Improve locking mechanism for parachains #14
Conversation
|
This makes sense to me. Basically, the idea is:
So the solution is: detect when a chain is broken at genesis, allow the chain manager to fix it, lock the chain as soon as it is shown to be "alive". This obviously will not work for every possible scenario which parachain teams may encounter. For example a chain which set the wrong sudo key or multi-sig and stuff like that, which can produce blocks, but then does not have access to their governance. That is fine, still better than the current situation for sure. The question here is then: Shouldn't we just lock a parachain on the production of block 1? I don't see an advantage to a chain getting locked, then getting unlocked, then getting locked again. Chains with some malicious intention could always fake being broken at genesis to then unlock their chain, so might as well assume every chain is unlocked until it produces it first block. This should overall simplify the logic of this locking system, since there is a single definite point where we add the lock, and no need to detect for a pause or anything else to trigger an unlock. So suggestion to the RFC is:
|
The chain could be locked before it is onboarded. For example, create a crowdloan will apply the lock. The para manager can also voluntarily lock the parachain. My proposal will allow rescue parachain for such cases. |
|
We lock a parachain during a crowdloan to prevent the code from significantly changing from what the users thought they were contributing to. However, it seems like:
As for para managers voluntarily locking their parachain, seems like they might only want to do it after the first block anyway. |
I think this is a great solution/compromise, it doesn't add as much complexity to the locking system and also solves the most common issue that teams would face. Besides, runtime issues unrelated to block production (like incorrect sudo keys) can always be tested before and after the parachain code registration using tools like Chopsticks, and then can be easily fixed before the parachain actually gets a slot/buys core time by updating the code before the chain is allowed to produce block 1. |
|
I agree crowdloan lock introduces more trouble than assurances. One more question about the suggested approach: How to handle existing parachains? With my suggestion, parachains that never produced block will automatically be unlocked. With the new approach, they won't, and should we have a migration for them? |
|
I think it's fair to do a migration and unlock every ParaId that never
produced block number 1. Would there be any drawbacks to this?
…On Tue, Jul 25, 2023, 15:17 Xiliang Chen ***@***.***> wrote:
I agree crowdloan lock introduces more trouble than assurances.
One more question about this approach: How to handle existing parachains?
With my suggestion, parachains that never produced block will automatically
be unlocked. With the new approach, they won't, and should we have a
migration for them?
—
Reply to this email directly, view it on GitHub
<#14 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AHGXNIRKKIIDGJVPOG4HVTTXSBAWJANCNFSM6AAAAAA2WN2JXE>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
I can't think much reasons why we shouldn't do that. But I also want to see a few more supports before making the adjustments. |
|
@xlc i think unlocking them seems fine. If we can contact the teams, perhaps we can simply ask them what they would like us to do. Wouldn't be too crazy to make a hand-coded migration for something like this. |
|
It is only the parachains with lease but never produced blocks are qualified for unlock, so I will image it won't be an easy task to contact them. |
|
|
||
| - Parachain teams | ||
|
|
||
| ## Explanation |
There was a problem hiding this comment.
Describe which areas of the runtime will be altered - pallets, interfaces, XCM calls, origins?
There was a problem hiding this comment.
I am not exactly sure what to put for those without making this too much implementation details. This doesn't alter public interfaces and which pallet to modify shouldn't matter.
Co-authored-by: asynchronous rob <[email protected]>
Co-authored-by: asynchronous rob <[email protected]>
|
@shawntabrizi @arrudagates @rphmeier I have updated the RFC to use @shawntabrizi 's mechanism. i.e. only lock parachain when a new block is introduced. Please take another look. |
|
Looks good to me! It is possible to also solve the issue of parachains being unable to swap leases if they halt while being locked, but with Polkadot 2.0 being worked on, that won't be necessary. |
|
With Agile Coretime and the removal of crowdloans, there's no need for locking. |
That's why this is a short term solution and #16 should result in a long term solution compatible with Agile Coretime. |
How so? Having a single account that can do whatever to a parachain does not sound desirable for an established parachain with significant funds on it. |
It's definitely part of the security model for a parachain. Users should simply be aware of this for their trust model. |
What @rphmeier said, though the possibility I was especially considering was setting it to the Sovereign Account of some semi-trusted collective such as the Ecosystem Technical Fellowship or the Polkadot Alliance. The original point of the lock was to ensure that those engaging in a crowdloan which would necessarily have been prior to parachain launch would have a guarantee that the parachain would launch with code corresponding to the advertised code hash. |
anaelleltd
added
Implemented
xlc
added
Implemented
If this is accepted, I plan to implement this to close paritytech/polkadot#7539
Draft PR for Polkadot paritytech/polkadot#7560