From 0f01c678dbede08e1b8c8f744d1e707b477cc37d Mon Sep 17 00:00:00 2001
From: Aditya <adityasripal@gmail.com>
Date: Tue, 6 Jul 2021 16:48:41 +0200
Subject: [PATCH] Sentinel Root Fix (#234)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fix sentinel value

* add godoc and test

* fix grammar

* add changelog

Co-authored-by: colin axnér <25233464+colin-axner@users.noreply.github.com>
---
 CHANGELOG.md                                               | 1 +
 .../light-clients/07-tendermint/types/consensus_state.go   | 3 +++
 .../07-tendermint/types/consensus_state_test.go            | 7 +++++++
 modules/light-clients/07-tendermint/types/upgrade.go       | 4 ++--
 4 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e62693b8d37..c66ceb499a6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -43,6 +43,7 @@ Ref: https://keepachangelog.com/en/1.0.0/
 
 ### Bug Fixes
 
+* (07-tendermint) [\#234](https://github.com/cosmos/ibc-go/pull/234) Use sentinel value for the consensus state root set during a client upgrade. This prevents genesis validation from failing.
 * (modules) [\#223](https://github.com/cosmos/ibc-go/pull/223) Use correct Prometheus format for metric labels.
 * (06-solomachine) [\#214](https://github.com/cosmos/ibc-go/pull/214) Disable defensive timestamp check in SendPacket for solo machine clients.
 * (07-tendermint) [\#210](https://github.com/cosmos/ibc-go/pull/210) Export all consensus metadata on genesis restarts for tendermint clients.
diff --git a/modules/light-clients/07-tendermint/types/consensus_state.go b/modules/light-clients/07-tendermint/types/consensus_state.go
index c4a92fed967..046d73ce84d 100644
--- a/modules/light-clients/07-tendermint/types/consensus_state.go
+++ b/modules/light-clients/07-tendermint/types/consensus_state.go
@@ -12,6 +12,9 @@ import (
 	"github.com/cosmos/ibc-go/modules/core/exported"
 )
 
+// SentinelRoot is used as a stand-in root value for the consensus state set at the upgrade height
+const SentinelRoot = "sentinel_root"
+
 // NewConsensusState creates a new ConsensusState instance.
 func NewConsensusState(
 	timestamp time.Time, root commitmenttypes.MerkleRoot, nextValsHash tmbytes.HexBytes,
diff --git a/modules/light-clients/07-tendermint/types/consensus_state_test.go b/modules/light-clients/07-tendermint/types/consensus_state_test.go
index 2664071d2b3..b4964ef4060 100644
--- a/modules/light-clients/07-tendermint/types/consensus_state_test.go
+++ b/modules/light-clients/07-tendermint/types/consensus_state_test.go
@@ -21,6 +21,13 @@ func (suite *TendermintTestSuite) TestConsensusStateValidateBasic() {
 				NextValidatorsHash: suite.valsHash,
 			},
 			true},
+		{"success with sentinel",
+			&types.ConsensusState{
+				Timestamp:          suite.now,
+				Root:               commitmenttypes.NewMerkleRoot([]byte(types.SentinelRoot)),
+				NextValidatorsHash: suite.valsHash,
+			},
+			true},
 		{"root is nil",
 			&types.ConsensusState{
 				Timestamp:          suite.now,
diff --git a/modules/light-clients/07-tendermint/types/upgrade.go b/modules/light-clients/07-tendermint/types/upgrade.go
index a4dead6f4fe..d3801d67882 100644
--- a/modules/light-clients/07-tendermint/types/upgrade.go
+++ b/modules/light-clients/07-tendermint/types/upgrade.go
@@ -108,14 +108,14 @@ func (cs ClientState) VerifyUpgradeAndUpdateState(
 	}
 
 	// The new consensus state is merely used as a trusted kernel against which headers on the new
-	// chain can be verified. The root is empty as it cannot be known in advance, thus no proof verification will pass.
+	// chain can be verified. The root is just a stand-in sentinel value as it cannot be known in advance, thus no proof verification will pass.
 	// The timestamp and the NextValidatorsHash of the consensus state is the blocktime and NextValidatorsHash
 	// of the last block committed by the old chain. This will allow the first block of the new chain to be verified against
 	// the last validators of the old chain so long as it is submitted within the TrustingPeriod of this client.
 	// NOTE: We do not set processed time for this consensus state since this consensus state should not be used for packet verification
 	// as the root is empty. The next consensus state submitted using update will be usable for packet-verification.
 	newConsState := NewConsensusState(
-		tmUpgradeConsState.Timestamp, commitmenttypes.MerkleRoot{}, tmUpgradeConsState.NextValidatorsHash,
+		tmUpgradeConsState.Timestamp, commitmenttypes.NewMerkleRoot([]byte(SentinelRoot)), tmUpgradeConsState.NextValidatorsHash,
 	)
 
 	// set metadata for this consensus state