-
Notifications
You must be signed in to change notification settings - Fork 191
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Salad in Enigma blockchain #102
Comments
Cross-posting from Slack: I thought about the randomness issue again, and it MIGHT be secure for Salad (and might not be - I just can't think of an attack), but I'm fairly convinced it's not secure for things like gaming, auctions, etc.. |
@guyz Wouldn't This allow a user to manipulate the randomness so that |
Data flow for Salad so we can surface some questions:
|
Capturing conversation on slack: Background: Salad mixer contract requires a participation quorum and elapsed_time (# of blocks) to execute the mix. Every time t, the contract is expected to try the mix assuming the participation quorum is met. If it's not, at t= 2t the contract will try to mix again. Currently Salad contract cannot initiate the mix unless it's been triggered by another party external to the contract (can be users or an operator model). The external contract needs to provide a time input. Since we cannot reliably tell the block height inside the secret contract, Salad may be gamed if it's allowed to be called by any network participant. There are two ways around this issue:
Operator model: Crypto-economic incentives:
The problem with the crypto economic modei is that it's complex and requires participation from the network. We know that TCRs at times failed to achieve expected behavior even though there were economic incentives baked into the model The advantage of this model is that it can be done in a completely decentralized and censorship free manner. One option can be to start with the operator model and then see if it creates any problems for Salad before investing in the complexity. However it's worth noting that there'll be applications that won't be able to use a centralized operator for time measurements such as Dead Man Switch cc @reuvenpo |
I see a few issues with the model as you propose it. I will number them only so it's easier for you to reference them later:
|
Based on our discussion today regarding issue #201 , do we have other limitations besides the time for the mix? If we can't tell how much the user is sending to the mixing contract, then we may want to make sure that secret contract takes only a single mix amount such as 10, 100 or 1000 SCRT etc. Since the SGX can verify the message_sender, we can make sure that if there are 10 addresses required to trigger a mix, we will be able to accurately verify the number of addresses and make sure that the quorum is achieved without requiring an operator. Is this accurate @reuvenpo |
We still need to verify that the user can afford that constant amount. I'm not sure how we can do that trivially. |
I was thinking that we can force payment on the contract level and if I have insufficient funds, my transaction is invalid. In this case I shouldn't be able to submit my encrypted recipient address to the mixer contract. Am I missing something? We can also look to add a deposit contract if that helps |
You always gotta look at things from the enclave's perspective. If there's a mix that you want to anonymize, then locally (using a modded host/node) you can replay one participant's transaction, and then forge the rest of the transactions in the mix without spending a penny. We might be able to mitigate this by using the message chaining trick that i mentioned when talking about voting. That way we can rely on the consensus layer outside the enclave to ensure that only the contract owner can lock the mix, preventing malicious replays (by anyone except the contract owner) |
This issue links to issue #27
The text was updated successfully, but these errors were encountered: