Redundancy
Last updated
Last updated
Despite the various General Message Passing (GMP) protocols having robust decentralized consensus mechanisms, a compromised GMP could potentially inject unauthorized messages into contracts at any time. To counter this issue, implementing redundancy routing is an effective solution.
Redundancy routing involves sending the same message through multiple pathways. Upon arrival, the destination expects several instances of this message from various different sources. These received messages are then cross-checked to ensure their content is consistent and hasn't been modified by any intermediaries within the network.
The redundancy feature of Glacis enables an application to simultaneously dispatch a message through various GMP protocols. On the destination chain, the message will be forwarded to the intended contract only if a predetermined number of identical messages are received from different GMP protocols.
To be able to account for identical messages, Glacis creates a unique messageId for every routed message.
Glacis messageId is calculated by serializing and hashing the following routing parameters:
uint256
toChainId
The Glacis ID of the chain that you wish to send a message to
uint256
fromChainId
The Glacis ID of the chain that the message is being sent from
address
to
The address of the destination contract that you are sending a message to
bytes32
payloadHash
The hash of the payload that is being sent to destination contract
address
messageSender
The sender of the message
uint256
nonce
A calculated nonce
As a result a bytes32 messageId is generated on source Glacis Infrastructure, returned to the caller, and encoded along with the message payload.
At the destination, within the Glacis Infrastructure, the messageId is recalculated and verified. All incoming messages that have matching validated messageIds are regarded as identical.
Quorum represents the number of identical messages that Glacis needs to receive to effectively send the message to the destination.
To prevent potential tampering of the quorum, it is established previously on the destination contract rather than being transmitted via the message itself.
When messages are received on the destination chain, the Glacis Infrastructure will compile all messages from various GMP protocols, accounting for those that are identical.
If a GMP protocol is compromised and the message payload is maliciously altered, this results in a different messageId. Consequently, such messages will be counted in a different messageId accumulator hence separated in the count towards achieving the quorum.
If the number of identical messages is equal to the requested quorum the message is delivered to destination
If the application wants to be sure that no GMP protocol has tampered the message the following steps must be performed:
Set a required quorum on the destination contract
Route through more than one GMP by specifying a list of glacis GMP IDs.
Upon the first reception of a new message, Glacis will check for the destination smart contract's required quorum and start accumulating for identical messageId receipts.
If the quorum is not reached the message is not delivered to the destination.
If a message of some message ID is received with identical content and metadata, the message count increases. If it becomes equal to the quorum, the last message is delivered to the destination contract.
Any other message arriving with the same Id will increase the number of receipts but that will not trigger a new delivery since the quorum will have already been exceeded.
Key potential challenges associated with redundancy in message passing include:
Forced Quorum
Tampered Payload
A compromised GMP might attempt to unilaterally achieve quorum by preempting other GMPs, through dispatching multiple copies of the message, thereby forcibly meeting the quorum requirements.
To mitigate this, Glacis keeps a record of which GMP each message arrived from and does not allow the processing of a message that has already been received previously from a GMP.
A compromised GMP might attempt to alter the original message payload.
To mitigate this, Glacis calculates on the destination chain the message Id and compares it to the message's Id. If they differ, the message is discarded as an invalid message Id.
The process through which Glacis achieves redundancy takes place in the GlacisRouter and unfolds as follows:
When the application executes the route() function with a message with retriable true, the following tasks are performed by the router:
Increment a unique nonce that is then added to the message payload
Create a message Id that includes the routing parameters along with payload hash, message sender and nonce
Upon the reception of a message from a GMP, the receiveMessage() function is executed, performing the following tasks:
Get client contract quorum configuration
Extract the message receipts for this messageId.
Validate there are no previous receipts for this messageId for each requested GMP.
Validate that the messageId calculated with all passed parameters is equal to the informed one.
Increase the number of unique messages received for this messageId and GMP
If all checks pass, and the number of received messages for this messageId is equal to client quorum configuration, deliver the message to destination.