Babylon's BTC Staking protocol introduces an additional consensus round on blocks produced by CometBFT, called the finality round. The participants of this round are referred as finality providers and their voting power stems from staked bitcoins delegated to them.
The Finality module is responsible for handling finality votes, maintaining the finalization status of blocks, and identifying equivocating finality providers in the finalization rounds. This includes:
- handling requests for committing EOTS public randomness from finality providers;
- handling requests for submitting finality votes from finality providers;
- maintaining the finalization status of blocks; and
- maintaining equivocation evidences of culpable finality providers.
Babylon Bitcoin Staking. Babylon's Bitcoin Staking protocol allows bitcoin holders to trustlessly stake their bitcoins, in order to provide economic security to the Babylon chain and other Proof-of-Stake (PoS) blockchains. The protocol composes a PoS blockchain with an off-the-shelf finality voting round run by a set of finality providers who receive BTC delegations from BTC stakers. The finality providers and BTC delegations are maintained by Babylon's BTC Staking module, and the Finality module is responsible for maintaining the finality voting round.
Finality voting round. In the finality voting round, a block committed in the CometBFT ledger receives finality votes from a set of finality providers. A finality vote is a signature under the Extractable One-Time Signature (EOTS) primitive. A block is considered finalized if it receives a quorum, i.e., votes from finality providers with more than 2/3 voting power at its height.
Slashable safety guarantee. The finality voting round ensures the slashable safety property of finalized blocks: upon a safety violation where a conflicting block also receives a valid quorum, adversarial finality providers with more than 1/3 total voting power will be provably identified by the protocol and be slashed. The formal definition of slashable safety can be found at the S&P'23 paper and the CCS'23 paper. In Babylon's Bitcoin Staking protocol, if a finality provider is slashed, then
- the secret key of the finality provider is revealed to the public,
- a parameterized amount of bitcoins of all BTC delegations under it will be burned on the Bitcoin network, and
- the finality provider's voting power will be zeroized.
In addition to the standard safety guarantee of CometBFT consensus, the slashable safety guarantee disincentivizes safety offences launched by adversarial finality providers.
Interaction between finality providers and the Finality module. In order to participate in the finality voting round, an active finality provider with BTC delegations (as specified in the BTC Staking module) needs to interact with the Finality module as follows:
- Committing EOTS public randomness. The finality provider proactively commits a list of EOTS public randomness for future heights to the Finality module. EOTS ensures that given an EOTS public randomness, a signer can only sign a single message. Otherwise, anyone can extract the signer's secret key by using two EOTS signatures on different messages, the corresponding EOTS public randomness, and the signer's public key.
- Submitting EOTS signatures. Upon a new block, if the finality provider has committed an EOTS public randomness at this height, then it submits an EOTS signature w.r.t. the committed EOTS public randomness to the Finality module. The Finality module will verify the EOTS signature, and check if there are known EOTS signatures on conflicting blocks from this finality provider. If yes, then this constitutes an equivocation, and the Finality module will save the equivocation evidence, such that anyone can extract the finality provider's secret key and slash it.
Babylon has implemented a BTC staking tracker daemon program that subscribes to equivocation evidences in the Finality module, and slashes BTC delegations under equivocating finality providers by sending their slashing transactions to the Bitcoin network.
The Finality module maintains the following KV stores.
The parameter storage maintains the Finality module's
parameters. The Finality module's parameters are represented as a Params
object defined as follows:
// Params defines the parameters for the module.
message Params {
option (gogoproto.goproto_stringer) = false;
// min_pub_rand is the minimum number of public randomness each
// message should commit
uint64 min_pub_rand = 1;
}
The public randomness storage maintains the
list of EOTS public randomness that each finality provider commits to Babylon.
The key is the finality provider's Bitcoin secp256k1 public key concatenated
with the block height, and the value is a SchnorrPubRand
object representing the EOTS public
randomness that this finality provider commits at this height. The
SchnorrPubRand
is a point on the secp256k1 curve, and is defined as a 32-byte
array in the implementation.
type SchnorrPubRand []byte
const SchnorrPubRandLen = 32
The finality vote storage maintains the finality votes of
finality providers on blocks. The key is the block height concatenated with the
finality provider's Bitcoin secp256k1 public key, and the value is a
SchnorrEOTSSig
object representing an EOTS
signature. Here, the EOTS signature is signed over a block's height and
AppHash
by the finality provider, using the private randomness corresponding
to the EOTS public randomness it commits to at the block's height. The EOTS
signature serves as a finality vote on this block from this finality provider.
It is a 32-byte scalar and is defined as a 32-byte array in the implementation.
type SchnorrEOTSSig []byte
const SchnorrEOTSSigLen = 32
The indexed block storage maintains the necessary
metadata and finalization status of blocks. The key is the block height and the
value is an IndexedBlock
object
defined as follows.
// IndexedBlock is the necessary metadata and finalization status of a block
message IndexedBlock {
// height is the height of the block
uint64 height = 1;
// app_hash is the AppHash of the block
bytes app_hash = 2;
// finalized indicates whether the IndexedBlock is finalised by 2/3
// finality providers or not
bool finalized = 3;
}
The equivocation evidence storage maintains evidences of
equivocation offences committed by finality providers. The key is a finality
provider's Bitcoin secp256k1 public key concatenated with the block height, and
the value is an Evidence
object representing the
evidence that this finality provider has equivocated at this height. Anyone
observing the Evidence
object can extract the finality provider's Bitcoin
secp256k1 secret key, as per EOTS's extractability property.
// Evidence is the evidence that a finality provider has signed finality
// signatures with correct public randomness on two conflicting Babylon headers
message Evidence {
// fp_btc_pk is the BTC Pk of the finality provider that casts this vote
bytes fp_btc_pk = 1 [ (gogoproto.customtype) = "github.com/babylonchain/babylon/types.BIP340PubKey" ];
// block_height is the height of the conflicting blocks
uint64 block_height = 2;
// pub_rand is the public randomness the finality provider has committed to
bytes pub_rand = 3 [ (gogoproto.customtype) = "github.com/babylonchain/babylon/types.SchnorrPubRand" ];
// canonical_app_hash is the AppHash of the canonical block
bytes canonical_app_hash = 4;
// fork_app_hash is the AppHash of the fork block
bytes fork_app_hash = 5;
// canonical_finality_sig is the finality signature to the canonical block
// where finality signature is an EOTS signature, i.e.,
// the `s` in a Schnorr signature `(r, s)`
// `r` is the public randomness that is already committed by the finality provider
bytes canonical_finality_sig = 6 [ (gogoproto.customtype) = "github.com/babylonchain/babylon/types.SchnorrEOTSSig" ];
// fork_finality_sig is the finality signature to the fork block
// where finality signature is an EOTS signature
bytes fork_finality_sig = 7 [ (gogoproto.customtype) = "github.com/babylonchain/babylon/types.SchnorrEOTSSig" ];
}
The Finality module handles the following messages from finality providers. The message formats are defined at proto/babylon/finality/v1/tx.proto. The message handlers are defined at x/finality/keeper/msg_server.go.
The MsgCommitPubRandList
message is used for committing a list of EOTS public
randomness that will be used by a finality provider in the future. It is
typically submitted by a finality provider via the finality
provider program.
// MsgCommitPubRandList defines a message for committing a list of public randomness for EOTS
message MsgCommitPubRandList {
option (cosmos.msg.v1.signer) = "signer";
string signer = 1;
// fp_btc_pk is the BTC PK of the finality provider that commits the public randomness
bytes fp_btc_pk = 2 [ (gogoproto.customtype) = "github.com/babylonchain/babylon/types.BIP340PubKey" ];
// start_height is the start block height of the list of public randomness
uint64 start_height = 3;
// pub_rand_list is the list of public randomness
repeated bytes pub_rand_list = 4 [ (gogoproto.customtype) = "github.com/babylonchain/babylon/types.SchnorrPubRand" ];
// sig is the signature on (start_height || pub_rand_list) signed by
// SK corresponding to fp_btc_pk. This prevents others to commit public
// randomness on behalf of fp_btc_pk
// TODO: another option is to restrict signer to correspond to fp_btc_pk. This restricts
// the tx submitter to be the holder of fp_btc_pk. Decide this later
bytes sig = 5 [ (gogoproto.customtype) = "github.com/babylonchain/babylon/types.BIP340Signature" ];
}
Upon MsgCommitPubRandList
, a Babylon node will execute as follows:
- Ensure the message contains at least
MinPubRand
number of EOTS public randomness, whereMinPubRand
is defined in the module parameters. - Ensure the finality provider has been registered in Babylon.
- Ensure the list of EOTS public randomness does not overlap with existing EOTS public randomness that this finality provider previously committed before.
- Verify the Schnorr signature over the list of public randomness signed by the finality provider.
- Store the list of EOTS public randomness to the public randomness storage.
The MsgAddFinalitySig
message is used for submitting a finality vote, i.e., an
EOTS signature over a block signed by a finality provider. It is typically
submitted by a finality provider via the finality
provider program.
// MsgAddFinalitySig defines a message for adding a finality vote
message MsgAddFinalitySig {
option (cosmos.msg.v1.signer) = "signer";
string signer = 1;
// fp_btc_pk is the BTC PK of the finality provider that casts this vote
bytes fp_btc_pk = 2 [ (gogoproto.customtype) = "github.com/babylonchain/babylon/types.BIP340PubKey" ];
// block_height is the height of the voted block
uint64 block_height = 3;
// block_app_hash is the AppHash of the voted block
bytes block_app_hash = 4;
// finality_sig is the finality signature to this block
// where finality signature is an EOTS signature, i.e.,
// the `s` in a Schnorr signature `(r, s)`
// `r` is the public randomness that is already committed by the finality provider
bytes finality_sig = 5 [ (gogoproto.customtype) = "github.com/babylonchain/babylon/types.SchnorrEOTSSig" ];
}
Upon MsgAddFinalitySig
, a Babylon node will execute as follows:
- Ensure the finality provider has been registered in Babylon and is not slashed.
- Ensure the finality provider has voting power at this height.
- Ensure the finality provider has not previously casted the same vote.
- Ensure the finality provider has a committed EOTS public randomness at this height.
- Verify the EOTS signature w.r.t. the committed EOTS public randomness.
- If the voted block's
AppHash
is different from the canonical block at the same height known by the Babylon node, then this means the finality provider has voted for a fork. Babylon node buffers this finality vote to the evidence storage. If the finality provider has also voted for the block at the same height, then this finality provider is slashed, i.e., its voting power is removed, equivocation evidence is recorded, and a slashing event is emitted. - If the voted block's
AppHash
is same as that of the canonical block at the same height, then this means the finality provider has voted for the canonical block, and the Babylon node will store this finality vote to the finality vote storage. If the finality provider has also voted for a fork block at the same height, then this finality provider will be slashed.
The MsgUpdateParams
message is used for updating the module parameters for the
Finality module. It can only be executed via a govenance proposal.
// MsgUpdateParams defines a message for updating finality module parameters.
message MsgUpdateParams {
option (cosmos.msg.v1.signer) = "authority";
// authority is the address of the governance account.
// just FYI: cosmos.AddressString marks that this field should use type alias
// for AddressString instead of string, but the functionality is not yet implemented
// in cosmos-proto
string authority = 1 [(cosmos_proto.scalar) = "cosmos.AddressString"];
// params defines the finality parameters to update.
//
// NOTE: All parameters must be supplied.
Params params = 2 [(gogoproto.nullable) = false];
}
Upon EndBlocker
, the Finality module of each Babylon node will execute the
following if the BTC staking protocol is activated (i.e., there has
been >=1 active BTC delegations):
- Index the current block, i.e., extract its height and
AppHash
, construct anIndexedBlock
object, and save it to the indexed block storage. - Tally all non-finalized blocks as follows:
- Find the starting height that the Babylon node should start to finalize. This is the earliest height that is not finalize yet since the activation of BTC staking.
- For each
IndexedBlock
between the starting height and the current height, tally this block as follows:- Find the set of active finality providers at this height.
- If the finality provider set is empty, then this block is not finalizable and the Babylon node will skip this block.
- If the finality provider set is not empty, then find all finality votes
on this
IndexedBlock
, and check whether thisIndexedBlock
has received votes of more than 2/3 voting power from the active finality provider set. If yes, then finalize this block, i.e., set thisIndexedBlock
to be finalized in the indexed block storage and distribute rewards to the voted finality providers and their BTC delegations. Otherwise, none of the subsequent blocks shall be finalized and the loop breaks here.
The Finality module defines the EventSlashedFinalityProvider
event. It is
emitted when a finality provider is slashed due to equivocation.
// EventSlashedFinalityProvider is the event emitted when a finality provider is slashed
// due to signing two conflicting blocks
message EventSlashedFinalityProvider {
// evidence is the evidence that the finality provider double signs
Evidence evidence = 1;
}
The Finality module provides a set of queries about finality signatures on each block, listed at docs.babylonchain.io.