feat(ecocredit): custom bridging support for cancelling credits

[aleem1314]

Description

ref: #1084

---

Author Checklist

All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.

I have...

• included the correct type prefix in the PR title
• added ! to the type prefix if API or client breaking change
• targeted the correct branch (see PR Targeting)
• provided a link to the relevant issue or specification
• followed the guidelines for building modules
• included the necessary unit and integration tests
• added a changelog entry to CHANGELOG.md
• included comments for documenting Go code
• updated the relevant documentation or specification
• reviewed "Files changed" and left comments if necessary
• confirmed all CI checks have passed

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.

I have...

• confirmed the correct type prefix in the PR title
• confirmed ! in the type prefix if API or client breaking change
• confirmed all author checklist items have been addressed
• reviewed state machine logic
• reviewed API design and naming
• reviewed documentation is accurate
• reviewed tests and test coverage
• manually tested (if applicable)

[codecov]

Codecov Report

Merging #1101 (f8c3ddd) into master (c2eff89) will decrease coverage by 0.03%.
The diff coverage is 60.71%.

@@            Coverage Diff             @@
##           master    #1101      +/-   ##
==========================================
- Coverage   69.36%   69.33%   -0.04%     
==========================================
  Files         214      216       +2     
  Lines       21898    21948      +50     
==========================================
+ Hits        15190    15218      +28     
- Misses       5388     5402      +14     
- Partials     1320     1328       +8     

Flag	Coverage Δ
experimental-codecov	69.22% <57.14%> (-0.02%)	⬇️
stable-codecov	63.53% <57.14%> (-0.04%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

[ryanchristo]

Looking good. Mostly nits and I think we should validate contract and recipient address. I'm also wondering if we should define supported bridge targets and validate target as well.

[ryanchristo]

We might want to consider defining supported targets and validate against those. We could have enumerated values stored in the proto files (similar to how we do digest algorithm, media type, etc. in the date module). We would only support Polygon in this initial version. We should be as cautious as we can given cancelling credits cannot be undone. Ok to leave without for now but something to discuss.

[aaronc]

maybe not a bad idea to prevent unexpected fund transfers. should be gov gated in the future IMHO so a chain upgrade isn't always needed but maybe okay for now to just allow polygon-tco2

[clevinson]

if we're doing validation here, I prefer polygon as opposed to polygon-tco2, as we don't want a situation where there could be another way of interpreting the same polygon txhash for creating a different kind of ecocredit / bridge operation.

[ryanchristo]

Looks good to me. Nice work.

[clevinson]

Nice work! One thing I'm worried abt though is nesting MsgCancel within MsgBridge... feels like its not 100% necessary as I don't think we should expect Bridge() calls to explicitly provide a reason when they are already providing the target chain explicitly, and the RPC call is called "Bridge" which is essentially the reason for cancelling credits.

[clevinson]

Looking at this again in more detail, I think it's preferable for us to not nest proto messages that are used as GRPC request messages like this. Ideally when defining msg server API endpoints, each can evolve independently (e.g. Bridge() and Cancel() should be able to evolve independently). So similar to how we always have explicitly separate MsgBridgeRepsonse and MsgCancelResponse, we should probably avoid embedding a MsgCancel field inside the MsgBridge message.

In terms of which fields from MsgCancel we need when a user is calling MsgBridge, I the following is sufficient:

• holder
• repeated credits (could use a similar sub-message to CancelCredits called BridgeCredits?)

My assumption is that we don't actually need an explicit "reason" in the bridge call, as most of the information we would want to pass in the cancel reason would be describing that it's a bridge action, and possibly what chain its coming from. But all of this info we can just get from the target field, and knowing its a Bridge() RPC call.

So for filling the "reason" in the cancel event, can we just hardcode it in the message server to set reason = "bridge" or reason = "bridge-${target}" ?

[ryanchristo]

Just to note, this was implemented as specified in the issue (or at least to our interpretation). That being said, I do agree with the changes proposed. When automatically filling the reason for MsgCancel in the message server implementation, I would be in favor of "bridge-${target}".

[clevinson]

sorry abt the confusion!

[clevinson]

Thanks @aleem1314 !

Approving. One thing that came up in discussion with @ryanchristo today is that we may actually want to revise our thinking around "contract" being an explicit field in the Bridge() API call...

This was my oversight when writing out #1084... From a security perspective, we can't only rely on an end user's desired "contract" for tokens to get minted into on the destination chain. As this may not actually be the corresponding TCO2 contract for the given batch denom. Since the bridge service will anyway need to manage their own mapping between batch denoms & TCO2 contracts on the destination chain, there probably isn't much added value in the user providing this upfront...