feat: Support pending SpokePool upgrades #611
Conversation
This is a first pass at establishing concurrent support for the new & legacy events. There's stilll work to be done to (at least): - Specify how to handle new relayer repayment capabilities. - Specify how to handle pre-fills where the relayer orchestrates the deposit after the fill. There are edge cases to consider.
UMIPs/umip-179.md
Outdated
| #### Validating Pre-fills | ||
| For each of the `Deposits` emitted within the target block range where no corresponding `Fill` is identified on the destination chain, identify the valid `Fill` according to the following criteria: | ||
| 1. Verify that the destination chain `FillStatus` for the `Deposit` `RelayData` is `Filled` as at the destination chain end block number for the proposal. | ||
| 2. Resolve the corresponding `Fill` on the destination chain. | ||
|
|
||
| #### Note | ||
| - No specific method is prescribed for resolving the fill on the destination chain. An `eth_getLogs` request can facilitate this, and if required, the target block range could be narrowed by a binary search over the `FillStatus` field. This is left as an implementation decision. |
There was a problem hiding this comment.
I added this section to describe how to identify pre-fills. This is a fairly abstract description; it arises out of the realisation that an arbitrarily-old fill with a non-deterministic depositId can still be identified via a binary search, which should remove the need to artificially limit the fill->deposit time delta. This should be naively fine OK as long as SpokePool addresses and token mappings don't change. We might consider adding a note to explicitly warn relayers of these risks.
fwiw, the SDK already has an implementation of the necessary logic for a binary search here: https://github.com/across-protocol/sdk/blob/db244fbaec15dc049452cd104ca7bec5856ad3da/src/utils/SpokeUtils.ts#L328 This implementation came out of the resilience work that was done, because RPC provider jank can also cause a deposit without a corresponding fill event.
There is a consideration about the load imposed on proposers and disputers from a binary search, which can only be done per-deposit. I think this is the optimal strategy for now, where only a small number of deposits are expected to fall outside of the proposer/disputer lookback window. The strategy could be improved if the ratio of pre-fills started to become significant. One candidate for optimising this could be to just increase the block range when querying for fills. Since most missing fills are probably only hours old, this strategy could be used quite effectively.
If the load from increasing the getLogs range did ultimately produce a scalability problem then I think we'd ultimately look to bound the fill -> deposit delta by some multiple of the fillDeadline specified in the deposit. But I think that should be reserved for a future UMIP change (and may not even be necessary).
| - The `FundsDeposited` and `V3FundsDeposited` `outputToken` field is not required to be a known HubPool `l1Token`. In-protocol arbitrary token swaps are technically supported by Across v3. | ||
| - The address identified by `exclusiveRelayer` has exclusive right to complete the relay on the destination chain until `exclusivityDeadline` has elapsed. | ||
| - If `exclusivityDeadline` is set to a past timestamp, any address is eligible to fill the relay. | ||
| - Any deposit that remains unfilled after the specified `fillDeadline` shall be refunded to the `depositor` address via the origin SpokePool in a subsequent settlement bundle. |
There was a problem hiding this comment.
What about if the deposit is a duplicate relay hash? Which is now possible with non uniqueness of deposit ids
There was a problem hiding this comment.
Just to tease this one out into a scenario: unsafeDeposit() is called, producing a relayDataHash collision on the destination SpokePool. The proposer concludes that the deposit was filled by some previous, unrelated fill. The proposer then identifies that fill and credits the relayer with the repayment, meaning the relayer gets paid twice and the depositor can never receive their refund. Is this the same scenario you're thinking of?
In this specific case, I think there is some risk that the depositor (or relayer, or more broadly the "facilitator" of the order flow) takes when they call unsafeDeposit() (this is basically why it's called unsafe). It is however possible for them to check the FillStatus on the destination chain in advance of selecting the salt for their depositId, so they can avoid the scenario where they collide with a very old fill. I think this then reduces the risk to a collision occurring within a much shorter period of time - i.e. seconds or minutes.
This might not be the only scenario, and my reasoning might be flawed on this. This scenario alone also indicates that we need to add some guidance in our docs for how integrators should select their salt when generating pre-fill deposits for depositors to sign. wdyt?
There was a problem hiding this comment.
One additional and very simple check that could protect against this - the proposer and disputer could be required to verify both the relayDataHash and a subset of the fields - i.e. to verify that some or all of the following fields are an exact match. That would protect against relayDataHash collisions, and would allow the proposer to refund the deposit on the origin chain:
depositorrecipientinputTokeninputAmountoutputAmountfillDeadline
There was a problem hiding this comment.
The proposer then identifies that fill and credits the relayer with the repayment, meaning the relayer gets paid twice and the depositor can never receive their refund. Is this the same scenario you're thinking of?
No, in this case the relayer could only fill once because the relay hash is the same for both deposits. The deposit pays twice and only gets filled once. The relayer gets refunded for one their one fill
But overall I think the function is aptly named "unsafe" and depositors who do this should be aware they might lose their deposit.
There was a problem hiding this comment.
No, in this case the relayer could only fill once because the relay hash is the same for both deposits. The deposit pays twice and only gets filled once. The relayer gets refunded for one their one fill
If the proposer/disputer resolves solely on RelayData hash then I'd still expect it to match a new deposit (via unsafeDeposit()) with a very old fill that was made for whatever other deposit that collided. So in that case, it'd conclude that the old fill was valid and would then enqueue a relayer refund, and would not refund the depositor.
So the argument is not that the fill would occur twice, but that the proposer/disputer would issue two relayer repayments for the same fill. Does that make sense?
There was a problem hiding this comment.
Currently the proposer will not reward a refund for any duplicate expired deposits -- only the first would get refunded: across-protocol/sdk#838
There was a problem hiding this comment.
If the relayHash matches, these would have to match, right? Otherwise, we've found a keccak hash collision, no? One important thing to also note is that it's pretty hard to spoof collisions without controlling the calling user's wallet. The depositor and msg.sender (in addition to nonce) must match to create a collision.
Agreed! The risk of a depositor reusing their salt (depositNonce) is much more realistic. It's a lot easier to create collisions now that deposit permits fillDeadline to be in the past.
If I'm understanding correctly, the primary motivation for the double relayer payment is that we don't have a good way to go back and find a deposit from long ago, so we can't distinguish between a prefill and double deposit. But I also think the most likely failure mode is a double transaction submission, where the deposits are very close together, so if we could protect users in that case, I think this sharp edge wouldn't be too painful for users.
Thoughts?
I still feel allergic to the possibility of a double repayment, even if it can be confined to rare cases. It's very counter-intuitive and is likely to be quite tricky to investigate, if it ever happens. I'm much more in favour of finding solutions where we can eliminate the possibility. It's unclear whether we can achieve that given other constraints though.
There was a problem hiding this comment.
Looks like this isn't resolved AFAICT. The UMIP suggests that deposits are refunded if not filled, but I don't see a clarification about what "filled" really means here (i.e. a duplicate deposits are allowed and can all be considered filled by the same fill and thus result in loss of funds).
There was a problem hiding this comment.
We have a couple of threads adjacent to this - I left a response here. Are you OK with the proposed definition for what a filled relay is?
There was a problem hiding this comment.
Just to round this out, I think we settled on the maximally simple definition of a fill - tldr, a deposit is filled when the deposit FillStatus on the destination chain is in state Filled.
UMIPs/umip-179.md
Outdated
| - The applicable rate model shall be sourced from the AcrossConfigStore contract for the relevant `l1Token`. | ||
| - Deposits where the `originChainId` is a "Lite" chain in the AcrossConfigStore as of the `quoteTimestamp` shall always be repaid on the deposit's origin chain. This means the protocol overrides the relayer's requested `repaymentChainId` with the `originChainId` instead. | ||
|
|
||
| The recipient of relayer repayments shall be the `Fill` `relayer` address. If the `relayer` address is invalid for the respective `repaymentChainId`, the proposer shall: | ||
| - Issue the refund on the `destinationChainId` instead of the `repaymentChainId`, AND |
There was a problem hiding this comment.
What if the destination chain is a lite chain?
There was a problem hiding this comment.
I think it's OK when the destination chain is a lite chain (we permit this currently), but it's not OK when the origin chain is a lite chain (good catch). So the logic needs to be tightened up, such that this has a lower precedence than the lite chain constraints.
There was a problem hiding this comment.
@nicholaspai Updated here to be more explicit about the precedence of the applied repaymentChainId and reverting to a fallback repayment address in case of an invalid relayer-specified address for the applied repaymentChainId.
wdyt?
There was a problem hiding this comment.
left one comment a95d437#r1923960561
Co-authored-by: nicholaspai <[email protected]>
pxrl
changed the title
|
|
||
| ### Computing Deposit Refunds | ||
| For an expired `V3FundsDeposited` event, the depositor refund amount shall be computed as `inputAmount` units of `inputToken`. | ||
| For an expired `Deposit` event, the depositor refund amount shall be computed as `inputAmount` units of `inputToken`. |
There was a problem hiding this comment.
I think you should also say that if you set the depositor field to an invalid EVM address, (i.e. a bytes32 address), then you won't be refunded if you aren't filled.
There was a problem hiding this comment.
@mrice32 @nicholaspai This is something that we can enforce at the contract level, and not enforcing it there leads to this risk that the depositor's funds get locked in the protocol. It costs a bit more gas to do this but gives a lot more safety to the depositor. Given that we already need to modify the SpokePool for the RelayData hash, would we consider also enforcing that depositor is a valid EVM address?
There was a problem hiding this comment.
Description updated so that refunds for invalid depositor addresses are discarded: cab40f8
There was a problem hiding this comment.
Leaving this open for now, pending confirmation of across-protocol/contracts#874 being merged.
| | Name | Type | Description | | ||
| | :--- | :--- | :---------- | | ||
| | relayer | address | The address completing relay on the destination SpokePool. | | ||
| | repaymentChainId | uint256 | The depositId of the corresponding `V3FundsDeposited` event to be updated. | | ||
| | relayExecutionInfo | V3RelayExecutionInfo | The effective `recipient`, `message` and `outputAmount`, as well as the `FillType` performed (FastFill, ReplacedSlowFill, SlowFill). | | ||
| | relayExecutionInfo | V3RelayExecutionEventInfo | The effective `recipient`, `message` and `outputAmount`, as well as the `FillType` performed (FastFill, ReplacedSlowFill, SlowFill). | |
There was a problem hiding this comment.
This may need an update, subject to across-protocol/contracts#872
…re-slowfill-requests ### Definitions - "pre-fill": any fill that is in a bundle that precedes the bundle containing the matched deposit - "pre-slow-fill-request": a mouthful, and any slow fill request in a bundle that precedes the bundle containing the matched deposit ## Core logic for refunding pre-fills: Evaluate all deposits in the current bundle that were not filled in the current bundle. Figure out whether the deposit was filled, by either: - Finding the fill in the spoke pool client's memory, or - Querying the fill status on-chain If there is a fill for this deposit then we need to issue a refund for this fill because the fill occurred in a previous bundle where it might not have been refunded. We need to use a similar algorithm for creating slow fill leaves for pre-slow-fill-requests ## Avoiding duplicate refunds for pre-fills We don't deterministically know whether this pre-fill was refunded in the prior bundle because we don't know for certain what kind of event search window the proposer of the prior bundle used when constructing the bundle. To illustrate this problem, imagine if a fill and a deposit are sent 10 minutes apart such that the fill is at the end of the current bundle and the deposit is at the beginning of the next. The prior bundle proposer probably would have issued a refund for this fill, but we don't know for certain. So, one way around this non-determinism is to introduce a new rule to the UMIP: ### Do not issue refunds for fills or slow fill leaves where the matched deposit is later than the current bundle block range This rule makes it always apparent which bundle should include a refund or slow fill leaf for a pre-fill or pre-slow-fill-request. This will require a UMIP change to [this PR](UMAprotocol/UMIPs#611) ## TODO I still need to update the `findFillBlock()` function to return a historical fill for a deposit, because we'll need the FilledRelay's `relayerAddress` or `msg.sender` to credit the refund to (the latter in the case where the relayer address isn't valid on the repayment chain).
| - The `FundsDeposited` and `V3FundsDeposited` `outputToken` field is not required to be a known HubPool `l1Token`. In-protocol arbitrary token swaps are technically supported by Across v3. | ||
| - The address identified by `exclusiveRelayer` has exclusive right to complete the relay on the destination chain until `exclusivityDeadline` has elapsed. | ||
| - If `exclusivityDeadline` is set to a past timestamp, any address is eligible to fill the relay. | ||
| - Any deposit that remains unfilled after the specified `fillDeadline` shall be refunded to the `depositor` address via the origin SpokePool in a subsequent settlement bundle. |
There was a problem hiding this comment.
One additional and very simple check that could protect against this - the proposer and disputer could be required to verify both the relayDataHash and a subset of the fields
If the relayHash matches, these would have to match, right? Otherwise, we've found a keccak hash collision, no? One important thing to also note is that it's pretty hard to spoof collisions without controlling the calling user's wallet. The depositor and msg.sender (in addition to nonce) must match to create a collision.
The proposer then identifies that fill and credits the relayer with the repayment, meaning the relayer gets paid twice and the depositor can never receive their refund. Is this the same scenario you're thinking of?
Do we want this behavior to be universal? Or if the deposits are within some range of one another, we do a refund (since the duplicate is detectable in that case)?
If I'm understanding correctly, the primary motivation for the double relayer payment is that we don't have a good way to go back and find a deposit from long ago, so we can't distinguish between a prefill and double deposit. But I also think the most likely failure mode is a double transaction submission, where the deposits are very close together, so if we could protect users in that case, I think this sharp edge wouldn't be too painful for users.
Thoughts?
I'm also leaning towards (2) in absence of any more comprehensive solution to it (...I haven't been able to think of one). I'm not sure it's the best UX for depositors though - it's painful in the case they make a duplicate deposit and the repayment gets credited to the relayer of the original fill, but I think this is caveat emptor when using a function called I think (2) also allows us to settle on the simplest definition of what a filled relay is - when a deposit's RelayData hash has state [edit]: There is one sticking point with the above proposed definition - it works poorly when the deposit is generated once, but is incidentally submitted more than once. This can be done by the depositor (standard deposit-first scenario) and can happen within the Scenarios to consider are:
The The best I can think of at the moment is this convoluted description (edited after Nick feedback): A Note:
|
I think you're confusing the FillStatus type from the FillType type: export enum FillStatus {
Unfilled = 0,
RequestedSlowFill,
Filled,
}
export enum FillType {
FastFill = 0,
ReplacedSlowFill,
SlowFill,
}We can probably change this to be "A |
The rule I've implemented so far in across-protocol/sdk#835 is:
These rules do not pay duplicate depositors who are:
I think this scenario is very unlikely if you consider how deposits are designed to work with pre-fills:
|
|
Is all this special logic worthwhile if depositors can just get unlucky with bundle timing and lose their funds anyway? I think, in general, we should aim to make as little depend on bundle block ranges as possible, since they can be manipulated by the proposer and (even if non-malicious) are unpredictable for users/relayers. My thinking is that the following logic would work well and require no additional lookback. It is similar to the casework above, but it combines the two cases and decouples the duplicate refund logic from the fill status.
Thoughts? Do you think this works? |
| #### Note | ||
| - If the `Deposit` event specifies `outputToken` 0x0 (i.e. the Zero Address), the equivalent SpokePool token on the destination chain shall be substituted in. For the purpose of determining `RelayData` equivalency, the updated/substituted `outputToken` shall be used in place of 0x0. | ||
| - `RelayData` equality can be determined by comparing the keccak256 hashes of two `RelayData` objects. | ||
| - Fills of type `SlowFill` are valid, but are not relevant for computing relayer repayments. |
There was a problem hiding this comment.
For SlowFill-ed deposits where the fill is a pre-fill, we should ideally refund the depositor. Otherwise there is no way for the depositor to get funds back. We can essentially assume deposits sent after a slow fill are always duplicates, by definition for that slow fill to have been created
Updated version: So we are dealing with duplicate deposits in two cases:
So in all cases, duplicate deposits only get refunded once the deposit gets filled (or has already been filled at the time the deposit is mined):
|
UMIPs/umip-179.md
Outdated
| 1. The `Deposit` is identical with another `Deposit`. | ||
| 2. The destination chain `FillStatus` for the `Deposit` is `Filled`. | ||
| 3. The destination chain `Fill` `FillType` was `SlowFill`. | ||
| 4. The destination chain `Fill` occurred within the current `BundleBlockRange`. |
There was a problem hiding this comment.
Do all these conditions have to happen? If so we should probably explicitly state that above the list or adding an AND after each point
| - The AcrossConfigStore contract shall be used to identify the correct rate model, instead of a `RateModelStore` contract. | ||
| - The `HubPool` `liquidityUtilizationCurrent()` and `liquidityUtilizationPostRelay()` functions shall be used instead of the `BridgePool` variant. | ||
| - The event `inputToken` shall be mapped from the SpokePool address to a HubPool `l1Token` address by following the matching procedure outlined above. | ||
| - The LP fee is computed between the `originChainId` and `FilledV3Relay.repaymentChainId` where the `relayExecutionInfo.FillType != SlowFill` and `FilledV3Relay.destinationChainId` otherwise. | ||
| - The LP fee is computed between the `originChainId` specified by the `Deposit` and `repaymentChainId` specified by the relayer, where the `relayExecutionInfo.FillType != SlowFill` and the Fill `destinationChainId` otherwise. |
There was a problem hiding this comment.
We actually collect LP fees on each SlowFill's execution, not sure if that was a mistake from the previous version but we should note that. SlowFill's pay out inputAmount - lpFee to the recipient and when and if the the SlowFill gets executed, the LP fee gets accumulated to the bundleLpFees entry in the PoolRebalanceRoot
| - The `fillDeadline` timestamp shall be resolved to a block number on the destination chain in order to determine inclusion within the target block range. | ||
| - The `fillDeadline` timestamp shall be resolved to a block number on the destination chain in order to determine inclusion within the `Bundle Block Range`. | ||
|
|
||
| ### Finding Unfillable Deposits |
There was a problem hiding this comment.
Would a better name be Duplicate Slow Filled Deposits ?
Signed-off-by: Matt Rice <[email protected]>
Signed-off-by: Matt Rice <[email protected]>
mrice32
force-pushed
the
pxrl/umip179-1
branch
from
a72b9f1 to
b221c6f
Compare
|
This pull request includes significant updates to the Across v3 protocol documentation in Data Types and Definitions Updates:
Event Updates:
Notes and Clarifications:
Definitions Section:
These changes aim to improve the clarity and functionality of the Across v3 protocol documentation, ensuring that users and developers can better understand and utilize the protocol. |
This is a first pass at establishing concurrent support for the new & legacy events.