pNetwork Security and progressive decentralisation
Updates on our progress and decentralisation roadmap
The pNetwork is the increasingly decentralised layer powering and governing the cross-chain pTokens solution. As part of the project’s progressive decentralization roadmap, a growing number of decentralized components are being introduced to the system.
An important element when building the next generation of financial instruments is to make them accessible to everyone, rather than having their audience restricted by technical barriers. An inherent challenge of this is the need to untangle complex technical concepts into easily understandable axioms.
Such a process sometimes leads to the oversimplification of concepts, making properties appear either black or white when they are truly different shades of grey.
An example of this is the so-called “mint function” (function mint(address to, uint256 value)) that often appears in smart contracts. It is commonly understood by non-technical crypto enthusiasts that token smart contracts presenting a “mint function” in their code are to be avoided as a token investment. While it has been misused in the past as a hidden instrument leveraged non-transparently by projects’ teams, the “mint function” enables a variety of interesting and powerful use-cases and is implemented within a variety of token smart contracts (e.g. it may be used for rebases and other similar dynamics).
Another well-established notion is the one of “decentralization” — systems need to be decentralized for them to be truly adherent to the values of blockchain technology, and projects need to be decentralized for them to be secure.
While full decentralization is the goal, systems cannot easily be labelled either as centralized or decentralized — does a project implementing a multi-node structure but maintaining full control over the decision making qualify as centralized or decentralized? Does an anonymous team align with the philosophy of permissionless finance (since there is no easy target for an attacker who may want to influence/control the network) or does it cause trust issues (no reputation at stake)? Unfortunately today, due to excessive oversimplification and easy manipulation of information, projects are erroneously labeled as either centralized or decentralized, regardless of their current status.
(Hint: very few DeFi projects are currently truly decentralized, but many are making good progress in becoming increasingly so.)
In its initial phase, the pTokens system is underpinned by Trusted Execution Environments (TEE) to give transparency guarantees around the cross-chain movement of assets (more on this below). In line with the project’s progressive decentralization roadmap, a Decentralised Autonomous Organization (DAO) was introduced earlier in Q3. The pNetwork DAO is the first major step towards decentralising the pTokens system, encouraging community participation and removing any exclusive governance powers from the main development team.
Below, we dive into the current level of decentralization of the pTokens system and describe the next steps towards Phase 1.
Security practices — transparency and continuous auditing
Following the successful audit of pTokens, we adopted earlier this year a continuous auditing approach for all future pNetwork development initiatives.
Auditing serves as an important intermediary in the development of DeFi projects. With the assistance of neutral and reputable third parties, auditing ensures that smart contracts have been configured according to best practices and that all processes are operating as intended.
While YOLO-ing on unaudited projects may be acceptable in the short-term, we believe security and transparency are essential elements for DeFi’s long-term growth.
The continuous auditing approach we have adopted introduces a new auditing standard and is a best-in-class auditing process that sees the continuous technical review of code (every change is audited before going to production!).
Although blockchain technology is inherently transparent, immutable, and secure, it’s important to understand that projects within DeFi can be as innovative as they are vulnerable. In order to eliminate potential breaches, and fuel positive growth in the market, we are implementing a new auditing standard that delivers frequent, recurring evaluation by industry experts.
Such a continuous auditing process aims to heighten the bar in the DeFi ecosystem in terms of a project’s security. The “audited” label on a project doesn’t always mean that the code running in production is the one that has been audited — later changes might have been applied to the original code that do affect its security. As we commit to building exceedingly secure systems for the DeFi ecosystem, a continuous auditing process shows our unwavering commitment to security and transparency.
The continuous auditing process of all pNetwork development initiatives is performed by Cryptonics Consulting. Previous reports are available here.
While Ethereum smart contracts backing both pTokens and pNetwork are available for anyone to review on Etherscan, all of the code (including off-chain components) is open source and can be found on the relevant GitHub repositories.
Specifically, the “pTokens Core” repository contains the code for the central library of the pTokens bridges, which implements light-clients for various blockchains and manages the cross-chain conversions between a host and a native blockchain.
The open-source nature of the code enables anyone to review the entire system and contributes to making the pTokens bridges transparent.
pNetwork DAO — decentralized governance
In their initial phase, the pTokens bridges were governed exclusively by the development team. This has facilitated the set-up and has sped up the preliminary stages of the project. The pNetwork DAO was the first major step towards decentralising the pTokens system, encouraging community-participation and removing any exclusive governance powers from the main development team. This is a critical component in the context of any truly decentralized system.
Anyone holding $PNT is able to participate in the governance of the project by staking and voting on various proposals. To incentivize and reward this active participation within the pNetwork DAO, holders earn rewards (42% APR during the first year) on their tokens at stake.
The pNetwork DAO has been created using Aragon, a global platform for hosting and managing community-run initiatives and online organisations. It comprises four main elements: a staking app, a voting app, a rewards app and the steroids app. These apps interconnect and communicate with each other via the Aragon platform. Using the Aragon framework, we designed custom Aragon apps so they could be added to the core DAO infrastructure, allowing extra functionalities to be added. The code for each app is available on GitHub.
These apps can be consistently upgraded with new logic and rules as the DAO evolves, thanks to the DAO's ability to upgrade itself.
The interaction with the DAO is possible via the Aragon interface (recommended for users who need advanced functionalities, such as staking on behalf of other Ethereum addresses or interacting with the Steroids yield farming programme) and via the Eidoo app (facilitating the interaction for users who need basic staking and voting functionalities).
Members of the DAO are called to vote and decide whether or not to approve any proposal opened in the DAO. Past proposals include pTokens-related decision making as well as strategic approaches to grow the pNetwork ecosystem (available here). Currently, proposals can only be opened by the main development team — this prevents an unnecessary overload on the DAO. While we are committed to consider community suggestions and scale them up to DAO proposals when there is a need for it (the very first DAO vote was indeed a suggestion coming from a community member), we understand this is a limitation.
A first upgrade of the DAO will enable entities other than the main development team to open proposals as part of the community-governed system. Specifically, knowledgeable and reputable entities in the ecosystem will be invited to join the pNetwork DAO and play a key role in the active governance of the system.
Towards pNetwork Phase 1 — many nodes to sustain the network, plus the TEE hardening!
In its initial stages of development, pTokens have been backed by a single validating node — we call this stage of the system “Phase 0”. Following its kickoff, the plan is for the pTokens system to undergo a series of upgrades to achieve a fully decentralized structure.
As mentioned earlier, the launch of the pNetwork DAO was the first major step towards decentralising the pTokens system. Further upgrades are planned to achieve a fully decentralized network of validators, the pNetwork, where multiple operators (namely, validators) will ensure there is no single point of failure.
Validators are node operators with special signing capabilities — they are an essential component of the network as they validate the asset switch from one blockchain to another (peg-in and peg-out) in a secure and decentralized fashion. Validators are required to cooperate and perform the cross-chain movement of assets after they have all independently verified the external blockchains’ conditions.
The first system upgrade of pTokens is planned for the first part of Q4 2020 and it will see a major shift from a single validating node to a network of validating nodes. Such an upgrade will scale up the project to its “Phase 1”.
During Phase 1, security over the crypto assets locked into the pTokens system will be achieved via a “smart” multisig. While requiring multiple keys to authorize a blockchain transaction (which is how multisig works), the specific multisig structure implemented by pNetwork Phase 1 requires each key holder to additionally use Trusted Execution Environments (TEEs) to cooperate (more on this below). Specifically, each validator will operate one or more enclaves within one or more TEE-enabled devices. Key-pairs required to perform the cross-chain movement of assets are generated and managed by these enclaves. This is a fundamental component that guarantees transparency and security to the cross-chain movement of assets — more on this in the next section.
Validators in the network are in charge of multi-signing transactions for the cross-chain transactions (peg-in and peg-out) to happen.
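The acceptance rule a “smart” multisig of this kind implies, as an added example that is not pNetwork's code: an approval counts towards the threshold only if it is signed by a key bound, through an attestation quote, to the expected enclave build. HMAC-SHA256 stands in for both the validator signature and the hardware vendor's quote signature, and every name, key and value below is constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-ins (assumptions): HMAC-SHA256 replaces the validator's
# transaction signature and the hardware vendor's signature over a quote.
VENDOR_KEY = b"constructed-vendor-root-key"
EXPECTED_MEASUREMENT = hashlib.sha256(b"constructed-audited-enclave-build").hexdigest()


def _mac(key: bytes, *parts: str) -> str:
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()


def make_approval(validator_id, enclave_key, measurement, tx):
    """Build what one validator's enclave would submit for a transaction."""
    key_id = hashlib.sha256(enclave_key).hexdigest()
    return {
        "validator": validator_id,
        "key_id": key_id,
        "measurement": measurement,
        # The quote binds the enclave key to the code measurement.
        "quote": _mac(VENDOR_KEY, key_id, measurement),
        "signature": _mac(enclave_key, tx),
    }


def authorize(tx, approvals, enclave_keys, threshold):
    """True only if `threshold` distinct validators approve `tx` with a valid
    signature from a key attested to the expected enclave build."""
    accepted = set()
    for a in approvals:
        key = enclave_keys.get(a["validator"])
        if key is None:
            continue  # unknown validator
        key_id = hashlib.sha256(key).hexdigest()
        if a["key_id"] != key_id or a["measurement"] != EXPECTED_MEASUREMENT:
            continue  # key is not bound to the expected enclave build
        if not hmac.compare_digest(a["quote"], _mac(VENDOR_KEY, key_id, a["measurement"])):
            continue  # attestation quote does not verify
        if not hmac.compare_digest(a["signature"], _mac(key, tx)):
            continue  # signature is not over this transaction
        accepted.add(a["validator"])  # a set, so a repeated approval counts once
    return len(accepted) >= threshold
```

The cases worth reading are the rejections: a repeated approval, an approval from an enclave reporting a different measurement, and a signature over a different transaction all fail to reach the threshold.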
The upgrade from single validator to network of validators is designed to improve security by removing a central point of failure. Specifically, the network of validators ensures a more reliable service (the system will be less prone to downtimes thanks to a larger number of available nodes supporting it) and a censorship-resistant structure.
The first pTokens system upgrade will open the network to a set of known parties by reducing the development team’s control over the project.
Additional security guarantees — Trusted Execution Environments
A Trusted Execution Environment is a computational environment that is isolated from the main operating system running on a given device. Such isolation is achieved via both software- and hardware-enforced mechanisms. In simpler terms, a TEE is a secure sandbox where code executions can be performed with a higher level of security compared to using a normal server.
In general, a TEE runs a small-footprint operating system which exposes a minimal interface to the main operating system running on the device. This smaller footprint reduces the potential attack surface of the TEE. Because of this, TEEs can run applications with high security requirements, such as cryptographic key management, biometric authentication, secure payment processing and DRM.
Unfortunately, TEEs are widely misunderstood. To explain it in simple terms, let’s assume you have a multisignature wallet with N keyholders — would you prefer each keyholder to keep their private key in custody as they wish or would you feel more comfortable knowing that they are all safeguarding it on a hardware wallet kept in a safe live-streamed 24/7? The latter doesn’t guarantee their good behaviour but it surely makes thefts and misuses less practical.
The easiest way to look at TEEs is to simply consider them as the hardening of a node. The trust factor is still there, but gets minimized. Abuses are still possible, but way more expensive. Ultimately, there is no reason to prefer a non-hardened setup over a hardened one.
The use of TEEs within the pTokens infrastructure gives unique transparency guarantees to users (or anyone who wants to review the process) around the status of the validating network.
While blockchain-based code executions are inherently transparent as their on-chain nature makes them available for anyone to review, off-chain components do not have this same property. Off-chain components serve an important role in the blockchain ecosystem as they enable blockchain technology to go beyond its boundaries. For example, off-chain components enable smart contracts to be connected with real-world data as well as allowing cross-chain communications.
Thanks to the use of Trusted Execution Environments, full transparency is guaranteed on the whole cross-chain movement of assets (including all off-chain operations).
The secure sandbox (TEE) where pTokens bridges run can ensure at any time the integrity of the node, and guarantee a secure and fully auditable execution of all minting and redeeming processes. In fact, an inherent property of TEEs is their ability to cryptographically demonstrate the correct execution of a given computation. In the pTokens case, such a computation is the meeting point of the native and host blockchains, specifically the triggering of a pTokenised asset issuance on the host blockchain whenever a deposit of the corresponding underlying asset is detected on the native blockchain.
Because the key-pairs needed to perform such cross-chain actions are generated and managed via TEEs, the system produces unique transparency guarantees for anyone interacting with pTokens.
Trusted Execution Environments have been securing the pTokens bridges since the very beginning. DeFi enthusiasts have no blind spots when using pTokens as they benefit from the full transparency of the system.
Going forward, this solution will still be used as additional protection, yet it will be paired with a security-oriented, increasingly decentralized approach as explained in previous sections of this article.
TL;DR The pTokens system is not perfectly decentralized yet, but it stands out today for its best-in-class security practices and the transparency guarantees it provides.
🔗 For any blockchain project looking to integrate pTokens into their infrastructure, we have also built a pTokens JS library.