"Magic abort transaction" mechanism to disable activation of a network upgrade

[daira]

This is an idea proposed by @tromer (originally for Sapling, but note that the Sapling spec is frozen), to allow activation of a pending Network Upgrade to be aborted by use of a "magic transaction" mined before the activation would have occurred. Related to #3040, #3270, and #3311.

One way to do this is to have a hard-coded UTXO that disables activation if it is spent in a block before the activation height. For this particular mechanism, I can think of the following advantages and disadvantages:

Advantages

• The UTXO can be held by a multisig address, thus allowing multi-factor control of keys with little additional code complexity. Similarly, the keys can be held by hardware wallets.
• It's a simple mechanism that is easy to describe, precisely specify, and test.
• This is an "on-chain" (non)activation signal so it avoids potential ambiguity due to some nodes receiving an alert and others not.

Disadvantages

• It relies on the magic transaction being mined, so if there were a coalition of miners who wanted to exploit a vuln then they could potentially censor it (this seems unlikely to succeed to me under normal circumstances, but should be considered especially in the context of vulns that affect mining or that DoS the network).
• It isn't clear right up until the activation height whether the activation will occur. This could be mitigated by only paying attention to whether the magic UTXO has been spent by a "lock-in height" N blocks before the activation height (where N > 100, so rollbacks can't affect whether activation occurs).
• Arguably, having validation below the UTXO layer be dependent on UTXO handling is a layering violation.
• It exerts centralized control over whether an upgrade goes ahead
  • counterargument: not much more than it is already centralized. This argument could be stronger if and when there are multiple implementations.