Motion to NOT include ProgPow without audit

progpow

#21

Fully in support of needing a (well-defined and scoped) audit before moving forward with ProgPoW

And included in that audit we should look into the ASIC-resistance claims of ProgPoW and see if they actually stand up to scrutiny. See recent detailed write-up by Linzhi:


#22

I guess most of us would like to avoid to trade our ship’s :ship: diesel engine for that experimental new different technology diesel engine or maybe even warp drive w/o having a clear understanding of the risks associated with that.

This change might have a broad effect in multiple dimensions and various groups have various incentives to either oppose or favour it. That’s to some extend also the problem and should be carried to a different battlefield (“political discussion”). I see people criticising every aspect of the ProgPoW discussion(s) for various reasons and hidden agendas, even the scoping gets its fair share of critics but unfortunately only the minority appears to be contributing or even working on an objective solution, still everyone would like to have one.

If it is likely that ProgPoW happens for whatever reason that might be we should make sure to fully understand the risks, be prepared and treat them appropriately (this includes potentially agreeing on accepting risks if the community wishes to do so - given it permits others to reduce their own risk e.g. by withdrawing their stake from the system). Accepting risks w/o knowing them feels like a bold move - not sure if that would be seen as a trust building exercise. Not doing security due diligence is negligent as summarized by @tvanepps:

Funding: The problem with peer-to-peer relationships appears to be that responsibility (e.g. in preserving the future of the ethereum ecosystem) is distributed across so many people that in the end nobody feels responsible - most people waiting for the others to make a move. It is even kicking off “why should I/groupX fund this” discussion ignoring the fact that we are in this all together. I wonder if this will work out in the end.

Since we’re already discussing security here I’d like to remind people that @boris set up a security discussion slot at the Istanbul & ETH1x Roadmap Planning Meeting - April 17th & 18th in Berlin. Participate, criticise AND contribute/discuss potential solutions.


#23

We have been making risky changes to the client for years now without third-party audits. progPoW has been in the open and under review by experts for almost 11 months now, and experts are still reviewing it. So an audit will good to have, but I can’t see demanding one.


#24

ASIC resistance claims analysis is part of the audit proposal: https://github.com/ethereum-cat-herders/progpow-audit/blob/master/Least%20Authority%20-%20ProgPow%20Algorithm%20Audit%20Proposal%20(v2).pdf


#25

I’d kindly like you to list all the risky changes, along with some evaluation (chance of exploitability / impact if exploited) that have been merged in the clients over the last 12 months (or more if you like). Chance of exploitation is a “?” in progpow, and impact if exploited is beyond imagination.


#26

Copying this here for reference in the hopes that it makes the discussion a bit less fragmented. ProgPow discussed on the AllCoreDevs Gitter: https://gitter.im/ethereum/AllCoreDevs?at=5c9e6a374de4296efc201237

Ideally, let’s keep the discussion here, but I wanted to share the parallel one that happened.


#27

Just to give an observer’s perspective, “people” didn’t articulate anything about the audit. It seemed that ProgPoW was tentatively going to be implemented (judging by the AllCoreDevs calls leading up to Call 54), and then this idea of an audit was presented as a fiat accompli in Call 54. I have been following the development of Ethereum quite closely, and that was the first I had ever heard about an audit. So, from my perspective, I would say that this audit has been thrown up as a barrier to ProgPoW - it was not requested by anyone outside of AllCoreDevs, and no-one seems able to articulate what it is actually for. I agree that ProgPoW needs very careful scrutiny before it is used, but the process by which that is happening is almost comical in its inability to achieve anything.


#28

Exactly. If an audit is needed for all “critical” EIPs across the board, we should explore how to ensure that happens, what “critical” means, and how to fund it on a regular basis.


#29

Just take a look at the hard fork meta EIPs. Most of the changes affect the VM, and so have much higher risk than a change to the PoW algorithm.


#30

Also, please define what “exploit” means.

Here’s a few:

  1. Algorithm totally breaks.
  2. Algorithm disrupts the network.
  3. Algorithm has a hole that allows certain miners to exploit for financial gain.

The Mitigation for all 3 of these is that we just fork back the old code, which is the same as any other EIP. This is hopefully caught beforehand by extensive testing. If it’s not, this is our mitigation.

Yes, it incurs huge overhead costs, but so did Constantinople, and with the intense amount of eyes on this particular proposal, I expect it to have less show-stopping bugs than most other proposals in recent history (otherwise those against would’ve found something by now). If you disagree, look through the proposal and find some bugs. If you don’t feel comfortable doing that, you contribute money to the audit and we get some professionals to do that for us.


Security isn’t magic. It’s hard work. It requires money. This EIP is no different than the others in having problems with funding or security review. If it’s a showstopper for this EIP, I propose all progress on Istanbul EIPs should be stopped until we figure out a way to make sure all get the level of attention and expert review that this one is getting.


#31

Most of the issues surrounding ProgPoW have been entirely political in nature. Based on our (Whiteblock) preliminary evaluation of ProgPoW, I think that basic benchmarking would likely be fairly useless. Most of the code I reviewed in ProgPoW appeared to be harmless at face value, but one thing I saw that really concerned me (not sure if this has been changed since or not) is how it handles randomization. If anything, this should be thoroughly vetted and highly scrutinized. Frankly, I’m surprised no one has brought this up yet (to my knowledge). I’ve kept out of these discussions as much as possible because I don’t want to get involved in a political war, so I’ll just leave it at that.


#32

It would be absolutely, positively, foolhardy to implement ProgPoW without an audit.

Needless risk.

Let’s not do it.


#33

Well, this is my biggest worry - that this change can dominate the next upgrade (or two, if it does not end up going to the first one, or three) for all the wrong reasons. Not because it is urgent, or something is broken, but because someone wanted it and someone else said “Yeah, OK, why not”.


#34

Summary of the entire problem with EIPs right here.


#35

Will you fund security reviews for all EIPs?

They all affect the operation of the network just as much as this one does. Why does this proposal need special treatment? We have the same mitigations in place (forking back to the original) available to us as we do for any other mistakes that get made!

I definitely think an audit is necessary, but I also think audits are necessary for every EIP, not just politically contentious ones.


#36

I also believe ProgPoW should not be included in a fork until an indepdentent audit is completed.

The premise of my argument against ProgPoW is irrelevant here. If the community shows support for ProgPoW I will also support it, after a proper independent audit is completed.

This isnt a trivial change and certainly many changes in the past have not been as well. However, previous changes and many current EIPs are well within the realm of expertise of the core developers. ProgPoW is not. From listening to the Core Devs calls since #38 when ProgPoW was introduced for consideration, it is clear that there is a knowledge gap amongst core devs in fully understanding ProgPoW, I believes this makes them more susceptible to proponents with the requisite knowledge. An independent audit with a report in a level of detail most can understand will go a long way in determining the efficacy and benefite, as well as the shortcomings of the algo.

I firmly support @lrettig’s statement in Core Devs #54 (https://github.com/ethereum/pm/blob/master/All%20Core%20Devs%20Meetings/Meeting%2054.md) in which he supported a pre-audit decision, but relying on the results of the audit for a final go / no go status.


#37

And that pre-audit decision was never made or not articulated clearly - precisely what I was afraid of!


#38

Cross post from https://gitter.im/ethereum/governance


“I care about rational arguments.”

“Phil Daian’s essay is rather convincing. It would have been more useful before January.”

This seems sort of comical. Sorry to single you out @gcolvin, but here you’re basically admitting to not caring about rational arguments and excusing yourself for making the decision without considering them.

Much rational. Such logic.


As for @mhswende’s arguments (https://swende.se/blog/Progpow.html):

Community. As far as I’ve seen, most signals point to ‘the community’ wanting to go ahead with progpow.

This is the signaling argument you don’t like, right? Also our discussion over the last week points to more contention than I most ProgPow proponents expected. Most of us didn’t even realize that the ProgPow decision had “been made” back in January.

Known “evils”. If we switch to progpow, we will keep the ‘same’ ecosystem of miners around.

Who cares? The GPU miners will have their issuance reduced in the coming year anyways as PoS starts to provide finality for the PoW chain.

In my view, a hardfork which updates ethash-hashimoto to ethash-progpow will be the simplest fork we have ever done.

If this was really the case, then why is there so much fuss about getting an audit done? Either it’ll be trivial, and we should do it, or it won’t be trivial, and we should definitely do it.

Ethereum has historically been aimed to be ASIC-resistant… to me, this means that the ‘conservative’ route forward is to keep this model. And conversely, if we are to change this model, then the burden of proof for why we should change this model is on the progpow opponents.

Yea, we should allow ASICs temporarily because:

  1. We’re well on our way to PoS securing the PoW chain, so the ROI on this change is negative for the community (due to coordination cost), and only positive for GPU miners. The ASICs will lose their relevancy over the next 1-2 years.

  2. ASICs do not represent an existential risk at this time, and I don’t understand the fear that ProgPow proponents have of ASIC manufacturers trying to impede PoS. Like, let’s say we start to see more miner centralization, and then they attack the PoS transition by not going along with the fork… who in their right mind would want be on the centralized miner chain instead of the PoS chain, or at least the PoW chain secured by PoS in the meantime?


#39

audits are necessary for every EIP, not just politically contentious ones.

This is a change in the core algorithm (never been done on Ethereum). It seems like a full order of magnitude more risky than the typical EIP change.


#40

That’s the big point of contention I don’t think people understand. In terms of raw technical risk, it is actually fairly small. Most of the implementations have been completed in under a week, and the engineers are fairly confident in them at this point. There is huge execution risk, in that a small mistake could have a major impact. Execution risk is purely short term. If we do a good job, test it, and get it right, that risk does not carry over longer term.

At this point I agree an audit would be a good part of an overall security strategy for this EIP, and a good part of reducing the potential for high impact to the network. The audit proposal, as written today, is extremely broad as far as security audits typically go, including evaluating such claims as “providing better decentralization”. I wouldn’t modify the proposal at this point, but I would say that the majority of the claims to be evaluated have largely been debated and discussed in the community at large and most have been resolved, at least to my knowledge. These claims have very little to do with the software codebase, which is a software security firm’s primary expertise. I expect the debate to continue afterwards, but at least we can all get happy with the code being as well-crafted as possible.

A majority of EIPs affect the core consensus algorithm through EVM execution, which is notoriously difficult to get correct, hence the massive test suite that we have. Many EIPs are way more difficult than this change. We are absolutely underfunding security review across the board for EIPs.