Reduce Root Bundle Liveness to 60 Minutes

Proposal

Header

Title: Reduce Root Bundle Liveness to 60 Minutes
Author(s): Nick Pai
Status: RFC
Submission Date: 04/11

Body

Summary:
Every 90 minutes, a Dataworker proposes a batch of relayer repayments, slow fills, and expired deposits that should be issued based on the events that took place approximately since the last validated bundle. This period of events is equal to the liveness window assuming that the dataworker proposes root bundles very soon after the last one was executed. The liveness window therefore has a significant impact on relayer and LP capital efficiency and depositor UX. Reducing this window from to 60 minutes imposes very little additional security risk while adding a lot more capital efficiency to the system for all Across actors.

Motivation:
The longer the challenge window for the root bundle proposal, the more costs are imposed on the following actors within the Across ecosystem:

• Relayers must maintain a longer look-back for fetching on-chain data in order to reconstruct bundles and determine upcoming refunds, slow fills, expired deposit refunds, and more bundle data.
• The Dataworker must maintain a look-back at least as old as the last known validated bundle in order to propose the next bundle. This results in more RPC requests and longer bot run-times.
• Refunds are sent less frequently to relayers
• Slow fills are executed slower for recipients
• Expired depositors are executed slower for depositors
• LP capital gets held on SpokePools for longer rather than getting returned back to the Hubpool. This reduces the compounding of fees for LPs

Specification & Implementation:

Liveness is currently set to 90 minutes, or 5400 seconds. This proposal will set the liveness to 60 minutes, or 3600 seconds.

Rationale:
The initial Across challenge window was 120 minutes, which was most recently decreased to 90 minutes. Personally, I think 45 to 30 minutes is the limit for this challenge window to remain safe for LP’s, but I maintain that 60 minutes would not affect security assumptions much.

On the other hand, the gain in capital efficiency was already significant going from 120 to 90 and I think it will also be very impactful to drop to 60. I recommend pausing again at 60 before further decreases and assessing the data for several months. Roughly, changing liveness from 90 to 60 minutes will allow Relayer capital to be recycled 33% times more frequently, slow fills and expired deposits will be refunded 33% faster, and Dataworker and Relayer implementations will be able to reduce their block lookbacks for the Deposits and Fills by 33% and save RPC costs on these expensive queries.

The reason why the 90 minute challenge window was chosen is for safety. This is a conservative amount of time for actors called Validators to evaluate a proposer’s root bundle proposal and react if they detect any misbehavior. The difference from 90 minutes to 60 minutes is small assuming it takes the validator less than 5 minutes to recompute a root bundle proposal. Empirically, 95% of validator runs using the example implementation repository will complete in << 5 minutes. This gives automated validators plenty of attempts to recompute a root bundle proposal, even when taking conservative finality assumptions into account. This also builds in enough buffer for a potential disputer to submit a dispute transaction on-chain.

In most cases, if a validator agrees with a root bundle proposal on its first run, it should continue to agree on it on following runs. The only time this changes is when chains undergo deep re-orgs or RPC’s suffer regressions and returns missing event logs. The thinking behind 60 minutes is to give a chance to validators to reconstruct the pending bundle from scratch, without relying on cached data, at least 3-5 times. If an honest validator agrees with a bundle 3 times in a row, then its very likely the root bundle proposal has proposed the “correct” bundle. This assumption gets violated if the proposer and the disputer are both relying on RPC’s that happen to be incorrect for the full liveness window. This is why both validators and proposers are usually configured to fetch data from multiple RPC providers and compare them before reacting.

Downside (Cons):
See the security concerns in section above. There is a very real tradeoff between UX, capital efficiency, and security with any decision affecting the liveness period.

Takeaway:
I think that this proposal will be a big benefit for relayers:

• More frequent capital recycling leading to more compounding of profits

with a medium benefit for the dataworker:

• Can maintain a shorter lookback and reduce its RPC reliance

without significant downsides for relayers:

• a 60 minute challenge window is still plenty long enough to not impact volatility of repayment times because it gives challengers enough time to comfortably validate the a bundle multiple times post-probabilistic finality period for all L2s

Voting:
Yes: Set challenge window to 60 minutes

No: Keep challenge window at 90 minutes

Transaction Calldata:
Target: HubPool
Function: setLiveness
Parameters: 3600

oSnap Proposal: Snapshot

I love the idea. As long as the balance you mention is maintained. I also like that the waiting time for users would be shorter in cases of high demand.

this will be a big improvement. agree that security seems not significantly impacted particularly if there is a proposer whitelist

I lean in favor of this proposal because I believe the benefits outweigh any additional risk incurred by shortening the liveness period, provided it doesn’t come at a significantly greater cost to the dataworker/proposer. Third-party relayers would be able to recycle their capital much more quickly, and such a change would allow relayers (especially those with less capital) to choose to fill larger relays.

I support this proposal, and wonder if pushing the liveness window even lower could be made more secure if you had a way to prove that multiple disputers are online, using multiple RPC providers.

Relayers are a vital part of the Across ecosystem. While I’m not familiar with all the technical details, this proposal seems like it would make their work a bit smoother. Smoother operations for relayers benefit the whole system. There’s a mention of a security consideration, and that’s important. But Across has a great track record, so I’m confident the team can handle it. Let’s support our relayers!!!

Thanks everyone for the comments so far. I’ve also received some very helpful feedback on Discord from _gr_ and mydefi. It seems to me that I should slightly reframe this proposal as being a big benefit for relayers:

• More frequent capital recycling leading to more compounding of profits

with a medium benefit for the dataworker:

• Can maintain a shorter lookback and reduce its RPC reliance

without significant downsides for relayers:

• a 60 minute challenge window is still plenty long enough to not impact volatility of repayment times because it gives challengers enough time to comfortably validate the a bundle multiple times post-probabilistic finality period for all L2s

I have proposed this to oSnap, please take a look and vote! Snapshot