CIP-1694 | Guard security-relevant protocol parameter changes behind SPO votes #622
Conversation
Ryun1
changed the title
Also clarify that the proposal policy only applies to protocol parameter updates and treasury withdrawals.
|
We'll need to add this new parameter to the list of security params: IntersectMBO/cardano-ledger#3952 |
|
Whilst we are editing CIP-1694, would it be possible to add a note about script-based constitutional committee credentials? |
|
I've added that CC members can be scripts, that the new PParam |
| The security relevant protocol parameters are: | ||
| * `maxBBSize` | ||
| * `maxTxSize` | ||
| * `maxBHSize` | ||
| * `maxValSize` | ||
| * `maxBlockExUnits` | ||
| * `minFeeA` | ||
| * `minFeeB` | ||
| * `coinsPerUTxOByte` | ||
| * `govActionDeposit` | ||
| * `minFeeRefScriptsCoinsPerByte` | ||
|
|
There was a problem hiding this comment.
If this can be done at the protocol level, you should add dvtMotionNoConfidence and pvtMotionNoConfidence to this list as well and remove the CC rights to vote on these 2 parameters that were designed originaly to remove them.
They already cannot vote on "Motion of no confidence" and "Update Committee" governance actions, for obvious reasons. Which is why I think, their right to vote on these 2 parameters should be given to SPOs instead in my opinion. 😄👍
There was a problem hiding this comment.
Unfortunately that can't happen due to technical reasons, since dvtMotionNoConfidence and dvtMotionNoConfidence are not individual protocol parameters, but instead they are thresholds that are part of a threshold set, as such they can't be voted on individually. In other words, whenever a proposal is submitted that updates Stake Pool or DRep thresholds, all of the thresholds must be provided.
Moreover, drastic changes to the CIP are not possible at this stage.
The formal specification is complete and undergoing the audit at this point. Any changes right now will cause a significant delay to the release.
That being said, if you believe such functionality is very important, feel free to submit a CIP for the next era.
There was a problem hiding this comment.
Thank you for this explanation @lehins
Would you happen to have more information on the mentioned "threshold set" and what they contain?
Are the sets the different governance action thresholds for DReps and SPOs?
There was a problem hiding this comment.
There are two separate protocol parameters one for DReps and another for Stake Pools. Both of which contain all the relevant thresholds.
There was a problem hiding this comment.
Would you happen to have more information on the mentioned "threshold set" and what they contain?
Are the sets the different governance action thresholds for DReps and SPOs?
@thenic95 Here are the 2 "threshold set" grouped in square brackets:
What he meant is:
when you submit a PP governance action, you have to include all Protocol Parameters of the same "set" in the proposal file even if you change only one parameter from the same "set".
Thanks for the info @lehins 🥇
|
I have forwarded this PR to the Intersect governance parameter working group for comment :) |
|
The only thing I would add is that, since we have the CC and Dreps votes on But in that case, if you see this as a security issue, why all other deposits wouldn't be equally at risk? If risk there is. ( I can understand the importance of adding layers of difficulty to all other ones though (Transaction related ones), but I really don't think govActionDeposit is a big of a deal. |
|
This list of security-relevant parameters comes from multiple sessions with security researchers where we analyzed how the chain might break if certain parameters were set to bad values. There were some strict criteria for a parameter to be included, one of which being unrecoverability. While this may sound unrealistic, the point of the security-relevant parameters is to cover all possible attacks that satisfy these criteria. You only need to trust the SPOs to trust that the chain will not suffer from these attacks, no matter what happens with DReps & the CC. |
…SPO votes (cardano-foundation#622) * Guard security-relevant protocol parameter changes behind SPO votes * Replace the 'security group' by 'security relevant parameters' Also clarify that the proposal policy only applies to protocol parameter updates and treasury withdrawals. * Minor fixes and additions * Fix outdated wording
…SPO votes (cardano-foundation#622) * Guard security-relevant protocol parameter changes behind SPO votes * Replace the 'security group' by 'security relevant parameters' Also clarify that the proposal policy only applies to protocol parameter updates and treasury withdrawals. * Minor fixes and additions * Fix outdated wording
These changes came out of recent discussions with security researchers. Guarding certain parameters behind SPO votes results in preserving the current security and liveness properties of the system without having to make further security assumptions.
This is WIP for now, since I'm not sure yet whether the list of parameters guarded behind this extra condition is final.