Try   HackMD

[WIP] Guardian

What can the Guardian do in Bootstrap Mode?

Explicit: RocketDAONodeTrusted.sol

Explicit: RocketDAOProtocol.sol

  • can change pDAO settings
  • can change distribution of RPL inflation rewards
  • can spend pDAO RPL funds
  • can disable bootstrap mode

Explicit: RocketMinipoolPenalty.sol

After the merge, priority fees will go to the validator that proposed the block. The validator will be able to configure the "coinbase"/ fee recipient as the address where these rewards go to. Rocket Pool has no way to enforce that the fee recipient is set to a smart contract that ensures fair sharing with rETH. Therefore, the protocol includes a penalty function that can be used to impose penalties on ETH for node operators that do not share priority fees fairly.

The penalty is applied after a minipool has been exited and the balance is distributed. It's defined as a percentage and is limited to the maximum penalty rate. The guardian can set the maximum penalty rate and maintains this ability after bootstrap mode is disabled.

The penalty rate for a minipool can be set by any network contract. There currently aren't any network contracts that use this method. The penalized amount goes to rETH directly during the distribution process.

Implicit: Penalize Minipools

Since the guardian is able to add new network contracts, they are also able to add a contract that gives the guardian the ability to set the penalty rate for any minipool.

This is just one example of how the ability to change or add contracts can add new functionality to the guardian role.

Implicit: Take over oDAO duties

Since the guardian is able to add new oDAO members, they can add oDAO nodes until they control a majority and effectively gain all the oDAO privileges:

  • can remove oDAO members
  • can set minipools as withdrawable
  • can set network balances (total ETH balance, staking ETH balance, total rETH supply)
  • can set RPL price and effective RPL staked
  • scrub minipools
Last changed by 
knoshua.eth
0
102

Read more

RPIP-49 Thoughts

If there is a node operator queue, base validators SHALL be given priority over satellite validators

Apr 3, 2024
Fraud Proof Challenge Period

Fraud Proofs have been suggested as a potential alternative for multiple oDAO duties. This section explores the security of optimistic fraud proofs and how it relates to the challenge period and other variables. The challenge period aims to protect against censorship attacks. The first type of censorship to consider is on the block builder level: An attacker can attempt to get builders to exclude the fraud proof transaction from their blocks. If they succeed for every block in the challenge period the fraud goes unreported. One could imagine an attacker using MEV boost relays for something like this, but then a single validator building a block locally during the challenge window could thwart the attack. The second type of censorship requires collusion with a majority of all validators. These validators would not only exclude the fraud proof, but would also fork out blocks from other validators that include it. This attack would require a high level of coordination since forking requires direct intervention of participants, but would be resilient against individuals building locally. Besides the high level of difficulty of both attacks, Ethereum is inherently censorship resilient: censorship creates a DoS vector that could cost validators priority fees while it lasts. It is also possible to detect forking censorship and the challenge period could increase when it is likely. Nevertheless, I believe it is possible to make censorship attacks crypto-economically not viable. These are the variables to consider in this context: The cost to exclude a transaction scales with the reward a challenger would receive for a successful fraud proof, because it determines the priority fee a challenger can pay for inclusion. The payment for censorship needs to make up for that lost reward. The cost also scales with the length of the challenge period or the number of blocks. Under block level censorship, the attacker needs to pay the reward every block, under forking censorship only for 51% of blocks.

May 25, 2023
MEV Proofs

This section looks at the potential of proving MEV stealing with the help of the beacon block root proposed in EIP4788. A relatively straight-forward approach would be to use merkle proofs against the beacon root to objectively determine when a node operator has stolen MEV according to some rule set and apply a penalty accordingly. However there are some challenges around what data the beacon root gives us access to and some limitations for what rules can be verified. State Proofs The beacon block root would give access to: The proposer_index contained in the BeaconBlock itself validators in BeaconState linking indices to pubkey and withdrawal_credentials fee_recipient, transactions, and state_root contained in the ExecutionPayload in BeaconBlockBody So unfortunately, a pure state proof approach doesn't appear to be possible with the beacon root alone. For example it would be possible to prove that:

May 25, 2023
Fraud Proof Scrubs

Instead of the current challenge period that relies on trusted oracles to scrub, this design allows fraud proofs during a challenge period to prevent the withdrawal credential exploit described in [SCRUB CHECK -WITH CRED] in a trustless manner. Design The general flow is similar to what we have now: The node operator initiates a first deposit of 1 ETH to the beacon chain. During a scrub period, a fraud proof can be submitted. a) If no fraud proof is submitted, the remaining 31 ETH can be deposited. b) If a valid fraud proof is submitted, the minipool is scrubbed: ETH is returned to liquid stakers and RPL is slashed and awarded to the person providing the proof.

May 24, 2023
Read more from knoshua.eth
Published on HackMD