3.11. Bitcoin checkpoints

Sequentia relies on partial synchronous communication and implements checkpoints to prevent long-range attacks in case of attempted posterior corruption.

Synchronous protocols have defined time boundaries in which transactions and blocks are approved by specific nodes (usually, the leader in a round). However, the relativity of time for each node may produce convergence issues, causing a persistence problem (blocks are reorganized following an alternative chain). In asynchronous protocols, however, nodes approve transactions when a certain threshold number of nodes have acknowledged the block as valid. Consequently, they may have a liveness problem, stalling if the quorum is not met. Sequentia solves permanent stalls with the so-called escaping stall clause, with the trade-off of potentially introducing a convergence problem. The possibility of certifying blocks through the escaping stall clause opens the possibility of divergences that might also be exploited as an attack vector. For example, long-range attacks with posterior corruption are possible in case the keys used for the cryptographic sortition of committee members and leaders are sold to a malicious attacker and reused in the future to perform an attack with nothing at stake. Therefore, to protect the network from these potential issues, checkpoints are enforced in Sequentia as described as follows.

Anyone is free to include a marker on the Bitcoin blockchain with the hash of a Sequentia block at any height (let us say height X). To this end, it is necessary to execute a Bitcoin transaction tx with an OP_RETURN and include this transaction in a Bitcoin block. The block proposer generating a Sequentia block at height X+n with n as a positive integer is free to include a reference to said tx in that block. Other nodes will acknowledge the Sequentia block as a checkpoint request, distinguished from standard blocks precisely because it includes two hashes of the Bitcoin blockchain rather than only one. The checkpoint request is at height Z, equal to X+n, but the checkpoint will be enforced at height X. When a checkpoint is in place, a validator may prune the chain starting from height X.

Before nodes locally enforce a checkpoint, an event that we shall refer to as "checkpoint chain consolidation” shall occur. It will happen when nodes receive the 2016th confirmation on the Bitcoin network since block Z (in solar time, this corresponds to around two weeks): at that point, every Sequentia node configured to accept checkpoints will consolidate the blockchain up to block X, which means it does not allow rollbacks affecting the chain before that block, by placing a checkpoint on its local node. In order to reach 2016 blocks, the node counts only new Bitcoin blocks hashes after block X, which are included in the header of a Sequentia block.

Note that the Bitcoin anchoring mechanism has a priority over checkpoints, so if a Sequentia block with a consolidated checkpoint references a Bitcoin block that is no longer valid, the checkpoint is also invalid. If a marker included in a Bitcoin transaction is orphaned from the Bitcoin blockchain, then the checkpoint associated with that marker is no longer valid in Sequentia. However, validators may prune the portion of the chain that is antecedent to the height of a consolidated checkpoint, so they might lose crucial information if Bitcoin reorganizes the chain at a greater depth than the checkpoint; this is why the checkpoint should be “buried deep enough” in the past. A depth of about two weeks (2016 Bitcoin blocks) may seem reasonable since a two-week reorganization in Bitcoin would be such a rare event that it would likely require manual intervention from the entire ecosystem, at least by miners, professional services, and sidechain nodes, amongst others.

The SEQ token lock-in period for participants in the network, as well as the period required before a block creator can spend the block reward, shall be longer than 2016 Bitcoin blocks. This ensures the correct game theory incentives to follow the mainchain rather than trying to fork the network with long-range attacks.

Last updated