
Safe mode

Open gavofyork opened this issue 4 years ago • 4 comments

Underway in https://github.com/paritytech/substrate/pull/12092

Introduce a system flag SafeMode: Option<T::BlockNumber>.

Also introduce a second BaseFilter called SafeBaseFilter into runtimes which restricts everything except calls to the governance pallets.

The actual filter is selected between BaseFilter and SafeBaseFilter depending on whether SafeMode is Some or not.

In the block initialization phase, if SafeMode is Some and the inner block number is less than or equal to the current block number, it is replaced with None.

A weak governance origin (e.g. one councillor) is able to upgrade SafeMode from None to be Some with a modest number of blocks (e.g. 10 minutes) higher than the current block number.

A strong governance origin (e.g. the entire council) is able to downgrade SafeMode to None or upgrade SafeMode from None to be Some with a substantial number of blocks higher than the current block number (e.g. 3 hours).

Anyone may place a significant amount (e.g. 1,000 KSM) of their funds into reserve in order to upgrade SafeMode from None to be Some with a modest number of blocks (e.g. 10 minutes) higher than the current block number.

In that case, the reserved funds may be unreserved only after 24 hours and may be slashed or unreserved prior by a strong governance origin.

gavofyork, Oct 14 '21 15:10
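The state machine the issue describes (filter selection on SafeMode, expiry in block initialization, origin-gated durations), as an added plain-Rust model that is not the pallet from PR 12092; the Call variants, the Weak/Strong origins and the block counts are constructed placeholders, and the deposit-based entry path is left out.

```rust
// Added illustration of the safe-mode flag described in the issue; not the
// Substrate pallet. Call variants, origins and durations are constructed.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Call { Transfer, Stake, GovVote, GovPropose }

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Origin { Weak, Strong }

/// Constructed durations in blocks: "10 minutes" and "3 hours" at 6s blocks.
pub const WEAK_DURATION: u64 = 100;
pub const STRONG_DURATION: u64 = 1800;

/// `SafeMode: Option<BlockNumber>`; Some(n) means safe mode is active until block n.
#[derive(Default, Debug)]
pub struct SafeMode { pub until: Option<u64> }

/// Normal BaseFilter: every call is allowed.
fn base_filter(_c: &Call) -> bool { true }

/// SafeBaseFilter: only governance calls are allowed.
fn safe_base_filter(c: &Call) -> bool { matches!(c, Call::GovVote | Call::GovPropose) }

impl SafeMode {
    /// The active filter is chosen by whether SafeMode is Some.
    pub fn allows(&self, c: &Call) -> bool {
        if self.until.is_some() { safe_base_filter(c) } else { base_filter(c) }
    }
    /// Block initialization: a stored block number <= current block clears the flag.
    pub fn on_initialize(&mut self, now: u64) {
        if matches!(self.until, Some(b) if b <= now) { self.until = None; }
    }
    /// None -> Some. A weak origin may only set a modest duration; a strong one a long one.
    pub fn enter(&mut self, origin: Origin, now: u64, blocks: u64) -> Result<(), &'static str> {
        if self.until.is_some() { return Err("already in safe mode"); }
        let cap = match origin { Origin::Weak => WEAK_DURATION, Origin::Strong => STRONG_DURATION };
        if blocks == 0 || blocks > cap { return Err("duration not permitted for this origin"); }
        self.until = Some(now + blocks);
        Ok(())
    }
    /// Some -> None is reserved for the strong origin.
    pub fn exit(&mut self, origin: Origin) -> Result<(), &'static str> {
        if origin != Origin::Strong { return Err("strong origin required"); }
        self.until = None;
        Ok(())
    }
}
```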

A permissionless pause could introduce a new attack vector for some chains with time-sensitive operations. A possible solution is a permissionless counter-pause and later requiring a strong governance origin to decide which one (or if both) action is based on good intention. But a lot more research is required to figure out the exact mechanism, and it should also be flexible enough to be usable for all different types of chains.

xlc, Jun 09 '22 23:06

This issue has been mentioned on Polkadot Forum. There might be relevant details there:

https://forum.polkadot.network/t/parachain-technical-summit-next-steps/51/1

Polkadot-Forum, Aug 27 '22 15:08

A permissionless pause could introduce a new attack vector for some chains with time-sensitive operations.

It's pretty bad form to require that any transaction can always get through in a definite period of time. There are other reasons why this might not happen. Furthermore if there's a particular dispatchable which you want to always get through, it's trivial to put it in the safe-mode Call filter.

gavofyork, Sep 15 '22 08:09

In that case, the reserved funds may be unreserved only after 24 hours and may be slashed or unreserved prior by a strong governance origin.

But here I see:

Any deposit made for inducing safe mode should not be returned by default.

So if I understand correctly we still want the reservation to be releasable by anyone after a specific time. This is implemented here as a configurable optional call.

If not, do we only want reservations to be released explicitly via the configured origin?

nuke-web3, Oct 13 '22 19:10