# ADR 009: Evidence Module
# Changelog
- 2019 July 31: Initial draft
- 2019 October 24: Initial implementation
# Status
Accepted
# Context
In order to support building highly secure, robust and interoperable blockchain applications, it is vital for the Cosmos SDK to expose a mechanism in which arbitrary evidence can be submitted, evaluated and verified resulting in some agreed upon penalty for any misbehavior committed by a validator, such as equivocation (double-voting), signing when unbonded, signing an incorrect state transition (in the future), etc. Furthermore, such a mechanism is paramount for any IBC (opens new window) or cross-chain validation protocol implementation in order to support the ability for any misbehavior to be relayed back from a collateralized chain to a primary chain so that the equivocating validator(s) can be slashed.
# Decision
We will implement an evidence module in the Cosmos SDK supporting the following functionality:
- Provide developers with the abstractions and interfaces necessary to define custom evidence messages, message handlers, and methods to slash and penalize accordingly for misbehavior.
- Support the ability to route evidence messages to handlers in any module to determine the validity of submitted misbehavior.
- Support the ability, through governance, to modify slashing penalties of any evidence type.
- Querier implementation to support querying params, evidence types, params, and all submitted valid misbehavior.
# Types
First, we define the Evidence
interface type. The x/evidence
module may implement
its own types that can be used by many chains (e.g. CounterFactualEvidence
).
In addition, other modules may implement their own Evidence
types in a similar
manner in which governance is extensible. It is important to note any concrete
type implementing the Evidence
interface may include arbitrary fields such as
an infraction time. We want the Evidence
type to remain as flexible as possible.
When submitting evidence to the x/evidence
module, the concrete type must provide
the validator's consensus address, which should be known by the x/slashing
module (assuming the infraction is valid), the height at which the infraction
occurred and the validator's power at same height in which the infraction occurred.
# Routing & Handling
Each Evidence
type must map to a specific unique route and be registered with
the x/evidence
module. It accomplishes this through the Router
implementation.
Upon successful routing through the x/evidence
module, the Evidence
type
is passed through a Handler
. This Handler
is responsible for executing all
corresponding business logic necessary for verifying the evidence as valid. In
addition, the Handler
may execute any necessary slashing and potential jailing.
Since slashing fractions will typically result from some form of static functions,
allow the Handler
to do this provides the greatest flexibility. An example could
be k * evidence.GetValidatorPower()
where k
is an on-chain parameter controlled
by governance. The Evidence
type should provide all the external information
necessary in order for the Handler
to make the necessary state transitions.
If no error is returned, the Evidence
is considered valid.
# Submission
Evidence
is submitted through a MsgSubmitEvidence
message type which is internally
handled by the x/evidence
module's SubmitEvidence
.
The x/evidence
module's keeper is responsible for matching the Evidence
against
the module's router and invoking the corresponding Handler
which may include
slashing and jailing the validator. Upon success, the submitted evidence is persisted.
# Genesis
Finally, we need to represent the genesis state of the x/evidence
module. The
module only needs a list of all submitted valid infractions and any necessary params
for which the module needs in order to handle submitted evidence. The x/evidence
module will naturally define and route native evidence types for which it'll most
likely need slashing penalty constants for.
# Consequences
# Positive
- Allows the state machine to process misbehavior submitted on-chain and penalize validators based on agreed upon slashing parameters.
- Allows evidence types to be defined and handled by any module. This further allows slashing and jailing to be defined by more complex mechanisms.
- Does not solely rely on Tendermint to submit evidence.
# Negative
- No easy way to introduce new evidence types through governance on a live chain due to the inability to introduce the new evidence type's corresponding handler
# Neutral
- Should we persist infractions indefinitely? Or should we rather rely on events?