[review] MIP-56 : Rate-Limiter for the HTLC-type Native Bridge #56
Conversation
apenzk
changed the title
There was a problem hiding this comment.
In general, because of the asymmetry imposed here by only rate-limiting on the L1, I'm wondering if it may make sense to implement rate limiting on both the L1 and L2 to have symmetry in both directions, with separate budgets for each direction.
The only big downside I can see by implementing on the L1 only is that the L1 rate limiter, in the case of a L2->L1 transfer can only block a call on the lockBridgeTransfer call, i.e this is the earliest intervention it can make. However, I think this downside is moot and doesn't effect the rate-limiting mechanism negatively.
What do you think? If you agree, we can with the Rate Limiter on L1 only.
| The **Rate-Limiter** for the Native Bridge is introduced to de-escalate the risk of double-spends through the bridge by limiting the number of tokens that can be transferred during a certain time frame. The rate limit is determined by the reaction time of the bridge operator, called the **Risk Period**, and the value locked in the **Security Fund**, see [MIP-50](https://github.com/movementlabsxyz/MIP/pull/50). | ||
|
|
||
| The Native Bridge Rate Limiter is implemented through a contract on L1. This contract is governed by the Aptos governance framework, see [MIP-48](https://github.com/movementlabsxyz/MIP/pull/48/), and can be updated through a governance process. | ||
|
|
There was a problem hiding this comment.
If the Limiter is on the L1, how will the governance framework (which is on the L2 communicate with it?) there is no direct path. Perhaps, for now any arguments passed to it are set via restricted functions and later you could have some kind of proxy governance on the L1. Though I would say this is out of scope here.
There was a problem hiding this comment.
If the governance is on L2 the rate limit and other governance related function should be implemented on L2?
There was a problem hiding this comment.
is the governance on L2 due to operational (gas) costs?
There was a problem hiding this comment.
Good question. I think we just initially thought of governance on the L2 because we are aptos first. But perhaps governance on the L1 makes more sense for us. To align those decisions and execute on the L1.
There was a problem hiding this comment.
i think at least initially we should decide on a particular layer, which would require that most things happen on that layer. which would mean that Rate-Limiter, Bridge-Security-Fund, Governance would need to be on the same layer.
Considerations:
- Choice for L1 : Ethereum - alignment
- Choice for L2 : improved Cost and Latency
There was a problem hiding this comment.
Surely L1. We don't care about cost for L1, as governance transactions are infrequent. High Gas could be considered a good thing for governance, i.e: its expensive to submit a proposal, do it thoughtfully.
There was a problem hiding this comment.
Also, with that, we can just use already existing protocols such as snapshot https://snapshot.org/#/
Or the MolochDAO contracts (I wouldn't recommend), snapshot better.
There was a problem hiding this comment.
For the governance, I think it's because Aptos framework implements one that we wanted to use.
There was a problem hiding this comment.
perhaps, for now any arguments passed to it are set via restricted functions
so who sets these values if not governance?
There was a problem hiding this comment.
a trusted signer, us. For Bilbao Model, as we wont have any governance implemented for initial mainnet. Only post.
| 1. The Rate-Limiter SHOULD be implemented as a contract on L1. | ||
| 1. The Rate-Limiter MUST handle both the **transfer directions** L1 -> L2 and L2 -> L1. | ||
| 1. For either transfer direction the transfer value MUST be tracked, i.e. the transferred value for L1->L2 should be recored in `budget_L1L2` and for L2->L1 in `budget_L2L1`. | ||
| 1. The Rate-Limiter SHOULD be governed by the Aptos governance framework, see [MIP-48](https://github.com/movementlabsxyz/MIP/pull/48/), and can be updated through a governance process. |
There was a problem hiding this comment.
Related to my comment above, I see no way (given our current design) the aptos_governance module can communicate directly to the L1.
If you're proposing that decisions be made via aptos_governance on the L2 then those decisions be carried out on the L1 by a trusted party, that will suffice for now. Perhaps you could make that clearer here or elsewhere.
There was a problem hiding this comment.
this ties in with the above comment on selecting a main action layer.
| 1. For either transfer direction the transfer value MUST be tracked, i.e. the transferred value for L1->L2 should be recored in `budget_L1L2` and for L2->L1 in `budget_L2L1`. | ||
| 1. The Rate-Limiter SHOULD be governed by the Aptos governance framework, see [MIP-48](https://github.com/movementlabsxyz/MIP/pull/48/), and can be updated through a governance process. | ||
| 1. The security fund contract, see [MIP-50](https://github.com/movementlabsxyz/MIP/pull/50), MUST update `security_fund` in the Rate-Limiter contract if the amount of funds changes in the security fund contract. | ||
| 1. The `risk_period` value SHOULD be set by the governance process and updated through the governance process. It estimates the maximum reaction time to check whether transfers have been completed correctly. |
There was a problem hiding this comment.
At this point it could only be updated manually. Which is fine for Bilbao stage.
We have no way to relay arbitrary actions / messages from one chain to another. This would imply, for full automation and tight governance, a governance relayer, for relayer actions that are outcomes of an accepted proposal from the L2 contract to the L1, which is an interesting idea. Again out of scope though.
| 1. The Rate-Limiter SHOULD be governed by the Aptos governance framework, see [MIP-48](https://github.com/movementlabsxyz/MIP/pull/48/), and can be updated through a governance process. | ||
| 1. The security fund contract, see [MIP-50](https://github.com/movementlabsxyz/MIP/pull/50), MUST update `security_fund` in the Rate-Limiter contract if the amount of funds changes in the security fund contract. | ||
| 1. The `risk_period` value SHOULD be set by the governance process and updated through the governance process. It estimates the maximum reaction time to check whether transfers have been completed correctly. | ||
| 1. For a given transfer direction, the Rate-Limiter should disable transfers across the bridge if the rate limit is exceeded for that transfer direction. |
There was a problem hiding this comment.
the Rate-Limiter should disable transfers across the bridge if the rate limit is exceeded for that transfer direction
For "across the bridge" what is meant exactly, on the L2 and L1? I still fail to see how the L1 contract can do any operations on the L2 (it can use the relayer of course, but I think the idea here is to not rely on relaying a message)?
There was a problem hiding this comment.
- across means L1->L2 or L2->L1
- the L1 contract does not need to perform any actions on L2. the rate limited is set on L1 alone. do you think this is problematic and why? (maybe the L2->L1 is problematic as it might rely on L2timeouts)
| 1. The `risk_period` value SHOULD be set by the governance process and updated through the governance process. It estimates the maximum reaction time to check whether transfers have been completed correctly. | ||
| 1. For a given transfer direction, the Rate-Limiter should disable transfers across the bridge if the rate limit is exceeded for that transfer direction. | ||
| 1. The rate limit MUST be set according to the equation `rate_limit = security_fund / risk_period * 0.5`. This is to ensure that each bridge transfer direction is ensured sufficiently. | ||
| 1. The Rate-Limiter MUST reject a transfer request if the rate limit is exceeded for that transfer direction by that transaction. I.e. for L1->L2 the Rate-Limiter MUST reject any transfer that would violate `budget_L1L2 < rate_limit` and for L2->L1 the Rate-Limiter MUST reject any transfer that would violate `budget_L2L1 < rate_limit`. |
There was a problem hiding this comment.
To drill down a bit. The case :
L1->L2 is fine, as it will just internally block initiateBridgeTransfer
Whereas
L2->L1 the only contract L1 has visibility of in this direction is the AtomicBridgeCounteropartyMOVE.sol, so the only call it can block is the lockBridgeTransfer call.
Is this what you intend?
There was a problem hiding this comment.
it seems the function that would apply the rate limit should be lock_bridge_transfer on L1 according to Figure 2 in #39
i assume currently a failed lock on L1 would not be reported to L2? Or is there a way the user on L2 can learn that the transfer request failed due to rate limit on L1?
There was a problem hiding this comment.
also see the next code line that i just added (L35 currently: ... The rate limiation should be applied at the earliest ....)
There was a problem hiding this comment.
Why we don't apply rater limiting on both side to the initiate_transfer. There's no need to have it only on one chain. They just have to share the same equation.
There was a problem hiding this comment.
Would also be possible, but requires two pools : one security pool on L1 and one security pool on L2.
pro
- earliest possible reject.
- easy to separate different rate limits
con
risk_periodhas to be set twice (once on L1 and once on L2)- have to implement rate limiter on solidity and on Move
- need two security fund contracts, once in solidity and once in Move
- increased code surface for bugs?
- security funds are separate,
weightcan only be adjusted by physically sending funds from L1->L2 (L2->L1) between security pools
There was a problem hiding this comment.
added it as an optimization suggestion
There was a problem hiding this comment.
With the addition of two pools this adds too much complexity for something Minimal that achieves that rate-limit guarantee that we need. I am going to implement on L1 only if we want to add Rate Limiter on the L2 later, this can happen post Bilbao Model. Or, can be considered as part of the Biarritz Model.
|
I have more a practical remark. The rate limit cancels transfers if activated. As it executes on L1, the way to limit it is to reject the |
|
@musitdev Yes I had the same remark here #56 (comment) I think this is what @apenzk is suggesting. For this L2 -> L1 and block-lock case, we are forced to simple have the user wait for refund and let them know. The nice thing about this implementation, is the Front End could read the rate limit from the contract and display that to the user on the front end. Some kind of loader bar to show the rate-limit is approaching, this would incentivise the user to transfer if the rate-limit is almost exceeded. |
| 1. The `risk_period` value SHOULD be set by the governance process and updated through the governance process. It estimates the maximum reaction time to check whether transfers have been completed correctly. | ||
| 1. For a given transfer direction, the Rate-Limiter should disable transfers across the bridge if the rate limit is exceeded for that transfer direction. | ||
| 1. The rate limit MUST be set according to the equation `rate_limit = security_fund / risk_period * 0.5`. This is to ensure that each bridge transfer direction is ensured sufficiently. | ||
| 1. The Rate-Limiter MUST reject a transfer request if the rate limit is exceeded for that transfer direction by that transaction. I.e. for L1->L2 the Rate-Limiter MUST reject any transfer that would violate `budget_L1L2 < rate_limit` and for L2->L1 the Rate-Limiter MUST reject any transfer that would violate `budget_L2L1 < rate_limit`. |
There was a problem hiding this comment.
With the addition of two pools this adds too much complexity for something Minimal that achieves that rate-limit guarantee that we need. I am going to implement on L1 only if we want to add Rate Limiter on the L2 later, this can happen post Bilbao Model. Or, can be considered as part of the Biarritz Model.
apenzk
changed the title
@franck44 should we set it to status "withdrawn" instead? |
|
As per MIP-committee decision we are closing MIPs and MDs for the HTLC-based Native-bridge. |
Summary
MIP-56
The Rate-Limiter expands MIP-50 and is part of the Biarritz Model (MIP-54). It de-escalates concerns regarding liveness and safety of the relayer.
The presented design does not address whether a breach of the bridge happened - which is the role of the informer (no MIP yet) and the security fund (MIP-50).