Cosmos: Create Transaction Payload

Requirements

  • Quorum PGP Key

  • Air-Gapped Bundle

    • The proposer should print photographic evidence from digital cameras which is stored in a PGP signed repository. The photographs should be of the top and underside of the vacuum sealed object.

    • The proposer should verify the commit signatures of the photographs they are printing against a list of permitted PGP keys found in the vaults repo

  • Linux Workstation (online machine)

    • Any internet connected computer with a Linux shell will suffice

  • Clone the Vaults Repository for your organization to the machine

Procedure

  1. Turn on online linux workstation

  2. Clone the vaults repository if it's not available locally and get the latest changes:

    $ git clone <repository_git_url>
$ git pull origin main

  3. Unseal the SD Card Pack

    a. Retrieve digital/physical photographs of both sides of sealed bundle

    b. Compare all photographs to object for differences

    c. Proceed with unsealing the object if no differences are detected

  4. Plug a fresh SD card into the online linux workstation

  5. Look for your SD card device name (<device_name>) in the output of the lsblk command. It will typically be listed as /dev/sdX or /dev/mmcblk<num>, where X is a letter (e.g., /dev/sdb, /dev/sdc). You can identify it by its size or by checking if it has a partition (like /dev/sdX1)

    • Mount the device using: sudo mount /dev/<your_device> /media

  6. Save the vaults repo to the SD card, referred to as the Ceremony SD card

    $ cp -r ~/vaults/ /media

  7. Unplug the Ceremony SD card

  8. Unseal the tamper proofed bundle

    a. Retrieve digital/physical photographs of both sides of sealed bundle

    b. Compare all photographs to object for differences

    c. Proceed with unsealing the object if no differences are detected

  9. Insert the AirgapOS SD card into the airgapped machine and turn it on

  10. Once booted, unplug the AirgapOS SD card and place it in High Visibility Storage

  11. Plug in the Ceremony SD card

  12. Copy the git repo locally from the Ceremony SD card and change to it

    $ cp -r /media/vaults /root
$ cd /root/vaults

  13. Create a new payloads directory in the vaults repository for the date on which the ceremony for the transaction will take place if it doesn't already exist

    • mkdir -p <namespace>/ceremonies/<date>/payloads

    • e.g mkdir -p acme-coin-01/ceremonies/2025-01-01/payloads

  14. Use icepick workflow --help to list the available workflows and options

  15. Plug in the Operator smart card

  16. Use icepick to generate and sign the payload by running one of the following available workflows:

    All commands in the following sections take --chain-name and (with the exception of withdraw-rewards) --asset-name. These are the "Chain" and "Asset" fields from the table below. For example, Kyve Mainnet tokens would be --chain-name kyve --asset-name KYVE. Seda Mainnet tokens would be --chain-name seda --asset-name SEDA. The table below documents all currently-supported combinations of chain and primary asset.

    Chain NameChainAsset
    SedasedaSEDA
    Seda Devnetseda-devnetSEDA
    KyvekyveKYVE
    Kyve TestnetkaonKYVE
    Kyve DevnetkorelliaKYVE

    Additionally, there may be some difficulty broadcasting a transaction due to the amount of gas consumed, as each Cosmos chain may have different computation power available. The option --gas-factor may be set to a number to multiply the gas by, such as 1.2, to increase the amount of gas for a transaction. The default value is 1, and may be omitted if desired. A value lower than 1 is not recommended.

    Stake

    Stake coins on the provided chain towards a validator operator's address.

    $ icepick workflow cosmos stake --delegate-address <delegate-address> --validator-address <validator-address> --chain-name <chain-name> --asset-name <asset-name> --asset-amount <asset-amount> --gas-factor <gas-factor> --export-for-quorum --sign

    Transfer

    Transfer coins on the cosmos blockchain.

    $ icepick workflow cosmos transfer --from-address <from-address> --to-address <to-address> --chain-name <chain-name> --asset-name <asset-name> --asset-amount <asset-amount> --export-for-quorum --sign

    Withdraw

    Withdraw staked coins from a validator. Staked coins may be held for an unbonding period, depending on the chain upon which they are staked.

    $ icepick workflow cosmos withdraw --delegate-address <delegate-address> --validator-address <validator-address> --chain-name <chain-name> --asset-name <asset-name> --gas-factor <gas-factor> --export-for-quorum-sign

    Withdraw Rewards

    Withdraw rewards gained from staking to a validator.

    $ icepick workflow cosmos withdraw-rewards --delegate-address <delegate-address> --validator-address <validator-address> --chain-name <chain-name> --gas-factor <gas-factor> --export-for-quorum-sign

  17. Copy the updated ceremonies repo to the SD card

    $ cp -r /root/vaults /media

  18. Transfer the SD card from the air-gapped machine to the online machine

  19. Look for your SD card device name (<device_name>) in the output of the lsblk command. It will typically be listed as /dev/sdX or /dev/mmcblk<num>, where X is a letter (e.g., /dev/sdb, /dev/sdc). You can identify it by its size or by checking if it has a partition (like /dev/sdX1)

    • Mount the device using: sudo mount /dev/<your_device> /media

  20. Copy the updated repository locally and switch to it:

    $ cp -r /media/vaults ~/
$ cd ~/vaults

  21. Stage, sign, commit and push the changes to the ceremonies repository:

    $ git add <namespace>/ceremonies/<date>/payloads/*
$ git commit -S -m "add payload signature for payload_<num>.json"
$ git push origin main

  22. Notify relevant individuals that there are new transactions queued up, and that a ceremony should be scheduled. This can be automated in the future so that when a commit is made or PR opened, others are notified, for example using a incident management tool.

  23. Tamper proof the AirgapOS and Air-gapped laptop

  24. Insert object(s) into plastic sealing bag

  25. Fill bag with enough plastic beads that most of the object is surrounded

  26. Use vacuum sealer to remove air from the bag until the beads are no longer able to move

  27. Take photographs of both sides of the sealed object using both the digital and polaroid camera

  28. Date and sign the polaroid photographs and store them in a local lock box

  29. Take the SD card to an online connected device, ensuring continued dual custody, and commit the tamper evidence photographs to a repository. If two individuals are present, have one create a PR with a signed commit, and the other do a signed merge commit.