CIP-0118? | Validation Zones #862
Conversation
|
thanks @polinavino ... really happy to see the continuation of this work. I'm marking the title with the obligatory cc (for continuing review from the old proposal) @Quantumplation @fallen-icarus - p.s. cc (re: Rationale ["towards better design"]) @AndrewWestberg |
There was a problem hiding this comment.
I believe it is proper for this to be a separate PR from the first one, though that should be confirmed by other CIP editors today (https://hackmd.io/@cip-editors/93 - cc @Ryun1 @Crypto2099). Given the significance of the revision, the commit history in this case I think is more important than the discussion history & hopefully any prior discussion points will be summarised by previous reviewers here (@fallen-icarus @Quantumplation).
|
|
||
| ## Path to Active | ||
|
|
||
| ### Software Readiness Level |
There was a problem hiding this comment.
For consistency with other CIPs (mainly for review in parallel with 100+ others) this section needs to be broken into Acceptance and Implementation ... I guess since it refers to testing functionality then it would be on the Implementation path.
When done sifting material around in this section it will also help for these items to be GitHub formatted tickboxes (- [ ]) but I am not going to be pedantic about it especially at this stage.
There was a problem hiding this comment.
Sounds good, will do that later today!
|
@fallen-icarus @lehins @disassembler let us assume that
then, the risk of "having unfulfilled exchange offers hang around forever" becomes significantly reduced by being able to set your own custom Babel offers filter that only keeps certain offers around :
so, a Babel service discards offers they're not interested in, and also phase-1 invalid offers. Phase-2 invalid offers can go on-chain immediately for collateral collection, without the need to be fulfilled. This feels like a decent compromise and addresses multiple usecases. |
|
I don't think this design addresses what I consider to be the biggest issue: there is a fundamental mismatch of incentives between service providers and end-users. What is good for the babel service is bad for the end-user, and vice versa. A distributed system with badly aligned incentives can still result in a centralized ecosystem. Ethereum's staking situation is a real world example of this. Ethereum requires users to lock up ETH, but no one actually wants to do this. So companies like Lido were created to fill the incentives gap, and as a result, ethereum is still centralized despite using a distributed network. I think this design will end up the same way and it is the assumption itself that is the problem. Specifically, this part: each transaction in a zone has enough collateral to cover preceeding ones.
This is assuming end-users will actually submit "offers" to the babel network that satisfy the collateral requirement, and I think that is a completely unrealistic assumption. The collateral requirement is not possible for end-users to satisfy without coordination. Since this is supposed to be a distributed/global network, coordination among end-users is totally impractical. What I think will likely happen instead is flowchart LR
Alice --> BabelNetwork
Bob --> BabelNetwork
Charlie --> BabelNetwork
BabelNetwork --> Cardano
we effectively have this: flowchart LR
Alice --> CompanyA
Bob --> CompanyA
Charlie --> CompanyA
CompanyA --> Cardano
The ecosystem ends up in the exact same scenario as with transaction swaps except it is actually worse for three reasons:
|
The (forthcoming "nested transactions") design will operate in a slightly different way, that is somewhere between validation zones and swaps. Instead of a zone, there will be a (fully phase-1 valid) top-level transaction that contains a list of transactions (which are instead of swaps). This is how I picture a Babel service working in that case :
In step 3, the service has a choice of whether to cover the collateral of tx1 to increase their chances of another service wanting to validate [tx ; tx1], or cover just their own collateral, or cover no collateral at all. They can also decide how much fees they want to pay. The idea here is that the very minimum requirement is that that when a top-level transaction is sent across Cardano network, it has to have enough collateral. Many other constraints what on non-top-level transactions Babel fee services accept are up to the Babel fee service developers. The complexity here is reduced by making swaps full transactions -
|
Will the list [tx ; tx1] be signed? What is preventing a man-in-the-middle from making changes to the list, or another batcher from just using the transactions separately?
I don't know enough about the ledger to comment on the ledger-related points, but I disagree with the plutus script comment. I think writing smart contracts for either transaction swaps or validation zones would be very easy (it ultimately depends on the new script context), but I would actually prefer if smart contracts always saw the whole transaction because it would enable more use cases. Perhaps I am missing some low-level nuance, but I don't think there is a need to keep ExUnits constant between local execution and full scope execution. AFAIU the point of the ex units is to sign off on how much you are willing to pay in fees for your scripts. But in this context, even without the ex units, I can still sign off on how much I am willing to pay in fees by controlling how many assets are unbalanced in my transaction piece. I am still incentivized not to waste ex units since the babel service is incentivized to fit as many orders in a transaction as possible; they would just omit my order if I use too many ex units. Depending on what the new script context will be, it should be very easy to write a smart contract where the ex units between the local execution and full scope execution vary only slightly. For example, if the smart contract is shown the entire transaction (ie, not just its own piece), the ledger can tell the smart contract being executed which internal transaction it is from (using an index for location in the internal transactions list). Then the smart contract can just focus on that piece. The only variability would be how many steps it takes to get to the required internal transaction. But constant-time lookups would eliminate this variability entirely. Also, the eUTxO model guarantees high assurances for smart contracts being executed locally to have the same result in the full scope. Breaking the transaction into pieces doesn't change this. I think it would be very easy for me to update all of my DApps to execute in a piece and know with 100% certainty that it will have the same result in the full scope context (there would be slight variability in ex units as described above). The only smart contracts that may have a different result are those that actually care about the full transaction. But if they do care about the full transaction, why would you expect the local result to be the same as the full scope result? If this kind of smart contract actually did behave the same, it would be a defective smart contract. Besides, I think this variability is actually fine:
The role token example you mentioned before is just a result of smart contract devs taking a (valid) shortcut based on the assumption that the smart contract will always be executed against a fully balanced transaction. That shortcut obviously can't be used for unbalanced transactions, but it may not even be necessary since the inputs and outputs would be fractured across the top-level transaction and internal transactions. Instead of having to look through an aggregate list of outputs with 20 entries, it can look through both the inputs and outputs from that specific scope. This scope may only have 2 entries in each list. This actually saves ex units despite now looking through both inputs and outputs of a specific scope. Therefore, proper usage of role tokens is actually very easy and cheap to guarantee, even with transaction swaps. |
nothing - this is no different from either zones or swaps. In any of the three designs, transactions can be transmitted in whatever format off-chain, really. Lists is one option to combine them into a single data structure for transmission. Anyone making a block can always build a new top level transaction (or last zone transaction) that contains whatever other swaps/transactions they want. They just have to provide enough collateral for all transactions. Anyone checking a block will (in phase-1 checks) see whether enough collateral has been provided by the top-level tx.
Showing scripts within a swap the full transaction will never be advantageous over running scripts in the full sub-transactions, because if
Note that for swaps, allowing top-level transaction to affect script semantics has the effect that now they are not just the problem of the programmer or the swap-builder. Script semantics become also the problem of the builder of the top-level tx, since they have to either figure out what the script expects from their top-level transaction construction in a (hopefully) automated way, or figure out that the script can never be satisfied by any top-level transaction. |
I don't think this is an insurmountable obstacle. Here are a few options I would personally try:
I think this assertion is too strong. You are effectively arguing there is no use case for logical Blockchain isn't just meant for distributed use cases, it is also meant to minimize how much you need to trust other people. Consider business partners that are jointly protecting some assets using a multisig. Right now, one of the partners needs to create the entire transaction and send it around to all of the other partners to sign. With transaction pieces, it becomes possible to build up the final transaction like a negotiation. Negotiations use logical |
|
Could you provide an example of the use of this Also, could you suggest a usecase in which one would require a script that
|
|
Businesses are not allowed to mix business expenses and personal expenses. Doing so has huge legal consequences. When you are in business with a partner, only one of you needs to mess up to put all parties at risk. Even if you didn't know about your partner's misuse of funds, you will still be held accountable. In the business multisig example using an unbalanced piece, if I sign off on spending the jointly controlled funds and my partner uses his share of the funds for a personal expense in the same transaction, regulators can easily view this as the business paying a personal expense since that is what it looks like on the blockchain. I would then also be held liable for my partner's misuse of funds. It would be better for me to include a smart contract in my piece that will fail unless my partner sends his share of the funds to one of his pre-approved personal addresses (or pre-approved business expenses/donations). If the funds went to my partner's personal address and then he spent the funds from this address in a separate transaction, there would be a verifiable trail that the business paid my partner his salary and then he used his income on whatever he wanted. There is zero ambiguity on whether the funds were misused. This is effectively a negotiation where I agree to release the funds as long as my partner does not use his share of the funds for personal expenses in the same transaction. This eliminates the need for me to have to trust my partner. If I just left my transaction unbalanced (ie, it is missing my partner's share in the outputs), I still have to trust my partner won't use his share for personal expenses in the same transaction. Splitting the transaction into two steps (using validation zones) has the same limitation. In a business setting, I need to be able to put constraints on how the extra funds are used. The funds used for a personal expense cannot come from a business UTxO. Again, I recognize this can be done with a general multisig, but this approach seems more natural and flexible. For example, imagine if I signed the full transaction, but now a change needs to be made for my partner's output. My signature is now invalid since the transaction is completely different; I need to sign the new transaction. If we used pieces instead, only my partner's portion needs to be updated and resigned. My piece is still valid and can already be used with my partner's new portion; he doesn't need to come back to me to approve the change to his output. In other words, the pieces approach makes it easier for businesses to make last minute changes to how funds are spent. I think you are missing the point of my argument, though. Can you definitively say there isn't a single valid use case for logical |
Note here that along with the smart contract that checks this, you you have to include a specification (in some kind of language - maybe just use the Plutus contract itself or maybe something else) of the properties of other swaps that your contract should be compatible with . Then, the aggregator (top level Tx builder) will have to check every swap that comes in to see if it meets this specification of another swap(s) by running the Plutus contracts in every swap that comes in(or check them with whatever other language the specification is written in), rather than getting the full data needed for processing your sub-tx in one shot, and they have to do this for every arbitrary combinations of swaps. This compounds the problem that with swaps, there isn't even the possibility of DDoS protection via collateral, and anyone can get the aggregator to run some code that the sender themselves has never tried executing on relevant input. This scheme also does not reduce communication (since your partner has to send a transaction to you in the case of nested transactions, and the aggregator in the case of swaps). If you yourself are the aggregator (which is likely the cheapest option for dealing with both swaps and nested txs), the two schemes are equivalent. Then, of course, there is the question of fees - they may change depending on other swaps, and that requires either trust or additional communication, such as requiring your partner to commit to paying for more exunits. If you, as the aggregator, are paying for their scripts, you still need their full transaction/swap . |
|
I will make the nested Txs CIP in such a way that you can toggle between your thing being a swap or a full tx. The difference will be whether
|
|
The part you quoted isn't meant to be used in a distributed scenario. There's no aggregator and there are no swaps from strangers in that scenario. It was an example of a non-distributed use case that would benefit from a logical
Centralized services don't need on-chain protection from DDoS. They can use api keys. When a user signs up to use my service, I would give them an api key (this can be hidden from the user so they don't even know they are using one). This approach is better than using IP addresses or specific credentials from the transaction. With api keys, I can easily rate limit the number of pieces they can send to me, and easily punish them if they misbehave (by temporarily blocking more pieces from them). For the scenario where users include their own scripts, I would allow only one (maybe two) restriction per piece. Disallowing a specific script to be executed should cover most use cases and be very cheap to check. If a specific user tries using too many restriction, I can immediately drop their piece and punish them through the api key. The smart contract error message programming language is entirely up to me as the service provider. If there actually is an issue with wasting a lot of energy running bad transactions that get dropped, charging a subscription for the service can easily help cover the cost. Don't forget that what is expensive to a smart contract is dirt cheap to a typical laptop. My business would have a stronger computer than a laptop which means it would take a lot for my servers to feel the wasted transaction validations. Ideally, there would be both a distributed network and centralized service providers. The distributed network can just have the network disallow custom scripts. Meanwhile, if users want to still use custom scripts, they have the choice of using a centralized service provider. I definitely think centralized services can make use of the logical |
Who toggles this? If it must be toggled at the top-level, then the aggregator can maliciously not toggle it. Also, specifying required transactions by name won't work since the point is to have the logical |
it's set by the body of every transaction (top level or not), so that the ledger code will add the units provided by the aggregator if that is what you want (ie set the flag to). this setting will also allow the scripts in your transaction to see all other subTxs instead of only ones you have specified as required so you do not have to receive them in advance of constructing your own transaction, but in case of failure, only top-level tx collateral will be collected |
rphair
added
the
State: Confirmed
|
The new README-nested.md is a first draft of Nested Transactions.
@rphair @Quantumplation @fallen-icarus @WhatisRT There are still a couple of TODO's, and a Haskell prototype (built on the real ledger codebase) will be available shortly. |
|
I'm happy to weigh in on the proposal, but I definitely can't commit to being a coauthor 😅 |
|
This new design makes it possible to define a script which (via conditioning on transactions fixed by Such conditioning can be done in two ways
|
|
After some discussion with @willjgould and @lehins , we have come up with a way for sub-transactions to constrain the batches they are in - batch observers, see the updated README-nested.md. This is very similar to script observers and both can/will? be implemented together , however
It is essentially impossible to run (calculate exUnits, etc.) batch observer scripts unless you are building the top-level tx, so it probably makes sense for off-chain code to give special instructions to the top-level tx builder in some high-level language about how to build it in a way that will satisfy the script (simpler than Plutus). |
| 5. a new intent we call "spend-by-output", wherein a sub-transactions may specify _outputs_ it | ||
| intends to spend, and the top-level transaction specifies the inputs that point | ||
| to those outputs in the UTxO set. This is included as a way to showcase that this | ||
| change to the ledger rules establishes the infrastructure to add additional | ||
| kids of supported intents (see CPS-15). |
There was a problem hiding this comment.
I don't understand what this means. The use of the terms "inputs" and "outputs" is confusing to me. In my vocabulary, "inputs" are UTxOs that a transaction intends to spend while "outputs" are UTxOs that would be created by the transaction. So I don't understand what it means to "specify outputs it intends to spend" or "[specify] the inputs that point to those outputs in the UTxO set". Can you explain what you mean by this?
There was a problem hiding this comment.
My interpretation is that "output" is the contents (address/datum/value), while "input" is the out_ref pointing to a specific output.
- a new intent we call "spend-by-output", wherein a sub-transaction may specify the contents of the outputs it intends to spend, and the top-level transaction specifies the transaction references to those output in the UTxO set
There was a problem hiding this comment.
suppose tx has inputs txin1, txin2 and output o1
also, in the UTxO we have
txin1 |-> o
txin2 |-> o'\
then, we can build tx' that has spendOuts containing o, o' and output o1. A top-level transaction builder can then complete the batch with txTop, with (possibly some inputs), and
corInputs containing txin1, txin2
Then, in some sense, tx and tx'; txTop do a similar thing - remove entries corresponding to txin1, txin2 from the UTxO, and add o, o' to the UTxO. tx' would likely include a payment to whoever builds txTop for their tx-building services.
The reason we are proposing this is that if a light client (LC) is not following the chain, they would be unaware of the txins they would want to spend. If an LC requests a service provider to build a transaction for them that satisfies some specification (e.g. "pay key k the amount x of ada from key k'), the SP should be able to respond in a way that the LC does not use the data in this response to construct a new valid transaction that excludes payment to the SP. Obscuring inputs that SP can supply later makes it so that the transaction is not valid unless it comes with a top-level tx that provides the missing inputs.
There was a problem hiding this comment.
This design answers the question of "how can a user approve payment from their wallet without knowing anything about the chain except what the transaction spending their money is doing with their money"?
| ### Open (atomic) swaps | ||
|
|
||
| A user wants to swap 10 Ada for 5 tokens `myT`. He creates an unbalanced transaction `tx` that | ||
| has extra 10 Ada, but is short 5 `myT`. | ||
| Any counterparty that sees this transaction can create a top-level | ||
| transaction `tx'` that includes `tx` as a sub-transaction. The transaction | ||
| `tx'` would have extra 5 `myT`, and be short 10 Ada. |
There was a problem hiding this comment.
Can you possibly be a bit more explicit with this example? This CIP talks about underspecified transactions, but doesn't really give a user-friendly example of one. I believe this new version has adopted the approach from my Transaction Pieces, right? So it would be accurate to say:
txhas inputs with 10 Ada and an output with 5myT, and is left unbalanced like this.tx'has inputs with 5myTand an output with 10 Ada.- They are submitted together as a balanced batch with
tx'as the top-level transaction.
I think I am biased by the original Validation Zones CIP that had unresolved holes, so I would personally find this example helpful to show there are no unresolved holes in this version.
|
Hey everyone. I didn't have a clear idea on this CIP for a while but recently I'm thinking that it doesn't bring a lot of value especially considering the cost of implementation (impact on the ledger etc...) Most of what validations zone could achieve could instead be achieved leveraging utxo contention. We can have multiple transactions spending different utxos of a contract, but the same utxos of a given user. If someone is worried about contention on the contract, the more utxos the contract can spend (and the user can use in mutually exclusive transactions), the less chance of contention by the contract. This is effectively moving the load from the ledger to the consensus, that in theory should already be able to handle, without hardfork. |
|
BTW, I see and understand how validation zones could turn useful, and I not entirely opposed to it. Just wanted to let you know of potential alternative possibilities |
We propose a set of changes that revolve around validation zones, a construct for allowing certain kinds of underspecified transactions. In particular, for the Babel-fees usecase we discuss here, we allow transactions that specify part of a swap request. A validation zone is a list of transactions such that earlier transactions in the list may be underspecified, while later transactions must complete all partial specifications. In the Babel-fees usecase, the completion of a specification is the fulfillment of a swap request. We discuss how validation zones for the Babel fees usecase can be generalized to a template for addressing a number of use cases from CPS-15.
📄 Rendered Proposal