From 478ab0ca289d44352fa7e6e0881eb3ce0565e1db Mon Sep 17 00:00:00 2001 From: dapplion <35266934+dapplion@users.noreply.github.com> Date: Thu, 18 May 2023 18:05:23 +0200 Subject: [PATCH 01/11] Add EIP: Perpetually Valid Signed Voluntary Exits --- EIPS/eip-7044.md | 57 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 EIPS/eip-7044.md diff --git a/EIPS/eip-7044.md b/EIPS/eip-7044.md new file mode 100644 index 0000000000000..f4b48f6736a74 --- /dev/null +++ b/EIPS/eip-7044.md @@ -0,0 +1,57 @@ +--- +eip: 7044 +title: Perpetually Valid Signed Voluntary Exits +description: Lock voluntary exit signature domain on capella for perpetual validity +author: Lion (@dapplion) +discussions-to: https://github.com/ethereum/consensus-specs/pull/3288 +status: Draft +type: Standards Track +category: Core +created: 2023-05-18 +--- + +## Abstract + +Lock validator voluntary exit signature domain on Capella for perpetual validity. Currently, signed voluntary exits are only valid for two forks. + +## Motivation + +Currently, signed voluntary exits are valid for only two forks, due to the Beacon Chain state holding only the current and previous fork. This limitation affects increases the complexity of some staking operations. Specifically those that require the exchange of signed exits ahead of time valid for an unbounded number of forks. + +The limited validity of volutary exits was originally motivated to isolate them in the event of a perpetual fork. If fork A and B exist and a validator operators on both, if they send an exit, it will be replayable on both. However, this positive is not sufficient to justify the UX degradation exposed above. + +## Specification + +### Consensus Layer + +The mechanics of the specification can be found in the [Consensus Layer specs](https://github.com/ethereum/consensus-specs/pull/3288). + +To make the change backwards compatible the signature domain is locked on the capella fork + +### Execution Layer + +This specification does not require any changes to the Execution Layer. + +## Rationale + +Perpetually valid signed exits allow simpler staking operation designs. It also aligns the UX of such objects to BLSToExecutionChanges and deposits, such that downstream tooling do not need to be updated with fork future information. + +## Backwards Compatibility + +This change is backwards compatible to the Consensus Layer of Ethereum block processing logic. + +The expectation of future validity of exits is not forward compatible. Specifically, users who have already pre-signed exits utilizing the Deneb fork domain with an expectation of their validity should be aware that these pre-signed exits will no longer be recognized as valid. Consequently, users should adjust their approach moving forward. For continued validity across forks, including Deneb and subsequent forks, users should ensure that their exits are signed using the Capella fork domain. + +There are no forwards/backwards compatibility issues with the Execution Layer + +## Test Cases + +Test cases are work-in-progress within the standard Consensus Layer tests. + +## Security Considerations + +The divergent signature domains across forked networks would previously have prevented the replay of VoluntaryExits after two hard forks. This specification change causes this replay protection to no longer exist. These potential replays could impact individual stakers on both sides of a fork, but does not impact the security of the chain. + +## Copyright + +Copyright and related rights waived via [CC0](../LICENSE.md). From 05770a983878165a9c91141e357740c64f59f6fa Mon Sep 17 00:00:00 2001 From: dapplion <35266934+dapplion@users.noreply.github.com> Date: Fri, 19 May 2023 08:03:19 +0200 Subject: [PATCH 02/11] Address reviews --- EIPS/eip-7044.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/EIPS/eip-7044.md b/EIPS/eip-7044.md index f4b48f6736a74..947e529791c6a 100644 --- a/EIPS/eip-7044.md +++ b/EIPS/eip-7044.md @@ -3,7 +3,7 @@ eip: 7044 title: Perpetually Valid Signed Voluntary Exits description: Lock voluntary exit signature domain on capella for perpetual validity author: Lion (@dapplion) -discussions-to: https://github.com/ethereum/consensus-specs/pull/3288 +discussions-to: https://ethereum-magicians.org/t/eip-7044-perpetually-valid-signed-voluntary-exits/14348 status: Draft type: Standards Track category: Core @@ -16,9 +16,9 @@ Lock validator voluntary exit signature domain on Capella for perpetual validity ## Motivation -Currently, signed voluntary exits are valid for only two forks, due to the Beacon Chain state holding only the current and previous fork. This limitation affects increases the complexity of some staking operations. Specifically those that require the exchange of signed exits ahead of time valid for an unbounded number of forks. +Currently, signed voluntary exits are valid up-to only two forks for block inclusion due to the Beacon Chain state considering only the current and previous fork. This limitation increases the complexity of some staking operations, specifically those that require the exchange of signed exits ahead of time for an unbounded number of forks. -The limited validity of volutary exits was originally motivated to isolate them in the event of a perpetual fork. If fork A and B exist and a validator operators on both, if they send an exit, it will be replayable on both. However, this positive is not sufficient to justify the UX degradation exposed above. +The limited validity of voluntary exits was originally motivated to isolate them in the event of a perpetual fork. If fork A and B exist and a validator operates on both, if they send an exit, it will be replayable on both. However, this possibility is not sufficient to justify the UX degradation exposed above. ## Specification @@ -50,7 +50,7 @@ Test cases are work-in-progress within the standard Consensus Layer tests. ## Security Considerations -The divergent signature domains across forked networks would previously have prevented the replay of VoluntaryExits after two hard forks. This specification change causes this replay protection to no longer exist. These potential replays could impact individual stakers on both sides of a fork, but does not impact the security of the chain. +The divergent signature domains across forked networks would previously have prevented the replay of VoluntaryExits after two hard forks. This specification change causes the replay protection to no longer exist. These potential replays could impact individual stakers on both sides of a fork, but does not impact the security of the chain. ## Copyright From d1a832b43b5bbaed8ff4d0b53561a3902547c018 Mon Sep 17 00:00:00 2001 From: Lion - dapplion <35266934+dapplion@users.noreply.github.com> Date: Fri, 19 May 2023 18:32:22 +0200 Subject: [PATCH 03/11] Update EIPS/eip-7044.md Co-authored-by: Andrew B Coathup <28278242+abcoathup@users.noreply.github.com> --- EIPS/eip-7044.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/EIPS/eip-7044.md b/EIPS/eip-7044.md index 947e529791c6a..9f635c149ae77 100644 --- a/EIPS/eip-7044.md +++ b/EIPS/eip-7044.md @@ -26,7 +26,7 @@ The limited validity of voluntary exits was originally motivated to isolate them The mechanics of the specification can be found in the [Consensus Layer specs](https://github.com/ethereum/consensus-specs/pull/3288). -To make the change backwards compatible the signature domain is locked on the capella fork +To make the change backwards compatible the signature domain is locked on the Capella fork ### Execution Layer From 7ac7f0c8f9ae2f6924a3102339142654a68f5311 Mon Sep 17 00:00:00 2001 From: Lion - dapplion <35266934+dapplion@users.noreply.github.com> Date: Tue, 20 Jun 2023 13:02:33 +0300 Subject: [PATCH 04/11] Update CL link to a blob --- EIPS/eip-7044.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/EIPS/eip-7044.md b/EIPS/eip-7044.md index 9f635c149ae77..2388c0ad98d1f 100644 --- a/EIPS/eip-7044.md +++ b/EIPS/eip-7044.md @@ -24,7 +24,7 @@ The limited validity of voluntary exits was originally motivated to isolate them ### Consensus Layer -The mechanics of the specification can be found in the [Consensus Layer specs](https://github.com/ethereum/consensus-specs/pull/3288). +The mechanics of the specification can be found in the [Consensus Layer specs](https://github.com/ethereum/consensus-specs/commit/14212958d3605c5dd4f8ab617f157328f53ce559). To make the change backwards compatible the signature domain is locked on the Capella fork From 3938fec96b23febc2e274044d4b694517f712937 Mon Sep 17 00:00:00 2001 From: Lion - dapplion <35266934+dapplion@users.noreply.github.com> Date: Sat, 24 Jun 2023 13:52:01 +0300 Subject: [PATCH 05/11] Update EIPS/eip-7044.md Co-authored-by: Danny Ryan --- EIPS/eip-7044.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/EIPS/eip-7044.md b/EIPS/eip-7044.md index 2388c0ad98d1f..210024a185824 100644 --- a/EIPS/eip-7044.md +++ b/EIPS/eip-7044.md @@ -12,7 +12,7 @@ created: 2023-05-18 ## Abstract -Lock validator voluntary exit signature domain on Capella for perpetual validity. Currently, signed voluntary exits are only valid for two forks. +Lock validator voluntary exit signature domain on Capella for perpetual validity. Currently, signed voluntary exits are only valid for two upgrades. ## Motivation From 64dd9c5b8c6e410c1173a0e7b021c8e079d5eb82 Mon Sep 17 00:00:00 2001 From: Lion - dapplion <35266934+dapplion@users.noreply.github.com> Date: Sat, 24 Jun 2023 13:52:09 +0300 Subject: [PATCH 06/11] Update EIPS/eip-7044.md Co-authored-by: Danny Ryan --- EIPS/eip-7044.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/EIPS/eip-7044.md b/EIPS/eip-7044.md index 210024a185824..8336ec5ac666a 100644 --- a/EIPS/eip-7044.md +++ b/EIPS/eip-7044.md @@ -16,7 +16,7 @@ Lock validator voluntary exit signature domain on Capella for perpetual validity ## Motivation -Currently, signed voluntary exits are valid up-to only two forks for block inclusion due to the Beacon Chain state considering only the current and previous fork. This limitation increases the complexity of some staking operations, specifically those that require the exchange of signed exits ahead of time for an unbounded number of forks. +Currently, signed voluntary exits are valid up-to only two upgrades for block inclusion due to the Beacon Chain state considering only the current and previous fork version. This limitation increases the complexity of some staking operations, specifically those in which the staking operator (holder of active key) is distinct from the owner of the funds (holder of the withdrawal credential). Because voluntary exits can only be signed by the active key, such a relationship requires the exchange of signed exits ahead of time for an unbounded number of forks. The limited validity of voluntary exits was originally motivated to isolate them in the event of a perpetual fork. If fork A and B exist and a validator operates on both, if they send an exit, it will be replayable on both. However, this possibility is not sufficient to justify the UX degradation exposed above. From 11b8c701b5744e63c94dbf10655c84e54a139044 Mon Sep 17 00:00:00 2001 From: Lion - dapplion <35266934+dapplion@users.noreply.github.com> Date: Sat, 24 Jun 2023 13:52:17 +0300 Subject: [PATCH 07/11] Update EIPS/eip-7044.md Co-authored-by: Danny Ryan --- EIPS/eip-7044.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/EIPS/eip-7044.md b/EIPS/eip-7044.md index 8336ec5ac666a..5265c1c884a9e 100644 --- a/EIPS/eip-7044.md +++ b/EIPS/eip-7044.md @@ -18,7 +18,7 @@ Lock validator voluntary exit signature domain on Capella for perpetual validity Currently, signed voluntary exits are valid up-to only two upgrades for block inclusion due to the Beacon Chain state considering only the current and previous fork version. This limitation increases the complexity of some staking operations, specifically those in which the staking operator (holder of active key) is distinct from the owner of the funds (holder of the withdrawal credential). Because voluntary exits can only be signed by the active key, such a relationship requires the exchange of signed exits ahead of time for an unbounded number of forks. -The limited validity of voluntary exits was originally motivated to isolate them in the event of a perpetual fork. If fork A and B exist and a validator operates on both, if they send an exit, it will be replayable on both. However, this possibility is not sufficient to justify the UX degradation exposed above. +The limited validity of voluntary exits was originally motivated to isolate them in the event of a hard fork that results in two maintained chains. If fork A and B exist and a validator operates on both, if they send an exit, it will be replayable on both. However, this possibility is not sufficient to justify the UX degradation exposed above, as no funds are at risk and the staker can re-stake on one or both of the chains. ## Specification From 0c58b6385966feae1b6c51f30979feb793bbed63 Mon Sep 17 00:00:00 2001 From: Lion - dapplion <35266934+dapplion@users.noreply.github.com> Date: Sat, 24 Jun 2023 13:52:26 +0300 Subject: [PATCH 08/11] Update EIPS/eip-7044.md Co-authored-by: Danny Ryan --- EIPS/eip-7044.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/EIPS/eip-7044.md b/EIPS/eip-7044.md index 5265c1c884a9e..60fd00c911644 100644 --- a/EIPS/eip-7044.md +++ b/EIPS/eip-7044.md @@ -34,7 +34,7 @@ This specification does not require any changes to the Execution Layer. ## Rationale -Perpetually valid signed exits allow simpler staking operation designs. It also aligns the UX of such objects to BLSToExecutionChanges and deposits, such that downstream tooling do not need to be updated with fork future information. +Perpetually valid signed voluntary exits allow simpler staking operation designs. It also aligns the UX of such objects to `BLSToExecutionChanges` and deposits, such that downstream tooling does not need to be updated with fork version information. ## Backwards Compatibility From 0ff6d9a90148dcfd638da0c1e8a71851a207b5fc Mon Sep 17 00:00:00 2001 From: Lion - dapplion <35266934+dapplion@users.noreply.github.com> Date: Sat, 24 Jun 2023 13:52:35 +0300 Subject: [PATCH 09/11] Update EIPS/eip-7044.md Co-authored-by: Danny Ryan --- EIPS/eip-7044.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/EIPS/eip-7044.md b/EIPS/eip-7044.md index 60fd00c911644..c19b80a93e3d9 100644 --- a/EIPS/eip-7044.md +++ b/EIPS/eip-7044.md @@ -42,7 +42,7 @@ This change is backwards compatible to the Consensus Layer of Ethereum block pro The expectation of future validity of exits is not forward compatible. Specifically, users who have already pre-signed exits utilizing the Deneb fork domain with an expectation of their validity should be aware that these pre-signed exits will no longer be recognized as valid. Consequently, users should adjust their approach moving forward. For continued validity across forks, including Deneb and subsequent forks, users should ensure that their exits are signed using the Capella fork domain. -There are no forwards/backwards compatibility issues with the Execution Layer +There are no forwards/backwards compatibility issues with the Execution Layer. ## Test Cases From c87bb6755c327917522d6dbe1adbf7a2042a90ce Mon Sep 17 00:00:00 2001 From: Lion - dapplion <35266934+dapplion@users.noreply.github.com> Date: Sat, 24 Jun 2023 13:52:43 +0300 Subject: [PATCH 10/11] Update EIPS/eip-7044.md Co-authored-by: Danny Ryan --- EIPS/eip-7044.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/EIPS/eip-7044.md b/EIPS/eip-7044.md index c19b80a93e3d9..335eeffc312d3 100644 --- a/EIPS/eip-7044.md +++ b/EIPS/eip-7044.md @@ -50,7 +50,7 @@ Test cases are work-in-progress within the standard Consensus Layer tests. ## Security Considerations -The divergent signature domains across forked networks would previously have prevented the replay of VoluntaryExits after two hard forks. This specification change causes the replay protection to no longer exist. These potential replays could impact individual stakers on both sides of a fork, but does not impact the security of the chain. +The divergent signature domains across forked networks would previously have prevented the replay of VoluntaryExits after two hard forks. This specification change causes the replay protection to no longer exist. These potential replays could impact individual stakers on both sides of a fork, but does not put funds at risk and does not impact the security of the chain. ## Copyright From b9dea385c75f9bcfdd7fb4bd945e4075a3815772 Mon Sep 17 00:00:00 2001 From: dapplion <35266934+dapplion@users.noreply.github.com> Date: Sat, 24 Jun 2023 13:56:51 +0300 Subject: [PATCH 11/11] commit @djrtwo suggestion --- EIPS/eip-7044.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/EIPS/eip-7044.md b/EIPS/eip-7044.md index 335eeffc312d3..111aa42132eb3 100644 --- a/EIPS/eip-7044.md +++ b/EIPS/eip-7044.md @@ -24,7 +24,13 @@ The limited validity of voluntary exits was originally motivated to isolate them ### Consensus Layer -The mechanics of the specification can be found in the [Consensus Layer specs](https://github.com/ethereum/consensus-specs/commit/14212958d3605c5dd4f8ab617f157328f53ce559). +Specification changes are built into the Consensus Specs Deneb upgrade. + +The specific makes one change to the state transition function: + +- Modify [`process_voluntary_exit`](https://github.com/ethereum/consensus-specs/blob/75971a8c218b1d76d605dd8b88a08d39c42de221/specs/deneb/beacon-chain.md#modified-process_voluntary_exit) to compute the signing domain and root fixed on `CAPELLA_FORK_VERSION`. + +Additionally, the `voluntary_exit` gossip conditions are implicitly modified to support this change. To make the change backwards compatible the signature domain is locked on the Capella fork