# Fraud Proof Scrubs Instead of the current challenge period that relies on trusted oracles to scrub, this design allows fraud proofs during a challenge period to prevent the withdrawal credential exploit described in [SCRUB CHECK -WITH CRED] in a trustless manner. ### Design The general flow is similar to what we have now: 1. The node operator initiates a first deposit of 1 ETH to the beacon chain. 2. During a scrub period, a fraud proof can be submitted. 3. a) If no fraud proof is submitted, the remaining 31 ETH can be deposited. b) If a valid fraud proof is submitted, the minipool is scrubbed: ETH is returned to liquid stakers and RPL is slashed and awarded to the person providing the proof. The crucial difference in Step 2 is that fraud (frontrunning the deposit to set different withdrawall credentials) is verified on-chain and does not rely on trusted oracles. Instead, a verifiable proof can be submitted by anyone. To achieve this, we use the Deposit Root of the Incremental Merkle Tree maintained by the [Solidity Deposit Contract](https://github.com/ethereum/consensus-specs/blob/v1.2.0/solidity_deposit_contract/deposit_contract.sol) as a source of truth for all deposits that happened before, by storing it in Step 1. Each deposit to the deposit contract adds a `DepositData` object to a incremental Merkel Tree that contains: - `pubkey` of the validator the deposit is for - `withdrawal_credentials` of the validator - deposit `amount` - BLS12-381 `signature` of the validator However this signature [is not verified by the deposit contract](https://github.com/ethereum/consensus-specs/blob/v1.2.0/specs/phase0/deposit-contract.md#depositevent-log). If someone is attempting the withdrawal credential exploit, then the Deposit Root at time of first deposit must contain a leaf with the same pubkey as the minipool and a valid signature. Conversely, if it is not possible to proof existence of such a leave, then the deposit executed by the Rocket Pool smart contracts is guaranteed to be the first valid deposit for this pubkey and the withdrawal credentials will be set correctly. Verifying the signature as part of the fraud proof is necessary to prevent griefing of node operators: Anyone can deposit 1 ETH for a given pubkey together with a made up signature. Such a deposit would be rejected by the beacon chain because of the invalid signature, but it would be part of the deposit data merkle tree. So in a fraud proof system without signature verification, an attacker could frontrun a deposit with an invalid signature and scrub a legitimate minipool. ### Implementation Complexity Ideally, there would be multiple implementations of a "watchtower" software that allows anyone to run scrub checks and submit fraud proofs. The smartnode already implements a check of the Deposit Merkle Tree including signature verification as part of the oDAO scrub duty. Generating the merkle tree proof is comparable to the process for claiming rewards under the merkle rewards system. As explained above, the smart contracts have to implement signature verification. [EIP 2537](https://eips.ethereum.org/EIPS/eip-2537) is [considered for inclusion for Cancun](https://github.com/ethereum/execution-specs/blob/master/network-upgrades/mainnet-upgrades/cancun.md#eips-considered-for-inclusion) and would introduce new opcodes that make that straight forward, see for example this [Deposit Verifier](https://github.com/ralexstokes/deposit-verifier/blob/master/deposit_verifier.sol). Even without EIP 2537, it should be possible to implement the necessary operations ([Map to Field](https://hackmd.io/@benjaminion/bls12-381#Hashing-to-the-curve) and the [Pairing](https://hackmd.io/@benjaminion/bls12-381#Final-exponentiation)). This would add significant implementation complexity and result in higher gas cost of signature verification. But it would only be necessary when a fraud proof is submitted and the gas cost would be covered by the penalty taken from the scrubbed minipool. ### Security Considerations Just like [Verifiable Off-Chain Calculations], this is a form of optimistic fraud proofs and requires at least one honest participant. The risks outlined in [Optimistic Fraud Proofs - Security] apply and the RPL award for the proof provider serves as protection. It is worth pointing out that the current oDAO scrub system has similar weaknesses: It requires not only one but at least 51% honest participants and censorship and DoS during the 12 hour period are a risk.
Last changed by  
knoshua.eth
138

Read more

RPIP-49 Thoughts

If there is a node operator queue, base validators SHALL be given priority over satellite validators

4/3/2024
Fraud Proof Challenge Period

Fraud Proofs have been suggested as a potential alternative for multiple oDAO duties. This section explores the security of optimistic fraud proofs and how it relates to the challenge period and other variables. The challenge period aims to protect against censorship attacks. The first type of censorship to consider is on the block builder level: An attacker can attempt to get builders to exclude the fraud proof transaction from their blocks. If they succeed for every block in the challenge period the fraud goes unreported. One could imagine an attacker using MEV boost relays for something like this, but then a single validator building a block locally during the challenge window could thwart the attack. The second type of censorship requires collusion with a majority of all validators. These validators would not only exclude the fraud proof, but would also fork out blocks from other validators that include it. This attack would require a high level of coordination since forking requires direct intervention of participants, but would be resilient against individuals building locally. Besides the high level of difficulty of both attacks, Ethereum is inherently censorship resilient: censorship creates a DoS vector that could cost validators priority fees while it lasts. It is also possible to detect forking censorship and the challenge period could increase when it is likely. Nevertheless, I believe it is possible to make censorship attacks crypto-economically not viable. These are the variables to consider in this context: The cost to exclude a transaction scales with the reward a challenger would receive for a successful fraud proof, because it determines the priority fee a challenger can pay for inclusion. The payment for censorship needs to make up for that lost reward. The cost also scales with the length of the challenge period or the number of blocks. Under block level censorship, the attacker needs to pay the reward every block, under forking censorship only for 51% of blocks.

5/25/2023
MEV Proofs

This section looks at the potential of proving MEV stealing with the help of the beacon block root proposed in EIP4788. A relatively straight-forward approach would be to use merkle proofs against the beacon root to objectively determine when a node operator has stolen MEV according to some rule set and apply a penalty accordingly. However there are some challenges around what data the beacon root gives us access to and some limitations for what rules can be verified. State Proofs The beacon block root would give access to: The proposer_index contained in the BeaconBlock itself validators in BeaconState linking indices to pubkey and withdrawal_credentials fee_recipient, transactions, and state_root contained in the ExecutionPayload in BeaconBlockBody So unfortunately, a pure state proof approach doesn't appear to be possible with the beacon root alone. For example it would be possible to prove that:

5/25/2023
Chronos

Immunefi Bug Bounty Impacts in scope look reasonable. Pays out $100k - $30k for critical findings, $15k for high, and $5k for medium. Payout are in their native token and vesting: All the rewards given will have a vesting schedule of 2 months, managed by a smart contract. This seems pretty annoying for whitehats and benefit to the protocol is unclear to me. Multisig There is a 5/8 multisig consisting of 4 team members and 4 people from the ecosystem (Byte Masons, Sphere Finance, Deus DAO, Equalizer). It appears that the entire team and 3 of 4 ecosystem members are anon. I could only find information about Blake Hooper, founder of Equalizer.

5/6/2023
Read more from knoshua.eth
Published on HackMD