Summary

Please provide a way for app modules (like Agoric's x/swingset) to add additional state to the snapshots generated by the state-sync mechanism for the new clients to download.

@erikgrinaker said on Discord:

Currently the Cosmos SDK automatically dumps IAVL data from the rootmulti store, there aren't any hooks to extend this - but feel free to open a feature request for it, although it'll likely need some design work.

Problem Definition

For the https://agoric.com chain, we maintain some crucial (and large) state outside of the IAVL tree. We'd like our x/swingset module to be able to save external state to snapshots so that when the snapshot is downloaded by clients doing state-sync, they will be able to use our external state to catch up to the external state of the chain as well.

We use the Cosmos SDK as I/O from our deterministic Javascript world. So, if a new validator is going to skip past (many) blocks while using state-sync, that validator also needs to download enough information to allow it to skip past evaluating all the blocks to update the JS heap.

The feature will accommodate chains that have state outside of the IAVL tree.

There will be greater complexity to include this feature, but it will make state-sync more general.

Proposal

Somehow provide a callback so that app modules can choose to publish additional state to the snapshots. Also, allow the module to decide how to interpret that downloaded state during state-sync. I don't have suggestions for how to accomplish this and am leaning on the Cosmos SDK team to decide the best course of action.

On Discord, @zmanian said:

I suspect the Agoric heap state will be large enough that it should be sent as multiple chunks

and @erikgrinaker replied:

That shouldn't really be a problem, we currently just chunk a byte stream of serialized data items. It shouldn't be too hard to extend this with additional item types, but needs some sort of API to register schemas and (de)serializers and such. I suppose in the most naïve case the API could just export a binary reader/writer, although that might prevent us from implementing any sort of incremental chunk verification scheme later.

For Admin Use

• [ ] Not duplicate issue
• [ ] Appropriate labels applied
• [ ] Appropriate contributors tagged
• [ ] Contributor assigned/self-assigned

Problem Definition

The Cosmos SDK has historically used Amino JSON for signing of transactions whereas Amino binary is used for encoding. During the SDK's migration to protobuf, we had made the preliminary decision to use a canonical protobuf JSON encoding for signing as described in https://github.com/regen-network/canonical-proto3.

As a consequence of #6030, the Cosmos SDK is moving in the direction of using protobuf's Any type for the transaction encoding and signing format. In this discussion, a number of participants have asked that we revisit the transaction signing discussion. The options that have been discussed/are available for consideration are outlined below.

It should be noted that it is theoretically possible to support more than one of the following options via an enum flag on the signature. Whether that should or should not be done is a related question.

Proposals

Feel free to suggest updates to these alternatives in the comments

(1) Protobuf canonical JSON

The official proto3 spec defines a canonical mapping to JSON. This is not really deterministic, however, so we define a canonical encoding on top of that using https://gibson042.github.io/canonicaljson-spec/.

Pros:

• By including field names, JSON is more self-describing than proto and is somewhat human-readable
• Can prevent certain user errors made when manually copying proto definitions or if proto definitions are changed between versions (shouldn't be done)
• Relatively easy migration for existing signing tools like the Ledger app
• Causes transaction verifiers to reject unknown fields which is generally correct

Cons:

• Converting to another format for signing may introduce transaction malleability vulnerabilities - i.e when different encoding representations map to a single signing representation. This is known to exist, at least for Timestamp, although that malleability is likely un-exploitable.
• Requires clients to have proto JSON and canonical JSON in addition to protobuf. There are very few implementations of canonical JSON (only go as far as we know) and some protobuf implementations don't implement proto JSON correctly (none of the Rust ones do for example)
• Doesn't bech32 encode addresses, pubkeys, etc. like Amino JSON
• By default, encodes fields in lowerCamelCase, i.e. some_field becomes someField
• Special treatment for well known types (e.g. Timestamp, Any, Duration, Struct) not necessarily supported well in existing libraries.
• And kind of renaming in field names leads to breaking changes of the message

(2) Protobuf canonical binary

This involves re-encoding the protobuf used for transaction encoding canonically for signing - meaning that fields must be ordered and defaults omitted. This is how Weave does signing.

Pros:

• Simpler for clients to implement, most protobuf implementations serialize things canonically
• Canonicalization could prevent a certain small class of user errors (if the wrong protobuf definition was used to encode a message)
• Renaming fields is a non-breaking change (as long as semantics don't change)
• Causes transaction verifiers to reject unknown fields which is generally correct

Cons:

• Introduces a subtle transaction malleability vulnerability if modules attempt to use proto2 semantics - i.e. interpret null/omitted differently from default/zero
• Not all protobuf implementations serialize things canonically and may require an additional canonicalization layer
• Doesn't prevent user errors made to reordering fields when copying or modifying proto files (like JSON does), but this should be much less of an issue using Any (because the full type URL is included and oneof's are not copied manually) and breaking change checkers like Buf/Prototool
• Hard to implement in the Ledger app for many/arbitrary message types

(3) Protobuf binary as encoded in transaction

This simply uses the protobuf encoding as broadcast in the transaction. This becomes a little easier for both signature creation and verification because of Any (although it could be done without Any too). Because Any wraps the raw bytes of the sdk.Msg, it is pretty easy to use these same exact bytes for signing and verification and only require that SignDoc itself is encoded canonically, rather than every Msg 

Pros:

• Simpler for clients to implement than even (2). All implementations should pretty much just work
• Is not vulnerable to proto2 semantics transaction malleability as (2)

Cons:

• Same as (2) in not preventing user errors related to manually copying or tampering with proto definitions, although less of an issue with Any
• Does not cause transaction verifiers to reject unknown fields (unlike 1, 2 & 4) which may lead to unexpected behavior for comments

(4) Amino JSON

This is how tx's are signed currently. The reason this is under consideration is because breaking Amino JSON signing would break many clients especially the ledger app. Transactions could still be encoded with protobuf and the /tx/encode endpoint could accept Amino JSON and return protobuf rather than amino binary for tx broadcasting - some upfront work would be required to enable this but it is possible

Pros:

• Doesn't break existing clients right away
• Doesn't introduce new transaction malleability issues that weren't already there
• Bech32 encodes addresses, pubkeys, etc. for better readability than (1)
• Causes transaction verifiers to reject unknown fields which is generally correct

Cons:

• Delays the deployment of protobuf signing, although Amino JSON signing could be enabled via a flag on Signature so maybe this is a non-issue
• Requires an additional layer on top of protobuf with information that isn't conveyed by the protobuf schema and so far lacks extensive library support

(5) Custom Proto JSON

Extend (1) to support custom encoding of certain types like bech32 addresses

Pros:

• The same benefits as Amino JSON for signing with embedded devices but derived from .proto files, i.e. human readable bech32 addresses and keys
• An easier migration path than (1)
• Does not try to re-use an encoding that was never designed to be deterministic (multiple signing algorithms?)

Cons:

• Requires a possibly even more complex custom JSON layer on top of protobuf plus extensions to protobuf field to indicate custom formatting like bech32
• Every signature verifier (on and off-chain) needs to maintain support all options (forever)

Related Question: Should we allow multiple signing algorithms?

Theoretically we can allow clients to use multiple signing algorithms and indicate which one they used as an enum flag on the Signature struct.

Pros:

• allows clients to sign with the method they feel are able to use and feel most secure with
• allows Amino JSON compatibility without delaying protobuf signing support

Cons:

• increases the number of vulnerability paths that need auditing
• increases maintenance requirements for supporting multiple paths* leaves too much responsibility to clients rather than making an opinionated, well-informed decision

For Admin Use

• [ ] Not duplicate issue
• [ ] Appropriate labels applied
• [ ] Appropriate contributors tagged
• [ ] Contributor assigned/self-assigned

Description

ADR for arbitrary message signature to allow cosmos-sdk users to create and verify messags, where by message we intend arbitrary bytes (json files, text, etc).

Tentative implementation: https://github.com/cosmos/cosmos-sdk/pull/7896

Before we can merge this PR, please make sure that all the following items have been checked off. If any of the checklist items are not applicable, please leave them but write a little note why.

• [ ] Targeted PR against correct branch (see CONTRIBUTING.md)
• [ ] Linked to Github issue with discussion and accepted design OR link to spec that describes this work.
• [ ] Code follows the module structure standards.
• [ ] Wrote unit and integration tests
• [ ] Updated relevant documentation (docs/) or specification (x/<module>/spec/)
• [ ] Added relevant godoc comments.
• [ ] Added a relevant changelog entry to the Unreleased section in CHANGELOG.md
• [ ] Re-reviewed Files changed in the Github PR explorer
• [ ] Review Codecov Report in the comment section below once CI passes

Description

This is draft PR closes: #7108

Before we can merge this PR, please make sure that all the following items have been checked off. If any of the checklist items are not applicable, please leave them but write a little note why.

• [ ] Targeted PR against correct branch (see CONTRIBUTING.md)
• [ ] Linked to Github issue with discussion and accepted design OR link to spec that describes this work.
• [ ] Code follows the module structure standards.
• [ ] Wrote unit and integration tests
• [ ] Updated relevant documentation (docs/) or specification (x/<module>/spec/)
• [ ] Added relevant godoc comments.
• [ ] Added a relevant changelog entry to the Unreleased section in CHANGELOG.md
• [ ] Re-reviewed Files changed in the Github PR explorer
• [ ] Review Codecov Report in the comment section below once CI passes

This is linked to meta-issue #7096.

Summary

This issue discusses potential approaches to the ongoing maintenance or replacement of IAVL.

Problem Description

It our understanding that IAVL has effectively become an orphaned project within the Cosmos ecosystem. I don't have a good understanding of all of the issues related to IAVL, but welcome those with more context to share. /cc @ethanfrey @erikgrinaker @alexanderbez

Proposals

Overhaul IAVL

A complete overhaul has been proposed as one solution. I don't have the context fully for why this is needed, but would appreciate those who do to share those details here.

Replace IAVL

Replacing IAVL with a more mature alternative has been proposed as well. I'll just list out the alternatives that have been mentioned here:

• https://github.com/oasisprotocol/oasis-core/tree/master/go/storage/mkvs
  • @zmanian said: "It appears to support the same core features including state sync. I suspect it's of higher engineering quality and has a maintainer."
• https://github.com/lazyledger/smt
  • https://twitter.com/musalbas/status/1294624434226167810?s=21
  • has no GC/pruning
  • /cc @hxrts @marbar3778 @liamsi
• https://github.com/yihuang/libra-jellyfish-merkle
  • /cc @hxrts
  • https://github.com/crypto-com/chain/blob/6d22c38c62778a60a77324e86d12a000171fb3b0/architecture-docs/adr-003.md

ref: #7093 #7421

This ADR introduces a system for permissioned inter-module communication leveraging the protobuf Query and Msg service definitions defined in ADR 021 and ADR 031 which provides:

• stable module interfaces to eventually replace the keeper paradigm based on protobuf
• stronger inter-module object capabilities guarantees
• module accounts and sub-account authorization (#4657)

It is intended serve as a foundational piece in the roadmap towards Cosmos SDK v1.0.

Before we can merge this PR, please make sure that all the following items have been checked off. If any of the checklist items are not applicable, please leave them but write a little note why.

• [ ] Targeted PR against correct branch (see CONTRIBUTING.md)
• [ ] Linked to Github issue with discussion and accepted design OR link to spec that describes this work.
• [ ] Code follows the module structure standards.
• [ ] Wrote unit and integration tests
• [ ] Updated relevant documentation (docs/) or specification (x/<module>/spec/)
• [ ] Added relevant godoc comments.
• [ ] Added a relevant changelog entry to the Unreleased section in CHANGELOG.md
• [ ] Re-reviewed Files changed in the Github PR explorer
• [ ] Review Codecov Report in the comment section below once CI passes

Description

replace: #9284 ref: #9174 #9065

This ADR defines a generic NFT module of x/nft ~~which supports NFTs as a proto.Any and contains BaseNFT as the default implementation.~~, which supports storing NFT by id and owner, and contains the data field as proto.Any to extend the usage scenarios of NFTs.

Before we can merge this PR, please make sure that all the following items have been checked off. If any of the checklist items are not applicable, please leave them but write a little note why.

• [x] Targeted PR against correct branch (see CONTRIBUTING.md)
• [x] Linked to Github issue with discussion and accepted design OR link to spec that describes this work.
• [x] Code follows the module structure standards.
• [ ] Wrote unit and integration tests
• [ ] Updated relevant documentation (docs/) or specification (x/<module>/spec/)
• [x] Added relevant godoc comments.
• [ ] Added a relevant changelog entry to the Unreleased section in CHANGELOG.md
• [x] Re-reviewed Files changed in the Github PR explorer
• [x] Review Codecov Report in the comment section below once CI passes

Description

Before this PR, delegation and undelegation calculations made during accounting operations for vesting accounts were made correct but not written back to the account store.

This PR fixes that behavior.

closes: #8601 closes: #8812

Before we can merge this PR, please make sure that all the following items have been checked off. If any of the checklist items are not applicable, please leave them but write a little note why.

• [ ] Targeted PR against correct branch (see CONTRIBUTING.md)
• [ ] Linked to Github issue with discussion and accepted design OR link to spec that describes this work.
• [ ] Code follows the module structure standards.
• [ ] Wrote unit and integration tests
• [ ] Updated relevant documentation (docs/) or specification (x/<module>/spec/)
• [ ] Added relevant godoc comments.
• [ ] Added a relevant changelog entry to the Unreleased section in CHANGELOG.md
• [ ] Re-reviewed Files changed in the Github PR explorer
• [ ] Review Codecov Report in the comment section below once CI passes

Description

Validators using the default pruning config may end up with many old blocks due to pruning-keep-every = "500"

This is a proof of concept showing how a gradual pruning of much older state can be removed without needing to unsafe-reset-all

Questions

Is there any danger to pruning older blocks that are no longer necessary for a "pure" validator? (no API role)

Is extending PruningOptions to include new options from app.toml desirable?

What is the right way to log from store/rootmulti/store.go?

Are we able to somehow see the [state-sync] snapshot-interval / snapshot-keep-recent variables from store/rootmulti/store.go to avoid removing required blocks?

Is there any extensive testing that is desired when implementing this change? At the core it only adds additional heights to be pruned which is not a very special operation.

Since each chain uses a different cosmos-sdk version, is there a proper release/v0.##.x branch(es) to target first/later?

Author Checklist

I have...

• [X] included the correct type prefix in the PR title
• [ ] added ! to the type prefix if API or client breaking change - N/A
• [X] targeted the correct branch (see PR Targeting)
• [ ] provided a link to the relevant issue or specification - N/A
• [ ] followed the guidelines for building modules - N/A?
• [x] included the necessary unit and integration tests
• [ ] added a changelog entry to CHANGELOG.md - TODO after branch selection
• [X] included comments for documenting Go code
• [ ] updated the relevant documentation or specification - TODO
• [X] reviewed "Files changed" and left comments if necessary
• [ ] confirmed all CI checks have passed - TODO

Reviewers Checklist

I have...

• [ ] confirmed the correct type prefix in the PR title
• [ ] confirmed ! in the type prefix if API or client breaking change
• [ ] confirmed all author checklist items have been addressed
• [ ] reviewed state machine logic
• [ ] reviewed API design and naming
• [ ] reviewed documentation is accurate
• [ ] reviewed tests and test coverage
• [ ] manually tested (if applicable)

Adding upgrade file watcher for cosmovisor.

Currently the comswisor upgrade mechanism relays on parsing log messages. This is not reliable:

• depends on the log level output (x/upgrade uses INFO)
• can be hacked by accidentally logging user user content
• can be broken by using upgrade name which will break the regex pattern.

closes: #7703 closes: #8523 closes: #8651 closes: #8793 closes: #8964

Depends on:

• #9652

Before we can merge this PR, please make sure that all the following items have been checked off. If any of the checklist items are not applicable, please leave them but write a little note why.

• [ ] Targeted PR against correct branch (see CONTRIBUTING.md)
• [ ] Linked to Github issue with discussion and accepted design OR link to spec that describes this work.
• [ ] Code follows the module structure standards.
• [ ] Wrote unit and integration tests
• [ ] Updated relevant documentation (docs/) or specification (x/<module>/spec/)
• [ ] Added relevant godoc comments.
• [ ] Added a relevant changelog entry to the Unreleased section in CHANGELOG.md
• [ ] Re-reviewed Files changed in the Github PR explorer
• [ ] Review Codecov Report in the comment section below once CI passes

Description

Closes: #10310 Solution:

• only call skipUntilExistsOrInvalid at construction and end of Next, cache the valid status
• use tidwall btree directly instead of memdb.

run benchmark: go test -run=^$ -bench=. -benchmem ./store/cachekv/benchmark_test.go -count=10. benchstat compare result:

$ benchstat before.txt after.txt
name                   old time/op    new time/op    delta
DeepContextStack1-12     11.2µs ±12%     5.7µs ± 1%   -48.57%  (p=0.000 n=10+8)
DeepContextStack3-12     32.2µs ±16%     7.1µs ± 2%   -77.99%  (p=0.000 n=9+9)
DeepContextStack10-12     244ms ±17%       0ms ±10%   -99.99%  (p=0.000 n=10+10)
DeepContextStack13-12     16.5s ± 1%      0.0s ± 1%  -100.00%  (p=0.000 n=10+10)

name                   old alloc/op   new alloc/op   delta
DeepContextStack1-12     3.94kB ± 0%    3.03kB ± 0%   -23.12%  (p=0.000 n=10+10)
DeepContextStack3-12     6.33kB ± 0%    3.59kB ± 0%   -43.24%  (p=0.000 n=10+10)
DeepContextStack10-12    15.1kB ± 1%     5.6kB ± 0%   -63.27%  (p=0.000 n=10+10)
DeepContextStack13-12    20.8kB ± 0%     6.4kB ± 0%   -69.20%  (p=0.000 n=10+10)

name                   old allocs/op  new allocs/op  delta
DeepContextStack1-12       50.0 ± 0%      42.0 ± 0%   -16.00%  (p=0.000 n=10+10)
DeepContextStack3-12       74.0 ± 0%      50.0 ± 0%   -32.43%  (p=0.000 n=10+10)
DeepContextStack10-12       172 ± 2%        78 ± 0%   -54.62%  (p=0.000 n=10+10)
DeepContextStack13-12       272 ± 0%        90 ± 0%   -66.91%  (p=0.000 n=10+10)

Author Checklist

All items are required. Please add a note to the item if the item is not applicable and please add links to any relevant follow up issues.

I have...

• [ ] included the correct type prefix in the PR title
• [ ] added ! to the type prefix if API or client breaking change
• [ ] targeted the correct branch (see PR Targeting)
• [ ] provided a link to the relevant issue or specification
• [ ] followed the guidelines for building modules
• [ ] included the necessary unit and integration tests
• [ ] added a changelog entry to CHANGELOG.md
• [ ] included comments for documenting Go code
• [ ] updated the relevant documentation or specification
• [ ] reviewed "Files changed" and left comments if necessary
• [ ] confirmed all CI checks have passed

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add your handle next to the items reviewed if you only reviewed selected items.

I have...

• [ ] confirmed the correct type prefix in the PR title
• [ ] confirmed ! in the type prefix if API or client breaking change
• [ ] confirmed all author checklist items have been addressed
• [ ] reviewed state machine logic
• [ ] reviewed API design and naming
• [ ] reviewed documentation is accurate
• [ ] reviewed tests and test coverage
• [ ] manually tested (if applicable)

how to distribute inflated tokens per tokenomics?

If i understand it correctly, the distribution module distributes the newly minted tokens only to validators and community pool. Could you clarify if multiple additional pools and their accounts can be configured for token distribution after minting?

Description

Implements pagination logic for a collection.

Author Checklist

All items are required. Please add a note to the item if the item is not applicable and please add links to any relevant follow up issues.

I have...

• [ ] included the correct type prefix in the PR title
• [ ] added ! to the type prefix if API or client breaking change
• [ ] targeted the correct branch (see PR Targeting)
• [ ] provided a link to the relevant issue or specification
• [ ] followed the guidelines for building modules
• [ ] included the necessary unit and integration tests
• [ ] added a changelog entry to CHANGELOG.md
• [ ] included comments for documenting Go code
• [ ] updated the relevant documentation or specification
• [ ] reviewed "Files changed" and left comments if necessary
• [ ] confirmed all CI checks have passed

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add your handle next to the items reviewed if you only reviewed selected items.

I have...

• [ ] confirmed the correct type prefix in the PR title
• [ ] confirmed ! in the type prefix if API or client breaking change
• [ ] confirmed all author checklist items have been addressed
• [ ] reviewed state machine logic
• [ ] reviewed API design and naming
• [ ] reviewed documentation is accurate
• [ ] reviewed tests and test coverage
• [ ] manually tested (if applicable)

Description

Ref: #14446 Audit: #13951

Author Checklist

All items are required. Please add a note to the item if the item is not applicable and please add links to any relevant follow up issues.

I have...

• [ ] included the correct type prefix in the PR title
• [ ] added ! to the type prefix if API or client breaking change
• [ ] targeted the correct branch (see PR Targeting)
• [ ] provided a link to the relevant issue or specification
• [ ] followed the guidelines for building modules
• [ ] included the necessary unit and integration tests
• [ ] added a changelog entry to CHANGELOG.md
• [ ] included comments for documenting Go code
• [ ] updated the relevant documentation or specification
• [ ] reviewed "Files changed" and left comments if necessary
• [ ] confirmed all CI checks have passed

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add your handle next to the items reviewed if you only reviewed selected items.

I have...

• [ ] confirmed the correct type prefix in the PR title
• [ ] confirmed ! in the type prefix if API or client breaking change
• [ ] confirmed all author checklist items have been addressed
• [ ] reviewed state machine logic
• [ ] reviewed API design and naming
• [ ] reviewed documentation is accurate
• [ ] reviewed tests and test coverage
• [ ] manually tested (if applicable)

Description

Author Checklist

All items are required. Please add a note to the item if the item is not applicable and please add links to any relevant follow up issues.

I have...

• [ ] included the correct type prefix in the PR title
• [ ] added ! to the type prefix if API or client breaking change
• [ ] targeted the correct branch (see PR Targeting)
• [ ] provided a link to the relevant issue or specification
• [ ] followed the guidelines for building modules
• [ ] included the necessary unit and integration tests
• [ ] added a changelog entry to CHANGELOG.md
• [ ] included comments for documenting Go code
• [ ] updated the relevant documentation or specification
• [ ] reviewed "Files changed" and left comments if necessary
• [ ] confirmed all CI checks have passed

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add your handle next to the items reviewed if you only reviewed selected items.

I have...

• [ ] confirmed the correct type prefix in the PR title
• [ ] confirmed ! in the type prefix if API or client breaking change
• [ ] confirmed all author checklist items have been addressed
• [ ] reviewed state machine logic
• [ ] reviewed API design and naming
• [ ] reviewed documentation is accurate
• [ ] reviewed tests and test coverage
• [ ] manually tested (if applicable)

Description

Closes: #14406

Author Checklist

All items are required. Please add a note to the item if the item is not applicable and please add links to any relevant follow up issues.

I have...

• [ ] included the correct type prefix in the PR title
• [ ] added ! to the type prefix if API or client breaking change
• [ ] targeted the correct branch (see PR Targeting)
• [ ] provided a link to the relevant issue or specification
• [ ] followed the guidelines for building modules
• [ ] included the necessary unit and integration tests
• [ ] added a changelog entry to CHANGELOG.md
• [ ] included comments for documenting Go code
• [ ] updated the relevant documentation or specification
• [ ] reviewed "Files changed" and left comments if necessary
• [ ] confirmed all CI checks have passed

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add your handle next to the items reviewed if you only reviewed selected items.

I have...

• [ ] confirmed the correct type prefix in the PR title
• [ ] confirmed ! in the type prefix if API or client breaking change
• [ ] confirmed all author checklist items have been addressed
• [ ] reviewed state machine logic
• [ ] reviewed API design and naming
• [ ] reviewed documentation is accurate
• [ ] reviewed tests and test coverage
• [ ] manually tested (if applicable)

It is becoming more and more common for Cosmos chains to use Module and vesting accounts but sending funds to a fresh Cosmos address automatically initializes the account as a BaseAccount.

We should modify the auth module with a protoaccount type that can receive funds and then be migrated to an actual account type on initialization.