The ideal scenario is that fraud never happens. In the event that it does however, Nomad has a built-in mechanism via the optimistic timeout period to prevent it. Once fraud has been prevented, the system will need to be recovered and set back into normal operations. This section covers that process from a high level.
Post-fraud, the state on-chain is as follows:
- Replicas are un-enrolled in the xAppConnectionManager for all xApps. Replicas CAN accept new Updates, but message processing is paused for all xApps.
When Fraud has occurred, there are three main categories of action that must be taken to recover the channel:
Fraud being detected implies that Updater is either malicious, compromised, or (unfortunately) the victim of a large re-org on the origin chain. In any case, the Updater must be removed from their position of power, in order to prevent them from submitting any further fraudulent Updates in the future.
- The Home is in a
FAILEDstate, and the fraudulent Updater can no longer submit any Updates
- Therefore, further Fraud from this Updater is automatically blocked
- The Updater can keep submitting Updates indefinitely while they still hold the Updater role
- In order to block ongoing fraud attempts from a malicious Updater, they must be un-seated from their privileged role
- This must be done before attempting to erase past fraud; otherwise, there is no definitive cap on the amount of fraudulent state that must be erased
- By definition, fraudulent roots cannot be stored on the Home — data availability on the home guarantees that it will be detected by the smart contract and automatically prevented
- Therefore, “erasing fraud” is irrelevant within the context of the Home
- Fraudulent roots CAN be submitted to the Replica at any time
- Once the Updater has been un-seated from their role, they can no longer continue to submit fraudulent updates
- Therefore, there is a finite number of fraudulent roots from that Updater which can be present on the Replica
- In order to restore the integrity of the Replica, Nomad governance must erase fraudulent Updates from all Replicas affected
- When this is done, the state on the Replica will once again appropriately reflect the state of the Home
- At this point, processing messages from the Replica is once again safe
Once the attempted damage done by a fraudulent Updater has been mitigated, it is safe to allow the system to continue operating. In order to do so, we must rotate the Updater role to a new key, with which the system can have a renewed sense of (optimistic) trust.
- We must rotate the Updater role to a new, un-compromised public key
- We must transition the Home contract state from
- This will allow the Home contract to begin to accept Updates from the new Updater, such that the channel can continue operating as normal
- Applications must re-enroll the Replica on their xAppConnectionManager contract
- This will allow processing of messages for the xApp to resume as usual