Hash Time Lock Contracts #168
Conversation
And move ugly repetitive decoding to the executive.
| @@ -0,0 +1,380 @@ | |||
| //! This module contains `Verifier` implementations related to Hash Time Lock Contracts. | |||
There was a problem hiding this comment.
For review purposes, this file is the main additions.
The rest of the diff is mostly moving existing verifiers to dedicated files.
There was a problem hiding this comment.
I would have preferred to see the changes to the Verifier trait in a separate PR, then make HTLC depend on it. Although being small, I think it's a better approach for such a breaking change, but that's up to you.
Anyway the Redeemer is a really nice and clever addition, great job with that!
And the HTLC implementation looks good to me.
PS please take a look to the failing test 😿
tuxedo-core/src/verifier/htlc.rs
Outdated
| /// interesting to use public key hash, or better yet, simply abstract this over some opaque | ||
| /// inner verifier for maximum composability. | ||
| /// | ||
| /// @lederstrumpf when the time expires, is the primary "happy" path supposed to remain open? | ||
| /// Or is it that if the swap hasn't started on time, the refund is the only option. |
There was a problem hiding this comment.
I think these kinds of comments should be kept out of the docs
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
There was a problem hiding this comment.
Agreed. This one needs to be resolved before this is merged. Based Andreas's point in the video (link to exact moment) I believe that that the happy path should remain enabled which is how I have it now.
There was a problem hiding this comment.
/// @Lederstrumpf when the time expires, is the primary "happy" path supposed to remain open?
/// Or is it that if the swap hasn't started on time, the refund is the only option.
Strong question you raise.
In the Farcaster protocol, the happy path closes once one of the parties initiates the cancel path.
HTLC atomic swap protocols on Bitcoin keep the happy path open even after timeout expires - see e.g. the COMIT spec: https://comit.network/docs/0.13.0/core-concepts/atomic-swap-htlc/#htlcs-on-different-ledgers (interestingly, they've done the same for the ETH protocol: https://github.com/comit-network/RFCs/blob/master/RFC-007-SWAP-Basic-Ether.adoc)
or the original proposal:
https://bitcointalk.org/index.php?topic=193281.msg2224949#msg2224949
or BIP 119:
https://github.com/bitcoin/bips/blob/master/bip-0199.mediawiki#summary
The reason for this is indeed that there's deliberately no OP_CHECKSEQUENCE nor OP_CHECKLOCKTIME - only their guardian variants OP_CHECKSEQUENCEVERIFY & OP_CHECKLOCKTIMEVERIFY.
Most discussion around this is probably in the annals of the bitcoin wizards IRC, if you wanna investigate deeper.
The arguments that have bubbled to my surface:
Satoshi's stance in 2010 (i.e. The Prophet's unassailable proclamation in Bitcoin Land, for better or worse): https://bitcointalk.org/index.php?topic=1786.msg22119#msg22119
Jeremy Rubin's AMA: https://www.reddit.com/r/Bitcoin/comments/gwjr8p/comment/ft80amd/?utm_source=share&utm_medium=web2x&context=3
Another disgruntled (& highly ignored) seeker of The Truth's summary: https://bitcoin.stackexchange.com/questions/96366/what-are-the-reasons-to-avoid-spend-paths-that-become-invalid-over-time-without
Now, while I have reservations about the reorg arguments even in Bitcoin's context, they are not applicable to chains with deterministic finality, i.e. all substrate based chains (aside from Kulupu).
i.e. with deterministic finality, you could have the equivalent of OP_CHECK{SEQUENCE,LOCKTIME}, and it would be safe as long as the output being spent has been finalized.
I reckon it might be preferable to have mutually exclusive success & refund paths for HTLC based swaps too - with a more general definition of HTLC, i.e. going beyond what Bitcoin Script allows.
It would still not ensure atomicity (since the chains run on different clocks), but improves safety of the swap for Bob assuming chain A's clock doesn't outrace chain B's clock.
Breakable assumption if crosschain: t1 < t2:
Let's take chain A to be the chain where Alice funds TX1 (with a timelock t2 for her refund TX2) and chain B as the chain where Bob funds TX3 (with a timelock t1 for his refund TX4)
Assuming both funding txs have been published, but Alice has not claimed yet, then the possible spending conditions are:
TX1 (Chain A): (x ∧ Bob) ∨ (t2 ∧ Alice)
TX3 (Chain B): (x ∧ Alice) ∨ (t1 ∧ Bob)
In detail:
!t1 ∧ !t2: Alice can claim. Bob can't do jack and has to wait fort1or Alice to claim.t1 ∧ !t2(t1has passed): Alice can claim (unsafe since Bob would learnxand his refund might frontrun her claim tx) or wait fort2to refund. Bob can (and should) refund or (unsafe!) wait for Alice to claim.t1 ∧ t2(botht1andt2have passed): Alice can claim or refund. Bob can refund and should already have done so beforet2passed, else non-atomic.!t1 ∧ t2(t2has passed): Alice can claim or refund. Bob has to wait fort1or for Alice to claim: non-atomic scenario.
If you now impose that the happy path is unavailable after t1 or t2 respectively, then this changes to:
Chain A: (!t2 ∧ x ∧ Bob) ∨ (t2 ∧ Alice)
Chain B: (!t1 ∧ x ∧ Alice) ∨ (t1 ∧ Bob)
!t1 ∧ !t2: Alice can claim. Bob can't do jack and has to wait fort1or for Alice to claim.t1 ∧ !t2(t1has passed): Alice can't claim (which would anyway be unsafe), so must wait fort2to refund. Bob can refund.t1 ∧ t2(botht1andt2have passed): Alice can only refund. Bob can only refund.!t1 ∧ t2(t2has passed): Alice can claim or refund. Bob has to wait fort1or for Alice to claim: non-atomic scenario.
The primary advantage is that Alice can't steal from Bob unless she publishes TX2 prior to t1.
Note you'd get the same if you'd just make the paths on TX1 temporally mutually exclusive, assuming Alice never leaks x to Bob (e.g. by hopelessly trying to spend TX1, or by getting hacked).
So if this was a crosschain swap of Tuxedo with e.g. Bitcoin, you could retain this advantage as long as Tuxedo = Chain A.
There was a problem hiding this comment.
TLDR: to keep compatibility with Bitcoin Script (not in terms of only supporting its features, but also the assumptions about what can happen), I'd keep the happy path open.
But keeping compatibility with BS's assumptions means restricting Verifier rules to what BS would permit, so this is a pretty fundamental decision. The other alternative is going with whatever makes most sense for a particular protocol and breaking compatibility with BS's assumptions. And that's also a pretty fundamental decision ;)
There was a problem hiding this comment.
Because Tuxedo is a framework, we don't have to make any decision once and for all here. The framework can support any old verifier whether it is compatible with bitcoin or not.
When it comes time to launch a Tuxedo-based chain then we have to decide what verifiers are concretely allowed on that particular chain. I don't think we should enforce bitcoin compatibility to the entire Tuxedo ecosystem.
tuxedo-core/src/verifier/htlc.rs
Outdated
| /// interesting to use public key hash, or better yet, simply abstract this over some opaque | ||
| /// inner verifier for maximum composability. | ||
| /// | ||
| /// @lederstrumpf when the time expires, is the primary "happy" path supposed to remain open? | ||
| /// Or is it that if the swap hasn't started on time, the refund is the only option. |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
tuxedo-core/src/verifier/htlc.rs
Outdated
| /// interesting to use public key hash, or better yet, simply abstract this over some opaque | ||
| /// inner verifier for maximum composability. | ||
| /// | ||
| /// @lederstrumpf when the time expires, is the primary "happy" path supposed to remain open? | ||
| /// Or is it that if the swap hasn't started on time, the refund is the only option. |
There was a problem hiding this comment.
/// @Lederstrumpf when the time expires, is the primary "happy" path supposed to remain open?
/// Or is it that if the swap hasn't started on time, the refund is the only option.
Strong question you raise.
In the Farcaster protocol, the happy path closes once one of the parties initiates the cancel path.
HTLC atomic swap protocols on Bitcoin keep the happy path open even after timeout expires - see e.g. the COMIT spec: https://comit.network/docs/0.13.0/core-concepts/atomic-swap-htlc/#htlcs-on-different-ledgers (interestingly, they've done the same for the ETH protocol: https://github.com/comit-network/RFCs/blob/master/RFC-007-SWAP-Basic-Ether.adoc)
or the original proposal:
https://bitcointalk.org/index.php?topic=193281.msg2224949#msg2224949
or BIP 119:
https://github.com/bitcoin/bips/blob/master/bip-0199.mediawiki#summary
The reason for this is indeed that there's deliberately no OP_CHECKSEQUENCE nor OP_CHECKLOCKTIME - only their guardian variants OP_CHECKSEQUENCEVERIFY & OP_CHECKLOCKTIMEVERIFY.
Most discussion around this is probably in the annals of the bitcoin wizards IRC, if you wanna investigate deeper.
The arguments that have bubbled to my surface:
Satoshi's stance in 2010 (i.e. The Prophet's unassailable proclamation in Bitcoin Land, for better or worse): https://bitcointalk.org/index.php?topic=1786.msg22119#msg22119
Jeremy Rubin's AMA: https://www.reddit.com/r/Bitcoin/comments/gwjr8p/comment/ft80amd/?utm_source=share&utm_medium=web2x&context=3
Another disgruntled (& highly ignored) seeker of The Truth's summary: https://bitcoin.stackexchange.com/questions/96366/what-are-the-reasons-to-avoid-spend-paths-that-become-invalid-over-time-without
Now, while I have reservations about the reorg arguments even in Bitcoin's context, they are not applicable to chains with deterministic finality, i.e. all substrate based chains (aside from Kulupu).
i.e. with deterministic finality, you could have the equivalent of OP_CHECK{SEQUENCE,LOCKTIME}, and it would be safe as long as the output being spent has been finalized.
I reckon it might be preferable to have mutually exclusive success & refund paths for HTLC based swaps too - with a more general definition of HTLC, i.e. going beyond what Bitcoin Script allows.
It would still not ensure atomicity (since the chains run on different clocks), but improves safety of the swap for Bob assuming chain A's clock doesn't outrace chain B's clock.
Breakable assumption if crosschain: t1 < t2:
Let's take chain A to be the chain where Alice funds TX1 (with a timelock t2 for her refund TX2) and chain B as the chain where Bob funds TX3 (with a timelock t1 for his refund TX4)
Assuming both funding txs have been published, but Alice has not claimed yet, then the possible spending conditions are:
TX1 (Chain A): (x ∧ Bob) ∨ (t2 ∧ Alice)
TX3 (Chain B): (x ∧ Alice) ∨ (t1 ∧ Bob)
In detail:
!t1 ∧ !t2: Alice can claim. Bob can't do jack and has to wait fort1or Alice to claim.t1 ∧ !t2(t1has passed): Alice can claim (unsafe since Bob would learnxand his refund might frontrun her claim tx) or wait fort2to refund. Bob can (and should) refund or (unsafe!) wait for Alice to claim.t1 ∧ t2(botht1andt2have passed): Alice can claim or refund. Bob can refund and should already have done so beforet2passed, else non-atomic.!t1 ∧ t2(t2has passed): Alice can claim or refund. Bob has to wait fort1or for Alice to claim: non-atomic scenario.
If you now impose that the happy path is unavailable after t1 or t2 respectively, then this changes to:
Chain A: (!t2 ∧ x ∧ Bob) ∨ (t2 ∧ Alice)
Chain B: (!t1 ∧ x ∧ Alice) ∨ (t1 ∧ Bob)
!t1 ∧ !t2: Alice can claim. Bob can't do jack and has to wait fort1or for Alice to claim.t1 ∧ !t2(t1has passed): Alice can't claim (which would anyway be unsafe), so must wait fort2to refund. Bob can refund.t1 ∧ t2(botht1andt2have passed): Alice can only refund. Bob can only refund.!t1 ∧ t2(t2has passed): Alice can claim or refund. Bob has to wait fort1or for Alice to claim: non-atomic scenario.
The primary advantage is that Alice can't steal from Bob unless she publishes TX2 prior to t1.
Note you'd get the same if you'd just make the paths on TX1 temporally mutually exclusive, assuming Alice never leaks x to Bob (e.g. by hopelessly trying to spend TX1, or by getting hacked).
So if this was a crosschain swap of Tuxedo with e.g. Bitcoin, you could retain this advantage as long as Tuxedo = Chain A.
| impl Verifier for HashTimeLockContract { | ||
| type Redeemer = HtlcSpendPath; | ||
|
|
||
| fn verify(&self, simplified_tx: &[u8], block_height: u32, spend_path: &HtlcSpendPath) -> bool { | ||
| match spend_path { | ||
| HtlcSpendPath::Claim { secret, signature } => { | ||
| // Claims are valid as long as the secret is correct and the receiver signature is correct. | ||
| BlakeTwo256::hash(secret) == self.hash_lock | ||
| && sp_io::crypto::sr25519_verify( | ||
| signature, | ||
| simplified_tx, | ||
| &self.recipient_pubkey, | ||
| ) | ||
| } | ||
| HtlcSpendPath::Refund { signature } => { | ||
| // Check that the time has elapsed | ||
| block_height >= self.claim_period_end | ||
|
|
||
| && | ||
|
|
||
| // Check that the refunder has signed properly | ||
| sp_io::crypto::sr25519_verify( | ||
| signature, | ||
| simplified_tx, | ||
| &self.refunder_pubkey, | ||
| ) | ||
| } | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
What's your stance on composable Verifier?
I'm otherwise undecided whether you are deliberately not composing HashLock & TimeLock implementations to construct HashTimeLockContract, or are leaving this for a later stage.
I think there are pros (e.g. leaner interface & codebase) but also cons (more moving parts beneath a Verifier, so requires more careful versioning) to composing.
See 29a20fe1 for a candidate implementation that reuses Verifier implementations from HashLock & TimeLock.
There was a problem hiding this comment.
Thanks for the detailed writeup and citations regarding expiring transactions. I'm not all that convinced by the Prophet's argument TBH. As others explained in the forum, there are already double spend scenarios that make a transaction invalid from one fork to another, so I don't see expiry being that much worse. The state boat from expired transactions is more convincing to me, but in the case of swaps, the transaction never truly expires, only one of its paths does, so I'm not too concerned. I think for now we let the happy path remain open simply for compatability with the chains where farcaster currently runs. Anyone could write their own verifier that leaves it open or adds a happy_path_expires: bool field if they want it later.
I think composing the verifiers is a good idea. I was already starting to consider it when I was writing this PR. Even looking at the simple HashLock, for example, even it could be composed with an inner Sr25519Signature rather than repeating the sig check logic. And by making them composable, we can also make them generic. I could imagine some verifier combinators for scenarios like And Or Not etc. I'll experiment with it.
There was a problem hiding this comment.
I love the composed Verifier. Although it's not really more convenient in this particular case, it is actually a great example of what I believe should be a good practice in action.
This comment was marked as resolved.
This comment was marked as resolved.
JoshOrndorff
dismissed
muraca’s stale review
I've addressed the relevant concerns.
This PR is a first step towards more interesting verifiers and cross-chain atomic swaps. Already there are enough verifiers to support swaps between two Tuxedo chains with the HTLC verifier 🚀
Before we can realize the goal of serving on the arbitrating side of the Farcaser protocol we would need Either a verifier that supports bitcoin script, or dedicated farcaster verifiers, both of which are feasible and put off until a future PR.
Some references I followed:
New verifier implementations