CIP: Relayer Incentivisation Middleware

Celestia Improvement Proposals (CIPs)
6

Here is my attempt at applying a more exhaustive security considerations framework to Relayer Incentivization Middleware (RIM).

Battle Tested

Chain RIM
Cosmos Hub No
DYDX No
Noble No
Osmosis No

A more exhaustive list sourced from Numia data of chains that do have RIM enabled:

  1. cheqd/cheqd-node
  2. archway-network/archway
  3. cosmic-horizon/QWOYN
  4. CosmosContracts/juno
  5. EmpowerPlastic/empowerchain
  6. sge-network/sge
  7. ChihuahuaChain/chihuahua
  8. oraichain/orai
  9. KYVENetwork/chain
  10. comdex-official/comdex
  11. classic-terra/core
  12. desmos-labs/desmos
  13. lum-network/chain
  14. persistenceOne/persistenceCore
  15. crypto-org-chain/chain-main
  16. xpladev/xpla
  17. regen-network/regen-ledger
  18. notional-labs/dig
  19. rizon-world/rizon
  20. JackalLabs/canine-chain
  21. noislabs/noisd
  22. TERITORI/teritori-chain
  23. scrtlabs/SecretNetwork
  24. White-Whale-Defi-P…/migaloo-chain
  25. Team-Kujira/core
  26. crypto-org-chain/cronos
  27. nymtech/nyxd
  28. ixofoundation/ixo-blockchain
  29. Source-Protocol-Co…/source
  30. terra-money/core
  31. UnUniFi/chain

Blast radius

Based on CIP-12 it seems like a scenario could result in the inability for a relayer to collect fees:

In the event that the counterparty chain itself incorrectly sends the forward relayer address, this will cause relayers to not collect fees on source chain for relaying packets.

I’m wondering if there are other scenarios worth considering:

  • Could RIM cause a chain halt?
  • Could RIM result in a loss of user funds?
  • Could RIM result in a loss of relayer funds?
  • Could RIM degrade IBC channel performance or cause channel closures?

Audit history

RIM hasn’t been audited. A TLA+ spec for RIM exists at informalsystems/ics29-fee-tla.

Complexity

The RIM implementation is in the cosmos/ibc-go repo. It spans:

  • 50 Go files for implementation + tests + types
  • 24 Go files for implementation
  • 3282 Go lines for implementation

Note: file / line count is an extremely crude proxy for complexity.

Demand

The specification is implemented as a middleware that is added to both ends of an IBC channel.

I infer this to mean that RIM can’t be used for an incentivized channel until both chains adopt RIM. Based on map of zones it looks like the top 5 IBC peers for Celestia based on total IBC volume are:

  1. Osmosis
  2. Neutron
  3. Stride
  4. Dymension Hub
  5. Injective

and a crude analysis of if they have RIM enabled:

Chain RIM enabled
Osmosis No
Neutron No
Stride No
Dymension Hub No
Injective ? (I can’t find source code)

Conclusion

I’m in favor of adopting RIM but I don’t think it needs to occur in the Lemongrass hardfork.

If we delay adopting RIM until a subsequent hard-fork (TBD on when that is) we can use the interim time to fundraise an audit of RIM. Delaying Celestia’s adoption of RIM would allow more time for it to be used in production on other chains.

3 Likes