disputes: attestation update to latest format

[abarmat]

Related to https://github.com/graphprotocol/network-rfcs/pull/24

- update the attestation format to match the one sent by index node
- add an attestation parser
- set graph protocol to zero in domain separator hash
- emit the signed attestation instead of the bare one

[That3Percent]

This was called Receipt in the latest RFC. The name of the struct factors into the hashKey of EIP-712, so we need to have consistency. I don't mind if we switch to Attestation and SignedAttestation if you prefer, but we need to choose just 1.

[abarmat]

Let's use the same as in the RFC.

[That3Percent]

The latest here is confusing and differs from the RFC. There is an Attestation struct, which matches the RFC I think. But then, in this file there is the ATTESTATION_TYPE_HASH which holds the schema Attestation(bytes32 requestCID,bytes32 responseCID,bytes32 subgraphID). This doesn't match the Attestation struct, but has the fields of the Receipt struct and the name of the Attestation struct.

[abarmat]

@That3Percent this is the one you mention right?

struct Receipt {
  hash requestCID,
  hash responseCID,
  hash subgraphID,
}

So the type_hash says ATTESTATION when it should say RECEIPT as the type hash does not include the signature.

You are right I will do that change!

For the struct I used Attestation because that is what I parse from the incoming transaction, the receipt + signature = attestation.

[abarmat]

And the type hash should be ""Receipt(bytes32 requestCID,bytes32 responseCID,bytes32 subgraphID)" @That3Percent

[That3Percent]

Yes, I think that the type hash should be "Receipt(..., but also that the variable name should be renamed to RECEIPT_TYPE_HASH so as not to be confused with the Attestation struct.

[abarmat]

👍 updated in the last commit

[That3Percent]

This also differs from the details in the latest RFC. I had copied the details from here, before these changes. So instead of bytes sig (which has variable length), we have fields for v r and s in the RFC.

[abarmat]

I'm unpacking v,r,s into the struct now.

[That3Percent]

The RFC does not nest the structs. I'm amenable to nesting, so long as it doesn't increase the size of the struct due to the padding rules. As far as I can tell, we're in the clear here since it looks like the Attestationtype takes up exactly 3 storage slots - but I'm no solidity expert so you'll want to double-check. In any case, we need to have consistency so let me know if you want me to update the RFC.

[abarmat]

I updated structs to match the RFC.

[That3Percent]

This comment is wrong (or misplaced). I think you mean to put it over PAYLOAD_SIZE_BYTES

[That3Percent]

(Sorry, GitHub wouldn't let me comment on line 174). The domainSeparator calculation seems wrong to me. Note that in the EIP domainSeparator is hashStruct(eip712Domain) but within the EIP712Domain struct the version field is of type string, not bytes32. So, pre-hashing this value is not correct. Same for the name field.

[abarmat]

string is variable length and bytes32 is fixed, I think you found an issue, I'll review it

[That3Percent]

Using variable-length values in EIP712Domain should not be an issue, since the domainSeparator is meant to be pre-calcuated and always has an output size of bytes32.

[abarmat]

I've been reviewing the EIP712 and found an example on how the eip712 domain is created. They hash all string data.

https://github.com/ethereum/EIPs/blob/master/assets/eip-712/Example.sol

    function hash(EIP712Domain eip712Domain) internal pure returns (bytes32) {
        return keccak256(abi.encode(
            EIP712DOMAIN_TYPEHASH,
            keccak256(bytes(eip712Domain.name)),
            keccak256(bytes(eip712Domain.version)),
            eip712Domain.chainId,
            eip712Domain.verifyingContract
        ));
    }

In the code I'm doing:

        // EIP-712 domain separator
        DOMAIN_SEPARATOR = keccak256(
            abi.encode(
                DOMAIN_TYPE_HASH,
                DOMAIN_NAME_HASH,
                DOMAIN_VERSION_HASH,
                _getChainID(),
                address(this),
                DOMAIN_SALT
            )
        );

[That3Percent]

Yes, you are correct in pre-hashing the strings. I reviewed encodeData to see if there was any explanation for this and there is:

Each encoded member value is exactly 32-byte long.

...and then later...

The dynamic values bytes and string are encoded as a keccak256 hash of their contents.

[That3Percent]

Does solidity seriously not have some utility for this? You have to do this by hand every time?

[abarmat]

Solidity is super limited, we are using a BytesLib library to do bytes manipulation.
I have an item in my internal TODO to see if we can use a newer feature from Solidity 0.6 (the original code was written for Solidity 0.5.0) to slice calldata bytes. https://solidity.readthedocs.io/en/v0.6.0/types.html#array-slices

Will give quick look before we merge this PR

[abarmat]

I'm now using a feature from Solidity 0.6 to slice arrays and removed a dependency we had on a BytesLib.

[That3Percent]

Hmm. I wasn't clear on my question before about what APIs are offered by solidity. What I want to know is whether this kind of manual deserialization is necessary. Is there not some sort of transmute/cast from bytes to Attestation? Or is it always necessary for solidity developers to roll their own deserialization all the time?

[abarmat]

I misunderstood your initial comment but it helped me to rewrite it in a more efficient way.

You need to roll your own deserialization, it would be great to cast from bytes to the struct directly. The closest discussion about that I found is this one ethereum/solidity#7134

[That3Percent]

I am concerned that this uniquely identifies a dispute from only these fields, and does not include the indexNode in the hash in any way. Since multiple indexers may provide the same incorrect responses, separate disputes need to be created for them.

If anything, the disputeId should be created from r, s, and v once all other checks have passed since these uniquely identify the request/response/indexer tuple.

[abarmat]

Good observation. Yes, this code is now rejecting when two receipts are similar and are submitted by different indexers. I'll ask Brandon as he had some thoughts about conflicting attestations.

[That3Percent]

The field order here does not match the Attestation struct. It has v,r,s but this has r,s,v. Is that a problem?

[abarmat]

Let's use:

    struct Attestation {
        bytes32 requestCID;
        bytes32 responseCID;
        bytes32 subgraphID;
        bytes32 r;
        bytes32 s;
        uint8 v;
    }

The libraries used to sign (web3, ethers) send the signature like r,s,v

[That3Percent]

I think this comment is wrong. EIP712 is not a "format" for interchange. It's a method for hashing and signing - not serialization. There is an encodeStruct method, but this encoding does not match what these methods do to read/write structs from bytes. encodeStruct is not lossless, and therefore cannot in principle be used for serialization even if you wanted to. So, the string returned by this method cannot be of an attestation in "EIP712 format".

[abarmat]

I understand, I think I did a bad use of the language. I'd been using EIP712 "format" when it really is a standard, and I'd been calling the format the end result of encode/hashing the struct with the type_hash and each content field processed.

[That3Percent]

I'm not sure that we're on the same page. This looks like some kind of ABI encoded SignedAttestation, whereas the comment says it's EIP-712.

[abarmat]

In my comment I was referring to when I used EIP712 in the code.

About that particular section, the comment is not ok, it is just the attestation what that function returns, the receipt + signature appended.

[That3Percent]

This has a typo and it says EIP721 when it meant EIP712, but to reiterate, there is no EIP-712 format.

[abarmat]

@That3Percent I pushed changes including:

• DisputeID considering the indexer.
• Use ethers library (better) for signing.
• Refactor decoding the attestation struct.