Here’s an idea for how to construct the Athena challenge protocol such that the only L1 miners that have to execute the Athena VM code are the block proposers and Hare participants for the layer in which the challenge is adjudicated.
It also allows the auxiliary challenge data to be pruned after Hare execution is complete.
High-level overview
TL;DR: L1 full nodes don’t verify challenges at all – they “blindly” trust the Hare committee to put only correct challenges in the block, and slash any L1 security deposits that need to be punished according to the block.
However, the rewards for successful challenges are given in Athena funds. So L1 miners never allocate rewards — only Athena executors do. The (honest) Athena executors know the correct Athena state, so they don’t have to trust the Hare participants to decide which challenges are correct Thus, they can refund deposits that were erroneously slashed at L1.
In a bit more detail
Executor state commitment
Eligible executors publish a state commitment for the layer they are executing. The commitment is conditional, and has the form:
“if the cumulative layer hash at layer i is L then the correct state hash after executing all blocks up to (including) layer i is h.”
In addition, the state commitment can include a list of “Athena→L1” messages. These affect L1 state, and are parsed by L1 miners with a delay (e.g., 50 layers after the block in which they appear),
(This assumes the previous layer’s block, that is included in the layer hash L, has a correct state; if not, the executor must issue a challenge instead).
Challenge format
If an executor state commitment in the previous layer is incorrect, the challenger sends a transaction that includes:
-
The correct state hash (in the same format as the executor state commitment)
-
Auxiliary data: The data from Athena state that is required to execute the block and recompute the state hash after all modified data is written. This data is included along with Merkle paths to the previous (correct) state hash.
For example, if the block contains a transfer from account A to account B, the data would include the balances of A and B.
(We’re assuming here the challenge is for the latest state, to simplify the exposition)
Challenge protocol
- Every challenger and every executor must have an L1 security deposit in order to be eligible.
- We call a challenge “valid” if it is signed by a challenger that has a valid L1 deposit.
- L1 miners will not gossip invalid challenges. Note that checking validity does not require execution of the Athena VM.
- We call a challenge “good” if it is valid and when executed gives the correct state.
A proposal and a block has only a single “slot” for a “good” challenge.
Constructing proposals
- Every L1 miner that is eligible to generate a proposal is responsible for executing all valid challenges (actually, it’s enough to execute a single “good” challenge — once the correct state is known, every challenge with a different state is clearly bad). The miner will choose at most one good challenge to include in the proposal (it will include all valid bad challenges.)
Constructing the block
- Hare participants must also execute all valid challenges included in proposals.
- If a proposal has a bad challenge in its good challenge slot, the miner will vote against that proposal.
- When constructing the unified content block, a single good challenge from the selected proposals will be chosen for the block’s good challenge slot. All the bad challenges will also be included in the block.
- The only data that needs to be stored for each challenge is the challenger’s ID (to allow reward/punishment) and the claimed correct state.
Executing a block with challenges
Challenges in the block have effects both on L1 and Athena state.
- In L1:
- if a challenge appeared in the “good” slot of a block, then the L1 security deposit of every conflicting executor is burned.
- if a challenge appeared in one of the bad challenge slots, then the L1 security deposit of the corresponding challenger is burned.
- In Athena:
- Executors behave differently depending on whether a challenge is actually correct. Note that executors don’t need extra data to verify a challenge – they have the entire Athena state and know the correct state hash for every layer.
- Correct challenge:
- If the challenge appears in the “good challenge” slot of a block, some part of the burned executor security deposits are transferred to the Athena account of the challenger.
- If the challenge appears in on of the bad slots of the block, some part of the burned challenger security deposit is transferred to the Athena accounts of the block proposers and Hare participants that validated the challenge (maybe also to the executors executing this block).
- Incorrect challenge:
- An “Incorrect challenge” message is added to the Athena→L1 message list. L1 miners that process this message slash the corresponding deposits.
- If the challenge appears in the “good challenge” slot of a block (i.e., some honest executors were incorrectly slashed), the value of the burned executor security deposits is transferred (refunded) in full to the Athena accounts of the executors that were harmed. (alternatively, an Athena→L1 transfer message can be output, as if the executors have just transferred the funds from Athena back to their L1 accounts)
- If a challenge appeared in one of the bad challenge slots of the block (i.e., the challenger was incorrectly slashed), the value of the burned challenger deposit is refunded to the challenger’s Athena account (or directly to the L1 account via an Athena→L1 message).
Analysis
If the honest-majority holds for the Hare, then only good challenges will be accepted, the malicious executors’/challengers’ L1 deposits burned, and the rewards for good challengers deposited in their Athena accounts.
If there is a temporary dishonest majority in the Hare, then the block may contain incorrect challenges. In that case, once honest majority is restored, the honest executors will refund any incorrectly burned deposits. A dishonest majority can still cause some damage to honest executors (there will be at least a few layers in which they do not have their security deposit, so they won’t be eligible to execute), but not too much. In particular, they can’t steal the deposit funds from honest executors or challengers.
The “incorrect challenge” Athena→L1 messages are a little tricky, because a malicious executor can generate bad messages (along with bad state). However, this will only have an effect if there are no honest challenges during the entire delay period (the time from when the messages are published to when the L1 miners process them). So this should only happen extremely rarely.
If it does happen, the same mechanism can be used recover — slashed L1 deposits will be refunded to Athena accounts by honest executors.