0xPolygonHermez/zkevm-contracts

Why is the forceBatchTimeout so high?

josojo opened this issue · 6 comments

I am really wondering why the forceBatchTimeout is set to such a high value as 5 days.

This is a challenge:

  • since a malicious sequencer could deny price-feed updates and withdrawals for Aave or Maker for 5 days. This could have a huge impact on liquidations and the working of the system.
  • since some DeFi applications like UMA or realityETH need to challenge invalid inputs within certain time frames. Usually, these time frames are smaller than 5 days.

Reasons to set it higher:

  • It can break normal sequencing and thereby remove "instant finality" for some users.

Would love to hear whether you guys think it's safe to set it to 30 minutes, to eliminate price-feed manipulations.
Or do you bet mostly on a decentralised sequencer to resolve this issue? (I believe that it improves the situation by a lot, though the censorship resistance of Ethereum will stay better for quite a long time than the censorship resistance of Espresso?)

The force batch should be high enough to not break our trusted state in any way, i.e. the transactions that the sequencer aims to put on the blockchain.
We also put in extra time, just in case some weird unexpected behavior happens.

Thanks @invocamanman.

The force batch should be high enough to not break in any way our trusted state

I agree with this. And at the same time, I think if the sequencer finalizes a batch every 15 minutes, then it would be reasonable to have an ensured inclusion of 30 mins, right? This would not break any trusted state?

I think allowing the sequencer to "censor in theory" the chain for 5 days would have critical consequences for many applications. Will you change this in the future deployments?

Hmm, from our point of view, if the sequencer censors for 5 days then it breaks the reputation of the network. The forced batches, as they are right now, are just for edge cases: a mechanism for users, where the sequencer is censoring them, to be able to basically withdraw their funds. The problem that you present is, in my opinion, very time restrictive, and the only way to approach this would be having a decentralized sequencer (which we want to have in the future ^^)

in my opinion, very time restrictive

Yes and no. I think liquidation protocols can survive 1-2 hours without new price-feed data. But they can't do it for 5 days, as the bad debt might just build up. Hence, I think it's not super super time restrictive, and a shorter enforcement might actually alleviate many concerns.

Having a forced batch time of 30 mins would not break any trusted state, right? If that is true, why wouldn't you want to expand the usefulness of the forcedBatch to protect users from even more scenarios?

Having a forceBatch of 30 min is extremely risky.
Yes, in an ideal scenario nothing would happen, but....
There are upgrades, there are temporary inconveniences, downtime, machine/cloud-service problems... etc...
Putting this to 30 minutes would mean very heavy monitoring and safety measures.
The force batches are not for making DeFi operations; they are meant to be used only in case of censoring or sequencer downtime, so in extreme situations, and the objective would be just to save your funds because the network does not work as it should.

Thanks for your explainer!

I guess you are right that one should just build a non-censoring sequencer and not optimize here. If the sequencer is built on a round table of trusted persons, there needs to be only one trusted person who is not censoring to get a non-censoring sequencer... should be doable.

Thanks!