Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Graph Protocol / Workshops / 5 May 2021
Graph Protocol / Workshops / 5 May 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Disputes & Arbitration

Description

Workshop recorded May 5th, 2021.

A

All right, hey everyone, thanks uh for being here uh at the migration workshop for disputes and arbitration. um Today, the agenda is basically they're trying to get everyone mostly indexers up to speed on how disputes and arbitration are going to be working.

A

uh You know in the decentralized network, not just from a protocol economic standpoint, but also from like you know, the sort of uh hands-on tooling that you'll be using to interact with um the disputes mechanism uh and also um you know how arbitration uh will play out.

A

So some of this will be a little bit of review for those that were in the protocol town hall yesterday, so bear with me here, but I just want to do a quick overview of the arbitration charter that we showed uh yesterday, because that's kind of the context for um how a lot of this other stuff is going to play out that you'll be diving into later with the tooling.

A

So let me share my screen. Real quick.

A

Hopefully, all of you guys can see this so one thing I want to emphasize with the arbitration charter. This is the the gip that, um like I said that we went through yesterday, is that this isn't giving the arbitrator any new capabilities right. The capabilities of the arbitrator are sort of defined and you know hard-coded into the smart contracts that are, uh you know in solidity that have already been deployed to the network.

A

This is about establishing norms to actually constrain uh the abilities of the arbitrator and also just add clarity to how they will behave in certain situations that maybe are a little bit difficult to formalize in code, or at least haven't been formalized yet um so, since a lot of this is going to be review for some of you, I'm going to try and move through this pretty quickly.

A

Most of you should know what the arbitrator does at this point, there's effectively two types of disputes that I guess you could say three but query, and in dioxin disputes is what the arbitrator decides. The outcome of um and query disputes have two subtypes. You know one is the single query: attestation, where it's just uh the fisherman disputing an indexer directly and then another is where a fisherman uses two indexers to kind of effectively dispute uh each other.

A

um A big part of you know what felt important to us in writing. This proposal was that indexers felt confident to participate in this kind of early stage of the network um without the fear of being punished for things that are outside their reasonable control or outside of what they could be reasonably expected to do and from like a diligence perspective, and so a big part of that is like we don't expect all indexers to be graph node core developers.

A

um We think that would be bad for decentralization if that was requirement, so the arbitrator has the discretion. You know using this draw outcome mechanism to decide disputes as draws, if there's a reasonable uh uh evidence that it was due to a you know: determinism bug in graph node or some other software- that the kind of core developers have shipped to to indexers. We've seen these in the past.

A

um You know the protocol is still under rapid development. So it's not unreasonable to think that these would come up uh again in the future. Another one here that we mentioned yesterday was double jeopardy. uh Indexers shouldn't be slashable for the same offense twice.

A

uh Unfortunately, today the attestation data structure doesn't have any replay protection, so that means you know for a specific query uh request response pair the indexer can only be slashed once uh and which you know effectively means like a single mistake can't be, you know, can't be compounded. You know by someone just repeatedly uh creating disputes for that mistake.

A

Furthermore, there's going to be a statute of limitations on uh on how long ago a fault may have occurred for an indexer to be disputed, at least according to this proposal. um The reason for that is twofold.

A

One is that attackers very commonly will just exit the protocol immediately, so we didn't want to create any asymmetry between you know, sort of the assumptions that an attacker can expect versus an honest indexer um and then the second is that if there was no statute of limitations, um the longer an indexer participated in the protocol, the more likely there they would be to accumulate some fault.

A

At some point in their past, right and and so like, we don't also want to punish indexers for being long time, honest participants in the protocol by saying that hey you're, just constantly accumulating risk of being slashed for something you did at some point. You know in the past, um so we think the statute of limitations, kind of achieves that uh this proposal has it set at basically two thawing periods, so um 56 epochs mainly to give the arbitrator.

A

You know a nice buffer to still do its job.

A

uh This. This should be pretty straightforward, but disputes can't be decided as a in anyone's favor if the data isn't available to uh look at the dispute, so hopefully we'll get to some of this in the tooling. But you know if uh I so. As you know, the attestation structure just has like the content hash of a query in it right. It doesn't have the entire query body itself that wouldn't really be practical to store on chain or emit in a solidity event.

A

So the dispute mechanism kind of relies on the fact that these uh query uh requests are posted to ipfs so that the arbitrator can actually find. uh uh Can find the query you know when it's time to to settle dispute.

A

um Furthermore, this is kind of the case for a lot of parts of the protocol, but the sub graph has to be available right if the subgraph uh manifest and mappings and schema aren't available on ipfs, then again, the arbitrator can't really recreate the work of the query to decide whether the the work was done correctly or not.

A

um This clause is about setting a cap on the amount of times that an indexer can be slashed for queries during an allocation, and the reason that this is important is that an indexer only submits one proof of indexing per allocation and thus one uh instance of possible slashing per for that allocation, whereas we fully expect indexers to serve.

A

You know millions of queries per allocation, and so if each of those queries was slashable, uh and even if the slashing percentage was like really small, you know like it could have been like a fraction of a fraction of a percent uh that would still be potentially enough to wipe out. You know an indexer's entire stake in a single allocation.

A

You know due to a determinism bug, for example, uh that you know, let's say for the sake of argument, that the that the arbitrator wasn't aware of um and that we felt would put an undue disincentive for indexers to serve queries, and so we wanted to create some clarity around that there is a sort of bounded downside risk for serving queries during uh during an allocation.

A

This also piggybacks some of the work that rel offers some of the work that rel presented yesterday of separating the slashing percentages and the protocol for indexing aquarium. So today it's just a single parameter across the protocol. uh You know an indexing dispute and a query dispute are punished equally, um but in the future. If that proposal is accepted, then uh we'll be able to parameterize the query uh slashing percentage uh lower than the then the indexing slashing percentage for for this reason.

A

uh Valid proofs of indexing for a given epoch, it's the correct behavior for an indexers to submit a proof of indexing for the first block of the epoch in which they closed an allocation uh right now the closed allocation transaction doesn't have a um an epoch argument or parameter so there's no way to like fail that transaction. If, for some reason, let's say due to blockchain congestion, it actually ends up getting mined during the next epoch.

A

um So for that reason, uh if a proof of indexing is incorrect for the epoch in which an allocation was closed, but it is correct for the previous allocation, then that dispute would be a draw. It's basically sort of a there's, a little grace grace window there in the future. We might uh add that argument to the uh to the closeoutlocation method in the future proposal, uh in which case you know some of this stuff could could be more automated and then the last one.

A

This doesn't really impact the indexers, but this is just more about. The arbitrator is expected to settle disputes in a timely manner in it and it kind of uh defines what that means, um and so the rest of this gip is just rationale, for you know some of the stuff that we just talked through, but uh I guess I'll pause there. Yesterday we didn't get a lot of time for questions. So uh are there any questions specifically on the contents of this charter? uh Zorro slash oliver, I know you had some feedback in the forums.

A

I haven't totally incorporated that in here. Yet is there anything you want to actually discuss with respect to this.

A

Or anyone or anyone else if they have any questions or comments. Hopefully this is super clear.

A

Cool all right: well, if there's no questions there, then I think we can hand it off to ford who will be walking you guys through how to use the indexer agent. uh It looks like we actually do have a question.

A

Is there a role that fishermen and arbitrators should be independent? um There isn't a rule like that in the charter right now and it's impossible to enforce at the protocol level um yeah. I guess I would have to understand the motivation behind the question. If it's that you wouldn't want the the same uh like indexers to be assigned to, uh I I guess your concern is that you don't want a fisherman to basically submit a dispute and then just uh arbitrate themselves.

A

um It's really impossible to enforce that. So there's sort of a degree of uh I guess, trust that the arbitrator has right now. In terms of you know its role, that's been assigned by decentralized governance. So one of the things that the charter sort of does outline is removal of the arbitrator.

A

And so, if the arbitrator is you know a sort of obvious fault of the arbitrator, it would be to settle disputes incorrectly, uh and that would absolutely be ground for removal by you know: decentralized uh governance. In this case the graph council.

A

It looks like zoro was, was muted by martine uh oliver. Did you have anything you wanted to add here.

B

uh Nothing to add, as such um I mean I left my uh some of the feedback in the forum post and um there's certainly some things that I've learned more since uh you shared the entire charter, um a couple of things we can certainly dig into as we review certain uh chapters. So I'm good for now.

A

Cool yeah, thank you uh so yeah. This has been posted to the forum for about a week or so. um Oliver has some great feedback in there that we'll try and incorporate. um So I encourage you guys to take a look at that. Obviously this affects you know indexers quite a bit, so we look forward to uh your feedback and, with that I'll hand it off to ford he'll be walking through uh so the splashing penalty. That's going to be covered in a separate gip.

A

um I actually don't recall off the top of my head. What what the number latest number we've been playing around with it's definitely substantially lower than the indexing slashing percentage. I would guess somewhere around one percent, but I don't think that's finalized. Yet.

A

And yeah and feel free to keep posting questions uh in chat. um We'll move on to forward for now, but we'll have some time for q a at the end, and we can cover this stuff as well. So ford will be talking through the index or agent which is used for, uh among many other things, detecting bad pois from other indexers, so we'll hand off the ford.

C

All right, thanks brandon, um so to start, I'm gonna just um do an overview of how proofs of indexing work, because that's an important uh part of this overall mechanism, so a proof of indexing is a cryptographically strong digest that the graph node uses to prove that has done the work of indexing, a specific subgraph deployment and that it has the correct data for that deployment.

C

um What do I mean by cryptographically strong here? um It is. There is no chance of collisions between different proof of indexing, so they will be unique and it does not leak information. So you cannot use a poi from another indexer to try to derive one for yourself. For example, each poi is specific to a deployment, an indexer address and a block number.

C

So a poi basically declares that you've indexed that specific subgraph to that block, and it also includes your index or address for uniqueness.

C

The information in the poi is exposed by the graph node indexing node graphql endpoint. So you can query that on your infrastructure at any point, and that is what the indexer agent uses to compare against the network pois to try to identify disputes and the poi is important. It must be submitted with an allocation, closed transaction in order for that allocation to be eligible for rewards, and that also makes it eligible to be disputed and potentially slashed.

C

So, in order to use the poi monitoring mechanism that we've added to the indexer agent, you simply need to turn on poi dispute monitoring using the startup argument or using the corresponding environment. Variable.

C

And what the feature does is it monitors pois that have been submitted on the network and it creates reference pois from your indexer and it compares those in order to identify potential disputes.

C

So if the reference pois that it generates, do not match the poi that was submitted on chain it'll flag, that as a potential dispute and then what it does, is it stores those potential disputes in a database table called poi disputes that you can then later reference to submit disputes on chain we've also added a command to the index or cli a disputes get command so that you can view all this all uh allocations that have been flagged as potentials um and I've been running this on my machine, and so I'm just gonna show you guys what the output of some of this might look like.

C

So here's my indexer agent running, you can see a log here that shows that it has monitored a disputable allocations on chain and has found some valid allocations and no potential disputes in that in that run, um and then I'm going to go over here into the index or cli and what I can do is I can call that disputes get command um and list any potential disputes that have been flagged. So you can see here. I have, I think, eight disputes that have been flagged and you can see the information from those allocations.

C

You can see the indexer that had submitted that allocation. You can see the the proof that was submitted with that allocation, um the allocation amount etc.

C

So you can look at this to look at more metadata about the allocations that have been flagged and, for example, one thing that stands out here is: you can see these fe fe fefe proof of indexings that are are clearly not valid and those were test pois that we've submitted on chain on testnet to test this.

C

Of course, you can also go to the database and explore the data and uh just to show you guys um overall numbers, uh I've taken that database table and made a few charts, um and so I've like broken up the allocations that have been submitted on chain overall, um and here are the potential disputes that have been identified.

C

So not too many on test net broken out by deployment, and this kind of just gives you a good overview of what's been going on on testnet and how you can look at this data and then once you've identified potential disputes. The next step would be to look a little bit closer at them identify ones you might want to submit as disputes, and then we have another tool that ariel is going to talk about here for actually submitting those.

C

Disputes um but before we go to rl, do we have any questions about that.

A

I had one question that I'll that I'll be the rubber duck for um so you mentioned uh that the graph node has an endpoint for returning the poi. uh Does that api take the indexer's public key as a argument, or is the indexer agent, the one that's actually computing? The final proof of indexing.

C

Yeah so that endpoint does take the index or address as an argument along with the deployment id and a block identifier and so in normal operation. Your indexer will use your indexer address to create pois and then submit those, but when you're checking against another indexer you'll use their address to create that poi, that's unique to them.

C

um The there's like a base, poi that's stored in the database and then that's combined with the index. Our address the deployment id and block number to create a unique digest.

D

Any other question.

A

Some people are seeing themselves on the uh yeah the test net list yeah. So if there's nothing else, then I guess uh reo. I will take the stage and walk through the submitting of disputes.

D

Yeah um I'll share my screen. um I want to show the the how the dispute process works um related to uh the unchained part. um The first thing that um you need to do is to identify a potential dispute like uh ford show, but then um there's uh a process of submitting that dispute on chain to a contract, so the the visuals are currently managed by a contract called the dispute manager.

D

uh That's deployed in um like with these addresses that you see here in mainnet and rinkeby, and you can check the contract code anytime by looking at if a scan, because it's verified um yeah.

D

This is the implementation I was looking at the proxy, uh so the the first thing you need to do is to to interact with this contract by creating a dispute passing the information related to the allocation id or the query. That is wrong and for doing that, you can use uh any tool because the contract is open and it's out there and you can use remix. You can use etherscan, but we created a tool to do that easily a cli tool.

D

um The first things you probably want to know are some relevant network parameters. um The dispute process works by doing a slashing on the indexers and the the percentage of um of the stake that would be slashed can be checked in this url.

D

If you go to network um you'll, see um that variable here, 2.5 and this is set by governance and is stored in the dispute manager contract that I show uh so. This dispute manager, whenever you present a dispute and is resolved by the arbitration, um will talk with this taking contract and will slash based on the indexer stake and this 2.5 percent. Okay.

D

um So that's that's one of the important variables you want you you want to see, then there's um a different governance um parameter related to disputes. That is the percentage of the slash that the the the submitter of the dispute we get. So when I, when, um when a dispute is resolved um accepted and the indexer is slashed, 50 of that slash is going to go to the submitter of the of the dispute.

D

That's another value that is set by governance and the last one is the the bond that you need to present as a submitter. uh If you find a dispute- and you want to dispute that and present that in the in the difficult manager you need to deposit uh 10 000 grt, now, okay, so so that's something that you need to to have before um creating a dispute.

D

As I I was saying before, we have a cli uh that you can install, don't do it now, because it's not published, but I will publish the the script after the after this meeting and probably um in some hours, but you can install with npm uh it's it's a scripting type script and it will give you like different commands that you can use to interact with the dispute financial contract.

D

uh You will need this, this information, um the the end point to query for trust. uh For for the pois. um This is the one that ford mentioned. um So this script will test. If whatever you are presenting is um valid dispute or not, so we can catch any like issue before submitting to the dispute manager.

D

um You need an ephedium node, because it's going to interact with the contrast. uh You need uh the networks graph url, because it's going to query for allocations and and some information to present on the in the in the script, you will need a private key, so you send the transaction to the field manager contract and you need the funds, uh the 10k. If you are going to dispute, um then this this all the things are configurable.

D

You can use um the uh the environment you want, like you, can use the an ethereum node for mainnet or winkyv and interact with any of these deployed contracts.

D

So the the graph dispute cli provides these commands um a command to list the active disputes and it will show active disputes and and resolve these fields with the details, a show command that you can pass the dispute id and see the details of that particular dispute.

D

Some uh commands to create indexing disputes or query disputes.

D

In these cases, the the parameters um that you need to pass change a bit uh in the case of an indexing dispute, you will pass the allocation id that you find it's um using a bad proof. uh In the case of a query dispute, you will present an attestation that the indexer is going to send you, okay uh as a response, um then you can pass it the deposit that I said like the minimum.

D

The minimum deposit is 10k, but you can you can pass any number about that 10k um and then it also provides some um commands that will be used for arbitration to reject, accept or draw the dispute. um This is this is going to be used by the by the arbitrators to to basically decide what to do with that dispute.

D

um So I'm going to go like a bit about the the different like type of disputes and and what's happening behind, and what what is cli is doing uh to help the the process, um as brandon said that there's an arbitration charter and the arbitrators will look at the charter and decide on what to do with a dispute based on that.

D

um But the speed is going to help to validate things uh before the dispute is submitted, uh to follow the arbitration charter and had the arbitrators, so um port already described what a poi is and the um like. It's related with an allocation id that is, that is closed uh on an epoch.

D

um What you need to do you need to know is that anyone can dispute. uh It's like a public process like anyone can call this create dispute uh function, uh so anyone that is monitoring the network uh can create a dispute on our location id, but there are some conditions um well first, this is the the an example of the how you would call the cli to um to create the transaction that will uh submit the dispute.

D

Okay, in this case, I'm submitting this allocation id with this deposit, and these are all the end points I'm going to use okay.

D

So, when you're creating these uh these disputes, uh there are some things that are enforced by the contract. um You can't you can't create multiple disputes from the same allocation. That's one thing: uh the allocation must exist in the seeking contract. If you pass like a random allocation id, it's not going to work. It's going to revert, the indexer must have some stake.

D

You can't dispute like an indexer that doesn't have any funds or or or doesn't exist basically, and the deposit ban bond should be above the minimum required, so those things are enforced by the contract, but the cra is going to test a number of things to to help the the like to follow the charter.

D

um These things are: um it's not going to let you create a dispute on on on some allocation that was already um slashed uh to to basically follow this double jeopardy uh protection in the charter.

D

It's it's also going to check if the allocation is old and uh the it's it's like um older than the throwing periods in the charter, it's going to like issue a warning, so you don't submit that dispute because basically the arbitrators will reject or draw, um and it's going to check that data availability like it's going to test that the content is there, so the the dispute can be reproduced by the arbitrators okay.

D

So that's! This is the case for for indexing. Rewards. Okay, you don't need many input variables like you need the yellow allocation id, but this is going to test the number of things by quoting the subgraph, putting ipfs for the data and quoting the content. Okay,.

D

Then the other type of dispute is the query. Disputes indexers are responding to queries and it's going to sign attestations based on um the response, and these attestations can be used as a receipt that if the consumer finds the query to be invalid, it can use this attestation to submit a file a dispute. Okay.

D

So in this case we will use instead of create indexing, we'll create query the query dispute and we will pass the bytes this. This is the basically this structure getstation, but in invite format, and this will submit the equity dispute in the in the dispute manager contract. Okay, an additional information that needs to be available is the the actual query that you did and that needs to be available in ipfs, because this whole process is, we need to reproduce the the the dispute, so we can know if it's right or wrong.

D

So this um the request needs to be available in ipfs, so um some conditions enforced by the contract. um Only one dispute with the same data and some meter can be active um if the any of these conditions will revert. If it's not um fulfilled the index might have a available stake and the deposit must be over the minimum required again. In this case, um the the cli will help to enforce the charter by not submitting disputes that are going to be draw by the arbitrator. Okay.

D

uh This would help like not getting like a lot of submissions on things that's going to be drawn, um so it will help the indexers consumers and the arbitration process. um Any questions so far.

A

uh We've had a couple: questions have come up in chat, they're, not specifically related to the tooling. uh Maybe we can look back on those at the end. If you have more to get through here,.

D

Okay, um then uh there's some. This is these are the that I would say two commands that most people will use to file disputes.

D

After doing some analysis, uh probably like going using the the the asian detection and maybe looking at the information manually a bit and and and then the last step would be to use this cli to have reassurance about the the checks the the script is doing and then getting the dispute submitted.

D

I'm not sure if it's obvious, but submitting a dispute means a transaction in the in the blockchain. So you'll need to pay for some gas cost for creating the dispute.

D

um Then uh there are some tools that can be used by anyone. The by the arbitrators and and and anyone wanting to to file a dispute is the this command um again. You need to pass a number of end points that this scripture will use and it's going to list some information about the dispute.

D

So in this case, in this case you see the dispute id that is created in the contract.

D

The type of dispute um this in this case an indexing dispute, is undecided because the arbitrator needs to resolve this dispute. You will see the the addresses of the indexer and the submitter uh the subgraph deployment, um some information about the allocation that this dispute is related.

D

Like you'll see the id when the allocation was created on on the on the block, hash and the actual poi submitted by the indexer, and then the script will do some checks to see if the re reference poi match like in this case, you see like match is false and it falls again.

D

These are two checks because, uh as brandon mentioned, we are checking the the epoch when the allocation was closed and the epoch before that to ensure that we have some time like if some congestion in the network happens, you have more time to to to mine the transaction.

D

um So in this case uh the reference poise doesn't match with the one with this one in this case, there's a lot of leading ceos. It's a bit strange and it's a it's a bad proof, so um the arbitrator can assume that this poi is is really a wrong one and then decide to accept the the dispute. Okay. um But anyone can use this this tool to list the the current um disputes in the contract.

D

um Then the resolution process um can be um the resolution process can can follow like uh with an accept a rejection or a draw.

D

um Accepting a dispute means that the indexer will be slashed, the deposit will be returned to the fisherman and the 50 percent of the of the flash will go to the to the submitter and the rest will and the rest will be burned.

D

The other condition could be to be rejected, and that means that the indexers won't be slashed and the fisherman will lose all the the deposit and the last condition will be a draw where the indexer is not slow is slashed and the fisherman will not um lose the deposit, basically, okay, so that's more than like the neutral one. um One note uh is that the dispute id that I showed here is created within the contract. um It's basically a hash of some fields uh to to avoid duplication of of the of the issues you present.

D

um So you will find the dispute id after you created this property.

D

And I'm thinking I'm covering most of the things um the package is not yet published, but uh we'll publish in the following hours: okay,.

B

um I have a question one from the uh yeah on the resolution structure.

B

um Is it meaningful and and also feasible, to consider an escalating penalty structure on the indexer side that might start at a lower base for a first time offense, but then then escalate escalates progressively, with with more offenses being being recorded.

A

Yeah, I think I think these things types of things are all in the design space. um One thing actually that that relates to is another question that I saw come up uh from state machine which basically asks uh you know. If an indexer knows that he submitted a bad poi, can he open a dispute on itself and minimize splashing effect? In any case, um the reason I think both your questions are related is because it relates to like what are the true penalties for being slashed.

A

So the the simple answer to stake machines question is yes, if you wanted to preemptively slash yourself as the fisherman, then in theory you're, reducing your uh you're, reducing your you know economic penalty for that single incident by 50, with the current parameters when you think of the system as a whole.

A

Another way to look at slashing in disputes is that this is part of your permanent record under this indexers account, and so this is something that's both visible to delegators, but it's also visible to uh consumers.

A

So I don't know how many of you guys were in uh I'm trying to think the last time we did a workshop on indexer selection. It might have been even the test net uh might have been. You know, after the network launch, but the indexer selection algorithm that's run by both the gateway and the uh query engine. It actually takes into account a whole list of factors that it basically applies. Utility functions to so some of those are things like performance. uh You know throughput latency availability, you know, are you always online?

A

uh What's your efficiency with respect to negotiation?

A

Do you accurately advertise prices, um but some of that is also economic, security and reputation, and so uh so to your your point, zorro about compounding um compounding penalties, even if, in the slashing mechanism itself, there's not a compounding penalty, I would say that already today there is a compounding penalty with respect to reputation, because if an indexer is slashed once or twice that can be seen by an index or selection algorithm or a delegator, as you know, an honest mistake, if an indexer is slashed repeatedly, I think it's very likely that you would see delegators start to exit that indexer as well as uh consumers start to deny list that index or completely from receiving query volume.

A

um So that's not to say that there's not more, you could do in the future, but but it's worth noting that some of that I think, already exists. That dynamic already exists today in the protocol.

A

But great great question, um so a few more questions we had that came in uh chat. I think this is a really interesting one. Josh asked um assuming an indexer is acting honestly. What are examples of situations that may result in an indexer being disputed?

A

um There's a couple that I can list off the top of my head and I think ford might be able to elaborate on some more that that we've seen. But you know, one example could be like your ethereum provider or ethereum know that you're running being faulty right so either like you know, right now, the graph node relies on calls to like eth get logs to make sure that it's getting events.

A

You know we've seen cases in the past where either events were missed or uh events were duplicated by the ether by the ethereum, node or ethereum node provider, and so that could be a cause outside of graph node that leads to determinism issues, because you're, basically double processing or missing an event another one that we talked about yesterday. This will be a new kind of case. Is that graph nodes, starting with 1.0 release, is going to adopt december conventions?

A

So the idea is that the protocol, at any given point will have like an official major version of graph node, but that minor versions are meant to be backwards compatible with one another. With respect to you know the proofs of index seen in queries that would be uh produced, so you could imagine like a bug that the core developers introduced where they just accidentally.

A

Don't uh you know they introduce something that doesn't comply with december conventions, so an indexer upgrades to a newer, minor version, thinking hey my proofs of indexing and attestations will be the same when in fact uh you know an inconsistency was introduced. So that would be another one.

A

I think we've seen things in the past with you know, kind of like transient, uh like block, rewards, and uh you know, network events putting the database into inconsistent states um for do you have any other color to add on like past determinism, bugs that we've.

C

Yeah seen mean that's like a good intro, um another big class of things that could lead to a poi, not matching a trusted. Reference is configuration issues.

C

Maybe your index or agent is talking to a mainnet sub graph and getting the incorrect epoch value, and so it submits for the wrong block number or other other small issues like that. That often will lead to the poi being valid, but not lining up with the arbitration charter and being for the correct epoch.

C

So it's definitely becoming more important to be very uh prudent about your versioning of your software um and making sure you're checking everything in your configs, especially on mainnet.

A

Yeah, that's a great point and we've gotten pretty good at I'd, say debugging and root, causing a lot of these determinism uh bugs. I know ford and rdl spent a lot of time actually when, uh when implementing the index or agent cross, checking specifically looking at that last class of determinism uh bugs um so one thing I forgot to, I guess: drill down on the arbitration charter was just what do you do when you see yourself being disputed on shane like what should your next steps be?

A

um The arbitration charter has a placeholder link right now put to a spot in the forums um and that's basically where uh the arbitrator, which today is a multi-sig set to arielle dave and giannis.

A

That's where you know that root cause analysis can happen so like if you were. You know if you believe that you know the proof of indexing was incorrect because you thought the epoch was wrong or uh you know, or you think, there's a determinism bug in the uh you know the graph node or you think there was an issue with your ethereum node provider. That's that's the place where we can share logs. We can you know uh we can kind of investigate. It's meant to be a collaborative process.

A

You know we recognize that the network is still kind of in this bootstrapping early phase, and so the idea is to work with people as much as possible that are trying to behave honestly in the network.

A

I think so alex is asking: will these cases of determinism bugs be settled as a draw or rejected? They will be settled as a draw, because it's also not the fisherman's fault. If uh you know from the fisherman's perspective, they are correct that there isn't inconsistent uh proof of indexing.

B

One one follow-up question to your earlier comment: is there a chance, an indexer might not even know that there's a dispute case being logged against him and all of a sudden, the first time he hears about it is the decision itself.

A

uh Certainly, that's a possibility, I mean being an indexer in the graph is, is much more of an engaged, I would say active activity than being an indexer or excuse me being a validator in, like let's say, like a blockchain network, where you could like spin up a raspberry, pi and like set it and forget it.

A

um So you know we've already seen this with like the subgraph migration, I would say there was like a you know, certain set of indexers that were like ready and saw that the subgraphs were migrating and like took action immediately and we saw other indexers were a little bit slower to respond because they're sort of not actively engaged in the network. um So I'd say at the phase that we're at now it is.

A

It is primarily the indexers responsibility to be active and engaged and make sure that they're, you know participating with the mec the the mechanisms of the protocol responsibly um in the future. There should be a lot more tooling available, so someone already asked in the chat whether there was a way to query the disputes outside of looking at the contracts directly. There is a disputes entity in the network subgraph, which a lot of uh community members have already been built using to build their sort of third-party.

A

uh You know dashboards and network explorers. I fully expect that, as uh you know, as we see more usage of the mechanism, we'll see a lot more of that incorporated into those explorers. um It's also on the roadmap for the some of the web apps products that edge node is working on, uh although it won't be part of the it likely won't, be part of the um the mvp release. That's happening at the end of the the phase. Three uh migration.

A

uh So joseph from figma asks, is it only the query, fees that are slashed and not the indexers deposit? No indexers um indexed or stake is slashed in in the case of disputes.

A

And I believe to your follow-up question: what about rebate pull rewards so all so for the indexer like once rewards, are settled, I believe, they're all part of the same, like pool of funds from the perspective of the protocol. So at the point that once they're in there they're they're slashable, I don't think the part of the rebate pool that goes to like delegators that wouldn't be slashable. For example,.

A

Yes, right now, so someone asked is this over the allocated stake on the specific subgraph today. The way that it works in the mechanism is that it is over the total index or stake. uh I actually just as an aside. I do believe there. There would be there's valid reasons for shifting that to the allocated stake. um That's kind of on my personal backlog of proposals to work on, but today the way that it works in the contracts is that it's the total the total stake owned by the indexer.

A

Any other are you up for? Do you see any other questions we haven't addressed yet.

C

There's one question is uh about whether or not an indexer can can compare their poi with a reference prior to submitting their allocation. Close, that's a good question. It would be prudent to have some extra checks.

C

However, you would need to work with another trusted indexer and use their poi or ask them to compare, because this is not something that I would recommend you expose to other indexers, because um then they'll be able to spoof proof of indexing.

A

Yeah, so sharing your by sharing your proof of indexing with other indexers you're, basically, sharing your reward with other indexers yeah.

C

Exactly um but it's something to think about, and uh I hope that that'll not be necessary as we hone in on determinism and hardening all of our various systems, um but you may want to work with some other trusted indexers to do some validation in these earlier stages.

A

uh One one question that sounds like we might have missed was: how long does it take to resolve a dispute? um So the expectation that's set in the arbitration charter is that the arbitrator should attempt to settle dispute within one bond period. That's kind of logical since an attacker would presumably exit immediately, and then we only have one thawing period to slash them um in practice. That might not always be possible.

A

So this isn't the kind of thing that's gonna like if an arbitrator is not gonna be removed for not always meeting that goal um specifically because the arbitrator needs to be able to recreate the work, uh that's implied in the dispute, and so sometimes that's going to be a quick and easy process. Sometimes that might be a longer process.

A

As I mentioned earlier, the the initial arbitrators uh that are set in the multi-sig are um or are that are part of the arbitrator. Multisig rather are ariel dave and giannis, uh and so uh they're sort of proactively running. You know kind of their indexer to uh basically be in a position where they can reproduce work very quickly. But if a dispute, for example, were to come up for like some subgraph that somehow they're not already indexing, then it might take longer as they you know, index this new subgraph from scratch.

A

To kind of get to the you know, get to the block where that that proof of indexing uh dispute or query dispute um is relevant.

A

Any other questions before we wrap up.

A

I guess I'll close with some some final thoughts on another mechanism. This isn't something we'll have time to go in depth uh on today, but it's something that maybe would be a good topic for a future workshop. It's just the the role of the subgraph oracle and securing the network.

A

So it kind of your last question kind of made me made me think of this, which is just you know what, if um uh someone, what, if the malicious indexer submits a you know, subgraph that's impossible for the arbitrator to index and reproduce the work on or is exceedingly difficult. For. You know some known set of reasons. um So that's the role of the subgraph oracle.

A

um There will be a subgraph oracle charter, uh gip at some point in the future to clarify the processes that that role should take in a way that we similar way that we've done to the arbitrator.

A

The main action that the subgraph of oracle takes, as many of you know, is that they disable indexing rewards on they have the ability to disable indexing rewards on specific subgraphs.

A

um The reason that this ends up acting as a kind of penalty of sorts is that you know if attacker does signal a bunch on a subgraph that, for example, no one can index where no one can reasonably be expected to index, and then they also allocate a bunch on that as a uh as an indexer a they have the opportunity.

A

Cost of you know the index for allocated stake, but then also as the curator they're paying this curation tax, and so when that, um when that uh subgraph gets disabled for indexing rewards effectively, the curation tax that they've paid is is now worthless, and so um part of the role of the the oracle is disabling subgraphs on a short enough time frame to make those sorts of attacks.

A

Unprofitable.

A

uh State machine is asking what about serving bad data for queries. So that's that's the second like big category of disputes that we talked about. uh I think it was the first category that or the second category that rl showed in the tooling, but that's uh the query. Attestation disputes so uh there's a couple different types of those but yeah, absolutely there's a dispute process for those.

B

I do have a couple of thoughts going back to the arbitration charter and considerations to add to the role of arbitrators. One would be a consideration for introducing a postmortem process uh on a dispute following the arbitration decision.

B

um A review of uh you know what is the likelihood of that sort of dispute um to recur in the future, and can there be um introduced mechanisms or protocol improvements to address that gap, and here would be the um arbitrator's role to do sort of like a mini um review of that and then possibly engage the community on ideas.

A

Yeah, I think that's a great idea, I think a really natural place, for that would be. I guess, like the forum thread where, uh where you know the arbitrators intended to engage with the the honest indexer that made a mistake and yeah the final step in that could be to to put some kind of um uh postmortem.

D

But also.

A

Like you know, I, I guess an opinion you know so to speak right of why they uh why they decided the outcome, the way that they did, the other.

B

Thought was the idea of an appeal process, which I don't think I've seen in the arbitration charter, and I don't know if that is something to consider. But the idea would be that an indexer has an opportunity to appeal the decision of the arbitration, um not necessarily based on content but maybe based on process.

A

uh Yeah, so that's a really interesting idea. um One thought I had here that I didn't put into the arbitration charter, because mainly the charter was about non-code changes, but I think it could be interesting to put like a waiting period on this flashing. That's something we could explore in the future so like the arbitrator, makes their decision and the indexers stake at that point.

A

Can't exit the protocol, so it's sort of like frozen, but uh but maybe they're not slashed right away, um and that would actually you know, give the graph council, for example, time to act as in like an appeals body, if you know, for some reason the arbitrator needed to be removed uh if they were making like a string of bad. You know bad decisions, um so I think these are really great suggestions um that could either be worked into either this charter, or you know, just future proposals for improving and hardening the arbitration.

A

Mechanism, do you have any any other thoughts oliver on? I know I think you've posted a couple other things in the forum as well. Yeah.

B

I think most of the uh other items that I've posted on the forum have uh since been addressed by just getting deeper insight into the clutter and also, um as far as I had one comment on the penalty and what levels but ariel walked us through that today as well. So I think you know what I've brought up were the ones that I think are still maybe valid. Ideas to consider everything else, I think is, is addressed.

A

Cool, thank you so josh asked: where did the reference pois come from that the indexers are comparing to um ariel? I I assume he means to the reference ones that showed up in your in your tooling.

A

If I understand the question correctly,.

C

It seems our ale might be frozen, but um hi. I.

A

Thought he was just being stoic.

C

In in rl script you can supply trusted index or endpoint. um A graph node has the. What's we call the index node status, endpoint, that's a graphql endpoint! That includes the proof of index inquiry.

C

um So in the indexer agent monitoring tool. I showed that would query your own infrastructure and compare in ariel's dispute script. You can point that to any graph node that you have access to that. You trust.

A

Cool, so it looks like we're at the top of the hour here. um uh If you guys have any other questions, you know please find us on discord. Performs you kind of know know how to reach us, um but yeah thanks for everyone, for your questions for showing up and uh yeah good luck with the rest of the migration workshops.