AIP: BOLD - permissionless validation for Arbitrum

Submitted by: The Arbitrum Foundation

Category: Constitutional, Software Upgrade

Abstract

This Constitutional AIP proposes upgrading both Arbitrum One and Arbitrum Nova’s Rollup Contracts to use Arbitrum BOLD: a new dispute resolution protocol that is designed to replace the existing and currently deployed Arbitrum protocol. BOLD delivers two critical improvements:

  • Unlocks permissionless validation for Arbitrum chains,
  • Enhances the security of Arbitrum chains by mitigating the risk of delay attacks.

BOLD accomplishes this feat by ensuring that any single honest party can always successfully defend against malicious claims to an Arbitrum chain’s state. BOLD represents the next step on the journey to having the Arbitrum technology stack being recognized as a Stage 2 Ethereum rollup. The implementation of BOLD will be thoroughly tested to ensure both its effectiveness and safety. The testing plan includes:

  • A comprehensive audit by Trail of Bits,
  • Deployment of the protocol to public testnets for at least 8 weeks,
  • A public audit program,
  • Publication of mathematical safety proofs and formal specifications.

This proposal requests the ArbitrumDAO to approve an upgrade to the onchain smart contracts and to support the deployment of a new challenger manager contract on Ethereum. If the upgrade is approved, then validators on Arbitrum One and Arbitrum Nova can use the Nitro software to participate in BOLD.

Additionally, all Arbitrum Orbit chains may choose to adopt BOLD to reap the security benefits of this new dispute resolution protocol as soon as the upgrade is generally available. BOLD, like the current Arbitrum dispute resolution protocol, makes use of WebAssembly (WASM) technology and can seamlessly support Arbitrum Stylus, should the ArbitrumDAO adopt Stylus.

Motivation

The ArbitrumDAO should consider approving this AIP as BOLD delivers critical security and decentralization improvements for Arbitrum One and Arbitrum Nova that benefit all Arbitrum users, Arbitrum node operators, dApps on Arbitrum, and Arbitrum bridges. These benefits can be extended to any Orbit chain that wishes to adopt BOLD.

More specifically, this new dispute resolution protocol brings the following benefits to Arbitrum chains:

  • Permissionless validation - Today, the critical role of being a validator for Arbitrum One and Nova is currently restricted to a permissioned set of validators in order to prevent delay attacks on the current rollup protocol - a class of attacks where actors can delay confirmations if they are willing to sacrifice their stakes. However, since BOLD mitigates the risks of delay attacks using a different mechanism (enforcing a fixed upper time bound on dispute resolution), reliance on a permissioned set of validators is no longer necessary. Therefore, passing this AIP and implementing BOLD to secure Arbitrum One and Nova effectively enables permissionless validation, marking a key milestone for Arbitrum chains to be recognized as Stage 2 Rollups, as part of Arbitrum’s journey to full decentralization.

  • Fixed delay time for assertion confirmation - The current rollup protocol for Arbitrum chains has a ~6.4 day challenge period during which validators can dispute claims about the chain’s state. These claims about the chain’s state are called “assertions”. While assertions are confirmable after 1 challenge period, malicious actors can open many challenges to delay confirming these assertions in a type of attack known as a delay attack. BOLD guarantees that all assertions, if there is a dispute using the validating bridge contract, will be confirmed within a fixed time window of 2 challenge periods (~6.4 days each), 2 day grace period for the security council to intervene, and a small delta for computing challenges.

  • Security Council Safety-First Approach - There is a set of contracts on Ethereum known as the OneStepProver contracts. These contracts are used to declare a winner in a challenge by producing the correct L2 state given the single step of WASM execution being disputed. As mentioned above, a 2 day “grace period” (also called the “challenge grace period”) exists at the end of a dispute for the Security Council to intervene if there are any severe bugs in the OneStepProver contracts. The grace period is configurable by the ArbitrumDAO and initially set to 2 days.

Rationale

Enabling permissionless validation has been a long term goal of Arbitrum on the progressive journey towards decentralization.

BOLD mitigates the risk of delay attacks on Optimistic Rollups by ensuring challenges can be resolved within a fixed time period so long as there is an honest party involved. This particular change unlocks permissionless validation, enabling any well-resourced honest party or parties to defend and protect Arbitrum from malicious actors. All Arbitrum nodes are like watchtowers - honest validators by default and are able to catch fraudulent claims, and act if so desired.

More specifically, this AIP for bringing BOLD to Arbitrum chains is:

  • Ethereum-aligned: Arbitrum, with BOLD validation, will continue to rely on Ethereum for transaction data and the arbitration of disputes. Additionally, in line with Ethereum’s commitment to being open to everyone, Arbitrum will become more decentralized and trustless since participation to secure the network (i.e. validation) will be entirely permissionless and open to everyone who wishes to participate.

  • Sustainable: The BOLD protocol is a long-term dispute resolution protocol to secure Arbitrum chains. Additionally, there are already future investments and research expected following the initial launch, to ensure BOLD and its security guarantees evolve alongside the Arbitrum protocol, technology, and community.

  • Secure: The BOLD protocol is an intentional and strict improvement to the security model of Arbitrum chains. Arbitrum rollup chains, with BOLD validation, will continue to rely on Ethereum for data availability of transaction data and the arbitration of disputes.

  • Socially inclusive: Should this AIP be adopted, permissionless validation using BOLD will allow any entity, individual, or team in the community to participate constructively in securing Arbitrum. Validation is not restricted to a single address, as BOLD considers all entities that are proposing honest claims to be part of the same team. Where one honest validator may fall off, another one can take up its same responsibility.

  • Technically inclusive: The BOLD protocol specification is publicly available on Github here. The technology is permitted for use by anyone (i.e. permissionless) for the sole purpose of operating and developing an Arbitrum Nitro Instantiation.

  • User-focused: If this AIP is adopted, both users and dApp project developers on Arbitrum One and Nova alike will not need to take any additional action to reap the benefits of BOLD. BOLD will be working silently “under the hood” to ensure safe withdrawals and secure, permissionless validation.

  • Neutral and open: BOLD has been and will continue to be “built in the public”, in line with how Orbit and Stylus are being developed. This AIP is made in good faith to be neutral, transparent, factual, and open for anyone in the community to critique and inspect.

Implementation, Formal Specification, and Safety Proofs

The following link, BOLD Implementation Deep Dive, explains how BOLD is implemented and how it works at a high level. To read about the formal specification and mathematical safety proofs for the protocol, check out the official BOLD whitepaper.

Overview of BOLD’s Economics and Spam Prevention

This section describes the bonding mechanism behind Arbitrum BOLD at a high level. The following link, Economics of Disputes in Arbitrum BOLD, offers greater details on the rationale behind the proposed bond sizes, why bonds are important, and how to think about their magnitude in the context of designing a dispute resolution protocol.

Based on feedback, we wanted to clarify the various roles and expectations for those participating in bold validation -

By default, all Arbitrum nodes are validators that will track the progress of the chain to verify assertions being posted to the parent chain to flag if an invalid assertion is observed. Running this type of validator is permissionless today and does not require any bond. Running a validator in this mode is also known as a “watchtower” node.

BOLD lets validators permissionlessly become proposers and challengers if they want to. The role of a proposer is required to help progress the chain which requires bonding ETH, proposing and then posting state assertions to the parent chain. This bond is known as an “assertion bond”. The chain only needs 1 proposer to make progress. Therefore, most validators can watch the chain and independently verify assertions without being a proposer.

In the unhappy case where there is a dispute about a proposed state assertion, BOLD lets anyone permissionlessly put up a bond of ETH to open challenges in the defense of Arbitrum (in their capacity as a challenger to invalid state assertions). This bond is known as a “challenge bond”.

Given that participation in BOLD is permissionless, we recommend that the size of bonds required to participate be high enough to disincentivize malicious actors from attacking Arbitrum One and Nova and to mitigate against spam (that would otherwise delay confirmations up to approximately 1 challenge period). High bonding values do not harm decentralization because (1) trustless bonding (or staking) pools can be deployed permissionlessly to open challenges and post assertions, and (2) any number of honest parties of unknown identities can emerge to bond their funds to the correct assertion and participate in the defense of Arbitrum at any time within a challenge. As with the current dispute resolution protocol, there are no protocol level incentives for parties who opt in to participate in validating Arbitrum One and Nova with BOLD.

While both of these bonds can be any ERC20 token and be set to any size, this proposal recommends the use of the WETH ERC20 token & the following bond sizes:

  • Assertion bonds: 3600 ETH - required from validators to bond their funds to an assertion in the eventual hopes of having that assertion be confirmed by the rollup protocol. This is a one-time bond required to be able to start posting assertions. This bond can be withdrawn once a validator’s assertion is confirmed and can alternatively be put together via a trustless bonding pool.

  • Challenge-bonds, per level: 555/79 ETH (UPDATED) - required from validators to open challenges against an assertion observed on Ethereum, for each level. Note that “level” corresponds to the level of granularity at which the interactive dissection game gets played over, starting at the block level, moving on to a range of WASM execution steps, and then finally to the level of a single step of execution. These values were carefully calculated to optimize for the resource ratio and gas costs in the event of an attack, as explained in Economics of Disputes in Arbitrum BOLD and the BoLD whitepaper. This effectively means that an entity that has already put up a bond to propose an assertion does not need to put up a separate bond to challenge an invalid state assertion that they observe. These bonds can be refunded at the end of a challenge and can also alternatively be put together by the community using a trustless bonding pool.

The following link, Economics of Disputes in Arbitrum BOLD, covers the rationale behind the design and recommended values above in greater detail. Note that the ArbitrumDAO can change these values and the type of asset used for the bonds via a governance proposal.

BOLD makes permissionless validation possible for Arbitrum rollup chains and marks a major step towards full decentralization. This significant milestone also lays the groundwork for productive discussions about future economic incentives for those participating in the protocol since anyone can participate.

Rewards, Reimbursements, and penalties in BoLD

Once all of a validator’s proposed assertions are confirmed, a validator can withdraw their bond in full. Other costs spent by the honest parties to defend Arbitrum, such as the L1 gas costs and the challenge bonds, are fully refundable following confirmation of all sub-challenges. Challenge bonds will be automatically refundable in-protocol while L1 gas costs will be reimbursed by the Arbitrum Foundation using a procedure that will be published at a later date. All costs spent by malicious actors, including the assertion bond, are confiscated and sent to an ArbitrumDAO controlled address.

All eligible entities who wish to be paid a reward or be reimbursed by the ArbitrumDAO or the Arbitrum Foundation must undergo the Arbitrum Foundation’s KYC process.

Service fee for “Active” proposers

We propose that the ArbitrumDAO pay a service fee to active top-level proposers as a way of removing the disincentive for participation by honest parties who bond their own capital and propose assertions for Arbitrum One. The fee should be denominated in ETH and should correlate to the annualized income that Ethereum mainnet validators receive, over the same time period. At the time of writing, the estimated annual income for Ethereum mainnet validators is approximately 3% to 4% of their stake (based on CoinDesk Indices Composite Ether Staking Rate (CESR) 2 benchmark and Rated.Network 1). This fee is not a “reward” for the same reasons why the protocol does not reward honest parties with the funds confiscated from a malicious actor 2.

This service fee can be paid out upon an active proposer’s top-level assertion being confirmed on Ethereum and will be calculated using the duration of time that the proposer was considered active by the protocol. The procedure that calculates this will be handled off-chain, using a procedure that will be published at a later date. BOLD makes it permissionless for any validator to become a proposer and also introduces a way to pay a service fee to honest parties for locking up capital to do so. Validators are not considered active proposers until they successfully propose an assertion with a bond.

In order to become an active proposer for Arbitrum One, post-BOLD, a validator has to propose an L2 state assertion to Ethereum. If they do not have an active bond on L1, they then need to attach a bond to their assertion in order to successfully post the assertion. Subsequent assertions posted by the same address will simply move the already-supplied bond to their latest proposed assertion. Meanwhile, if an entity, say Bob, has posted a successor assertion to one previously made by another entity, Alice, then Bob would be considered by the protocol to be the current active proposer. Alice would no longer be considered by the protocol as the active proposer and once Alice’s assertion is confirmed, then Alice gets her assertion bond refunded. There can only be 1 “active” proposer at any point in time.

Rewards and Reimbursements for Defenders

The service fee described above is meant to incentivize or reimburse an honest, active proposer for locking up their capital to propose assertions and advance the chain. Similarly, in the event of an attack, a reward is proposed to be paid out to honest defenders using confiscated funds from malicious actors.

Specifically, 1% (one percent) of the confiscated funds from a malicious actor is proposed to be rewarded to honest parties who deposit a challenge bond and post assertions as part of a sub-challenge, proportional to the amount that a defender has put up to defend a correct state assertion during the challenge. This reward is approximately 42.34 ETH per challenge (1% of confiscated bonds) that goes to the honest parties who have locked up 634 ETH in challenge bonds. Note that any gas costs spent by honest parties to defend Arbitrum One during a challenge is 100% refundable by the Arbitrum Foundation. In this model, honest defenders and proposers of Arbitrum One stand are incentivized to participate while malicious actors stand to lose everything they spent attacking Arbitrum One.

Defenders are only eligible for this reward if they deposit a challenge bond (555 or 79 ETH, depending on the level), posted an on-chain assertion as part of a sub-challenge (i.e. not the top-level assertion), and have had their on-chain sub-challenge assertion get confirmed by the protocol. The calculation for this reward is conducted off-chain by the Arbitrum Foundation and payment will be made via a DAO vote (since confiscated funds go to a DAO-controlled address).

The topic of further improvements and new economic and incentive models for BOLD are valuable and we believe it deserves the full focus and attention of the community via a separate proposal/discussion - decoupled from this proposal to bring BOLD to mainnet. Details around additional or new proposed economic or incentive models for BOLD will need continued research and development work, but the deployment of BOLD as-is represents a substantial improvement to the security of Arbitrum even without economic-related concerns resolved.

This proposed service fee would not apply to entities that use the DAO’s funds to become a proposer, if the proposal passes. The DAO may choose, via governance, to fund other parties or change this reward or service fee model at any time.

Technical risks

Some of the technical risks of the BOLD upgrade include:

  • Issues preventing liveness of challenges due to smart contract bugs in the new contracts. For instance, no honest validator able to make a move when it should be able to;
  • Safety issues where a malicious party is able to game the system and win due to logic errors in smart contracts;
  • Logic bugs in the assertion smart contracts that could affect assertion confirmation and posting, which could delay withdrawals until it is fixed; and
  • Bugs in bonding logic in the smart contracts that could lead to loss of funds due to logic errors in the Arbitrum Rollup and challenge manager smart contracts.

Risks that remain the same between the current Arbitrum Rollup protocol and BOLD

  • Bugs in the one step proof logic: BOLD does not change how one step proofs work for Arbitrum chains.

Timeline and steps to implement BOLD for Arbitrum One and Nova

Below is a list of initiatives to ensure the new BOLD dispute resolution protocol is ready to be reviewed and ready to be voted on by the ArbitrumDAO for adoption in Arbitrum One and Arbitrum Nova. Feedback from the community and any findings from testing will be collected and used to inform decisions and evolve BOLD along the way.

  1. Deployment of a public testnet with BOLD validators for a minimum of 4 weeks, meant to ensure BOLD gets tested against conditions closer to what would be seen on mainnet (e.g. complexity of txns, traffic volume, larger and diverse validator sets, L1 testnet with real usage, etc).

  2. Please check out this guide on how to deploy a BOLD validator on the testnet to begin testing out permissionless validation using Arbitrum technology!

  3. The submission of the AIP in the format of a forum post. [This post]

  4. Audit of the protocol’s implementation by Trail of Bits 6

  5. Hosting of a governance call to talk about BOLD to answer questions from the community about BOLD and this AIP.

  6. A formal temperature check proposal to activate BOLD on Arbitrum’s Sepolia for a minimum of 4 weeks. be made via a snapshot vote, as per Phase 1 in the The Lifecycle of an Arbitrum Improvement Proposal 2.

  7. Kick-start a public audit program 1 (running between May 10 - 27, 2024).

  8. Finalize pre-mainnet requirements, including:

  • a. Publication of BOLD migration documentation for existing validators;
  • b. Deployment of a monitoring stack to view on-going challenges on an Arbitrum chain; and
  • c. Publication of a formal procedure for The Arbitrum Foundation to handle L1 gas costs reimbursements for honest parties.
  1. Formal AIP gets submitted to Tally. A call-for-voting will be made, as per Phase 2 in The Lifecycle of an Arbitrum Improvement Proposal 2.

  2. Should the formal on-chain proposal pass, BOLD will activate on Arbitrum One and Nova following Phase 7 of the Lifecycle of an Arbitrum Improvement Proposal 2 flow.

BOLD is now deployed on a permissionless public testnet as of April 15, 2024 that settles to Ethereum Sepolia. Should the corresponding governance proposals pass, the target timelines for BOLD to get activated on Arbitrum Sepolia is late Spring 2024 and then eventually Arbitrum One and Nova sometime in Summer 2024. These dates are tentative targets that will depend on a number of factors, including the governance vote outcomes, audit findings, and feedback from the ArbitrumDAO community.

Recommendation for Arbitrum Nova

Although this AIP proposes that both Arbitrum One and Nova upgrade to use BOLD, we recommend for the removal of the allowlist of validators for Arbitrum One while keeping Nova permissioned with a DAO-controlled allowlist of entities - unchanged from today. This update was made for two reasons.

First, Arbitrum Nova’s TVL is much lower than Arbitrum One’s TVL, (~$17B vs. ~$46M at the time of writing, from L2Beat). This means that the high bond sizes necessary for preventing spam and delay attacks would make up a significant proportion of Nova’s TVL - which we believe introduces a centralization risk as very few parties would be incentivized to secure Nova. A solution here would be to lower the bond sizes, which brings us to the second reason: lower bond sizes reduce the costs of delay grieving attacks (where malicious actors delay the chain’s progress) and therefore hurt the security of the chain. We believe enabling permissionless validation for Nova is not worth the capital requirement tradeoffs, given the unique security model of AnyTrust chains. .

Notably, since Arbitrum Nova’s security already depends on at least one DAC member providing honest data availability, trusting the same committee to have at least one member provide honest validation does not add a major trust assumption. This requires all DAC members also to run validators. If the DAC is also validating the chain, a feature the Offchain Labs team has been working on, Fast Withdrawals, would allow users to withdraw assets from Nova in ~15 minutes, or the time it takes to reach L1 finality. This is made possible by the DAC attesting to and instantly confirming an assertion. Fast Withdrawals will be the subject of a separate AIP.

Overall Cost

There is no cost for this proposal to the ArbitrumDAO as Offchain Labs, Inc. will incur all engineering and audit costs to complete the implementation of BOLD and get this new dispute resolution protocol into a mainnet-ready state. Engineering efforts to prepare BOLD for mainnet, as documented in the Steps to Implement section above will be owned by Offchain Labs, Inc. Currently, future development work for BOLD is expected to also be undertaken by Offchain Labs, Inc.

References

Where to Learn More about BOLD?

  • There have been two governance calls on this proposal to date. You can see the meeting recordings here: governance call #1 and governance call #2

  • Listen to the AMA recording on ‘Uncovering BOLD & Permissionless Validation’ that took place on April 18, here: x.com

FAQ document

Upon having conversations with stakeholders in the DAO and wider ecosystem, we’ve consolidated together of frequently asked questions (FAQ) and answers here. This FAQ document will be iteratively updated as and when more common questions are raised.

13 Likes

Great progress towards security and decentralization, congrats.

I am interested in cryptoeconomics behind the values of ETH for posting assertions. It seems unreasonably high considering mainnet validator costs only 32eth. I understand there needs to be a spam prevention but this seems like quite a lot. Are there any plans on lowering it, creating pools or so? Incentive to lock in this much capital must be also very high.

1 Like

I have been following the Bold testnet with interest since it started because i beleive this will be an important step for Arbitrum.

There are some suggestions that come to my mind on this subject. Can the required token for the validator be set to $ARB and can network $eth revenues be distribute for validator incentive?
According to game theory, this structure may be the most ideal for a sustainable economic future.

1 Like

Based on feedback received from the community, an amendment was made to the proposal to clarify that validation of Arbitrum chains using BOLD has and continues to be permissionless, with no bond or stake required. BOLD let’s any one of those validators put up a bond of ETH to become proposers and challengers of state assertions about the L2 state.

By default, all Arbitrum nodes are validators that will track the progress of the chain to verify assertions being posted to the parent chain to flag if an invalid assertion is observed. Running this type of validator is permissionless today and does not require any bond. Running a validator in this mode is also known as a “watchtower” node.

BOLD lets validators permissionlessly become proposers and challengers if they want to. The role of a proposer is required to help progress the chain which requires bonding ETH, proposing and then posting state assertions to the parent chain. This bond is known as an “assertion bond”. The chain only needs 1 proposer to make progress. Therefore, most validators can watch the chain and independently verify assertions without being a proposer.

In the unhappy case where there is a dispute about a proposed state assertion, BOLD lets anyone permissionlessly put up a bond of ETH to open challenges in the defense of Arbitrum (in their capacity as a challenger to invalid state assertions). This bond is known as a “challenge bond”.

2 Likes

This is good. The fact that L3s can leverage the protocol is even better.

Regarding the reward for validators, I totally understand the logic of preventing competition but still feel a percentage of the funds from the malicious actors should go to the validators. What that percentage will be, I am not sure but these are some of the things we could brainstorm on.

Also, going over the economics on Github, I came across this:

Screenshot (374)

Just curious, is it possible for an attacker to go above the security budget? and what happens then? Not so clear on that.

1 Like

There has been an edit under the Reimbursements and Penalties section , and there is an investigation is underway determine the feasibility of automatically calculating and performing challenge bond refunds on-chain, and so have made an update to the AIP to be transparent.

Previously, a manual procedure was to be published for the Arbitrum Foundation to use to calculate and handle both challenge bond reimbursements and L1 gas costs. L1 gas costs refunds are still expected to be handled by the Arbitrum Foundation. We intend to update the AIP once more when the investigation concludes.

3 Likes

Like most, I’m very excited to see this finally hit the forum ~ it’s a huge step forward towards having truly decentralised rollups. My only question is regarding the ERC20 bond - is there an specific reason why a token like WETH would be preferable over ARB? Is it a matter of safety, liquidity, volatility etc?

4 Likes

Exciting times folks - Arbitrum will soon upgrade to Stage 2.

I am equally happy to know that all Orbit chains can follow the same path: this truly positions the Arbitrum ecosystem on another level and we, as a DAO, should do our best to highlight & promote this paradigm shift.

As per BOLD itself, no specific concerns from my side.
I’ll be voting FOR in the upcoming Snapshot to move to the testnet phase.

2 Likes

Hey @cattin,

I believe that from the standpoint of economic safety (i.e claims posted by Arbitrum validators on Ethereum are valid and there is a financial disincentive for errors/malicious behaviors), it makes sense to require a ≈$2 million bond from those who wish to validate transactions for the Arbitrum network. The presence and bonding of at least one honest validator/assertion poster is necessary for the chain’s security. The significant cost of this bond acts as a discouragement against unnecessary delays in processing Arbitrum One withdrawals, especially since a dispute would extend the withdrawal time by an additional week beyond the already existing one-week timeframe for standard withdrawals.

Provided that disputes can be resolved and we have functional “bonding pools” that operate without the need for trust, the integrity of the Arbitrum chain is maintained. WETH is commonly seen as a store of value asset, and as such, it tends to experience less price fluctuation compared to assets like ARB, making it an appropriate choice as a bonding asset. With that being said, the DAO holds the power to modify the required assets and the amounts for bonding in the future, should it be necessary.

8 Likes

There have been 3 updates to the proposal that we want to flag out to the DAO -

  1. Challenge Grace Period extended to 2 days
    The “challenge grace period” has been extended from 1 day to 2 days. This is to give the Security Council additional time to intervene in case of an emergency and to fulfill its role in making time-sensitive and emergency response decisions to protect the interests of the DAO, its members, and the broader Arbitrum community.

  2. Requirement for posting assertions and opening a block-level challenge
    This effectively means that an entity that has already put up a bond to propose an assertion does not need to put up a separate bond to challenge an invalid state assertion that they observe. Specifically, the proposal now requires a one-time bond of 3600 ETH to allow a proposer to both propose top level assertion AND open a block-level challenge (if they need to), with 1000/100/10 ETH remaining as the tiered bond sizes for each challenge level. This is a change from the previous requirements where a one-time bond of 1500 ETH was needed for the top-level assertion bond while an additional 3600 ETH was needed for opening a block-level challenge, followed by challenge bond sizes of 1000/100/10 ETH for each subsequent sub-challenge level.

  3. FAQ Document
    We have put together an iterative FAQ document upon having conversations with stakeholders in the DAO and wider ecosystem here. This FAQ document will be updated as the DAO continues to have conversations and questions about BOLD.

5 Likes

Reminder: There will be a governance call about this proposal today!

1 Like

Here is a link to the meeting recording: BOLD & Permissionless Validation - Governance Call (2024-04-25 16:05 GMT+1) - Google Drive

2 Likes

There have been 2 subsequent updates to the proposal that we would like to flag out to the DAO -

  1. Adding a Service fee for “Active” proposers

We propose that the ArbitrumDAO pay a service fee to active proposers as a way of removing the disincentive for participation by honest parties who bond their own capital and propose assertions for Arbitrum One. The fee should be denominated in ETH and should correlate to the annualized income that Ethereum mainnet validators receive, over the same time period. At the time of writing, the estimated annual income for Ethereum mainnet validators is approximately 3% to 4% of their stake (based on CoinDesk Indices Composite Ether Staking Rate (CESR) benchmark and Rated.Network ). This fee is not a “reward” for the same reasons why the protocol does not reward honest parties with the funds confiscated from a malicious actor.

This service fee can be paid out upon an active proposer’s assertion being confirmed on Ethereum and will be calculated using the duration of time that the proposer was considered active by the protocol. The procedure that calculates this will be handled off-chain, using a procedure that will be published at a later date.BOLD makes it permissionless for any validator to become a proposer and also introduces a way to pay a service fee to honest parties for locking up capital to do so. Validators are not considered active proposers until they successfully propose an assertion with a bond.

In order to become an active proposer for Arbitrum One, post-BOLD, a validator has to propose an L2 state assertion to Ethereum. If they do not have an active bond on L1, they then need to attach a bond to their assertion in order to successfully post the assertion. Subsequent assertions posted by the same address will simply move the already-supplied bond to their latest proposed assertion. Meanwhile, if an entity, say Bob, has posted a successor assertion to one previously made by another entity, Alice, then Bob would be considered by the protocol to be the current active proposer. Alice would no longer be considered by the protocol as the active proposer and once Alice’s assertion is confirmed, then Alice gets her assertion bond refunded. There can only be 1 “active” proposer at any point in time.

The topic of economic and incentive models for BOLD are valuable and we believe it deserves the full focus and attention of the community via a separate proposal/discussion - decoupled from this proposal to bring BOLD to mainnet. Details around proposed economic or incentive models for BOLD will need continued research and development work, but the deployment of BOLD as-is represents a substantial improvement to the security of Arbitrum even without economic-related concerns resolved.

This proposed service fee would not apply to Offchain Labs, if the proposal passes. The DAO may choose, via governance, to fund other parties or change this service fee model at any time.

  1. Including a Recommendation for Arbitrum Nova section

Although this AIP proposes that both Arbitrum One and Nova upgrade to use BOLD, we recommend for the removal of the allowlist of validators for Arbitrum One while keeping Nova permissioned with a DAO-controlled allowlist of entities - unchanged from today. This update was made for two reasons.

First, Arbitrum Nova’s TVL is much lower than Arbitrum One’s TVL, (~$17B vs. ~$46M at the time of writing, from L2Beat). This means that the high bond sizes necessary for preventing spam and delay attacks would make up a significant proportion of Nova’s TVL - which we believe introduces a centralization risk as very few parties would be incentivized to secure Nova. A solution here would be to lower the bond sizes, which brings us to the second reason: lower bond sizes reduce the costs of delay grieving attacks (where malicious actors delay the chain’s progress) and therefore hurt the security of the chain. We believe enabling permissionless validation for Nova is not worth the capital requirement tradeoffs, given the unique security model of AnyTrust chains. .

Notably, since Arbitrum Nova’s security already depends on at least one DAC member providing honest data availability, trusting the same committee to have at least one member provide honest validation does not add a major trust assumption. This requires all DAC members also to run validators. If the DAC is also validating the chain, a feature the Offchain Labs team has been working on, Fast Withdrawals, would allow users to withdraw assets from Nova in ~15 minutes, or the time it takes to reach L1 finality. This is made possible by the DAC attesting to and instantly confirming an assertion. Fast Withdrawals will be the subject of a separate AIP.

3 Likes

Taking into account all the listed changes, this proposal can have a positive impact on the development of Arbitrum.
The only thing that confuses me is the Stylus. In the Stylus thread you did not answer my questions about the implementation, namely:

  • Due to the fact that each node must be identical, how to implement this?
  • What if one node is without Stylus, how will it process contracts executed for Stylus?

Could you elaborate on the 3% to 4% APR? Specifically, is the 3% applied to the amount bonded? like say 3% of 3600 ETH? If that’s the case, the WETH would be locked and thus unable to yield. So, which assets are used to generate this yield? Would it involve some ETH from the Arbitrum bridge?

As you mentioned, there can be only one proposer at any given time. How does this affect bonding pool scenarios? Specifically, since the active proposer is refunded but also depends on bonds from other pool members, what does the reimbursement mechanism look like?

for those who have left queries in the comments, do check out the BOLD FAQ document which is being continuously updated :slight_smile:

Also, there will be a follow up Governance Call on this proposal, as requested in the first call, on Tuesday May 7, 17:00 UTC

BOLD & Permissionless Validation - Governance Call #2
Tuesday, May 7 · 5:00 – 6:00pm
Time zone: UTC
Google Meet joining info
Video call link: https://meet.google.com/hgm-ajns-rxx

2 Likes

What are the estimations for $C_\max$ and $delta$? My understanding is that (using single-level BoLD and ignoring update moves for simplicity) $C_\max + (\delta + 1)(k_\max + 2)$ is well below 50’400 blocks (~7 days), but it would be interesting to see any sort of analysis with real data. What about Orbit L3s though? The Arbitrum One protocol can currently censor and delay each move via the DelayedInbox up to 24h, meaning that now $(\delta+1)(k_\max+2)$ is at least 45d or 89d counting update moves. How can L3s be made secure? Also, other L2s could have worse censorship properties. In general, there should be some guidance on how to approach these situations and appropriately choose values.

p.s. (meta) please add math plugin :slight_smile:

1 Like

You are going to make a big mistake by preferring $WETH rather than the native $ARB token. Thus, you emphasize the uselessness and meaninglessness of the $ARB token, except for selling it for your personal purposes. You need to urgently introduce some kind of utility for $ARB while you still can. Every time, it turns out that Optimism + Base is already ahead of Arbitrum in all metrics except TVL. Your community is starting to run away to them. You have already lost most of the Turkish and Asian community, who claim that the OffChain Labs team is unscrupulous. You have a great chance to include $ARB in the game, but instead, you prefer $WETH.

No one is stopping you from arranging a vote and doing this
However, there are several reasons to use WETH,
And yes, you’re right about ARB utility - it will be better for community, not necessarily for these cases, which may never happen in life

1 Like

Here is the link to the meeting recording: BOLD & Permissionless Validation - Governance Call #2 (2024-05-07 18:05 GMT+1) - Google Drive