Make xcm execution non-mandatory

I don't know which is the best place between GitHub and the forum to talk about this problem, so I am writing on both.

The problem

In the FRAME framework, there are two kinds of on-chain execution: mandatory and non-mandatory.

Extrinsic execution is not mandatory, so the block producer can exclude an extrinsic from the block if its execution panics. On the other hand, the execution of some hooks and inherents is mandatory, meaning that it is impossible to produce a valid block without executing them.

If a panic occurs during a mandatory execution, the chain is stalled. If this happens to a parachain, it is forced to go through Polkadot governance (or Kusama, depending on the network concerned) to deploy a runtime hotfix, which will generally involve several days of downtime for the parachain in question.

For some parachains this is not acceptable, which is why mandatory executions should be minimized.

However, the execution of incoming XCM messages is currently mandatory, which is a problem because XCM messages can execute any runtime call (with Transact).
We therefore lose the security feature that discards an extrinsic if it contains a bug.

Today's XCMP queue and DMP queue pallets have been designed in such a way that they cannot easily execute XCM messages non-mandatorily.

Deferring execution to the on_idle hook is not a solution, as the on_idle hook is mandatory if there’s enough block space left.

Proposal

Create a non-mandatory inherent for the XCMP queue and DMP queue pallets, and defer execution of XCM messages to these non-mandatory inherents.

A new storage item XcmExecuted can store a boolean that is set to false in on_initialize and verified in on_finalize. If it is still false in on_finalize, then the queue is suspended. Then, to solve the bug, parachain governance must be used.

The goal is precisely to be able to solve the potential bug through the governance of the parachain, without having to involve the governance of the relay chain.

Do you have a better idea of how to achieve this goal?

Related github issue: Make xcm execution non-mandatory · Issue #2819 · paritytech/cumulus · GitHub

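The lifecycle proposed in the post above, modelled in plain Rust as an added example. This is not code from the post, from cumulus or from FRAME: there are no pallet macros or real storage here, only an in-memory `QueueState` whose `xcm_executed` field plays the role of the proposed `XcmExecuted` storage item. The "block producer excludes a panicking non-mandatory inherent" rule is modelled with `catch_unwind` over a cloned state, so a panic discards every change the inherent made, matching how a failed extrinsic's storage changes are reverted. `governance_fix` stands in for a parachain-governance hotfix and is an assumption of the model, not a real call.

```rust
use std::panic::{self, AssertUnwindSafe};

/// One queued inbound XCM message (constructed sample data; `panics` models a
/// message whose execution hits a runtime bug, e.g. a panicking Transact).
#[derive(Debug, Clone, PartialEq)]
pub struct Message {
    pub id: u32,
    pub panics: bool,
}

/// Runtime state relevant to the proposal. `xcm_executed` models the proposed
/// `XcmExecuted` storage item; `suspended` is the queue-suspension flag.
#[derive(Debug, Clone, Default, PartialEq)]
pub struct QueueState {
    pub xcm_executed: bool,
    pub suspended: bool,
    pub pending: Vec<Message>,
    pub processed: Vec<u32>,
}

/// Mandatory hook: reset the flag at the start of every block.
pub fn on_initialize(s: &mut QueueState) {
    s.xcm_executed = false;
}

/// The proposed non-mandatory inherent: drain the queue, then set the flag.
/// A panic here models a bug in message execution.
pub fn process_xcm_inherent(s: &mut QueueState) {
    while !s.pending.is_empty() {
        let m = s.pending.remove(0);
        if m.panics {
            panic!("bug while executing XCM message {}", m.id);
        }
        s.processed.push(m.id);
    }
    s.xcm_executed = true;
}

/// Mandatory hook: if the inherent was not included this block, suspend the
/// queue instead of stalling the chain. Never panics.
pub fn on_finalize(s: &mut QueueState) {
    if !s.suspended && !s.xcm_executed {
        s.suspended = true;
    }
}

/// Block author's view of one block. Returns whether the inherent was included.
/// The inherent runs against a clone; on panic the clone is dropped, so the
/// committed state is exactly what it was before the inherent ran.
pub fn build_block(s: &mut QueueState) -> bool {
    on_initialize(s);
    let mut included = false;
    if !s.suspended {
        let mut trial = s.clone();
        let outcome = panic::catch_unwind(AssertUnwindSafe(|| process_xcm_inherent(&mut trial)));
        if outcome.is_ok() {
            *s = trial;
            included = true;
        }
    }
    on_finalize(s);
    included
}

/// Hypothetical parachain-governance hotfix: clears the suspension and, for the
/// model, "repairs" the buggy message handler so the messages no longer panic.
pub fn governance_fix(s: &mut QueueState) {
    s.suspended = false;
    for m in &mut s.pending {
        m.panics = false;
    }
}

pub fn sample_queue() -> QueueState {
    QueueState {
        pending: vec![
            Message { id: 1, panics: false },
            Message { id: 2, panics: true },
            Message { id: 3, panics: false },
        ],
        ..Default::default()
    }
}

fn main() {
    let mut s = sample_queue();
    let included = build_block(&mut s);
    println!("block 1: inherent included = {included}, state = {s:?}");
    governance_fix(&mut s);
    let included = build_block(&mut s);
    println!("block 2: inherent included = {included}, state = {s:?}");
}
```

The point the model makes concrete: because the inherent is not mandatory, a buggy message costs the parachain only XCM throughput (the queue suspends, later blocks still get produced) rather than liveness, and the `XcmExecuted` check in `on_finalize` turns "the inherent was silently dropped" into an explicit on-chain state that governance can act on.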

I believe this will be handled by executing XCM programs within tasks, described in [FRAME Core] General system for recognising and executing service work · Issue #13530 · paritytech/substrate · GitHub


Ask Alistair but afaik…

We always want reliable delivery and execution in messaging systems which touch the relay chain, but these should be restricted, meaning XCM should not be able to execute any runtime call.

If you do not need reliable execution, then you could do purely off-relay-chain messages, which look like:

  1. message body M
  2. inclusion proof of M in some sending parachain block P1
  3. backing proof of P1 in relay chain block R1
  4. ancestry proof of R1 for another relay chain block R2
  5. proof that R2 is a relay parent of some block P2 on the receiving parachain
  6. parachain enforces that P2 is an ancestor of the receiving parachain block

In this, 4 could be empty if R1 = R2, and 5+6 could be almost empty if P2 is the current block.