ConanMishler
commented
1 year ago @shrnkld Technically, @synechist 's comments (included in this issue) about the need for multiple UTXO plugin adapters to serve as the backend for XLite/cc-daemon have not yet been addressed. For the moment, we need to build a consensus mechanism into cc-daemon's access to utxo-plugin nodes to address this issue. Later on, XRouter-JS/GO will do the consensus. We should probably make another ticket for building a consensus mechanism into cc-daemon's access to utxo-plugin nodes.
shrnkld
Adding recent convo relevant to this issue:
Question for @Arlyn Culwick π : As we are looking to move the back end of XLite over to the Blocknet network, thereby eliminating dependency on CloudChains, a concern comes to my mind. Consider the scenario where only one SNode is providing XRouter/XBridge support for a particular chain (e.g. LBC). If one SNode provides XRouter support for LBC, then XLite should be able to support LBC. However, if that same SNode is the only one providing XBridge support for LBC then it seems there could be a security risk when someone trades LBC from XLite. This concern is based on my understanding of the security system of the atomic swap protocol. Afaiu, in the atomic swap protocol, the accuracy of the LBC blockchain data would normally be verified twice - once on the local copy of the blockchain, and once by the SNode providing XBridge support for that same blockchain. But if LBC is traded from XLite and XLite retrieves its "backend" LBC data from the single SNode on the Blocknet network which supports LBC, then the "local" verification of LBC blockchain ends up coming from the same SNode verifying the LBC blockchain data via XBridge protocol on the SNode. I don't know if I explained that well, but hopefully you get the idea.
Arlyn Culwick π β Yesterday at 5:13 AM Yeah this looks like it's asking for trouble IMO. XRouter is designed for proofs over the largest response set a user can pay for, so using only 1 node is bad in principle. (It's worse than trusting, say, Infura, because nodes are pseudonymous entities on a public network.) LBC node: lies yes Alice has broadcast her bail-in tx User: sweet, here's my bail-in tx then. Alice: surprise! I'm the snode. Your funds are spent to my address. There was never a bail-in tx. Bye.
Conanπ β Yesterday at 5:39 AM Thanks for the reply. So whatβs the solution? XLite requires consensus of N LBC nodes before it supports LBC? Arlyn Culwick π β Yesterday at 5:40 AM Yeah. Maybe >5? Also, it shouldn't request proof data from the snode it's using for the swap. Filter by IP.