Tari Protocol Discussion 20

On Monday, the Tari community discussed how pruned and archival nodes might sync with each other and handle re-orgs. Below is the TL;DR on Monday’s conversation (full transcript included below):

Archival nodes:

  • Necessary as a safety backstop
  • At least one honest archival node required to recover from a deep re-org (a deep re-org is one that goes further back than a node’s pruning horizon)

Pruned nodes:

  • Maintain a subset of all past blocks
  • How many blocks should pruned nodes track before pruning (pruning horizon)?

Join us for our next discussion on Freenode in #tari-dev.

Discussion times proposed by the Tari community:

Mondays: 6pm CAT (11am EST)

Thursdays: 11am CAT (4am EST)

To keep up with the latest Tari developments, you can follow the project on Twitter.

Transcript of Monday’s discussion

10:58 AM <@cjs77> We'll be answering your questions -- particularly around how nodes can sync / seed /  handle re-orgs in pruned mode & archival node
10:58 AM <@cjs77> But any other Qs are ok too :)
11:02 AM <Blackwolfsa> Thanks, that's probably the biggest negative point with typora, no built in spell checker
11:04 AM <@cjs77> IntelliJ's Markdown navigator plugin does a great job -- maybe check that out
11:05 AM <@cjs77> Instead of repeating everything here, I think the RFC PR https://github.com/tari-project/tari/pull/102 covers all the bases ..
11:05 AM <@cjs77> Thanks blackwolfsa for writing it up;
11:06 AM <@cjs77> If there are any comments about it, feel free to brig it up.
11:07 AM <@cjs77> One thing that one might pick up is that a big re-org happens past the point of the `PruningHorizon`, pruning nodes are stuffed.
11:08 AM <Blackwolfsa> Yes please
11:08 AM <@cjs77> So it highlights why some archival nodes are necessary as a safety backstop
11:08 AM <Blackwolfsa> Yes you have two choices there, find an archive node or a node with a higher pruning horizon
11:08 AM <@cjs77> (But also note that Grin implements the same strategy)
11:09 AM <Blackwolfsa> Technically it's not a nessasity. You can just sync with the node that provided you with the longest chain
11:09 AM <Blackwolfsa> Pow chain that is
11:09 AM <tk___> if im not a block explorer (or the NSA) what would be the incentive (not financial per se) to run an archival node?
11:10 AM <@cjs77> Or an exchange..
11:10 AM <@cjs77> But none, really :)
11:10 AM <tk___> hmm i see
11:10 AM <@cjs77> Blackwolfsa: good point. There may be a distribution of nodes with different pruning horizons
11:11 AM <@cjs77> I was assuming that most folk run with the default setting :)
11:13 AM <Blackwolfsa> Even then it's not required. We should just ensure our defaults are chosen in such a way to ensure its statistically safe
11:14 AM <Blackwolfsa> For example let's say it's something stupid like 5, you will get the complete header information and then the 5 blocks to satisfy your horizon
11:15 AM <simian_za> what is the proposed default horizon?
11:15 AM <Hansie> Wallets may benefit from services provided by archival nodes as they need some kind of proof that the view of the blockchain they see is real. Some wallets could potentially offer better security than SPV.  This may mean that they want to look at a pruned view of the blockchain going past the pruning horizon.
11:17 AM <Blackwolfsa> But why would a wallet want to look at the history?
11:17 AM <@cjs77> It's 5,000 on Grin, right? But maybe we can have an installer that allows users to select "safe" (10,000), "med" (5,000), "small" (2,500) -- in the absence of an installer the docs for the config file provides this guidance. That way we can be more confident of getting a distribution
11:17 AM <Blackwolfsa> It has even less motivation to due to then a base node
11:18 AM <Hansie> Trust
11:18 AM <Blackwolfsa> Unless I am missing something completely. Wallets only care about its own utxo, not even the other utxo
11:18 AM <Blackwolfsa> What trust? Wallets don't track consensus rules?
11:19 AM <simian_za> The only benefit of seeing the full history is to recover from a reorg, other than a major reorg a non-pruned view of the blockchain has no extra security features?
11:19 AM <neonknight> It seems as if the largest bitcoin reorg was 53 blocks in 2010 and after that only 4.
11:19 AM <simian_za> so 5000 blocks is 3.5 days which seems fairly solid
11:20 AM <simian_za> assuming a 1 minute block time
11:22 AM <@cjs77> Big reorgs are either: a 51% attack, or due to a network partition. Either is really bad if it leads to a reorg of even 100 blocks; but you should be able to get the entire network back in sync no matter how deep the re-org.
11:23 AM <ixside> Is there a ratio of archival nodes to pruned nodes that must be met to recover from a deep re-org?
11:24 AM <@cjs77> Assuming the majority of Monero miners merge-mine Tari the risk of a re-org like that is really miniscule, but you still have to be able to recover from it imho
11:25 AM <@cjs77> ixside: Nope. You only need one honest archival node (Blackwolfsa - check my math ;) )
11:25 AM <Blackwolfsa> I am. Missing why you need one?
11:26 AM <simian_za> yes even one will be enough to recover...as long as you trust it. So more archival nodes = more trust due to lower likelihood of sybil
11:26 AM <simian_za> attack
11:26 AM <Blackwolfsa> The node that has the longest pow chain should also have the required header and most likely blocks as well
11:26 AM <Blackwolfsa> Some base node had to have assembled that longest chain?
11:27 AM <simian_za> but if it is reorged beyond its Horizon how do we recover?
11:27 AM <Hansie> One does not need to trust the archival node, must just be able to verify everything.
11:27 AM <Hansie> Full sync to archival node
11:27 AM <@cjs77> Do you need to trust it? When you reach your pruning horizon, you'll be able to compare UTXO sets again
11:28 AM <Hansie> Yip, do not trust, verify
11:28 AM <Blackwolfsa> Yes if you go beyond your horizon. But remember for some base node that has not happened
11:29 AM <Blackwolfsa> How else do you get a new longest chain?
11:31 AM <Hansie> How is the UTXO set verified?
11:32 AM <Blackwolfsa> He has to have a valid set of utxo + headers
11:32 AM <Blackwolfsa> Otherwise he can't have a longer chain
11:32 AM <@cjs77> doh - you're right. Sorry -- was doing something else and not thinking clearly
11:35 AM <Hansie> So if a reorg goes past the pruning horizon there is a problem, even though highly unlikely?
11:36 AM <Blackwolfsa> No, you sync to the node which has it
11:36 AM <Blackwolfsa> The only case where we might have an issue is if the node supplying the re org has a horizon of 1
11:37 AM <Blackwolfsa> In that case I am in favor of ignoring the reorg. That just smells fishy
11:38 AM <Hansie> Hence cjs77 suggestion of "allows users to select "safe" (10,000), "med" (5,000), "small" (2,500) "
11:38 AM <Blackwolfsa> Yes
11:38 AM <Blackwolfsa> But nothing stop that node from making his 1
11:39 AM <Hansie> So can we assume/fix in the code that if a node is unable to provide the small set that node can never have the longest chain?
11:41 AM <Blackwolfsa> Yes, if he can't prove he has the longest chain, then he doesn't have it
11:42 AM <Hansie> Meaning at least  full blocks for the last 2500 blocks?
11:43 AM <@cjs77> An horizon of 1?
11:44 AM <@cjs77> That's node won't sync anyone though, so why worry?
11:44 AM <Blackwolfsa> It's if he has the longest chain
11:44 AM <@cjs77> The horizon is the # of blocks you track without pruning
11:45 AM <Blackwolfsa> I am thinking in the lines of if some node can't supply you of a valid chain, meaning log enough for your horizon, then you ignore it ans go on
11:45 AM <@cjs77> right? So my node with a horizon of 2,500 blocks will either handle the re-org or be in the same boat as that guy
11:45 AM <Blackwolfsa> So your node has a horizon of 2500. Some block with horizon 1 comes along with the correct headers for a chain of longer pow
11:45 AM <Blackwolfsa> What do you do?
11:46 AM <Blackwolfsa> He can only supply you with one node? This seems to me a vector for attack and he should just be ignored
11:46 AM <@cjs77> You mean supply me with one block?
11:47 AM <ixside> Why would a node have a horizon of 1? 
11:47 AM <Blackwolfsa> That's my point, if he has a horizon that small, he is most likely an attacker
11:48 AM <@cjs77> If the reorg is beyond my pruning horizon, the RFC says I must get blocks from a node with  longer horizon or an archoval node (infinite horizon), so by that logic, yes, I ignore the node with horizon 1
11:48 AM <@cjs77> That makes sense to me, unless I'm missing something
11:49 AM <Blackwolfsa> Yes
11:49 AM <@cjs77> So I'd also ignore a node with a 2,499 block horizon
11:49 AM <Hansie> So logically a reorg cannot be promoted by any node if the full blocks for the impacted portion of the blockchain cannot be provided?
11:49 AM <@cjs77> ^ yes