Implementation of Sunny's Mesh Security talk (Hackathon / Prototype status)

Overview

mesh-security (Hackathon / Prototype status)

An implementation of Sunny's Mesh Security talk from Cosmoverse 2022.

This should run on any CosmWasm enabled chain. This is MVP design and gives people hands on use, that should work on a testnet. Open questions that need to be resolved before we can use this in production are listed below.

Architecture

Please check out the architectural documentation, which gives a thorough view of all the components in a completed system.

You can also look at Sunny's original flipboard to get view of the various flows involved.

Contracts

  • meta-staking - a bridge between the rest of the contracts and the x/staking module to provide a consistent, friendly interface for our use case
  • mesh-lockup - a contract that locks tokens and allows lockers to issue multiple claims to other consumers, who can all slash that stake and eventually release their claim
  • mesh-provider - an IBC-enabled contract that issues claims on an ILP and speaks IBC to a consumer. It is responsible for submitting slashes it receives from the slasher to the ilp contract.
  • mesh-consumer - an IBC-enabled contract that receives messages from ibc-provider and communicates with meta-staking to update the local delegations / validator power
  • mesh-slasher - a contract that is authorized by the mesh-provider to submit slashes to it. There can be many types of slasher contracts (for different types of evidenses of misbehaviors)

Overview for Users

High Level: You connect Osmosis to Juno and Juno to Osmosis. We will only look at one side of this, but each chain is able to be both a consumer and producer at the same time. You can also connect each chain as a provider to N chains and a consumer from N chains.

Let's analyze the Osmosis side of this. Osmosis is the provider of security to Juno. Once the contracts have been deployed, a user can interact with this as follows.

Cross-staking:

  1. User stakes their tokens in the mesh-lockup contract on Osmosis
  2. User can cross-stake those tokens to a Juno mesh-provider contract (on Osmosis), specifying how many of their tokens to cross-stake and to which validator
  3. The Osmosis mesh-consumer contract (on Juno) receives a message from the counterparty mesh-provider contract and updates the stake in the meta-staking contract (on Juno).
  4. The meta-staking contract checks the values and updates it's delegations to x/staking accordingly. (The meta-staking contract is assumed to have enough JUNO tokens to do the delegations. How it gets that JUNO is out of scope.)

Claiming Rewards:

  1. Anyone can trigger the Osmosis consumer contract to claim rewards from the meta-staking contract
  2. The mesh-consumer contract (on JUNO) sends tokens to the mesh-provider contract (on Osmosis) via ics20
  3. The mesh-consumer contract sends a message to the mesh-provider contract to inform of the new distribution (and how many go to which validator).
  4. The mesh-provider (on Osmosis) contract updates distribution info to all stakers, allowing them to claim their share of the $JUNO rewards on Osmosis.

Unstaking:

  1. A user submits a request to unstake their tokens from the mesh-provider contract (on Osmosis)
  2. We update the local distribution info to reflect the new amount of tokens staked
  3. This sends a message to the mesh-consumer contract (on Juno), which updates the Juno meta-staking contract to remove the delegation.
  4. The mesh-provider contract (on Osmosis) gets the unbonding period for this cross stake by querying the slasher contract
  5. After the unbonding period has passed (eg. 2 weeks, 4 weeks) the mesh-provider contract informs the mesh-lockup contract that it removes its claim.
  6. If the user's stake in the mesh-lockup contract has not more claims on it, they can withdraw their stake.

Slashing:

  1. Someone calls a method to submit evidence of Juno misbehavior on the meta-slasher contract (on Osmosis).
  2. The meta-slasher contract verifies that a slashing event has indeed occurred and makes a contract call to the mesh-provider contract with the amount to slash.
  3. The mesh-provider updates the mesh-lockup stakes of everyone delegating to the offending validator. Tokens are unbonded and scheduled to be burned.
  4. mesh-provider sends IBC packet updates to the mesh-consumers on all other chains about the new voting power.

Claiming tokens:

A user can stake any number of tokens to the mesh-lockup contract, and use them in multiple provider contracts. The mesh-lockup contract ensures that the user has balance >= the max claim at all times. If you put in eg 1000 OSMO, but then provide 700, 500, and 300 to various providers, you can pull out 300 OSMO from the mesh-lockup contract. Once you successfully release the claim on the provider with 700, then you can pull out another 200 OSMO.

Overview for Installing

  1. Deploy the contracts to Osmosis and Juno
  2. x/gov on Juno will tell the "Osmosis consumer contract" which (connectionId, portId) to trust
  3. x/gov on Juno will provide the "Osmosis consumer contract" with some JUNO tokens with which it can later delegate (This is a hacky solution to give the consumer contract OSMO to be able to stake... we discuss improvement below).
  4. A relayer connects the two contracts, the consumer contract ensures that the channel is made from the authorized (connectionId, portId) or rejects it in the channel handshake. It also ensures only one channel exists at a time.
  5. Once the trusted connection is established and the consumer contract has been granted sufficient delegation power, then the user flow above can be used.

Features to add

These are well-defined but removed from the MVP for simplicity. We can add them later.

  • mesh-lockup must also allow local staking, and tie into the meta-staking contract to use that same stake to provide security on the home chain.

Open Questions

These are unclear and need to be discussed and resolved further.

  • How to cleanly grant consumer contracts the proper delegation power?
    • Something like "superfluid staking" module where we can mint "synthetic staking tokens" that work like normal, but are removed from the "totalSupply" query via offset.
    • Fork x/staking to allow such synthetic delegations that don't need tokens. This is a hard lift, but would allow custom logic, like counting those tokens in tendermint voting power, but exclude them from x/gov, and decide on some reducing factor for their rewards.
  • How to cleanly define limits for the providing chains on how much power they can have on the consuming chain? We start with a fixed number (# of JUNO), but better to do something like "max 10% of total staking power".
  • Ensure a minimum voting power for the local stake. If we let 3 chains each use up to 30% of the voting power, and they all stake to the max, then we only have 10% of the power locally. We can set a minimum to say 40% local, and if all remote chains stake to the max, their relative powers are reduced proportionally to ensure this local minimum stake.
  • How to normalize the token values? If we stake 2 million $OSMO, we need to convert that to the same $$ value of $JUNO before using it to calculate staking power on the Juno chain.
  • How to properly handle slashing, especially how a slashing on JUNO triggers a slash on OSMO, which should then reduce the voting power of the correlated validators on STARS (that was based on the same OSMO stake). This is a bit tricky, IBC messages could be sent out to all consumer chains, but there could be performance implications for this.
  • Desired reward payout mechanism. For MVP, we treat this as a normal delegator and send the tokens back to the provider chain to be distributed. But maybe we calculate rewards in another way, especially when we modify x/staking. Should also be computationally efficient
  • How to improve installation UX? Ideally, when the consumer chain votes to instantiate mesh security with another chain, all contracts are deployed and configured in one governance prop.
  • How to handle changing prices? What is a good price oracle? We need to update the voting power of the consumer contract when the price changes. This may lead to issues in normalization especially if the remote token price rises considerably.
  • What do we do when the consumer stake is greater than the max allowance? Do we fail that extra Stake? Do we normalize the validators within that consumer? Failing is easier, but not possible in response to price oracle changes. For example, if max power is 1000 and we have 500 for val A and 1000 for val B and 1000 for val C, we could normalize to A=200, B=400, C=400.
Comments
  • Validate validator valoper address

    Validate validator valoper address

    There are a number place where we have to validate an validator operator address, for example:

    • https://github.com/CosmWasm/mesh-security/blob/main/contracts/meta-staking/src/contract.rs#L100
    • https://github.com/CosmWasm/mesh-security/blob/main/contracts/meta-staking/src/contract.rs#L156
    • https://github.com/CosmWasm/mesh-security/blob/main/contracts/mesh-lockup/src/contract.rs#L105

    This maybe a good thing to contribute upstream somewhere. Maybe even cosmwasm_std?

    opened by JakeHartnell 6
  • Withdraw rewards

    Withdraw rewards

    This is draft PR for #34:

    meta-staking:

    1. withdraw_delegator_reward - can be called by anyone to distribute rewards from validator, store rewards by validator
    2. withdraw_to_consumer - called by anyone to send accumulated rewards to consumer.

    mesh-consumer:

    1. execute_receive_rewards - sends received funds over IBC to provider

    mesh-provider:

    1. receive_rewards - gets msg from consumer that we sent funds with a list of rewards per validator, calculate rewards per user, and enter rewards into rewards map.
    2. execute_claim_rewards - sends funds to the sender.

    Still missing:

    • [x] send funds from mesh-consumer to mesh-provider
    • [x] WithdrawRewards from mesh-provider
    • [x] ts-relayer integration tests.
    opened by Art3miX 6
  • Define consumer architecture

    Define consumer architecture

    This builds on #74 and provides more detail to how the consumer side functions. We begin to delve into the native sdk module needed here.

    I feel like I am improving names somewhat from the original design here, but they need a lot more work. Please comment heavily on the naming, I am very happy to re-name them to something better. Remember, once this is launched, it will be very hard to change names, so let's make something that is easy to understand.

    To see rendered docs, look at the Consumer folder on this branch

    opened by ethanfrey 3
  • Handle mesh-provider IBC Failure Cases

    Handle mesh-provider IBC Failure Cases

    EDIT 10/19

    I went through and implemented some todos related to IBC failures in mesh-provider. The only unintuitive change involves a shift from unilateral staking to bilateral staking. That is, mesh-provider only updates its staking state after it receives confirmation via ack from mesh-consumer on the "stake" IBC call. By contrast, mesh-provider continues to offer unilateral unstaking, since we must assume that the consumer chain might be byzantine.

    Qs

    • @ethanfrey is there a way to mock IBC calls for testing?

    Closes #37

    opened by teddyknox 3
  • Complete meta-staking queries

    Complete meta-staking queries

    Implement the unimplemented queries in the meta-staking contract:

    • [ ] all_validators: return all validators that a consumer contract delegates to.
    • [ ] delegation: return info about a particular consumer delegation
    • [ ] consumers: return a list of consumers
    opened by JakeHartnell 3
  • Meta staking testing

    Meta staking testing

    This is a draft PR to start organizing tests a little bit better in mesh-security and maybe around the cosmos as well.

    I have implement a new testing method on meta-staking, im still missing some tests to write and check coverage, but the general idea is already in code.

    In packages -> mesh-testing, we have testing library/framework for our tests, it includes 2 wrappers around std::testing and cw-multi-test, and utils folder that include helper utilities like addr_wrapper that allow us to set const addrs for testing. The library include 2 features, "unit" and "multi", in meta-staking I needed to use both testing libraries, mainly because multi-test doesn't support IBC yet, but also because there are stuff that just didn't require the multi-test things (for example testing add/remove consumer).

    In meta-staking we have a testing folder under src, the src folder now include only core contract code, and testing include all testing related code.

    In testing we hold the test file themselves, separated by what each file tests, for example delegations.rs test that we do delegate and undelegate correctly, while rewards.rs test only rewards related stuff like calculation and withdrawal.

    Under testing we have the utils folder, this folder hold all helper files for our tests, again separated by files based on what they help for like rewards.rs which hold functions to query rewards from the staking module. It also hold our setup functions, setup.rs hold all unit test setup functions prefixed with "setup_contract", while setup_app.rs hold all multi-test setup functions prefixed with "setup_app".

    The beauty in this, is that we can choose a different testing method for each of our tests based on the needs of that specific test. As you can see in testing -> delegations.rs file, the add_remove_delegations test is using multi-test method because we are talking with the module while no_consumer test is using unit tests because we expect errors here and don't need multi-test.

    opened by Art3miX 2
  • Make IBC Packet lifetime configurable

    Make IBC Packet lifetime configurable

    Currently hardcoded in mesh-provider and mesh-consumer:

    • https://github.com/CosmWasm/mesh-security/blob/main/contracts/mesh-consumer/src/ibc.rs#L18
    • https://github.com/CosmWasm/mesh-security/blob/main/contracts/mesh-provider/src/ibc.rs#L20
    opened by JakeHartnell 1
  • Implement mesh-provider IBC packet failure cases

    Implement mesh-provider IBC packet failure cases

    See contracts/mesh-provider/src/ibc.rs:

    • [ ] fail_list_validators: send another ListValidators message
    • [ ] fail_stake: release the bonded stake, adjust number
    • [ ] fail_unstake: unrelease the bonded stake, remove claim (see comment)
    opened by JakeHartnell 1
  • Withdraw consumer rewards from the meta-staking contract

    Withdraw consumer rewards from the meta-staking contract

    The consumer should be able to withdraw rewards from the meta-staking contract. This was not finished due to time constraints during the hackathon.

    During the presentation, @sunnya97 stated that anyone should be able to withdraw rewards on behalf of the consumer... I agree.

    This touches on a number of different contracts, meta-staking, mesh-consumer, and mesh-provider. The basic withdraw flow can be found in the flipboard here.

    Whoever takes this on, please write integration tests. :pray:

    opened by JakeHartnell 1
  • Cleanup

    Cleanup

    Prepping for future work with a bunch of small clean up, mostly making the dev environment a bit nicer. Borrowed heavily from the DAO DAO contracts repo.

    • Closes #72
    • Closes #70
    • Closes #71
    opened by JakeHartnell 0
  • Fix `cargo doc`

    Fix `cargo doc`

    Documentation generation fails with:

    error: document output filename collision
    The bin `schema` in package `mesh-lockup v0.1.0 (/home/meow/Dev/CosmWasm/mesh-securme as the bin `schema` in package `mesh-consumer v0.1.0 (/home/meow/Dev/CosmWasm/meOnly one may be documented at once since they output to the same path.
    
    good first issue 
    opened by JakeHartnell 0
  • Add notice of new repo for production code

    Add notice of new repo for production code

    As I have been working on docs, I realized it will be much messier and error prone to try to convert all these contracts.

    Rather, we created a new repo for production code (under Osmosis, who is funding this multi-chain initiative). This repo will remain as it is, a working prototype you can play with. The other will be focused building towards a stable version.

    opened by ethanfrey 0
  • Change lockup to vault

    Change lockup to vault

    This PR changes mesh-lockup to mesh-vualt.

    • tests pass
    • renaming completed
    • checked the ts too

    closes: #75

    • https://github.com/CosmWasm/mesh-security/issues/75
    opened by faddat 0
  • Allowlist of providers

    Allowlist of providers

    Mesh-lockup contract should maintain a list of vetted providers to be used by UIs, etc.

    Configuration could control whether use of providers outside of this list would be allowed.

    opened by JakeHartnell 0
Owner
CosmWasm
Secure Multi-Chain Smart Contracts on the Cosmos SDK
CosmWasm
Firmware, application and documentation for the hackathon

eclipsecon-2022-hackathon WORK IN PROGRESS This repository contains software, firmware and documentation for the EclipseCon 2022 hackathon. Bluetooth

Eclipse IoT Working Group 6 Oct 27, 2022
Hackathon project, not production ready (yet)

Ledger Nano PIV Application This is a Ledger Hackathon project targeted on building a PIV compatible Ledger Nano X/S+ application. The focus of this a

Ledger 6 Dec 20, 2022
Rust implementation of the Matter protocol. Status: Experimental

matter-rs: The Rust Implementation of Matter Build Building the library: $ cd matter $ cargo build Building the example: $ cd matter $ RUST_LOG="matt

Connectivity Standards Alliance 12 Jan 5, 2023
A prototype implementation of the Host Identity Protocol v2 for bare-metal systems, written in pure-rust.

Host Identity Protocol for bare-metal systems, using Rust I've been evaluating TLS replacements in constrained environments for a while now. Embedded

null 31 Dec 12, 2022
Prototype: ORAM and related for Intel SGX enclaves

mc-oblivious Traits and implementations for Oblivious RAM inside of Intel SGX enclaves. The scope of this repository is: Traits for fast constant-time

MobileCoin 37 Nov 23, 2022
A fast tool to scan prototype pollution vulnerability written in Rust. 🦀

ppfuzz Prototype Pollution Fuzzer A fast tool to scan prototype pollution vulnerability written in Rust. ?? Installation Binary Source Dependencies Us

Dwi Siswanto 410 Dec 27, 2022
A prototype project integrating jni rust into Kotlin and using protobuf to make them work together

KotlinRustProto a prototype project integrating jni rust into Kotlin and using protobuf to make them work together How to start add a RPC call in Droi

woo 11 Sep 5, 2022
NIP-41 "HD" Key Invalidation Prototype

NIP-41 "HD" Key Invalidation Prototype NIP-41 is a proposal for a scheme whereby a Nostr identity key can be invalidated to a new one safely. nostr-pr

optout 3 Apr 19, 2023
Prototype risk modeling simulation for Portfolio using Arbiter.

proto-sim Prototype simulation using Arbiter as the simulation & agent engine. Build & Run build.sh cargo run Arbiter config The arbiter.toml config

Primitive 13 Aug 14, 2023
A Rust implementation of the Message Layer Security group messaging protocol

Molasses An extremely early implementation of the Message Layer Security group messaging protocol. This repo is based on draft 4 of the MLS protocol s

Trail of Bits 109 Dec 13, 2022
Bindings to the macOS Security.framework

macOS/iOS Security framework for Rust Documentation Bindings to the Apple's Security.framework. Allows use of TLS and Keychain from Rust. License Lice

Kornel 172 Dec 24, 2022
A suite of programs for Solana key management and security.

?? goki Goki is a suite of programs for Solana key management and security. It currently features: Goki Smart Wallet: A wallet loosely based on the Se

Goki Protocol 157 Dec 8, 2022
Audit Cargo.lock files for dependencies with security vulnerabilities

RustSec Crates ?? ??️ ?? The RustSec Advisory Database is a repository of security advisories filed against Rust crates published via crates.io. The a

RustSec 1.2k Dec 30, 2022
An uploader honeypot designed to look like poor website security.

HoneyUp An uploader honeypot designed to look like poor website security. Requirements Linux server NGiNX Rust toolchain (build only) Installation Bui

Chad Baxter 21 Dec 20, 2022
Ingraind - a security monitoring agent built around RedBPF for complex containerized environments and endpoints.

ingraind is a security monitoring agent built around RedBPF for complex containerized environments and endpoints. The ingraind agent uses eBPF probes to provide safe and performant instrumentation for any Linux-based environment.

KingoOo 5 Apr 6, 2022
security.txt for Solana Contracts

security.txt This library defines a macro, which allows developers to provide easy-to-parse information to security researchers that wish to contact t

Neodyme 79 Dec 28, 2022
Automated security testing for open source libraries and applications.

autovet continuously searches for security breaches in open source libraries and applications. Recently processed packages package version channel las

null 5 Aug 23, 2022
Open-source tool to enforce privacy & security best-practices on Windows and macOS, because privacy is sexy 🍑🍆

privacy-sexy Open-source tool to enforce privacy & security best-practices on Windows and MacOs, because privacy is sexy ?? ?? privacy-sexy is a data-

Subconscious Compute 3 Oct 20, 2022
Koofr Vault is an open-source, client-side encrypted folder for your Koofr cloud storage offering an extra layer of security for your most sensitive files.

Koofr Vault https://vault.koofr.net Koofr Vault is an open-source, client-side encrypted folder for your Koofr cloud storage offering an extra layer o

Koofr 12 Dec 30, 2022