This is a significant revision of CHIPs signaling phase: Babylon x Cosmos Hub [Deprecated], which is intended to bring Bitcoin security to the Cosmos Hub with Babylon.
We’ve made a new thread since it is such a significant revision. Refer to the old thread to see prior discussion.
Both of these proposals follow this discussion phase post: Bringing Bitcoin security to the Cosmos Hub with Babylon.
After hearing concerns from the community about the complexity of the previous design and conferring with the Babylon team, we are significantly revising this proposal. The Babylon team has created a CosmWasm contract to enable Bitcoin security. This is installed on chains consuming Bitcoin security from Babylon.
This CosmWasm contract includes a WASM Bitcoin light client, meaning that it does not need an offchain oracle such as Slinky.
How it works
The new integration uses Babylon’s “finality provider” concept. This is a variation on the dual quorum shared security model. The finality providers are effectively a second validator set, whose power comes from staked Bitcoin. They sign off on each block which has been produced by a chain’s main validator set. They protect against forks by refusing to sign two separate blocks at the same height. If a finality provider signs two blocks at the same height, their Bitcoin delegators are slashed.
A client which chooses to take Bitcoin security into account will only accept finalized blocks if they bear the signatures of the finality provider set. Currently this is limited to full nodes, and full nodes can choose not to consider the finality provider signatures if they do not want to. In the future, the Babylon team will work on an IBC client which can incorporate this information.
Cosmos Hub
The Cosmos Hub (if approved by governance) will install the Babylon CosmWasm contract to prove out the integration. The Cosmos Hub is intended to be the second consumer of staked Bitcoin security, after BabylonChain itself. No inflation will be used to pay the Bitcoin delegators and finality providers until another proposal is passed to authorize this. This step is not strictly necessary to enable consumer chains to use Babylon’s Bitcoin staking but will bring attention from the Bitcoin community to the Cosmos Hub as the best place to launch Bitcoin L2s.
Consumer chains
ICS consumer chains who choose to use Babylon’s Bitcoin security will also install the CosmWasm contract. In this configuration, their primary validator set will still be secured by ATOM over ICS, and the finality provider set will exist to add an additional layer of security for clients which choose to use it.
In this scenario, staked ATOM from the Hub will protect the consumer chain against double signing, incorrect execution, and liveness issues. Meanwhile, staked Bitcoin will add an additional high level of security against double signing.
Users of a consumer chain’s full node can verify for themselves that no incorrect execution has taken place, and additionally be protected against double signing by security from both ATOM and BTC. This configuration will provide an very high level of security and may be favored by power users such as exchanges and RPC providers.
Implementation
We are currently working to connect the Cosmos Hub persistent testnet to Babylon’s Euphrates devnet.
Cosmos Hub
Once Gaia v18 with CosmWasm is released, and Babylon is live, we will introduce a governance proposal to upload the Babylon contract to the Cosmos Hub. Once this contract is activated, it will connect to Babylon, and finality providers will be able to begin signing blocks.
No full node or light client of the Hub will need to pay attention to the finality provider’s signatures unless they would like to benefit from the additional security.
ICS Consumer chains
Consumer chains which would like to benefit from Bitcoin security will install Babylon’s CosmWasm contract as well. We may also work to get this integrated into the Spawn tool for new consumer chains launching.
Once they are running the Babylon contract, their first quorum will still be secured by staked ATOM, and Hub validators will run their actual binaries. The Babylon finality provider set will provide an additional layer of security against double signing.
Pros and cons of the two proposed approaches
Old approach (power mixing)
Pros
- Power mixing can smoothly integrate power from many sources (this is why Mesh Security was supposed to use a power mixing model).
- Oracle design can work for any security provider, not just those whose light clients can be implemented in WASM.
- Overall, the approach tended towards a “security aggregation” concept, where the Hub becomes a central security “clearinghouse”.
Cons
- The power mixing module design was somewhat complex and would have been a lot of implementation work.
- Oracle design is heavier to run. It would require each validator to run a client for each security source (such as a Bitcoin full node).
New approach (dual quorum)
Pros
- The finality provider set is optional, and can be used only by clients who desire extra security
- It is impossible for the finality provider set, or the Bitcoin stakers to halt the chain or to cause safety problems
- The integration will primarily be developed and maintained by the Babylon team
- Overall, the approach tends towards a “chain launchpad” concept, where Hub validators provide core security and chain operation services, while additional security from other ecosystems can be layered on top
Cons
- Dual quorum is not as amenable to getting security from many different providers. It’s unclear if “triple quorum” or “quadruple quorum” would make much sense.
- Currently, the extra security provided does not apply to IBC channels, until more work is done to make IBC clients verify finality provider signatures and check finality provider’s stakes on Bitcoin
FAQ
What is the benefit of this feature to the Cosmos Hub?
The primary benefit of this feature is to make the Cosmos Hub an appealing place to launch Bitcoin L2s using the Cosmos SDK, thereby bringing more activity to the platform.
Will this result in more work for validators?
No. The finality provider set is separate from the validator set, and Hub validators will not need to run any additional code.
Can Babylon, the finality providers, or the Bitcoin stakers attack the Hub?
No. The finality provider can only sign blocks that have already been produced by the main validator set, so cannot do anything malicious by themselves.
Can Babylon, the finality providers, or the Bitcoin stakers halt the Hub?
No. If the finality provider set refuses to sign blocks, it will only affect full nodes who have chosen to pay attention to them.
Will this cost the Hub anything?
While it may well be a good idea for the Hub to put inflation towards Bitcoin security at some point, the initial integration will not include this.
If consumer chains are supposed to install the Babylon contract themselves, what is the Hub for?
The finality provider set cannot produce blocks by themselves. A consumer chain’s ATOM staked Hub validator set plays the role of running the code, installing updates, performing computations, and serving the RPC endpoints. The finality providers simply provide a layer of additional security.