feat(sequencers): whitelisted relayers

[keruch]

Description

ADR link https://www.notion.so/dymension/ADR-Whitelisted-Relayer-Fee-Exemption-in-Rollapp-104a4a51f86a80e8ad94c916c87deb17
Closes dymensionxyz/dymension#1226

---

Closes #XXX

All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow-up issues.

PR review checkboxes:

I have...

• Added a relevant changelog entry to the Unreleased section in CHANGELOG.md
• Targeted PR against the correct branch
• included the correct type prefix in the PR title
• Linked to the GitHub issue with discussion and accepted design
• Targets only one GitHub issue
• Wrote unit and integration tests
• Wrote relevant migration scripts if necessary
• All CI checks have passed
• Added relevant godoc comments
• Add an issue in the e2e-tests repo if necessary

SDK Checklist

• Import/Export Genesis
• Registered Invariants
• Registered Events
• Updated openapi.yaml
• No usage of go map
• No usage of time.Now()
• Used fixed point arithmetic and not float arithmetic
• Avoid panicking in Begin/End block as much as possible
• No unexpected math Overflow
• Used sendCoin and not SendCoins
• Out-of-block compute is bounded
• No serialized ID at the end of store keys
• UInt to byte conversion should use BigEndian

Full security checklist here

---

For Reviewer:

• Confirmed the correct type prefix in the PR title
• Reviewers assigned
• Confirmed all author checklist items have been addressed

---

After reviewer approval:

• In case the PR targets the main branch, PR should not be squash merge in order to keep meaningful git history.
• In case the PR targets a release branch, PR must be rebased.

[zale144]

looks good. left a couple of questions

The base branch was changed.

[keruch]

the task is suspended until the RollApp-Hub ADR is ready.

[keruch]

the PR is ready for review once again!

[mtsitrin]

how this TX prevented from being sent manually on the L2?

[omritoptix]

as discussed, it can be sent by only by the owner of the address (i.e sequencer can update it's own reward and relayer address which is fine)

[mtsitrin]

I'm not talking about the update msgs, but the UpsertSequencer which creates new sequencer.
It's supposed to be treated solely as Consesnsus msg

[mtsitrin]

anyway, if it can be run by L2 users, we need to validate the pubkey (as we had in create_sequencer before).
I prefer to handle it as trusted consensus msg

[omritoptix]

as discussed gonna block it from running by the L2.

[keruch]

i added a hack what allows the message to be executed only as part of RequestBeginBlocker.

basically, we say that the only signer is x/seqeucners module addr, thus in practice no one can sign this message. however, while processing consensus msgs, we trigger the execution through MsgServiceRouter and bypass the ante handler that verifies signatures, thus this msg can be executed as consensus msg.

// GetSigners returns signers of the msg. The only signer is x/sequencers which allows this msg
// to be executed only as part of consensus msgs.
func (m *ConsensusMsgUpsertSequencer) GetSigners() []sdk.AccAddress {
	authority := authtypes.NewModuleAddress(ModuleName)
	return []sdk.AccAddress{authority}
}

[omritoptix]

the export genesis is explicitly setting the reward address though we have this already as a field on the sequencer (old code). not sure why?

// ExportGenesis returns the sequencers module's exported genesis.
func (k *Keeper) ExportGenesis(ctx sdk.Context) *types.GenesisState {
	genesis := types.DefaultGenesis()
	genesis.Params = k.GetParams(ctx)

	sequencersAsValidators := k.GetAllSequencers(ctx)
	genesis.Sequencers = make([]types.Sequencer, len(sequencersAsValidators))
	for i, v := range sequencersAsValidators {
		genesis.Sequencers[i].Validator = &v
		rewardAddr, ok := k.GetRewardAddr(ctx, v.GetOperator())
		if ok {
			genesis.Sequencers[i].RewardAddr = rewardAddr.String()
		}
	}

	return genesis
}

Also seems like we're not setting the RelayerAddress collection upon genesis import?

[keruch]

the export genesis is explicitly setting the reward address though we have this already as a field on the sequencer (old code). not sure why?

@omritoptix we don't store Sequencer type anywhere, it's used only for genesis. instead, we store 3 keys in the state: staking.Validator, whitelisted relayers, reward addr. i did this due to backward compatibility (previously we were storing only staking.Validator).