Merge pull request #101 from datachainlab/fix-tendermint-lc

tendermint-lc: avoid reading states not included in a commitment

Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>

Author: bluele

Cargo.lock

@@ -8,6 +8,7 @@ ibc = { version = "0.29.0", default-features = false, features = ["serde"] }
 serde = { version = "1.0.184", default-features = false, features = ["alloc"] }
 log = { version = "0.4.8", default-features = false }
 flex-error = { version = "0.4.4", default-features = false }
+tendermint-light-client-verifier = { version = "0.29", features = ["rust-crypto"], default-features = false }
 
 light-client = { path = "../light-client", default-features = false, features = ["ibc"] }
 lcp-proto = { path = "../../proto", default-features = false }

enclave/Cargo.lock

@@ -2,6 +2,7 @@ use crate::errors::Error;
 use crate::message::{ClientMessage, Header, Misbehaviour};
 use crate::prelude::*;
 use crate::state::{canonicalize_state, gen_state_id, ClientState, ConsensusState};
+use crate::verifier::check_header_and_update_state;
 use core::str::FromStr;
 use crypto::Keccak256;
 use ibc::clients::ics07_tendermint::client_state::{
@@ -35,6 +36,7 @@ use light_client::{
     LightClientRegistry, UpdateClientResult, VerifyMembershipResult,
 };
 use light_client::{MisbehaviourData, UpdateStateData, VerifyNonMembershipResult};
+#[allow(unused_imports)]
 use log::*;
 
 #[derive(Default)]
@@ -238,37 +240,6 @@ impl TendermintLightClient {
             .into());
         }
 
-        // Read consensus state from the host chain store.
-        let latest_consensus_state: ConsensusState = ctx
-            .consensus_state(&client_id, &client_state.latest_height().into())
-            .map_err(|_| {
-                Error::ics02(ICS02Error::ConsensusStateNotFound {
-                    client_id: client_id.clone().into(),
-                    height: client_state.latest_height(),
-                })
-            })?
-            .try_into()?;
-
-        debug!("latest consensus state: {:?}", latest_consensus_state);
-
-        let now = ctx.host_timestamp();
-        let duration = now
-            .duration_since(latest_consensus_state.timestamp().into_tm_time().unwrap())
-            .map_err(|_| {
-                Error::ics02(ICS02Error::InvalidConsensusStateTimestamp {
-                    time1: latest_consensus_state.timestamp(),
-                    time2: now.into(),
-                })
-            })?;
-
-        if client_state.expired(duration) {
-            return Err(Error::ics02(ICS02Error::HeaderNotWithinTrustPeriod {
-                latest_time: latest_consensus_state.timestamp(),
-                update_time: header.timestamp(),
-            })
-            .into());
-        }
-
         let height = header.height().into();
         let header_timestamp: Time = header.timestamp().into();
 
@@ -288,17 +259,17 @@ impl TendermintLightClient {
         let UpdatedState {
             client_state: new_client_state,
             consensus_state: new_consensus_state,
-        } = client_state
-            .check_header_and_update_state(
-                &IBCContext::<TendermintClientState, TendermintConsensusState>::new(ctx),
-                client_id.into(),
-                Any::from(header.clone()).into(),
-            )
-            .map_err(|e| {
-                Error::ics02(ICS02Error::HeaderVerificationFailure {
-                    reason: e.to_string(),
-                })
-            })?;
+        } = check_header_and_update_state(
+            &client_state,
+            &IBCContext::<TendermintClientState, TendermintConsensusState>::new(ctx),
+            client_id.into(),
+            Any::from(header.clone()).into(),
+        )
+        .map_err(|e| {
+            Error::ics02(ICS02Error::HeaderVerificationFailure {
+                reason: e.to_string(),
+            })
+        })?;
 
         let new_client_state = ClientState(
             downcast_client_state::<TendermintClientState>(new_client_state.as_ref())

modules/tendermint-lc/Cargo.toml

@@ -26,3 +26,4 @@ pub mod client;
 pub mod errors;
 pub mod message;
 pub mod state;
+mod verifier;

modules/tendermint-lc/src/client.rs

@@ -0,0 +1,120 @@
+use crate::prelude::*;
+use ibc::{
+    clients::ics07_tendermint::{
+        client_state::ClientState, client_type,
+        consensus_state::ConsensusState as TmConsensusState, error::Error,
+        header::Header as TmHeader,
+    },
+    core::{
+        ics02_client::{
+            client_state::{ClientState as Ics2ClientState, UpdatedState},
+            consensus_state::ConsensusState,
+            error::ClientError,
+        },
+        ics24_host::{identifier::ClientId, path::ClientConsensusStatePath},
+        ContextError, ValidationContext,
+    },
+};
+use lcp_proto::google::protobuf::Any;
+use tendermint_light_client_verifier::{
+    types::{TrustedBlockState, UntrustedBlockState},
+    ProdVerifier, Verdict, Verifier,
+};
+
+/// Fork of the `check_header_and_update_state` function from ibc-rs v0.29.0
+/// https://github.com/cosmos/ibc-rs/blob/10b47c077065a07ded9ac7f03fdb6c0980592d81/crates/ibc/src/clients/ics07_tendermint/client_state.rs#L457
+pub(crate) fn check_header_and_update_state(
+    client_state: &ClientState,
+    ctx: &dyn ValidationContext,
+    client_id: ClientId,
+    header: Any,
+) -> Result<UpdatedState, ClientError> {
+    let client_state = downcast_tm_client_state(client_state)?.clone();
+    let header = TmHeader::try_from(header)?;
+
+    if header.height().revision_number() != client_state.chain_id().version() {
+        return Err(ClientError::ClientSpecific {
+            description: Error::MismatchedRevisions {
+                current_revision: client_state.chain_id().version(),
+                update_revision: header.height().revision_number(),
+            }
+            .to_string(),
+        });
+    }
+
+    let trusted_client_cons_state_path =
+        ClientConsensusStatePath::new(&client_id, &header.trusted_height);
+    let trusted_consensus_state = downcast_tm_consensus_state(
+        ctx.consensus_state(&trusted_client_cons_state_path)
+            .map_err(|e| match e {
+                ContextError::ClientError(e) => e,
+                _ => ClientError::Other {
+                    description: e.to_string(),
+                },
+            })?
+            .as_ref(),
+    )?;
+
+    let trusted_state = TrustedBlockState {
+        chain_id: &client_state.chain_id.clone().into(),
+        header_time: trusted_consensus_state.timestamp,
+        height: header
+            .trusted_height
+            .revision_height()
+            .try_into()
+            .map_err(|_| ClientError::ClientSpecific {
+                description: Error::InvalidHeaderHeight {
+                    height: header.trusted_height.revision_height(),
+                }
+                .to_string(),
+            })?,
+        next_validators: &header.trusted_validator_set,
+        next_validators_hash: trusted_consensus_state.next_validators_hash,
+    };
+
+    let untrusted_state = UntrustedBlockState {
+        signed_header: &header.signed_header,
+        validators: &header.validator_set,
+        // NB: This will skip the
+        // VerificationPredicates::next_validators_match check for the
+        // untrusted state.
+        next_validators: None,
+    };
+
+    let options = client_state.as_light_client_options()?;
+    let now = ctx
+        .host_timestamp()
+        .map_err(|e| ClientError::Other {
+            description: e.to_string(),
+        })?
+        .into_tm_time()
+        .unwrap();
+
+    match ProdVerifier::default().verify(untrusted_state, trusted_state, &options, now) {
+        Verdict::Success => Ok(()),
+        Verdict::NotEnoughTrust(reason) => Err(Error::NotEnoughTrustedValsSigned { reason }),
+        Verdict::Invalid(detail) => Err(Error::VerificationError { detail }),
+    }?;
+
+    Ok(UpdatedState {
+        client_state: client_state.with_header(header.clone())?.into_box(),
+        consensus_state: TmConsensusState::from(header).into_box(),
+    })
+}
+
+fn downcast_tm_client_state(cs: &dyn Ics2ClientState) -> Result<&ClientState, ClientError> {
+    cs.as_any()
+        .downcast_ref::<ClientState>()
+        .ok_or_else(|| ClientError::ClientArgsTypeMismatch {
+            client_type: client_type(),
+        })
+}
+
+fn downcast_tm_consensus_state(cs: &dyn ConsensusState) -> Result<TmConsensusState, ClientError> {
+    cs.as_any()
+        .downcast_ref::<TmConsensusState>()
+        .ok_or_else(|| ClientError::ClientArgsTypeMismatch {
+            client_type: client_type(),
+        })
+        .map(Clone::clone)
+}