feat!: prevent modifications on governance unmodifiable params

[fahimahmedx]

Overview

1 of 2 PRs that will address #2916. This PR adds test cases for the governance unmodifiable params.
The three params below are not added as they are already constants in mint/types/constants.go

mint.DisinflationRate
mint.InitialInflationRate
mint.TargetInflationRate

Checklist

• New and updated code has appropriate documentation
• New and updated code has new and/or updated testing
• Required CI checks are passing
• Visual proof for any user facing features like CLI or documentation updates
• Linked issues closed with keywords

[coderabbitai]

Warning

Rate Limit Exceeded

@fahimahmedx has exceeded the limit for the number of files or commits that can be reviewed per hour. Please wait 7 minutes and 51 seconds before requesting another review.

How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.
Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.
Please see our FAQ for further information.

Commits

Files that changed from the base of the PR and between 3738a99 and 5958cb4.

Walkthrough

The changes involve updates to the App struct and various test cases to accommodate new and modified parameters, primarily affecting staking configurations and governance. The updates reflect a broader set of controls for block sizes, validator options, and unbonding times, with corresponding adjustments in the test suites to ensure compliance with the new parameter specifications.

Changes

File(s)	Change Summary
app/app.go	Updated BlockedParams to include new parameters for consensus, staking, and block configuration.
x/paramfilter/test/param_filter_test.go, app/test/std_sdk_test.go	Modified staking parameter references and assertions in test cases.
specs/src/specs/params.md	Added information on tests and clarified governance parameters in the specs document.
x/paramfilter/test/governance_params_test.go	Introduced a new test suite for governance parameter change proposals.

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

---

Tips

Chat with CodeRabbit Bot (@coderabbitai)

Note: Auto-reply has been disabled for this repository by the repository owner. The CodeRabbit bot will not respond to your comments unless it is explicitly tagged.

• You can tag CodeRabbit on specific lines of code or entire files in the PR by tagging @coderabbitai in a comment. Examples:
  • @coderabbitai generate unit tests for this file.
  • @coderabbitai modularize this function.
• You can tag @coderabbitai in a PR comment and ask questions about the PR and the codebase. Examples:
  • @coderabbitai generate interesting stats about this repository from git and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit tests.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid.
  • @coderabbitai read the files in the src/scheduler package and generate README in the markdown format.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger a review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• The JSON schema for the configuration file is available here.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/coderabbit-overrides.v2.json

CodeRabbit Discord Community

Join our Discord Community to get help, request features, and share feedback.

[fahimahmedx]

In paramfilter/test/param_filter_test.go, is this test still valid considering staking.MaxValidators can not be changed by governance?

[rootulp]

In paramfilter/test/param_filter_test.go, is this test still valid considering staking.MaxValidators can not be changed by governance?

Good point. params.md claims that MaxValidators is not governance-modifiable
https://github.com/celestiaorg/celestia-app/blame/74b3404679e8b258b58fad5b791794f522baa460/specs/src/specs/params.md#L64

So in my opinion:

1. The existing test should be re-written to include a valid change (i.e. modify a param that is governance modifiable) and an invalid change (modify a param that is not governance modifiable or not even a real param) and verify that no changes are observed to the first param.
2. Add a separate test that verifies that MaxValidators is not governance modifiable

[rootulp]

Thanks for tackling this! I left a few comments on how I think we can proceed

[rootulp]

[blocking] this adds more params to the list of blocked params which is potentially something we need to do so that there isn't a divergence between what is stated in params.md and what is actually modifiable. However, it's not clear if these need to be added without appropriate test coverage.

IMO we should tackle this in a few steps:

1. Write a table-driven test with test cases for each param listed in params.md. The test should attempt to modify the param and see if it was actually modified. Each test case should have a boolean field that indicates if modification was expected to happen (i.e. that param is governance modifiable) or not happen (i.e. that param is not governance modifiable).
2. Once we have the test above, we can compare the test results to params.md. If any divergences exist, create a GH issue with the divergence so that we can get alignment on whether the param should be governance modifiable.
3. [Optional] If there are any params that are governance modifiable and shouldn't be, we may need to add them to this BlockedParams list.

[rootulp]

This PR adds test cases for the governance unmodifiable params.

@fahimahmedx is it possible you didn't push a commit? I don't see the new test cases.

[fahimahmedx]

@rootulp Hi Rootul, thank you for your fast review!

1. Regarding the adding test cases, correct me if I'm wrong, is it not the case that the already existing test case should test the newly added parameters (for the unmodifiable params specifically)? I will add additional test cases for the modifiable params in a seperate PR.

2. As another question regarding the consensus.block.TimeIotaMs param, I noticed that in our version of cosmos-sdk, there is no cosmos-sdk/x/consensus/types folder. However, I noticed that the BlockParams struct in proto/tendermint/types/params.pb.go contains the field TimeIotaMs. Is it valid for me to block the param using baseapp.ParamStoreKeyBlockParams? Because the issue I see doing this is that it also blocks consensus.block.MaxBytes and consensus.block.MaxGas which are not supposed to be blocked, so any input on how to approach this would be greatly appreciated!

3. A similar problem to the question above is regarding global params like MaxSquareSize. I wasn't able to find any usage of it outside of a struct Params inside of a test folder, test/testground/network/params.go. Any thoughts on how I would access this param?

[rootulp]

is it not the case that the already existing test case should test the newly added parameters (for the unmodifiable params specifically)? I will add additional test cases for the modifiable params in a seperate PR.

Rephrasing a bit to something I understand: does the existing test TestParamFilter already cover unmodifiable params? IMO it doesn't because it only tests the BlockedParams() which as you've noticed doesn't contain all of the claimed unmodifiable params in params.md

So I think we should add test cases for those params before modifying the BlockedParams to see if they're actually necessary to add to BlockedParams.

[cmwaters]

Can we rephrase the name of this PR from test to feat! as it's a breaking change which adds functionality

[fahimahmedx]

Hi @rootulp, I noticed that that there isn't a mint.BondDenom in celestia's cosmos-sdk. Rather, there is a mint.MintDenom as seen here. Is the docs supposed to say mint.MintDenom instead?

Additionally, as parameters like mint.DisinflationRate are constants as seen here, is that enough reasoning to prove this governance unmodifiable parameter is indeed unmodifiable?

[rootulp]

Sorry for my delay @fahimahmedx.

I noticed that that there isn't a mint.BondDenom in celestia's cosmos-sdk. Rather, there is a mint.MintDenom as seen here. Is the docs supposed to say mint.MintDenom instead?

celestia-app doesn't use the mint module defined in celestiaorg/cosmos-sdk so MintDenom doesn't need to be covered by these tests. celestia-app uses the x/mint module defined in this repo so mint.BondDenom is likely referring to this.

is that enough reasoning to prove this governance unmodifiable parameter is indeed unmodifiable?

Yep. Since mint.InitialInflationRate, mint.DisinflationRate, and mint.TargetInflationRate are constants, I think they don't strictly need to be covered by tests here.

[rootulp]

is this enough justification to show that mint.BondDenom is not modifiable by governance?

Yes I think it is. Thanks for your thorough research! We may want to include a note in the mint module README.md that the mint module doesn't have any governance modifiable parameters for the reasons you've outlined. We can include the note in a separate PR, it doesn't have to be in this one.

Update: https://github.com/celestiaorg/celestia-app/tree/main/x/mint#params exists already so we may not need to add anything. Instead we could add a note in paramfilter or params.md that the x/mint module doesn't have any governance modifiable params.

[fahimahmedx]

Hi @rootulp, I've implemented the changes and the PR is now ready for review!
Addressing point 2 on this comment, the following parameters that were supposed to be unmodifiable were able to be modified through a proposal request.

• bank.SendEnabled
• conensus.validator.PubKeyTypes
• consensus.Version.AppVersion
• staking.BondDenom
• staking.MaxValidators
• staking.UnbondingTime

Do I proceed with opening an issue for each parameter (given this divergence) to get alignment on if they should be modifiable or not?

I have added these parameters to App.BlockedParams() to prevent them from being modified in the meanwhile.

[rootulp]

Thanks for all your hard work here!

Do I proceed with opening an issue for each parameter (given this divergence) to get alignment on if they should be modifiable or not?

Yea can you please open one GH issue and reference the list of params that are governance modifiable even though the specs claim they shouldn't be modifiable. Then we can get input from the team (cc: @evan-forbes ) on how to proceed.

IMO we should have tests covering all the params before we add any params to the blocked list.

[rootulp]

[question] if TimeIotaMs is not in consensus.block, should it be removed from the list of params above? Do you know if this field exists elsewhere?

[fahimahmedx]

For context, ConsensusParams in celestia-core/abci/types/types.pb.go as seen here uses BlockParam from celestia-core/abci/types/types.pb.go instead of types1.BlockParams from celestia-core/proto/tendermint/types/params.pb.go.
We use this version of ConsensusParams in BaseApp.GetConsensusParams() as seen in cosmos-sdk/baseapp/baseapp.go here.

BlockParam does not contain TimeIotaMs, however I am not sure why types1.BlockParams (which contains it) isn't used instead, or if ConsensusParams from celestia-core/proto/tendermint/types/params.pb.go as seen here is another valid alternative that could be used instead in baseapp.go.

With this context in mind and knowing the field exists somewhere else (but seems to not be used), I think it would be good to clarify if the intended version of BlockParams is being used in the first place before we discuss if TimeIotaMs should be removed from params.md. Do you have any thoughts on this or know of anyone else who might?

[fahimahmedx]

For further context on why I ask this, it is because I use BaseApp.GetConsensusParams() when testing if the governance modification was successful. This commit here shows this code.

[rootulp]

I expect this test to fail when running make test-short. If that's the case, we may want to skip it in short mode via something like:

	if testing.Short() {
		t.Skip("skipping handler test suite in short mode.")
	}
	suite.Run(t, new(HandlerTestSuite))

[rootulp]

[blocking] this is a breaking change so if it is included in this PR then the PR title needs a ! to conform to conventional commits.

IMO we shouldn't add this to the blocked list yet. We should create a GH issue with the list of params that are governance modifiable even though the specs claim they shouldn't be. We should get team alignment on what to do for those params. Then we may update this list or update the specs accordingly. cc: @evan-forbes

[evan-forbes]

yeah any consens breaking change needs a CIP

@fahimahmedx, this is consensus breaking since nodes running this won't change a param, where nodes that are not will change the param

[evan-forbes]

the CIP doesn't have to be super in depth, since the change is pretty small, but we do still need to explain the benefits of adding or removing any params

[rootulp]

Converting this to draft until we have a CIP with alignment.