Skip to content

Commit f3e7e68

Browse files
carlostomeWhatisRT
andauthored
641-incorporate-feedback-from-the-second-audit (#662)
* Highlight txid * Rename Enact-NewComm to UpdComm * Rename pp Q5e to Q5 * Add security-group parameters to figure * Add reference to definition of Deposits * Clarify that a voter needs to be registered to vote * Combine sec. 8.1-8.3 and emphasize 8.1 more; add clarification about deposit in cert. * Clarify the role of UpdateT in updating parameters * Clarify the threshold of votes --------- Co-authored-by: Andre Knispel <andre.knispel@iohk.io>
1 parent aefe4ca commit f3e7e68

File tree

12 files changed

+78
-44
lines changed

12 files changed

+78
-44
lines changed

src/Ledger/Certs.lagda

Lines changed: 25 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -31,6 +31,7 @@ instance
3131
((quote DepositPurpose , DecEq-DepositPurpose) ∷ [])
3232
\end{code}
3333
\caption{Deposit types}
34+
\label{fig:certs:deposit-types}
3435
\end{figure*}
3536

3637
\begin{figure*}[h!]
@@ -184,9 +185,22 @@ private variable
184185
cc : ℙ Credential
185186
\end{code}
186187

187-
\subsection{Removal of Pointer Addresses, Genesis Delegations and MIR Certificates}
188+
\subsection{Changes Introduced in Conway Era}
188189

189-
In the Conway era, support for pointer addresses, genesis delegations
190+
\subsubsection{Delegation}
191+
192+
Registered credentials can now delegate to a DRep as well as to a
193+
stake pool. This is achieved by giving the \delegate certificate two
194+
optional fields, corresponding to a DRep and stake pool.
195+
196+
Stake can be delegated for voting and block production simultaneously,
197+
since these are two separate features. In fact, preventing this could
198+
weaken the security of the chain, since security relies on high
199+
participation of honest stake holders.
200+
201+
\subsubsection{Removal of Pointer Addresses, Genesis Delegations and MIR Certificates}
202+
203+
Support for pointer addresses, genesis delegations
190204
and MIR certificates is removed. In \DState, this means that the four
191205
fields relating to those features are no longer present, and \DelegEnv
192206
contains none of the fields it used to in the Shelley era.
@@ -198,25 +212,18 @@ stake distribution anymore. Genesis delegations and MIR certificates
198212
have been superceded by the new governance mechanisms, in particular
199213
the \TreasuryWdrl governance action in case of the MIR certificates.
200214

201-
\subsection{Explicit Deposits}
215+
\subsubsection{Explicit Deposits}
202216

203217
Registration and deregistration of staking credentials are now
204218
required to explicitly state the deposit that is being paid or
205-
refunded. This aligns them better with other design decisions such as
206-
having explicit transaction fees and helps make this information
207-
visible to light clients and hardware wallets. While not shown in the
208-
figures, the old certificates without explicit deposits will still be
209-
supported for some time for backwards compatibility.
210-
211-
\subsection{Delegation}
212-
213-
Registered credentials can now delegate to a DRep as well as to a
214-
stake pool. This is achieved by giving the \delegate certificate two
215-
optional fields, corresponding to a DRep and stake pool. Stake can be
216-
delegated for voting and block production simultaneously, since these
217-
are two separate features. In fact, preventing this could weaken the
218-
security of the chain, since security relies on high participation of
219-
honest stake holders.
219+
refunded. This deposit is used for checking correctness of transactions
220+
with certificates. Including the deposit aligns better with other
221+
design decisions such as having explicit transaction fees and helps
222+
make this information visible to light clients and hardware wallets.
223+
224+
While not shown in the figures, the old certificates without explicit
225+
deposits will still be supported for some time for backwards
226+
compatibility.
220227

221228
\subsection{Governance Certificate Rules}
222229

src/Ledger/Enact.lagda

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -128,7 +128,7 @@ data _⊢_⇀⦇_,ENACT⦈_ where
128128
───────────────────────────────────────
129129
⟦ gid , t , e ⟧ᵉ ⊢ s ⇀⦇ NoConfidence ,ENACT⦈ record s { cc = nothing , gid }
130130

131-
Enact-NewComm : let old = maybe proj₁ ∅ (s .cc .proj₁)
131+
Enact-UpdComm : let old = maybe proj₁ ∅ (s .cc .proj₁)
132132
maxTerm = s .pparams .proj₁ .ccMaxTermLength +ᵉ e
133133
in
134134
∀[ term ∈ range new ] term ≤ maxTerm

src/Ledger/Gov.lagda

Lines changed: 5 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -438,13 +438,11 @@ The GOV transition system is now given as the reflexitive-transitive
438438
closure of the system GOV', described in
439439
Figure~\ref{defs:gov-rules}.
440440

441-
For \GOVVote{}, we check that the governance action being voted on
442-
exists and the role is allowed to vote. \canVote{} is defined in
443-
Figure~\ref{fig:ratification-requirements}. Note that there are no
444-
checks on whether the credential is actually associated with the
445-
role. This means that anyone can vote for, e.g., the \CC{} role. However,
446-
during ratification those votes will only carry weight if they are
447-
properly associated with members of the constitutional committee.
441+
For \GOVVote, we check that the governance action being voted on
442+
exists; that the voter's role is allowed to vote (see \canVote{} in
443+
Figure~\ref{fig:ratification-requirements}); and that the voter's
444+
credential is actually associated with their role (see
445+
\isRegistered{} in Figure~\ref{defs:gov-defs}).
448446

449447
For \GOVPropose{}, we check the correctness of the deposit along with some
450448
and some conditions that ensure the action is well-formed and valid;

src/Ledger/GovernanceActions/Properties.agda

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,7 @@ instance
2323
(UpdateCommittee new rem q)
2424
case ¿ ∀[ term ∈ range new ]
2525
term ≤ s .pparams .proj₁ .PParams.ccMaxTermLength +ᵉ' e ¿ of λ where
26-
(yes p) success (-, Enact-NewComm
26+
(yes p) success (-, Enact-UpdComm
2727
(subst (λ x ∀[ term ∈ range new ] term ≤ x) (sym +ᵉ≡+ᵉ') p))
2828
(no ¬p) failure "ENACT failed at ∀[ term ∈ range new ] term ≤ (s .pparams .proj₁ .PParams.ccMaxTermLength +ᵉ e)"
2929
(NewConstitution dh sh) success (-, Enact-NewConst)
@@ -37,7 +37,7 @@ instance
3737
Computational-ENACT .completeness ⟦ _ , t , e ⟧ᵉ s action _ p
3838
with action | p
3939
... | .NoConfidence | Enact-NoConf = refl
40-
... | .UpdateCommittee new rem q | Enact-NewComm p
40+
... | .UpdateCommittee new rem q | Enact-UpdComm p
4141
rewrite dec-yes
4242
(¿ ∀[ term ∈ range new ] term
4343
≤ s .pparams .proj₁ .PParams.ccMaxTermLength +ᵉ' e ¿)

src/Ledger/PDF/ConwayBootstrap.lagda

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,7 @@ be made to the ledger described in this document.
1616
\item Transactions containing a vote other than a \CC vote,
1717
a \SPO vote on a \TriggerHF action or any vote on an \Info
1818
action will be rejected.
19-
\item \Qfour, \Pfive and \Qfivee are set to $0$.
19+
\item \Qfour, \Pfive and \Qfive are set to $0$.
2020
\item An SPO that does not vote is assumed to have voted \abstain.
2121
\end{itemize}
2222

src/Ledger/PParams.lagda

Lines changed: 22 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -76,7 +76,7 @@ record DrepThresholds : Type where
7676

7777
record PoolThresholds : Type where
7878
field
79-
Q1 Q2a Q2b Q4 Q5e : ℚ
79+
Q1 Q2a Q2b Q4 Q5 : ℚ
8080

8181
record PParams : Type where
8282
field
@@ -136,6 +136,11 @@ record PParams : Type where
136136
drepActivity : Epoch
137137
\end{code}
138138
\end{AgdaMultiCode}
139+
\emph{Security group}
140+
141+
\maxBlockSize{} \maxTxSize{} \maxHeaderSize{} \maxValSize{}
142+
\maxBlockExUnits{} \AgdaField{a}{} \AgdaField{b}{}
143+
\minFeeRefScriptCoinsPerByte{} \coinsPerUTxOByte{} \govActionDeposit{}
139144
\caption{Protocol parameter definitions}
140145
\label{fig:protocol-parameter-declarations}
141146
\end{figure*}
@@ -404,7 +409,7 @@ following concepts.
404409
\begin{itemize}
405410
\item \drepThresholds: governance thresholds for \DReps; these are rational numbers
406411
named \Pone, \Ptwoa, \Ptwob, \Pthree, \Pfour, \Pfivea, \Pfiveb, \Pfivec, \Pfived, and \Psix;
407-
\item \poolThresholds: pool-related governance thresholds; these are rational numbers named \Qone, \Qtwoa, \Qtwob, \Qfour and \Qfivee;
412+
\item \poolThresholds: pool-related governance thresholds; these are rational numbers named \Qone, \Qtwoa, \Qtwob, \Qfour and \Qfive;
408413
\item \ccMinSize: minimum constitutional committee size;
409414
\item \ccMaxTermLength: maximum term limit (in epochs) of constitutional committee members;
410415
\item \govActionLifetime: governance action expiration;
@@ -429,10 +434,21 @@ instance
429434
... | yes refl | yes p = ⊥-elim $ m+1+n≢m m $ ×-≡,≡←≡ p .proj₁
430435
\end{code}
431436

432-
Finally, to update parameters we introduce an abstract type. An update
433-
can be applied and it has a set of groups associated with it. An
434-
update is well formed if it has at least one group (i.e. if it updates
435-
something) and if it preserves well-formedness.
437+
Figure~\ref{fig:pp-update-type} defines types and functions to update
438+
parameters. These consist of an abstract type \AgdaField{UpdateT} and
439+
two functions \AgdaField{applyUpdate} and \AgdaField{updateGroups}.
440+
The type \AgdaField{UpdateT} is to be instantiated by a type that
441+
%
442+
\begin{itemize}
443+
\item can be used to update parameters, via the
444+
function~\AgdaField{applyUpdate}
445+
\item can be queried about what parameter groups it updates, via the
446+
function~\AgdaField{updateGroups}
447+
\end{itemize}
448+
%
449+
An element of the type~\AgdaField{UpdateT} is well formed if it
450+
updates at least one group and applying the update preserves
451+
well-formedness.
436452

437453
\begin{figure*}[ht]
438454
\begin{AgdaMultiCode}

src/Ledger/Ratify.lagda

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -50,7 +50,9 @@ in that order.
5050
The symbols mean the following:
5151
\begin{itemize}
5252
\item
53-
\AgdaFunction{vote} x: For an action to pass, the stake associated with the yes votes must exceed the threshold x.
53+
\AgdaFunction{vote} x: For an action to pass, the fraction of stake
54+
associated with yes votes with respect to that associated
55+
with yes and no votes must exceed the threshold x.
5456
\item
5557
\AgdaFunction{─}: The body of governance does not participate in voting.
5658
\item
@@ -151,7 +153,7 @@ threshold pp ccThreshold =
151153
pparamThreshold EconomicGroup = (vote P5b , ─ )
152154
pparamThreshold TechnicalGroup = (vote P5c , ─ )
153155
pparamThreshold GovernanceGroup = (vote P5d , ─ )
154-
pparamThreshold SecurityGroup = (─ , vote Q5e )
156+
pparamThreshold SecurityGroup = (─ , vote Q5 )
155157

156158
P/Q5 : PParamsUpdate → Maybe ℚ × Maybe ℚ
157159
P/Q5 ppu = maxThreshold (mapˢ (proj₁ ∘ pparamThreshold) (updateGroups ppu))

src/Ledger/Transaction.lagda

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -51,8 +51,8 @@ Ingredients of the transaction body introduced in the Conway era are the followi
5151
\begin{itemize}
5252
\item \txvote, the list of votes for goverance actions;
5353
\item \txprop, the list of governance proposals;
54-
\item \txdonation, the treasury donation amount;
55-
\item \curTreasury, the current value of the treasury.
54+
\item \txdonation, amount of \Coin to donate to treasury, e.g., to return money to the treasury after a governance action;
55+
\item \curTreasury, the current value of the treasury. This field serves as a precondition to executing Plutus scripts that access the value of the treasury;
5656
\item \txsize and \txid, the size and hash of the serialized form of the transaction that was included in the block.
5757
\end{itemize}
5858
\end{Conway}

src/Ledger/Utxo.lagda

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -145,7 +145,8 @@ is gone with the new design.
145145

146146
Similar to \ScriptPurpose, \DepositPurpose carries the information
147147
what the deposit is being made for. The deposits are stored in the
148-
\deposits field of \UTxOState. \updateDeposits is responsible for
148+
\deposits field of \UTxOState (the type \Deposits{} is defined in
149+
Figure~\ref{fig:certs:deposit-types}). \updateDeposits is responsible for
149150
updating this map, which is split into \updateCertDeposits and
150151
\updateProposalDeposits, responsible for certificates and proposals
151152
respectively. Both of these functions iterate over the relevant fields

src/ScriptVerification/Lib.agda

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -65,7 +65,7 @@ createEnv s = record { slot = s ; treasury = 0 ;
6565
; Q2a = ½
6666
; Q2b = ½
6767
; Q4 = ½
68-
; Q5e = ½
68+
; Q5 = ½
6969
}
7070
; govActionLifetime = 10 -- unknown
7171
; govActionDeposit = 1000000 -- unknown (set to 1 ada)

0 commit comments

Comments
 (0)