Illegal tx detection in context of whole bundle

[ParthDesai]

Description

This PR updates domain runtime as follows in first commit:

1. Modification of check_transaction_validity runtime api: The modification allows it to validate unsigned and SelfContained evm txs along with signed txs.
2. Addition of check_transaction_validity_and_do_pre_dispatch api: This api validates the transaction as per check_transaction_validity + also preform pre_dispatch on the extrinsic to have changes like nonce updation persist in the buffer of RuntimeApiImpl.
3. Modification of storage_keys_for_verifying_transaction_validity: The modification changes function signature to make passing AccountId optional.
4. Addition of check_bundle_extrinsics_validity: This runtime api internally uses check_transaction_validity_and_do_pre_dispatch to validates extrinsic in the bundle and in case any illegal tx is detected it returns Err.

Changes to the domain client is as follows in second commit:

1. In domain proposer: While gathering tx to build a bundle, we utilize a single runtime instance to maintain context over multiple runtime calls to check_transaction_validity_and_do_pre_dispatch. In case an illegal tx is detected, it is ignored and its changes are rolled back from the context saved in that runtime instance. the call to the check_transaction_validity_and_do_pre_dispatch is shifted last to make sure that tx's changes do not persist if any check failes
2. In block preprocessor: We are using single runtime instance and check_transaction_validity_and_do_pre_dispatch to maintain context when iterating through the bundle transactions. This check is after inherent extrinsic as inherent extrinsic will always fail the validation check.

Code contributor checklist:

• I have read, understood and followed contributing guide

[NingLin-P]

I wonder if we still need to return these storage keys here, since the generation of fraud proof happens when there is mismatch of ER::inbo_bundles instead of when this check return error.

[vedhavyas]

If we are doing this check on bundle level, should we do this check on individual extrinsics above?
Would they go through the same approach making individual extrinsic check redundant ?

[NingLin-P]

We don't need the individual extrinsic level check IMHO since the bundle level is a superset of it. Ideally, we should perform the check on the block level (like the consensus chain does when producing block) but bundle level is the best we can do.

[NingLin-P]

While it is desired to perform a more exhaustive validation here to cover different types of tx and checks, the storage_keys only contains a few storages used in the SignedExtra check which may not be exhaustive, i.e. if the pre_dispatch of a tx requires access to another storage which is not included in the storage_keys then we are unable to construct a valid fraud proof. I think this is a broader problem we need to think on cc @vedhavyas

[ParthDesai]

@NingLin-P I have found a way. Idea is to use ProofRecorder to get the keys accessed during runtime execution. These keys are not public at the moment. I have opened a PR here: paritytech/polkadot-sdk#2561

Once that is in, to create storage proof, we simply have to execute desired runtime call and get the accessed keys from ProofRecorder.

[vedhavyas]

@ParthDesai You should also patch this in our fork so that we use it right away instead of waiting until we upgrade substrate

[NingLin-P]

We don't need the individual extrinsic level check IMHO since the bundle level is a superset of it. Ideally, we should perform the check on the block level (like the consensus chain does when producing block) but bundle level is the best we can do.

[vedhavyas]

I'm confused with so many new API being introduced/changed but we would just need one API to check the bundle validity here 🤔

[vedhavyas]

If we are doing a full bundle check during the bundle generation, shouldn't we use the same here and mark bunlde invalid if bundle check fails?

[ParthDesai]

We do that. If this check fails it is marked as invalid.

[vedhavyas]

I dont see this being used during bundle proposal. I'm confused why there are so many api when all we need is this API to check the bundle validity and return the extrinsic index that fails the precheck and the storage proof until this extrinsic. This also make me think how big can the storage proof be

[NingLin-P]

This also make me think how big can the storage proof be

This depends on the exact storage accessed during the pre_dispatch of the illegal tx, but the size should be guarded by the excessive transaction check since pre_dispatch is also part of the execution of the tx.

[ParthDesai]

@vedhavyas Reason why we have used check_transaction_and_do_pre_dispatch and not check_bundle_extrinsics_validity both during bundle proposal and bundle validation is because they both are equivalent in the sense bundle one deals with vector of extrinsic and the other one deal with single extrinsic.

I think, I am starting to see how it is easy to be confused by this. Let me remove this api. We can always add it back if it is required.

[ParthDesai]

@vedhavyas Regarding storage proof, idea is that you only check for extrinsic signed by same signer. Which covers both nonce and tx payment check. This would mean storage proof is bounded to storage keys used during validation of all extrinsics signed by same signer.

[ParthDesai]

I'm confused with so many new API being introduced/changed but we would just need one API to check the bundle validity here 🤔

At the time of writing this PR, idea was to have two equivalent apis one operate on single tx and other one operate on set of tx. Looking back, I realized that check_bundle_extrinsics is not needed. We can always use check_transaction_and_do_pre_dispatch instead. I will be removing that.

[NingLin-P]

The changes look good to me in general and I'm okay to move forward and leave the storage keys collect in a separate PR.

Some nits are left, mostly just some cleanup and the test (PTAL at how other tests using the helper function to reduce the size of the test)

[NingLin-P]

This is essentially a wrapper of TaggedTransactionQueue::validate_transaction with additional storage keys returned in the error, since we will get the storage keys in other ways I think this runtime API can be removed and the CheckTxValidityError can be replaced with TransactionValidityError

[ParthDesai]

Okay. I can remove the new version of the API. But, as stated in another comment, we cannot deprecate a runtime api without adding newer version of that runtime api. So, old version need to stay as it is till we upgrade to new network.

[NingLin-P]

IIUC, this runtime API is used to return a fixed set of storage key should also deprecate, right?

[ParthDesai]

Problem is, we cannot deprecate a runtime api without adding newer version of that runtime api in its place. As far as I understand, what this translates to is there is no clear upgrade path on how to remove/deprecate an api without introducing a new one.

Ref: https://paritytech.github.io/polkadot-sdk/master/sp_api/macro.decl_runtime_apis.html

I guess we need to remove it in next version of the network.

[NingLin-P]

I think we are going to have a maintenance branch for gemini-3g soon, so the compatibility with gemini-3g won't be a concern anymore. cc @jfrank-summit

[nazar-pc]

If breaking changes are introduced, PR should be marked with corresponding label

[ParthDesai]

Okay. Label added. Will remove those apis as well as api versioning requirement as well.

[NingLin-P]

This will call multiple times for each extrinsic and the result will be preserved as we use the same runtime API instance for all extrinsic. From the System::initialize implementation it seems fine though.

[ParthDesai]

Yes. We deliberately invoke System::initialize here as it is required to validate the SignedExtension. This is something I imported from Executive::validate_transaction.

[NingLin-P]

It seems this check is duplicated with runtime_instance_assumptions_are_correct

[ParthDesai]

The tests are mostly similar, but the runtime assumption test is there to make sure that the assumptions we made throughout the code regarding runtime api is valid.

While this test is more concerned about testing the api.

Anyways, I have renamed runtime assumption test api to be more clear.

[ParthDesai]

@NingLin-P I have simplified the runtime api changes now (deleted storage keys related apis and the tx validity api). And accordingly tests are also more clear and simplified with changes suggested by the review incorporated.

[NingLin-P]

Rest LGTM 👍

[vedhavyas]

Make sense but why did we break compatibility here?
I apologize for any confusion but we still want to maintain compatibility for gemini-3g though

[ParthDesai]

Make sense but why did we break compatibility here? I apologize for any confusion but we still want to maintain compatibility for gemini-3g though

@vedhavyas As per @NingLin-P and my conversation with @jfrank-summit this fraud proof will be part of the next iteration of the network. So, I just cleaned up legacy stuff related to storage keys and validating txs.

[vedhavyas]

@vedhavyas As per @NingLin-P and my conversation with @jfrank-summit this fraud proof will be part of the next iteration of the network. So, I just cleaned up legacy stuff related to storage keys and validating txs.

I agree but we cannot upgrade on Gemini-3g at this state. You can leave a TODO to cleanup once we are prepping for the next network. We have bunch of TODOs that will be gone before next network

[vedhavyas]

LGTM without approval since some comments needs to be resolved

[ParthDesai]

@NingLin-P @vedhavyas Comments are resolved now. If there are no further concern, can you guys approve it?