Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[CHECKLIST] Trigger emergency fallback when stalling is detected #628

Open
7 tasks
drewstone opened this issue Jun 7, 2023 · 0 comments
Open
7 tasks

[CHECKLIST] Trigger emergency fallback when stalling is detected #628

drewstone opened this issue Jun 7, 2023 · 0 comments
Assignees

Comments

@drewstone
Copy link
Contributor

drewstone commented Jun 7, 2023

Overview

One of the last open loops we haven't closed is how the emergency fallback mechanism gets triggered. When the chain stalls, due to the inability of the active DKG authorities to sign the next DKG public key , we must have a way to recover either with the active DKG key and authorities or by triggering an emergency keygen reset which effectively moves on without a proper rotation.

Let's consider the latter. When we trigger an emergency reset on the keygen mechanism, assume a new DKG protocol is executed successfully. The state of the active key and signature are erased and the active key is set to then be the new DKG key. In this event, one potential trigger mechanism is:

  • The fallback participants are the validators themselves, specifically the ecdsa (wdkg) keypair that we generate for each validator.
  • The wdkg key is what is also used in the ProposerSetUpdate proposal (here, (test of proposal execution).
  • When the active validators (not authorities) execute a force emergency keygen, we can enforce (with slashing) that the validators must submit a signature of a vote, i.e. we would utilize their wdkg key to sign abi.encodePacked(vote).
  • Relayers would relay these signatures to the SignatureBridges in order to force rotate those contracts governors, i.e. our fallback resembles a multi-sig vote by the DKG authorities themselves (voters are bound by ProposerSetUpdate proposals).

Needed changes

  • We would add a method to Governable.sol that allows us to relay these signatures to the contract directly, further decentralizing the applications through this separation of signing and execution.
  • We would add a relayer service that exclusively handles this process (or tack it onto the "Governance Relayer"). This role would listen for signed ProposerSetUpdate proposals on the DKG chain and relay them to updateProposerSetData in a similar way to how the RefreshVote rotation protocol is handled.
  • We would need to trigger this signature generation by active validators once a stall is triggered.
  • We would need to add slashing to validators who don't vote if an outcome cannot be decided within some chosen interval of time.

(Aside: To an extent, more functionality like this separates the DKG networks like Tangle from the applications that they indirectly govern. Using the DKG in your application is permissionless (the DKG stays alive by sometimes executing emergency resets, the applications' userbase must relay the DKG protocol output in order to stay alive).)

Checklist

Functionality

DKG Work

  • Active proposers should watch for stalled chains in a worker service.
  • When stall is detected, active proposers should generate ECDSA signature of the encoded Vote object and submit it on-chain.
  • New pallet functionality to handle submission and storage of these signatures for the respective session with key events for watching/subscribing to.

Relayer work

  • Governance relayers (or a new ProposerSetUpdate relayer) should listen for the specific event when a vote signature is submitted.
  • These relayers should submit a TX to the update the proposer set on the Governable instances.

Smart contract work

  • We should make the signatures of Votes relayable, by simply providing signatures of a vote and ensure replay-ability is prevented across sessions.
  • We should consider making both the refresh + proposer set update executable in a single function so as to prevent the need for multiple txes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
3 participants