Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs(x/circuit): add note on ante handler #18637

Merged
merged 3 commits into from
Dec 6, 2023
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
60 changes: 56 additions & 4 deletions x/circuit/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,29 @@

Circuit Breaker is a module that is meant to avoid a chain needing to halt/shut down in the presence of a vulnerability, instead the module will allow specific messages or all messages to be disabled. When operating a chain, if it is app specific then a halt of the chain is less detrimental, but if there are applications built on top of the chain then halting is expensive due to the disturbance to applications.

## How it works

Circuit Breaker works with the idea that an address or set of addresses have the right to block messages from being executed and/or included in the mempool. Any address with a permission is able to reset the circuit breaker for the message.

The transactions are checked and can be rejected at two points:

* In `CircuitBreakerDecorator` [ante handler](https://docs.cosmos.network/main/learn/advanced/baseapp#antehandler):

```go reference
https://github.com/cosmos/cosmos-sdk/blob/x/circuit/v0.1.0/x/circuit/ante/circuit.go#L27-L41
```

* With a [message router check](https://docs.cosmos.network/main/learn/advanced/baseapp#msg-service-router):

```go reference
https://github.com/cosmos/cosmos-sdk/blob/v0.50.1/baseapp/msg_service_router.go#L104-L115
```

:::note
The `CircuitBreakerDecorator` works for most use cases, but does not check the inner messages of a transaction. This some transactions (such as `x/authz` transactions or some `x/gov` transactions) may pass the ante handler. **This does not affect the circuit breaker** as the message router check will still fail the transaction.
This tradeoff is to avoid introducing more dependencies in the `x/circuit` module. Chains can re-define the `CircuitBreakerDecorator` to check for inner messages if they wish to do so.
:::

## State

### Accounts
Expand Down Expand Up @@ -38,7 +59,6 @@ type Access struct {
}
```


### Disable List

List of type urls that are disabled.
Expand Down Expand Up @@ -108,7 +128,7 @@ This message is expected to fail if:

* if the type url is not disabled

## Events - list and describe event tags
## Events

The circuit module emits the following events:

Expand Down Expand Up @@ -143,9 +163,41 @@ The circuit module emits the following events:
| message | action | reset_circuit_breaker |


## Keys - list of key prefixes used by the circuit module
## Keys

* `AccountPermissionPrefix` - `0x01`
* `DisableListPrefix` - `0x02`

## Client - list and describe CLI commands and gRPC and REST endpoints
## Client

### CLI

`x/circuit` module client provides the following CLI commands:

```shell
$ <appd> tx circuit
Transactions commands for the circuit module

Usage:
simd tx circuit [flags]
simd tx circuit [command]

Available Commands:
authorize Authorize an account to trip the circuit breaker.
disable Disable a message from being executed
reset Enable a message to be executed
```

```shell
$ <appd> query circuit
Querying commands for the circuit module

Usage:
simd query circuit [flags]
simd query circuit [command]

Available Commands:
account Query a specific account's permissions
accounts Query all account permissions
disabled-list Query a list of all disabled message types
```
Loading