-
Notifications
You must be signed in to change notification settings - Fork 88
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Incremental decommit #1057
Comments
Discussed the approach with researchers and here are today's notes also reflected in the TBD section above, while the main body of the issues requires some updating now: Notes on decrements <2023-11-16 Thu>
|
We had a discussion today which led to the question:
Many use cases will mean a denial of service if any participant (or users "in proxy") can request decommitting arbitrary UTxO. A simple example would be two actors Maybe this is a bit constructed, but certainly most use cases would be impacted by such an "attack" vector.
Closing a head does "level the playing field" more as everyone is impacted the same. For this feature to be useful, this needs to be handled and we should update the What requirements of this feature item! Ideas we had to avoid/solve this:
|
The person attempting to decommit must own the utxos in the hydra ledger. In the hydrozoa paper, my approach was to include in the decommit request a transaction with no outputs and inputs consisting of the utxos to be decommitted. This transaction is invalid on L1 (which prevents it from being submitted there — an added benefit) but can be interpreted by a special ledger rule that disables the tx balancing check when handling decommit requests. Since the other ledger rules are still active, this means that:
Indeed, the above transaction precisely describes what should happen to the L2 ledger when the utxos are decommitted. On L1, such transactions are illegal because it must conserve tokens (modulo mint/burn); on L2, such transactions are necessary because utxos can enter/leave the system exogenously. https://github.com/GeorgeFlerovsky/cardano-hydrozoa#decommit-on-l2 |
Latest update of example transaction traces using signatures including Nominal decrementAlternative: Close with U3 instead of decrementAlternative: Close with U3 after decrement |
Only specification changes for #1057 to get them merged first as described in #1473. :nail_care: Marked sections red that are about to change with incremental decommits. :nail_care: Adds `decrementTx` which removes UTxO from the head state to protocol overview, on-chain and off-chain sections. :nail_care: Updates close, contest and fanout steps accordingly. :nail_care: Uses a "version counting" scheme to distinguish cases where the same snapshot is used to decrement and close the head. :nail_care: Removes $\mathcal{T}_{\mathsf{all}}$ book-keeping and makes snapshots request full transactions. Adds a note that requesting only transaction ids is possible if all parties keep an index. This simplifies the specification (but departs from a 1:1 mapping to implemented protocol logic in `Hydra.HeadLogic`) :nail_care: (Re-)introduces snapshot objects to group confirmed variables (e.g. $\bar{s}, \bar{v}$) which are just kept to refer to them later on in `close`. --- <!-- Consider each and tick it off one way or the other --> * [ ] CHANGELOG updated or not needed * [x] Documentation updated * [x] Haddocks not needed * [ ] No new TODOs introduced or explained herafter - [x] ~~Figures are not updated~~ - [ ] Some handwavy-ness when dealing with $tx_\omega$ and interface between off-chain and on-chain in regards with $\mathsf{CloseType}$ is unsharp --------- Co-authored-by: Sasha Bogicevic <[email protected]>
Why
Hydra Heads should not need to be closed to remove funds. This will make Hydra Heads more flexible in enables use cases where long-living Heads are beneficial.
Also, the current protocol may result in "non-finalizable" heads when some UTxO can't be represented on the Cardano mainchain. It would be desirable to recover at least compatible outputs back on L1.
What
Implement the protocol extension for de-committing only part of the Head state (without closing the Head) as already briefly described in the original Hydra Head paper.
Decommit
websocket command or http requestPOST /decommit
Tx
is just a list of transaction output references (aka. transaction inputs), in cardano-api:[TxIn]
decommit
tx is spending inputs from the confirmed UTxO in the head, but will produce UTxO which are to be decommitted into the L1decommit
tx by validating it against the L2 ledger state.hydra-node
does create and submit adecrementTx
onto the L1Submitting thedecrementTx
will make the requested outputs available on the Cardano L1Properties
Security
Out of scope
How
Idea: Re-use the
ReqSn
and snapshots in off-chain consensus to request exclusion of UTxO. With that "granted", on-chainopen
state is updated in a newdecrementTx
. We need to make sure off-chain snapshots can only be used to close specificopen
heads (replay protection).decrementTx
closeTx
fanoutTx
Possible tasks
/decommit
endpoint #1209ReqDec
and extend snapshots to hold optionaldecrementTx
asopen -> open
transitioncloseTx
with state references (additional data in redeemers?)fanoutTx
to handle newLatest task breakdown
To be discussed
ReqTx
)decrementTx
is never submitted to L1?closed
statedecrementTx
above never happens,fanoutTx
produce all corresponding outputscloseTx
and lead to a normalclosed
state with a singledecrementTx
to avoid stalling.decrementTx
?withdrawTx
(= partial fanout)?decrementTx
) to clean-up the correspondingopen
states. A state reference is basically just thedecrementTx
instead of just multi-signingclosed
state with the "to-be-decommitted"fanoutTx
needs to recreate outputs satisfying both[TxIn]
on the endpoints convenient?UTxO
Tx
as we need to authorize a decommit (see comments)The text was updated successfully, but these errors were encountered: