Ethereum needs to bear the consequences of merging multiple clients

The way to God 2022-04-06 03:35:31 阅读数:176

ethereum needs bear consequences merging

Reprint the original link :

Considering safety and mobility ,Etherum Multi client structure is selected . In order to encourage the pledgor to set up diversified , Higher penalties for related failures . therefore , Only a small number of customers will lose the appropriate amount of the pledge , However, the operation of multiple clients may lead to overall loss . therefore , The responsible pledgor should pay attention to the client environment , Choose an unpopular client .
Why do you need multiple clients ?
Why is the structure of a single client system more controversial . Developing multiple clients will incur considerable costs , That's why we don't see other blockchain networks seriously pursuing multiple client options .
that , Why? etherum The goal is to become multiple clients ? The client is a very complex piece of code , May include errors . The worst is the so-called consensus error , That is, the error in the blockchain core state transition logic . A frequently cited example is the so-called infinite money supply loophole . In this loophole , Vulnerable customers accept printing any number of Ethernet transactions . If someone finds such a loophole , But it was not stopped before reaching the exit ( That is, funds used through mixers or exchanges ), This will lead to ether The value of has collapsed .
If everyone runs the same client , Stopping requires manual intervention , Because all smart contracts and exchanges will run as usual . Even a few minutes is enough for a successful attack , And completely diversify the funds , So it can not only return to the attacker's transaction . According to the printed ETH Number , The community can coordinate the chain back to using vulnerabilities ( After identifying and fixing errors ).
Now? , Let's see what happens when we have multiple customers . There are two possibilities :
1. Vulnerable clients account for less than... Of the pledge share 50%. The client will generate the block with the wrong transaction , Print ETH, Let's call it A chain .
However , Because of ineffectiveness ( Print ETH Invalid operation ), The pledge of most trouble free clients will be ignored . They will build a spare chain B, Not including invalid blocks .
Because most of the right clients ,B The chain will accumulate more evidence . therefore , Even problematic clients will report to B Chain voting ; therefore , chain B Will accumulate 100% Vote for , chain A Will die . The chain will continue , Like mistakes never happen .
2. Most Pledged Shares use problematic clients . under these circumstances , chain a Will accumulate a majority of the votes . However , because B Have less than 50% All certificates , Illegal clients will never see the slave chain a To the chain B Transformation . therefore , We'll see the chain split .
situation 1 It's the ideal situation . Because this may lead to an isolated block , Most users won't even notice it . Developers can debug the client , Fix errors , Everything is fine . contrary , Case study 2 Obviously not so ideal . But it's still better than just one customer —— Most people will soon find that the chain splits ( You can automatically complete multiple customers ), The exchange will quickly suspend deposits , Users can be careful when splitting solutions . Basically , It still provides us with a flashing red warning light , To avoid the worst .
If the wrong client pledge exceeds 2/3, Things will get worse . under these circumstances , It will eventually determine the invalid chain . This will be covered in more detail later .
Some people think that chain splitting is so disastrous , So that it itself is an argument about the structure of a single client system . But please pay attention to , The chain split is only due to a client error . For the client , If you want to fix the problem and return to the original state , You have to go back to the block before the error occurred —— It's as bad as chain splitting ! therefore , Although chain splitting sounds bad , But it's actually a function , Not a mistake . At least you can see some serious problems .
Motivate customer diversity : Anti related penalties .
If the pledge is spread across multiple clients , At best, each client is less than one-third of the total pledge , This is obviously good for the network . This will make it resilient to any errors on a single client . But why should the pledgor care about it ? If the network has no incentives , They are less likely to bear the cost of switching to a few clients .
Unfortunately , We can't let the reward depend directly on the client running the verifier . There is no objective way to measure this .
However , When your client makes a mistake , You can't hide it . This is an anti related punishment : The idea is , If your verifier does something bad , If more validators make mistakes almost at the same time , The punishment will be higher . let me put it another way , You will be punished for failure .
In the ether , You may now be cut off for two acts :
1. Sign on two pieces at the same height .
2. Create a pair of removable certificates ( Around voting or double voting ).
When you're slashed , You don't usually lose all your money . When I write this article , The default penalty is actually very small : I will only lose you 0.5ETH, Or you bet on ether 1.5%( It will eventually increase to 1ETH perhaps 3%).
However , There is a question : Another additional penalty depends on before and after your verifier is cut off 4096 Period (18 God ) All other cuts in . in the meantime , The amount of further penalty is proportional to the total amount of reduction .
This may be much greater than the initial punishment . at present , Its setting is , If all pledge balances are reduced by more than half during this period , You will lose all your money . Last , This will be set to : If a third of the other verifiers are cut off , You will lose all pledges . The reason for choosing a third is that consensus fails and must be ambiguous .
Another anti related punishment : Secondary no active leakage .
Another way for the verifier to fail is to go offline . Again , There are also punishments , But the mechanism is very different . We don't call it reduction , Usually very small. : Under normal operation , The penalty for the offline verifier is the same as that for full verification . While writing this article , The annual growth rate is 4.8%. If your verifier is offline for a few hours or days , for example , Due to temporary Internet outage , It may not be worth sweating .
When more than a third of the validators are offline , The situation will become very different . then , The beacon chain cannot be finalized , This threatens the basic nature of the negotiated agreement , That is activity .
In order to rejuvenate in this situation , The so-called secondary inactive leakage began to work . If the verifier continues offline while the chain is not complete , The total penalty will rise in a quadratic curve over time . It was low at first ; about 4.5 Days later , The offline verifier will lose 1% Pledge of . However , It's in 10 Days later, it increased to 5%, stay 21 Days later, it increased to 20%( This is Arab value , The future will double ).

The mechanism is designed to complete the chain in a large number of catastrophic events . With the increase of off-line verifier pledge loss , Its share in the total pledge will be smaller and smaller . When their pledge fell to less than a third , The remaining online validators will receive more than two-thirds , So that they can finalize the chain .
However , There is another situation related to this : In some cases , The verifier cannot vote to a valid chain , Because they accidentally lock themselves in an invalid chain . Here's more information about this .
How bad most clients run ?
Let's look at three types of failure :
1. Reduce events on a large scale : Because of a mistake , Most client validators have signed significantly fewer certificates .
2. A large number of offline events : Because of a mistake , Most client validators are offline .
3. Invalid block event : Because of a mistake , Most client validators prove that there are invalid blocks .
Other types of mass failures and killings can also occur , But I'm limited to errors related to client errors ( When choosing which client to run, you should consider ).
scene 1: Double signature .
This is probably the most feared scenario for most verifier operators : An error caused the verifier client to sign a removable Certificate . for example , Two witnesses voted for the same target period , But there are different payloads . Because this is a client error , We don't just focus on the promisor , Also focus on all committed people who operate specific clients . Once these fuzzy behaviors are found , It will be a massacre : All relevant commitment parties will lose 100% Committed funds . This is because we are considering multiple clients : If the commitment proportion of relevant clients is only 10%, only 20% The proportion of commitments will be reduced ( stay Altair in ;30%, And set the final penalty parameters ).
under these circumstances , The damage is clearly extreme , But I also think it's highly unlikely . The condition for deleting a certificate is very simple , That's why you build an authentication client (VCS) To enforce them . The verification client is a very small piece of software , After a good audit , Vulnerabilities of this size are unlikely to occur .
up to now , We've seen some reductions , But as far as I know , These are caused by operator faults —— Almost all of this is caused by the operator operating the same verifier at several locations . Because none of this matters , So the amount is very small .
scene 2: Large scale offline activities .
under these circumstances , Let's assume that most clients have errors , When it triggers an error , It will cause the client to crash . The problematic blocks have been integrated into the chain , Whenever the client encounters a block , It will go offline , Unable to participate in further negotiations . Most customers are now offline , So an inactive leak began to appear .
Customer developers will scramble to restructure everything . in fact , They will release bug fixes in a few hours , To eliminate crashes .
meanwhile , The order supplier can also choose to simply switch to another client . As long as more than two-thirds of the validators are online enough , The secondary activity leak will stop . Before the wrong client is fixed , It is not impossible .
This is not impossible ( Crash errors are one of the most common types ), However, the total penalty may not be less than that of pledge 1%.
scene 3: Invalid data block .
For this scenario , We think most clients have errors , Will produce invalid blocks , And accept that it is effective —— in other words , When other validators using the same client see invalid blocks , They will think it is effective , To prove it .
Let's call the block chain that contains invalid A Chain , Once an invalid block is generated , Two things will happen :
1. All working clients ignore invalid blocks , But based on the generation of a single chain B On the latest effective head . All working clients will vote and build on the chain B On .
2. The faulty customer thinks the chain A and B It works , So it will vote for either of the two heaviest chains .
There are three situations to distinguish :
1. Customers with loopholes hold less than half of the total pledge . under these circumstances , All the right customers vote and build on B On the chain , Eventually become the heaviest chain . At this point , Even the wrong client will switch to the chain B. Apart from one or several pieces , Nothing bad . This is gratifying , That's why only most users are great .
2. Customers with loopholes hold more than half but less than two-thirds of the pledge . under these circumstances , We will see two chains being built -a Built by the wrong client ,B Is built by all other clients . No two-thirds of these two chains cannot be finalized . When that happens , Developers will scramble to understand why there are two chains . When they found the chain a When there are invalid blocks in , They can continue to fix the wrong client . Once repaired , chain a Will be recognized as invalid . therefore , It will begin to build on B Based on the chain , This will finalize it . This is very destructive for users . Although we hope the confusion between chain effectiveness will be short , Less than an hour , But the chain may not be finalized in a few hours or even a day . But for producers , Even problematic clients , Their punishment is also relatively light . If they don't participate in the chain a Construction , They may not be sure in a few hours . But for producers , The punishment is also relatively light . However , The punishment we're talking about may be less than a day .
3. Problematic customers hold more than two-thirds of the pledge . under these circumstances , The wrong client will not only build the chain a, There will be enough collateral to end it . Please note that , It will be the only one to think of the chain a Completed client . One of the final conditions is that the chain is effective , chain a Will be invalid for all other clients that operate correctly . however , because casperFG The working mode of the agreement , When the verifier finally determines the chain a when , Unless the chain is finalized ( For anyone interested in details , Please refer to appendix 2), Otherwise, you will never participate in another and A The chain of conflict without being cut off ( therefore , Once the chain a To finalize , The verifier of the wrong client will be in terrible trouble : They have submitted the chain a, But chain a Invalid . They can't work for B Contribute to the , Because it hasn't been finalized yet . Even if their verifier can't be repaired . What's going to happen now ? It's very painful : Undetermined B The chain will enter the second time without active leakage . In a few weeks , The illegal verifier will disclose its pledge again , until B Lose enough collateral . Suppose they started with 70% Pledge of —— They will lose 79% Pledge of , Because that's the amount they need to lose , Less than one third of the total pledge . At this point , chain B It will be confirmed again that all Pledgors can switch to it . The chain will be healthy again , But the interruption will last for weeks , Millions of ETH Will be destroyed in the process .
obviously , Case study 3 Just a disaster . That's why we are very keen to prevent any customer from holding more than two-thirds of the pledge . Then any invalid block cannot be finalized , It will never happen .

risk analysis
that , How do we evaluate these situations ? A typical risk analysis strategy is to assess the likelihood of an event (1- Very unlikely ,5- Very unlikely ) And influence (1- Very low ,5- disaster ). The most important risk is the risk with high scores of the two indicators represented by the product of impact and possibility .
Consider this , up to now , The most important thing is the scene 3. When a client is in two-thirds of the absolute majority , The impact is quite disastrous , This is also a relatively possible scenario . To emphasize that such vulnerabilities are easy to occur , lately Kilntestnet There was such a mistake on the ( see Kilntestnet Prevent the proposal from failing ). under these circumstances ,Prysm After the proposal, the defects of building blocks were indeed detected , There is no proof of this . If Prysm Think blocking is effective , And it happened in Mainet On , So we're in the scene 3 Catastrophic situation described in —— because Prysm At present, it is Mainet Two thirds of . therefore , If you are currently operating Prysm, You may lose all your money . This is a very real risk , You should consider changing the client .
scene 1 Probably the most worrying , Relatively low rating . The reason is that I think the possibility of this happening is quite low , Because I think Validator Client software works well on all clients , It is unlikely to produce a tilt proof or block .
If I currently operate multiple clients , I'm worried about switching , What choice do I have ?
Replacing clients can be a major task , With some risks . If the miter database is not correctly transferred to the new setting , What should we do ? There may be a risk of being cut off , This is completely contrary to the purpose .
I would recommend another option to anyone worried about this . You can also leave the verifier settings unchanged ( No need to take out the key, etc ), And only switch beacon nodes . This is a very low risk , Because as long as the verifier client works as expected , It will never repeat its signature , So you can't cut off . especially , If you have a big operation , Change validator client ( Or remote signature ) The infrastructure will be very expensive , May need to be reviewed , This may be a good choice . If the performance is not as good as expected , You can also easily switch to the original client or try a few other clients .
The good news is , When switching beacon nodes , You hardly have to worry about : Its worst effect on you is to temporarily shut down . This is because the beacon node itself will never produce cuttable information . If you run a few clients , It is impossible to finally enter the scene 3, Because even if you vote for invalid blocks , The block won't get enough tickets to finalize .
How about the client ?
The above applies to consensus client -prysm、lightower、nimbus、loestar and teku. When I write this article ,prysm Maybe two-thirds of the networks .
All this applies to the execution client . Google -etherum It is likely that most of the execution clients after the merger . If an invalid block is generated , Finally, the scene may be determined 3 Catastrophic failure described in .
Fortunately, , We have three other execution clients ready for production -nethermind、besu and erigon. If you are a pledgor , I strongly recommend that you operate one of them . If you run a few clients , The risk is very low ! But if you run most clients , You will be at risk of serious loss of all your money .
appendix 1: Why not significantly reduce invalid blocks ?
Scene 3 in , We must rely on secondary inactivity leakage to punish the verifier of invalid blocks . Strangely enough , Why don't we just punish them ? It looks faster , It's not that painful .
in fact , We don't do this for two reasons —— First, we can't do this at present , But even if we can , We may not do that :
1. at present , It is almost impossible to introduce penalties for invalid data blocks ( A sharp decrease ). This is because the beacon chain and execution chain are not invalid at present —— in other words , To check if the block is valid , You need a context ( state ), The size is 100smb( Beacon chain ) or GB( Execution chain ). This means that there is no concise evidence that the block is invalid . We need such evidence to reduce the number of verifiers : Reducing the verifier block needs to include evidence that the verifier has broken the law . No nationality consensus , There are some ways to get around this problem , But it will involve more complex structures , Such as multiple rounds of fraud evidence , Such as Arbitrum The evidence currently used to summarize .
2. The second reason we may not be eager to introduce such cuts is , Even if we can do this , It is also because invalid blocks are more difficult to prevent than the current reduction conditions . The current conditions are very simple , The verifier client needs only a few lines of code to easily verify . That's why I think the above situation 1 Is unlikely to —— up to now , The message that can be deleted is only caused by the error of the operator , I think this may continue . Add invalid block ( Or prove that they ) The oblique cutting will increase the risk of investors . Now? , Even those who run a few clients can face severe penalties .
All in all , Over the next few years , We are unlikely to see invalid blocks and / Or proof .

appendix 2: Why are defective clients in the final determination chain A Cannot switch to the chain after B?
This section is for those who want to know in more detail why the wrong client can't simply switch back , Designed by someone who had to suffer a terrible activity leak . So , We have to see CasperFG Finally decide how to work .
Each certificate includes a source checkpoint and a target checkpoint . The checkpoint is the first block of an era . If there is a link from one era to another , And the total number of votes for links exceeds two-thirds of all interests ( That is, there is too much evidence , The first checkpoint is the source , The second checkpoint is the target ), We call it hyperlinks .
An era can be reasonable or certain , Its definition is as follows :
1. An era 0 alignment .
2. If there is an absolute majority connection with a reasonable era , So an era agent .
3. If (1) An era X It's aligned ,(2) The next era is also aligned , Most of the sources of links are times X, Then the times X It will eventually be determined .
The rules 3 Slightly simplified ( More conditions can finally determine an era , But they are not important to this discussion ). Now? , Let's look at the conditions for a significant reduction . A substantial reduction proves that there are two rules . Both compare a pair V and W:
1. If V and W The goal is the same era ( That is, the same height ), But they don't vote for the same checkpoint ( Double voting ), They can be cut off .
2. It means (1)V Originated before W The source and (2)V The target is later than W( Vote around ).
The first condition is obvious. Simply vote for two chains of different heights . But what is the second condition ?
Its function is to reduce all participants and finally determine the verifier of two conflict chains ( This will never happen ). To understand why , Let's look at our scene again 3. In the worst case , Most of the wrong clients (>2/3 pledge ). When it continues to vote for the fault chain , It will eventually determine the time of the invalid block , as follows :
The rounded box in the figure represents time , Not a block . The green arrow is the last hyperlink created by all validators . Red arrows are hyperlinks , Only the wrong client supports . A working client ignores an invalid block ( Red ) Time . The first red arrow will prove that the invalid time is correct , The second arrow will determine the invalid time .
Now let's assume that the error has been fixed , The verifier that finally determines the invalid time wants to add the correct chain B. In order to terminate the chain , The first step is to adjust the time X:
However , In order to participate in the times X Adjustment of ( It requires a link mostly indicated by dashed green arrows ), They will have to skip the second red arrow —— The arrow that finally determines the invalid era . Voting for these two links is a severable attack .
This will continue to apply to any subsequent era . The only way to fix it is through a secondary inactive leak : With the chain B The growth of , Locking the verifier will reveal their funds , Up to the chain B It can be reasonably proved and finally determined by the working client .
disclaimer : As a blockchain information platform , The information provided on this website does not imply any investment .

版权声明:本文为[The way to God]所创,转载请带上原文链接,感谢。