Voltaire Update: Security-Relevant Changes to CIP-1694

On 6 February 2024, updates focused on strengthening operational security were added to CIP-1694. A new group of security-relevant protocol parameters has been defined, and a change to any parameter in this group must be ratified by all three governance bodies: Delegated Representatives (DReps), Stake Pool Operators (SPOs), and the Constitutional Committee (CC). All other protocol parameter changes require ratification only by the CC and the DReps.

The security-relevant parameters include:

  • Maximum block body size (maxBlockSize)
  • Maximum transaction size (maxTxSize)
  • Maximum block header size (maxBHSize)
  • Maximum serialized asset value size (maxValSize)
  • Governance action deposit (govActionDeposit)
  • Limits on execution units (memory and CPU steps) per block (maxBlockExUnits)
  • Transaction fee per byte, the linear fee coefficient (minFeeA)
  • Fixed per-transaction fee (minFeeB)
  • Minimum Lovelace deposit per byte of serialized UTxO (coinsPerUTxOByte)
  • Minimum fee for referencing scripts (minFeeRefScriptsCoinsPerByte)

If you are wondering who decided which parameters are security-relevant, see what Andre Knispel (IOG) wrote on the pull request:

This list of security-relevant parameters comes from multiple sessions with security researchers where we analyzed how the chain might break if certain parameters were set to bad values. There were some strict criteria for a parameter to be included, one of which being unrecoverability. govActionDeposit is unrecoverable if set too high: set it to a number over the total amount of lovelace in the system and you can never propose a governance action again. Other deposits don’t have this problem, and they don’t affect anyone who isn’t already registered. There are issues with raising these too high, but the change is reversible.

While this may sound unrealistic, the point of the security-relevant parameters is to cover all possible attacks that satisfy these criteria. You only need to trust the SPOs to trust that the chain will not suffer from these attacks, no matter what happens with DReps & the CC. (Source: https://github.com/cardano-foundation/CIPs/pull/622)

Another change affects the Constitutional Committee: going forward, CC members can be identified by a native or Plutus script credential, as DReps already can. Additionally, the Constitutional Committee no longer automatically enters a state of no confidence if its active membership falls below the required minimum; instead, the committee cannot ratify governance actions until the minimum is met again.

3 Likes
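The two security-relevant rules in the post (SPO ratification is needed as soon as a parameter-change action touches the security group, and govActionDeposit above the total lovelace supply is unrecoverable) can be turned into a small pre-submission check. The following is an added example written for this page; it is not code from the post, from CIP-1694, or from IOG. It assumes the parameter names listed above plus "dRepDeposit" as a representative non-security parameter, a 45 billion ADA total supply, constructed "current" values, a constructed 300-byte lower bound for a proposal transaction, and it extends the quoted deposit argument to the minimum fee as its own assumption.

```python
"""Pre-submission sanity checks for a CIP-1694 parameter-change action.

Added example for illustration; not code from the forum post, CIP-1694 or
IOG. Assumptions: parameter names are those listed in the post plus
"dRepDeposit" as a representative non-security parameter; the ratification
rule is the one the post summarises (touching any security-relevant
parameter adds SPO ratification to CC + DRep ratification); the total
lovelace supply is the 45 billion ADA cap; the sample "current" values and
the 300-byte lower bound for a proposal transaction are constructed.
"""
from __future__ import annotations

# Security-relevant parameter group, as listed in the post.
SECURITY_PARAMS: frozenset[str] = frozenset({
    "maxBlockSize", "maxTxSize", "maxBHSize", "maxValSize",
    "govActionDeposit", "maxBlockExUnits", "minFeeA", "minFeeB",
    "coinsPerUTxOByte", "minFeeRefScriptsCoinsPerByte",
})

TOTAL_LOVELACE = 45_000_000_000 * 1_000_000   # 45 billion ADA cap (assumed here)
MIN_PROPOSAL_TX_BYTES = 300                   # constructed lower bound on tx size

# Constructed starting point; values are illustrative, not a live snapshot.
CURRENT_PARAMS: dict[str, int] = {
    "govActionDeposit": 100_000 * 1_000_000,  # 100k ADA
    "dRepDeposit": 500 * 1_000_000,           # 500 ADA (non-security parameter)
    "minFeeA": 44,                            # lovelace per byte
    "minFeeB": 155_381,                       # fixed lovelace per transaction
}


def ratifying_bodies(changes: dict[str, int]) -> frozenset[str]:
    """Return the governance bodies whose ratification the action needs.

    CC and DReps are always required; SPOs are added as soon as any
    parameter in the security-relevant group is touched.
    """
    bodies = {"CC", "DReps"}
    if SECURITY_PARAMS.intersection(changes):
        bodies.add("SPOs")
    return frozenset(bodies)


def unrecoverable_reasons(changes: dict[str, int],
                          current: dict[str, int] = CURRENT_PARAMS) -> list[str]:
    """Return reasons the post-change chain could never propose a fix.

    The govActionDeposit case is the one quoted in the post: a deposit above
    the total supply means no governance action can ever be proposed again.
    Folding the minimum transaction fee into the same bound is this example's
    own extension (an assumption): a proposal also has to be paid for, so if
    deposit plus minimum fee exceed the whole supply, no transaction can
    carry it.
    """
    p = {**current, **changes}
    reasons: list[str] = []
    deposit = p["govActionDeposit"]
    min_fee = p["minFeeB"] + p["minFeeA"] * MIN_PROPOSAL_TX_BYTES
    if deposit > TOTAL_LOVELACE:
        reasons.append(
            f"govActionDeposit ({deposit}) exceeds total supply ({TOTAL_LOVELACE}); "
            "no governance action could ever be proposed again")
    elif deposit + min_fee > TOTAL_LOVELACE:
        reasons.append(
            f"govActionDeposit plus minimum fee ({deposit + min_fee}) exceeds total "
            "supply; no transaction could fund a corrective proposal (assumed check)")
    return reasons


def review(changes: dict[str, int]) -> dict[str, object]:
    """Combine both checks into a single verdict for a proposed change."""
    reasons = unrecoverable_reasons(changes)
    return {
        "bodies": sorted(ratifying_bodies(changes)),
        "unrecoverable": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    samples = {
        "raise dRepDeposit (reversible, CC + DReps only)": {"dRepDeposit": 2_000 * 1_000_000},
        "raise govActionDeposit within supply": {"govActionDeposit": 200_000 * 1_000_000},
        "govActionDeposit above total supply": {"govActionDeposit": TOTAL_LOVELACE + 1},
    }
    for label, change in samples.items():
        print(f"{label}: {review(change)}")
```

Raising dRepDeposit far too high is flagged by neither check, which matches the quoted point that other deposits are recoverable: they only affect new registrations and the change can be voted back down. The fee bound is deliberately conservative (a fixed 300-byte transaction), so it only catches values that are hopeless, not merely expensive.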

Helpful summary - thanks, and great to see that serious thought has been put into threats

2 Likes