Skip to content

Commit

Permalink
Fix syntax / links
Browse files Browse the repository at this point in the history
  • Loading branch information
maurolacy committed Jun 30, 2023
1 parent dcd1b93 commit 3183a02
Show file tree
Hide file tree
Showing 2 changed files with 23 additions and 22 deletions.
28 changes: 14 additions & 14 deletions docs/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ You can get a good overview of the whole system flow in the above diagram.
The design should allow one chain to provide security to multiple chains, while
at the same time receiving security from multiple chains.

A key to understanding the design, is that the whole system is _delegator-centeric_
A key to understanding the design, is that the whole system is _delegator-centric_
not _validator-centric_. This means that we don't try to match the same validators on
multiple chains, or even subsets, but rather focus on leveraging the security
provided by staking tokens to secure validators on multiple chains. This provides a way to
Expand All @@ -65,9 +65,9 @@ Addressing some common points people raise up, which are hidden in the docs.

There are many questions if this isn't "fractional reserve banking" or such.
This does use the same collateral to back multiple claims (staking), but
the [final invariant in the vault](https://github.com/osmosis-labs/mesh-security/blob/main/contracts/vault/README.md#invariants)
the [final invariant in the vault](https://github.com/osmosis-labs/mesh-security/blob/main/contracts/provider/vault/README.md#invariants)
ensures there is sufficient collateral to cover the maximum loss
(eg. if all local and cross-staked validators double-sign).
(e.g. if all local and cross-staked validators double-sign).
If the double slash penalty is 5%, you can safely cross stake 20x.
If it were to be raised to say 40%, you could only safely cross stake 2.5x
This is more like insurance companies holding reserves for the worse cases expected losses,
Expand All @@ -76,9 +76,9 @@ not the total value of all property insured.
### Power Limits on Remote Chains

Another common concern is whether there are effective limits in the power a remote
chain can exert over one chain. Would it be possible for a higher cap chain (eg $ATOM)
chain can exert over one chain. Would it be possible for a higher cap chain (e.g. $ATOM)
to take over more than one-third, or even two-thirds or the power of a smaller cap chain
(eg $STARS) it is cross-staking on.
(e.g. $STARS) it is cross-staking on.

Clearly the consumer chain wants to put some limits. The first limit is the
[discount applied during the conversion](https://github.com/osmosis-labs/mesh-security/blob/main/docs/consumer/Converter.md#price-normalization).
Expand Down Expand Up @@ -110,7 +110,7 @@ There are three main failure modes to consider:
#### Huge Price Swing

This is the most likely scenario. If the provider price rises too much, it may suddenly have
disproportionate power over the affairs of the consumer. If the provier price falls too much,
disproportionate power over the affairs of the consumer. If the provider price falls too much,
in the period until the price oracle is updated, there may be less remote collateral
than the virtual stake.

Expand All @@ -135,7 +135,7 @@ max cap limit preventing total takeover, so it just provides overly high rewards
#### Byzantine Provider Chain

The worst case is the provider claims to deposit millions of tokens on one malicious validator,
while not actually locking any collateral on it's own chain. This is similar to the case of
while not actually locking any collateral on its own chain. This is similar to the case of
a hostile community on the provider chain selecting validators against the interest of the
community on the consumer chain.

Expand All @@ -154,18 +154,18 @@ perceived stability.
If a Consumer Chain goes Byzantine (or starts some mob-rule governance proposals), it can
try to damage stake on the Provider chain. There are several ways it can try to do so:

- Withholding all rewards to said Provider
- Removing all voting power from said Provider
- Refusing to unlock the virtual stake of the Provider
- Unfairly slashing virtual stake from the Provider
- Withholding all rewards to said Provider.
- Removing all voting power from said Provider.
- Refusing to unlock the virtual stake of the Provider.
- Unfairly slashing virtual stake from the Provider.

The first two are temporary and can be seen in the case when the consumer no longer trusts the
provider and sets "max cap" to zero. This is a temporary effect but must be acknowledged as
a possible risk, which is loss of benefits, but not loss of collateral.

The third point is impossible, as the unlock period is implemented between the external staking
contracts and the vault on the provider side. Nothing on the Consumer can lock up stake longer.
And if a Provider feels they have unfairly withhold benefits (first two points), they could
And if a Provider feels they have unfairly withheld benefits (first two points), they could
make a governance vote to allow immediate unbonding of all cross-stake to that consumer.

The last point is a bit trickier. We will not fully define slashing until v1, but the design is
Expand Down Expand Up @@ -201,7 +201,7 @@ Some common terms are defined here, which may be used throughout the documentati
based on misbehavior of that validator.
- **Unbonding period** - The time delay between initiating unbonding and having free access to the
underlying collateral. Once this time has passed after unstaking, all claims on the underlying
collateral are released and
collateral are released.
- **Rewards** - Block rewards are issued to validators in the native token of the consumer chain.
A portion of these rewards goes to the stakers and is collected cross-chain.
- **Slashing** - If a validator misbehaves, the tokens delegated to it, which provided the
Expand All @@ -212,7 +212,7 @@ Some common terms are defined here, which may be used throughout the documentati
prevented from returning. Tokens staked to it would be partially slashed and should be unstaked
as soon as possible, as they will receive no more rewards. Stake to a jailed validator still must
wait the unbonding period to be liquid.
- **Latency** - Time delay from an action being initiated and the effects being reflected in
- **Latency** - Time delay from an action being initiated and its effects being reflected in
another contract or chain. This doesn't refer to the unbonding period, but rather the delay between
initiating bonding or unbonding on the provider and the equivalent action occurring on the consumer.

Expand Down
17 changes: 9 additions & 8 deletions docs/UseCases.md
Original file line number Diff line number Diff line change
@@ -1,16 +1,16 @@
# Use Cases

We assume each chain has a native staking token denom, with some quantity (could be 1 or 1,000,000,000).
This is the initial token to start the chain with. Each provider chain that connects gets a maximum of X virtual tokens, defined by consumer govenance
when authorizing the new provider. The ratio between the amount of native tokens and the max cap
of virtual tokens on each provider is a key element in defining the various security models.
This is the initial token to start the chain with. Each provider chain that connects gets a maximum of X virtual tokens,
defined by consumer governance when authorizing the new provider. The ratio between the amount of native tokens
and the max cap of virtual tokens on each provider is a key element in defining the various security models.

To make these diagrams easier to read, I will normalize each chain has 100 native tokens, and label the
connections on how many virtual tokens they are authorized to mint. Thus, a connection with 100 could
exert the same amount of voting power as all native stakers. A connection with 10 could exert 10% of the
power of native stakers, and a connection of 1000 could exert 10 times the power of native stakers.

(Note this is not clear percentages. 40 / (100 + 40) = 28.5% of the total power in the hands of that provider)
(Note that these are not clear percentages. 40 / (100 + 40) = 28.5% of the total power in the hands of that provider).

## Sibling Chains

Expand Down Expand Up @@ -52,7 +52,7 @@ You could analyze Juno in this example:
Osmosis hits the 1/3 threshold exactly, while native tokens still hold the majority in the governance votes.
Does that make sense, should this be adjusted?

## DAOs migrating to own chain
## DAOs migrating to their own chain

A number of Juno DAOs launching their own chains. They want to inherit most of their security from Juno,
but keep governance to their own token.
Expand All @@ -65,13 +65,14 @@ flowchart TD
Juno -- 300, no gov --> DAO3;
```

Note < 1/3 power in the native token, so all PoS security relies on Juno (while all governance security relies on the DAO token)
Note that less than 1/3 power is in the native token, so all PoS security relies on Juno (while all governance security relies
on the DAO token).

## Almost Replicated Security

Mesh Security is not ICSv1 "Replicated Security". We do not map validators from provider to consumer, but rather delegators.
And the power is the subset of staked tokens that opt-in, so will always be lower than full stake. By design we always require
a native staking token in the consumer chain, but we can approximate "replciated security" for the "fully owned subsidiary"
And the power is the subset of staked tokens that opt-in, so will always be lower than full stake. By design, we always require
a native staking token in the consumer chain, but we can approximate "replicated security" for the "fully owned subsidiary"
use case.

You can launch a chain with a governance token with minimal distribution to bootstrap the chain. Then accept another chain as a
Expand Down

0 comments on commit 3183a02

Please sign in to comment.