Add design doc for smart batching feature #229
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,84 @@ | ||
| # Smart Batching: Design Doc | ||
|
|
||
| | | | | ||
| | ------------------ | -------------------------------------------------- | | ||
| | Author | @jbearer (Espresso Systems) | | ||
| | Created at | 2025-03-25 | | ||
| | Initial Reviewers | Eli Haims, Sam McIngvale | | ||
| | Need Approval From | | | ||
| | Status | In Review | | ||
|
|
||
| ## Purpose | ||
|
|
||
| Enabling plugin logic for application-specific sequencing or batching behavior without the need to fork the derivation pipeline. | ||
|
|
||
| ## Summary | ||
|
|
||
| Enables chains to deploy a contract at the batch inbox address with custom logic for filtering | ||
| batches. The derivation pipeline is modified to ignore batches where the contract reverts. This | ||
| expands the design space for OP stack rollups running the canonical derivation pipeline. | ||
|
|
||
| Example uses: | ||
|
|
||
| - TEE-sequencer: L1 enforces that the rollup sequencer runs in a TEE, which enforces additional sequencing policies: | ||
| - Unichain wants to use a TEE for Flashblocks and verifiable priority ordering. Currently the derivation pipeline cannot check the TEE attestation, so the current implementation is no better than a trusted sequencer. This proposed change would provide an avenue to fix that. It will also be needed for the UVN. | ||
| - The Celo sequencer will run a TEE that first posts its transaction batches to a fast BFT consensus (run by Espresso Network) and only posts batches to the L1 that were already confirmed by this BFT consensus. This allows users and protocols (exchanges, bridges, etc) to obtain rollup soft confirmations (pre-L1 finality) from the fast BFT consensus that are more secure than confirmations coming from a regular centralized sequencer. Other OP stack chains are interested in adding this protective layer as well. | ||
| - L1 directly verifies that the sequenced batches have been confirmed by an external layer (e.g. Espresso) instead of relying on a TEE. | ||
| - Enabling various decentralized sequencing policies, by deploying an inbox contract with logic for determining which sequencer is eligible to post any given batch (similar to [RFP](https://github.com/ethereum-optimism/ecosystem-contributions/issues/63) that Espresso completed for OP Labs) | ||
|
|
||
| ## Problem Statement + Context | ||
|
|
||
| It is desirable for many chains to customize the behavior of the OP stack. This is always possible | ||
| by forking and modifying the derivation pipeline, but it is desirable to be able to run the canonical stack, with custom behavior as plugins. OP stack natively supports customization of certain aspects of the rollup (such as alt-DA layers) but lacks sufficient customizability to deploy new batching and sequencing policies. | ||
|
|
||
| A simple way for rollups to deploy custom batch posting rules without needing to run a fork of | ||
| validators and RPC nodes is to deploy a *batch inbox* contract on L1, which acts as a pre-filter to | ||
| the derivation pipeline, rejecting any batches that don't satisfy the custom rules while | ||
| allowing the derivation pipeline to ingest the remaining batches and execute them as normal. | ||
|
|
||
| Unfortunately, this is not quite possible with the current derivation pipeline. While the inbox | ||
| address can be configured to the address of a contract, the contract cannot stop batches from being ingested by the derivation pipeline, because **the derivation pipeline does not check revert status of transactions**. Thus, even if the contract reverts, the reverting transactions can still end up included in an L1 block, and the derivation pipeline will still parse and execute their calldata or | ||
| blob data. | ||
|
|
||
| ## Proposed Solution | ||
|
There was a problem hiding this comment. Right now its not possible to reconfigure the batch inbox and existing chains generally send to an address with no know private key. Any thoughts on how to handle this?
There was a problem hiding this comment. Hmm so your saying it's not currently possible to do a chain upgrade to change the inbox address? If not we would definitely want to add this ability There was a problem hiding this comment. It is not currently possible for a chain to change its batch inbox. It is hardcoded as part of the chains genesis config There was a problem hiding this comment. Gotcha, I'll work on adding this, thanks |
||
|
|
||
| Modify the L1 derivation stage of the pipeline (`calldata_source` and `blob_data_source`) to fetch receipts for each L1 block they process, and skip any transaction where the `status` field of the receipt is 0 (reverted transactions). | ||
|
|
||
| To support existing chains opting into this feature, we also make it possible for chains to update their inbox address, by adding an owner-only `setBatchInbox` method to the `SystemConfig.sol` contract. Chains can then use the existing mechanisms for updating the `SystemConfig` to change their batch inbox address to that of a smart contract. | ||
|
There was a problem hiding this comment. This will also need to take into account passing the information into the L2 system, so there will likely need to be an UpdateType and the L1 attributes tx calldata will need to include the batch inbox address. Its not ideal to keep bloating the size of the L1 attributes tx but its a clear way to continue to add config and would result in a larger diff to the proof system if we didn't include it in the calldata There was a problem hiding this comment. @tynes adding batchInbox to SystemConfig and making it settable + ingestable via an Update event feels natural, but I'm curious as to the alternative of just updating the config.json and then updating the FaultDisputeGame's prestateHash (which is done for every hardfork already). What are the pros and cons of both approaches? I guess another one I'm curious about is what if we don't even add a SetBatchInbox() function, and just do a SystemConfig contract upgrade to change the value. What happens in such a case, would that upgrade get automatically picked up by the derivation pipeline the same way an UpdateType event would? |
||
|
|
||
| ### Compatibility | ||
|
|
||
| The change is backwards compatible. If the inbox address is not a contract, transactions to it will never revert. Thus the only action necessary to opt in is to deploy a contract and upgrade to change the batch inbox address. | ||
|
|
||
| ### Resource Usage | ||
|
|
||
| The derivation pipeline already fetches transaction receipts in several places (e.g. attributes | ||
|
There was a problem hiding this comment. I believe this may mean that L1 execution will have to happen in the proof system, to recreate the execution in the L1 inbox to create the receipt. We may be able to get around it by unwrapping the receipts from the receipts root in the header if we have a trusted L1 blockhash, but would want to check with @Inphi @ajsutton @clabby to understand the tradeoffs here There was a problem hiding this comment.
This was how I imagined it would work. Is there not already something like this in the proof system, since the derivation pipeline already depends on receipts (e.g. for attributes derivation)? |
||
| derivation) and it caches them when fetched. Thus, adding an additional place where they are fetched does not meaningfully increase the cost of fetching L1 data. | ||
|
|
||
| There may be additional costs related to the deployment and operation of the contract, but that is | ||
| rollup-specific and opt-in. | ||
|
|
||
| ### Single Point of Failure and Multi Client Considerations | ||
|
|
||
|
There was a problem hiding this comment.
There was a problem hiding this comment. Added some brief discussion on this |
||
| This change adds a potential single point of failure in op-node, in which bugs (in the new derivation pipeline logic _or_ in an inbox contract deployed by a particular rollup) could cause batches to be erroneously rejected and thus lead to a liveness fault. Recovery from such a fault could require manual intervention or social consensus (e.g. chain upgrade to fix the bug so that batches can be posted again). It is also very important that the added logic is deterministic, so that all nodes derive the same state. This should be automatic because we are not adding any additional inputs from the external world (transaction receipts are already a derivation input). | ||
|
|
||
| We note that the proposed change ought to be quite small and self-contained, so it should be possible to thoroughly and confidently audit for potential consensus bugs. | ||
|
|
||
| There are no multi-client considerations as the changes are only in op-node, not in op-geth/op-reth. | ||
|
|
||
| ## Alternatives Considered | ||
|
|
||
| - Using alt-DA to implement custom batching rules. It is possible to put custom batch filtering | ||
| logic in a DA implementation; however the `altda_data_source` treats any L1 input data which is not a DA commitment as a normal batch, allowing malicious sequencers/batchers to bypass filtering logic in the DA layer. | ||
|
|
||
| Removing this fallback is another way to implement the desired plugin functionality; but this is undesirable even if it only applies to rollups opting into the new feature, as they may still want the ability to bypass the alt DA layer for liveness purposes. | ||
|
|
||
|
|
||
| ## Risks & Uncertainties | ||
|
|
||
| Introducing an additional filtering stage to the pipeline could incur liveness risks depending on | ||
| the custom logic being deployed. This is rollup-specific and opt-in. | ||
|
|
||
| Note that *regardless* of the custom logic deployed, this feature does not incur any additional risk | ||
| of safety violations, double spends, etc. as the only change in op-node itself is an additional way | ||
| a batch can be skipped over. There is no additional or modified code path for accepting a batch or changing how batches are interpreted and executed. | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What does "confirmed" mean here? Are you talking about EspressoDA here or something else? Because one thing we are currently looking at for EigenDA is to verify a certificate of availability in the batcher inbox.