MIMD-0024: Challenge Mechanism #1207
Replies: 4 comments
-
The hash is derived from these so it does not need to appear in this list right? Or is it a hash of the committed account's content?
The purpose of the salt is not clear at this point: once a validator commits, there should never be multiple identical challenges.
Why would a challenger force a validator to answer with its state and take a 20% stake cut? I thought challenges were only between commits and finalization.
There is no mention of potential parameters here. The whitepaper mentions a slot, which seems excessively short for a full slash.
Isn't the account auto-finalized in the match path?
Still unclear at this point what state this refers to, because hashes refer to the state of the account, but only the account state seems insufficient to properly resolve the conflict. However, if the state here refers to a wider ledger state, passing it to the council would be expensive. Moreover, while sending an account can be done through mainnet, doing so for the ledger requires new methods, which introduce new constraints/vulnerabilities (e.g. NATS crypto integration, DA layers being slow, etc..)
What's the point of the delay? There is no appeal window, the council can take forever, so its decision should be final and the payout immediate. Having a terminology section at the beginning could help clarify the different terms, some of which are a bit overloaded (e.g. state) |
Beta Was this translation helpful? Give feedback.
-
Prevents knowing upfront the data by grinding, as a commit-reveal schema
It's better to catch a fraud as soon as possible. 20% is charged when the challenge is raised when it shouldn't, to prevent ddos
Agreed that 1 slot is excessive, we to run some experiments to find a good value
Correct, the challenge as no side effects
It should be possible to always restrict the conflict to one account on which parties disagree
Just safer in the first phase of the protocol, but agree that the payout could be immediate |
Beta Was this translation helpful? Give feedback.
-
|
I tried to translate the MIMD into a concrete call flow to check whether I am interpreting the proposal Note Assumptions / Terms / Scopes
Records I think are implied
Important interpretation: validator response opens the original commitment My read is that This avoids the case where a validator originally committed Sequence as I understand it sequenceDiagram
autonumber
participant V as Validator
participant C as Challenger
participant DP as Delegation program
participant R as Resolver
participant K as Keeper / anyone
rect rgba(80, 160, 255, 0.12)
V->>DP: SubmitValidatorCommitment<br/>validator, account, commit_id, validator_state_hash
DP->>DP: Store commitment<br/>start challenge window
end
rect rgba(255, 190, 80, 0.16)
C->>C: Detect divergence off-chain<br/>compute challenger state + salt<br/>compute challenge_hash
C->>DP: RaiseChallenge<br/>validator, account, commit_id, challenge_hash, stake
DP->>DP: Lock stake<br/>mark commitment disputed<br/>start validator response timeout
end
alt validator responds in time
rect rgba(120, 220, 140, 0.14)
V->>DP: SubmitValidatorResponse<br/>full state or canonical buffer reference
DP->>DP: Verify response opens stored commitment hash
end
alt valid validator opening
DP->>DP: Start challenger reveal timeout
alt challenger reveals in time
rect rgba(120, 220, 140, 0.14)
C->>DP: RevealChallengerState<br/>state, salt
DP->>DP: Verify reveal opens challenge_hash
end
alt invalid reveal
rect rgba(255, 90, 90, 0.16)
DP->>DP: Slash challenger
end
else states match
rect rgba(120, 220, 140, 0.14)
DP->>DP: Charge 20% challenger stake to protocol<br/>clear dispute
end
else states mismatch
rect rgba(255, 90, 90, 0.16)
DP->>DP: Create ResolutionRecord
R->>DP: Vote
K->>DP: FinalizeResolution
DP->>DP: Apply resolver outcome
end
end
else challenger reveal timeout
rect rgba(255, 90, 90, 0.16)
K->>DP: ClaimChallengerRevealTimeout
DP->>DP: Penalize challenger<br/>release commitment if valid validator opening exists
end
end
else invalid validator opening
rect rgba(255, 90, 90, 0.16)
DP->>DP: Validator-fault handling or resolver
end
end
else validator timeout
rect rgba(255, 90, 90, 0.16)
K->>DP: ClaimValidatorResponseTimeout
DP->>DP: Validator-fault handling or resolver
end
end
Commentary on the sequence
Messages I think are missing or need to be explicit
Finalization rule I infer
The 20% penalty for a valid but unnecessary challenge goes to the protocol. Questions / possible gaps
|
Beta Was this translation helpful? Give feedback.
-
|
Note Suggestion of a challenging mechanism Raising a challengeWhen a verifier detects invalid state (state divergence after replication, or invalid account data committed), it raises a challenge. We suppose both the verifier and the validator have the full ledger available locally. Their goal is to determine when in the ledger the discrepancy started, aka the first transaction when things started to diverge. ModelWe can model the system as follows:
PracticalityTo efficiently find the index State hash comparisonsFor security reasons, this process should most likely happen directly on Solana. However, this drastically increases latency as both participants need to have their state hashes confirmed on mainnet before knowing which next interval to work on. A way to speed up this process is to use the fact that multiple commitments can fit in a single solana transaction: the index Computing state hashesAnother issue is that computing the set Initiating the processThanks to the superblock architecture, replicas can use superblock boundaries as the bootstrapping elements that they will compare:
In all cases, the challenger always include the transaction and state hashes that triggered the inconsistent state (which most likely contains the fraud). The validator then has to compute the state hashes for every transaction in the current superblock, up to the challenge boundary. This part is sequential (challenger sends, validator observes then responds). An optimistic approach can be to precompute the state hashes for the latest superblock, which is likely where the fraud originated. This can be done in parallel to waiting for mainnet confirmation. IteratingAfter both participants sent their initial set of commitments, we can adopt a more parallel approach:
Impact on the protocol
|
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
MIMD: Dynamic Fraud Proof Challenge Mechanism
Status
Draft proposal/specification.
Goal
Define the permissionless challenge and finalization mechanism for an Ephemeral
Rollup operator commitment.
A state commitment can finalize only if:
commitment;
This proposal is part of the Dynamic Fraud Proof design described in
Dynamic Fraud Proof.
The mechanism is split into three phases:
challenge;
This document focuses on the challenge path and defines a simple initial
resolution path. Future versions are expected to replace the social resolution
path with objective replay on a zkSVM.
Non-goals
State divergence detection is out of scope for this mechanism. Divergence is
detected by
magicblock-validatorinstances running in replica mode andmonitoring operator output.
Multi-account challenges are also out of scope for the first version. A
challenge targets exactly one account at one commit id. Multi-account disputes
must be submitted as independent single-account challenges.
Operator selection and provisioning are out of scope. This document assumes an
operator has already been selected for the delegated account or ER session.
Actors
OperatororValidator: the node running the Ephemeral Rollup session andposting account state commitments to the Delegation Program.
VerifierorActive challenger: a bonded network participant eligible to berandomly selected to verify and co-sign a pending commitment.
Challenger: any participant with the required minimum stake who raises achallenge during the challenge window.
Delegation Program: the base-layer program that stores pending commitments,opens challenge windows, verifies co-signatures, blocks challenged
commitments, and finalizes resolved state.
Security council: a separate stake-weighted resolver used only for theinitial dispute-resolution implementation.
The security council is not the happy-path finalization committee. Happy-path
finalization depends on randomly selected active verifiers.
Commitment scope
A pending commitment is bound to:
The protocol commitment key is the account plus commit id. The ephemeral slot
that produced the state may be included as metadata for observability and
debugging, but it is not the protocol key.
Operator participation must move from the current whitelisting model to a
permissionless operator bond model. The current validator fee vault is not
slashable stake and must not be treated as the operator bond.
Verifier participation must also be permissionless and bonded. A verifier
signature should only count toward finalization if the verifier was eligible and
selected for the commitment round.
State commitment
The operator commits to the account state it wants to finalize by posting a
pending state commitment.
The state commitment must be domain-separated and bound to the complete
commitment context:
The canonical account state for this version consists of:
lamports;owner;data.executableis excluded because executable accounts are not delegatable in thisdesign. The owner should be explicitly committed as part of the finalized state;
the current implementation stores owner information in the delegation record and
commits lamports plus data, but the challenge design should bind owner as well.
Full account data is supported. Large account data may be committed through a
hash and opened through buffered submission if the state is challenged.
The Data Availability pointer must reference the transaction data needed to
replay or verify the ER execution that produced the committed state.
The exact byte serialization, hash function, missing-account representation,
minimum stake amount, initial challenge window, window-extension schedule,
response timeout, and voting timeout are protocol parameters to be finalized
before implementation.
Verifier selection and co-signing
When the operator posts a pending commitment, the challenge window starts and a
set of active verifiers is randomly selected from the bonded verifier set.
Selection must be:
A selected verifier approves a commitment by signing the exact
state_commitment_hashand challenge-window context:Before signing, the verifier is expected to check:
Non-selected verifier signatures do not count. Operator-supplied verifier lists
do not count unless they match the protocol-derived selection.
If the challenge window closes, no unresolved challenge exists, and the required
threshold of selected verifier signatures has been met, the commitment can be
finalized.
If the threshold is not met, the commitment must not finalize. The challenge
window is extended and the approval criteria are adjusted according to protocol
parameters.
If a challenge is raised, the commitment is blocked from finalization until the
challenge reaches a terminal outcome.
Challenge scope
A challenge targets an existing pending commitment. Pre-commit challenges are out
of scope for this version.
A challenge is bound to:
state_commitment_hash;challenge_hash.The challenger must lock a fixed minimum stake when raising the challenge.
A challenge must be submitted during an active challenge window for the pending
commitment. Once accepted, the commitment cannot finalize until the challenge is
resolved or dismissed.
Challenger commitment
The challenger commits to the account state they believe is correct by
submitting a salted hash.
The hash must be domain-separated and bound to the complete challenge context:
The revealed state uses the same canonical account state model as the operator
commitment:
lamports;owner;data.For large accounts, the revealed
datamay be provided through bufferedsubmission. The hash preimage must still bind to the full canonical data.
Lifecycle
flowchart TD A[Operator posts pending state commitment] --> B[Challenge window opens] B --> C[Random active verifiers are selected] C --> D[Selected verifiers check DA and execution] D --> E{Challenge raised?} E -->|No| F{Challenge window closed?} F -->|No| D F -->|Yes| G{Verifier signature threshold met?} G -->|Yes| H[Finalize committed state] G -->|No| I[Extend challenge window and adjust approval criteria] I --> C E -->|Yes| J[Block finalization and enter challenge path] J --> K[Operator opens or confirms full state] K --> L[Challenger reveals state and salt] L --> M{Challenge hash valid?} M -->|No| N[Challenger fully slashed] M -->|Yes| O{States match?} O -->|Yes| P[Challenge dismissed with challenger penalty] O -->|No| Q[Security council resolution] Q --> R{Who is correct?} R -->|Operator| S[Challenger fully slashed] R -->|Challenger| T[Operator fully slashed] T --> U[Challenger payout after 48h timelock] K --> V{Operator timeout?} V -->|Yes| Q1. Post commitment
The operator posts a pending state commitment for one account at one commit id.
The transaction records:
The commitment is pending. It is not finalized at this point.
2. Verifier approval
Selected verifiers monitor pending commitments. If a selected verifier considers
the commitment valid, it signs the commitment.
A verifier signature means that the verifier approves the pending commitment and
is not raising a challenge for that commitment.
The Delegation Program counts only signatures from selected eligible verifiers.
3. Raise challenge
Any challenger with the required fixed minimum stake may raise a challenge
against a pending commitment for one account at one commit id.
The transaction records:
state_commitment_hash;challenge_hash;The operation is permissionless, but economically protected by the required
stake and penalties defined below.
4. Operator response
If the pending commitment does not already expose the full account state onchain,
the operator must respond before the response timeout by opening or confirming
the full account state it claims is correct for the challenged account at the
challenged commit id.
Failure to respond before the timeout is treated as operator fault and moves the
challenge to resolution with operator non-response as evidence of fault.
5. Challenger reveal
After the operator response, the challenger reveals:
The program recomputes the challenge hash using the canonical challenge context.
If the recomputed hash does not match the original
challenge_hash, thechallenger is at fault and is fully slashed.
If the hash matches, the revealed challenger state is compared with the
operator-submitted state.
6. Match path
If the revealed challenger state matches the operator-submitted state, the
challenge was unnecessary.
This is valid protocol behavior, but it is costly. The challenger is charged
20% of the locked challenge stake. The charged stake goes to the protocol.
The remaining challenger stake is unlocked. No operator stake is slashed, and no
account state is changed by the challenge.
The pending commitment may finalize only if the normal finalization conditions
are satisfied: challenge window closed, selected verifier threshold met, and no
other unresolved challenge exists.
7. Mismatch path
If the revealed challenger state does not match the operator-submitted state,
the challenge proves disagreement but does not by itself prove fault.
The challenge enters resolution. The account is not finalized to either state
until resolution completes.
Resolution
The first version uses a stake-weighted security council as a simple resolver.
This is the fallback path for challenged commitments only.
Council members vote on which state is correct:
A resolution requires more than two thirds of council stake voting for one side,
subject to quorum and timeout parameters to be finalized before implementation.
This resolver is intentionally simple and social. It is acceptable only as an
initial implementation because the challenge mechanism is separated from the
resolution mechanism. Future versions should replace or augment this path with
objective replay on a zkSVM.
Outcomes
Outcome 1: happy path finalization
No challenge is raised, the challenge window closes, and enough randomly
selected active verifiers have signed the pending commitment.
Effects:
Outcome 2: not enough verifier signatures
No challenge is raised, but the selected verifier threshold is not met before the
challenge window closes.
Effects:
Outcome 3: state matches
The challenger commitment is valid, and the challenger-revealed state matches
the operator-submitted state.
Effects:
Outcome 4: state mismatches, operator is correct
The challenger commitment is valid, but the revealed state does not match the
operator-submitted state, and the security council resolves in favor of the
operator.
Effects:
and commit id.
Outcome 5: state mismatches, challenger is correct
The challenger commitment is valid, the revealed state does not match the
operator-submitted state, and the security council resolves in favor of the
challenger.
Effects:
account and commit id.
The 48 hour timelock happens after council resolution. It is a payout delay, not
an appeal window.
Finalization
A challenge never finalizes account state at the point of reveal.
Account state is finalized only when one of the following is true:
verifier signatures, and no unresolved challenge;
This prevents a malicious challenger from forcing state finalization before
fault has been assigned.
The current
CommitFinalizepath can remain as an optimized path, but it mustbe extended before being used in the challenge-enabled protocol. Specifically,
CommitFinalizemust verify:account_pubkey + commit_id;Security-council co-signing is not the happy-path Dynamic Fraud Proof condition
and should not be used as a substitute for randomly selected verifier approval.
Economic rules
to the protocol.
timelock.
slashing should be supported before that verifier's approval is considered
economically meaningful.
Security considerations
The state commitment hash and challenge hash must be domain-separated and bound
to the operator, challenger where applicable, account, commit id, DA pointer,
delegation record, and canonical state. Without this binding, commitments and
challenges could be replayed or reused across operators, accounts, or commits.
The protocol must define canonical serialization before implementation. Any
ambiguity in serialization can create slashable mismatches even when both sides
intended the same state.
Random verifier selection must be unpredictable before the commitment round and
verifiable during finalization. Operator-chosen signer sets are not sufficient.
Verifier signatures are only useful if the DA record is available and the
verifier can replay or verify the ER execution.
The initial council resolver is not objective consensus. Its security depends on
the council stake distribution and on council members independently running or
trusting validators capable of verifying the disputed state.
The challenge window should be bounded. Very old-slot challenges increase
archival and data-availability requirements.
Parameters to finalize
Open implementation work
The current implementation should evolve from admin whitelisting toward
permissionless bonded operator and verifier registration.
CommitFinalize;completed dispute resolution before applying state.
Beta Was this translation helpful? Give feedback.
All reactions