Question about the stakepool registery (central point within decentralized network)

Hi

I’m thinking of opening a stakepool now or later, so I’m documenting.

But I have a hard time understanding that in order to start a stakepool, for the shelley decentralized testnet, one of the first thing you need to do according to the guide is … to register at a central point ( https://github.com/cardano-foundation/incentivized-testnet-stakepool-registry )

Few questions:
*Is this supposed to be temporary or is it here to last?
*Is it theoretically possible to start a private pool that will be able to create blocks, without registering to that central point (I think I’ve seen it’s only to be listed within the wallets).
*What is the use of that list in a centralized github, wouldn’t it be as good to have this info inside the blockchain?

Thank’s in avdance,
Pierre.

I cannot comment on the future, but in absence of implementation of a0 parameter (which would help prevent Sybil attacks), I find it a blessing to have a centralised way to prevent someone (consider 1PCT* pools for example - having created 20+ pull requests to create a cartel of pools) to create unlimited amount of stake pools, or some known bad/malicious actors from creating pools.

Yes, you can still register the pool and delegate stake to it without registering the metadata. Yoroi/Daedalus wallets will not allow the delegation, but nothing stops others from doing so. If you’re using accounts, you can use existing delegation scripts already to delegate the account to a pool ID.

I get your view - but personally - I am not sure if it makes sense to store metadata (that will change/be deleted/unrelated to ledger) on the chain - feel strongly against it:

• Note that not everyone is using all the fields of metadata , and it could easily become a target.
• Think about the errors users already make for simple addition of file to github, you dont want their errors to be recorded on chain forever
• Imagine a complexity being discovered that requires a new field to be to the metadata of a pool - would be messy to have such this on blockchain.

Atleast for now - having it on github keeps a good balance of transparency + allows easy means to update.

Having the meta data in the GitHub of the Cardano Foundation is a temporary solution. This extract from the “Design Specification for Delegation and Incentives in Cardano–Shelley” shows the design for the Shelley mainnet.

It can be found here: https://github.com/input-output-hk/cardano-ledger-specs/tree/master/shelley/design-spec on page 30 the following. (Latex format)

4.2 Stake Pool Metadata

The stake pool registration certificate can contain a URL (up to 64 bytes), pointing to a JSON object with the following content:

A Ticker of 3-5 characters, for a compact display of stake pools in a wallet.

A Title/Name of up to 50 characters.

A Short Textual Description

A URL to a homepage with additional information about the pool.

A list of IP addresses and/or DomainNames of public relay nodes that the stake pool operator provides to contribute to the Cardano network.

A set of tags, keywords that can be used to filter stake pools in the wallet UI. For example, a stake pool that gives their rewards to a charity might indicate this by using a “charity” tag. Other tags could specify the geographic location, or whether a pool is running on cloud infrastructure or a physcial server owned by the pool operator.

All characters in the metadata will be UTF8 encoded. The metadata is restricted to have a size of no more than 512 bytes.

The stake pool operators are responsible for serving this data at the URL provided in the stake pool registration certificate. However, wallets will not retrieve the data for each stake pool at those individual URLs. Not only would that be inefficient, it would also allow malicious actors to intentionally slow down all wallets by intentionally delaying the response of their server. Instead, metadata will be cached on metadata proxy servers.

Those proxy servers will query the metadata URLs in the stake pool registration certificates, and cache the metadata, with the pool’s sks as key. Invalidating the cache will be triggered when the content hash listed in the certificate does not match the content hash of the cached metadata. The wallet will then retrieve the metadata for pools it needs to display from one of the proxy servers, instead of having to send a request to each of the pool’s metadata URLs.

Those servers are simple, and in particular, they require relatively little trust: because of the content hash, someone running a proxy server can not display forged metadata. The worst thing they can do is filter the list of stake pools.

In order to avoid those proxy servers to become a point of centralisation of the system, we will encourage third parties (stake pools, people in the community) to run metadata proxy servers, and provide code and binaries for the proxies. Wallets should be configurable to query a number of those proxy servers.

Another function that the metadata proxy servers provide is filtering malicious entries: it is possible to embed a variety of malicious content in the metadata, and in particular via the link to the stake pool’s homepage. Should it become known that a particular pool hosts dangerous or illegal content15, maintainers of a metadata proxy can filter that entry and not provide it to wallets. This is an advantage over writing the metadata directly to the chain, in which case there would be no way to protect wallet users from visiting malicious sites directly from their wallet.

4.3 Display of Stake Pools in the Wallet

The wallet software will maintain a set of all the active stake pools. For each, it will perform a lookup of the contained sks to retrieve the corresponding metadata to display to the user.

In order for stakeholders to be able to delegate their stake to a pool, the wallet will provide a listing of stake pools, in a section of the UI called the delegation centre. In order to make it easy for users to do a rational choice when delegating, this listing will be ordered by the rewards that the user should expect from delegating to each pool. In particular, we use the non-myopic pool member rewards, Equation (3) in Section 5.6.1. Since this ordering depends not only on the costs and margin set by the stake pool operator, but also on the performance of the pool and on the amount of stake that it already has accumulated, this will promote pools that are reliable, have not yet reached saturation, and have a low cost and margin. In other words, the users selfish interest to pick a stake pool that is promising large rewards is aligned with the goal of placing the system in the hands of a number of reliable stake pool operators, and of avoiding centralisation. The influence of the stake pool operator’s pledge on the rewards provides protection against a Sybil attack on the stake pool level (Section 2.2.1).

When calculating the expected rewards, the wallet will use the best data available:

• The cost, margin, and pledged stake will be taken from the most recent stake pool registra- tion certificate of the pool.

• The performance of the pool will be taken as the moving average, as described in Sec- tion 5.6.5.

• The stake of the pool, and the amount of stake that the owners of the pool contribute (in order to check whether their pledge is honoured) is taken from the current stake distribution (calculated from the current UTxO set and delegation relation on demand when the wallet performs the ordering).

• The member stake t in Equation (3) is taken to be the stake that the user is about to delegate.For listings outside of the wallet, for informational purposes of which pools are generally desirable, we can instead divide off the factor t in Equation (3)16 and get the reward per stake delegated to a pool, assuming that the delegated stake is small enough to not push the pool over the saturation threshold.When the wallet is running and the user has delegated to a stake pool, the wallet should monitor the non-myopic rewards regularly. Should the stake pool become less favourable (by missing blocks, or even becoming inactive, or by changing its cost/margin), the wallet should notify the user, and ask them to consider changing their delegation.We had considered adding some jittering to the ordered list of stake pools, in order to prevent a situation where a slight difference in the expected rewards would lead to stakeholders all delegating to the same, slightly more preferable, pool. We decided against this, since

• Our incentive structure will have stake pools saturating anyway.

• Randomising the order of display makes it more difficult for stake pool operators to behave rationally when setting their cost and margin.

That’s quite reassuring then.

In order to avoid those proxy servers to become a point of centralisation of the system, we will encourage third parties (stake pools, people in the community) to run metadata proxy servers, and provide code and binaries for the proxies. Wallets should be configurable to query a number of those proxy servers.

Ok I get that. That’s not ideal, but that’s better than nothing.

I find it a blessing to have a centralised way to prevent someone (consider 1PCT* pools for example - having created 20+ pull requests to create a cartel of pools) to create unlimited amount of stake pools, or some known bad/malicious actors from creating pools.

Well if the security of the chain relies on that, that’s not reassuring though. PoW and PoS are supposed to be ways to avoid Sybill in the first place, not needing a central point. Now of course in case of PoS with delegation, if users blindly delegate to any pool (without knowing at least slightly the maintainer), then it kinda voids the point, because someone may open as many pool as he wants trusting that some random users will delegate to it. Anyway I hardly see how in practice the maintainers of the GitHub list may find out if 20+ pools in their list are controlled by the same person while disguised as belonging to different people.

But I guess there’s more since the doc says " The influence of the stake pool operator’s pledge on the rewards provides protection against a Sybil attack on the stake pool level (Section 2.2.1)." The 2.2.1 section says “It is conceivable that an adversary might try to take over the network by registering a large number of stake pools, hoping to accumulate enough stake to mount an attack just by people randomly delegating to them.This Sybil attack on the level of stake pools should be made infeasible, by requiring stake pool operators to allocate a finite resource to each individual pool they register. In particular, this resource cannot be the cost of operating a node, since it is possible to run multiple pools with one node, so that cost would be constant in the number of pools an adversary is registering.” But it does not precise what solution is or will be chosen.

At first sight I would think that it would be a good thing to force pools to have a minimum percentage of stake that is not delegated but that they own directly.

For this part of your response , I think you missed the first sentence of my response (in italics) stating “in absence of implementation of a0 parameter” . This exactly addresses the concern you talk about - but isnt live on testnet yet, hope that clarifies

Ok thank’s for you answers!