
Change consumer proposal whitelist -> blacklist (or remove the list outright)

Open asalzmann opened this issue 2 years ago • 1 comments

Protocol Change Proposal

Summary

Currently, all proposals must be whitelisted on consumer chains. This is not ideal for two reasons:

  1. It's hard for consumers to maintain the list of proposals
  2. Providers care about what proposals are blacklisted, not what proposals are whitelisted (e.g. they want to make sure consumers don't slash them, not review the internals of the consumer code)

In practice, slashing on providers is governance gated anyway. Even if slashing weren't gated, it's unclear how much protection providers actually get from the whitelist, because software upgrades (whitelisted) and bugs can cause provider slashing.

At a minimum, I'd propose changing the whitelist on consumers to a blacklist, so consumers don't have to maintain long lists of whitelisted proposals.

It might also make sense to remove the whitelist/blacklist entirely, since it doesn't offer much protection and adds complexity.

Problem Definition

What problems may be addressed by introducing this change?

  • consumers can't easily maintain the whitelist
  • providers can't easily review the whitelist

What benefits does ICS stand to gain by including this change?

  • ICS code is simpler to reason about and easier to maintain

Are there any disadvantages of including this change?

  • changes to the whitelist might be flagged in reviewing an upgrade proposal, whereas if a blacklist is used, new props could be introduced on consumers and would be harder for reviewers to surface

Proposal

Remove the proposal whitelisting logic from consumers (please let me know if I should add more details here)


For Admin Use

  • [ ] Not duplicate issue
  • [ ] Appropriate labels applied
  • [ ] Appropriate contributors tagged
  • [ ] Contributor assigned/self-assigned
  • [ ] Is a spike necessary to map out how the issue should be approached?

asalzmann avatar Aug 09 '23 18:08 asalzmann

The main disadvantage with having a whitelist is that we need to take care of params in dependency modules like sdk and ibc go, not only our own modules. So removing the whitelisting logic would be beneficial, I think.

strbrian avatar Aug 10 '23 01:08 strbrian