Owners of Munt coins are able to lock their coins into a special address which we will call a "Witness account". The Witness account is assigned a weight based on a carefully picked weighting formula (see `witnessutil.cpp`).
There are various restrictions/properties here to be aware of:
- Lock period can be anywhere between 1 month and 3 years; approximated as 30 and 1095 days
  - A lower limit is desirable to prevent attackers from creating accounts with really short lock periods to perform an attack
  - An upper limit is required to prevent attackers from creating high weight accounts via really long lock periods but with very few coins; e.g. 100 coins for 5000 millennia
- A minimum amount of 5000 coins and a minimum weight of 10000 is imposed
  - From a technical perspective this is to protect against "DoS" of the system via creation of tens of thousands of tiny accounts that bog down calculations
  - From a usability perspective it's also to protect users from having a poor experience; e.g. prevent them from locking coins for three years but have no hope of ever earning anything and then being upset about this
- Weight formula is non-linear (see `witnessutil.cpp`):
  - `x` coins for `y` period always have a higher weight than 2 accounts of `x/2` coins for `y` period, which have a higher weight than 3 accounts of `x/3` coins for `y` period, etc.
  - `x` coins for `y` period always has more than double the weight of `x` coins for `y/2` period
  - This incentivises/rewards users who place their funds in a single large account and disincentivizes/punishes those who place their funds in multiple smaller ones
How these accounts then participate in adding new blocks to the chain and securing the network.
I. Eligible witness pool
A pool of all valid witness accounts is calculated from the blockchain by every node on the network and updated with every new block; from this a smaller pool of eligible witnesses is calculated (see `witnessvalidation.cpp`).
A witness is eligible if:
- The lock period on their address has not expired
- Their address has not had any activity in the last 100 blocks; there is a cooldown period of 100 blocks after every action
- Their address has not gone longer than a certain time period without performing a witness action; this period is calculated statistically for each address based on its weight in relation to the network weight
  - An address in this state must pay a small fee and wait a further 100 blocks to re-enter the pool
  - This incentivises witnesses to ensure their nodes are online, in good state and that they don't miss their turn; it also makes things harder for an attacker.
II. PoW Mining
When a miner mines a new block the hash of the resulting block is deterministically used as the seed for a “roulette” selection algorithm to pick a single witness from the pool of eligible witnesses (see `witnessvalidation.cpp`).
Important things:
- This is deterministic and there is only one witness for a unique block
- There is no way to know in advance who will be the witness of a block, or for the miner to manipulate the block data to favour a specific witness; only at the exact moment of finding a valid block is the hash formed and the witness then selected and set in stone
- If the witness for a block is not online then miners will mine competing blocks and when one of those is witnessed the unwitnessed block will be orphaned.
- The formula that selects the witness reduces any single account that holds more than 1% of the network weight to 1% at most, so no account ever holds more than a 1% chance of being selected (see `witnessvalidation.cpp`).
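The selection described above, as an added sketch that is not the project's code from `witnessvalidation.cpp`. The `Witness` record, the function names, the 64-bit `seed` standing in for the block hash and the way the 1% cap is iterated are all assumptions made for illustration.

```cpp
#include <algorithm>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical record for one eligible witness account (not the project's type).
struct Witness {
    std::string id;
    uint64_t weight;  // raw weight derived from lock amount and period
};

// Assumption: the cap is re-applied until it equals 1% of the capped total,
// so that a capped account's selection chance is at most 1%.
uint64_t WeightCap(const std::vector<Witness>& pool) {
    uint64_t total = 0;
    for (const auto& w : pool) total += w.weight;
    for (;;) {
        uint64_t cap = std::max<uint64_t>(total / 100, 1);
        uint64_t capped = 0;
        for (const auto& w : pool) capped += std::min(w.weight, cap);
        if (capped == total) return cap;  // fixed point reached
        total = capped;
    }
}

// Deterministic roulette: the same seed and pool always give the same witness.
// `seed` stands in for a number derived from the block hash (assumption).
// Returns the index of the selected witness, or -1 for an empty pool.
int SelectWitness(const std::vector<Witness>& pool, uint64_t seed) {
    const uint64_t cap = WeightCap(pool);
    uint64_t total = 0;
    for (const auto& w : pool) total += std::min(w.weight, cap);
    if (total == 0) return -1;
    uint64_t ticket = seed % total;  // position on the wheel
    for (size_t i = 0; i < pool.size(); ++i) {
        uint64_t slice = std::min(pool[i].weight, cap);
        if (ticket < slice) return static_cast<int>(i);
        ticket -= slice;
    }
    return -1;  // not reached: ticket < total
}

// Constructed sample pool: one oversized account plus 199 equal small ones.
std::vector<Witness> SamplePool() {
    std::vector<Witness> pool{{"whale", 500000}};
    for (int i = 0; i < 199; ++i) pool.push_back({"w" + std::to_string(i), 10000});
    return pool;
}
```

In the sample pool the oversized account holds about 20% of the raw weight but only 20101 of the 2010101 positions on the wheel after capping.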
III. Witnessing
The selected witness adds additional data and metadata to the block and finally signs the block; at this point the block is final (see `witness.cpp`).
More details on important bits:
- Like miners, witnesses are paid a reward for the block they have created and also get to collect the transaction fees of any transactions they have added to the block
- The entire witnessing operation is very quick; i.e. measured in milliseconds not seconds.
- The witness sets a timestamp on the block matching the current block
- Miners set the timestamp when they start mining a block, which is a very long process, so the timestamp is often very different from the actual time the block is found. In contrast the witness timestamp and signing occur within milliseconds of one another, so the witness timestamp is very close to the actual time.
- In a plain PoW system miners have an incentive to lie about the timestamp; by doing so they can manipulate the difficulty adjustment and hope to find a larger quantity of low difficulty blocks quicker, and various other similar tricks. Even very large witnesses only get to witness once or twice a day at most, so have nothing to gain from manipulating time data.
- The witness timestamps provide a quality source of time data; witness time data is used to keep miners honest and in turn miner time data is used to keep witnesses honest. Difficulty adjustment is much more accurate on Munt as a result.
- The witness fills any remaining space in the block with any available transactions that are waiting for block inclusion.
- Any fees from these transactions are paid to the witness
- If the miner left the block empty this just provides more space for the witness to take advantage of. Therefore it's no longer possible for miners to mine empty blocks (DoS) or block certain transactions (censorship), both of these things would now require both witnesses and miners to cooperate which is a much less likely prospect.
- Unlike miners, who can gain a minor performance advantage from mining empty or small blocks (less chance of being orphaned by a competing block), witnesses have no real benefit in not filling their blocks, so are less likely to make empty blocks.
- Transactions will enter the chain faster on average because there are two opportunities for them to be selected: by the miner when he starts mining, and by the witness after the miner is done mining. This allows for a smoother user experience and better network throughput.
- The witness also inserts a compact delta of any changes the block makes to the set of witnesses on the network. This delta allows for an additional fast way for SPV and other nodes to sync with the network (see `validation.cpp`).
IV. Broadcast
The witness then broadcasts the block to the network where it becomes the new chain tip; miners will then start mining the next block on top of the new tip.
Important points:
- A miner who finds block 100 cannot begin mining block 101 immediately because it is not yet witnessed; he (like everyone else) must wait for the witnessed version of 100 before he can start on 101
- This prevents some flaws that regular PoW systems face. The problems with a normal PoW system:
- When a miner finds a block x he gets a head start on mining the next block, block x+1, because other miners do not have block x yet, even if he is honest and broadcasts the block immediately.
- Large dishonest miners can gain further advantage by deliberately and strategically delaying block broadcast to other miners to get a further head start; this is known as "selfish mining"
- It has been shown that what people commonly call a "51% attack" on a regular PoW system and believe requires >50% of the hashrate, can be performed successfully (not always but often) with as little as 33% of the hashrate by taking advantage of selfish mining in a strategic way.
- There is a second effect related to the above where miners that are geographically (in a network sense) near other large miners gain an advantage over the rest of the network, as they get that miner's blocks quicker than others and get a bit of a head start as well
- This can cause hashpower to concentrate towards pools or to central locations (further than it already does due to electricity pricing and other factors)
- The above factors lead to pools finding more blocks than they should for their hashrate and punishes solo miners, which is the reason all PoW coins end up dominated by pools.
- Witnessing negates all of the above flaws and negates all unfair advantages that a pool usually has; as a result Munt has no mining pools but is only solo mined.
Some more details on the security workings.
- A PoW miner can no longer attack the chain (e.g. 51% attack) with just hashrate but requires some witness accounts as well.
- On a PoW chain 51% of the hashrate would give an attacker a 51% chance of controlling (mining) the next block faster than the network; given enough time and patience success is eventually guaranteed.
- On a PoW2 chain 51% of the hashrate and 51% of the network weight gives a 51% chance of mining the next block faster than the network, but this doesn't mean controlling it; to do that the attacker still needs to witness it as well. There is only a 51% chance of being the witness of a block that only had a 51% chance of being mined faster than the network, leaving only a 26% chance of actually finding a block faster than the network.
- To get to a >50% chance 71% witness weight and 71% of mining hashrate is required.
- An attacker can reduce this down to 51% mining/51% witness for a 51% chance again by withholding witness signatures he controls from the competing main chain and only using it for the secret side chain he is constructing, however NB! This is a detectable condition; it is noticeable on the main chain that there is a sudden influx of absent witnesses; the attacker effectively broadcasts his intent to the network ahead of time and it is possible for services to be alerted and take precautions. (Note that we don't currently have services in place for this but it is something that can and will be developed in future and that services can already implement now themselves)
- Due to the cooldown period of 100 blocks, to attack multiple blocks in a row multiple accounts are required, one per block.
- The "1%" rule also plays a role here: to obtain 51% of the network weight, 51 accounts of 1% each are required; larger accounts are not possible
- This means that an attacker must split his funds into multiple accounts
- However this means that he will get less weight in exchange for his funds, because splitting funds into more parts always results in less weight
- This pushes the amount an attacker must spend to get e.g. 51% of the network weight upwards
- An attacker needs all of his accounts to be "eligible" in order to actually use them in an attack, but he faces various difficulties here
- Due to the cooldown period of 100 blocks any of his accounts that have recently witnessed cannot take part in the attack; he must stop witnessing with his accounts at least 100 blocks prior to executing an attack or wait for a period in which none of his accounts are selected for over 100 blocks
- The larger his share of the network weight, the more unlikely it is that a period of 100 blocks in which he is not selected ever occurs
- Selection of his accounts is random until it actually happens, so he cannot predict such a period in advance in order to take advantage of it
- A sudden increase in absent witnesses of large weight again broadcasts that something is up to the network and software/services can take precautions based on this. Currently we do not implement this but it can and will be taken advantage of in future.
- If he stops witnessing for too long his accounts become ineligible due to missing their expected window
- An attacker must perform a difficult juggling act of ensuring all of his accounts are both out of cooldown and not about to expire from being inactive for too long in order to use them as part of an attack, while dealing with the random nature of the network; this is quite a challenge.
- An attacker needs to spend a large amount of capital to actually acquire enough coins to get a large weight to attack the network, and be willing to lock this capital up for multiple months
- Attempting to acquire this many coins can push up the coin price, leading to the attacker paying more for his coins, and possibly not being able to sell them for the same price later when he is done with the attack
- Pushing the price up in turn increases mining hashrate and might prompt more people to witness etc.; again increasing the attacker's costs further
- If the attacker opts for the shortest lock period then his weight per coin is a lot less, so he must spend a lot more to get weight
- If the attacker opts for the longest period he has become a long term 3 year holder of the coin, and attacking the coin becomes a questionable decision at that point.
- Acquiring a large weight and attacking in that way is therefore not a great prospect; the remaining and more likely avenue is for an attacker to only acquire a small percent of the network weight and a much larger percent, e.g. 3000%, of the network hashrate instead
- This circumvents some of the difficulties/costs of acquiring large witness accounts and managing their eligibility, but still requires an investment in the coin and the account
- A very large hashrate in comparison to the network is required to go this route; it's now a 3000% attack instead of a 51% attack. So the network security is still greatly improved over a regular PoW network
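The security notes above say that withheld witness signatures show up on the main chain as a sudden influx of absent witnesses, and that services can watch for this themselves. An added sketch of such a monitor follows; it is not project code, and the `Selection` feed, the 20-selection window and the 30% threshold are assumptions chosen for the constructed data.

```cpp
#include <cstddef>
#include <cstdint>
#include <deque>
#include <vector>

// Hypothetical observation made by a monitoring node. Assumption: selection is
// deterministic from the block hash, so a node that sees an unwitnessed block
// can tell which account was selected and did not sign.
struct Selection {
    uint32_t height;
    uint64_t weight;   // weight of the selected witness account
    bool signedBlock;  // false = the selected witness was absent
};

// Sliding-window monitor over the most recent selections.
struct AbsenceMonitor {
    std::size_t window;     // number of selections per window (illustrative)
    double maxAbsentShare;  // alert threshold on absent weight share
    std::deque<Selection> recent;
    uint64_t total = 0, absent = 0;

    AbsenceMonitor(std::size_t w, double share) : window(w), maxAbsentShare(share) {}

    // Feed one observation; returns true when, over a full window, the share
    // of selected weight that failed to sign exceeds the threshold.
    bool Observe(const Selection& s) {
        recent.push_back(s);
        total += s.weight;
        if (!s.signedBlock) absent += s.weight;
        if (recent.size() > window) {
            total -= recent.front().weight;
            if (!recent.front().signedBlock) absent -= recent.front().weight;
            recent.pop_front();
        }
        return recent.size() == window && total > 0 &&
               static_cast<double>(absent) / total > maxAbsentShare;
    }
};

// Constructed feed: a 1-in-10 background absence rate up to height 40, then
// every second selected witness (a heavier account) stops signing.
std::vector<uint32_t> AlertHeights() {
    AbsenceMonitor mon(20, 0.30);
    std::vector<uint32_t> alerts;
    for (uint32_t h = 1; h <= 60; ++h) {
        bool isAbsent = (h % 10 == 0) || (h > 40 && h % 2 == 0);
        Selection s{h, (isAbsent && h > 40) ? 20000u : 10000u, !isAbsent};
        if (mon.Observe(s)) alerts.push_back(h);
    }
    return alerts;
}
```

Weighting absences by account weight rather than counting them lets the monitor react sooner when the missing witnesses are large accounts, which is the condition the text singles out.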