Describe a way to protect the exported ledger against dishonest update.
Sventimir committed Oct 27, 2023
1 parent b079a9c commit 6b1e886
Showing 1 changed file with 19 additions and 11 deletions.
30 changes: 19 additions & 11 deletions rfcs/0050-genesis-ledger-export.md
Expand Up @@ -74,18 +74,26 @@ genesis ledger.

The generated genesis ledger is prone to malevolent manual
modifications. Beyond containing the hash of the previous ledger, it's
unprotected from tampering with. However, at the moment there is no
mechanism which could improve the situation. The system considers
genesis ledger the initial state of the blockchain, so there is no
previous state it could refer to. Also, because we dump the **staged
ledger**, it is never snarked. It can only be verified manually by end
users, which is cumbersome at best.

Some protection against tampering with the ledger we gain from the
unprotected from tampering with.

One way to improve this is to provide an external program, capable of
computing hash of the ledger as it will be after the config is loaded
into a node. Users will be able to obtain a raw fork config file from
their nodes. Later, given the official config for the new network,
they will be able to run the program against both files and compute
ledger hashes. The reason why this is needed is that the configuration
file will likely contain some manual updates. For instance the genesis
ledger timestamp will need to be updated manually when the start time
of the new network is known. Further changes may concern genesis
constants and other network configuration. All these changes should be
ignored during the hash computation and only the genesis ledger itself
should be taken into consideration. This way a user seeing that the
configuration file is not identical to the one they computed, still
does not contain any changes to the genesis ledger.

Further protection against tampering with the ledger we gain from the
fact that all the nodes must use the same one, or they'll be kicked
out from the network. This protects the ledger from node operators,
but it doesn't exclude the possibility of tampering with it by the
party which will generate the configuration.
out from the network.

## Rationale and alternatives
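
Review bot: The last sentence of the new paragraph does not parse ("This way a user seeing that the configuration file is not identical to the one they computed, still does not contain any changes to the genesis ledger."), because the grammatical subject of "does not contain" is the user rather than the file. Suggest rewording along the lines of "This way a user who sees that the official configuration file differs from the one they exported can still confirm that the genesis ledger itself is unchanged." Separately, the closing paragraph now stops at "kicked out from the network" and no longer says that this check does not cover the party which generates the configuration. If the external hash program is meant to close that gap, the text should say so explicitly; otherwise the caveat is worth keeping.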
