|
| 1 | +# Problem Statement + Context |
| 2 | + |
| 3 | +The fault proof system for interop, continues to use the split game where the bottom half of the game bisects the cannon |
| 4 | +execution trace. However the top half of the game no longer progresses from one block to the next, but breaks down the |
| 5 | +transition between one super root to the next into 1024 individual steps. As a result, the trace for the top half of the |
| 6 | +game requires 2048 steps per 2 seconds compared to the pre-interop game when using 2 second block times, or 1024 times |
| 7 | +more when using 1 second block times. |
| 8 | + |
| 9 | +To operate correctly, the game's split depth must always be large enough for there to be enough leaf nodes in the top |
| 10 | +half of the game to progress from the anchor state to the current chain safe head. Otherwise the valid trace for the |
| 11 | +top half of the game would exceed the maximum supported trace length. |
| 12 | + |
| 13 | +The current configuration has a split depth of 30, which allows a maximum trace length of 2^31. With a 2 second block |
| 14 | +time that allows the anchor state to be approximately 136 years old. However, it would be infeasible for the fault proof |
| 15 | +VM to walk back that many L1 blocks to find the batch data required for the earliest blocks within the 3.5 day chess |
| 16 | +clock. |
| 17 | + |
| 18 | +With the same split depth, the interop fault proof game would only support an anchor state up to 24 days old. That may |
| 19 | +be insufficient if there was an issue in the fault proof system which required investigation and then governance |
| 20 | +approval to fix. |
| 21 | + |
| 22 | + |
| 23 | +# Proposed Solution |
| 24 | + |
| 25 | +Reduce the number of steps required per super root to 128. |
| 26 | + |
| 27 | +# Alternatives Considered |
| 28 | + |
| 29 | +## Reduce the Number of Steps Per Super Root |
| 30 | + |
| 31 | +The 1024 steps between each super root was chosen to align with a power of two and allow up to 1023 chains in the |
| 32 | +dependency set before needing to change the game mechanics (the 1024th step is to check interop messages). There is |
| 33 | +no chance of us reaching 1023 chains any time soon and a significantly reduced number could be used. |
| 34 | + |
| 35 | +Such a high number was originally chosen to avoid the complexity of adjusting the number of steps at a hard fork, and |
| 36 | +potentially needing to deal with games that spanned timestamps with different numbers of blocks between them. However, |
| 37 | +the number of steps chosen doesn't actually affect the derivation process - only the dispute game. The number of steps |
| 38 | +could simply be moved from a constant in the fault proof program and op-challenger to an input from the dispute game |
| 39 | +contract, supplied to the challenger via a getter and via a local key to op-program. This would require some work |
| 40 | +but is reasonably straight forward and doesn't require complex transitional handling. |
| 41 | + |
| 42 | +If the number of steps per timestamp were reduced to 128, the current split depth would allow for a maximum anchor state |
| 43 | +age of 194 days - just over 6 months. It is reasonable to assume that the security council could take action to |
| 44 | +manually update the anchor state within 6 months if required. This would also support adding 127 chains to the |
| 45 | +dependency set before the number of steps needs to be increased. |
| 46 | + |
| 47 | +Given the consolidation step is currently done for all chains in a single fault proof VM execution, it is not feasible |
| 48 | +to support 127 chains in the dependency without making changes to the game execution anyway. |
| 49 | + |
| 50 | +## Increase Split Depth and Max Game Depth |
| 51 | + |
| 52 | +The split depth could be increased to increase the maximum trace supported by the top game and increase the maximum |
| 53 | +supported anchor state age. To keep the same maximum trace length for the bottom game, the max depth would need to be |
| 54 | +increased by the same amount. |
| 55 | + |
| 56 | +The [bond scaling](https://specs.optimism.io/fault-proof/stage-one/bond-incentives.html#bond-scaling) is designed such |
| 57 | +that for any max depth, the bond required at the max depth covers the potential gas for posting a large preimage. Thus, |
| 58 | +the bond amounts automatically scale as appropriate. However, the total bonds that would need to be paid by the honest |
| 59 | +actor to reach the maximum depth significantly increases as the max depth increases because they need to perform more |
| 60 | +moves and additional bonds. This decreases the capital efficiency of the fault proof system further when it is already |
| 61 | +a weak point of the system. |
| 62 | + |
| 63 | +## No Changes |
| 64 | + |
| 65 | +Accept that the anchor state can not be more than 24 days old. It would be expected that the security council could fall |
| 66 | +back to the permissioned game before this limit was actually reached but it seems unnecessarily short. In the case of |
| 67 | +an incident it could easily restrict the available options and would be a constant consideration. |
0 commit comments