Bridges, Plasma, and UTXO Tokens
After implementing a first version of my trustless bridges concept, I have been doing a lot of thinking around scaling Ethereum. This began as a research project at Grid+ to give us a way of operating at a low cost point (i.e. not on the mainnet) and continues to evolve with the research going on more broadly in the Ethereum community. While the current version of our trustless bridges is usable (though likely not bug-free), we continue to iterate and think through design patterns.
Although our trustless bridges are topologically similar to plasma, there is a fundamental difference, which turns out to be quite important: plasma allows users to withdraw on the parent chain, while bridges require that withdrawal to begin on the sidechain. This is important for threat models because if we assume the sidechain is compromised (or can become compromised), the plasma design has a security guarantee that the flat bridge architecture does not — namely, that you can always withdraw your money, even if the sidechain grinds to a halt. (Credit to Jeff Coleman for showing me the light at EthDenver).
There are several design decisions I’ve talked about with the bridges (incentivizing data relaying, Merkle roots of block header hashes, social consensus) that can be transferred to a plasma system. I think it’s important that we (and everyone in the community) maintain an open mind and try more experiments around scaling that utilize different pieces of the puzzle. Each decision has tradeoffs, and we will see many systems in play as Ethereum grows to meet global demand. With that said, in the following article I’d like to explore the possibility of using plasma-like withdrawals in the bridge system that I’ve discussed and developed previously.
Fraud Proofs
The plasma MVP currently being developed by OmiseGo is a great codebase from which to learn, and I encourage my readers to check it out. As reflected in the plasma MVP, OmiseGo has opted to implement plasma using a UTXO-based sidechain wherein deposits from the main chain are created out of thin air. This should give you no concern, since honest withdrawals are guaranteed via plasma withdrawals — for example, if someone is creating a bunch of tokens for himself, you can happily exit with all your unspent tokens.
One of the reasons for using a UTXO child chain is that fraud proofs turn out to be very easy. In the plasma MVP, a user may initiate a withdrawal, which can be ‘proven’ malicious by showing that the user already spent the UTXO he is trying to withdrawal. This is done by including the signed transaction that was played on the plasma chain where the user spent that UTXO, which would trigger a cancellation of the pending withdrawal on the main chain. This challenge procedure is known as a ‘fraud proof’. Note that even in a case where a hijacker prevents a user from using the child chain altogether (e.g., by refusing to broadcast the user’s transactions or include them in blocks on the plasma chain), the worst case scenario is that the user pays gas on the mainnet to withdraw her ether/tokens.
Interestingly, the story gets more complicated in the case where the plasma chain is an account-based rather than UTXO-based system. To prove that a withdrawal from an account-based plasma chain is malicious, you would likely need to prove on the EVM what the user’s current balance on the plasma chain is. This seems comparatively difficult, and I can only imagine a few ways to get there: 1. passing to the mainnet the transaction data for every token transfer the user has ever made on the child chain, or 2. changing the ERC20 token standard. Of course, there are smarter people than me working on these things so I reserve the right to be pleasantly surprised.
The general problem I see with account-based withdrawal is fungibility of the tokens — UTXO systems cleverly make tokens both fungible (in that you can spend multiple token units, which are equivalently valued) and non-fungible (in that every ‘packet’ of tokens is tied to a particular user and has a particular identifier). It is clear that UTXO is a wonderful model with which to work in plasma withdrawal systems, so I have been thinking about how it will be used in the future — is it simply a means for a simplified MVP or does Omise (and/or others) plan to use UTXO tokens for production-level plasma chains?
UTXOs on the EVM
I believe it is worth exploring a plasma chain system which operates using the EVM, but whose significant monetary value is tied up in UTXO tokens. This can be accomplished by a standardized UTXO token contract, which lives on the child chain. In the child chain, there would be “child ether” required for computations; however, this child ether would likely be much less valuable than mainnet ether because it would not be guaranteed by withdrawal in the plasma court.
Furthermore, funding of the plasma chain does not need to derive from valuing ether. One can imagine the protocol requiring a small fee to enter the system, which pays for maintenance of the plasma chain. Note that the dependence of such a system on the fee-recipient would result in a highly centralized — perhaps even PoA-based — plasma chain, but that may not be problematic because of aforementioned security guarantees. In a system funded by fees, a faucet for “child ether” would be easy to establish, allowing users to move their UTXOs for zero marginal cost.
A UTXO contract destined for the EVM-based child chain would be fairly easy to implement. It would have three main functions:
- create — an authority may create new UTXO tokens that are based on mainnet deposits
- spend — an owner of a UTXO may consume it, producing two outputs (unless the entire value is spent, in which case only one output is produced). This destroys the original UTXO
- spendFrom — a contract may initialize the spending of a UTXO owned by an account who has previously authorized it. This would allow UTXO tokens to power applications (in terms of fees, not gas — ether is still needed for the latter) and provide liquidity.
I have crafted a simplified system in this gist, which was later improved by Maurelian here. In this system, a UTXO looks like this:
{
owner: <address>,
value: <uint>,
createdBy: <bytes32>,
id: <bytes32>
}Creating Tokens: Because we don’t need to trust the monetary policy of the plasma chain, we allow an authority to create UTXO tokens out of thin air, which in normal practice map 1:1 to deposits on the main chain.
Spending Tokens: When a user spends a UTXO, it gets split into one or two new UTXOs, depending on the amount. For example, suppose someone owns this:
{
owner: '0x...ab',
value: 10,
createdBy: '0x...0',
id: '0x...1'
}and spends 5 units. This creates the following two UTXOs:
{
owner: '0x...ab',
value: 5,
createdBy: '0x...1',
id: '0x...2'
}{
owner: '0x...ac',
value: 5,
createdBy: '0x...1',
id: '0x...3'
}
The original UTXO (id=0x...1) is consumed and deleted from the system, i.e. it cannot be spent again.
Economics of Plasma Withdrawals
Consideration should be given to the incentives that various players would have in a plasma system, with perhaps the most important one being the incentives of a malicious user. Let’s take a simple example where Bob has made a deposit of 1,000 ETH on the mainnet in order to receive 1,000 tokens on the plasma child chain, and now wishes to withdraw his 1,000 ETH on the mainnet. If he has already spent his 1000 token UTXO on the plasma sidechain, he should not be able to withdraw his 1,000 ETH onto the mainnet.
However, the prospect of being able to spend 1,000 tokens on the plasma child chain while also withdrawing 1,000 ETH on the mainnet — essentially a cross-chain “double spend” — is a considerable incentive for Bob to attack the system. One such attack would be for Bob to post repeated withdrawal requests to the mainnet contract, forcing others in the system to repeatedly incur costs by submitting fraud proofs to prove his withdrawal is malicious. Bob would hope to eventually exhaust watchers of the network — if the defenders are not directly incentivized to prevent these withdrawals (or if the cost of them submitting fraud proofs may eventually exceed the size of their potential rewards), the system shifts to one that favors attack, especially since defensive transactions, which must include fraud proofs, would then be more costly than offensive ones.
One possible way to disincentivize such “withdrawal attacks” might be to add a ‘stake’ bound to the user’s deposit and/or withdrawal. In the above example, Bob would be required to make a 10% (100 ETH) ‘security deposit’ when initializing the withdrawal request (this number is simply an example — it just needs to be high enough to incentivize defense). The deposited ether would be fully refundable after the withdrawal is carried out successfully (i.e., after the challenge period expired without submission of a fraud proof), but would be awarded to a defender who proved Bob spent the 1,000 token UTXO on the plasma chain and thus should not be permitted to withdraw the corresponding 1,000 ETH on the mainnet.
Why, you might ask, is Bob required to make an additional 100 ETH deposit as his ‘withdrawal stake’, when he already deposited 1,000 ETH in order to enter the plasma child chain in the first place? Why can’t that initial 1,000 ETH serve as his stake? Well, in the scenario we are positing, he already has spent that ETH by spending the corresponding plasma-chain UTXO. Thus, he no longer cares whether that ETH is forfeited, so losing it would not be punitive. Moreover, that ETH now rightfully belongs to one or more other plasma chain users — and so it cannot be spent to reward defenders who successfully submit fraud proofs. Thus, there is inevitably a need to inject ‘new money’ into the situation to serve as the stake.
Research and Development
As the ecosystem evolves, we are becoming increasingly confident that solutions will emerge which harness the security guarantees of the Ethereum mainnet while reaching global demand at a reasonable cost. Plasma is one way to increase the throughput of the system at a fixed cost per transaction (this means it is not technically a ‘scaling’ solution, but is nonetheless useful). The setup of a plasma system is also important, as there are various economic implications of a poorly designed plasma anchor.
At the same time, we do not currently have any live plasma implementations under operation. We believe there are many areas to be tested in plasma/bridge systems, many of which we have discussed in previous articles. We would like to see a system that utilizes social consensus for relaying of child chain data but also retains security guarantees of the mainnet when it comes to withdrawals.
At Grid+ we want the best for Ethereum and are continuing to research a scaling solution that can be ready by the time we launch. The current direction points to a bridge design with a modified withdrawal mechanism to resemble plasma and UTXO tokens of value held on the sidechain. Higher order functionality can be extended to these UTXO tokens, but sometimes at risk of decreased security. This is an area of future research.
We anticipate continuing to engage the broader Ethereum community in dialogue regarding research into Ethereum scalability as part of maintaining a research and educational presence for the Ethereum community. Onwards and upwards.
Thanks to Jeff Coleman for insights, Mark D’Agostino for brainstorms, and Gabe Shapiro for feedback and edits of this post.
