FMA: Interop Transaction Handling #249
Conversation
axelKingsley
force-pushed
the
fma-interopTx-filters
branch
from
ce0c767 to
6d90225
Compare
|
The framing of two extremes is a great introduction to this topic |
|
Is there any consideration with the batcher? Did we add some new interop specific config? |
|
There could be a failure mode of disk growth given we have to index a lot of data. The solution seems to be pruning, which we will know the depth at which we can prune once we get the final expiry window |
|
Another more esoteric option for checks: |
| - We should deploy at least one "Utility Supervisor" to respond to Checks from `proxyd` instances. | ||
| The size and quantitiy of the Supervisor(s) could be scaled if needed. (Note: A Supervisor also requires Nodes | ||
| of each network to function) | ||
| ## FM3b: Transaction Volume causes DOS Failures of Supervisor |
There was a problem hiding this comment.
Something to call out here, that's different in ingress than tx-pool usage (*) is that transactions can declare a very very long access-list that they cannot actually afford to include. Since the gas-limit vs gas-used and sender balance are not checked yet.
Two possible solutions:
- rate-limit the access-list checks. E.g. configure a burst (= per tx access-list size limit) and a rate (= total load on supervisor) that may be checked.
- do balance/nonce check before access-list check, in ingress.
Option 1 may be sufficient, if the rate is reasonable, even if txs do not pay. This largely depends on supervisor performance. On the bright side, these checks should be relatively quick (binary search a flat DB) and can run in parallel (different proxyd RPC handler routines, different supervisor RPC handler routines).
Option 2 here is going to add load to EL nodes, and thus less favorable from a DoS perspective. And it's easy to get out of sync (since you would need to look at the pending nonce, not the latest state, and either may lag behind on a verifier node).
There was a problem hiding this comment.
Regarding Option 2 getting out of sync: the EL Nodes could do all this checking through an API, right? We could make checkInterop an API of Geth, which does the balance checks and then calls the Supervisor if needed. Then we can manage just one checking implementation, in geth.
There was a problem hiding this comment.
And, I will add this callout and Action Item to this document, thanks.
@SozinM thanks for this idea! I think this is functionally equivalent to our decision to batch-evaluate these messages on a recurring timer. If the timer happened to match the block building time, you'd achieve the same effect, where transactions get evaluated in anticipation of the next block. Hooking it directly to block number sounds neat, but I wouldn't want to put validation in the way of our block building timing. And I totally agree regarding only validating on block's worth in advance. The nice thing is that we can statically determine if transactions are interop or not, so if there are 100k tx in the pool, we will only need to look over them once to identify the interop ones, and batch-check those (which would be a small subset of all possible tx) |
|
Takeaways from review meeting:
|
No description provided.