# Handling Storage, Bandwidth and Eclipse Attacks *Thanks to @pfh, @adityapk, @sds and @kc for conversations that contributed to this design* Farcaster Hubs promise to store [~20,000 messages](https://hackmd.io/@farcasterxyz/BJj3zuVVj) for every fid perpetually. Registering an fid has a one-time gas cost, but hubs must pay ongoing cloud storage and bandwidth costs. A tragedy of the commons ensures since users have no incentive to minimize data transfer or clean up unused data, increasing the burden for hub operators. Our goal is to allocate limited storage and bandwidth between users to maximize network value. Our constraints are that Hubs must fit into a single cloud instance (< 64 TB) and we must support at least 10M users. We also believe that: 1. **Increasing costs may align incentives**. While a one-time gas fee prevents rampant abuse, a recurring fee would result in useless data being flushed more often. 2. **Storage demand could exceed supply**. Dynamic pricing or first-come first serve allocation will be needed to enforce the 64 TB limit. 3. **Premature optimizaton should be avoided**. Charging too much, adding complexity or delaying launch may make the solution worse than the problem. 4. **Network costs are also a problem**. Network throughput also places an economic burden on hubs, and a separate design is needed to handle that. ## Allocating Bandwidth A user sends messages to a hub, which in turn broadcasts it to all its peers, which then repeat the process. On average users send out 1,200 messages a year which is easy to handle. But an errant script written by a developer may accidentally send thousands of messages in a second, which can clog the network or take it down entirely. This is likely to be a problem very soon after hubs are launched. We assume that at 10M users we are producing about 400 messages/ssecond on average, and may burst up to 40,000 messages/s during peak times. More research and benchmarking is needed to see what our current system is capable of handling. Flooding can be preventing by imposing rate limits at three different layers: 1. Client API's - to prevent a single client from breaking the rules 2. Sending Layer - to prevent clients in aggregate from break the rules 3. Receiving Layer - to protect against malicious hubs that ignore the rules The most efficient way to protect the network is to prevent flooding from affect any hubs by blocking at the client API's. But this may not be possible in all cases and a more defense in depth implementation may be needed. There are three types of rate limits that can be imposed: - **Per Hub Limits** — a hub will only receive N messages in a duration D from each peer. violations are met with a temporary mute leading to an eventual disconnect. a corresponding sending limit can be implemented to prevent hubs from accidentally triggering this. - **Per User Limits** — a hub will only receive N messages in a duration D per user after which they are ignored for a period. repeat violations are met with exponentially longer ignore periods. - **Timestamp Limits** — a hub will only accept N messages in timestamp-duration T per user. this limit is based on the user reported timestamp and not the produced timestamp. additional messages will result in earlier messages in that period being dropped. this is a consensus layer change that is more complicated to implement but may have benefits when it comes to speeding up eventual consistency. There are a few things to consider when implementing such rate limits: - Rotating signers may cause a large volume of messages to be issued triggering rate limits - Rate limits can delay eventual consistency even further and trigger more out-of-band syncs - Rate limits make state less deterministic making it harder to determine eclipse attacks ### Recommendation Implement per hub sending and receiving rate limits to prevent accidental flooding during phase 4. Re-evaluate other strategies as problems emerge. ## Allocating Storage Over five years, a user who spends $2 in gas fees can make hubs spend $10 in storage costs. The calculation is based on current gas prices and a target of 100 hubs: ``` registration = ~60,000 gas , ~$2.00 at today's prices storing 20mb = 0.02c / year * 100 hubs = $2/year ``` This math is based on some assumptions that may change: - Today's gas prices are used, but future costs could be 100x higher. - Hub network size is set to 100, but it could be 10x higher. - Message size is set to 1KB, but it may grow as we add features. - Storage costs are kept static but will reduce marginally over time. We can introduce a system to help hubs scale by adding a new contract called the Farcaster Storage Registry. The registry defines a yearly rent for a unit of storage and a total number of units available for rent. Users can store 200 messages with an fid, and may rent more storage by paying a fee to this contract. Hubs listen for events and update the allocated storage accordingly. The yearly rent has a base price which increases as the number of available slots decreases, ensuring that the network does not get overwhelmed. Such a system can be implemented at any point in the future, without affecting the design or decentralization of existing contracts. Fees collected through the system can be sent to a protocol treasury. It is unlikely that such fees can be passed directly to hubs in a fair manner, but they can indirectly help hubs by incentivizing the development of more efficient hub software. ### Recommendation We propose making no immediate change and allowing users to store up to 20k messages today. Improvements described above can be made at a later date as usage of the network begins to place a load on hubs. This should be revisited before open-access launch on mainnet. ## Preventing Eclipse Attacks A sophisticated attacker can spin up thousands of hubs and “eclipse” a user by refusing to sync their messages. Legitimate hubs that peer with the attacker’s hubs will behave the same way, disappearing the user from the network. It's desirable to quickly eliminate bad actors from the network by detecting such behavior and dropping them as peers. We have a few tools available at our disposal: - **Home Hubs** — a contract can let fids register a hub url where they upload content. a hub suspecting a peer of eclisping the user can compare the state of the user on the home hub and on the peer and make a decision. - **State Comparison** — a hub can check peers periodically by requesting the merkle root for a range of historical data and punishing peers who have fewer messages than expected by disconnecting from them. More research is required to come up with a peering system that will be robust enough to identify and detect bad users quickly. ### Recommendation We expect there to be little incentive to attack the network early on and want to avoid premature optimization. However, when developing our syncing system we should do it in a way that allows data sampling and state comparison in a deterministic manner. ## Appendix * [KC's Response](https://gist.github.com/kcchu/88c7220f4c9f90de33fb8479d5f0610d)
Last changed by  
Farcaster
A sufficiently decentralized social network
795

Read more

A Turing Complete Social Protocol

Farcaster and Bitcoin are very different networks but share a parochial approach to problem-solving. Bitcoin lets users store and move money without a trusted third party, while Farcaster does the same for text. Describing Farcaster as a decentralized, public, and text-centric social network would be accurate. Many apps have a "twitter-like" feel, with a text feed generated from a set of "follow" relationships. Developers are starting to push the limits of the current design, with apps focussed on image and video sharing, physical presence, and on-chain ownership. People want Farcaster to act more like Ethereum and less like Bitcoin, allowing more degrees of freedom and creativity. Could Farcaster become a "Turing-complete" protocol allowing different social networks to be built? Or is a unique architecture needed for each? Achieving Completeness Farcaster already has essential building blocks like decentralized identity, text storage, and graph relationships. But building diverse networks like Facebook, LinkedIn, YouTube, or Whatsapp requires a few more elements: Flexible schemas so that devs can introduce new content and metadata types without a protocol upgrade (e.g., polls) Context separation so that users can keep identities, graphs, and data segregated across networks. Long-term storage so that users don't have to discard older data which is valuable on some networks.

4/28/2023
Account Linking

Problem Using a new app may may require an on-chain transaction. For example, signing up for Farcaster requires making a transaction to the Registry to get an fid. Using your primary wallet to make this transaction may be impractical for a few reasons: Your wallet is on your ledger, at home Your wallet is on your desktop, and you’re on your phone Your wallet is available, but you’re having trouble connecting You don’t trust this app, and would prefer not to have it come close to your wallet Solution The app creates a new wallet, uses a paymaster to cover the transaction costs and can charge you in fiat if necessary. The problem is that you now have a wallet for each new app and remembering the recovery phrases is impractical.

4/25/2023
What’s next for Farcaster? (Apr 23)

With the launch of Hubs now in its final phases, we wanted to recalibrate our priorities as a community. This document is a draft of some goals, problems and a few early solutions and we’re looking for input from casters. Goals Increase the number of people creating useful content on Farcaster. Increase the number of developers building on Farcaster. Achieve credible neutrality. Make money to keep funding protocol development. Stack-Ranked Problems Make sure that Hubs are working as expected

4/13/2023
Farcaster Wallets

Users sign up for Farcaster by registering an fid using an Ethereum wallet. Apps can be authorized to act on the user's behalf by providing them with a signature from this wallet. Apps & Wallets The default line of thinking is that users should use general-purpose wallets to register, and apps can get signatures via WalletConnect. This is convenient for users who have a wallet and for app devs who don't want to deal with the headache of building a wallet. But in practice, the user experience is bad enough to hinder Farcaster’s adoption. In particular: Users without a wallet must set one up first before using Farcaster. Signing messages is confusing and intimidating to the average user. Wallet Connect does not always reliably establish connections.

4/3/2023
Read more from Farcaster
Published on HackMD