The ideal scenario is that fraud never happens. In the event that it does however, Nomad has a built-in mechanism via the optimistic timeout period to prevent it. Once fraud has been prevented, the system will need to be recovered and set back into normal operations. This section covers that process from a high level.

Post-fraud, the state on-chain is as follows:

• The Home where fraud was flagged is in the FAILED state. This means that the Home can no longer accept new Updates.

• Replicas are un-enrolled in the xAppConnectionManager for all xApps. Replicas CAN accept new Updates, but message processing is paused for all xApps.

How does Nomad Recover?

When Fraud has occurred, there are three main categories of action that must be taken to recover the channel:

1. Block Further Fraud

2. Erase Past Fraud

3. Restore the Channel

Block Further Fraud

Fraud being detected implies that Updater is either malicious, compromised, or (unfortunately) the victim of a large re-org on the origin chain. In any case, the Updater must be removed from their position of power, in order to prevent them from submitting any further fraudulent Updates in the future.

Home

• The Home is in a FAILED state, and the fraudulent Updater can no longer submit any Updates

• Therefore, further Fraud from this Updater is automatically blocked

Replica

• The Updater can keep submitting Updates indefinitely while they still hold the Updater role

• In order to block ongoing fraud attempts from a malicious Updater, they must be un-seated from their privileged role

• This must be done before attempting to erase past fraud; otherwise, there is no definitive cap on the amount of fraudulent state that must be erased

Erase Past Fraud

Home

• By definition, fraudulent roots cannot be stored on the Home — data availability on the home guarantees that it will be detected by the smart contract and automatically prevented

  • Therefore, “erasing fraud” is irrelevant within the context of the Home

Replica

• Fraudulent roots CAN be submitted to the Replica at any time

• As long as a fraudulent root is set in the confirmAt mapping on the Replica, it is or will soon be possible to attempt to prove messages against it

• Once the Updater has been un-seated from their role, they can no longer continue to submit fraudulent updates

• Therefore, there is a finite number of fraudulent roots from that Updater which can be present on the Replica

• In order to restore the integrity of the Replica, Nomad governance must erase fraudulent Updates from all Replicas affected

• When this is done, the state on the Replica will once again appropriately reflect the state of the Home

• At this point, processing messages from the Replica is once again safe

Restore the Channel

Once the attempted damage done by a fraudulent Updater has been mitigated, it is safe to allow the system to continue operating. In order to do so, we must rotate the Updater role to a new key, with which the system can have a renewed sense of (optimistic) trust.

Home

• We must rotate the Updater role to a new, un-compromised public key

• We must transition the Home contract state from FAILED to ACTIVE

• This will allow the Home contract to begin to accept Updates from the new Updater, such that the channel can continue operating as normal

Replica

• Applications must re-enroll the Replica on their xAppConnectionManager contract

• This will allow processing of messages for the xApp to resume as usual