyHops, + counterpartyVersion + } + + if (connectionHops.length > 1) { + key = channelPath(counterparty.PortId, counterparty.ChannelId) + abortTransactionUnless(connection.verifyMultihopMembership( + connection, + proofHeight, + proofInit, + connectionHops, + key + expected)) + } else { + abortTransactionUnless(connection.verifyChannelState( + proofHeight, + proofInit, + counterpartyPortIdentifier, + counterpartyChannelIdentifier, + expected + )) + } + + channelCapability = newCapability(channelCapabilityPath(portIdentifier, channelIdentifier)) + + // initialize channel sequences + provableStore.set(nextSequenceSendPath(portIdentifier, channelIdentifier), 1) + provableStore.set(nextSequenceRecvPath(portIdentifier, channelIdentifier), 1) + provableStore.set(nextSequenceAckPath(portIdentifier, channelIdentifier), 1) + + return channelIdentifier, channelCapability +} +``` + +The `chanOpenAck` is called by the handshake-originating module to acknowledge the acceptance of the initial request by the +counterparty module on the other chain. + +```typescript +function chanOpenAck( + portIdentifier: Identifier, + channelIdentifier: Identifier, + counterpartyChannelIdentifier: Identifier, + counterpartyVersion: string, + proofTry: CommitmentProof | MultihopProof, + proofHeight: Height) { + channel = provableStore.get(channelPath(portIdentifier, channelIdentifier)) + abortTransactionUnless(channel.state === INIT) + abortTransactionUnless(authenticateCapability(channelCapabilityPath(portIdentifier, channelIdentifier), capability)) + + connection = provableStore.get(connectionPath(channel.connectionHops[0])) + abortTransactionUnless(connection !== null) + abortTransactionUnless(connection.state === OPEN) + + // return hops from counterparty's view + counterpartyHops = getCounterPartyHops(proofTry, connection) + + expected = ChannelEnd{TRYOPEN, channel.order, portIdentifier, + channelIdentifier, counterpartyHops, counterpartyVersion} + + if (channel.connectionHops.length > 1) { + key = channelPath(counterparty.PortId, counterparty.ChannelId) + abortTransactionUnless(connection.verifyMultihopMembership( + connection, + proofHeight, + proofTry, + channel.connectionHops, + key, + expected)) + } else { + abortTransactionUnless(connection.verifyChannelState( + proofHeight, + proofTry, + channel.counterpartyPortIdentifier, + counterpartyChannelIdentifier, + expected + )) + } + // write will happen in the handler defined in the ICS26 spec +} +``` + +The `chanOpenConfirm` function is called by the handshake-accepting module to acknowledge the acknowledgement +of the handshake-originating module on the other chain and finish the channel opening handshake. + +```typescript +function chanOpenConfirm( + portIdentifier: Identifier, + channelIdentifier: Identifier, + proofAck: CommitmentProof | MultihopProof, + proofHeight: Height) { + channel = provableStore.get(channelPath(portIdentifier, channelIdentifier)) + abortTransactionUnless(channel !== null) + abortTransactionUnless(channel.state === TRYOPEN) + abortTransactionUnless(authenticateCapability(channelCapabilityPath(portIdentifier, channelIdentifier), capability)) + + connection = provableStore.get(connectionPath(channel.connectionHops[0])) + abortTransactionUnless(connection !== null) + abortTransactionUnless(connection.state === OPEN) + + // return hops from counterparty's view + counterpartyHops = getCounterPartyHops(proofAck, connection) + + expected = ChannelEnd{OPEN, channel.order, portIdentifier, + channelIdentifier, counterpartyHops, channel.version} + + if (connectionHops.length > 1) { + key = channelPath(counterparty.PortId, counterparty.ChannelId) + abortTransactionUnless(connection.verifyMultihopMembership( + connection, + proofHeight, + proofAck, + channel.connectionHops, + key + expected)) + } else { + abortTransactionUnless(connection.verifyChannelState( + proofHeight, + proofAck, + channel.counterpartyPortIdentifier, + channel.counterpartyChannelIdentifier, + expected + )) + } + + // write will happen in the handler defined in the ICS26 spec +} +``` + +##### Closing handshake + +The `chanCloseInit` function is called by either module to close their end of the channel. Once closed, channels cannot be reopened. + +Calling modules MAY atomically execute appropriate application logic in conjunction with calling `chanCloseInit`. + +Any in-flight packets can be timed-out as soon as a channel is closed. + +```typescript +function chanCloseInit( + portIdentifier: Identifier, + channelIdentifier: Identifier) { + abortTransactionUnless(authenticateCapability(channelCapabilityPath(portIdentifier, channelIdentifier), capability)) + channel = provableStore.get(channelPath(portIdentifier, channelIdentifier)) + abortTransactionUnless(channel !== null) + abortTransactionUnless(channel.state !== CLOSED) + connection = provableStore.get(connectionPath(channel.connectionHops[0])) + abortTransactionUnless(connection !== null) + abortTransactionUnless(connection.state === OPEN) + channel.state = CLOSED + provableStore.set(channelPath(portIdentifier, channelIdentifier), channel) +} +``` + +The `chanCloseConfirm` function is called by the counterparty module to close their end of the channel, +since the other end has been closed. + +Calling modules MAY atomically execute appropriate application logic in conjunction with calling `chanCloseConfirm`. + +Once closed, channels cannot be reopened and identifiers cannot be reused. Identifier reuse is prevented because +we want to prevent potential replay of previously sent packets. The replay problem is analogous to using sequence +numbers with signed messages, except where the light client algorithm "signs" the messages (IBC packets), and the replay +prevention sequence is the combination of port identifier, channel identifier, and packet sequence - hence we cannot +allow the same port identifier & channel identifier to be reused again with a sequence reset to zero, since this +might allow packets to be replayed. It would be possible to safely reuse identifiers if timeouts of a particular +maximum height/time were mandated & tracked, and future specification versions may incorporate this feature. + +```typescript +function chanCloseConfirm( + portIdentifier: Identifier, + channelIdentifier: Identifier, + proofInit: CommitmentProof | MultihopProof, + proofHeight: Height) { + abortTransactionUnless(authenticateCapability(channelCapabilityPath(portIdentifier, channelIdentifier), capability)) + channel = provableStore.get(channelPath(portIdentifier, channelIdentifier)) + abortTransactionUnless(channel !== null) + abortTransactionUnless(channel.state !== CLOSED) + connection = provableStore.get(connectionPath(channel.connectionHops[0])) + abortTransactionUnless(connection !== null) + abortTransactionUnless(connection.state === OPEN) + + // return hops from counterparty's view + counterpartyHops = getCounterPartyHops(proofInit, connection) + + expected = ChannelEnd{CLOSED, channel.order, portIdentifier, + channelIdentifier, counterpartyHops, channel.version} + + if (connectionHops.length > 1) { + key = channelPath(counterparty.PortId, counterparty.ChannelId) + abortTransactionUnless(connection.verifyMultihopMembership( + connection, + proofHeight, + proofInit, + channel.connectionHops, + key + expected)) + } else { + abortTransactionUnless(connection.verifyChannelState( + proofHeight, + proofInit, + channel.counterpartyPortIdentifier, + channel.counterpartyChannelIdentifier, + expected + )) + } + + // write may happen asynchronously in the handler defined in the ICS26 spec + // if the channel is closing during an upgrade, + // then we can delete all auxiliary upgrade information + provableStore.delete(channelUpgradePath(portIdentifier, channelIdentifier)) + privateStore.delete(counterpartyUpgradePath(portIdentifier, channelIdentifier)) + + channel.state = CLOSED + provableStore.set(channelPath(portIdentifier, channelIdentifier), channel) +} +``` + +The `chanCloseFrozen` function is called by a relayer to force close a multi-hop channel if any client state in the +channel path is frozen. A relayer should send proof of the frozen client state to each end of the channel with a +proof of the frozen client state in the channel path starting from each channel end up until the first frozen client. +The multi-hop proof for each channel end will be different and consist of a proof formed starting from each channel +end up to the frozen client. + +The multi-hop proof starts with a chain with a frozen client for the misbehaving chain. However, the frozen client exists +on the next blockchain in the channel path so the key/value proof is indexed to evaluate on the consensus state holding +that client state. The client state path requires knowledge of the client id which can be determined from the +connectionEnd on the misbehaving chain prior to the misbehavior submission. + +Once frozen, it is possible for a channel to be unfrozen (reactivated) via governance processes once the misbehavior in +the channel path has been resolved. However, this process is out-of-protocol. + +Example: + +Given a multi-hop channel path over connections from chain `A` to chain `E` and misbehaving chain `C` + +`A <--> B <--x C x--> D <--> E` + +Assume any relayer submits evidence of misbehavior to chain `B` and chain `D` to freeze their respective clients for chain `C`. + +A relayer may then provide a multi-hop proof of the frozen client on chain `B` to chain `A` to close the channel on chain `A`, and another relayer (or the same one) may also relay a multi-hop proof of the frozen client on chain `D` to chain `E` to close the channel end on chain `E`. + +However, it must also be proven that the frozen client state corresponds to a specific hop in the channel path. + +Therefore, a proof of the connection end on chain `B` with counterparty connection end on chain `C` must also be provided along with the client state proof to prove that the `clientID` for the client state matches the `clientID` in the connection end. Furthermore, the `connectionID` for the connection end MUST match the expected ID from the channel's `connectionHops` field. + +```typescript +function chanCloseFrozen( + portIdentifier: Identifier, + channelIdentifier: Identifier, + proofConnection: MultihopProof, + proofClientState: MultihopProof, + proofHeight: Height) { + abortTransactionUnless(authenticateCapability(channelCapabilityPath(portIdentifier, channelIdentifier), capability)) + channel = provableStore.get(channelPath(portIdentifier, channelIdentifier)) + abortTransactionUnless(channel !== null) + hopsLength = channel.connectionHops.length + abortTransactionUnless(hopsLength === 1) + abortTransactionUnless(channel.state !== CLOSED) + connection = provableStore.get(connectionPath(channel.connectionHops[0])) + abortTransactionUnless(connection !== null) + abortTransactionUnless(connection.state === OPEN) + + // lookup connectionID for connectionEnd corresponding to misbehaving chain + let connectionIdx = proofConnection.ConnectionProofs.length + 1 + abortTransactionUnless(connectionIdx < hopsLength) + let connectionID = channel.ConnectionHops[connectionIdx] + let connectionProofKey = connectionPath(connectionID) + let connectionProofValue = proofConnection.KeyProof.Value + let frozenConnectionEnd = abortTransactionUnless(Unmarshal(connectionProofValue)) + + // the clientID in the connection end must match the clientID for the frozen client state + let clientID = frozenConnectionEnd.ClientId + + // truncated connectionHops. e.g. client D on chain C is frozen: A, B, C, D, E -> A, B, C + let connectionHops = channel.ConnectionHops[:len(mProof.ConnectionProofs)+1] + + // verify the connection proof + abortTransactionUnless(connection.verifyMultihopMembership( + connection, + proofHeight, + proofConnection, + connectionHops, + connectionProofKey, + connectionProofValue)) + + + // key and value for the frozen client state + let clientStateKey = clientStatePath(clientID) + let clientStateValue = proofClientState.KeyProof.Value + let frozenClientState = abortTransactionUnless(Unmarshal(clientStateValue)) + + // ensure client state is frozen by checking FrozenHeight + abortTransactionUnless(frozenClientState.FrozenHeight.RevisionHeight !== 0) + + // verify the frozen client state proof + abortTransactionUnless(connection.verifyMultihopMembership( + connection, + proofHeight, + proofConnection, + connectionHops, + clientStateKey, + clientStateValue)) + + channel.state = FROZEN + provableStore.set(channelPath(portIdentifier, channelIdentifier), channel) +} +``` + +##### Multihop utility functions + +```typescript +// Return the counterparty connectionHops +function getCounterPartyHops(proof: CommitmentProof | MultihopProof, lastConnection: ConnectionEnd) string[] { + + let counterpartyHops: string[] = [lastConnection.counterpartyConnectionIdentifier] + if typeof(proof) === 'MultihopProof' { + for connData in proofs.ConnectionProofs { + connectionEnd = abortTransactionUnless(Unmarshal(connData.Value)) + counterpartyHops.push(connectionEnd.GetCounterparty().GetConnectionID()) + } + + // reverse the hops so they are ordered from sender --> receiver + counterpartyHops = counterpartyHops.reverse() + } + + return counterpartyHops +} +``` + +#### Packet flow & handling + +![Packet State Machine](packet-state-machine.png) + +##### A day in the life of a packet + +The following sequence of steps must occur for a packet to be sent from module *1* on machine *A* to module *2* on machine *B*, starting from scratch. + +The module can interface with the IBC handler through [ICS 25](../ics-025-handler-interface) or [ICS 26](../ics-026-routing-module). + +1. Initial client & port setup, in any order + 1. Client created on *A* for *B* (see [ICS 2](../ics-002-client-semantics)) + 1. Client created on *B* for *A* (see [ICS 2](../ics-002-client-semantics)) + 1. Module *1* binds to a port (see [ICS 5](../ics-005-port-allocation)) + 1. Module *2* binds to a port (see [ICS 5](../ics-005-port-allocation)), which is communicated out-of-band to module *1* +1. Establishment of a connection & channel, optimistic send, in order + 1. Connection opening handshake started from *A* to *B* by module *1* (see [ICS 3](../ics-003-connection-semantics)) + 1. Channel opening handshake started from *1* to *2* using the newly created connection (this ICS) + 1. Packet sent over the newly created channel from *1* to *2* (this ICS) +1. Successful completion of handshakes (if either handshake fails, the connection/channel can be closed & the packet timed-out) + 1. Connection opening handshake completes successfully (see [ICS 3](../ics-003-connection-semantics)) (this will require participation of a relayer process) + 1. Channel opening handshake completes successfully (this ICS) (this will require participation of a relayer process) +1. Packet confirmation on machine *B*, module *2* (or packet timeout if the timeout height has passed) (this will require participation of a relayer process) +1. Acknowledgement (possibly) relayed back from module *2* on machine *B* to module *1* on machine *A* + +Represented spatially, packet transit between two machines can be rendered as follows: + +![Packet Transit](packet-transit.png) + +##### Sending packets + +The `sendPacket` function is called by a module in order to send *data* (in the form of an IBC packet) on a channel end owned by the calling module. + +Calling modules MUST execute application logic atomically in conjunction with calling `sendPacket`. + +The IBC handler performs the following steps in order: + +- Checks that the channel is not closed to send packets +- Checks that the calling module owns the sending port (see [ICS 5](../ics-005-port-allocation)) +- Checks that the timeout height specified has not already passed on the destination chain +- Increments the send sequence counter associated with the channel +- Stores a constant-size commitment to the packet data & packet timeout +- Returns the sequence number of the sent packet + +Note that the full packet is not stored in the state of the chain - merely a short hash-commitment to the data & timeout value. The packet data can be calculated from the transaction execution and possibly returned as log output which relayers can index. + +```typescript +function sendPacket( + capability: CapabilityKey, + sourcePort: Identifier, + sourceChannel: Identifier, + timeoutHeight: Height, + timeoutTimestamp: uint64, + data: bytes): uint64 { + channel = provableStore.get(channelPath(sourcePort, sourceChannel)) + + // check that the channel must be OPEN to send packets; + abortTransactionUnless(channel !== null) + abortTransactionUnless(channel.state === OPEN) + connection = provableStore.get(connectionPath(channel.connectionHops[0])) + abortTransactionUnless(connection !== null) + + // check if the calling module owns the sending port + abortTransactionUnless(authenticateCapability(channelCapabilityPath(sourcePort, sourceChannel), capability)) + + // disallow packets with a zero timeoutHeight and timeoutTimestamp + abortTransactionUnless(timeoutHeight !== 0 || timeoutTimestamp !== 0) + + // check that the timeout height hasn't already passed in the local client tracking the receiving chain + latestClientHeight = provableStore.get(clientPath(connection.clientIdentifier)).latestClientHeight() + abortTransactionUnless(timeoutHeight === 0 || latestClientHeight < timeoutHeight) + + // increment the send sequence counter + sequence = provableStore.get(nextSequenceSendPath(sourcePort, sourceChannel)) + provableStore.set(nextSequenceSendPath(sourcePort, sourceChannel), sequence+1) + + // store commitment to the packet data & packet timeout + provableStore.set( + packetCommitmentPath(sourcePort, sourceChannel, sequence), + hash(hash(data), timeoutHeight, timeoutTimestamp) + ) + + // log that a packet can be safely sent + emitLogEntry("sendPacket", { + sequence: sequence, + data: data, + timeoutHeight: timeoutHeight, + timeoutTimestamp: timeoutTimestamp + }) + + return sequence +} +``` + +#### Receiving packets + +The `recvPacket` function is called by a module in order to receive an IBC packet sent on the corresponding channel end on the counterparty chain. + +Atomically in conjunction with calling `recvPacket`, calling modules MUST either execute application logic or queue the packet for future execution. + +The IBC handler performs the following steps in order: + +- Checks that the channel & connection are open to receive packets +- Checks that the calling module owns the receiving port +- Checks that the packet metadata matches the channel & connection information +- Checks that the packet sequence is the next sequence the channel end expects to receive (for ordered and ordered_allow_timeout channels) +- Checks that the timeout height and timestamp have not yet passed +- Checks the inclusion proof of packet data commitment in the outgoing chain's state +- Optionally (in case channel upgrades and deletion of acknowledgements and packet receipts are implemented): reject any packet with a sequence already used before a successful channel upgrade +- Sets a store path to indicate that the packet has been received (unordered channels only) +- Increments the packet receive sequence associated with the channel end (ordered and ordered_allow_timeout channels only) + +We pass the address of the `relayer` that signed and submitted the packet to enable a module to optionally provide some rewards. This provides a foundation for fee payment, but can be used for other techniques as well (like calculating a leaderboard). + +```typescript +function recvPacket( + packet: OpaquePacket, + proof: CommitmentProof | MultihopProof, + proofHeight: Height, + relayer: string): Packet { + + channel = provableStore.get(channelPath(packet.destPort, packet.destChannel)) + abortTransactionUnless(channel !== null) + abortTransactionUnless(channel.state === OPEN || (channel.state === FLUSHING) || (channel.state === FLUSHCOMPLETE)) + counterpartyUpgrade = privateStore.get(counterpartyUpgradePath(packet.destPort, packet.destChannel)) + // defensive check that ensures chain does not process a packet higher than the last packet sent before + // counterparty went into FLUSHING mode. If the counterparty is implemented correctly, this should never abort + abortTransactionUnless(counterpartyUpgrade.nextSequenceSend == 0 || packet.sequence < counterpartyUpgrade.nextSequenceSend) + abortTransactionUnless(authenticateCapability(channelCapabilityPath(packet.destPort, packet.destChannel), capability)) + abortTransactionUnless(packet.sourcePort === channel.counterpartyPortIdentifier) + abortTransactionUnless(packet.sourceChannel === channel.counterpartyChannelIdentifier) + + connection = provableStore.get(connectionPath(channel.connectionHops[0])) + abortTransactionUnless(connection !== null) + abortTransactionUnless(connection.state === OPEN) + + if (len(channel.connectionHops) > 1) { + key = packetCommitmentPath(packet.GetSourcePort(), packet.GetSourceChannel(), packet.GetSequence()) + abortTransactionUnless(connection.verifyMultihopMembership( + connection, + proofHeight, + proof, + channel.ConnectionHops, + key, + hash(packet.data, packet.timeoutHeight, packet.timeoutTimestamp) + )) + } else { + abortTransactionUnless(connection.verifyPacketData( + proofHeight, + proof, + packet.sourcePort, + packet.sourceChannel, + packet.sequence, + hash(packet.data, packet.timeoutHeight, packet.timeoutTimestamp) + )) + } + + // do sequence check before any state changes + if channel.order == ORDERED || channel.order == ORDERED_ALLOW_TIMEOUT { + nextSequenceRecv = provableStore.get(nextSequenceRecvPath(packet.destPort, packet.destChannel)) + if (packet.sequence < nextSequenceRecv) { + // event is emitted even if transaction is aborted + emitLogEntry("recvPacket", { + data: packet.data + timeoutHeight: packet.timeoutHeight, + timeoutTimestamp: packet.timeoutTimestamp, + sequence: packet.sequence, + sourcePort: packet.sourcePort, + sourceChannel: packet.sourceChannel, + destPort: packet.destPort, + destChannel: packet.destChannel, + order: channel.order, + connection: channel.connectionHops[0] + }) + } + + abortTransactionUnless(packet.sequence === nextSequenceRecv) + } + + switch channel.order { + case ORDERED: + case UNORDERED: + abortTransactionUnless(packet.timeoutHeight === 0 || getConsensusHeight() < packet.timeoutHeight) + abortTransactionUnless(packet.timeoutTimestamp === 0 || currentTimestamp() < packet.timeoutTimestamp) + break; + + case ORDERED_ALLOW_TIMEOUT: + // for ORDERED_ALLOW_TIMEOUT, we do not abort on timeout + // instead increment next sequence recv and write the sentinel timeout value in packet receipt + // then return + if (getConsensusHeight() >= packet.timeoutHeight && packet.timeoutHeight != 0) || (currentTimestamp() >= packet.timeoutTimestamp && packet.timeoutTimestamp != 0) { + nextSequenceRecv = nextSequenceRecv + 1 + provableStore.set(nextSequenceRecvPath(packet.destPort, packet.destChannel), nextSequenceRecv) + provableStore.set( + packetReceiptPath(packet.destPort, packet.destChannel, packet.sequence), + TIMEOUT_RECEIPT + ) + } + return; + + default: + // unsupported channel type + abortTransactionUnless(false) + } + + // REPLAY PROTECTION: in order to free storage, implementations may choose to + // delete acknowledgements and packet receipts when a channel upgrade is successfully + // completed. In that case, implementations must also make sure that any packet with + // a sequence already used before the channel upgrade is rejected. This is needed to + // prevent replay attacks (see this PR in ibc-go for an example of how this is achieved: + // https://github.com/cosmos/ibc-go/pull/5651). + + // all assertions passed (except sequence check), we can alter state + + switch channel.order { + case ORDERED: + case ORDERED_ALLOW_TIMEOUT: + nextSequenceRecv = nextSequenceRecv + 1 + provableStore.set(nextSequenceRecvPath(packet.destPort, packet.destChannel), nextSequenceRecv) + break; + + case UNORDERED: + // for unordered channels we must set the receipt so it can be verified on the other side + // this receipt does not contain any data, since the packet has not yet been processed + // it's the sentinel success receipt: []byte{0x01} + packetReceipt = provableStore.get(packetReceiptPath(packet.destPort, packet.destChannel, packet.sequence)) + if (packetReceipt != null) { + emitLogEntry("recvPacket", { + data: packet.data + timeoutHeight: packet.timeoutHeight, + timeoutTimestamp: packet.timeoutTimestamp, + sequence: packet.sequence, + sourcePort: packet.sourcePort, + sourceChannel: packet.sourceChannel, + destPort: packet.destPort, + destChannel: packet.destChannel, + order: channel.order, + connection: channel.connectionHops[0] + }) + } + + abortTransactionUnless(packetReceipt === null) + provableStore.set( + packetReceiptPath(packet.destPort, packet.destChannel, packet.sequence), + SUCCESSFUL_RECEIPT + ) + break; + } + + // log that a packet has been received + emitLogEntry("recvPacket", { + data: packet.data + timeoutHeight: packet.timeoutHeight, + timeoutTimestamp: packet.timeoutTimestamp, + sequence: packet.sequence, + sourcePort: packet.sourcePort, + sourceChannel: packet.sourceChannel, + destPort: packet.destPort, + destChannel: packet.destChannel, + order: channel.order, + connection: channel.connectionHops[0] + }) + + // return transparent packet + return packet +} +``` + +#### Writing acknowledgements + +The `writeAcknowledgement` function is called by a module in order to write data which resulted from processing an IBC packet that the sending chain can then verify, a sort of "execution receipt" or "RPC call response". + +Calling modules MUST execute application logic atomically in conjunction with calling `writeAcknowledgement`. + +This is an asynchronous acknowledgement, the contents of which do not need to be determined when the packet is received, only when processing is complete. In the synchronous case, `writeAcknowledgement` can be called in the same transaction (atomically) with `recvPacket`. + +Acknowledging packets is not required; however, if an ordered channel uses acknowledgements, either all or no packets must be acknowledged (since the acknowledgements are processed in order). Note that if packets are not acknowledged, packet commitments cannot be deleted on the source chain. Future versions of IBC may include ways for modules to specify whether or not they will be acknowledging packets in order to allow for cleanup. + +`writeAcknowledgement` *does not* check if the packet being acknowledged was actually received, because this would result in proofs being verified twice for acknowledged packets. This aspect of correctness is the responsibility of the calling module. +The calling module MUST only call `writeAcknowledgement` with a packet previously received from `recvPacket`. + +The IBC handler performs the following steps in order: + +- Checks that an acknowledgement for this packet has not yet been written +- Sets the opaque acknowledgement value at a store path unique to the packet + +```typescript +function writeAcknowledgement( + packet: Packet, + acknowledgement: bytes) { + // acknowledgement must not be empty + abortTransactionUnless(len(acknowledgement) !== 0) + + // cannot already have written the acknowledgement + abortTransactionUnless(provableStore.get(packetAcknowledgementPath(packet.destPort, packet.destChannel, packet.sequence) === null)) + + // write the acknowledgement + provableStore.set( + packetAcknowledgementPath(packet.destPort, packet.destChannel, packet.sequence), + hash(acknowledgement) + ) + + // log that a packet has been acknowledged + emitLogEntry("writeAcknowledgement", { + sequence: packet.sequence, + timeoutHeight: packet.timeoutHeight, + port: packet.destPort, + channel: packet.destChannel, + timeoutTimestamp: packet.timeoutTimestamp, + data: packet.data, + acknowledgement + }) +} +``` + +#### Processing acknowledgements + +The `acknowledgePacket` function is called by a module to process the acknowledgement of a packet previously sent by +the calling module on a channel to a counterparty module on the counterparty chain. +`acknowledgePacket` also cleans up the packet commitment, which is no longer necessary since the packet has been received and acted upon. + +Calling modules MAY atomically execute appropriate application acknowledgement-handling logic in conjunction with calling `acknowledgePacket`. + +We pass the `relayer` address just as in [Receiving packets](#receiving-packets) to allow for possible incentivization here as well. + +```typescript +function acknowledgePacket( + packet: OpaquePacket, + acknowledgement: bytes, + proof: CommitmentProof | MultihopProof, + proofHeight: Height, + relayer: string): Packet { + + // abort transaction unless that channel is open, calling module owns the associated port, and the packet fields match + channel = provableStore.get(channelPath(packet.sourcePort, packet.sourceChannel)) + abortTransactionUnless(channel !== null) + abortTransactionUnless(channel.state === OPEN || channel.state === FLUSHING) + abortTransactionUnless(authenticateCapability(channelCapabilityPath(packet.sourcePort, packet.sourceChannel), capability)) + abortTransactionUnless(packet.destPort === channel.counterpartyPortIdentifier) + abortTransactionUnless(packet.destChannel === channel.counterpartyChannelIdentifier) + + connection = provableStore.get(connectionPath(channel.connectionHops[0])) + abortTransactionUnless(connection !== null) + abortTransactionUnless(connection.state === OPEN) + + // verify we sent the packet and haven't cleared it out yet + abortTransactionUnless(provableStore.get(packetCommitmentPath(packet.sourcePort, packet.sourceChannel, packet.sequence)) + === hash(packet.data, packet.timeoutHeight, packet.timeoutTimestamp)) + + // abort transaction unless correct acknowledgement on counterparty chain + if (len(channel.connectionHops) > 1) { + key = packetAcknowledgementPath(packet.GetDestPort(), packet.GetDestChannel(), packet.GetSequence()) + abortTransactionUnless(connection.verifyMultihopMembership( + connection, + proofHeight, + proof, + channel.ConnectionHops, + key, + acknowledgement + )) + } else { + abortTransactionUnless(connection.verifyPacketAcknowledgement( + proofHeight, + proof, + packet.destPort, + packet.destChannel, + packet.sequence, + acknowledgement + )) + } + + // abort transaction unless acknowledgement is processed in order + if (channel.order === ORDERED || channel.order == ORDERED_ALLOW_TIMEOUT) { + nextSequenceAck = provableStore.get(nextSequenceAckPath(packet.sourcePort, packet.sourceChannel)) + abortTransactionUnless(packet.sequence === nextSequenceAck) + nextSequenceAck = nextSequenceAck + 1 + provableStore.set(nextSequenceAckPath(packet.sourcePort, packet.sourceChannel), nextSequenceAck) + } + + // all assertions passed, we can alter state + + // delete our commitment so we can't "acknowledge" again + provableStore.delete(packetCommitmentPath(packet.sourcePort, packet.sourceChannel, packet.sequence)) + + if channel.state == FLUSHING { + upgradeTimeout = privateStore.get(counterpartyUpgradeTimeout(portIdentifier, channelIdentifier)) + if upgradeTimeout != nil { + // counterparty-specified timeout must not have exceeded + // if it has, then restore the channel and abort upgrade handshake + if (upgradeTimeout.timeoutHeight != 0 && currentHeight() >= upgradeTimeout.timeoutHeight) || + (upgradeTimeout.timeoutTimestamp != 0 && currentTimestamp() >= upgradeTimeout.timeoutTimestamp ) { + restoreChannel(portIdentifier, channelIdentifier) + } else if pendingInflightPackets(portIdentifier, channelIdentifier) == nil { + // if this was the last in-flight packet, then move channel state to FLUSHCOMPLETE + channel.state = FLUSHCOMPLETE + publicStore.set(channelPath(portIdentifier, channelIdentifier), channel) + } + } + } + + // return transparent packet + return packet +} +``` + +##### Acknowledgement Envelope + +The acknowledgement returned from the remote chain is defined as arbitrary bytes in the IBC protocol. This data +may either encode a successful execution or a failure (anything besides a timeout). There is no generic way to +distinguish the two cases, which requires that any client-side packet visualiser understands every app-specific protocol +in order to distinguish the case of successful or failed relay. In order to reduce this issue, we offer an additional +specification for acknowledgement formats, which [SHOULD](https://www.ietf.org/rfc/rfc2119.txt) be used by the +app-specific protocols. + +```proto +message Acknowledgement { + oneof response { + bytes result = 21; + string error = 22; + } +} +``` + +If an application uses a different format for acknowledgement bytes, it MUST not deserialise to a valid protobuf message +of this format. Note that all packets contain exactly one non-empty field, and it must be result or error. The field +numbers 21 and 22 were explicitly chosen to avoid accidental conflicts with other protobuf message formats used +for acknowledgements. The first byte of any message with this format will be the non-ASCII values `0xaa` (result) +or `0xb2` (error). + +#### Timeouts + +Application semantics may require some timeout: an upper limit to how long the chain will wait for a transaction to be processed before considering it an error. Since the two chains have different local clocks, this is an obvious attack vector for a double spend - an attacker may delay the relay of the receipt or wait to send the packet until right after the timeout - so applications cannot safely implement naive timeout logic themselves. + +Note that in order to avoid any possible "double-spend" attacks, the timeout algorithm requires that the destination chain is running and reachable. One can prove nothing in a complete network partition, and must wait to connect; the timeout must be proven on the recipient chain, not simply the absence of a response on the sending chain. + +##### Sending end + +The `timeoutPacket` function is called by a module which originally attempted to send a packet to a counterparty module, +where the timeout height or timeout timestamp has passed on the counterparty chain without the packet being committed, to prove that the packet +can no longer be executed and to allow the calling module to safely perform appropriate state transitions. + +Calling modules MAY atomically execute appropriate application timeout-handling logic in conjunction with calling `timeoutPacket`. + +In the case of an ordered channel, `timeoutPacket` checks the `recvSequence` of the receiving channel end and closes the channel if a packet has timed out. + +In the case of an unordered channel, `timeoutPacket` checks the absence of the receipt key (which will have been written if the packet was received). Unordered channels are expected to continue in the face of timed-out packets. + +If relations are enforced between timeout heights of subsequent packets, safe bulk timeouts of all packets prior to a timed-out packet can be performed. This specification omits details for now. + +Since we allow optimistic sending of packets (i.e. sending a packet before a channel opens), we must also allow optimistic timing out of packets. With optimistic sends, the packet may be sent on a channel that eventually opens or a channel that will never open. If the channel does open after the packet has timed out, then the packet will never be received on the counterparty so we can safely timeout optimistically. If the channel never opens, then we MUST timeout optimistically so that any state changes made during the optimistic send by the application can be safely reverted. + +We pass the `relayer` address just as in [Receiving packets](#receiving-packets) to allow for possible incentivization here as well. + +```typescript +function timeoutPacket( + packet: OpaquePacket, + proof: CommitmentProof | MultihopProof, + proofHeight: Height, + nextSequenceRecv: Maybe, + relayer: string): Packet { + + channel = provableStore.get(channelPath(packet.sourcePort, packet.sourceChannel)) + abortTransactionUnless(channel !== null) + + abortTransactionUnless(authenticateCapability(channelCapabilityPath(packet.sourcePort, packet.sourceChannel), capability)) + abortTransactionUnless(packet.destChannel === channel.counterpartyChannelIdentifier) + + connection = provableStore.get(connectionPath(channel.connectionHops[0])) + abortTransactionUnless(connection !== null) + + // note: the connection may have been closed + abortTransactionUnless(packet.destPort === channel.counterpartyPortIdentifier) + + // get the timestamp from the final consensus state in the channel path + var proofTimestamp + if (channel.connectionHops.length > 1) { + consensusState = abortTransactionUnless(Unmarshal(proof.ConsensusProofs[proof.ConsensusProofs.length-1].Value)) + proofTimestamp = consensusState.GetTimestamp() + } else { + proofTimestamp, err = connection.getTimestampAtHeight(connection, proofHeight) + } + + // check that timeout height or timeout timestamp has passed on the other end + abortTransactionUnless( + (packet.timeoutHeight > 0 && proofHeight >= packet.timeoutHeight) || + (packet.timeoutTimestamp > 0 && proofTimestamp >= packet.timeoutTimestamp)) + + // verify we actually sent this packet, check the store + abortTransactionUnless(provableStore.get(packetCommitmentPath(packet.sourcePort, packet.sourceChannel, packet.sequence)) + === hash(packet.data, packet.timeoutHeight, packet.timeoutTimestamp)) + + switch channel.order { + case ORDERED: + // ordered channel: check that packet has not been received + // only allow timeout on next sequence so all sequences before the timed out packet are processed (received/timed out) + // before this packet times out + abortTransactionUnless(packet.sequence == nextSequenceRecv) + // ordered channel: check that the recv sequence is as claimed + if (channel.connectionHops.length > 1) { + key = nextSequenceRecvPath(packet.srcPort, packet.srcChannel) + abortTransactionUnless(connection.verifyMultihopMembership( + connection, + proofHeight, + proof, + channel.ConnectionHops, + key, + nextSequenceRecv + )) + } else { + abortTransactionUnless(connection.verifyNextSequenceRecv( + proofHeight, + proof, + packet.destPort, + packet.destChannel, + nextSequenceRecv + )) + } + break; + + case UNORDERED: + if (channel.connectionHops.length > 1) { + key = packetReceiptPath(packet.srcPort, packet.srcChannel, packet.sequence) + abortTransactionUnless(connection.verifyMultihopNonMembership( + connection, + proofHeight, + proof, + channel.ConnectionHops, + key + )) + } else { + // unordered channel: verify absence of receipt at packet index + abortTransactionUnless(connection.verifyPacketReceiptAbsence( + proofHeight, + proof, + packet.destPort, + packet.destChannel, + packet.sequence + )) + } + break; + + // NOTE: For ORDERED_ALLOW_TIMEOUT, the relayer must first attempt the receive on the destination chain + // before the timeout receipt can be written and subsequently proven on the sender chain in timeoutPacket + case ORDERED_ALLOW_TIMEOUT: + abortTransactionUnless(packet.sequence == nextSequenceRecv - 1) + + if (channel.connectionHops.length > 1) { + abortTransactionUnless(connection.verifyMultihopMembership( + connection, + proofHeight, + proof, + channel.ConnectionHops, + packetReceiptPath(packet.destPort, packet.destChannel, packet.sequence), + TIMEOUT_RECEIPT + )) + } else { + abortTransactionUnless(connection.verifyPacketReceipt( + proofHeight, + proof, + packet.destPort, + packet.destChannel, + packet.sequence + TIMEOUT_RECEIPT, + )) + } + break; + + default: + // unsupported channel type + abortTransactionUnless(true) + } + + // all assertions passed, we can alter state + + // delete our commitment + provableStore.delete(packetCommitmentPath(packet.sourcePort, packet.sourceChannel, packet.sequence)) + + if channel.state == FLUSHING { + upgradeTimeout = privateStore.get(counterpartyUpgradeTimeout(portIdentifier, channelIdentifier)) + if upgradeTimeout != nil { + // counterparty-specified timeout must not have exceeded + // if it has, then restore the channel and abort upgrade handshake + if (upgradeTimeout.timeoutHeight != 0 && currentHeight() >= upgradeTimeout.timeoutHeight) || + (upgradeTimeout.timeoutTimestamp != 0 && currentTimestamp() >= upgradeTimeout.timeoutTimestamp ) { + restoreChannel(portIdentifier, channelIdentifier) + } else if pendingInflightPackets(portIdentifier, channelIdentifier) == nil { + // if this was the last in-flight packet, then move channel state to FLUSHCOMPLETE + channel.state = FLUSHCOMPLETE + publicStore.set(channelPath(portIdentifier, channelIdentifier), channel) + } + } + } + + // only close on strictly ORDERED channels + if channel.order === ORDERED { + // if the channel is ORDERED and a packet is timed out in FLUSHING state then + // all upgrade information is deleted and the channel is set to CLOSED. + + if channel.State == FLUSHING { + // delete auxiliary upgrade state + provableStore.delete(channelUpgradePath(portIdentifier, channelIdentifier)) + privateStore.delete(counterpartyUpgradePath(portIdentifier, channelIdentifier)) + } + + // ordered channel: close the channel + channel.state = CLOSED + provableStore.set(channelPath(packet.sourcePort, packet.sourceChannel), channel) + } + // on ORDERED_ALLOW_TIMEOUT, increment NextSequenceAck so that next packet can be acknowledged after this packet timed out. + if channel.order === ORDERED_ALLOW_TIMEOUT { + nextSequenceAck = nextSequenceAck + 1 + provableStore.set(nextSequenceAckPath(packet.srcPort, packet.srcChannel), nextSequenceAck) + } + + // return transparent packet + return packet +} +``` + +##### Timing-out on close + +The `timeoutOnClose` function is called by a module in order to prove that the channel +to which an unreceived packet was addressed has been closed, so the packet will never be received +(even if the `timeoutHeight` or `timeoutTimestamp` has not yet been reached). + +Calling modules MAY atomically execute appropriate application timeout-handling logic in conjunction with calling `timeoutOnClose`. + +We pass the `relayer` address just as in [Receiving packets](#receiving-packets) to allow for possible incentivization here as well. + +```typescript +function timeoutOnClose( + packet: Packet, + proof: CommitmentProof | MultihopProof, + proofClosed: CommitmentProof | MultihopProof, + proofHeight: Height, + nextSequenceRecv: Maybe, + relayer: string): Packet { + + channel = provableStore.get(channelPath(packet.sourcePort, packet.sourceChannel)) + // note: the channel may have been closed + abortTransactionUnless(authenticateCapability(channelCapabilityPath(packet.sourcePort, packet.sourceChannel), capability)) + abortTransactionUnless(packet.destChannel === channel.counterpartyChannelIdentifier) + + connection = provableStore.get(connectionPath(channel.connectionHops[0])) + // note: the connection may have been closed + abortTransactionUnless(packet.destPort === channel.counterpartyPortIdentifier) + + // verify we actually sent this packet, check the store + abortTransactionUnless(provableStore.get(packetCommitmentPath(packet.sourcePort, packet.sourceChannel, packet.sequence)) + === hash(packet.data, packet.timeoutHeight, packet.timeoutTimestamp)) + + // return hops from counterparty's view + counterpartyHops = getCounterpartyHops(proof, connection) + + // check that the opposing channel end has closed + expected = ChannelEnd{CLOSED, channel.order, channel.portIdentifier, + channel.channelIdentifier, counterpartyHops, channel.version} + + // verify channel is closed + if (channel.connectionHops.length > 1) { + key = channelPath(counterparty.PortId, counterparty.ChannelId) + abortTransactionUnless(connection.VerifyMultihopMembership( + connection, + proofHeight, + proofClosed, + channel.ConnectionHops, + key, + expected + )) + } else { + abortTransactionUnless(connection.verifyChannelState( + proofHeight, + proofClosed, + channel.counterpartyPortIdentifier, + channel.counterpartyChannelIdentifier, + expected + )) + } + + switch channel.order { + case ORDERED: + // ordered channel: check that packet has not been received + abortTransactionUnless(packet.sequence >= nextSequenceRecv) + + // ordered channel: check that the recv sequence is as claimed + if (channel.connectionHops.length > 1) { + key = nextSequenceRecvPath(packet.destPort, packet.destChannel) + abortTransactionUnless(connection.verifyMultihopMembership( + connection, + proofHeight, + proof, + channel.ConnectionHops, + key, + nextSequenceRecv + )) + } else { + abortTransactionUnless(connection.verifyNextSequenceRecv( + proofHeight, + proof, + packet.destPort, + packet.destChannel, + nextSequenceRecv + )) + } + break; + + case UNORDERED: + // unordered channel: verify absence of receipt at packet index + if (channel.connectionHops.length > 1) { + abortTransactionUnless(connection.verifyMultihopNonMembership( + connection, + proofHeight, + proof, + channel.ConnectionHops, + key + )) + } else { + abortTransactionUnless(connection.verifyPacketReceiptAbsence( + proofHeight, + proof, + packet.destPort, + packet.destChannel, + packet.sequence + )) + } + break; + + case ORDERED_ALLOW_TIMEOUT: + // if packet.sequence >= nextSequenceRecv, then the relayer has not attempted + // to receive the packet on the destination chain (e.g. because the channel is already closed). + // In this situation it is not needed to verify the presence of a timeout receipt. + // Otherwise, if packet.sequence < nextSequenceRecv, then the relayer has attempted + // to receive the packet on the destination chain, and nextSequenceRecv has been incremented. + // In this situation, verify the presence of timeout receipt. + if packet.sequence < nextSequenceRecv { + abortTransactionUnless(connection.verifyPacketReceipt( + proofHeight, + proof, + packet.destPort, + packet.destChannel, + packet.sequence + TIMEOUT_RECEIPT, + )) + } + break; + + default: + // unsupported channel type + abortTransactionUnless(true) + } + + // all assertions passed, we can alter state + + // delete our commitment + provableStore.delete(packetCommitmentPath(packet.sourcePort, packet.sourceChannel, packet.sequence)) + + // return transparent packet + return packet +} +``` + +##### Cleaning up state + +Packets must be acknowledged in order to be cleaned-up. + +#### Reasoning about race conditions + +##### Simultaneous handshake attempts + +If two machines simultaneously initiate channel opening handshakes with each other, attempting to use the same identifiers, both will fail and new identifiers must be used. + +##### Identifier allocation + +There is an unavoidable race condition on identifier allocation on the destination chain. Modules would be well-advised to utilise pseudo-random, non-valuable identifiers. Managing to claim the identifier that another module wishes to use, however, while annoying, cannot man-in-the-middle a handshake since the receiving module must already own the port to which the handshake was targeted. + +##### Timeouts / packet confirmation + +There is no race condition between a packet timeout and packet confirmation, as the packet will either have passed the timeout height prior to receipt or not. + +##### Man-in-the-middle attacks during handshakes + +Verification of cross-chain state prevents man-in-the-middle attacks for both connection handshakes & channel handshakes since all information (source, destination client, channel, etc.) is known by the module which starts the handshake and confirmed prior to handshake completion. + +##### Connection / channel closure with in-flight packets + +If a connection or channel is closed while packets are in-flight, the packets can no longer be received on the destination chain and can be timed-out on the source chain. + +#### Querying channels + +Channels can be queried with `queryChannel`: + +```typescript +function queryChannel(connId: Identifier, chanId: Identifier): ChannelEnd | void { + return provableStore.get(channelPath(connId, chanId)) +} +``` + +### Properties & Invariants + +- The unique combinations of channel & port identifiers are first-come-first-serve: once a pair has been allocated, only the modules owning the ports in question can send or receive on that channel. +- Packets are delivered exactly once, assuming that the chains are live within the timeout window, and in case of timeout can be timed-out exactly once on the sending chain. +- The channel handshake cannot be man-in-the-middle attacked by another module on either blockchain or another blockchain's IBC handler. + +## Backwards Compatibility + +Not applicable. + +## Forwards Compatibility + +Data structures & encoding can be versioned at the connection or channel level. Channel logic is completely agnostic to packet data formats, which can be changed by the modules any way they like at any time. + +## Example Implementations + +- Implementation of ICS 04 in Go can be found in [ibc-go repository](https://github.com/cosmos/ibc-go). +- Implementation of ICS 04 in Rust can be found in [ibc-rs repository](https://github.com/cosmos/ibc-rs). + +## History + +Jun 5, 2019 - Draft submitted + +Jul 4, 2019 - Modifications for unordered channels & acknowledgements + +Jul 16, 2019 - Alterations for multi-hop routing future compatibility + +Jul 29, 2019 - Revisions to handle timeouts after connection closure + +Aug 13, 2019 - Various edits + +Aug 25, 2019 - Cleanup + +Jan 10, 2022 - Add ORDERED_ALLOW_TIMEOUT channel type and appropriate logic + +Mar 28, 2023 - Add `writeChannel` function to write channel end after executing application callback + +## Copyright + +All content herein is licensed under [Apache 2.0](https://www.apache.org/licenses/LICENSE-2.0). diff --git a/spec/core/v2/ics-005-port-allocation/README.md b/spec/core/v2/ics-005-port-allocation/README.md new file mode 100644 index 000000000..bb940eaa0 --- /dev/null +++ b/spec/core/v2/ics-005-port-allocation/README.md @@ -0,0 +1,246 @@ +--- +ics: 5 +title: Port Allocation +stage: Draft +requires: 24 +required-by: 4 +category: IBC/TAO +kind: interface +version compatibility: ibc-go v7.0.0 +author: Christopher Goes +created: 2019-06-20 +modified: 2019-08-25 +--- + +## Synopsis + +This standard specifies the port allocation system by which modules can bind to uniquely named ports allocated by the IBC handler. +Ports can then be used to open channels and can be transferred or later released by the module which originally bound to them. + +### Motivation + +The interblockchain communication protocol is designed to facilitate module-to-module traffic, where modules are independent, possibly mutually distrusted, self-contained +elements of code executing on sovereign ledgers. In order to provide the desired end-to-end semantics, the IBC handler must permission channels to particular modules. +This specification defines the *port allocation and ownership* system which realises that model. + +Conventions may emerge as to what kind of module logic is bound to a particular port name, such as "bank" for fungible token handling or "staking" for interchain collateralisation. +This is analogous to port 80's common use for HTTP servers — the protocol cannot enforce that particular module logic is actually bound to conventional ports, so +users must check that themselves. Ephemeral ports with pseudorandom identifiers may be created for temporary protocol handling. + +Modules may bind to multiple ports and connect to multiple ports bound to by another module on a separate machine. Any number of (uniquely identified) channels can utilise a single +port simultaneously. Channels are end-to-end between two ports, each of which must have been previously bound to by a module, which will then control that end of the channel. + +Optionally, the host state machine can elect to expose port binding only to a specially-permissioned module manager, +by generating a capability key specifically for the ability to bind ports. The module manager +can then control which ports modules can bind to with a custom rule-set, and transfer ports to modules only when it +has validated the port name & module. This role can be played by the routing module (see [ICS 26](../ics-026-routing-module)). + +### Definitions + +`Identifier`, `get`, `set`, and `delete` are defined as in [ICS 24](../ics-024-host-requirements). + +A *port* is a particular kind of identifier which is used to permission channel opening and usage to modules. + +A *module* is a sub-component of the host state machine independent of the IBC handler. Examples include Ethereum smart contracts and Cosmos SDK & Substrate modules. +The IBC specification makes no assumptions of module functionality other than the ability of the host state machine to use object-capability or source authentication to permission ports to modules. + +### Desired Properties + +- Once a module has bound to a port, no other modules can use that port until the module releases it +- A module can, on its option, release a port or transfer it to another module +- A single module can bind to multiple ports at once +- Ports are allocated first-come first-serve, and "reserved" ports for known modules can be bound when the chain is first started + +As a helpful comparison, the following analogies to TCP are roughly accurate: + +| IBC Concept | TCP/IP Concept | Differences | +| ----------------------- | ------------------------- | --------------------------------------------------------------------- | +| IBC | TCP | Many, see the architecture documents describing IBC | +| Port (e.g. "bank") | Port (e.g. 80) | No low-number reserved ports, ports are strings | +| Module (e.g. "bank") | Application (e.g. Nginx) | Application-specific | +| Client | - | No direct analogy, a bit like L2 routing and a bit like TLS | +| Connection | - | No direct analogy, folded into connections in TCP | +| Channel | Connection | Any number of channels can be opened to or from a port simultaneously | + +## Technical Specification + +### Data Structures + +The host state machine MUST support either object-capability reference or source authentication for modules. + +In the former object-capability case, the IBC handler must have the ability to generate *object-capabilities*, unique, opaque references +which can be passed to a module and will not be duplicable by other modules. Two examples are store keys as used in the Cosmos SDK ([reference](https://github.com/cosmos/cosmos-sdk/blob/97eac176a5d533838333f7212cbbd79beb0754bc/store/types/store.go#L275)) +and object references as used in Agoric's Javascript runtime ([reference](https://github.com/Agoric/SwingSet)). + +```typescript +type CapabilityKey object +``` + +`newCapability` must take a name and generate a unique capability key, such that the name is locally mapped to the capability key and can be used with `getCapability` later. + +```typescript +function newCapability(name: string): CapabilityKey { + // provided by host state machine, e.g. ADR 3 / ScopedCapabilityKeeper in Cosmos SDK +} +``` + +`authenticateCapability` must take a name & a capability and check whether the name is locally mapped to the provided capability. The name can be untrusted user input. + +```typescript +function authenticateCapability(name: string, capability: CapabilityKey): bool { + // provided by host state machine, e.g. ADR 3 / ScopedCapabilityKeeper in Cosmos SDK +} +``` + +`claimCapability` must take a name & a capability (provided by another module) and locally map the name to the capability, "claiming" it for future usage. + +```typescript +function claimCapability(name: string, capability: CapabilityKey) { + // provided by host state machine, e.g. ADR 3 / ScopedCapabilityKeeper in Cosmos SDK +} +``` + +`getCapability` must allow a module to lookup a capability which it has previously created or claimed by name. + +```typescript +function getCapability(name: string): CapabilityKey { + // provided by host state machine, e.g. ADR 3 / ScopedCapabilityKeeper in Cosmos SDK +} +``` + +`releaseCapability` must allow a module to release a capability which it owns. + +```typescript +function releaseCapability(capability: CapabilityKey) { + // provided by host state machine, e.g. ADR 3 / ScopedCapabilityKeeper in Cosmos SDK +} +``` + +In the latter source authentication case, the IBC handler must have the ability to securely read the *source identifier* of the calling module, +a unique string for each module in the host state machine, which cannot be altered by the module or faked by another module. +An example is smart contract addresses as used by Ethereum ([reference](https://ethereum.github.io/yellowpaper/paper.pdf)). + +```typescript +type SourceIdentifier string +``` + +```typescript +function callingModuleIdentifier(): SourceIdentifier { + // provided by host state machine, e.g. contract address in Ethereum +} +``` + +`newCapability`, `authenticateCapability`, `claimCapability`, `getCapability`, and `releaseCapability` are then implemented as follows: + +```typescript +function newCapability(name: string): CapabilityKey { + return callingModuleIdentifier() +} +``` + +```typescript +function authenticateCapability(name: string, capability: CapabilityKey) { + return callingModuleIdentifier() === name +} +``` + +```typescript +function claimCapability(name: string, capability: CapabilityKey) { + // no-op +} +``` + +```typescript +function getCapability(name: string): CapabilityKey { + // not actually used + return nil +} +``` + +```typescript +function releaseCapability(capability: CapabilityKey) { + // no-op +} +``` + +#### Store paths + +`portPath` takes an `Identifier` and returns the store path under which the object-capability reference or owner module identifier associated with a port should be stored. + +```typescript +function portPath(id: Identifier): Path { + return "ports/{id}" +} +``` + +### Sub-protocols + +#### Identifier validation + +Owner module identifier for ports are stored under a unique `Identifier` prefix. +The validation function `validatePortIdentifier` MAY be provided. + +```typescript +type validatePortIdentifier = (id: Identifier) => boolean +``` + +If not provided, the default `validatePortIdentifier` function will always return `true`. + +#### Binding to a port + +The IBC handler MUST implement `bindPort`. `bindPort` binds to an unallocated port, failing if the port has already been allocated. + +If the host state machine does not implement a special module manager to control port allocation, `bindPort` SHOULD be available to all modules. If it does, `bindPort` SHOULD only be callable by the module manager. + +```typescript +function bindPort(id: Identifier): CapabilityKey { + abortTransactionUnless(validatePortIdentifier(id)) + abortTransactionUnless(getCapability(portPath(id)) === null) + capability = newCapability(portPath(id)) + return capability +} +``` + +#### Transferring ownership of a port + +If the host state machine supports object-capabilities, no additional protocol is necessary, since the port reference is a bearer capability. + +#### Releasing a port + +The IBC handler MUST implement the `releasePort` function, which allows a module to release a port such that other modules may then bind to it. + +`releasePort` SHOULD be available to all modules. + +> Warning: releasing a port will allow other modules to bind to that port and possibly intercept incoming channel opening handshakes. Modules should release ports only when doing so is safe. + +```typescript +function releasePort(id: Identifier, capability: CapabilityKey) { + abortTransactionUnless(authenticateCapability(portPath(id), capability)) + releaseCapability(capability) +} +``` + +### Properties & Invariants + +- By default, port identifiers are first-come-first-serve: once a module has bound to a port, only that module can utilise the port until the module transfers or releases it. A module manager can implement custom logic which overrides this. + +## Backwards Compatibility + +Not applicable. + +## Forwards Compatibility + +Port binding is not a wire protocol, so interfaces can change independently on separate chains as long as the ownership semantics are unaffected. + +## Example Implementations + +- Implementation of ICS 05 in Go can be found in [ibc-go repository](https://github.com/cosmos/ibc-go). +- Implementation of ICS 05 in Rust can be found in [ibc-rs repository](https://github.com/cosmos/ibc-rs). + +## History + +Jun 29, 2019 - Initial draft + +## Copyright + +All content herein is licensed under [Apache 2.0](https://www.apache.org/licenses/LICENSE-2.0). diff --git a/spec/core/v2/ics-024-host-requirements/README.md b/spec/core/v2/ics-024-host-requirements/README.md new file mode 100644 index 000000000..a5daa2bb8 --- /dev/null +++ b/spec/core/v2/ics-024-host-requirements/README.md @@ -0,0 +1,411 @@ +--- +ics: 24 +title: Host State Machine Requirements +stage: draft +category: IBC/TAO +kind: interface +requires: 23 +required-by: 2, 3, 4, 5, 18 +version compatibility: ibc-go v7.0.0 +author: Christopher Goes +created: 2019-04-16 +modified: 2022-09-14 +--- + +## Synopsis + +This specification defines the minimal set of interfaces which must be provided and properties which must be fulfilled by a state machine hosting an implementation of the interblockchain communication protocol. + +### Motivation + +IBC is designed to be a common standard which will be hosted by a variety of blockchains & state machines and must clearly define the requirements of the host. + +### Definitions + +### Desired Properties + +IBC should require as simple an interface from the underlying state machine as possible to maximise the ease of correct implementation. + +## Technical Specification + +### Module system + +The host state machine must support a module system, whereby self-contained, potentially mutually distrusted packages of code can safely execute on the same ledger, control how and when they allow other modules to communicate with them, and be identified and manipulated by a "master module" or execution environment. + +The IBC/TAO specifications define the implementations of two modules: the core "IBC handler" module and the "IBC relayer" module. IBC/APP specifications further define other modules for particular packet handling application logic. IBC requires that the "master module" or execution environment can be used to grant other modules on the host state machine access to the IBC handler module and/or the IBC routing module, but otherwise does not impose requirements on the functionality or communication abilities of any other modules which may be co-located on the state machine. + +### Paths, identifiers, separators + +An `Identifier` is a bytestring used as a key for an object stored in state, such as a connection, channel, or light client. + +Identifiers MUST be non-empty (of positive integer length). + +Identifiers MUST consist of characters in one of the following categories only: + +- Alphanumeric +- `.`, `_`, `+`, `-`, `#` +- `[`, `]`, `<`, `>` + +A `Path` is a bytestring used as the key for an object stored in state. Paths MUST contain only identifiers, constant strings, and the separator `"/"`. + +Identifiers are not intended to be valuable resources — to prevent name squatting, minimum length requirements or pseudorandom generation MAY be implemented, but particular restrictions are not imposed by this specification. + +The separator `"/"` is used to separate and concatenate two identifiers or an identifier and a constant bytestring. Identifiers MUST NOT contain the `"/"` character, which prevents ambiguity. + +Variable interpolation, denoted by curly braces, is used throughout this specification as shorthand to define path formats, e.g. `client/{clientIdentifier}/consensusState`. + +All identifiers, and all strings listed in this specification, must be encoded as ASCII unless otherwise specified. + +By default, identifiers have the following minimum and maximum lengths in characters: + +| Port identifier | Client identifier | Connection identifier | Channel identifier | +| --------------- | ----------------- | --------------------- | ------------------ | +| 2 - 128 | 9 - 64 | 10 - 64 | 8 - 64 | + +### Key/value Store + +The host state machine MUST provide a key/value store interface +with three functions that behave in the standard way: + +```typescript +type get = (path: Path) => Value | void +``` + +```typescript +type set = (path: Path, value: Value) => void +``` + +```typescript +type delete = (path: Path) => void +``` + +`Path` is as defined above. `Value` is an arbitrary bytestring encoding of a particular data structure. Encoding details are left to separate ICSs. + +These functions MUST be permissioned to the IBC handler module (the implementation of which is described in separate standards) only, so only the IBC handler module can `set` or `delete` the paths that can be read by `get`. This can possibly be implemented as a sub-store (prefixed key-space) of a larger key/value store used by the entire state machine. + +Host state machines MUST provide two instances of this interface - +a `provableStore` for storage read by (i.e. proven to) other chains, +and a `privateStore` for storage local to the host, upon which `get` +, `set`, and `delete` can be called, e.g. `provableStore.set('some/path', 'value')`. + +The `provableStore`: + +- MUST write to a key/value store whose data can be externally proved with a vector commitment as defined in [ICS 23](../ics-023-vector-commitments). +- MUST use canonical data structure encodings provided in these specifications as proto3 files + +The `privateStore`: + +- MAY support external proofs, but is not required to - the IBC handler will never write data to it which needs to be proved. +- MAY use canonical proto3 data structures, but is not required to - it can use + whatever format is preferred by the application environment. + +> Note: any key/value store interface which provides these methods & properties is sufficient for IBC. Host state machines may implement "proxy stores" with path & value mappings which do not directly match the path & value pairs set and retrieved through the store interface — paths could be grouped into buckets & values stored in pages which could be proved in a single commitment, path-spaces could be remapped non-contiguously in some bijective manner, etc — as long as `get`, `set`, and `delete` behave as expected and other machines can verify commitment proofs of path & value pairs (or their absence) in the provable store. If applicable, the store must expose this mapping externally so that clients (including relayers) can determine the store layout & how to construct proofs. Clients of a machine using such a proxy store must also understand the mapping, so it will require either a new client type or a parameterised client. +> +> Note: this interface does not necessitate any particular storage backend or backend data layout. State machines may elect to use a storage backend configured in accordance with their needs, as long as the store on top fulfils the specified interface and provides commitment proofs. + +### Path-space + +At present, IBC/TAO recommends the following path prefixes for the `provableStore` and `privateStore`. + +Future paths may be used in future versions of the protocol, so the entire key-space in the provable store MUST be reserved for the IBC handler. + +Keys used in the provable store MAY safely vary on a per-client-type basis as long as there exists a bipartite mapping between the key formats +defined herein and the ones actually used in the machine's implementation. + +Parts of the private store MAY safely be used for other purposes as long as the IBC handler has exclusive access to the specific keys required. +Keys used in the private store MAY safely vary as long as there exists a bipartite mapping between the key formats defined herein and the ones +actually used in the private store implementation. + +Note that the client-related paths listed below reflect the Tendermint client as defined in [ICS 7](../../client/ics-007-tendermint-client) and may vary for other client types. + +| Store | Path format | Value type | Defined in | +| -------------- | ------------------------------------------------------------------------------ | ----------------- | ---------------------- | +| provableStore | "clients/{identifier}/clientState" | ClientState | [ICS 2](../ics-002-client-semantics) | +| provableStore | "clients/{identifier}/consensusStates/{height}" | ConsensusState | [ICS 7](../../client/ics-007-tendermint-client) | +| privateStore | "clients/{identifier}/connections | []Identifier | [ICS 3](../ics-003-connection-semantics) | +| provableStore | "connections/{identifier}" | ConnectionEnd | [ICS 3](../ics-003-connection-semantics) | +| privateStore | "ports/{identifier}" | CapabilityKey | [ICS 5](../ics-005-port-allocation) | +| provableStore | "channelEnds/ports/{identifier}/channels/{identifier}" | ChannelEnd | [ICS 4](../ics-004-channel-and-packet-semantics) | +| provableStore | "nextSequenceSend/ports/{identifier}/channels/{identifier}" | uint64 | [ICS 4](../ics-004-channel-and-packet-semantics) | +| provableStore | "nextSequenceRecv/ports/{identifier}/channels/{identifier}" | uint64 | [ICS 4](../ics-004-channel-and-packet-semantics) | +| provableStore | "nextSequenceAck/ports/{identifier}/channels/{identifier}" | uint64 | [ICS 4](../ics-004-channel-and-packet-semantics) | +| provableStore | "commitments/ports/{identifier}/channels/{identifier}/sequences/{sequence}" | bytes | [ICS 4](../ics-004-channel-and-packet-semantics) | +| provableStore | "receipts/ports/{identifier}/channels/{identifier}/sequences/{sequence}" | bytes | [ICS 4](../ics-004-channel-and-packet-semantics) | +| provableStore | "acks/ports/{identifier}/channels/{identifier}/sequences/{sequence}" | bytes | [ICS 4](../ics-004-channel-and-packet-semantics) | + +### Module layout + +Represented spatially, the layout of modules & their included specifications on a host state machine looks like so (Aardvark, Betazoid, and Cephalopod are arbitrary modules): + +```shell ++----------------------------------------------------------------------------------+ +| | +| Host State Machine | +| | +| +-------------------+ +--------------------+ +----------------------+ | +| | Module Aardvark | <--> | IBC Routing Module | | IBC Handler Module | | +| +-------------------+ | | | | | +| | Implements ICS 26. | | Implements ICS 2, 3, | | +| | | | 4, 5 internally. | | +| +-------------------+ | | | | | +| | Module Betazoid | <--> | | --> | Exposes interface | | +| +-------------------+ | | | defined in ICS 25. | | +| | | | | | +| +-------------------+ | | | | | +| | Module Cephalopod | <--> | | | | | +| +-------------------+ +--------------------+ +----------------------+ | +| | ++----------------------------------------------------------------------------------+ +``` + +### Consensus state introspection + +Host state machines MUST provide the ability to introspect their current height, with `getCurrentHeight`: + +```typescript +type getCurrentHeight = () => Height +``` + +Host state machines MUST define a unique `ConsensusState` type fulfilling the requirements of [ICS 2](../ics-002-client-semantics), with a canonical binary serialisation. + +Host state machines MUST provide the ability to introspect their own consensus state, with `getConsensusState`: + +```typescript +type getConsensusState = (height: Height, proof?: bytes) => ConsensusState +``` + +`getConsensusState` MUST return the consensus state for at least some number `n` of contiguous recent heights, where `n` is constant for the host state machine. Heights older than `n` MAY be safely pruned (causing future calls to fail for those heights). + +We provide an optional proof data which comes from the `MsgConnectionOpenAck` or `MsgConnectionOpenTry` for host state machines which are unable to introspect their own `ConsensusState` and must rely on off-chain data. +
+In this case host state machines MUST maintain a map of `n` block numbers to header hashes where the proof would contain full header which can be hashed and compared with the on-chain record. + +Host state machines MUST provide the ability to introspect this stored recent consensus state count `n`, with `getStoredRecentConsensusStateCount`: + +```typescript +type getStoredRecentConsensusStateCount = () => Height +``` + +### Client state validation + +Host state machines MUST define a unique `ClientState` type fulfilling the requirements of [ICS 2](../ics-002-client-semantics). + +Host state machines MUST provide the ability to construct a `ClientState` representation of their own state for the purposes of client state validation, with `getHostClientState`: + +```typescript +type getHostClientState = (height: Height) => ClientState +``` + +Host state machines MUST provide the ability to validate the `ClientState` of a light client running on a counterparty chain, with `validateSelfClient`: + +```typescript +type validateSelfClient = (counterpartyClientState: ClientState) => boolean +``` + +`validateSelfClient` validates the client parameters for a client of the host chain. For example, below is the implementation for Tendermint hosts, using `ClientState` as defined in [ICS 7](../../client/ics-007-tendermint-client/): + +```typescript +function validateSelfClient(counterpartyClientState: ClientState) { + hostClientState = getHostClientState() + + // assert that the counterparty client is not frozen + if counterpartyClientState.frozenHeight !== null { + return false + } + + // assert that the chain ids are the same + if counterpartyClientState.chainID !== hostClientState.chainID { + return false + } + + // assert that the counterparty client is in the same revision as the host chain + counterpartyRevisionNumber = parseRevisionNumber(counterpartyClientState.chainID) + if counterpartyRevisionNumber !== hostClientState.latestHeight.revisionNumber { + return false + } + + // assert that the counterparty client has a height less than the host height + if counterpartyClientState.latestHeight >= hostClientState.latestHeight { + return false + } + + // assert that the counterparty client has the same ProofSpec as the host + if counterpartyClientState.proofSpecs !== hostClientState.proofSpecs { + return false + } + + // assert that the trustLevel is within the allowed range. 1/3 is the minimum amount + // of trust needed which does not break the security model. + if counterpartyClientState.trustLevel < 1/3 || counterpartyClientState.trustLevel > 1 { + return false + } + + // assert that the unbonding periods are the same + if counterpartyClientState.unbondingPeriod != hostClientState.unbondingPeriod { + return false + } + + // assert that the unbonding period is greater than or equal to the trusting period + if counterpartyClientState.unbondingPeriod < counterpartyClientState.trustingPeriod { + return false + } + + // assert that the upgrade paths are the same + hostUpgradePath = applyPrefix(hostClientState.upgradeCommitmentPrefix, hostClientState.upgradeKey) + counterpartyUpgradePath = applyPrefix(counterpartyClientState.upgradeCommitmentPrefix, counterpartyClientState.upgradeKey) + if counterpartyUpgradePath !== hostUpgradePath { + return false + } + + return true +} +``` + +### Commitment path introspection + +Host chains MUST provide the ability to inspect their commitment path, with `getCommitmentPrefix`: + +```typescript +type getCommitmentPrefix = () => CommitmentPrefix +``` + +The result `CommitmentPrefix` is the prefix used by the host state machine's key-value store. +With the `CommitmentRoot root` and `CommitmentState state` of the host state machine, the following property MUST be preserved: + +```typescript +if provableStore.get(path) === value { + prefixedPath = applyPrefix(getCommitmentPrefix(), path) + if value !== nil { + proof = createMembershipProof(state, prefixedPath, value) + assert(verifyMembership(root, proof, prefixedPath, value)) + } else { + proof = createNonMembershipProof(state, prefixedPath) + assert(verifyNonMembership(root, proof, prefixedPath)) + } +} +``` + +For a host state machine, the return value of `getCommitmentPrefix` MUST be constant. + +### Timestamp access + +Host chains MUST provide a current Unix timestamp, accessible with `currentTimestamp()`: + +```typescript +type currentTimestamp = () => uint64 +``` + +In order for timestamps to be used safely in timeouts, timestamps in subsequent headers MUST be non-decreasing. + +### Port system + +Host state machines MUST implement a port system, where the IBC handler can allow different modules in the host state machine to bind to uniquely named ports. Ports are identified by an `Identifier`. + +Host state machines MUST implement permission interaction with the IBC handler such that: + +- Once a module has bound to a port, no other modules can use that port until the module releases it +- A single module can bind to multiple ports +- Ports are allocated first-come first-serve and "reserved" ports for known modules can be bound when the state machine is first started + +This permissioning can be implemented with unique references (object capabilities) for each port (a la the Cosmos SDK), with source authentication (a la Ethereum), or with some other method of access control, in any case enforced by the host state machine. See [ICS 5](../ics-005-port-allocation) for details. + +Modules that wish to make use of particular IBC features MAY implement certain handler functions, e.g. to add additional logic to a channel handshake with an associated module on another state machine. + +### Datagram submission + +Host state machines which implement the routing module MAY define a `submitDatagram` function to submit datagrams[1](#footnote1), which will be included in transactions, directly to the routing module (defined in [ICS 26](../ics-026-routing-module)): + +```typescript +type submitDatagram = (datagram: Datagram) => void +``` + +`submitDatagram` allows relayer processes to submit IBC datagrams directly to the routing module on the host state machine. Host state machines MAY require that the relayer process submitting the datagram has an account to pay transaction fees, signs over the datagram in a larger transaction structure, etc — `submitDatagram` MUST define & construct any such packaging required. + +### Exception system + +Host state machines MUST support an exception system, whereby a transaction can abort execution and revert any previously made state changes (including state changes in other modules happening within the same transaction), excluding gas consumed & fee payments as appropriate, and a system invariant violation can halt the state machine. + +This exception system MUST be exposed through two functions: `abortTransactionUnless` and `abortSystemUnless`, where the former reverts the transaction and the latter halts the state machine. + +```typescript +type abortTransactionUnless = (bool) => void +``` + +If the boolean passed to `abortTransactionUnless` is `true`, the host state machine need not do anything. If the boolean passed to `abortTransactionUnless` is `false`, the host state machine MUST abort the transaction and revert any previously made state changes, excluding gas consumed & fee payments as appropriate. + +```typescript +type abortSystemUnless = (bool) => void +``` + +If the boolean passed to `abortSystemUnless` is `true`, the host state machine need not do anything. If the boolean passed to `abortSystemUnless` is `false`, the host state machine MUST halt. + +### Data availability + +For deliver-or-timeout safety, host state machines MUST have eventual data availability, such that any key/value pairs in state can be eventually retrieved by relayers. For exactly-once safety, data availability is not required. + +For liveness of packet relay, host state machines MUST have bounded transactional liveness (and thus necessarily consensus liveness), such that incoming transactions are confirmed within a block height bound (in particular, less than the timeouts assign to the packets). + +IBC packet data, and other data which is not directly stored in the state vector but is relied upon by relayers, MUST be available to & efficiently computable by relayer processes. + +Light clients of particular consensus algorithms may have different and/or more strict data availability requirements. + +### Event logging system + +The host state machine MUST provide an event logging system whereby arbitrary data can be logged in the course of transaction execution which can be stored, indexed, and later queried by processes executing the state machine. These event logs are utilised by relayers to read IBC packet data & timeouts, which are not stored directly in the chain state (as this storage is presumed to be expensive) but are instead committed to with a succinct cryptographic commitment (only the commitment is stored). + +This system is expected to have at minimum one function for emitting log entries and one function for querying past logs, approximately as follows. + +The function `emitLogEntry` can be called by the state machine during transaction execution to write a log entry: + +```typescript +type emitLogEntry = (topic: string, data: []byte) => void +``` + +The function `queryByTopic` can be called by an external process (such as a relayer) to retrieve all log entries associated with a given topic written by transactions which were executed at a given height. + +```typescript +type queryByTopic = (height: Height, topic: string) => []byte +``` + +More complex query functionality MAY also be supported, and may allow for more efficient relayer process queries, but is not required. + +### Handling upgrades + +Host machines may safely upgrade parts of their state machine without disruption to IBC functionality. In order to do this safely, the IBC handler logic must remain compliant with the specification, and all IBC-related state (in both the provable & private stores) must be persisted across the upgrade. If clients exist for an upgrading chain on other chains, and the upgrade will change the light client validation algorithm, these clients must be informed prior to the upgrade so that they can safely switch atomically and preserve continuity of connections & channels. + +## Backwards Compatibility + +Not applicable. + +## Forwards Compatibility + +Key/value store functionality and consensus state type are unlikely to change during operation of a single host state machine. + +`submitDatagram` can change over time as relayers should be able to update their processes. + +## Example Implementations + +- Implementation of ICS 24 in Go can be found in [ibc-go repository](https://github.com/cosmos/ibc-go). +- Implementation of ICS 24 in Rust can be found in [ibc-rs repository](https://github.com/cosmos/ibc-rs). + +## History + +Apr 29, 2019 - Initial draft + +May 11, 2019 - Rename "RootOfTrust" to "ConsensusState" + +Jun 25, 2019 - Use "ports" instead of module names + +Aug 18, 2019 - Revisions to module system, definitions + +Jul 05, 2022 - Lower the minimal allowed length of a channel identifier to 8 + +Jul 27, 2022 - Move `ClientState` to the `provableStore`, and add "Client state validation" section + +## Copyright + +All content herein is licensed under [Apache 2.0](https://www.apache.org/licenses/LICENSE-2.0). + +--- + +1: A datagram is an opaque bytestring transmitted over some physical network, and handled by the IBC routing module implemented in the ledger's state machine. In some implementations, the datagram may be a field in a ledger-specific transaction or message data structure which also contains other information (e.g. a fee for spam prevention, nonce for replay prevention, type identifier to route to the IBC handler, etc.). All IBC sub-protocols (such as opening a connection, creating a channel, sending a packet) are defined in terms of sets of datagrams and protocols for handling them through the routing module.