diff --git a/docs/spec/ibc/images/CleanUp.png b/docs/spec/ibc/images/CleanUp.png
new file mode 100644
index 0000000000..b9b5a1d348
Binary files /dev/null and b/docs/spec/ibc/images/CleanUp.png differ
diff --git a/docs/spec/ibc/optimizations.md b/docs/spec/ibc/optimizations.md
index 5724554963..a6e45d3589 100644
--- a/docs/spec/ibc/optimizations.md
+++ b/docs/spec/ibc/optimizations.md
@@ -12,175 +12,47 @@ One solution to this is to include a timeout in the IBC message itself. When se
For a sending chain _A_ and a receiving chain _B_, with _k=(_, _, i)_ for _A:qB.send_ or _B:qA.receipt_ we currently have the following guarantees:
-_A:Mk,v,h = _
+_A:Mk,v,h =_ ∅ _if message i was not sent before height h_
-
>>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
+_A:Mk,v,h =_ ∅ _if message i was sent and receipt received before height h (and the receipts for all messages j < i were also handled)_
-_if message i was not sent before height h_
+_A:Mk,v,h _ ≠ ∅ _otherwise (message result is not yet processed)_
-_A:Mk,v,h = _
+_B:Mk,v,h =_ ∅ _if message i was not received before height h_
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
+_B:Mk,v,h _ ≠ ∅ _if message i was received before height h (and all messages j < i were received)_
-_if message i was sent and receipt received before height h _
-
-
- _(and the receipts for all messages j < i were also handled)_
-
-_A:Mk,v,h _
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_otherwise (message result is not yet processed)_
-
-_B:Mk,v,h = _
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_if message i was not received before height h_
-
-_B:Mk,v,h _
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_if message i was received before height h_
-
-_ (and all messages j < i were received)_
-
-Based on these guarantees, we can make a few modifications of the above protocol to allow us to prove timeouts, by adding some fields to the messages in the send queue, and defining an expired function that returns true iff _h > maxHeight_ or _timestamp(Hh ) > maxTime._
+Based on these guarantees, we can make a few modifications of the above protocol to allow us to prove timeouts, by adding some fields to the messages in the send queue, and defining an expired function that returns true iff _h > maxHeight_ or _timestamp(Hh ) > maxTime_.
_Vsend = (maxHeight, maxTime, type, data)_
-_expired(Hh ,Vsend ) _
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_[true/false]_
+_expired(Hh ,Vsend )_ ⇒ _[true/false]_
We then update message handling in _IBCreceive_, so it doesn't even call the handler function if the timeout was reached, but rather directly writes and error in the receipt queue:
_IBCreceive:_
-
-_ …._
-
-_ expired(latestHeader, v) _
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_push(qS.receipt , (None, TimeoutError));_
-
-_ v = (_, _, type, data) _
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_(result, err) :=ftype(data); push(qS.receipt , (result, err)); _
+ * ….
+ * _expired(latestHeader, v)_ ⇒ _push(qS.receipt , (None, TimeoutError)),_
+ * _v = (\_, \_, type, data)_ ⇒ _(result, err) := ftype(data); push(qS.receipt , (result, err));_
and add a new _IBCtimeout_ function to accept tail proofs to demonstrate that the message was not processed at some given header on the recipient chain. This allows the sender chain to assert timeouts locally.
-_S:IBCtimeout(A, Mk,v,h) _
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_ match_
-
-_qA.send =_
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_Error("unregistered sender"), _
-
-_ k = (_, send, _) _
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_Error("must be a receipt"),_
-
-_ k = (d, _, _) and d _
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_S_
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_Error("sent to a different chain"),_
-
-_ Hh _
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_TA _
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_Error("must submit header for height h"),_
-
-_ not valid(Hh ,Mk,v,h ) _
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_Error("invalid merkle proof"),_
-
-_ k = (S, receipt, tail)_
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_match_
-
-
- _tail _
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_head(qS.send )_
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_Error("receipt exists, no timeout proof")_
-
-
- _not expired(peek(qS.send )) _
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_Error("message timeout not yet reached")_
-
-
- _default _
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_(_, _, type, data) := pop(qS.send ); rollbacktype(data); Success_
-
-
- _default _
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_Error("must be a tail proof")_
+_S:IBCtimeout(A, Mk,v,h)_ ⇒ _match_
+ * _qA.send =_ ∅ ⇒ _Error("unregistered sender"),_
+ * _k = (\_, send, \_)_ ⇒ _Error("must be a receipt"),_
+ * _k = (d, \_, \_) and d_ ≠ _S_ ⇒ _Error("sent to a different chain"),_
+ * _Hh_ ∉ _TA_ ⇒ _Error("must submit header for height h"),_
+ * _not valid(Hh , Mk,v,h )_ ⇒ _Error("invalid merkle proof"),_
+ * _k = (S, receipt, tail)_ ⇒ _match_
+ * _tail_ ≥ _head(qS.send )_ ⇒ _Error("receipt exists, no timeout proof")_
+ * _not expired(peek(qS.send ))_ ⇒ _Error("message timeout not yet reached")_
+ * _default_ ⇒ _(\_, \_, type, data) := pop(qS.send ); rollbacktype(data); Success_
+ * _default_ ⇒ _Error("must be a tail proof")_
which processes timeouts in order, and adds one more condition to the queues:
-_A:Mk,v,h = _
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_if message i was sent and timeout proven before height h_
-
-
- _(and the receipts for all messages j < i were also handled)_
+_A:Mk,v,h =_ ∅ _if message i was sent and timeout proven before height h (and the receipts for all messages j < i were also handled)_
Now chain A can rollback all transactions that were blocked by this flood of unrelayed messages, without waiting for chain B to process them and return a receipt. Adding reasonable time outs to all packets allows us to gracefully handle any errors with the IBC relay processes, or a flood of unrelayed "spam" IBC packets. If a blockchain requires a timeout on all messages, and imposes some reasonable upper limit (or just assigns it automatically), we can guarantee that if message _i_ is not processed by the upper limit of the timeout period, then all previous messages must also have either been processed or reached the timeout period.
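Review bot: the nested match in the new IBCtimeout block loses its structure. The three arms under `* _k = (S, receipt, tail)_ ⇒ _match_` (`tail ≥ head(qS.send)`, `not expired(peek(qS.send))`, and the `default` that pops and rolls back) are written at the same ` * ` level as the outer arms, so the rendered list shows two sibling `default` cases and a reader cannot tell which one yields `Success` and which yields `Error("must be a tail proof")`; indent those three lines one level deeper. Separately, `_A:Mk,v,h _ ≠ ∅` and `_B:Mk,v,h _ ≠ ∅` put a space before the closing underscore, which Markdown does not treat as a closing delimiter, so the italic never closes and the underscores render literally; write them as `_A:Mk,v,h_ ≠ ∅` to match the `_A:Mk,v,h =_ ∅` lines in the same list. The subscript spacing is also mixed (`_Hh_ ∉ _TA_` versus `valid(Hh , Mk,v,h )`); one convention throughout would help.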
@@ -192,118 +64,30 @@ While we clean up the _send queue_ upon getting a receipt, if left to run indefi
The observant reader may also notice, that when we perform the timeout on the sending chain, we do not update the _receipt queue_ on the receiving chain, and now it is blocked waiting for a message _i_, which **no longer exists** on the sending chain. We can update the guarantees of the receipt queue as follows to allow us to handle both:
-_B:Mk,v,h = _
+_B:Mk,v,h =_ ∅ _if message i was not received before height h_
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
+_B:Mk,v,h =_ ∅ _if message i was provably resolved on the sending chain before height h_
-_if message i was not received before height h_
-
-_B:Mk,v,h = _
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_if message i was provably resolved on the sending chain before height h_
-
-_B:Mk,v,h _
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_otherwise (if message i was processed before height h,_
-
-_ and no ack of receipt from the sending chain)_
+_B:Mk,v,h _ ≠ ∅ _otherwise (if message i was processed before height h, and no ack of receipt from the sending chain)_
Consider a connection where many messages have been sent, and their receipts processed on the sending chain, either explicitly or through a timeout. We wish to quickly advance over all the processed messages, either for a normal cleanup, or to prepare the queue for normal use again after timeouts.
Through the definition of the send queue above, we see that all messages _i < head_ have been fully processed, and all messages _head <= i < tail_ are awaiting processing. By proving a much advanced _head_ of the _send queue_, we can demonstrate that the sending chain already handled all messages. Thus, we can safely advance our local _receipt queue_ to the new head of the remote _send queue_.
-_S:IBCcleanup(A, Mk,v,h) _
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_ match_
-
-_qA.receipt =_
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_Error("unknown sender"), _
-
-_ k = (_, send, _) _
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_Error("must be for the send queue"),_
-
-_ k = (d, _, _) and d _
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_S_
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_Error("sent to a different chain"),_
-
-_ k_
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_ (_, _, head) _
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_Error("Need a proof of the head of the queue"),_
-
-_ Hh _
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_TA _
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_Error("must submit header for height h"),_
-
-_ not valid(Hh ,Mk,v,h ) _
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_Error("invalid merkle proof"),_
-
-_ head := v _
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_match_
-
-_ head <= head(qA.receipt) _
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_Error("cleanup must go forward"),_
-
-_ default _
-
->>>>> gd2md-html alert: equation: use MathJax/LaTeX if your publishing platform supports it.
(Back to top)(Next alert)
>>>>>
-
-_advance(qA.receipt , head); Success_
+_S:IBCcleanup(A, Mk,v,h)_ ⇒ _match_
+ * _qA.receipt =_ ∅ ⇒ _Error("unknown sender"),_
+ * _k = (\_, send, \_)_ ⇒ _Error("must be for the send queue"),_
+ * _k = (d, \_, \_) and d_ ≠ _S_ ⇒ _Error("sent to a different chain"),_
+ * _k_ ≠ _(\_, \_, head)_ ⇒ _Error("Need a proof of the head of the queue"),_
+ * _Hh_ ∉ _TA_ ⇒ _Error("must submit header for height h"),_
+ * _not valid(Hh ,Mk,v,h )_ ⇒ _Error("invalid merkle proof"),_
+ * _head := v_ ⇒ _match_
+ * _head <= head(qA.receipt)_ ⇒ _Error("cleanup must go forward"),_
+ * _default_ ⇒ _advance(qA.receipt , head); Success_
This allows us to invoke the _IBCcleanup _function to resolve all outstanding messages up to and including _head_ with one merkle proof. Note that if this handles both recovering from a blocked queue after timeouts, as well as a routine cleanup method to recover space. In the cleanup scenario, we assume that there may also be a number of messages that have been processed by the receiving chain, but not yet posted to the sending chain, _tail(B:qA.reciept ) > head(A:qB.send )_. As such, the _advance_ function must not modify any messages between the head and the tail.
-
-
->>>>> gd2md-html alert: inline image link here (to images/Cosmos-IBC3.png). Store image on your image server and adjust path/filename if necessary.
(Back to top)(Next alert)
>>>>>
-
-
-
+
### 4.3 Handling Byzantine Failures
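Review bot: the inline-image alert pointing at images/Cosmos-IBC3.png is removed and replaced by a single blank `+` line, yet nothing in this hunk references docs/spec/ibc/images/CleanUp.png, which this same patch adds as a new binary file. If CleanUp.png is the figure for the cleanup flow described in the paragraph above, insert `![IBC cleanup](images/CleanUp.png)` where the alert was; otherwise the new image is unreferenced. The IBCcleanup block has the same nesting issue as IBCtimeout: the two arms under `* _head := v_ ⇒ _match_` sit at the outer list level and should be indented under it. `_B:Mk,v,h _ ≠ ∅` again leaves the italic unclosed because of the space before the underscore. Since the surrounding paragraph is being touched anyway, the unchanged context line still reads "Note that if this handles both" and "B:qA.reciept"; both are worth fixing in this PR.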