Note this is working (but fragile) code from Sep 2022 Medellin HackWasm. Feel free to bang on it to understand Mesh Security better. As of April 2023, we have started a new repo osmosis-labs/mesh-security, which will host work towards a full production-quality implementation of Mesh Security, written by the same developers and many more.
An implementation of Sunny's Mesh Security talk from Cosmoverse 2022.
This should run on any CosmWasm enabled chain. This is MVP design and gives people hands on use, that should work on a testnet. Open questions that need to be resolved before we can use this in production are listed below.
Please check out the architectural documentation, which gives a thorough view of all the components in a completed system.
You can also look at Sunny's original flipboard to get view of the various flows involved.
meta-staking- a bridge between the rest of the contracts and the x/staking module to provide a consistent, friendly interface for our use casemesh-lockup- a contract that locks tokens and allows lockers to issue multiple claims to other consumers, who can all slash that stake and eventually release their claimmesh-provider- an IBC-enabled contract that issues claims on an ILP and speaks IBC to a consumer. It is responsible for submitting slashes it receives from theslasherto theilpcontract.mesh-consumer- an IBC-enabled contract that receives messages fromibc-providerand communicates withmeta-stakingto update the local delegations / validator powermesh-slasher- a contract that is authorized by themesh-providerto submit slashes to it. There can be many types of slasher contracts (for different types of evidenses of misbehaviors)
High Level: You connect Osmosis to Juno and Juno to Osmosis. We will only look at one side of this, but each chain is able to be both a consumer and producer at the same time. You can also connect each chain as a provider to N chains and a consumer from N chains.
Let's analyze the Osmosis side of this. Osmosis is the provider of security to Juno. Once the contracts have been deployed, a user can interact with this as follows.
- User stakes their tokens in the
mesh-lockupcontract on Osmosis - User can cross-stake those tokens to a Juno
mesh-providercontract (on Osmosis), specifying how many of their tokens to cross-stake and to which validator - The Osmosis
mesh-consumercontract (on Juno) receives a message from the counterpartymesh-providercontract and updates the stake in themeta-stakingcontract (on Juno). - The
meta-stakingcontract checks the values and updates it's delegations tox/stakingaccordingly. (The meta-staking contract is assumed to have enough JUNO tokens to do the delegations. How it gets that JUNO is out of scope.)
- Anyone can trigger the Osmosis consumer contract to claim rewards from the
meta-stakingcontract - The
mesh-consumercontract (on JUNO) sends tokens to themesh-providercontract (on Osmosis) via ics20 - The
mesh-consumercontract sends a message to themesh-providercontract to inform of the new distribution (and how many go to which validator). - The
mesh-provider(on Osmosis) contract updates distribution info to all stakers, allowing them to claim their share of the $JUNO rewards on Osmosis.
- A user submits a request to unstake their tokens from the
mesh-providercontract (on Osmosis) - We update the local distribution info to reflect the new amount of tokens staked
- This sends a message to the
mesh-consumercontract (on Juno), which updates the Junometa-stakingcontract to remove the delegation. - The
mesh-providercontract (on Osmosis) gets the unbonding period for this cross stake by querying theslashercontract - After the unbonding period has passed (eg. 2 weeks, 4 weeks) the
mesh-providercontract informs themesh-lockupcontract that it removes its claim. - If the user's stake in the
mesh-lockupcontract has not more claims on it, they can withdraw their stake.
- Someone calls a method to submit evidence of Juno misbehavior on the
meta-slashercontract (on Osmosis). - The
meta-slashercontract verifies that a slashing event has indeed occurred and makes a contract call to themesh-providercontract with the amount to slash. - The
mesh-providerupdates themesh-lockupstakes of everyone delegating to the offending validator. Tokens are unbonded and scheduled to be burned. mesh-providersends IBC packet updates to themesh-consumers on all other chains about the new voting power.
A user can stake any number of tokens to the mesh-lockup contract, and use them in multiple provider contracts.
The mesh-lockup contract ensures that the user has balance >= the max claim at all times.
If you put in eg 1000 OSMO, but then provide 700, 500, and 300 to various providers,
you can pull out 300 OSMO from the mesh-lockup contract. Once you successfully release the claim on the
provider with 700, then you can pull out another 200 OSMO.
- Deploy the contracts to Osmosis and Juno
x/govon Juno will tell the "Osmosis consumer contract" which(connectionId, portId)to trustx/govon Juno will provide the "Osmosis consumer contract" with some JUNO tokens with which it can later delegate (This is a hacky solution to give the consumer contract OSMO to be able to stake... we discuss improvement below).- A relayer connects the two contracts, the consumer contract ensures that the channel is made
from the authorized
(connectionId, portId)or rejects it in the channel handshake. It also ensures only one channel exists at a time. - Once the trusted connection is established and the consumer contract has been granted sufficient delegation power, then the user flow above can be used.
These are well-defined but removed from the MVP for simplicity. We can add them later.
mesh-lockupmust also allow local staking, and tie into the meta-staking contract to use that same stake to provide security on the home chain.
These are unclear and need to be discussed and resolved further.
- How to cleanly grant consumer contracts the proper delegation power?
- Something like "superfluid staking" module where we can mint "synthetic staking tokens" that work like normal, but are removed from the "totalSupply" query via offset.
- Fork
x/stakingto allow such synthetic delegations that don't need tokens. This is a hard lift, but would allow custom logic, like counting those tokens in tendermint voting power, but exclude them fromx/gov, and decide on some reducing factor for their rewards.
- How to cleanly define limits for the providing chains on how much power they can have on the consuming chain? We start with a fixed number (# of JUNO), but better to do something like "max 10% of total staking power".
- Ensure a minimum voting power for the local stake. If we let 3 chains each use up to 30% of the voting power, and they all stake to the max, then we only have 10% of the power locally. We can set a minimum to say 40% local, and if all remote chains stake to the max, their relative powers are reduced proportionally to ensure this local minimum stake.
- How to normalize the token values? If we stake 2 million
$OSMO, we need to convert that to the same $ $ value of $JUNO before using it to calculate staking power on the Juno chain. - How to properly handle slashing, especially how a slashing on JUNO triggers a slash on OSMO, which should then reduce the voting power of the correlated validators on STARS (that was based on the same OSMO stake). This is a bit tricky, IBC messages could be sent out to all consumer chains, but there could be performance implications for this.
- Desired reward payout mechanism. For MVP, we treat this as a normal delegator and
send the tokens back to the provider chain to be distributed. But maybe we calculate
rewards in another way, especially when we modify
x/staking. Should also be computationally efficient - How to improve installation UX? Ideally, when the consumer chain votes to instantiate mesh security with another chain, all contracts are deployed and configured in one governance prop.
- How to handle changing prices? What is a good price oracle? We need to update the voting power of the consumer contract when the price changes. This may lead to issues in normalization especially if the remote token price rises considerably.
- What do we do when the consumer stake is greater than the max allowance? Do we fail that extra Stake? Do we normalize the validators within that consumer? Failing is easier, but not possible in response to price oracle changes. For example, if max power is 1000 and we have 500 for val A and 1000 for val B and 1000 for val C, we could normalize to A=200, B=400, C=400.