Drafting Requirements/considerations for any HF mechanism
HF signalling
On-chain or off-chain
HF pre-release for nodes to participate in the HF
Upgrade monitoring period/ HF activation
60% of the stake should upgrade to proceed with the HF
Able to abort fork if stake percentage not reached and continue with the previous version or a manual emergency HF
New version
Change in protocol and/or major transaction version number. This may impacts zkApps (backwards compatibility) and other applications that consume blockchain state.
State transition
Ledger transition (in the case account field changes or hash function changes) should be automated and performed by nodes during the upgrade
Blockchain state transition at fork point is performed by nodes during the upgrade.
Continue the chain by recursively proving block at the fork point. Until this is possible, all nodes should produce the same genesis block.
Berkeley HF did not recursively prove at the fork point.
Snarking all staged transactions at the fork point i.e., all confirmed transactions should be snarked. Berkeley HF used staged ledger and relied on out-of-snark consensus on the ledger.
Fork point should be finalized as per the consensus algorithm. Ouroboros Samasika finality guaranteed at 290 confirmations. For Berkeley 100 slots (~60 confirmations) were used for finalization.
A tie breaking rule must exist in the event there are forks of the same length as block selected from the canonical chain
Historical state preservation
Archive node migration be completed before the switch. Ideally this should be after HF is activated/confirmed as a result of 60% or more upgraded. Otherwise, there needs to be a mechanism to revert or fail forward in the event nodes don't upgrade.
Testing
Public testnets with the new changes
Ability to disable features with major/critical bugs to ensure rest of the HF features/fixes can be released
Public testing of the upgrade mechanism
Monitoring
Be able to monitor software upgrades before the fork (pre-fork release) and determine upgraded stake
Monitor fill rate post upgrade but before the fork
Protocol level-
Compatibility with previous version
Blocks built from previous version should not be accepted. Blockchain snarks from previous versions should not be verifiable/accepted
Transactions may change and become incompatible
Applied transaction must not be replayable
public/private keys must be compatible
Signatures must be compatible (mainnet and devnet)
Signing apps should remain compatible
zkapp Proofs may become incompatible until a backwards compatibilty for zkApps is added
Account data must remain as is except for any protocol fields that are updated. Also, new fields may be added. Any change in the ledger hash should be transparent and verifiable
Network RPCs may change making it incomaptible with previous version
GraphQL changes- breaking changes? TBD (including any format/serialization changes)
Archive node changes- TBD
CLI changes, Rosetta changes- TBD
Global slot since genesis must be continued from previous version.
Cosnequently locked tokens should continue to vest as per schedule in the previous version
Drafting Requirements/considerations for any HF mechanism
HF signalling
HF pre-release for nodes to participate in the HF
Upgrade monitoring period/ HF activation
New version
State transition
Historical state preservation
Testing
Monitoring
Emergency HF mechanism