SIP-028: sBTC Signer Criteria #186
Conversation
|
Hi Please update the activation criteria to include the voting address as below. Activation Process of ActivationUsers can vote to approve this SIP with either their locked/stacked STX or with unlocked/liquid STX, or both. The criteria for the stacker and non-stacker voting is as follows. For Stackers:In order for this SIP to activate, the following criteria must be met by the set of Stacked STX: At least double the amount of Stacked STX locked by the largest Stacker in the cycle preceding the vote must vote at all to activate this SIP. Bitcoin Yes Address: 3Jq9UT81fnT2t24XjNVY7wijpsSmNSivbK Bitcoin No Address: 3QGZ1fDa97yZCXpAnXQd6JHF4CBC6bk1r4 Stacks Yes Address: SP36GHEPEZPGD53G2F29P5NEY884DXQR7TX90QE3T Stacks No Address: SP3YAKFMGWSSATYNCKXKJHE2Z5JJ6DH88E4T8XJPK which encode the hashes of the following phrases into bitcoin / stacks addresses: Yes to A Decentralized Two-Way Bitcoin Peg Stackers (pool and solo) vote by sending a dust stacks to the corresponding stacks address from the account where their stacks are locked. Solo stackers only, can also vote by sending a bitcoin dust transaction (6000 sats) to the corresponding bitcoin address. For Non-Stackers:Users with liquid STX can vote on proposals using the Ecosystem DAO. Liquid STX is the users balance, less any STX they have locked in PoX stacking protocol, at the block height at which the voting started (preventing the same STX from being transferred between accounts and used to effectively double vote). This is referred to generally as "snapshot" voting. For this SIP to pass, 70% of all liquid STX committed by voting must be in favour of the proposal. The act of not voting is the act of siding with the outcome, whatever it may be. We believe that these thresholds are sufficient to demonstrate interest from Stackers -- Stacks users who have a long-term interest in the Stacks blockchain's successful operation -- in performing this upgrade. |
|
If this sBTC V1 SIP were to go up for community vote. I'd take a look at Multi-sig SIP's voting criteria comment for consistency #152 (comment) Essentially my two suggestions below:
My suggestion would be to change to:
Historically that's what we've done. E.g. in SIP-015 (Stacks 2.1 Upgrade)
Commented in the multi-sig SIP, historically been 66% for context, but I actually think it's great to trial 70% threshold. Recommendation: keep 70%! |
|
How does this sip go with #156 ? |
|
I few nuances to clarify for the public will be great.
2. Number of Signer set
3. Signers voting structure.
|
Updated activation criteria, clarified number of signer set, added detail to the signer voting structure, and cleaned up the language.
Thanks, @Hero-Gamer I have incorporated all of these suggestions into the SIP. |
|
The formatting of this sip is off. I see a sip number referenced, but the PR is adding a single (text) file to the root of the repo. Please create a new file in the format, ex: Secondly - the sip number is already occupied by the emergency SIP process: https://github.com/stacksgov/sips/blob/main/sips/sip-022/sip-022-emergency-pox-fix.md Third - the PR contains a lot of graphics and other data that isn't present in the file being PR'ed. is that by design? If this sip is meant to supersede #156 - can you explain what the differences are, and if that PR is meant to be closed? |
|
hi @andrerserrano please see my comments below Preamble: The preamble is missing several required fields such as 'Author', 'Created', 'License', 'Sign-off', 'Layer', 'Discussions-To', 'Comments-Summary', 'Comments-URI', 'License-Code', 'Post-History', 'Requires', 'Replaces', and 'Superseded-By'. Abstract: The abstract exceeds the 5000-word limit. Introduction: The introduction section is missing. Specification: The specification section lacks detailed technical specifications, code snippets, payload formats and performance evaluations. Need more details on Deposit Accept step. Related Work: This section is missing. Backwards Compatibility: This section is missing. Reference Implementations: This section is missing. Are there any issues/checkins to refer to? |
@wileyj what is the correct SIP number for this?
There are only 200 words in the abstract
The introduction section is formatted similar to SIP 21 with a glossary and problem statement. Going through the rest of the feedback now and will update accordingly. Thanks. |
|
about Bootstrap Signer Eligibility Communication & Availability: towards this, should Signers also have to be public entities ? Ecosystem Alignment: How is this measured or ensured? Are there any security requirements that must be followed by Signers (e.g. hardened deployments, following private key handling best practices? auditable?) |
Renaming to SIP-026
|
|
||
| ### Selection Process | ||
|
|
||
| The sBTC Signer Set will be finalized from the list of eligible Signers, based on the above criteria, by the [sBTC working group](https://github.com/orgs/stacks-network/discussions/469). This process is to ensure that the sBTC Working Group can adjust to any changes in the sBTC Signer Set quickly and without the overhead of an additional community vote. For example, if an sBTC Signer is no longer available to complete their responsibilities, it is imperative for the liveness of the system that the sBTC Working Group is able to implement a suitable replacement based on the above criteria. |
There was a problem hiding this comment.
This process is to ensure that the sBTC Working Group can adjust to any changes in the sBTC Signer Set quickly and without the overhead of an additional community vote.
I think this may be a case of you "saying the quiet part out loud." I can understand the desire to avoid the time costs of a long-running vote, but surely there must be some means for community oversight of the signer set?
There was a problem hiding this comment.
I think once you have an initial signing set, then you can have future SIPs for changing it. Unlike this SIP, I think there's room for SIPs that only change the signing set, which can have shorter voting windows and only require participation from sBTC holders (since they'd be the only stakeholders).
| ### [RBTC](https://rootstock.io/static/a79b27d4889409602174df4710102056/RS-whitepaper.pdf) | ||
|
|
||
| rBTC, Rootstock’s (RSK) 2-way peg protocol, called “the Powpeg,” is a closed membership system. Peg operations settle to Bitcoin via merge mining on the RSK side-chain. Instead of collateralizing the system with a new token, peg operators are incentivized by earning a portion of transaction fees. PowPeg operators keep specialized hardware called PowHSMs active and connected to special types of Rootstock full nodes. Since the Bitcoin blockchain and the Rootstock sidechain are not entangled in a single blockchain or in a parent-child relation, peg-in and peg-out transactions require a high number of block confirmations. Peg-ins require 100 Bitcoin blocks, and peg-outs require 4000 Rootstock blocks. | ||
|
|
There was a problem hiding this comment.
As part of the related work section, can you summarize the important ways by which sBTC differs? This helps the reader understand why sBTC is necessary -- what niche is it filling that these other systems do not fill, and cannot be trivially adapted to fill?
|
|
||
| ## Activation | ||
|
|
||
| sBTC is designed to activate on Stacks Nakamoto as defined in [SIP-021](https://github.com/stacksgov/sips/blob/feat/sip-021-nakamoto/sips/sip-021/sip-021-nakamoto.md). Therefore, this SIP is only meaningful when SIP-021 activates. The sBTC Working Group plans to observe at least 2-4 weeks of network behavior on Stacks Nakamoto to ensure a stable release. After this period, sBTC can be activated on the Stacks network without requiring a separate hard fork. |
There was a problem hiding this comment.
I think a missing but necessary activation criterion will be that the SIP authors put forth the list of signers, and their reasons why they have met the above criteria better than any other candidate (it would also be a good idea to list all of the candidates, even if they did not get selected).
There was a problem hiding this comment.
If the sBTC working group can get together the above data, then at least the SC and user community will not be devolving their authority to advance and ratify SIPs (a strong point of contention I had earlier). The 15 signers would themselves be part of the SIP, as well as the rationale for including them over others. Then, the sBTC working group and its signer set can be held accountable by the user community as part of the activation process.
This also has the nice consequence of avoiding the need for the SC to independently vet the signer set according to the SIP's critiera, which would be very difficult to do as-written due to the ambiguity of the criteria. If there is any contention between the SC and user community with the sBTC working group over the signer set, then we can visit it before activation by way of simply re-considering the ultimate signer list instead of re-considering the means by which they were discovered and ranked.
|
Mostly nits at this point. Great job getting this together! The only significant point of contention that makes this SIP very difficult to ratify is that this SIP still puts too much authority in the hands of the sBTC working group's ability to choose the signers. I can't support this as-is because it would mean that the sBTC working group -- a non-SIP-process body that is not accountable to SIP officers and the community they serve -- would end up with a lot of unrestrained power to decide what happens to peoples' BTC. To avoid this, and to avoid the need to come up with (very complex) means of having the SC validate the signers themselves, I think the SIP authors should do the following prior to activation:
This not only holds the sBTC working group accountable, but also frees them from having to reproduce the vetting process with the SC (some of which can, understandably, be difficult). Also, I think it needs to be explicitly stated that once this SIP activates, the signer set cannot be changed except through a subsequent SIP that supersedes this one. If we need to kick a signer out, or replace signers, then there needs to be an accountable process for doing so (EDIT: such as by having sBTC holders vote on new signing sets). SIPs like this don't need to take a long time to activate; all that's necessary for activation is that the relevant stakeholders have a means to accept or reject the decisions made by SIP officers and authors. |
|
@andrerserrano @aldur I heard from @wileyj, who I understand spoke with you two, and we spoke about how to move this SIP forward. While I think all of the technical comments are readily addressable, it's currently my understanding that you are concerned about the speed at which you can choose a new signing set (should the need arise). And, that concern is the reason why this SIP proposes that the sBTC working group indefinitely retains the ability to unilaterally change signing sets with no community oversight -- something that I oppose on the strongest terms. Community Oversight of the SignersThis SIP proposes a system that is intended to garner significant user and economic traction in the Stacks ecosystem. If ratified, there are three possible outcomes for sBTC:
The first two outcomes are acceptable, and if I had to choose, I'd (obviously) chose the foremost. The third one, however, must be avoided at all costs. What makes this SIP challenging in a way not faced by other SIPs like SIP-010 is that the integrity of sBTC relies on an honest signer set. Indeed, the success or failure of sBTC hinges on the behavior of its signers! It does not matter how perfect the sBTC code is if too many signers go offline or act maliciously -- we can hit outcome #3 solely through signer misbehavior. As such, avoiding outcome #3 requires ensuring that the signer set is honest and online at all times, or as close to it as possible. This not only requires a means of choosing suitable candidates (a process described by this SIP), but also requires a means of identifying, adding, and removing the signers themselves as needed. Offline or malicious singers must be replaced with honest, online signers as quickly as possible to achieve an acceptable quality of service needed for outcome #1 above. But, who decides which signer candidates are trustworthy? It can't be just the SIP authors -- we have no way of knowing who the ecosystem trusts, short of asking the ecosystem itself. But this SIP does not do this. Instead, it proposes delegating the decision-making of which signers are trustworthy to an unelected, unaccountable body that isn't even part of the SIP process. Why should the ecosystem blindly and indefinitely trust the sBTC working group to decide who handles their BTC? Can't the ecosystem collectively decide this for itself? Fast sBTC Signer SelectionThe SIP process is a means for the ecosystem to decide for itself what services the Stacks blockchain should (and should not) provide for them. Since decision speed seems to be the driving concern for choosing sBTC signers, why not extend this SIP to provide a means for the ecosystem to decide the signing set after it it initially proposed? Then, the SIP's ratification would not only choose the initial signing set, but also provide an accountable means for rotating signers. I can see a few ways to do this (this is non-exhaustive):
I'm sure there are other ways to do this, but my point is that signer set agility is feasible today without delegating unilateral authority to the sBTC WG. |
Signer Criteria for sBTC, A Decentralized and Programmable Asset Backed 1:1 with BTC
Abstract
This SIP takes the position that Stacks can play a key role in offering a rich programming environment for Bitcoin with low-latency transactions. This would be achieved with a new wrapped Bitcoin asset, called sBTC, which would be implemented on Stacks 3.0 and later as a SIP-010 token. Stacks today offers a smart contract runtime for Stacks-hosted assets, and the forthcoming Stacks 3.0 release provides lower transaction latency than Bitcoin for Stacks transactions. By providing a robust BTC-wrapping mechanism based on threshold signatures, users would be able to lock their real BTC on the Bitcoin chain, instantiate an equal amount of sBTC tokens on Stacks, use these sBTC tokens on Stacks, and eventually redeem them for real BTC at 1:1 parity, minus the cost of the relevant blockchain transaction fees.
This is the first of several SIPs that describe such a system. This SIP describes the threshold signature mechanism and solicits from the ecosystem both a list of signers and the criteria for vetting them. These sBTC signers would be responsible for collectively holding all locked BTC and redeeming sBTC for BTC upon request. Given the high-stakes nature of their work, the authors of this SIP believe that such a wrapped asset can only be made to work in practice if the Stacks ecosystem members can reach broad consensus on how these signers are chosen. Thus, the first sBTC SIP put forth for activation concerns the selection of sBTC signers.
This SIP outlines but does not describe in technical detail the workings of the first sBTC system. A separate SIP will be written to do so if this SIP successfully activates.