QGB ADR-005 Reducing QGB module state usage #657
Conversation
rach-id
added
documentation
docs/architecture/ADR-005-QGB_posting_confirms_in_reserved_namespace.md
Outdated
Show resolved
Hide resolved
docs/architecture/ADR-005-QGB_posting_confirms_in_reserved_namespace.md
Outdated
Show resolved
Hide resolved
| ### Keep the existing design | ||
|
|
||
| Keeping the current design would entail using the state extensively. | ||
| This proves bad when the state grows after a few hundred attestations, and performing checks on the `Valset Confirms` and `DataCommitment Confirms` becomes so expensive. |
There was a problem hiding this comment.
[nit]
| This proves bad when the state grows after a few hundred attestations, and performing checks on the `Valset Confirms` and `DataCommitment Confirms` becomes so expensive. | |
| This proves bad when the state grows after a few hundred attestations, and performing checks on the `Valset Confirms` and `DataCommitment Confirms` becomes too expensive. |
I remember hearing that this state is bounded by some fixed upper limit. Is it worth explaining that limit here?
There was a problem hiding this comment.
check now please, added a sentence explaining that.
docs/architecture/ADR-005-QGB_posting_confirms_in_reserved_namespace.md
Outdated
Show resolved
Hide resolved
docs/architecture/ADR-005-QGB_posting_confirms_in_reserved_namespace.md
Outdated
Show resolved
Hide resolved
docs/architecture/ADR-005-QGB_posting_confirms_in_reserved_namespace.md
Outdated
Show resolved
Hide resolved
|
|
||
| ### Negative | ||
|
|
||
| - Reducing the checks applied on the confirms: everyone will be able to post commitments, and we will have no way to sanitize them before adding them to a block. This would add an extra overhead for the relayer to choose the right commitments. However, it is alright, since we will not have a lot of Also, we will need to decide if this will be relayers, and we can give them enough computation power to compensate the overhead. |
There was a problem hiding this comment.
However, it is alright, since we will not have a lot
the rest of this sentence got lost
docs/architecture/ADR-005-QGB_posting_confirms_in_reserved_namespace.md
Outdated
Show resolved
Hide resolved
docs/architecture/ADR-005-QGB_posting_confirms_in_reserved_namespace.md
Outdated
Show resolved
Hide resolved
docs/architecture/ADR-005-QGB_posting_confirms_in_reserved_namespace.md
Outdated
Show resolved
Hide resolved
…espace.md Co-authored-by: Rootul Patel <rootulp@gmail.com>
…espace.md Co-authored-by: Rootul Patel <rootulp@gmail.com>
Co-authored-by: Rootul Patel <rootulp@gmail.com>
|
|
||
| ## Context | ||
|
|
||
| Currently, the QGB is using the state to save all the attestations and confirms it needs. |
There was a problem hiding this comment.
the state
[optional] it may help non-familiar readers (i.e. me) to clarify what this state is. Is it specifically state stored within the QGB module which would end up bloating the celestia-app state?
There was a problem hiding this comment.
just to note some things @sweexordious and I discussed synchronously:
- For any new more stateless approach, we need to first have a plausible-potentially-hand-wavy form of slashing. As already mentioned, deciding on when we actually want this formal mechanism for slashing is also important.
- A more stateless approach could be as simple as keeping identical transaction types, but not storing the confirmations in the state! We'd still have the valset/data commitment requests be handled and stored by the state machine, and the mapping between validators and their orchestrator keys, but the rest would simply be charged gas fees and be stored in block data. Relayers and orchestrators can then reconstruct a local copy of the state using the block data.
- One hand-wavy-potentially-viable formal slashing mechanism could involve some sort of commit-reveal scheme, where anyone can post a bond and claim that a validator should be slashed for a specific violation. It is then up to any other honest participant to refute that claim. If successful, then they get the bond. This would likely require other additional data be kept in state, but that's still to be investigated. As mentioned, it might be easier to implement fraud proofs (or tendermint like evidence)
note to selves: specifying a formal mechanism for slashing is a perfect thing to do at the onsite.
|
|
||
| - Reduce significantly the gas fees paid by orchestrators. | ||
| - Reduce significantly the use of Celestia state. | ||
| - Keep the whole QGB confirms history via using block data, instead of being forced to delete it after the unbonding period to not end up with a super gigantic state. This would allow any QGB contract to have the whole history on any EVM chain. |
There was a problem hiding this comment.
Keep the whole QGB confirms history via using block data
not sure if this bullet point makes it clear that the old approach was also not deleting the transactions from previous blocks, so it technically could also do the same thing. The relayer design I think is what enables this
docs/architecture/ADR-005-QGB_posting_confirms_in_reserved_namespace.md
Outdated
Show resolved
Hide resolved
| ## Context | ||
|
|
||
| Currently, the QGB is using the state to save all the attestations and confirms it needs. | ||
| We propose to post `Valset Confirms` and `DataCommitment Confirms` in a reserved namespace instead of adding them to the state to achieve the following: |
There was a problem hiding this comment.
Are we still planning on sticking the confirms in their own namespace? if not, I think we can update this to reflect that we're planning on simply posting them in the txs namespace instead of in their own.
| ### Keep the existing design | ||
|
|
||
| Keeping the current design would entail using the state extensively. | ||
| This proves bad when the state grows after a few hundred attestations, and performing checks on the `Valset Confirms` and `DataCommitment Confirms` becomes too expensive. |
There was a problem hiding this comment.
not 100% sure state growth is the correct term here since the querying mechanism ended up being the culprit for the gas leak.
Also, we were planning on deleting the state after so long, so the state in theory would be constant
docs/architecture/ADR-005-QGB_posting_confirms_in_reserved_namespace.md
Outdated
Show resolved
Hide resolved
|
This also will need to be addressed in this ADR: #613 (comment) |
rach-id
changed the title
|
|
||
| For the orchestrators, they will also need to parse the history to keep track of any missed signatures. But, same as with the relayers, the cost is justified. | ||
|
|
||
| For posting transactions, we will rely on gas fees as a mechanism to limit malicious parties to flood the network with invalid transactions. Then, eventually slash malicious behavious. However, since posting confirms will be possible for any user of the network. It won't be possible to slash ordinary users, who are not running validators, if they post invalid confirms. |
There was a problem hiding this comment.
[no change needed]
If we assume that the QGB data (i.e. Valset Confirms and DataCommitment Confirms) is stored in a non-reserved namespace, I think the problem stated above == https://forum.celestia.org/t/woods-attack-on-celestia/59
If the QGB data is only stored in transaction data and this document proposed adding new transaction types (distinct from MsgPayForData), I think we need a follow-up issue to discuss the metering (i.e. gas accounting) for these new message types.
There was a problem hiding this comment.
If we assume that the QGB data (i.e. Valset Confirms and DataCommitment Confirms) is stored in a non-reserved namespace, I think the problem stated above == https://forum.celestia.org/t/woods-attack-on-celestia/59
We are no longer posting in confirms in namespaces, so woods attack is not relevant, if I understand right.
If the QGB data is only stored in transaction data and this document proposed adding new transaction types (distinct from MsgPayForData), I think we need a follow-up issue to discuss the metering (i.e. gas accounting) for these new message types.
No need for a new message type, we already have them defined and used. And the gas usage will be minimal since there will be no read/write in state.
Co-authored-by: Rootul Patel <rootulp@gmail.com>
There was a problem hiding this comment.
Nice!! excited about this change.
I don't think its necessary at all, since this ADR is focused on the state machine, but after we flesh out the implementation for the orchestrator and relayer, we might want to add a few more details into how that's done. Very optional in my opinion tho, as this serves the purpose of documenting the decision.
Closing #656