-
Notifications
You must be signed in to change notification settings - Fork 39
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Using a commit/contest method to scale validator set #123
Comments
As @OliverNChalk mentioned we are considering scaling Bridge to tens or hundreds of validators (perhaps even more). The goal is increased security of the bridge. I would add some implementation details to this proposal:
|
Hi @OliverNChalk ! Nice to see your proposal. Thanks! I would suggest to create an issues like this next time in the https://github.com/poanetwork/poa-bridge-contracts repo. I have a few comments to your proposal, it will be great to continue discussion:
Please share your thoughts on this. |
Also an important moment is the independence of RPC providers for the bridge validators. In order to provide maximum of security all validators must have their own nodes synchronizing the foreign and home chains. Otherwise it is possible an attack to compromise RPC providers which is used by groups of validators. From this point of view economical aspect of such kind of bridge should include expenses which are experiencing by the bridge validators to maintain the chain nodes. The token bridge oracle could be re-worked to use light nodes (and we did few experiments in the past) to reduce the chain nodes cost but it is still outstanding work. |
Hey @akolotov , thanks for the quick response! My thoughts on your questions:
You were correct, those were some interesting questions :P |
Correct. One validator relays collected signatures to the Ethereum Mainnet. If you look at https://blockscout.com/eth/mainnet/tx/0xd8453479702a1c516e8250e1087cc5faddfc82aee20d739bdee614a23226bd7c you will see that it consumed ~129500 gas to confirm transfer by three signatures.
Since the timer will be controlled by the bridge contract and any Ethereum contract has no ability to wake up by itself, someone needs to trigger the contract after the timer expiration.
For me, the dispute threshold is a time which the bridge contract will wait after the validator's proposal appearance before allowing to mint/unlock tokens.
Correct. But the contract knows nothing if a dispute is not arriving due to agreement of other validators or since they did not handle the corresponding block due to latency with synchronization. Moreover there is a nonzero chance that a dispute will not arrive since other validators are offline. And things are getting more complex if we consider several possible scenarios.
Not sure that understood entire flow properly. Who will attach the bounty? Will the bond be distributed among all validators or only among validators participated in the dispute?
Could you clarify which statement this is for? I am quite lost.
Correct. But this model assumes to work with any (even small) number of validators. And bridging fees could (probably) cover at least part of expenses to maintain the RPC nodes. If we increase the number of validators the reward which every validator gets becomes smaller. So, incentive to be the bridge validator is questionable in the case of large number of validators. And, in fact, these are general questions - what kind of the issue we would like to solve by increasing the number of validators? What motivation of the people or companies to be a bridge validator is? |
Okay, so the current model cannot scale to 100 validators.
Anyone can call this, probably the user wanting their tokens. Or we can incentivize validators to this automatically to improve UX.
There seems to be a misunderstanding here. The process for commits and disputes are as follows:
Well the proposing validator has a bond associated with their stay as a validator. So if their transaction was indeed fraudulent, their bond will be confiscated and can fund the bounty among other things.
Ideally, validators would already have access to a trustworthy Ethereum node, or they simply run one alongside their PoA node due to the huge economic benefits of doing so. Running two nodes will support hundreds of tokens among critical ones like stablecoins.
I think a 3 or 5 validators is not sufficiently decentralized to support moving a million DAI to another chain. Due to the chance for collusion and lack of fault tolerance, with my proposed model you can scale bridges easily alongside scaling the chain's PoA set. As an example, some POA chains are targeting 101 validators, this model would allow bridges to integrate nicely with the existing model. |
Thanks @OliverNChalk for detailed explanation! This is a good brainstorm to understand social and technical issues which could appear in running such service.
:) Definitely not. And I am looking at https://forum.poa.network/c/xdai-chain/validators-intro have some skepticism if it is achievable in practice. Things could be even worse if it is mandatory for the validator to setup the mainnet node as the RPC provider for the bridge oracle.
As I said above, in some scenarios the user has no funds to cover transaction fee to finish minting/unlocking process.
Correct. It should be the part of the model.
This is my understanding too. I could clarify my previous question in the context of your example:
Another thing which came into my mind if the bond confiscation in case of failed dispute could incentivize validators to fail a dispute intentionally. For example, if the validators are anonymous (no KYC procedure is applied) they could fail a dispute in order to get short term profit even if they are excluded from the list of bridge validators after that. In case of high traffic through the bridge assuming that cheating will not be discovered instantly this strategy could cover the amount of the bond staked by an account to be the bridge validator.
OK. I see. The assumption here is that the network validators should play the role of the bridge validator as well, isn't it? And it means that KYC will be applied for all network validators to be an authority. If so, it could motivate the validators to maintain full node for another chain since otherwise they are under the risk to lose their authority in the PoA chain due to incorrect bridge transaction validation.
If 101 validators use their own trustworthy Ethereum nodes as RPC providers it is definitely good. If they use the same RPC provider like INFURA we cannot talk about decentralization. |
That is correct, this design would be targeted at having the network validators run the node. This means the validators will be public entities and in some cases KYCd / have a network bond staked.
This is a valid point, it is easy to prove a transaction was not included in the past. However, it is much harder to prove that you are at the head of the chain. I feel it is quite unlikely that no validator / member of the public will pull the trigger (in a sufficient dispute period). In fact it will create a nice balance between risk and reward. Which would hopefully result in people sending disputes at different times as it becomes clearer. If this is a more serious issue than I am acknowledging, there are various mechanisms we can implement to further address it.
So for this scenario, we have two cases:
If we assume that the POA chain has higher throughput and is generally less likely to be congested (and would cost more to spam than Ethereum). Then it would make sense to adjust the confirmation time accordingly (i.e. depositing can be faster than withdrawing, which would help onboarding). Another thing to consider, on the POA chain validators can include their own transactions. As such, if the POA chain is not byzantine we can guarantee that disputes will make it in (if we assume bridge and validator set overlap). This means our main concern is withdrawing to Ethereum from POA. This is because spamming Ethereum is less costly than spamming POA and POA validators are not miners and thus cannot guarantee transaction inclusion. We also need to assume Ethereum miners are not byzantine. This leads me two thoughts:
For point 2, it's important to note that 10K gas at 100 GWEI cost 0.001 Ether. If we assume disputes can be started with 70K gas, that's a cost of 0.007 Ether per 100 GWEI. This would mean that if the bond was 0.1 Ether we would theoretically have up to 1400 GWEI to play with, if the entire bond went to the disputer. For the topic of setting the bond, I currently see two options:
I think we should prioritize security over latency. If a dispute is initiated, then the transaction will be slowed until the dispute is properly resolved (we can discuss how to most securely properly resolve a dispute). This then opens the questions of: Can this mechanism be abused to slow down transfer times and degrade UX? On this point, I personally think that a proper dispute bond will ensure that there is little chance of this happening on a common basis. We can even explore distributing a portion of the dispute bond to the affected user. Do you foresee any issues caused by targeted slowing down of cross-chain transfer beyond UX. |
Thanks! At this moment I see few assumptions and uncertainties. Do you think it is better to prepare a document like a whitepaper draft in order to get more clear model? |
I don't think I have seen any issues yet, so it might make sense to formalize this a bit to make it easier to digest. I will try to get on to this |
https://github.com/OliverNChalk/commit-reveal-bridge/tree/master - I plan to use this as a working doc, it currently lacks details but do you see any issues with this proposal (beyond needing more details)? |
Hello POA team,
I just wanted to air an idea I had in mind while talking with Marek from ethworks. To my knowledge, current validator sets for cross-chain bridges are fairly small due to the fact that transfer cost scales linearly with the amount of validators (due to each validator needing to vote on transfers).
In our discussions on how we could increase the size of this validator set without creating significant congestion or gas costs, an obvious solution was to use a commit / contest model.
The model is similar to other layer 2 solutions:
This model introduces some changes to the game-theory of cross-chain bridges and also increases the latency of transfers due to dispute periods. However, it should let the bridges significantly scale their validator set.
Interested in any feedback / thoughts.
The text was updated successfully, but these errors were encountered: