-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Circuit Breaker #926
Comments
Questions:
|
Yes, I think it makes sense. I'd add
Yes. I think we should just let this field as open as possible and let standards emerge.
No, I don't think we should. This is a tradeoff, and disabling all message types is pretty crippling for the network. There are two scenarios to consider:
|
Per discussion with @ebuchman, we might want an additional requirement of a known identity (possibly AiB) signing off on the circuit breaker. This identity could be elected / changed through governance. Can be implemented when transfers go live if we launch without transfers. |
Latest thinking is to have two conditions for circuit breaking:
The AUTHORITIES are an M-of-N muiltisig decided on by Governance. We should add the details of this to the spec. Relevant question is whether to have a new tx type for this or to re-use the governance voting system just with a new ProposalType and rules for what it means to pass The AUTHORITIES can be chosen by governance in the first place. It must happen before transfers become active and until then we have M=0 |
Thinking about it maybe the circuit breaker has to be implemented at SDK level? Because the app should reject tx types specified by Circuit Breaker proposal |
This is currently still planned #prelaunch, do we have some spec on this? I know there have multiple conversations about this feature. |
Is it? I guess the label is still there, but I thought we had decided otherwise, e.g. https://github.com/cosmos/cosmos-sdk/blob/develop/docs/PRIORITIES.md#lower-priority. If we want to do this prelaunch we need to discuss a much more exact specification. |
I think we need to get this discussion started at the very least cc @ebuchman @jaekwon @gamarin2 @sunnya97 @rigelrozanski |
Yeah I think we can get away with not implementing this - like to know @jaekwon's thoughts here |
The big con of not implementing this prelaunch, is that then activating transfers would require a software upgrade. |
I think this can be done post-launch too. Originally circuit breaker was needed to avoid implementing urgent proposals. Circuit breaker is useful to maintain liveness if bugs are found in specific modules. Thing is, we are only going to launch with modules we cannot afford to de-activate like staking or gov (we assume gov is not compromised for circuit breaker to work). If we were launching with IBC or transfers I would argue that circuit breaker is needed, but since we're not... I think circuit breaker should come in the same upgrade that activates transfers. |
Going to go ahead and close this issue as we have implemented. |
actually the circuit breaker is not implemented. |
Should we rename this issue to |
Why's that @jackzampolin? Afaik, (d)CERT and the like are orthogonal to the circuit breaker. |
We decided to roll out dCERT in to phases. Less contentious proposal for dCERT does not include circuit breaker, afterwords the community may want to vote that would like the dCERT group to have circuit breaker capabilities |
Do we plan on having this as an isolated module still (e.g. |
Hmm... maybe for potential client functionality. A lot of the core logic of the circuit breaker actually lives in baseapp however. But yeah I agree as much as possible should be separated out into a circuit breaker module |
Should this be considered as a feature of the crisis module? |
This is another amazing use case for ABCI 2.0 and vote extensions. If something needs to be halted validators can come to consensus on it through vote extensions instead of submitting a tx. The tx approach is a Valid use case and may want to be implemented until 0.38 is out |
closing in favour of #14225 to discuss design |
As per discussions in validator meeting. Introduce a circuit breaker to temporarily de-activate certain message types.
When:
Circuit breaker needs 1/6th of total voting power to be activated. Will be de-activated after X blocks or if de-activation is voted (can be de-activated with a proposal).
Message type of circuit breaker transactions should be gov (because we only assume that governance module is not compromised).
When submitting a circuit breaker transaction, one must specify:
Need to add the ability for proposals to de-activate circuit breakers if accepted. Also need a special de-activation message.
Pulling in @sunnya97 to refine.
The text was updated successfully, but these errors were encountered: