Overview
Synopsis
Learn about the 07-tendermint light client module.
The Tendermint client is the first and most deployed light client in IBC. It implements the IBC light client module interface to track a counterparty running CometBFT consensus.
Tendermint is the old name of CometBFT which has been retained in IBC to avoid
expensive migration costs.
The Tendermint client consists of two important structs that keep track of the state of the counterparty chain and allow for future updates. The ClientState struct contains all the parameters necessary for CometBFT header verification. The ConsensusState, on the other hand, is a compressed view of a particular header of the counterparty chain. Unlike off chain light clients, IBC does not store full header. Instead it stores only the information it needs to prove verification of key/value pairs in the counterparty state (i.e. the header AppHash), and the information necessary to use the consensus state as the next root of trust to add a new consensus state to the client (i.e. the header NextValidatorsHash and Timestamp). The relayer provides the full trusted header on UpdateClient, which will get checked against the compressed root-of-trust consensus state. If the trusted header matches a previous consensus state, and the trusted header and new header pass the CometBFT light client update algorithm, then the new header is compressed into a consensus state and added to the IBC client.
Each Tendermint Client is composed of a single ClientState keyed on the client ID, and multiple consensus states which are keyed on both the clientID and header height. Relayers can use the consensus states to verify merkle proofs of packet commitments, acknowledgements, and receipts against the AppHash of the counterparty chain in order to enable verified packet flow.
If a counterparty chain violates the CometBFT protocol in a way that is detectable to off-chain light clients, this misbehaviour can also be submitted to an IBC client by any off-chain actor. Upon verification of this misbehaviour, the Tendermint IBC Client will freeze, preventing any further packet flow from this malicious chain from occurring. Governance or some other out-of-band protocol may then be used to unwind any damage that has already occurred.
Initialization
The Tendermint light client is initialized with a ClientState that contains parameters necessary for CometBFT header verification along with a latest height and ConsensusState that encapsulates the application state root of a trusted header that will serve to verify future incoming headers from the counterparty.
Updates
Once the initial client state and consensus state are submitted, future consensus states can be added to the client by submitting IBC headers. These headers contain all necessary information to run the CometBFT light client protocol.
For detailed information on the CometBFT light client protocol and its safety properties please refer to the original Tendermint whitepaper.
Proofs
As consensus states are added to the client, they can be used for proof verification by relayers wishing to prove packet flow messages against a particular height on the counterparty. This uses the VerifyMembership and VerifyNonMembership methods on the Tendermint client.
The Tendermint client is initialized with an ICS23 proof spec. This allows the Tendermint implementation to support many different merkle tree structures so long as they can be represented in an ics23.ProofSpec.
Misbehaviour
The Tendermint light client directly tracks consensus of a CometBFT counterparty chain. So long as the counterparty is Byzantine Fault Tolerant, that is to say, the malicious subset of the bonded validators does not exceed the trust level of the client, then the client is secure.
In case the malicious subset of the validators exceeds the trust level of the client, then the client can be deceived into accepting invalid blocks and the connection is no longer secure.
The Tendermint client has some mitigations in place to prevent this. If there are two valid blocks signed by the counterparty validator set at the same height [e.g. a valid block signed by an honest subset and an invalid block signed by a malicious one], then these conflicting headers can be submitted to the client as misbehaviour. The client will verify the headers and freeze the client; preventing any future updates and proof verification from succeeding. This effectively halts communication with the compromised counterparty while out-of-band social consensus can unwind any damage done.
Similarly, if the timestamps of the headers are not monotonically increasing, this can also be evidence of malicious behaviour and cause the client to freeze.
Thus, any consensus faults that are detectable by a light client are part of the misbehaviour protocol and can be used to minimize the damage caused by a compromised counterparty chain.
Security model
It is important to note that IBC is not a completely trustless protocol; it is trust-minimized. This means that the safety property of bilateral IBC communication between two chains is dependent on the safety properties of the two chains in question. If one of the chains is compromised completely, then the IBC connection to the other chain is liable to receive invalid packets from the malicious chain. For example, if a malicious validator set has taken over more than 2/3 of the validator power on a chain; that malicious validator set can create a single chain of blocks with arbitrary commitment roots and arbitrary commitments to the next validator set. This would seize complete control of the chain and prevent the honest subset from even being able to create a competing honest block.
In this case, there is no ability for the IBC Tendermint client solely tracking CometBFT consensus to detect the misbehaviour and freeze the client. The IBC protocol would require out-of-band mechanisms to detect and fix such an egregious safety fault on the counterparty chain. Since the Tendermint light client is only tracking consensus and not also verifying the validity of state transitions, malicious behaviour from a validator set that is beyond the BFT fault threshold is an accepted risk of this light client implementation.
The IBC protocol has principles of fault isolation (e.g. all tokens are prefixed by their channel, so tokens from different chains are not mutually fungible) and fault mitigation (e.g. ability to freeze the client if misbehaviour can be detected before complete malicious takeover) that make this risk as minimal as possible.