Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow loading a list of relays from an API #136

Closed
Tracked by #95
metachris opened this issue Jun 1, 2022 · 6 comments
Closed
Tracked by #95

Allow loading a list of relays from an API #136

metachris opened this issue Jun 1, 2022 · 6 comments
Labels
brainstorming Currently in discussion enhancement New feature or request

Comments

@metachris
Copy link
Collaborator

mev-boost should have the ability to load a list of relays from an URL. This allows updating the used relays without needing to update the CL clients / mev-boost service.

  • This list should be continuously updated by mev-boost
  • It should be possible to supply multiple URLs
  • If the URLs fail to load on startup, hardcoded relays are used as a fallback and in the background mev-boost retries loading relays from URLs
@metachris metachris mentioned this issue Jun 5, 2022
Closed
7 tasks
@ralexstokes
Copy link
Collaborator

ralexstokes commented Jun 7, 2022
edited
Loading

just pointing out that this is a classic "security vs convenience" trade-off.

if we assume a "battle-hardened" validation setup then not only does the operator have to open IP access to the relays but also to this "relay provider" and the relay provider must take a lot of care to not be compromised.

the "low-hanging fruit" class of damage that could be done by compromise of an endpoint like this issue suggests is pretty minimal although I can see how it could be exploited for a liveness fault (esp. if I found a zero-day in the local builder fallback pipeline) -- im sure we can think of increasingly damaging attacks if we spend more time on it

@ralexstokes
Copy link
Collaborator

its also worth considering other discovery mechanisms beyond a registry provided by a direct API.

I know at least ethereum and bitcoin have DNS-based discovery modes (if someone goes down this road, look into authenticating the DNS records a la DNSSEC) and in the limit we could even bake our own discovery layer on top of discv5.

@metachris
Copy link
Collaborator Author

Thanks for the input Alex 🙏 Let's discuss and evaluate this further.

This feature is particularly relevant for parties that manage a large amount of validators, where reconfiguring and restarting mev-boost manually across a large number of nodes is cumbersome.

The best setup to use this feature seems a statically hosted JSON on multiple providers (rather than a dynamic API/service).

@metachris metachris added enhancement New feature or request brainstorming Currently in discussion labels Jun 25, 2022
@ralexstokes
Copy link
Collaborator

yeah I think re-loading a local file is much easier to secure than making arbitrary network requests :)

@metachris
Copy link
Collaborator Author

There has not been much interest in loading a remote list, so let's start with the local config and see if the need arises to allow loading it from an API as well.

@metachris
Copy link
Collaborator Author

For reference, this could also be solved by a local script that queries the API, or a smart contract, and writes the local config file.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
brainstorming Currently in discussion enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@metachris @ralexstokes