This repository was archived by the owner on Jan 24, 2024. It is now read-only.

Bond Management #19

@ben-chain

Bond Management for multi-round disputes

Background and Goals

One important goal for an optimistic dispute game is to provide incentive compatibility -- that is, the ability for an honest player to at least break even on gas while successfully challenging/securing the chain. This generally requires that the initial proposer posts a bond, which can be redeemed by the proposer if there are no challenges, or by a successful (honest) challenger. An additional, perhaps obvious, goal, is that the bond be finite and bounded to a reasonable size.

In the single-round context, this was fairly straightforward to implement -- because there is only one valid challenge for a given assertion, it's easy to require that the proposal is bonded, and that the challenger gets paid out. Here's where the OVM v1 did this.

Problem Statement

In a multi-round context, the problem is a little harder to solve. The core issue is that disputes no longer have a single "honest" outcome; depending on how the malicious proposer interacts/responds to a challenge, there may be multiple outcomes. This is especially true for dispute games in which the players do not commit to the full execution trace (i.e. post a merkle root of all execution steps) up front.

Assume that an initial (malicious) proposer has posted a finite bond which is enough to cover the gas of an initial challenge. While there is only one "correct" challenge that an honest party should post, there are infinitely many possible responses. What we need to do is make sure that only the person who made the "correct" challenge is paid out. Otherwise, an attacker could challenge their own malicious proposal many times and make it unprofitable for the honest challenger.

Intuitions for Solution

These are not very precisely stated, but I think we can safely make the following claims about a bond management system which solves the above goals. Consider a malicious proposer M who has made a malicious claim, and is adopting a strategy whereby they challenge themself via a puppet address P, in an attempt to steal their own bond away from an honest challenger H.

1. Honest challengers must combat dishonest challengers

Imagine that M does not respond to either P or H for the remainder of the challenge period. It should be clear that the L1 contract has no way to decide who to give the bond to. Therefore, it must be the case that H should be able to play out the remainder of the game against the puppet to prove they are making the wrong challenge.

In the case where P challenges an earlier point in the execution than H, I think the strategy that H should follow is identical to what they would do if defending on behalf of M. If P challenges M at a later point, then this is not the case, and H needs a way to challenge M on an earlier point than what M and P are claiming to agree upon.

2. Interactions must each have a bond

Due to 1. in combination with wanting a finite bond size, it must be the case that each interaction on-chain has a bond, as opposed to one big bond at the top. Otherwise, the attacker could simply create bond_size/interaction_gas_cost + 1 puppet challenges to make H lose money.
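
A small model of the argument in points 1 and 2, added here as an illustration; it is not part of the original issue or the project's code. It assumes H pays a constant gas cost to refute each puppet challenge, collects the bond of every challenge it refutes, and finally collects M's bond; H's own initial challenge gas is left out so the count matches the expression above, and all names and numbers are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BondScheme:
    """Constructed model; all amounts are in the same arbitrary unit (e.g. gwei)."""
    proposer_bond: int     # bond_size: posted once by the proposer M
    interaction_gas: int   # interaction_gas_cost: what H pays to refute one puppet challenge
    interaction_bond: int  # bond every challenger posts per interaction (0 = one big bond at the top)


def honest_net(s: BondScheme, puppets: int) -> int:
    """H's balance change after refuting `puppets` puppet challenges and winning M's bond.

    Assumption: H's own interaction bonds are returned in full, so they cancel out.
    """
    gas_spent = s.interaction_gas * puppets
    bonds_won = s.proposer_bond + s.interaction_bond * puppets
    return bonds_won - gas_spent


def puppets_to_make_h_lose(s: BondScheme) -> Optional[int]:
    """Smallest number of puppet challenges that leaves H out of pocket, or None if there is none."""
    shortfall = s.interaction_gas - s.interaction_bond  # H's loss per puppet refuted
    if shortfall <= 0:
        return None  # every refutation at least pays for itself
    return s.proposer_bond // shortfall + 1


def attacker_bonds_at_risk(s: BondScheme, puppets: int) -> int:
    """Bonds the attacker forfeits when every puppet is refuted and M's claim is rejected."""
    return s.proposer_bond + s.interaction_bond * puppets


if __name__ == "__main__":
    schemes = {
        "one big bond at the top": BondScheme(1000, 30, 0),
        "under-sized interaction bond": BondScheme(1000, 30, 20),
        "interaction bond covers gas": BondScheme(1000, 30, 30),
    }
    for name, s in schemes.items():
        k = puppets_to_make_h_lose(s)
        if k is None:
            print(f"{name}: H never loses; 100 puppets put {attacker_bonds_at_risk(s, 100)} at risk")
        else:
            print(f"{name}: {k} puppets leave H at {honest_net(s, k)}")
```

With a single top-level bond the break-even count is exactly bond_size/interaction_gas_cost + 1; an interaction bond smaller than the gas cost only raises that count, while one that covers the gas cost removes it.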
