Commit Graph

138 Commits

Author SHA1 Message Date
Leo 6c7ca964e4 Remove outdated TODO comments
- Metrics tracked in #11.
- Timeout and retransmits covered in #21.
- Dependency injection doesn't make sense at this scale.
- `-1` on `GenerateKeyPair` means "this doesn't make sense for Ed25519,
  please crash if anyone ever tried to generate RSA keys".

ghstack-source-id: 895162835186df360bcc526a5fb904b1567b5da9
Pull Request resolved: https://github.com/certusone/wormhole/pull/66
2020-10-28 22:47:12 +01:00
Leo 11c74dd692 bridge: refactor p2p logic into pkg/p2p
ghstack-source-id: 86417c130111ef8e7ec9f4bb5bb97729adf23cbf
Pull Request resolved: https://github.com/certusone/wormhole/pull/65
2020-10-28 22:47:12 +01:00
Leo fd27570637 bridge: remove all supervisor.SignalHealthy calls
Supervisor does not back off tasks that failed in a healthy state.

There are a couple places where we rely on supervisor for
application-level backoff, so we always want back-off. The distinction
is meant to enable runnables to implement their own specific back-off
logic, which we don't, so we can safely ignore it.

Fixes #37

ghstack-source-id: c756381b1b1598305ae6d59b2967ca7ea35aa68f
Pull Request resolved: https://github.com/certusone/wormhole/pull/64
2020-10-28 22:47:12 +01:00
Leo 8be34ac657 bridge: refactor processor logic into pkg/processor
This increases modularity in preparation for integration testing
and addition of a CLI command hierarchy.

ghstack-source-id: 9c9437323610d3d3a4745b04928eb9fdb6566963
Pull Request resolved: https://github.com/certusone/wormhole/pull/63
2020-10-28 22:47:12 +01:00
Leo bdd9d96559 bridge: bypass p2p for our own signatures
ghstack-source-id: ce2bbc780fdc6db13b3594c01aedd8ccd57d0abf
Pull Request resolved: https://github.com/certusone/wormhole/pull/60
2020-10-28 22:47:12 +01:00
Leo 45d10618ce bridge: verify LockupObservation signature
Final missing piece of the aggregation mechanism - signatures are now
verified before storing them in the aggregation.

ghstack-source-id: 3bb57c488623454370ad1bf2a38e1278c65ce9e0
Pull Request resolved: https://github.com/certusone/wormhole/pull/59
2020-10-28 22:47:12 +01:00
Leo 55fd671228 bridge: correctly calculate 2/3+ majority
Adds test vectors.

ghstack-source-id: 1f7e0d783fdcb8b0d27b621f464efd0d1cc06deb
Pull Request resolved: https://github.com/certusone/wormhole/pull/58
2020-10-28 22:47:12 +01:00
Leo 509d9c3d73 bridge: use mlockall(2) to prevent pages from being swapped out
The extra capability is harmless and is, at worst, a DoS risk.

ghstack-source-id: d30b50dbca
Pull Request resolved: https://github.com/certusone/wormhole/pull/55
2020-10-22 16:51:56 +02:00
Leo f872d0be44 bridge: improve VAA submission logging 2020-10-22 13:36:08 +02:00
Leo 9753cee14f tools.go: . -> _ import 2020-10-22 12:28:21 +02:00
Leo 096d048703 bridge: log submission for cross-submissions to Solana
ghstack-source-id: 1cf9ff2244
Pull Request resolved: https://github.com/certusone/wormhole/pull/54
2020-10-22 12:20:14 +02:00
Leo 58dcc43f17 bridge: do not resubmit submitted VAAs during aggregation
Fixes #49

ghstack-source-id: 8e03ec38f6
Pull Request resolved: https://github.com/certusone/wormhole/pull/53
2020-10-22 12:20:14 +02:00
Leo d3875ba523 bridge: do not log errors for duplicate VAA submissions
No functional change, just nicer log output.

ghstack-source-id: f946cbe71d
Pull Request resolved: https://github.com/certusone/wormhole/pull/52
2020-10-22 12:20:13 +02:00
Leo e5e6690f35 bridge: have all nodes submit VAAs to Solana
VAAs are deduplicated by the on-chain contracts. For Ethereum,
submission happens outside of the bridge anyway, and for Solana, the
first tx to be confirmed wins. Subsequent attempts to submit it
will fail in preflight, so the fee won't be spent multiple times.

This eliminates the need for leader selection and fixes #20.

ghstack-source-id: 60388d532c
Pull Request resolved: https://github.com/certusone/wormhole/pull/51
2020-10-22 12:20:13 +02:00
Leo 91241ee852 bridge/pkg/solana: retry VAA submission on transient errors
In particular, this fixes a race condition where the Solana devnet would
take longer to deploy than the ETH devnet to deploy and we'd end up
with an outdated guardian set on Solana.

We currently create a Goroutine for every pending resubmission, which
waits and blocks on the channel until solwatch is processing requests
again. This is effectively an unbounded queue. An alternative approach
would be a channel with sufficient capacity plus backoff.

Test Plan: Deployed without solana-devnet, waited for initial guardian
set change VAA to be requeued, then deployed solana-devnet.

The VAA was successfully submitted once the transient error resolved:

```
[...]
21:08:44.712Z	ERROR	wormhole-guardian-0.supervisor	Runnable died	{"dn": "root.solwatch", "error": "returned error when NODE_STATE_HEALTHY: failed to receive message from agent: EOF"}
21:08:44.712Z	INFO	wormhole-guardian-0.supervisor	rescheduling supervised node	{"dn": "root.solwatch", "backoff": 0.737286432}
21:08:45.451Z	INFO	wormhole-guardian-0.root.solwatch	watching for on-chain events
21:08:50.031Z	ERROR	wormhole-guardian-0.root.solwatch	failed to submit VAA	{"error": "rpc error: code = Canceled desc = stream terminated by RST_STREAM with error code: CANCEL", "digest": "79[...]"}
21:08:50.031Z	ERROR	wormhole-guardian-0.root.solwatch	requeuing VAA	{"error": "rpc error: code = Canceled desc = stream terminated by RST_STREAM with error code: CANCEL", "digest": "79[...]"}
21:09:02.062Z	INFO	wormhole-guardian-0.root.solwatch	submitted VAA	{"tx_sig": "4EKmH[...]", "digest": "79[...]"}
```

ghstack-source-id: 1b1d05a4cb
Pull Request resolved: https://github.com/certusone/wormhole/pull/48
2020-10-22 12:20:12 +02:00
Leo 08156ca438 bridge: move initial guardian set fetching to pkg/ethereum/watcher.go
This removes the special case in the processor. The initial guardian set
is now treated like a regular guardian set update, and the devnet
update check is executed on every update.

Fixes an edge case where processing a guardian set update would fail
with a spurious `abi: attempting to unmarshall an empty string while arguments are expected`
error, leaving the node in a bad state since restarting ethwatch
wouldn't cause the guardian set to be re-fetched.

ghstack-source-id: e580a65e90
Pull Request resolved: https://github.com/certusone/wormhole/pull/46
2020-10-22 12:20:12 +02:00
Leo 3b35ddc1ce bridge: propagate panics from runnables
Any error that can be recovered by restarting a runnable
can also be recovered from by restarting the entire process.

If we encounter a panic, it's safer to restart the process than
attempting to limp along by restarting the runnable.

We always assume that an external process manager will restart
our process if it crashes. We already rely on this behavior for
libp2p errors which we handle by terminating the process, since libp2p
maintains global state that we can't clear.

ghstack-source-id: 2f20ef764d
Pull Request resolved: https://github.com/certusone/wormhole/pull/45
2020-10-22 12:20:11 +02:00
Leo c698d4e3b9 bridge: in-place debugging using dlv
Optional support for in-place debugging using an external
IDE debugger. Disabled by default.

The dlv binary is always compiled in the Dockerfile -
this is cheap due to it only depending on go.mod.

ghstack-source-id: 58532e3017
Pull Request resolved: https://github.com/certusone/wormhole/pull/44
2020-10-22 12:20:11 +02:00
Leo 7e366b5da6 Update all Go dependencies to latest
...except for libp2p, which broke compatibility
between go-libp2p and go-libp2p-core:

https://github.com/libp2p/go-libp2p-core/issues/168

I explicitly updated all transitive dependencies using
go get -u ./..., so the top-level go.mod file grew to include those.
2020-10-16 20:48:53 +02:00
Leo 26387f43f5 Improve a log message for better comprehensibility 2020-10-08 18:00:37 +02:00
Hendrik Hofstadt 2747839bd4 bridge: use hash instead of big for signingMsg
Using Big could truncate padding which lead to hashes of len != 32

Closes #10
2020-08-31 20:17:51 +02:00
Hendrik Hofstadt d537f976f9 bridge: setup pubsub before connecting to bootnodes; buffer observations 2020-08-31 16:11:09 +02:00
Leo cb757192b3 bridge: wrap agent recv errors 2020-08-28 17:12:16 +02:00
Leo 072b4c4ddf Add repo overview to README.md 2020-08-28 15:34:42 +02:00
Hendrik Hofstadt f6750a3762 all: consider decimals on wrapped assets, fix VAA posting, fix solana account parsing 2020-08-28 15:10:42 +02:00
Hendrik Hofstadt 8e6dc495dc bridge: remove VAA timeout
Closes #35
2020-08-28 08:49:46 +02:00
Hendrik Hofstadt 1eef0b3bce bridge: use full token address 2020-08-28 08:35:59 +02:00
Leo 5a72d9029a VAA guardian devnet submission 2020-08-27 17:46:40 +02:00
Leo ed6b8d23de Update supervisor library to fix negative backoff
Fixes #9
2020-08-24 21:06:12 +02:00
Leo afa70fd473 Submit ETH VAAs to Solana for data availability 2020-08-24 16:13:27 +02:00
Leo c370a94911 Remove instructions for running devnet_setup.sh 2020-08-22 11:03:20 +02:00
Leo 57ea6ae656 Submit the right VAA to devnet 2020-08-22 00:21:57 +02:00
Leo ef2aab5998 Decouple lifecycle of processor and ethwatch
We now do an independent fetch of the guardian set.
2020-08-22 00:21:57 +02:00
Leo 30d921ec25 Always cancel contexts to avoid leaking goroutines 2020-08-21 23:48:02 +02:00
Leo 5b8c6e89bd Ethereum lockup VAA submission to devnet 2020-08-21 23:40:03 +02:00
Leo 4b24a74547 agent: use max commitment and fix nonce type
It appears that single confirmation level is not useful
for transactions that depend on each other.
2020-08-21 22:53:31 +02:00
Leo 72289be8ee Wire up Solana lockup watcher 2020-08-21 20:49:33 +02:00
Leo b663e2dc56 Generalize token lockup processor 2020-08-21 13:00:44 +02:00
Leo 10621625f0 Handle supervisor.RunGroup error 2020-08-21 13:00:44 +02:00
Leo 935411c036 Refactor all node key management into nodekeys.go 2020-08-21 13:00:44 +02:00
Leo d317164345 Rename ethwatch to ethlockup and run it in a runnable group with the watcher
This ensures that we re-fetch the guardian set when ethlockup dies.
2020-08-21 11:17:55 +02:00
Leo 9bb44eb0f5 Enable VAA submission to Solana 2020-08-21 00:06:38 +02:00
Leo c381ed2459 Print initial guardian set bytes for devnet 2020-08-20 23:39:51 +02:00
Leo b6b2d21bde Fix race condition where p2p is faster than ETH 2020-08-20 22:24:33 +02:00
Leo ec6e261c43 Receive own signatures 2020-08-20 22:05:25 +02:00
Leo f1f2d0c8b8 Solana VAA submission stub 2020-08-20 21:48:58 +02:00
Leo da8840e363 Update ABI for 9b3f7999 2020-08-20 21:04:32 +02:00
Leo e1c760af6d Update ABI for 9b3f7999 2020-08-20 20:26:21 +02:00
Hendrik Hofstadt 8f4127f781 Add slot to agent 2020-08-20 19:20:11 +02:00
Leo d1c86a0eaa bridge: use new eth devnet addresses and keygen 2020-08-19 17:38:55 +02:00
Hendrik Hofstadt 59449a30b3 Update VAA structure 2020-08-19 16:41:25 +02:00
Leo d6ef9c932c bridge: listen to eth lockups and aggregate signatures from all nodes
Improved devnet setup to generate deterministic node and guardian keys.

Devnet setup routine that configures a dynamic guardian set on Ethereum.

Configurable number of nodes in Tiltfile.
2020-08-19 14:24:38 +02:00
Leo 69d8125c67 ethereum: emit guardian set IDs in LogGuardianSetChanged
go-ethereum is having trouble parsing a log with structs.
2020-08-19 11:47:29 +02:00
Leo 8b34a3c534 ethereum: add getGuardianSet accessor 2020-08-18 16:19:28 +02:00
Leo 12873e5819 Add tooling to regenerate the Go ABI 2020-08-17 23:02:06 +02:00
Leo a1dcc36df9 Handle ipfslog.SetLogLevel error 2020-08-17 23:02:06 +02:00
Leo 760d5541b7 Move loadGuardianKey and ethLockupProcessor out of main.go 2020-08-17 19:36:17 +02:00
Leo 7903402fa6 Deterministic hashes for ETH lockups
We're missing a nonce for truly unique hashes - for now, two
identical transfers will only be executed once.
2020-08-17 19:29:25 +02:00
Leo bc3714fc73 Add nodeName to override hostname in gossip 2020-08-17 19:22:12 +02:00
Leo 955bcc93fe bridge: devnet guardian key generation 2020-08-17 18:20:28 +02:00
Leo 9171eb89cb Import Hendrik's vaa-test 2020-08-17 16:33:02 +02:00
Leo e548bbbee3 devnet: add send-lockups.js truffle script to generate test lockups 2020-08-17 16:31:48 +02:00
Leo d049aa08e7 pkg/ethereum: fix watcher lifecycle 2020-08-17 14:56:22 +02:00
Leo c4d53247d3 bridge: fix p2p routine restart
Turns out, libp2p cannot be cleaned up so till this is fixed,
we have to exit if p2p dies.

Expose the root context to p2p and cancel it.
2020-08-17 14:55:51 +02:00
Leo 090d0aca84 bridge: split up guardiand/main.go 2020-08-17 12:29:52 +02:00
Leo bdf164a5b5 bridge: signal readiness 2020-08-17 12:25:16 +02:00
Leo 24d38b12ea bridge: default to 15 blocks ETH lockup 2020-08-17 12:14:57 +02:00
Leo 8174679360 Remove unused chainlink imports
We're not going to use Schnorr/threshold signatures for now -
turns out, multisigs are cheaper on ETH.

Ran `go mod tidy`.
2020-08-16 19:05:32 +02:00
Leo 2744c1df25 bridge: heartbeat, eth watcher service 2020-08-16 17:05:58 +02:00
Leo 28fef7efca bridge: make sure the process crashes if we can't connect to any bootstrap peers
Supervisor rescheduling doesn't do the trick since the p2p socket doesn't clean up reliably.
2020-08-16 15:02:11 +02:00
Leo 7fc59ec5f4 Add Solana devnet and have agents talk to it 2020-08-15 23:54:44 +02:00
Leo d8c9b41a01 Add builds for protos and the Solana agent
- Build buf and protoc-gen-go and use it to build Go proto packages
- Rename agent proto package to agent.v1 (to prevent namespace collisions and conform to buf's standards)
- Default to DOCKER_BUILDKIT=1 for CI setup
- Add incremental Docker build for solana/agent
- Move build machinery to top level
2020-08-15 22:15:26 +02:00
Hendrik Hofstadt 6e5a3fa118 Update ETH smart contract for new signature schema 2020-08-15 00:09:48 +02:00
Hendrik Hofstadt 2a096790d3 new VAA format in Golang 2020-08-14 22:45:45 +02:00
Hendrik Hofstadt 0e69aa4ddc remove requirement for half_q on pub key x
Schnorr signatures don't have the ecdsa malleability vulnerability, also we protect against malleable signatures by tracking consumed VAAs using their body hash.
The check was implemented because the author assumed that ecrecover in the EVM does not accept s < HALF_Q values for malleability protection. There were 2 misconceptions:
1. pubkey_x is passed in as r and not s, 2. the check is not enforced in the precompiled evm instruction.
2020-08-10 21:08:57 +02:00
Hendrik Hofstadt 9a4e1f396d Track confirmations in watcher 2020-08-06 19:14:31 +02:00
Hendrik Hofstadt b6c85217b6 Add ETH tracking 2020-08-06 15:43:45 +02:00
Hendrik Hofstadt b3832ab8c7 Fully implement U256; add source_address to transfer VAA 2020-08-05 13:12:54 +02:00
Hendrik Hofstadt dece1a6a90 Fix protocol compatibility and increase VAA test coverage 2020-08-05 12:28:44 +02:00
Hendrik Hofstadt a1ba223361 Remove duplicate CL libraries, add signing logic to VAA 2020-08-05 10:48:43 +02:00
Hendrik Hofstadt 8f333ba0fd Fix chainlink key generation/validation 2020-08-04 23:52:39 +02:00
Hendrik Hofstadt 7993a72dea Add VAA serialization logic 2020-08-04 23:43:16 +02:00
Leo 540e39296a bridge: README stub 2020-08-04 19:52:41 +02:00
Leo 2a81b445b1 Import Chainlink's Distributed Schnorr implementation
Unmodified except for imports and addition of license files.
2020-08-04 19:52:41 +02:00
Leo a7d17cf5aa Add persistent keys and bootstrap peer
This connects all nodes to a full mesh.
2020-08-04 12:15:51 +02:00
Leo b8c2efdf86 Simple local devnet for development 2020-08-04 12:15:51 +02:00
Leo dd8b2ade81 libp2p stub that can find peers on a private network
Test Plan:

    go run github.com/certusone/wormhole/bridge/cmd/guardiand -network wormhole-dev -port 9000 &
    go run github.com/certusone/wormhole/bridge/cmd/guardiand -network wormhole-dev -bootstrap /ip4/127.0.0.1/udp/9000/quic/p2p/<id> -port 9001
2020-08-04 12:15:51 +02:00
Leo 39eb919aaa Import supervision tree from internal SignOS repo
Once SignOS is public, we can un-vendor this.
2020-08-04 12:15:51 +02:00