AIP: BOLD - permissionless validation for Arbitrum

@openzeppelin was asked by the ARDC to review the BOLD AIP to provide security feedback. Overall, we are very pleased and impressed with the level of thoroughness with which the Offchain Labs team and Arbitrum community has discussed the risks of BOLD.

We explored concerns with the handling of confiscated funds as well as the future need to monitor and update BOLD parameters as economic conditions change. You can read the details of our analysis in the report below:


We are voting for this proposal. We believe it increases security of protocol in long term.


Blockworks Research will be voting FOR implementing the BoLD upgrade, as well as bootstrapping the first BoLD validator to be operated by the Foundation and covering BoLD-associated OpEx, on Snapshot.

We naturally support the upgrade to increase Arbitrum’s security and decentralization, while taking off any remaining “training wheels,” as Vitalik calls them. We’re also supportive of allocating capital to the Foundation to become the first proposer for Arbitrum One, as this is clearly required for the system to function from the start and the Foundation’s incentives are to act honestly in its role as a BoLD validator. Apologies if this has already been discussed, but could a situation arise, especially when BoLD is in its infancy, where the Foundation needs more than one challenge’s worth of capital to ensure the system functions properly? If so, it might be sensible to extend a larger amount of capital to bootstrap the validator. Finally, we agree that BoLD validators should be paid service fees and L1 gas costs should be refunded, especially in the beginning to attract a wider set of participants.


The Princeton Blockchain Club is voting FOR bringing BoLD to Arbitrum One at the Snapshot Stage.

By bringing BoLD to mainnet, we finally move away from permissioned validation, and get one step closer to being called a Stage 2 rollup.

The recommendation about keeping Nova permissioned makes sense though - the capital requirements are high for the current TVL. (Looking forward to the Fast Withdrawal AIP btw!)

The OpenZeppelin report on future economic risks is definitely something other delegates should look into - seems like there’s a decent amount of monitoring and tweaking to be done in the future. But for now, we’re excited to finally see this version of BoLD live shortly!


To answer your question upfront: No. The Foundation does not need more than one challenge’s worth of capital to ensure the system functions properly. The first reason is because anyone can permissionlessly step in to help defend challenges for Arbitrum One in support of or in place of the Arbitrum Foundation. This is possible because a given L2 state is entirely deterministic - meaning that there can only be a single, correct L2 assertion at any point in time. So long as an honest party bonds their capital to and defends that single, correct L2 assertion, then they will win disputes. Secondly, Arbitrum BoLD supports trustless bonding pools that can be automatically deployed to crowdsource funds together in response to a challenge. Using bonding pools is permissionless and requires no minimum ETH amount to participate. This ensures that even in the unlikely event that more than 1 challenge occurs per year, there is a safe and independently audited way for anyone to participate anonymously. Lastly, a “defender’s bounty” reward is proposed in this AIP to reward honest defenders (who deposit challenge bonds in the protocol in defense of Arbitrum) with 1% of the confiscated bonds from a dishonest party. This incentive is in place to ensure that even if the Arbitrum Foundation does not mount a defense, other parties are incentivized to do so since the reward is potentially unbounded (more challengers = more rewards). It is also worth noting that the Arbitrum Foundation is not eligible for this “defender’s bounty”.

It should be noted that while the initial operational amount requested is 1 challenge worth of capital per year, it is not expected that challenges will occur. This is because: (a) dishonest parties who challenge the single, correct L2 assertion will lose all of their funds, (b) a large, upfront bond requirement of 3600 ETH is needed to even open a challenge, and (c) the Arbitrum Security Council has a window to review and intervene at the end of a challenge to ensure only the correct L2 state root gets confirmed. The combination of (a), (b), and (c) are expected to act as technical and economic disincentives to deter bad actors who wish to attack Arbitrum One.


There is an existing and well established precedent of the ArbitrumDAO paying teams to provide services to the ArbitrumDAO governed chains. Specifically, Arbitrum Nova validators and Arbitrum Nova DAC members are compensated with 12% and 8% of the L2 base fee collected from the sequencer, respectively. In general, the ArbitrumDAO is the owner of Arbitrum One and Arbitrum Nova - responsible for the chain’s upkeep, maintenance, security, and deployment of capital accrued via fees in support of the chains’ growth and adoption.

Since BoLD enables permissionless validation, there is no requirement for the Arbitrum Foundation to participate or for the ArbitrumDAO to fund any such party to participate in securing and advancing the chain. It follows then that anyone can volunteer to step up and fulfill the important role of an active proposer for Arbitrum One. Furthermore, anyone is welcome to propose, to the ArbitrumDAO, that these funds be spent on other initiatives or to support other entities. In this particular instance, the Arbitrum Foundation is proposing to step up and fulfill this role using the ArbitrumDAO’s funds. There is no expectation of reward either - this action is purely voluntary because some entity needs to fulfill this role for Arbitrum One. As mentioned in the forum post, taking no action means that the ArbitrumDAO holds the risk that no entity will fulfill the role of being the first honest party to advance & secure Arbitrum One.

Should you and your team continue to believe this to be an issue, we are confident that the community will be receptive to discuss alternative proposals for how to bootstrap the first BoLD validator for Arbitrum One.

Below is the rationale of the UADP for all three BoLD Snapshots:

We voted For all three of the BoLD proposals because they mark a crucial evolution for Arbitrum, significantly boosting the network’s security and decentralization.

AIP: BoLD - permissionless validation for Arbitrum:
Introducing permissionless validation allows any honest participant to help defend the network, thereby reducing our reliance on a small group of validators. This is pivotal in mitigating delay attack risks and ensuring faster, more secure dispute resolutions, aligning with best practices in optimistic rollup protocols.

However, the high bond requirements could create a barrier for smaller participants, but the Economics paper outlines that “bond sizes be high enough to discourage challenges from ever being opened at all, as evil parties will always stand to lose when playing the game” which in our opinion is a good incentive-based justification. The complexity of the dispute resolution process and the need for extensive off-chain computation could introduce operational challenges. Balancing bond costs and preventing spam while ensuring sufficient participation and security is a complex economic issue that requires careful adjustment.

AIP: Funds to bootstrap the first BoLD validator - Bond sentiment & AIP: Funds to bootstrap the first BoLD validator - Operational cost sentiment.

We voted For these two proposals as well. There needs to be an aligned actor to ensure that this system works with integrity, and having the serving as the first one makes a lot of sense. We also appreciate the checks and balances approach being taken by the Foundation: “The ArbitrumDAO will have the authority to single-handedly return the funds to the ArbitrumDAO treasury by revoking the Arbitrum Foundation’s proposer at any time and returning the bonds back to the treasury.” The operational cost, 500 ETH for service fees and 400 ETH for L1 gas costs, seems fairly earmarked but perhaps a bit high. Since the AF will not be entitled to any service fees, that helps with potentially receiving more back after the 3 year period. We’d appreciate how this budget fluctuates over time. It’s better to have a larger buffer in place anyways, so this seems fair.


DAOplomats voted “For” in all three proposals on BoLD.

AIP: BoLD - Permissionless Validation for Arbitrum
Arbitrum BoLD is an essential next step towards complete decentralization. With eyes set on Stage 2, it is only pleasing to see this implementation come to fruition. Besides security, setting this high bar for bad actors makes total sense. We have also gone through the rationale of compensating in ETH as opposed to ARB and we are in support.

AIP: Funds to Bootstrap the First BoLD Validator - Bond Sentiment.
We were in support of releasing the funds requested to the Foundation. Also, seeing that the BoLD upgrade requires at least one active proposer at any point in time, we were happy to allow the Foundation to be the first to take up this responsibility.

AIP: Funds to Bootstrap the First BoLD Validator - Operational Cost Sentiment
Finally, we were in support of this proposal to cater for the costs needed to reimburse L1 gas fees as well as the 500 ETH service fees. Due to the nature of the BoLD upgrade, it does sound logical to both reimburse participants and incentivize them for actively working to progress the chain.


It is important to highlight that as part of the initial BoLD 1.0.0 release, there is a Delay Buffer feature, which aims to limit the negative effects of:

  • prolonged parent chain censorship,
  • prolonged sequencer censorship, and/or
  • unexpected sequencer outages.

A potential issue arises in the event that the parent chain is being repeatedly censored or if the L2 sequencer is offline, every block level assertion and/or sub-challenge assertion would need to wait 24 hours before they can bypass the sequencer (using the SequencerInbox’s forceInclusion method described here). If this were to happen, challenge resolution would be delayed by a time t where t = (24 hours) * number of moves for a challenge. To illustrate with sample numbers, if a challenge takes 50 sequential moves to resolve, then the delay would be 50 days.

The Delay Buffer feature mitigates this by implementing some time threshold that is decremented when unexpected delays occur. Once that time threshold is met, the force inclusion window is lowered - effectively enabling entities to make moves without the 24 hour delay-per-move.

Under reasonable parameterization, the sequencer could be offline / censoring for 24 hours twice, before the force inclusion window is effectively dropped from 24 hours to a minimum inclusion time. The force inclusion window gradually (over weeks) replenishes to its original value over time as long as the sequencer is on “good behavior” - regularly sequencing messages without unexpected delays.

Here are the initial parameter values, which might change slightly as there are still active discussions:

  • delay buffer B = 14400 L1 blocks (2 days)
  • threshold T = 150 L1 blocks (30 minutes)
    • well above our typical posting frequency
  • replenish rate r = 5%, meaning 1 day is replenished every 20 days, or roughly a 95% uptime
  • delayBlock D = 7200 (1 day)

We believe that the Delay Buffer feature provides stronger guarantees of censorship resistance for Arbitrum chains. As always, Orbit chain owners can change the default parameters as they see fit for their use case.

The Delay Buffer feature was not specifically elaborated on in the original temperature check which passed on Snapshot, and since it will be included in the Tally vote, we want to ensure that it is being highlighted.

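The Delay Buffer mechanics described in the post above, as an added toy model that is not Offchain Labs' Nitro code: the accounting (charge only the delay beyond T, credit r per block of good behaviour, window = min(D, remaining buffer) floored at T) is a simplified reading of the post, and the class and function names are assumptions. The constructed scenario replays the post's own numbers: two 24-hour outages, then 20 quiet days.

```python
"""Toy model of the BoLD Delay Buffer (added illustration, not Nitro code).

Parameter values are the initial ones quoted in the post, in L1 blocks.
"""
from dataclasses import dataclass

BUFFER_MAX = 14400      # B: full buffer, 2 days of L1 blocks
THRESHOLD = 150         # T: delays up to 30 minutes are tolerated, not charged
REPLENISH_RATE = 0.05   # r: 1 block of buffer credited per 20 blocks of good behaviour
DELAY_BLOCKS = 7200     # D: default force-inclusion window, 1 day
BLOCKS_PER_DAY = 7200


@dataclass
class DelayBuffer:
    buffer: int = BUFFER_MAX
    last_block: int = 0

    def force_inclusion_window(self) -> int:
        # Assumed: the window is the smaller of the default delay and the
        # remaining buffer, and never drops below the tolerance threshold.
        return max(THRESHOLD, min(DELAY_BLOCKS, self.buffer))

    def on_message(self, block: int, delay: int) -> int:
        """Account for a message sequenced at L1 block `block` that waited
        `delay` blocks in the delayed inbox; returns the new window."""
        elapsed = block - self.last_block
        self.last_block = block
        # Blocks the sequencer spent behaving well replenish the buffer at rate r.
        good_blocks = max(0, elapsed - delay)
        self.buffer = min(BUFFER_MAX, self.buffer + int(good_blocks * REPLENISH_RATE))
        # Only the part of the delay beyond the threshold is charged against it.
        self.buffer = max(0, self.buffer - max(0, delay - THRESHOLD))
        return self.force_inclusion_window()


def challenge_delay_days(moves: int, window_blocks: int) -> float:
    """Worst-case challenge delay if every move must wait the force-inclusion window."""
    return moves * window_blocks / BLOCKS_PER_DAY


if __name__ == "__main__":
    db = DelayBuffer()
    # Constructed scenario: two back-to-back 24 h outages, then 20 quiet days.
    w1 = db.on_message(block=7200, delay=7200)
    w2 = db.on_message(block=14400, delay=7200)
    w3 = db.on_message(block=14400 + 20 * BLOCKS_PER_DAY, delay=0)
    print(w1, w2, w3)  # 7200 300 7200
    print(challenge_delay_days(50, DELAY_BLOCKS), challenge_delay_days(50, w2))
```

The second outage is what collapses the window, and the 50-move challenge that would take 50 days under a full window takes about two days once the buffer is drained.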

gm, voting in favor of the proposal on Tally, consistent with the reasons previously outlined.

I’m voting in favor on Tally for the same reasons that I have mentioned for the snapshot vote (AIP: BOLD - permissionless validation for Arbitrum - #58 by 0x_ultra)

I fully support the AIP BOLD proposal for permissionless validation on the Arbitrum chain. This move is crucial for enhancing both security and decentralization, aligning with the core principles of blockchain technology.

By allowing anyone to participate in validation without permission, we reduce the risk of centralization and empower a broader community of validators. The improved dispute resolution mechanism further strengthens the network’s reliability, ensuring that disputes are handled fairly and efficiently.

This proposal is a significant step forward for the Arbitrum ecosystem and its long-term sustainability.

I fully support the proposal, as it will increase the security and decentralization of Arbitrum. This is another step towards achieving Stage 2 of rollups.

We are in full support of the Arbitrum BoLD upgrade. BoLD introduces a next-generation dispute protocol that will enable permissionless validation for Arbitrum chains, marking a crucial step in advancing the ecosystem. By mitigating delay attacks and ensuring disputes are resolved within a fixed time window, BoLD brings greater security and decentralization to Arbitrum One and Arbitrum Nova.

This innovation aligns with the DAO’s goal of becoming a Stage 2 Rollup, allowing any honest party to validate and contribute to the integrity of the network. With its deployment on the public testnet, we are excited to see how this technology evolves and enhances the future of Arbitrum chains.