Add few clarifications

Merge branch 'master' into zm_fork-accountability
table discussion
2025-07-24 00:32:02 +00:00 · 2019-09-02 15:00:19 +02:00 · 2019-08-26 15:17:03 +04:00 · 2019-08-26 09:30:33 +02:00 · 2019-08-26 09:05:34 +02:00 · 2019-08-23 17:02:19 +02:00
15 changed files with 630 additions and 671 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -51,6 +51,22 @@ jobs:
          paths:
            - /go/src/github.com/tendermint/tendermint

+  build_slate:
+    <<: *defaults
+    steps:
+      - attach_workspace:
+          at: /tmp/workspace
+      - restore_cache:
+          key: v4-pkg-cache
+      - restore_cache:
+          key: v3-tree-{{ .Environment.CIRCLE_SHA1 }}
+      - run:
+          name: slate docs
+          command: |
+            set -ex
+            export PATH="$GOBIN:$PATH"
+            make build-slate
+
  test_abci_apps:
    <<: *defaults
    steps:
@@ -200,11 +216,11 @@ jobs:
          name: Trigger website build
          command: |
            curl --silent \
-                --show-error \
-                -X POST \
-                --header "Content-Type: application/json" \
-                -d "{\"branch\": \"$CIRCLE_BRANCH\"}" \
-                "https://circleci.com/api/v1.1/project/github/$CIRCLE_PROJECT_USERNAME/$WEBSITE_REPO_NAME/build?circle-token=$TENDERBOT_API_TOKEN" > response.json
+                 --show-error \
+                 -X POST \
+                 --header "Content-Type: application/json" \
+                 -d "{\"branch\": \"$CIRCLE_BRANCH\"}" \
+                 "https://circleci.com/api/v1.1/project/github/$CIRCLE_PROJECT_USERNAME/$WEBSITE_REPO_NAME/build?circle-token=$TENDERBOT_API_TOKEN" > response.json

            RESULT=`jq -r '.status' response.json`
            MESSAGE=`jq -r '.message' response.json`
@@ -357,12 +373,12 @@ jobs:
    steps:
      - checkout
      - run:
-          name: Test RPC endpoints against swagger documentation
+          name: Test RPC endpoints agsainst swagger documentation
          command: |
            set -x
            export PATH=~/.local/bin:$PATH

-            # install node and dredd
+            # install node 11.15 and dredd
            ./scripts/get_nodejs.sh

            # build the binaries with a proper version of Go
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,32 +1,5 @@
 # Changelog

-## v0.32.3
-
-*August 28, 2019*
-
-@climber73 wrote the [Writing a Tendermint Core application in Java
-(gRPC)](https://github.com/tendermint/tendermint/blob/master/docs/guides/java.md)
-guide.
-
-Special thanks to external contributors on this release:
-@gchaincl, @bluele, @climber73
-
-Friendly reminder, we have a [bug bounty
-program](https://hackerone.com/tendermint).
-
-### IMPROVEMENTS:
-
- [consensus] [\#3839](https://github.com/tendermint/tendermint/issues/3839) Reduce "Error attempting to add vote" message severity (Error -> Info)
- [mempool] [\#3877](https://github.com/tendermint/tendermint/pull/3877) Make `max_tx_bytes` configurable instead of `max_msg_bytes` (@bluele)
- [privval] [\#3370](https://github.com/tendermint/tendermint/issues/3370) Refactor and simplify validator/kms connection handling. Please refer to [this comment](https://github.com/tendermint/tendermint/pull/3370#issue-257360971) for details
- [rpc] [\#3880](https://github.com/tendermint/tendermint/issues/3880) Document endpoints with `swagger`, introduce contract tests of implementation against documentation
-
-### BUG FIXES:
-
- [config] [\#3868](https://github.com/tendermint/tendermint/issues/3868) Move misplaced `max_msg_bytes` into mempool section (@bluele)
- [rpc] [\#3910](https://github.com/tendermint/tendermint/pull/3910) Fix DATA RACE in HTTP client (@gchaincl)
- [store] [\#3893](https://github.com/tendermint/tendermint/issues/3893) Fix "Unregistered interface types.Evidence" panic
-
 ## v0.32.2

 *July 31, 2019*
--- a/CHANGELOG_PENDING.md
+++ b/CHANGELOG_PENDING.md
@@ -1,4 +1,4 @@
-## v0.32.4
+## v0.32.3

 \*\*

@@ -19,4 +19,13 @@ program](https://hackerone.com/tendermint).

 ### IMPROVEMENTS:

+- [privval] \#3370 Refactors and simplifies validator/kms connection handling. Please refer to thttps://github.com/tendermint/tendermint/pull/3370#issue-257360971
+- [consensus] \#3839 Reduce "Error attempting to add vote" message severity (Error -> Info)
+- [mempool] \#3877 Make `max_tx_bytes` configurable instead of `max_msg_bytes`
+- [rpc] \#3880 Document endpoints with `swagger`, introduce contract tests of implementation against documentation
+
 ### BUG FIXES:
+
+- [config] \#3868 move misplaced `max_msg_bytes` into mempool section
+- [store] \#3893 register block amino, not just crypto
+- [rpc] [\#3910](https://github.com/tendermint/tendermint/pull/3910) protect subscription access from race conditions (@gchaincl)
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -2,7 +2,7 @@

 Thank you for considering making contributions to Tendermint and related repositories! Start by taking a look at the [coding repo](https://github.com/tendermint/coding) for overall information on repository workflow and standards.

-Please follow standard github best practices: fork the repo, branch from the tip of `master`, make some commits, and submit a pull request to `master`.
+Please follow standard github best practices: fork the repo, branch from the tip of `master`, make some commits, and submit a pull request to `master`. 
 See the [open issues](https://github.com/tendermint/tendermint/issues) for things we need help with!

 Before making a pull request, please open an issue describing the
@@ -21,16 +21,16 @@ Please make sure to use `gofmt` before every commit - the easiest way to do this

 Please note that Go requires code to live under absolute paths, which complicates forking.
 While my fork lives at `https://github.com/ebuchman/tendermint`,
-the code should never exist at `$GOPATH/src/github.com/ebuchman/tendermint`.
+the code should never exist at  `$GOPATH/src/github.com/ebuchman/tendermint`.
 Instead, we use `git remote` to add the fork as a new remote for the original repo,
-`$GOPATH/src/github.com/tendermint/tendermint`, and do all the work there.
+`$GOPATH/src/github.com/tendermint/tendermint `, and do all the work there.

 For instance, to create a fork and work on a branch of it, I would:

- Create the fork on github, using the fork button.
- Go to the original repo checked out locally (i.e. `$GOPATH/src/github.com/tendermint/tendermint`)
- `git remote rename origin upstream`
- `git remote add origin git@github.com:ebuchman/basecoin.git`
+  * Create the fork on github, using the fork button.
+  * Go to the original repo checked out locally (i.e. `$GOPATH/src/github.com/tendermint/tendermint`)
+  * `git remote rename origin upstream`
+  * `git remote add origin git@github.com:ebuchman/basecoin.git`

 Now `origin` refers to my fork and `upstream` refers to the tendermint version.
 So I can `git push -u origin master` to update my fork, and make pull requests to tendermint from there.
@@ -38,8 +38,8 @@ Of course, replace `ebuchman` with your git handle.

 To pull in updates from the origin repo, run

- `git fetch upstream`
- `git rebase upstream/master` (or whatever branch you want)
+  * `git fetch upstream`
+  * `git rebase upstream/master` (or whatever branch you want)

 ## Dependencies

@@ -113,7 +113,7 @@ removed from the header in rpc responses as well.

 ## Branching Model and Release

-The main development branch is master.
+The main development branch is master. 

 Every release is maintained in a release branch named `vX.Y.Z`.

@@ -140,35 +140,36 @@ easy to reference the pull request where a change was introduced.

 #### Major Release

-1. start on `master`
+1. start on `master` 
 2. run integration tests (see `test_integrations` in Makefile)
 3. prepare release in a pull request against `master` (to be squash merged):
-   - copy `CHANGELOG_PENDING.md` to top of `CHANGELOG.md`
-   - run `python ./scripts/linkify_changelog.py CHANGELOG.md` to add links for
-     all issues
-   - run `bash ./scripts/authors.sh` to get a list of authors since the latest
-     release, and add the github aliases of external contributors to the top of
-     the changelog. To lookup an alias from an email, try `bash ./scripts/authors.sh <email>`
-   - reset the `CHANGELOG_PENDING.md`
-   - bump versions
+    - copy `CHANGELOG_PENDING.md` to top of `CHANGELOG.md`
+    - run `python ./scripts/linkify_changelog.py CHANGELOG.md` to add links for
+      all issues
+    - run `bash ./scripts/authors.sh` to get a list of authors since the latest
+      release, and add the github aliases of external contributors to the top of
+      the changelog. To lookup an alias from an email, try `bash
+      ./scripts/authors.sh <email>`
+    - reset the `CHANGELOG_PENDING.md`
+    - bump versions
 4. push your changes with prepared release details to `vX.X` (this will trigger the release `vX.X.0`)
 5. merge back to master (don't squash merge!)

 #### Minor Release

-If there were no breaking changes and you need to create a release nonetheless,
-the procedure is almost exactly like with a new release above.
+If there were no breaking changes and you need to create a release nonetheless, 
+the procedure is almost exactly like with a new release above. 

 The only difference is that in the end you create a pull request against the existing `X.X` branch.
 The branch name should match the release number you want to create.
-Merging this PR will trigger the next release.
-For example, if the PR is against an existing 0.34 branch which already contains a v0.34.0 release/tag,
+Merging this PR will trigger the next release. 
+For example, if the PR is against an existing 0.34 branch which already contains a v0.34.0 release/tag, 
 the patch version will be incremented and the created release will be v0.34.1.

 #### Backport Release

 1. start from the existing release branch you want to backport changes to (e.g. v0.30)
-   Branch to a release/vX.X.X branch locally (e.g. release/v0.30.7)
+Branch to a release/vX.X.X branch locally (e.g. release/v0.30.7)
 2. cherry pick the commit(s) that contain the changes you want to backport (usually these commits are from squash-merged PRs which were already reviewed)
 3. steps 2 and 3 from [Major Release](#major-release)
 4. push changes to release/vX.X.X branch
@@ -186,12 +187,12 @@ includes its continuous integration status using a badge in the `README.md`.
 ### RPC Testing

 If you contribute to the RPC endpoints it's important to document your changes in the [Swagger file](./docs/spec/rpc/swagger.yaml)
-To test your changes you should install `nodejs` and run:
+To test your changes you should install `nodejs` version `v11.15.*` and run:

 ```bash
 npm i -g dredd
 make build-linux build-contract-tests-hooks
 make contract-tests
-```
+``` 

 This command will popup a network and check every endpoint against what has been documented
--- a/21
+++ b/21
@@ -16,9 +16,6 @@ BUILD_FLAGS = -mod=readonly -ldflags "$(LD_FLAGS)"

 all: check build test install

-# The below include contains the tools.
-include scripts/Makefile
-
 check: check_tools

 ########################################
@@ -82,13 +79,13 @@ check_tools:
 	@echo "Found tools: $(foreach tool,$(notdir $(GOTOOLS)),\
        $(if $(shell which $(tool)),$(tool),$(error "No $(tool) in PATH")))"

-# get_tools:
-# 	@echo "--> Installing tools"
-# 	./scripts/get_tools.sh
+get_tools:
+	@echo "--> Installing tools"
+	./scripts/get_tools.sh

-# update_tools:
-# 	@echo "--> Updating tools"
-# 	./scripts/get_tools.sh
+update_tools:
+	@echo "--> Updating tools"
+	./scripts/get_tools.sh

 #For ABCI and libs
 get_protoc:
@@ -307,6 +304,10 @@ sentry-stop:
 	@if [ -z "$(DO_API_TOKEN)" ]; then echo "DO_API_TOKEN environment variable not set." ; false ; fi
 	cd networks/remote/terraform && terraform destroy -var DO_API_TOKEN="$(DO_API_TOKEN)" -var SSH_KEY_FILE="$(HOME)/.ssh/id_rsa.pub"

+# meant for the CI, inspect script & adapt accordingly
+build-slate:
+	bash scripts/slate.sh
+
 # Build hooks for dredd, to skip or add information on some steps
 build-contract-tests-hooks:
 ifeq ($(OS),Windows_NT)
@@ -326,4 +327,4 @@ contract-tests:
 # To avoid unintended conflicts with file names, always add to .PHONY
 # unless there is a reason not to.
 # https://www.gnu.org/software/make/manual/html_node/Phony-Targets.html
-.PHONY: check build build_race build_abci dist install install_abci check_tools get_tools update_tools draw_deps get_protoc protoc_abci protoc_libs gen_certs clean_certs grpc_dbserver test_cover test_apps test_persistence test_p2p test test_race test_integrations test_release test100 vagrant_test fmt rpc-docs build-linux localnet-start localnet-stop build-docker build-docker-localnode sentry-start sentry-config sentry-stop protoc_grpc protoc_all build_c install_c test_with_deadlock cleanup_after_test_with_deadlock lint build-contract-tests-hooks contract-tests
+.PHONY: check build build_race build_abci dist install install_abci check_tools get_tools update_tools draw_deps get_protoc protoc_abci protoc_libs gen_certs clean_certs grpc_dbserver test_cover test_apps test_persistence test_p2p test test_race test_integrations test_release test100 vagrant_test fmt rpc-docs build-linux localnet-start localnet-stop build-docker build-docker-localnode sentry-start sentry-config sentry-stop build-slate protoc_grpc protoc_all build_c install_c test_with_deadlock cleanup_after_test_with_deadlock lint build-contract-tests-hooks contract-tests
--- a/README.md
+++ b/README.md
@@ -74,8 +74,9 @@ and the [contributing guidelines](CONTRIBUTING.md) when submitting code.
 Join the larger community on the [forum](https://forum.cosmos.network/) and the [chat](https://riot.im/app/#/room/#tendermint:matrix.org).

 To learn more about the structure of the software, watch the [Developer
-Sessions](/docs/DEV_SESSIONS.md) and read some [Architectural Decision
-Records](https://github.com/tendermint/tendermint/tree/master/docs/architecture).
+Sessions](https://www.youtube.com/playlist?list=PLdQIb0qr3pnBbG5ZG-0gr3zM86_s8Rpqv)
+and read some [Architectural
+Decision Records](https://github.com/tendermint/tendermint/tree/master/docs/architecture).

 Learn more by reading the code and comparing it to the
 [specification](https://github.com/tendermint/tendermint/tree/develop/docs/spec).
--- a/docs/DEV_SESSIONS.md
+++ b/docs/DEV_SESSIONS.md
@@ -1,33 +0,0 @@
-# Developer Sessions
-
-The Tendermint Core developer call is comprised of both [Interchain
-Foundation](http://interchain.io/) and [All in Bits](https://tendermint.com/)
-team members discussing the development of [Tendermint
-BFT](https://github.com/tendermint/tendermint) and related research. The goal
-of the Tendermint Core developer calls is to provide transparency into the
-decision making process, technical information, update cycles etc.
-
-## List
-
-| Date            | Topic                                     | Link(s)                                                                                                           |
-| --------------- | ----------------------------------------- | -------------------------------------------------------------------------------------------------------------- |
-| August 2019     | Part Three: Tendermint Lite Client        | [YouTube](https://www.youtube.com/watch?v=whyL6UrKe7I&list=PLdQIb0qr3pnBbG5ZG-0gr3zM86_s8Rpqv&index=5)         |
-| August 2019     | Fork Accountability                       | [YouTube](https://www.youtube.com/watch?v=Jph-4PGtdPo&list=PLdQIb0qr3pnBbG5ZG-0gr3zM86_s8Rpqv&index=4)         |
-| July 2019       | Part Two: Tendermint Lite Client          | [YouTube](https://www.youtube.com/watch?v=gTjG7jNNdKQ&list=PLdQIb0qr3pnBbG5ZG-0gr3zM86_s8Rpqv&index=6)         |
-| July 2019       | Part One: Tendermint Lite Client          | [YouTube](https://www.youtube.com/watch?v=C6fH_sgPJzA&list=PLdQIb0qr3pnBbG5ZG-0gr3zM86_s8Rpqv&index=7)         |
-| June 2019       | Testnet Deployments                       | [YouTube](https://www.youtube.com/watch?v=gYA6no7tRlM&list=PLdQIb0qr3pnBbG5ZG-0gr3zM86_s8Rpqv&index=10)        |
-| June 2019       | Blockchain Reactor Refactor               | [YouTube](https://www.youtube.com/watch?v=JLBGH8yxABk&list=PLdQIb0qr3pnBbG5ZG-0gr3zM86_s8Rpqv&index=11)        |
-| June 2019       | Tendermint Rust Libraries                 | [YouTube](https://www.youtube.com/watch?v=-WXKdyoGHwA&list=PLdQIb0qr3pnBbG5ZG-0gr3zM86_s8Rpqv&index=9)         |
-| May 2019        | Merkle Tree Deep Dive                     | [YouTube](https://www.youtube.com/watch?v=L3bt2Uw8ICg&list=PLdQIb0qr3pnBbG5ZG-0gr3zM86_s8Rpqv&index=8)         |
-| May 2019        | Remote Signer Refactor                    | [YouTube](https://www.youtube.com/watch?v=eUyXXEEuBzQ&list=PLdQIb0qr3pnBbG5ZG-0gr3zM86_s8Rpqv&index=12)        |
-| May 2019        | Introduction to Ansible                   | [YouTube](https://www.youtube.com/watch?v=72clQLjzPg4&list=PLdQIb0qr3pnBbG5ZG-0gr3zM86_s8Rpqv&index=14&t=0s)   |  |  |
-| April 2019      | Tendermint State Sync Design Discussion   | [YouTube](https://www.youtube.com/watch?v=4k23j2QHwrM&list=PLdQIb0qr3pnBbG5ZG-0gr3zM86_s8Rpqv&index=11)        |
-| April 2019      | ADR-036 - Blockchain Reactor Refactor     | [YouTube](https://www.youtube.com/watch?v=TW2xC1LwEkE&list=PLdQIb0qr3pnBbG5ZG-0gr3zM86_s8Rpqv&index=10)        |
-| April 2019      | Verifying Distributed Algorithms          | [YouTube](https://www.youtube.com/watch?v=tMd4lgPVBxE&list=PLdQIb0qr3pnBbG5ZG-0gr3zM86_s8Rpqv&index=9)         |
-| April 2019      | Byzantine Model Checker Presentation      | [YouTube](https://www.youtube.com/watch?v=rdXl4VCQyow&list=PLdQIb0qr3pnBbG5ZG-0gr3zM86_s8Rpqv&index=8)         |
-| January 2019    | Proposer Selection in Idris               | [YouTube](https://www.youtube.com/watch?v=hWZdc9c1aH8&list=PLdQIb0qr3pnBbG5ZG-0gr3zM86_s8Rpqv&index=7)         |
-| January 2019    | Current Mempool Design                    | [YouTube](https://www.youtube.com/watch?v=--iGIYYiLu4&list=PLdQIb0qr3pnBbG5ZG-0gr3zM86_s8Rpqv&index=6)         |
-| December 2018   | ABCI Proxy App                            | [YouTube](https://www.youtube.com/watch?v=s6sQ2HOVHdo&list=PLdQIb0qr3pnBbG5ZG-0gr3zM86_s8Rpqv&index=5)         |
-| October 2018    | DB Performance                            | [YouTube](https://www.youtube.com/watch?v=jVSNHi4l0fQ&list=PLdQIb0qr3pnBbG5ZG-0gr3zM86_s8Rpqv&index=4)         |
-| October 2018    | Alternative Mempool Algorithms            | [YouTube](https://www.youtube.com/watch?v=XxH5ZtM4vMM&list=PLdQIb0qr3pnBbG5ZG-0gr3zM86_s8Rpqv&index=2)         |
-| October 2018    | Tendermint Termination                    | [YouTube](https://www.youtube.com/watch?v=YBZjecfjeIk&list=PLdQIb0qr3pnBbG5ZG-0gr3zM86_s8Rpqv)                 |
--- a/docs/spec/consensus/fork-accountability.md
+++ b/docs/spec/consensus/fork-accountability.md
@@ -0,0 +1,319 @@
+# Fork accountability -- Problem statement and attacks
+
+## Problem Statement
+
+Tendermint consensus guarantees the following specifications for all heights:
+* agreement -- no two correct full nodes decide differently.
+* validity -- the decided block satisfies the predefined predicate *valid()*.
+* termination -- all correct full nodes eventually decide,
+
+if the
+faulty validators have at most 1/3 of voting power in the current validator set. In the case where this assumption
+does not hold, each of the specification may be violated.
+
+The agreement property says that for a given height, any two correct validators that decide on a block for that height decide on the same block. That the block was indeed generated by the blockchain, can be verified starting from a trusted (genesis) block, and checking that all subsequent blocks are properly signed.
+
+
+However, faulty nodes may forge blocks and try to convince users (lite clients) that the blocks had been correctly generated. In addition, Tendermint agreement might be violated in the case where more than 1/3 of the voting power belongs to faulty validators: Two correct validators decide on different blocks. The latter case motivates the term "fork": as Tendermint consensus also agrees on the next validator set, correct validators may have decided on disjoint next validator sets, and the chain branches into two or more partitions (possibly having faulty validators in common) and each branch continues to generate blocks independently of the other.
+
+We say that a fork is a case in which there are two commits for different blocks at the same height of the blockchain. The proplem is to ensure that in those cases we are able to detect faulty validators (and not mistakenly accuse correct validators), and incentivize therefore validators to behave according to the protocol specification.
+
+**Conceptual Limit.** In order to prove misbehavior of a node, we have to show that the behavior deviates from correct behavior with respect to a given algorithm. Thus, an algorithm that detects misbehavior of nodes executing some algorithm *A* must be defined with respect to algorithm *A*. In our case, *A* is Tendermint consensus (+ other protocols in the infrastructure; e.g.,full nodes and the Lite Client). If the consensus algorithm is changed/updated/optimized in the future, we have to check whether changes to the accountability algorithm are also required. All the discussions in this document are thus inherently specific to Tendermint consensus and the Lite Client specification.
+
+**Q:** Should we distinguish agreement for validators and full nodes for agreement? The case where all correct validators agree on a block, but a correct full node decides on a different block seems to be slightly less severe that the case where two correct validators decide on different blocks. Still, if a contaminated full node becomes validator that may be problematic later on. Also it is not clear how gossiping is impaired if a contaminated full node is on a different branch.
+
+*Remark.* In the case more than 1/3 of the voting power belongs to faulty validators, also validity and termination can be broken. Termination can be broken if faulty processes just do not send the messages that are needed to make progress. Due to asynchrony, this is not punishable, because faulty validators can always claim they never received the messages that would have forced them to send messages.
+
+
+## The Misbehavior of Faulty Validators
+
+Forks are the result of faulty validators deviating from the protocol. In principle several such deviations can be detected without a fork actually occurring:
+
+1. double proposal: A faulty proposer proposes two different values (blocks) for the same height and the same round in Tendermint consensus.
+
+2. double signing: Tendermint consensus forces correct validators to prevote and precommit for at most one value per round. In case a faulty validator sends multiple prevote and/or precommit messages for different values for the same height/round, this is a misbehavior.
+
+3. lunatic validator: Tendermint consensus forces correct validators to prevote and precommit only for values *v* that satisfy *valid(v)*. If faulty validators prevote and precommit for *v* although *valid(v)=false* this is misbehavior.
+
+*Remark.* In isolation, Point 3 is an attack on validity (rather than agreement). However, the prevotes and precommits can then also be used to forge blocks.
+
+1. amnesia: Tendermint consensus has a locking mechanism. If a validator has some value v locked, then it can only prevote/precommit for v or nil. Sending prevote/precomit message for a different value v' (that is not nil) while holding lock on value v is misbehavior.   
+
+2. spurious messages: In Tendermint consensus most of the message send instructions are guarded by threshold guards, e.g., one needs to receive *2f + 1* prevote messages to send precommit. Faulty validators may send precommit without having received the prevote messages.
+
+
+Independently of a fork happening, punishing this behavior might be important to prevent forks altogether. This should keep attackers from misbehaving: if at most 1/3 of the voting power is faulty, this misbehavior is detectable but will not lead to a safety violation. Thus, unless they have more than 1/3 (or in some cases more than 2/3) of the voting power attackers have the incentive to not misbehave. If attackers control too much voting power, we have to deal with forks, as discussed in this document.   
+
+
+## Two types of forks
+
+* Fork-Full. Two correct validators decide on different blocks for the same height. Since also the next validator sets are decided upon, the correct validators may be partitioned to participate in two distinct branches of the forked chain.
+
+As in this case we have two different blocks (both having the same right/no right to exist), a central system invariant (one block per height decided by correct validators) is violated. As full nodes are contaminated in this case, the contamination can spread also to lite clients. However, even without breaking this system invariant, lite clients can be subject to a fork:
+
+* Fork-Lite. All correct validators decide on the same block for height *h*, but faulty processes (validators or not), forge a different block for that height, in order to fool users (who use the lite client).
+
+
+# Attack scenarios
+
+## On-chain attacks
+
+### Equivocation (one round)
+
+There are several scenarios in which forks might happen. The first is double signing within a round.
+
+* F1. Equivocation: faulty validators sign multiple vote messages (prevote and/or precommit) for different values *during the same round r* at a given height h.
+
+
+### Flip-flopping
+
+Tendermint consensus implements a locking mechanism: If a correct validator *p* receives proposal for value v and *2f + 1* prevotes for a value *id(v)* in round *r*, it locks *v* and remembers *r*. In this case, *p* also sends a precommit message for *id(v)*, which later may serve as proof that *p* locked *v*.
+In subsequent rounds, *p* only sends prevote messages for a value it had previously locked. However, it is possible to change the locked value if in a future round *r' > r*, if the process receives proposal and *2f + 1* prevotes for a different value *v'*. In this case, *p* could send a prevote/precommit for *id(v')*. This algorithmic feature can be exploited in two ways:
+
+
+
+* F2. Faulty Flip-flopping (Amnesia): faulty validators precommit some value *id(v)* in round *r* (value *v* is locked in round *r*) and then prevote for different value *id(v')* in higher round *r' > r* without previously correctly unlocking value *v*. In this case faulty processes "forget" that they have locked value *v* and prevote some other value in the following rounds.
+Some correct validators might have decided on *v* in *r*, and other correct validators decide on *v'* in *r'*. Here we can have branching on the main chain (Fork-Full).
+
+
+* F3. Correct Flip-flopping (Back to the past): There are some precommit messages signed by (correct) validators for value *id(v)* in  round *r*. Still, *v* is not decided upon, and all processes move on to the next round. Then correct validators (correctly) lock and decide a different value *v'* in some round *r' > r*. And the correct validators continue; there is no branching on the main chain.
+However, faulty validators may use the correct precommit messages from round *r* together with a posteriori generated faulty precommit messages for round *r* to forge a block for a value that was not decided on the main chain (Fork-Lite).
+
+
+
+
+
+## Off-chain attacks
+
+F1-F3 may contaminate the state of full nodes (and even validators). Contaminated (but otherwise correct) full nodes may thus communicate faulty blocks to lite clients.
+Similarly, without actually interfering with the main chain, we can have the following:
+
+* F4. Phantom validators: faulty validators vote (sign prevote and precommit messages) in heights in which they are not part of the validator sets (at the main chain).
+
+* F5. Lunatic validator: faulty validator that sign vote messages to support (arbitrary) application state that is different from the application state that resulted from valid state transitions.
+
+## Types of victims
+
+We consider three types of potential attack victims:
+
+
+- FN: full node
+- LCS: lite client with sequential header verification
+- LCB: lite client with bisection based header verification
+
+F1 and F2 can be used by faulty validators to actually create multiple branches on the blockchain. That means that correctly operating full nodes decide on different blocks for the same height. Until a fork is detected locally by a full node (by receiving evidence from others or by some other local check that fails), the full node can spread corrupted blocks to lite clients.
+
+*Remark.* If full nodes take a branch different from the one taken by the validators, it may be that the liveness of the gossip protocol may be affected. We should eventually look at this more closely. However, as it does not influence safety it is not a primary concern.
+
+F3 is similar to F1, except that no two correct validators decide on different blocks. It may still be the case that full nodes become affected.
+
+In addition, without creating a fork on the main chain, lite clients can be contaminated by more than a third of validators that are faulty and sign a forged header
+F4 cannot fool correct full nodes as they know the current validator set. Similarly, LCS know who the validators are. Hence, F4 is an attack against LCB that do not necessarily know the complete prefix of headers (Fork-Lite), as they trust a header that is signed by at least one correct validator (trusting period method).
+
+
+
+
+
+
+The following table gives an overview of how the different attacks may affect different nodes. F1-F3 are *on-chain* attacks so they can corrupt the state of full nodes. Then if a lite client (LCS or LCB) contacts a full node to obtain headers (or blocks), the corrupted state may propagate to the lite client.  
+
+F4 and F5 are *off-chain*, that is, these attacks cannot be used to corrupt the state of full nodes (which have sufficient knowledge on the state of the chain to not be fooled). 
+
+
+| Attack |  FN | LCS | LCB |
+|:------:|:------:|:------:|:------:|
+| F1 |  direct  | FN |     FN |
+| F2 |   direct | FN |     FN |
+| F3 |  direct  | FN |     FN |
+| F4 |          |    | direct |
+| F5 |          |    | direct |
+
+
+
+**Q:** Lite clients are more vulnerable than full nodes, because the former do only verify headers but do not execute transactions. What kind of certainty is gained by a full node that executes a transaction?
+
+As a full node verifies all transactions, it can only be
+contaminated by an attack if the blockchain itself violates its invariant (one block per height), that is, in case of a fork that leads to branching.
+
+
+
+
+## Detailed Attack Scenarios
+
+### Equivocation based attacks
+
+In case of equivocation based attacks, faulty validators sign multiple votes (prevote and/or precommit) in the same
+round of some height. This attack can be executed on both full nodes and lite clients. It requires more than 1/3 of voting power to be executed.
+
+#### Scenario 1: Equivocation on the main chain
+
+Validators:
+* CA - a set of correct validators with less than 1/3 of the voting power
+* CB - a set of correct validators with less than 1/3 of the voting power
+* CA and CB are disjoint
+* F - a set of faulty validators with more than 1/3 voting power
+
+Observe that this setting violates the Tendermint failure model.
+
+Execution:
+
+* A faulty proposer proposes block A to CA
+* A faulty proposer proposes block B to CB
+* Validators from the set CA and CB prevote for A and B, respectively.
+* Faulty validators from the set F prevote both for A and B.
+* The faulty prevote messages
+  - for A arrive at CA long before the B messages
+  - for B arrive at CB long before the A messages
+* Therefore correct validators from set CA and CB will observe
+more than 2/3 of prevotes for A and B and precommit for A and B, respectively.
+* Faulty validators from the set F precommit both values A and B.
+* Thus, we have more than 2/3 commits for both A and B.
+
+Consequences:
+* Creating evidence of misbehavior is simple in this case as we have multiple messages signed by the same faulty processes for different values in the same round.
+
+* We have to ensure that these different messages reach a correct process (full node, monitor?), which can submit evidence.
+
+* This is an attack on the full node level (Fork-Full).
+* It extends also to the lite clients,
+* For both we need a detection and recovery mechanism.
+
+#### Scenario 2: Equivocation to a lite client (LCS)
+
+
+Validators:
+* a set F of faulty validators with more than 2/3 of the voting power.
+
+Execution:
+* for the main chain F behaves nicely
+* F coordinates to sign a block B that is different from the one on the main chain.
+* the lite clients obtains B and trusts at as it is signed by more and 2/3 of the voting power.
+
+Consequences:
+
+Once equivocation is used to attack lite client it opens space
+for different kind of attacks as application state can be diverged in any direction. For example, it can modify validator set such that it contains only validators that do not have any stake bonded. Note that after a lite client is fooled by a fork, that means that an attacker can change application state and validator set arbitrarily.
+
+In order to detect such (equivocation-based attack), the lite client would need to cross check its state with some correct validator (or to obtain a hash of the state from the main chain using out of band channels).
+
+*Remark.* The lite client would be able to create evidence of misbehavior, but this would require to pull potentially a lot of data from correct full nodes. Maybe we need to figure out different architecture where a lite client that is attacked will push all its data for the current unbonding period to a correct node that will inspect this data and submit corresponding evidence. There are also architectures that assumes a special role (sometimes called fisherman) whose goal is to collect as much as possible useful data from the network, to do analysis and create evidence transactions. That functionality is outside the scope of this document.
+
+*Remark.* The difference between LCS and LCB might only be in the amount of voting power needed to convince lite client about arbitrary state. In case of LCB where security threshold is at minimum, an attacker can arbitrarily modify application state with  more than 1/3 of voting power, while in case of LCS it requires more than 2/3 of the voting power.
+
+### Flip-flopping: Amnesia based attacks
+
+
+
+In case of amnesia, faulty validators lock some value *v* in some round *r*, and then vote for different value *v'* in higher rounds without correctly unlocking value *v*. This attack can be used both on full nodes and lite clients.
+
+#### Scenario 3: At most 2/3 of faults
+
+Validators:
+
+* a set F of faulty validators with more than 1/3 but at most 2/3 of the voting power
+* a set C of correct validators
+
+Execution:
+
+* Faulty validators commit (without exposing it on the main chain) a block A in round *r* by collecting more than 2/3 of the 
+  voting power (containing correct and faulty validators).
+* All validators (correct and faulty) reach a round *r' > r*.
+* Some correct validators in C do not lock any value before round *r'*.
+* The faulty validators in F deviate from Tendermint consensus by ignoring that they locked A in *r*, and propose a different block B in *r'*.
+* As the validators in C that have not locked any value find B acceptable, they accept the proposal for B and commit a block B.
+
+*Remark.* In this case, the more than 1/3 of faulty validators do not need to commit an equivocation (F1) as they only vote once per round in the execution.
+
+Detecting faulty validators in the case of such an attack can be done by the fork accountability mechanism described in: https://docs.google.com/document/d/11ZhMsCj3y7zIZz4udO9l25xqb0kl7gmWqNpGVRzOeyY/edit?usp=sharing.
+
+If a lite client is attacked using this attack with more than 1/3 of voting power (and less than 2/3), the attacker cannot change the application state arbitrarily. Rather, the attacker is limited to a state a correct validator finds acceptable: In the execution above, correct validators still find the value acceptable, however, the block the lite client trusts deviates from the one on the main chain.
+
+#### Scenario 4: More than 2/3 of faults
+
+In case there is an attack with more than 2/3 of the voting power, an attacker can arbitrarily change application state.
+
+Validators:
+
+* a set F1 of faulty validators with more than 1/3 of the voting power
+* a set F2 of faulty validators with at most 1/3 of the voting power
+
+Execution
+
+* Similar to Scenario 3 (however, messages by correct validators are not needed)
+* The faulty validators in F1 lock value A in round *r*
+* They sign a different value in follow-up rounds
+* F2 does not lock A in round *r*
+
+Consequences:
+
+* The validators in F1 will be detectable by the the fork accountability mechanisms.
+* The validators in F2 cannot be detected using this mechanism.
+Only in case they signed something which conflicts with the application this can be used against them. Otherwise they do not do anything incorrect.
+* This case is not covered by the report https://docs.google.com/document/d/11ZhMsCj3y7zIZz4udO9l25xqb0kl7gmWqNpGVRzOeyY/edit?usp=sharing as it only assumes at most 2/3 of faulty validators.
+
+**Q:** do we need to define a special kind of attack for the case where a validator sign arbitrarily state? It seems that detecting such attack requires different mechanism that would require as an evidence a sequence of blocks that lead to that state. This might be very tricky to implement.
+
+### Back to the past
+
+In this kind of attacks faulty validators take advantage of the fact that they did not sign messages in some of the past rounds. Due to the asynchronous network in which Tendermint operates, we cannot easily differentiate between such an attack and delayed message. This kind of attack can be used at both full nodes and lite clients.
+
+#### Scenario 5:
+
+Validators:
+* C1 -  a set of correct validators with 1/3 of the voting power
+* C2 - a set of correct validators with 1/3 of the voting power
+* C1 and C2 are disjoint
+* F - a set of faulty validators with 1/3 voting power
+* one additional faulty process *q*
+* F and *q* violate the Tendermint failure model.
+
+
+Execution:
+
+* in a round *r* of height *h* we have C1 precommitting a value A,
+* C2  precommits nil,
+* F does not send any message
+* *q* precommits nil.
+* In some round *r' > r*, F and *q* and C2 commit some other value B different from A.
+* F and *fp* "go back to the past" and sign precommit message for value A in round *r*.
+* Together with precomit messages of C1 this is sufficient for a commit for value A.
+
+
+Consequences:
+
+* Only a single faulty validator that previously precommited nil did equivocation, while the other 1/3 of faulty validators actually executed an attack that has exactly the same sequence of messages as part of amnesia attack. Detecting this kind of attack boil down to mechanisms for equivocation and amnesia.
+
+**Q:** should we keep this as a separate kind of attack? It seems that equivocation, amnesia and phantom validators are the only kind of attack we need to support and this gives us security also in other cases. This would not be surprising as equivocation and amnesia are attacks that followed from the protocol and phantom attack is not really an attack to Tendermint but more to the Proof of stake module.
+
+### Phantom validators
+
+In case of phantom validators, processes that are not part of the current validator set but are still bonded (as attack happen during their unbonding period) can be part of the attack by signing vote messages. This attack can be executed against both full nodes and lite clients.
+
+#### Scenario 6:
+
+Validators:
+* F -- a set of faulty validators that are not part of the validator set on the main chain at height *h + k*
+
+Execution:
+
+* There is a fork, and there exists two different headers for height *h + k*, with different validator sets:
+  - VS2 on the main chain
+  - forged header VS2', signed by F (and others)
+
+* a lite client has a trust in a header for height *h* (and the corresponding validator set VS1).
+* As part of bisection header verification, it verifies header at height *h + k* with new validator set VS2'.
+
+Consequences:
+
+* To detect this, a node needs to see both, the forged header and the canonical header from the chain.
+* If this is the case, detecting these kind of attacks is easy as it just requires verifying if processes are signing messages in heights in which they are not part of the validator set.  
+
+**Remark.** We can have phantom-validator-based attacks as a follow up of equivocation or amnesia based attack where forked state contains validators that are not part of the validator set at the main chain. In this case, they keep signing messages contributed to a forked chain (the wrong branch) although they are not part of the validator set on the main chain. This attack can also be used to attack full node during a period of time he is eclipsed.
+
+### Lunatic validator
+
+Lunatic validator agrees to sign commit messages for arbitrary application state. It is used to attack lite clients.
+Note that detecting this behavior require application knowledge. Detecting this behavior can probably be done by
+referring to the block before the one in which height happen.  
+
+**Q:** can we say that in this case a validator ignore to check if proposed value is valid before voting for it?
--- a/docs/spec/consensus/light-client.md
+++ b/docs/spec/consensus/light-client.md
@@ -1,329 +1,113 @@
-# Lite client
-
-A lite client is a process that connects to Tendermint full nodes and then tries to verify application data using the Merkle proofs.
-
-## Context of this document
-
-In order to make sure that full nodes have the incentive to follow the protocol, we have to address the following three Issues
-
-1) The lite client needs a method to verify headers it obtains from full nodes according to trust assumptions -- this document.
-
-2) The lite client must be able to connect to one correct full node to detect and report on failures in the trust assumptions (i.e., conflicting headers) -- a future document.
-
-3) In the event the trust assumption fails (i.e., a lite client is fooled by a conflicting header), the Tendermint fork accountability protocol must account for the evidence -- see #3840
-
-## Problem statement
-
-
-We assume that the lite client knows a (base) header *inithead* it trusts (by social consensus or because the lite client has decided to trust the header before). The goal is to check whether another header *newhead* can be trusted based on the data in *inithead*.
-
-The correctness of the protocol is based on the assumption that *inithead* was generated by an instance of Tendermint consensus. The term "trusting" above indicates that the correctness on the protocol depends on this assumption. It is in the responsibility of the user that runs the lite client to make sure that the risk of trusting a corrupted/forged *inithead* is negligible.
-
-
-## Definitions
-
-### Data structures
-
-In the following, only the details of the data structures needed for this specification are given.
-
-  * header fields
-    - *height*
-    - *bfttime*: the chain time when the header (block) was generated
-    - *V*: validator set containing validators for this block.
-    - *NextV*: validator set for next block.
-    - *commit*: evidence that block with height *height* - 1 was committed by a set of validators (canonical commit). We will use ```signers(commit)``` to refer to the set of validators that committed the block.
-
-  * signed header fields: contains a header and a  *commit* for the current header; a "seen commit". In the Tendermint consensus the "canonical commit" is stored in header *height* + 1.
-
-  * For each header *h* it has locally stored, the lite client stores whether
-    it trusts *h*. We write *trust(h) = true*, if this is the case.
-
-  * Validator fields. We will write a validator as a tuple *(v,p)* such that
-    + *v* is the identifier (we assume identifiers are unique in each validator set)
-    + *p* is its voting power
-
-
-### Functions
-
-For the purpose of this lite client specification, we assume that the Tendermint Full Node exposes the following function over Tendermint RPC:
-```go
-    func Commit(height int64) (SignedHeader, error)
-      // returns signed header: header (with the fields from
-      // above) with Commit that include signatures of
-      // validators that signed the header
-
-
-    type SignedHeader struct {
-      Header        Header
-      Commit        Commit
-    }
-```
-
-### Definitions
-
-* *tp*: trusting period   
-* for realtime *t*, the predicate *correct(v,t)* is true if the validator *v*
-  follows the protocol until time *t* (we will see about recovery later).
-
-
-
-
-### Tendermint Failure Model
-
-If a block *h* is generated at time *bfttime* (and this time is stored in the block), then a set of validators that hold more than 2/3 of the voting power in h.Header.NextV is correct until time h.Header.bfttime + tp.
-
-Formally,
-\[
-\sum_{(v,p) \in h.Header.NextV \wedge correct(v,h.Header.bfttime + tp)} p >
-2/3 \sum_{(v,p) \in h.Header.NextV} p
-\]
-
-*Assumption*: "correct" is defined w.r.t. realtime (some Newtonian global notion of time, i.e., wall time), while *bfttime* corresponds to the reading of the local clock of a validator (how this time is computed may change when the Tendermint consensus is modified). In this note, we assume that all clocks are synchronized to realtime. We can make this more precise eventually (incorporating clock drift, accuracy, precision, etc.). Right now, we consider this assumption sufficient, as clock synchronization (under NTP) is in the order of milliseconds and *tp* is in the order of weeks.  
-
-*Remark*: This failure model might change to a hybrid version that takes heights into account in the future.
-
-The specification in this document considers an implementation of the lite client under this assumption. Issues like *counter-factual signing* and *fork accountability* and *evidence submission* are mechanisms that justify this assumption by incentivizing validators to follow the protocol.
-If they don't, and we have more that 1/3 faults, safety may be violated. Our approach then is to *detect* these cases (after the fact), and take suitable repair actions (automatic and social). This is discussed in an upcoming document on "Fork accountability". (These safety violations include the lite client wrongly trusting a header, a fork in the blockchain, etc.)
-
-
-## Lite Client Trusting Spec
-
-The lite client communicates with a full node and learns new headers. The goal is to locally decide whether to trust a header. Our implementation needs to ensure the following two properties:
-
- Lite Client Completeness: If header *h* was correctly generated by an instance of Tendermint consensus (and its age is less than the trusting period), then the lite client should eventually set *trust(h)* to true.
-
- Lite Client Accuracy:  If header *h* was *not generated* by an instance of Tendermint consensus, then the lite client should never set *trust(h)* to true.
-
-*Remark*: If in the course of the computation, the lite client obtains certainty that some headers were forged by adversaries (that is were not generated by an instance of Tendermint consensus), it may submit (a subset of) the headers it has seen as evidence of misbehavior.
-
-*Remark*: In Completeness we use "eventually", while in practice *trust(h)* should be set to true before *h.Header.bfttime + tp*. If not, the block cannot be trusted because it is too old.
-
-*Remark*: If a header *h* is marked with *trust(h)*, but it is too old (its bfttime is more than *tp* ago), then the lite client should set *trust(h)* to false again.
-
-*Assumption*: Initially, the lite client has a header *inithead* that it trusts correctly, that is, *inithead* was correctly generated by the Tendermint consensus.
-
-To reason about the correctness, we may prove the following invariant.
-
-*Verification Condition: Lite Client Invariant.*
- For each lite client *l* and each header *h*:
-if *l* has set *trust(h) = true*,
-  then validators that are correct until time *h.Header.bfttime + tp* have more than two thirds of the voting power in *h.Header.NextV*.
-
-  Formally,
-  \[
-  \sum_{(v,p) \in h.Header.NextV \wedge correct(v,h.Header.bfttime + tp)} p >
-  2/3 \sum_{(v,p) \in h.Header.NextV} p
-  \]
-
-*Remark.* To prove the invariant, we will have to prove that the lite client only trusts headers that were correctly generated by Tendermint consensus, then the formula above follows from the Tendermint failure model.
-
-
-## High Level Solution
-
-Upon initialization, the lite client is given a header *inithead* it trusts (by
-social consensus). It is assumed that *inithead* satisfies the lite client invariant. (If *inithead* has been correctly generated by Tendermint consensus, the invariant follows from the Tendermint Failure Model.)
-
-When a lite clients sees a signed new header *snh*, it has to decide whether to trust the new
-header. Trust can be obtained by (possibly) the combination of three methods.
-
-1. **Uninterrupted sequence of proof.** If a block is appended to the chain, where the last block
-is trusted (and properly committed by the old validator set in the next block),
-and the new block contains a new validator set, the new block is trusted if the lite client knows all headers in the prefix.
-Intuitively, a trusted validator set is assumed to only chose a new validator set that will obey the Tendermint Failure Model.
-
-2. **Trusting period.** Based on a trusted block *h*, and the lite client
-invariant, which ensures the fault assumption during the trusting period, we can check whether at least one  validator, that has been continuously correct from *h.Header.bfttime* until now, has signed *snh*.
-If this is the case, similarly to above, the chosen validator set in *snh* does not violate the Tendermint Failure Model.
-
-3. **Bisection.** If a check according to the trusting period fails, the lite client can try to obtain a header *hp* whose height lies between *h* and *snh* in order to check whether *h* can be used to get trust for *hp*, and *hp* can be used to get trust for *snh*. If this is the case we can trust *snh*; if not, we may continue recursively.
-
-## How to use it
-
-We consider the following use case:
- the lite client wants to verify a header for some given height *k*. Thus:
-  - it requests the signed header for height *k* from a full node
-  - it tries to verify this header with the methods described here.
-
-This can be used in several settings:
-  - someone tells the lite client that application data that is relevant for it can be read in the block of height *k*.
-  - the lite clients wants the latest state. It asks a full nude for the current height, and uses the response for *k*.
-
-
-## Details
-
-*Assumptions*
-
-1. *tp < unbonding period*.
-2. *snh.Header.bfttime < now*
-3. *snh.Header.bfttime < h.Header.bfttime+tp*
-4. *trust(h)=true*
-
-
-**Observation 1.** If *h.Header.bfttime + tp > now*, we trust the old
-validator set *h.Header.NextV*.
-
-When we say we trust *h.Header.NextV* we do *not* trust that each individual validator in *h.Header.NextV* is correct, but we only trust the fact that at most 1/3 of them are faulty (more precisely, the faulty ones have at most 1/3 of the total voting power).
-
-
-
-### Functions
-
-The function *Bisection* checks whether to trust header *h2* based on the trusted header *h1*. It does so by calling
-the function *CheckSupport* in the process of
-bisection/recursion. *CheckSupport* implements the trusted period method and, for two adjacent headers (in term of heights), it checks uninterrupted sequence of proof.
-
-*Assumption*: In the following, we assume that *h2.Header.height > h1.Header.height*. We will quickly discuss the other case in the next section.
-
-We consider the following set-up:
- the lite client communicates with one full node
- the lite client locally stores all the signed headers it obtained (trusted or not). In the pseudo code below we write *Store(header)* for this.
- If *Bisection* returns *false*, then the lite client has seen a  forged header.
-  * However, it does not know which header(s) is/are the problematic one(s).
-  * In this case, the lite client can submit (some of) the headers it has seen as evidence. As the lite client communicates with one full node only when executing Bisection, there are two cases
-    - the full node is faulty
-    - the full node is correct and there was a fork in Tendermint consensus. Header *h1* is from a different branch than the one taken by the full node. This case is not focus of this document, but will be treated in the document on fork accountability.
-
- the lite client must retry to retrieve correct headers from another full node
-  * it picks a new full node
-  * it restarts *Bisection*
-  * there might be optimizations; a lite client may not need to call *Commit(k)*, for a height *k* for which it already has a signed header it trusts.
-  * how to make sure that a lite client can communicate with a correct full node will be the focus of a separate document (recall Issue 3 from "Context of this document").
-
-**Auxiliary Functions.** We will use the  function ```votingpower_in(V1,V2)``` to compute the voting power the validators in set V1 have according to their voting power in set V2;
-we will write ```totalVotingPower(V)``` for ```votingpower_in(V,V)```, which returns the total voting power in V.
-We further use the function ```signers(Commit)``` that returns the set of validators that signed the Commit.
-
-**CheckSupport.** The following function checks whether we can trust the header h2 based on header h1 following the trusting period method.
-
-```go
-  func CheckSupport(h1,h2,trustlevel) bool {
-    if h1.Header.bfttime + tp < now { // Observation 1
-      return false // old header was once trusted but it is expired
-    }  
-    vp_all := totalVotingPower(h1.Header.NextV)
-      // total sum of voting power of validators in h2
-
-    if h2.Header.height == h1.Header.height + 1 {
-      // specific check for adjacent headers; everything must be
-      // properly signed.
-      // also check that h2.Header.V == h1.Header.NextV
-      // Plus the following check that 2/3 of the voting power
-      // in h1 signed h2
-      return (votingpower_in(signers(h2.Commit),h1.Header.NextV) >
-              2/3 * vp_all)
-        // signing validators are more than two third in h1.
-    }
-
-    return (votingpower_in(signers(h2.Commit),h1.Header.NextV) >
-            max(1/3,trustlevel) * vp_all)
-      // get validators in h1 that signed h2
-      // sum of voting powers in h1 of
-      // validators that signed h2
-      // is more than a third in h1
-  }
-```
-
-  *Remark*: Basic header verification must be done for *h2*. Similar checks are done in:  
-  https://github.com/tendermint/tendermint/blob/master/types/validator_set.go#L591-L633
-
-  *Remark*: There are some sanity checks which are not in the code:
-  *h2.Header.height > h1.Header.height* and *h2.Header.bfttime > h1.Header.bfttime* and *h2.Header.bfttime < now*.
-
-  *Remark*: ```return (votingpower_in(signers(h2.Commit),h1.Header.NextV) > max(1/3,trustlevel) * vp_all)``` may return false even if *h2* was properly generated by Tendermint consensus in the case of big changes in the validator sets. However, the check ```return (votingpower_in(signers(h2.Commit),h1.Header.NextV) >
-          2/3 * vp_all)``` must return true if *h1* and *h2* were generated by Tendermint consensus.
-
-*Remark*: The 1/3 check differs from a previously proposed method that was based on intersecting validator sets and checking that the new validator set contains "enough" correct validators. We found that the old check is not suited for realistic changes in the validator sets. The new method is not only based on cardinalities, but also exploits that we can trust what is signed by a correct validator (i.e., signed by more than 1/3 of the voting power).
-
-*Correctness arguments*
-
-Towards Lite Client Accuracy:
- Assume by contradiction that *h2* was not generated correctly and the lite client sets trust to true because *CheckSupport* returns true.
- h1 is trusted and sufficiently new
- by Tendermint Fault Model, less than 1/3 of voting power held by faulty validators => at least one correct validator *v* has signed *h2*.
- as *v* is correct up to now, it followed the Tendermint consensus protocol at least up to signing *h2* => *h2* was correctly generated, we arrive at the required contradiction.
-
-
-Towards Lite Client Completeness:
- The check is successful if sufficiently many validators of *h1* are still validators in *h2* and signed *h2*.
- If *h2.Header.height = h1.Header.height + 1*, and both headers were generated correctly, the test passes
-
-*Verification Condition:* We may need a Tendermint invariant stating that if *h2.Header.height = h1.Header.height + 1* then *signers(h2.Commit) \subseteq h1.Header.NextV*.
-
-*Remark*: The variable *trustlevel* can be used if the user believes that relying on one correct validator is not sufficient. However, in case of (frequent) changes in the validator set, the higher the *trustlevel* is chosen, the more unlikely it becomes that CheckSupport returns true for non-adjacent headers.
-
-**Bisection.** The following function uses CheckSupport in a recursion to find intermediate headers that allow to establish a sequence of trust.
-
-
-
-
-```go
-func Bisection(h1,h2,trustlevel) bool{
-  if CheckSupport(h1,h2,trustlevel) {
-    return true
-  }
-  if h2.Header.height == h1.Header.height + 1 {
-    // we have adjacent headers that are not matching (failed
-    // the CheckSupport)
-    // we could submit evidence here
-    return false
-  }
-  pivot := (h1.Header.height + h2.Header.height) / 2
-  hp := Commit(pivot)
-    // ask a full node for header of height pivot
-  Store(hp)  
-    // store header hp locally
-  if Bisection(h1,hp,trustlevel) {
-    // only check right branch if hp is trusted
-    // (otherwise a lot of unnecessary computation may be done)
-    return Bisection(hp,h2,trustlevel)
-  }
-  else {
-    return false
-  }
+# Light Client
+
+A light client is a process that connects to the Tendermint Full Node(s) and then tries to verify the Merkle proofs
+about the blockchain application. In this document we describe mechanisms that ensures that the Tendermint light client
+has the same level of security as Full Node processes (without being itself a Full Node).
+
+To be able to validate a Merkle proof, a light client needs to validate the blockchain header that contains the root app hash.
+Validating a blockchain header in Tendermint consists in verifying that the header is committed (signed) by >2/3 of the
+voting power of the corresponding validator set. As the validator set is a dynamic set (it is changing), one of the
+core functionality of the light client is updating the current validator set, that is then used to verify the
+blockchain header, and further the corresponding Merkle proofs.
+
+For the purpose of this light client specification, we assume that the Tendermint Full Node exposes the following functions over
+Tendermint RPC:
+
+```golang
+Header(height int64) (SignedHeader, error) // returns signed header for the given height
+Validators(height int64) (ResultValidators, error) // returns validator set for the given height
+LastHeader(valSetNumber int64) (SignedHeader, error)   // returns last header signed by the validator set with the given validator set number
+
+type SignedHeader struct {
+    Header        Header
+    Commit        Commit
+    ValSetNumber  int64
 }
-```  

-
-
-
-*Correctness arguments (sketch)*
-
-Lite Client Accuracy:
- Assume by contradiction that *h2* was not generated correctly and the lite client sets trust to true because Bisection returns true.
- Bisection returns true only if all calls to CheckSupport in the recursion return true.
- Thus we have a sequence of headers that all satisfied the CheckSupport
- again a contradiction
-
-Lite Client Completeness:
-
-This is only ensured if upon *Commit(pivot)* the lite client is always provided with a correctly generated header.
-
-*Stalling*
-
-With Bisection, a faulty full node could stall a lite client by creating a long sequence of headers that are queried one-by-one by the lite client and look OK, before the lite client eventually detects a problem. There are several ways to address this:
-* Each call to ```Commit``` could be issued to a different full node
-* Instead of querying header by header, the lite client tells a full node which header it trusts, and the height of the header it needs. The full node responds with the header along with a proof consisting of intermediate headers that the light client can use to verify. Roughly, Bisection would then be executed at the full node.
-* We may set a timeout how long bisection may take.
-
-
-### The case *h2.Header.height < h1.Header.height*
-
-In the use case where someone tells the lite client that application data that is relevant for it can be read in the block of height *k* and the lite client trusts a more recent header, we can use the hashes to verify headers "down the chain." That is, we iterate down the heights and check the hashes in each step.
-
-*Remark.* For the case were the lite client trusts two headers *i* and *j* with *i < k < j*, we should discuss/experiment whether the forward or the backward method is more effective.
-
-```go
-func Backwards(h1,h2) bool {
-  assert (h2.Header.height < h1.Header.height)
-  old := h1
-  for i := h1.Header.height - 1; i > h2.Header.height; i-- {
-    new := Commit(i)
-    Store(new)
-    if (hash(new) != old.Header.hash) {
-      return false
-    }
-    old := new
-  }
-  return (hash(h2) == old.Header.hash)
- }
+type ResultValidators struct {
+    BlockHeight   int64
+    Validators    []Validator
+    // time the current validator set is initialised, i.e, time of the last validator change before header BlockHeight
+    ValSetTime    int64
+}
 ```
+
+We assume that Tendermint keeps track of the validator set changes and that each time a validator set is changed it is
+being assigned the next sequence number. We can call this number the validator set sequence number. Tendermint also remembers
+the Time from the header when the next validator set is initialised (starts to be in power), and we refer to this time
+as validator set init time.
+Furthermore, we assume that each validator set change is signed (committed) by the current validator set. More precisely,
+given a block `H` that contains transactions that are modifying the current validator set, the Merkle root hash of the next
+validator set (modified based on transactions from block H) will be in block `H+1` (and signed by the current validator
+set), and then starting from the block `H+2`, it will be signed by the next validator set.
+
+Note that the real Tendermint RPC API is slightly different (for example, response messages contain more data and function
+names are slightly different); we shortened (and modified) it for the purpose of this document to make the spec more
+clear and simple. Furthermore, note that in case of the third function, the returned header has `ValSetNumber` equals to
+`valSetNumber+1`.
+
+Locally, light client manages the following state:
+
+```golang
+valSet        []Validator    // current validator set (last known and verified validator set)
+valSetNumber  int64          // sequence number of the current validator set
+valSetHash    []byte         // hash of the current validator set
+valSetTime    int64          // time when the current validator set is initialised
+```
+
+The light client is initialised with the trusted validator set, for example based on the known validator set hash,
+validator set sequence number and the validator set init time.
+The core of the light client logic is captured by the VerifyAndUpdate function that is used to 1) verify if the given header is valid,
+and 2) update the validator set (when the given header is valid and it is more recent than the seen headers).
+
+```golang
+VerifyAndUpdate(signedHeader SignedHeader):
+  assertThat signedHeader.valSetNumber >= valSetNumber
+  if isValid(signedHeader) and signedHeader.Header.Time <= valSetTime + UNBONDING_PERIOD then
+    setValidatorSet(signedHeader)
+    return true
+  else
+    updateValidatorSet(signedHeader.ValSetNumber)
+    return VerifyAndUpdate(signedHeader)
+
+isValid(signedHeader SignedHeader):
+  valSetOfTheHeader = Validators(signedHeader.Header.Height)
+  assertThat Hash(valSetOfTheHeader) == signedHeader.Header.ValSetHash
+  assertThat signedHeader is passing basic validation
+  if votingPower(signedHeader.Commit) > 2/3 * votingPower(valSetOfTheHeader) then return true
+  else
+    return false
+
+setValidatorSet(signedHeader SignedHeader):
+  nextValSet = Validators(signedHeader.Header.Height)
+  assertThat Hash(nextValSet) == signedHeader.Header.ValidatorsHash
+  valSet = nextValSet.Validators
+  valSetHash = signedHeader.Header.ValidatorsHash
+  valSetNumber = signedHeader.ValSetNumber
+  valSetTime = nextValSet.ValSetTime
+
+votingPower(commit Commit):
+  votingPower = 0
+  for each precommit in commit.Precommits do:
+    if precommit.ValidatorAddress is in valSet and signature of the precommit verifies then
+      votingPower += valSet[precommit.ValidatorAddress].VotingPower
+  return votingPower
+
+votingPower(validatorSet []Validator):
+  for each validator in validatorSet do:
+    votingPower += validator.VotingPower
+  return votingPower
+
+updateValidatorSet(valSetNumberOfTheHeader):
+  while valSetNumber != valSetNumberOfTheHeader do
+    signedHeader = LastHeader(valSetNumber)
+    if isValid(signedHeader) then
+      setValidatorSet(signedHeader)
+    else return error
+  return
+```
+
+Note that in the logic above we assume that the light client will always go upward with respect to header verifications,
+i.e., that it will always be used to verify more recent headers. In case a light client needs to be used to verify older
+headers (go backward) the same mechanisms and similar logic can be used. In case a call to the FullNode or subsequent
+checks fail, a light client need to implement some recovery strategy, for example connecting to other FullNode.
--- a/docs/spec/rpc/swagger.yaml
+++ b/docs/spec/rpc/swagger.yaml
@@ -1,6 +1,6 @@
 swagger: "2.0"
 info:
-  version: "Master"
+  version: "0.32.1"
  title: RPC client for Tendermint
  description: A REST interface for state queries, transaction generation and broadcasting.
  license:
@@ -37,12 +37,12 @@ paths:
        If you haven't received anything after a couple of blocks, resend it. If the
        same happens again, send it to some other node. A few reasons why it could
        happen:
-
+        
        1. malicious node can drop or pretend it had committed your tx
        2. malicious proposer (not necessary the one you're communicating with) can
        drop transactions, which might become valid in the future
        (https://github.com/tendermint/tendermint/issues/3322)
-
+        

        Please refer to
        https://tendermint.com/docs/tendermint-core/using-tendermint.html#formatting
@@ -60,11 +60,11 @@ paths:
        200:
          description: empty answer
          schema:
-            $ref: "#/definitions/BroadcastTxResponse"
+            $ref: '#/definitions/BroadcastTxResponse'
        500:
          description: empty error
          schema:
-            $ref: "#/definitions/ErrorResponse"
+            $ref: '#/definitions/ErrorResponse'
  /broadcast_tx_async:
    get:
      summary: Returns right away, with no response. Does not wait for CheckTx nor DeliverTx results.
@@ -101,11 +101,11 @@ paths:
        200:
          description: empty answer
          schema:
-            $ref: "#/definitions/BroadcastTxResponse"
+            $ref: '#/definitions/BroadcastTxResponse'
        500:
          description: empty error
          schema:
-            $ref: "#/definitions/ErrorResponse"
+            $ref: '#/definitions/ErrorResponse'
  /broadcast_tx_commit:
    get:
      summary: Returns with the responses from CheckTx and DeliverTx.
@@ -140,11 +140,11 @@ paths:
        200:
          description: empty answer
          schema:
-            $ref: "#/definitions/BroadcastTxCommitResponse"
+            $ref: '#/definitions/BroadcastTxCommitResponse'
        500:
          description: empty error
          schema:
-            $ref: "#/definitions/ErrorResponse"
+            $ref: '#/definitions/ErrorResponse'
  /subscribe:
    get:
      summary: Subscribe for events via WebSocket.
@@ -285,11 +285,11 @@ paths:
        200:
          description: empty answer
          schema:
-            $ref: "#/definitions/EmptyResponse"
+            $ref: '#/definitions/EmptyResponse'
        500:
          description: empty error
          schema:
-            $ref: "#/definitions/ErrorResponse"
+            $ref: '#/definitions/ErrorResponse'
  /unsubscribe:
    get:
      summary: Unsubscribe from event on Websocket
@@ -297,19 +297,19 @@ paths:
        - Websocket
      operationId: unsubscribe
      description: |
-        ```go
-        client := client.NewHTTP("tcp:0.0.0.0:26657", "/websocket")
-        err := client.Start()
-        if err != nil {
-           handle error
-        }
-        defer client.Stop()
-        query := "tm.event = 'Tx' AND tx.height = 3"
-        err = client.Unsubscribe(context.Background(), "test-client", query)
-        if err != nil {
-           handle error
-        }
-        ```
+         ```go
+         client := client.NewHTTP("tcp:0.0.0.0:26657", "/websocket")
+         err := client.Start()
+         if err != nil {
+            handle error
+         }
+         defer client.Stop()
+         query := "tm.event = 'Tx' AND tx.height = 3"
+         err = client.Unsubscribe(context.Background(), "test-client", query)
+         if err != nil {
+            handle error
+         }
+         ```
      parameters:
        - in: query
          name: query
@@ -328,11 +328,11 @@ paths:
        200:
          description: empty answer
          schema:
-            $ref: "#/definitions/EmptyResponse"
+            $ref: '#/definitions/EmptyResponse'
        500:
          description: empty error
          schema:
-            $ref: "#/definitions/ErrorResponse"
+            $ref: '#/definitions/ErrorResponse'
  /unsubscribe_all:
    get:
      summary: Unsubscribe from all events via WebSocket
@@ -347,11 +347,11 @@ paths:
        200:
          description: empty answer
          schema:
-            $ref: "#/definitions/EmptyResponse"
+            $ref: '#/definitions/EmptyResponse'
        500:
          description: empty error
          schema:
-            $ref: "#/definitions/ErrorResponse"
+            $ref: '#/definitions/ErrorResponse'
  /health:
    get:
      summary: Node heartbeat
@@ -366,11 +366,11 @@ paths:
        200:
          description: empty answer
          schema:
-            $ref: "#/definitions/EmptyResponse"
+            $ref: '#/definitions/EmptyResponse'
        500:
          description: empty error
          schema:
-            $ref: "#/definitions/ErrorResponse"
+            $ref: '#/definitions/ErrorResponse'
  /status:
    get:
      summary: Node Status
@@ -385,11 +385,11 @@ paths:
        200:
          description: Status of the node
          schema:
-            $ref: "#/definitions/StatusResponse"
+            $ref: '#/definitions/StatusResponse'
        500:
          description: empty error
          schema:
-            $ref: "#/definitions/ErrorResponse"
+            $ref: '#/definitions/ErrorResponse'
  /net_info:
    get:
      summary: Network informations
@@ -404,11 +404,11 @@ paths:
        200:
          description: empty answer
          schema:
-            $ref: "#/definitions/NetInfoResponse"
+            $ref: '#/definitions/NetInfoResponse'
        500:
          description: empty error
          schema:
-            $ref: "#/definitions/ErrorResponse"
+            $ref: '#/definitions/ErrorResponse'
  /blockchain:
    get:
      summary: Get block headers for minHeight <= height <= maxHeight.
@@ -434,11 +434,11 @@ paths:
        200:
          description: Block headers, returned in descending order (highest first).
          schema:
-            $ref: "#/definitions/BlockchainResponse"
+            $ref: '#/definitions/BlockchainResponse'
        500:
          description: Error
          schema:
-            $ref: "#/definitions/ErrorResponse"
+            $ref: '#/definitions/ErrorResponse'
  /block:
    get:
      summary: Get block at a specified height
@@ -460,11 +460,11 @@ paths:
        200:
          description: Block informations.
          schema:
-            $ref: "#/definitions/BlockResponse"
+            $ref: '#/definitions/BlockResponse'
        500:
          description: Error
          schema:
-            $ref: "#/definitions/ErrorResponse"
+            $ref: '#/definitions/ErrorResponse'
  /block_results:
    get:
      summary: Get block results at a specified height
@@ -486,11 +486,11 @@ paths:
        200:
          description: Block results.
          schema:
-            $ref: "#/definitions/BlockResultsResponse"
+            $ref: '#/definitions/BlockResultsResponse'
        500:
          description: Error
          schema:
-            $ref: "#/definitions/ErrorResponse"
+            $ref: '#/definitions/ErrorResponse'
  /commit:
    get:
      summary: Get commit results at a specified height
@@ -512,11 +512,11 @@ paths:
        200:
          description: Commit results.
          schema:
-            $ref: "#/definitions/CommitResponse"
+            $ref: '#/definitions/CommitResponse'
        500:
          description: Error
          schema:
-            $ref: "#/definitions/ErrorResponse"
+            $ref: '#/definitions/ErrorResponse'
  /validators:
    get:
      summary: Get validator set at a specified height
@@ -538,11 +538,11 @@ paths:
        200:
          description: Commit results.
          schema:
-            $ref: "#/definitions/ValidatorsResponse"
+            $ref: '#/definitions/ValidatorsResponse'
        500:
          description: Error
          schema:
-            $ref: "#/definitions/ErrorResponse"
+            $ref: '#/definitions/ErrorResponse'
  /genesis:
    get:
      summary: Get Genesis
@@ -557,11 +557,11 @@ paths:
        200:
          description: Genesis results.
          schema:
-            $ref: "#/definitions/GenesisResponse"
+            $ref: '#/definitions/GenesisResponse'
        500:
          description: Error
          schema:
-            $ref: "#/definitions/ErrorResponse"
+            $ref: '#/definitions/ErrorResponse'
  /dump_consensus_state:
    get:
      summary: Get consensus state
@@ -576,11 +576,11 @@ paths:
        200:
          description: consensus state results.
          schema:
-            $ref: "#/definitions/DumpConsensusResponse"
+            $ref: '#/definitions/DumpConsensusResponse'
        500:
          description: Error
          schema:
-            $ref: "#/definitions/ErrorResponse"
+            $ref: '#/definitions/ErrorResponse'
  /consensus_state:
    get:
      summary: Get consensus state
@@ -595,11 +595,11 @@ paths:
        200:
          description: consensus state results.
          schema:
-            $ref: "#/definitions/ConsensusStateResponse"
+            $ref: '#/definitions/ConsensusStateResponse'
        500:
          description: Error
          schema:
-            $ref: "#/definitions/ErrorResponse"
+            $ref: '#/definitions/ErrorResponse'
  /consensus_params:
    get:
      summary: Get consensus parameters
@@ -621,11 +621,11 @@ paths:
        200:
          description: consensus parameters results.
          schema:
-            $ref: "#/definitions/ConsensusParamsResponse"
+            $ref: '#/definitions/ConsensusParamsResponse'
        500:
          description: Error
          schema:
-            $ref: "#/definitions/ErrorResponse"
+            $ref: '#/definitions/ErrorResponse'
  /unconfirmed_txs:
    get:
      summary: Get the list of unconfirmed transactions
@@ -646,11 +646,11 @@ paths:
        200:
          description: List of unconfirmed transactions
          schema:
-            $ref: "#/definitions/UnconfirmedTransactionsResponse"
+            $ref: '#/definitions/UnconfirmedTransactionsResponse'
        500:
          description: Error
          schema:
-            $ref: "#/definitions/ErrorResponse"
+            $ref: '#/definitions/ErrorResponse'
  /num_unconfirmed_txs:
    get:
      summary: Get data about unconfirmed transactions
@@ -665,11 +665,11 @@ paths:
        200:
          description: status about unconfirmed transactions
          schema:
-            $ref: "#/definitions/NumUnconfirmedTransactionsResponse"
+            $ref: '#/definitions/NumUnconfirmedTransactionsResponse'
        500:
          description: Error
          schema:
-            $ref: "#/definitions/ErrorResponse"
+            $ref: '#/definitions/ErrorResponse'
  /tx_search:
    get:
      summary: Search for transactions
@@ -712,11 +712,11 @@ paths:
        200:
          description: List of unconfirmed transactions
          schema:
-            $ref: "#/definitions/TxSearchResponse"
+            $ref: '#/definitions/TxSearchResponse'
        500:
          description: Error
          schema:
-            $ref: "#/definitions/ErrorResponse"
+            $ref: '#/definitions/ErrorResponse'
  /tx:
    get:
      summary: Get transactions by hash
@@ -745,11 +745,11 @@ paths:
        200:
          description: Get a transaction
          schema:
-            $ref: "#/definitions/TxResponse"
+            $ref: '#/definitions/TxResponse'
        500:
          description: Error
          schema:
-            $ref: "#/definitions/ErrorResponse"
+            $ref: '#/definitions/ErrorResponse'
  /abci_info:
    get:
      summary: Get some info about the application.
@@ -764,11 +764,11 @@ paths:
        200:
          description: Get some info about the application.
          schema:
-            $ref: "#/definitions/ABCIInfoResponse"
+            $ref: '#/definitions/ABCIInfoResponse'
        500:
          description: Error
          schema:
-            $ref: "#/definitions/ErrorResponse"
+            $ref: '#/definitions/ErrorResponse'
  /abci_query:
    get:
      summary: Query the application for some information.
@@ -810,11 +810,11 @@ paths:
        200:
          description: Response of the submitted query
          schema:
-            $ref: "#/definitions/ABCIQueryResponse"
+            $ref: '#/definitions/ABCIQueryResponse'
        500:
          description: Error
          schema:
-            $ref: "#/definitions/ErrorResponse"
+            $ref: '#/definitions/ErrorResponse'

  /broadcast_evidence:
    get:
@@ -837,11 +837,12 @@ paths:
        200:
          description: Broadcast evidence of the misbehavior.
          schema:
-            $ref: "#/definitions/BroadcastEvidenceResponse"
+            $ref: '#/definitions/BroadcastEvidenceResponse'
        500:
          description: Error
          schema:
-            $ref: "#/definitions/ErrorResponse"
+            $ref: '#/definitions/ErrorResponse'
+

 definitions:
  JSONRPC:
@@ -856,7 +857,7 @@ definitions:
  EmptyResponse:
    description: Empty Response
    allOf:
-      - $ref: "#/definitions/JSONRPC"
+      - $ref: '#/definitions/JSONRPC'
      - type: object
        properties:
          result:
@@ -865,7 +866,7 @@ definitions:
  ErrorResponse:
    description: Error Response
    allOf:
-      - $ref: "#/definitions/JSONRPC"
+      - $ref: '#/definitions/JSONRPC'
      - type: object
        properties:
          error:
@@ -896,7 +897,7 @@ definitions:
    type: object
    properties:
      protocol_version:
-        $ref: "#/definitions/ProtocolVersion"
+        $ref: '#/definitions/ProtocolVersion'
      id:
        type: string
        x-example: "5576458aef205977e18fd50b274e9b5d9014525a"
@@ -950,7 +951,7 @@ definitions:
        type: string
        x-example: "5D6A51A8E9899C44079C6AF90618BA0369070E6E"
      pub_key:
-        $ref: "#/definitions/PubKey"
+        $ref: '#/definitions/PubKey'
      voting_power:
        type: string
        x-example: "0"
@@ -959,19 +960,19 @@ definitions:
    type: object
    properties:
      node_info:
-        $ref: "#/definitions/NodeInfo"
+        $ref: '#/definitions/NodeInfo'
      sync_info:
-        $ref: "#/definitions/SyncInfo"
+        $ref: '#/definitions/SyncInfo'
      validator_info:
-        $ref: "#/definitions/ValidatorInfo"
+        $ref: '#/definitions/ValidatorInfo'
  StatusResponse:
    description: Status Response
    allOf:
-      - $ref: "#/definitions/JSONRPC"
+      - $ref: '#/definitions/JSONRPC'
      - type: object
        properties:
          result:
-            $ref: "#/definitions/Status"
+            $ref: '#/definitions/Status'
  Monitor:
    type: object
    properties:
@@ -1039,23 +1040,23 @@ definitions:
        type: string
        x-example: "168901057956119"
      SendMonitor:
-        $ref: "#/definitions/Monitor"
+        $ref: '#/definitions/Monitor'
      RecvMonitor:
-        $ref: "#/definitions/Monitor"
+        $ref: '#/definitions/Monitor'
      Channels:
        type: array
        items:
-          $ref: "#/definitions/Channel"
+          $ref: '#/definitions/Channel'
  Peer:
    type: object
    properties:
      node_info:
-        $ref: "#/definitions/NodeInfo"
+        $ref: '#/definitions/NodeInfo'
      is_outbound:
        type: boolean
        x-example: true
      connection_status:
-        $ref: "#/definitions/ConnectionStatus"
+        $ref: '#/definitions/ConnectionStatus'
      remote_ip:
        type: string
        x-example: "95.179.155.35"
@@ -1076,15 +1077,15 @@ definitions:
      peers:
        type: array
        items:
-          $ref: "#/definitions/Peer"
+          $ref: '#/definitions/Peer'
  NetInfoResponse:
    description: NetInfo Response
    allOf:
-      - $ref: "#/definitions/JSONRPC"
+      - $ref: '#/definitions/JSONRPC'
      - type: object
        properties:
          result:
-            $ref: "#/definitions/NetInfo"
+            $ref: '#/definitions/NetInfo'
  BlockID:
    required:
      - "hash"
@@ -1153,7 +1154,7 @@ definitions:
        type: string
        x-example: "3"
      last_block_id:
-        $ref: "#/definitions/BlockID"
+        $ref: '#/definitions/BlockID'
      last_commit_hash:
        type: string
        x-example: "21B9BC845AD2CB2C4193CDD17BFC506F1EBE5A7402E84AD96E64171287A34812"
@@ -1207,9 +1208,9 @@ definitions:
    type: object
    properties:
      block_id:
-        $ref: "#/definitions/BlockMetaId"
+        $ref: '#/definitions/BlockMetaId'
      header:
-        $ref: "#/definitions/BlockMetaHeader"
+        $ref: '#/definitions/BlockMetaHeader'
  Blockchain:
    type: object
    required:
@@ -1222,15 +1223,15 @@ definitions:
      block_metas:
        type: "array"
        items:
-          $ref: "#/definitions/BlockMeta"
+          $ref: '#/definitions/BlockMeta'
  BlockchainResponse:
-    description: Blockchain info
+    description:  Blockchain info
    allOf:
-      - $ref: "#/definitions/JSONRPC"
+      - $ref: '#/definitions/JSONRPC'
      - type: object
        properties:
          result:
-            $ref: "#/definitions/Blockchain"
+            $ref: '#/definitions/Blockchain'
  Commit:
    required:
      - "type"
@@ -1252,7 +1253,7 @@ definitions:
        type: string
        x-example: "0"
      block_id:
-        $ref: "#/definitions/BlockID"
+        $ref: '#/definitions/BlockID'
      timestamp:
        type: string
        x-example: "2019-08-01T11:39:38.867269833Z"
@@ -1269,30 +1270,30 @@ definitions:
    type: object
    properties:
      header:
-        $ref: "#/definitions/BlockMetaHeader"
+        $ref: '#/definitions/BlockMetaHeader'
      data:
        type: array
        items:
          type: string
-          x-example: "yQHwYl3uCkKoo2GaChRnd+THLQ2RM87nEZrE19910Z28ABIUWW/t8AtIMwcyU0sT32RcMDI9GF0aEAoFdWF0b20SBzEwMDAwMDASEwoNCgV1YXRvbRIEMzEwMRCd8gEaagom61rphyEDoJPxlcjRoNDtZ9xMdvs+lRzFaHe2dl2P5R2yVCWrsHISQKkqX5H1zXAIJuC57yw0Yb03Fwy75VRip0ZBtLiYsUqkOsPUoQZAhDNP+6LY+RUwz/nVzedkF0S29NZ32QXdGv0="
+          x-example: 'yQHwYl3uCkKoo2GaChRnd+THLQ2RM87nEZrE19910Z28ABIUWW/t8AtIMwcyU0sT32RcMDI9GF0aEAoFdWF0b20SBzEwMDAwMDASEwoNCgV1YXRvbRIEMzEwMRCd8gEaagom61rphyEDoJPxlcjRoNDtZ9xMdvs+lRzFaHe2dl2P5R2yVCWrsHISQKkqX5H1zXAIJuC57yw0Yb03Fwy75VRip0ZBtLiYsUqkOsPUoQZAhDNP+6LY+RUwz/nVzedkF0S29NZ32QXdGv0='
      evidence:
        type: array
        items:
-          $ref: "#/definitions/Evidence"
+          $ref: '#/definitions/Evidence'
      last_commit:
        type: object
        properties:
          block_id:
-            $ref: "#/definitions/BlockID"
+            $ref: '#/definitions/BlockID'
          precommits:
            type: array
            items:
-              $ref: "#/definitions/Commit"
+              $ref: '#/definitions/Commit'
  Validator:
    type: object
    properties:
      pub_key:
-        $ref: "#/definitions/PubKey"
+        $ref: '#/definitions/PubKey'
      voting_power:
        type: number
      address:
@@ -1309,31 +1310,31 @@ definitions:
      total_voting_power:
        type: number
      validator:
-        $ref: "#/definitions/Validator"
+        $ref:  '#/definitions/Validator'
  BlockComplete:
    type: object
    properties:
      block_meta:
-        $ref: "#/definitions/BlockMeta"
+        $ref: '#/definitions/BlockMeta'
      block:
-        $ref: "#/definitions/Block"
+        $ref: '#/definitions/Block'
  BlockResponse:
-    description: Blockc info
+    description:  Blockc info
    allOf:
-      - $ref: "#/definitions/JSONRPC"
+      - $ref: '#/definitions/JSONRPC'
      - type: object
        properties:
          result:
-            $ref: "#/definitions/BlockComplete"
+            $ref: '#/definitions/BlockComplete'
  Tag:
    type: object
    properties:
      key:
        type: string
-        example: "YWN0aW9u"
+        example: 'YWN0aW9u'
      value:
        type: string
-        example: "c2VuZA=="
+        example: 'c2VuZA=='
  ################## FROM NOW ON NEEDS REFACTOR ##################
  BlockResultsResponse:
    type: "object"
@@ -1370,7 +1371,7 @@ definitions:
                  properties:
                    log:
                      type: "string"
-                      example: '[{"msg_index":"0","success":true,"log":""}]'
+                      example: "[{\"msg_index\":\"0\",\"success\":true,\"log\":\"\"}]"
                    gasWanted:
                      type: "string"
                      example: "25629"
@@ -2230,7 +2231,7 @@ definitions:
                type: "object"
            type: "object"
        type: "object"
-  NumUnconfirmedTransactionsResponse:
+  UnconfirmedTransactionsResponse:
    type: object
    required:
      - "jsonrpc"
@@ -2248,6 +2249,7 @@ definitions:
          - "n_txs"
          - "total"
          - "total_bytes"
+#          - "txs"
        properties:
          n_txs:
            type: "string"
@@ -2258,16 +2260,16 @@ definitions:
          total_bytes:
            type: "string"
            example: "19974"
-        #          txs:
-        #            type: "array"
-        #            x-nullable: true
-        #            items:
-        #              type: "string"
-        #              x-nullable: true
-        #            example:
-        #              - "gAPwYl3uCjCMTXENChSMnIkb5ZpYHBKIZqecFEV2tuZr7xIUA75/FmYq9WymsOBJ0XSJ8yV8zmQKMIxNcQ0KFIyciRvlmlgcEohmp5wURXa25mvvEhQbrvwbvlNiT+Yjr86G+YQNx7kRVgowjE1xDQoUjJyJG+WaWBwSiGannBRFdrbma+8SFK2m+1oxgILuQLO55n8mWfnbIzyPCjCMTXENChSMnIkb5ZpYHBKIZqecFEV2tuZr7xIUQNGfkmhTNMis4j+dyMDIWXdIPiYKMIxNcQ0KFIyciRvlmlgcEohmp5wURXa25mvvEhS8sL0D0wwgGCItQwVowak5YB38KRIUCg4KBXVhdG9tEgUxMDA1NBDoxRgaagom61rphyECn8x7emhhKdRCB2io7aS/6Cpuq5NbVqbODmqOT3jWw6kSQKUresk+d+Gw0BhjiggTsu8+1voW+VlDCQ1GRYnMaFOHXhyFv7BCLhFWxLxHSAYT8a5XqoMayosZf9mANKdXArA="
+#          txs:
+#            type: "array"
+#            x-nullable: true
+#            items:
+#              type: "string"
+#              x-nullable: true
+#            example:
+#              - "gAPwYl3uCjCMTXENChSMnIkb5ZpYHBKIZqecFEV2tuZr7xIUA75/FmYq9WymsOBJ0XSJ8yV8zmQKMIxNcQ0KFIyciRvlmlgcEohmp5wURXa25mvvEhQbrvwbvlNiT+Yjr86G+YQNx7kRVgowjE1xDQoUjJyJG+WaWBwSiGannBRFdrbma+8SFK2m+1oxgILuQLO55n8mWfnbIzyPCjCMTXENChSMnIkb5ZpYHBKIZqecFEV2tuZr7xIUQNGfkmhTNMis4j+dyMDIWXdIPiYKMIxNcQ0KFIyciRvlmlgcEohmp5wURXa25mvvEhS8sL0D0wwgGCItQwVowak5YB38KRIUCg4KBXVhdG9tEgUxMDA1NBDoxRgaagom61rphyECn8x7emhhKdRCB2io7aS/6Cpuq5NbVqbODmqOT3jWw6kSQKUresk+d+Gw0BhjiggTsu8+1voW+VlDCQ1GRYnMaFOHXhyFv7BCLhFWxLxHSAYT8a5XqoMayosZf9mANKdXArA="
        type: "object"
-  UnconfirmedTransactionsResponse:
+  NumUnconfirmedTransactionsResponse:
    type: object
    required:
      - "jsonrpc"
@@ -2303,6 +2305,7 @@ definitions:
              type: string
              x-nullable: true
            example:
+              - null
              - "gAPwYl3uCjCMTXENChSMnIkb5ZpYHBKIZqecFEV2tuZr7xIUA75/FmYq9WymsOBJ0XSJ8yV8zmQKMIxNcQ0KFIyciRvlmlgcEohmp5wURXa25mvvEhQbrvwbvlNiT+Yjr86G+YQNx7kRVgowjE1xDQoUjJyJG+WaWBwSiGannBRFdrbma+8SFK2m+1oxgILuQLO55n8mWfnbIzyPCjCMTXENChSMnIkb5ZpYHBKIZqecFEV2tuZr7xIUQNGfkmhTNMis4j+dyMDIWXdIPiYKMIxNcQ0KFIyciRvlmlgcEohmp5wURXa25mvvEhS8sL0D0wwgGCItQwVowak5YB38KRIUCg4KBXVhdG9tEgUxMDA1NBDoxRgaagom61rphyECn8x7emhhKdRCB2io7aS/6Cpuq5NbVqbODmqOT3jWw6kSQKUresk+d+Gw0BhjiggTsu8+1voW+VlDCQ1GRYnMaFOHXhyFv7BCLhFWxLxHSAYT8a5XqoMayosZf9mANKdXArA="
        type: "object"
  TxSearchResponse:
@@ -2346,7 +2349,7 @@ definitions:
                  properties:
                    log:
                      type: "string"
-                      example: '[{"msg_index":"0","success":true,"log":""}]'
+                      example: "[{\"msg_index\":\"0\",\"success\":true,\"log\":\"\"}]"
                    gasWanted:
                      type: "string"
                      example: "200000"
@@ -2447,7 +2450,7 @@ definitions:
            properties:
              log:
                type: "string"
-                example: '[{"msg_index":"0","success":true,"log":""}]'
+                example: "[{\"msg_index\":\"0\",\"success\":true,\"log\":\"\"}]"
              gasWanted:
                type: "string"
                example: "200000"
@@ -2494,7 +2497,7 @@ definitions:
            properties:
              data:
                type: "string"
-                example: '{"size":0}'
+                example: "{\"size\":0}"
              version:
                type: string
                example: "0.16.1"
--- a/rpc/core/mempool.go
+++ b/rpc/core/mempool.go
@@ -346,7 +346,7 @@ func UnconfirmedTxs(ctx *rpctypes.Context, limit int) (*ctypes.ResultUnconfirmed
 // client := client.NewHTTP("tcp://0.0.0.0:26657", "/websocket")
 // err := client.Start()
 // if err != nil {
-// // handle error
+//   // handle error
 // }
 // defer client.Stop()
 // result, err := client.UnconfirmedTxs()
@@ -361,8 +361,8 @@ func UnconfirmedTxs(ctx *rpctypes.Context, limit int) (*ctypes.ResultUnconfirmed
 //   "result" : {
 //     "n_txs" : "0",
 //     "total_bytes" : "0",
-//     "total" : "0"
 //     "txs" : null,
+//     "total" : "0"
 //   }
 // }
 // ```
--- a/scripts/Makefile
+++ b/scripts/Makefile
@@ -1,88 +0,0 @@
-###
-# Find OS and Go environment
-# GO contains the Go binary
-# FS contains the OS file separator
-###
-ifeq ($(OS),Windows_NT)
-  GO := $(shell where go.exe 2> NUL)
-  FS := "\\"
-else
-  GO := $(shell command -v go 2> /dev/null)
-  FS := "/"
-endif
-
-ifeq ($(GO),)
-  $(error could not find go. Is it in PATH? $(GO))
-endif
-
-GOPATH ?= $(shell $(GO) env GOPATH)
-GITHUBDIR := $(GOPATH)$(FS)src$(FS)github.com
-GOLANGCI_LINT_VERSION := v1.17.1
-GOLANGCI_LINT_HASHSUM := f5fa647a12f658924d9f7d6b9628d505ab118e8e049e43272de6526053ebe08d
-
-###
-# Functions
-###
-
-go_get = $(if $(findstring Windows_NT,$(OS)),\
-IF NOT EXIST $(GITHUBDIR)$(FS)$(1)$(FS) ( mkdir $(GITHUBDIR)$(FS)$(1) ) else (cd .) &\
-IF NOT EXIST $(GITHUBDIR)$(FS)$(1)$(FS)$(2)$(FS) ( cd $(GITHUBDIR)$(FS)$(1) && git clone https://github.com/$(1)/$(2) ) else (cd .) &\
-,\
-mkdir -p $(GITHUBDIR)$(FS)$(1) &&\
-(test ! -d $(GITHUBDIR)$(FS)$(1)$(FS)$(2) && cd $(GITHUBDIR)$(FS)$(1) && git clone https://github.com/$(1)/$(2)) || true &&\
-)\
-cd $(GITHUBDIR)$(FS)$(1)$(FS)$(2) && git fetch origin && git checkout -q $(3)
-
-mkfile_path := $(abspath $(lastword $(MAKEFILE_LIST)))
-mkfile_dir := $(shell cd $(shell dirname $(mkfile_path)); pwd)
-
-###
-# tools
-###
-
-TOOLS_DESTDIR  ?= $(GOPATH)/bin
-
-GOLANGCI_LINT = $(TOOLS_DESTDIR)/golangci-lint
-GOIMPORTS     = $(TOOLS_DESTDIR)/goimports
-CERTSTRAP     = $(TOOLS_DESTDIR)/certstrap
-PROTOBUF     	= $(TOOLS_DESTDIR)/protoc
-GOX						= $(TOOLS_DESTDIR)/gox
-
-all: get_tools
-
-get_tools: golangci-lint goimports certstrap protobuf gox 
-
-golangci-lint: $(GOLANGCI_LINT)
-$(GOLANGCI_LINT): $(mkfile_dir)/install-golangci-lint.sh
-	bash $(mkfile_dir)/install-golangci-lint.sh $(TOOLS_DESTDIR) $(GOLANGCI_LINT_VERSION) $(GOLANGCI_LINT_HASHSUM)
-
-goimports: $(GOIMPORTS)
-$(GOIMPORTS):
-	@echo "Get goimports@v0.0.0-20190628034336-212fb13d595e"
-	@go get golang.org/x/tools/cmd/goimports@v0.0.0-20190628034336-212fb13d595e
-
-certstrap: $(CERTSTRAP)
-$(CERTSTRAP):
-	@echo "Get Certstrap"
-	@go get github.com/square/certstrap@338204a88c4349b1c135eac1e8c14c693ad007da
-
-protobuf: $(PROTOBUF)
-$(PROTOBUF):
-	@echo "Get Protobuf"
-	## protobuf v1.3.0
-	@go get github.com/gogo/protobuf/protoc-gen-gogo@0ca988a254f991240804bf9821f3450d87ccbb1b
-
-gox: $(GOX)
-$(GOX):
-	@echo "Get Gox"
-# used to build tm-monitor & tm-bench binaries
-	## gox v1.0.1
-	@go get github.com/mitchellh/gox@d8caaff5a9dc98f4cfa1fcce6e7265a04689f641
-
-
-
-tools-clean:
-	rm -f $(CERTSTRAP) $(GOIMPORTS) $(GOLANGCI_LINT) $(PROTOBUF) $(GOX)
-	rm -f tools-stamp
-
-.PHONY: all get_tools tools-clean
--- a/scripts/get_nodejs.sh
+++ b/scripts/get_nodejs.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash

-VERSION=v12.9.0
+VERSION=v11.15.0
 NODE_FULL=node-${VERSION}-linux-x64

 mkdir -p ~/.local/bin
@@ -10,5 +10,5 @@ tar -xzf ~/.local/node/${NODE_FULL}.tar.gz -C ~/.local/node/
 ln -s ~/.local/node/${NODE_FULL}/bin/node ~/.local/bin/node
 ln -s ~/.local/node/${NODE_FULL}/bin/npm ~/.local/bin/npm
 export PATH=~/.local/bin:$PATH
-npm i -g dredd
+npm i -g dredd@11.0.1
 ln -s ~/.local/node/${NODE_FULL}/bin/dredd ~/.local/bin/dredd
--- a/scripts/install-golangci-lint.sh
+++ b/scripts/install-golangci-lint.sh
@@ -1,27 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-f_sha256() {
-  local l_file
-  l_file=$1
-  python -sBc "import hashlib;print(hashlib.sha256(open('$l_file','rb').read()).hexdigest())"
-}
-
-installer="$(mktemp)"
-trap "rm -f ${installer}" EXIT
-
-GOBIN="${1}"
-VERSION="${2}"
-HASHSUM="${3}"
-CURL="$(which curl)"
-
-echo "Downloading golangci-lint ${VERSION} installer ..." >&2
-"${CURL}" -sfL "https://raw.githubusercontent.com/golangci/golangci-lint/${VERSION}/install.sh" > "${installer}"
-
-echo "Checking hashsum ..." >&2
-[ "${HASHSUM}" = "$(f_sha256 ${installer})" ]
-chmod +x "${installer}"
-
-echo "Launching installer ..." >&2
-exec "${installer}" -d -b "${GOBIN}" "${VERSION}"
--- a/version/version.go
+++ b/version/version.go
@@ -20,7 +20,7 @@ const (
 	// Must be a string because scripts like dist.sh read this file.
 	// XXX: Don't change the name of this variable or you will break
 	// automation :)
-	TMCoreSemVer = "0.32.3"
+	TMCoreSemVer = "0.32.2"

 	// ABCISemVer is the semantic version of the ABCI library
 	ABCISemVer  = "0.16.1"
Author	SHA1	Message	Date
Zarko Milosevic	dd1bed70f1	Add few clarifications	2019-09-02 15:00:19 +02:00
Anton Kaliaev	16c0d2b471	Merge branch 'master' into zm_fork-accountability	2019-08-26 15:17:03 +04:00
Josef Widder	5c9d54b90e	table discussion	2019-08-26 09:30:33 +02:00
Josef Widder	159849ff95	more misbehavior	2019-08-26 09:05:34 +02:00
Josef Widder	3e870ca584	misbehave	2019-08-23 17:02:19 +02:00
Josef Widder	c9526d6051	misbehavior	2019-08-23 16:56:06 +02:00
Josef Widder	736fd2fa9c	added question on conflicting proposals	2019-08-21 11:30:35 +02:00
Josef Widder	2b09b7b1a0	consensus properties explained	2019-08-20 10:04:22 +02:00
josef-widder	dd7264b9a6	Update docs/spec/consensus/fork-accountability.md Co-Authored-By: Anca Zamfir <ancazamfir@users.noreply.github.com>	2019-08-14 15:57:39 +02:00
josef-widder	9bd6dad4f0	Update docs/spec/consensus/fork-accountability.md Co-Authored-By: Anca Zamfir <ancazamfir@users.noreply.github.com>	2019-08-14 15:57:17 +02:00
josef-widder	3486f10a00	Update docs/spec/consensus/fork-accountability.md Co-Authored-By: Anca Zamfir <ancazamfir@users.noreply.github.com>	2019-08-14 15:56:56 +02:00
josef-widder	ed1b060701	Update docs/spec/consensus/fork-accountability.md Co-Authored-By: Anca Zamfir <ancazamfir@users.noreply.github.com>	2019-08-14 15:56:36 +02:00
josef-widder	57d16a8b1f	Update docs/spec/consensus/fork-accountability.md Co-Authored-By: Anca Zamfir <ancazamfir@users.noreply.github.com>	2019-08-14 15:56:13 +02:00
josef-widder	e157367fbf	Update docs/spec/consensus/fork-accountability.md Co-Authored-By: Anca Zamfir <ancazamfir@users.noreply.github.com>	2019-08-14 15:55:24 +02:00
josef-widder	097e7fd31a	Update docs/spec/consensus/fork-accountability.md Co-Authored-By: Anca Zamfir <ancazamfir@users.noreply.github.com>	2019-08-14 15:54:33 +02:00
josef-widder	4ba817f82b	Update docs/spec/consensus/fork-accountability.md Co-Authored-By: Anca Zamfir <ancazamfir@users.noreply.github.com>	2019-08-14 15:53:54 +02:00
josef-widder	4c5134086e	Update docs/spec/consensus/fork-accountability.md Co-Authored-By: Anton Kaliaev <anton.kalyaev@gmail.com>	2019-08-14 15:53:16 +02:00
Josef Widder	95ba65283c	Merge branch 'zm_fork-accountability' of github.com:tendermint/tendermint into zm_fork-accountability	2019-08-09 10:55:45 +02:00
Josef Widder	4a9ba10398	added more structure to the attack scenarios	2019-08-09 10:54:26 +02:00
Marko	b169475534	Merge branch 'master' into zm_fork-accountability	2019-07-29 14:25:42 +02:00
Zarko Milosevic	231e0a75a5	Add more details about varios attack cases	2019-07-26 13:46:39 +03:00
Zarko Milosevic	c4f3ef9430	Add fork scenarios	2019-07-25 12:57:14 +03:00