My opinion on IOTA Smart Contract Protocol (ISCP) — security improvement proposal

First, I want to say, I’m a big supporter of the entire IOTA protocol and in my opinion, this is one of the few projects that try to innovate in this space.

ISCP is IOTA’s take to bring Smart Contracts to their DLT.

Smart Contracts can be thought of as state machines, where the code defines how and when the state is changed. In essence, they make code law. Given a set of inputs (ordered) and following the rules (code) written in the Smart Contract you can deterministically change (update) the state.

There are numerous things to love about ISCP from being able to run multiple chains in parallel which all operate independently from one another while still allowing trustless interoperability across different chains. Each chain can run different Virtual Machines (VMs) from Rust and Go to Solidity VMs (currently, in the future potentially even more). Each Smart Contract chain is governed by a committee of (WASP) nodes. When the committee reaches consensus, they update the state and publish a hash to the Tangle as proof that they’ve reached consensus. The committee uses a leaderless BFT consensus, a variation of the HoneyBadger consensus to come to a randomly sorted list of inputs. Once they agree on the list of inputs and the order, they all independently apply the list to the current state to derive the next state. All honest committee members will generate the same state. Each committee member signs of on the new state and when a supermajority of signatures are collected the hash of the new state gets added to the Tangle. MEV (Miner Extractable Value) is solved at the cost of additional message overhead while reaching consensus on the randomly ordered list of inputs.

ISCP can also be thought of as one of IOTA’s sharding solutions not only for Smart Contracts but also for regular value transactions. Everything is configurable in ISCP. You can have a permissioned set of validators (committee members) or you can have a permissionless and select them from the open market. You can have 0 fees or you can set up your fee structure and charge for your services…

All of this is great, but essentially unusable if you don’t trust the committee because the committee is law (not the code). Code is law only if a supermajority of the committee nodes are honest. Currently, there is no mechanism to punish malicious committees. This isn’t a problem if you run a permissioned set of validators (you already know the members), but this is a problem in the permissionless setting.

You have to understand when you interact with a Smart Contract on ISCP you essentially send funds to the Smart Contract chain that is governed by the committee. Once the funds are sent to the Smart Contract chain the committee controls them. Not you. If they’re honest then yes code is law, if they’re not then they can do whatever they want. Their signatures move your funds on the Tangle (not yours).

You have to ask yourself, what is the point of Smart Contracts if code is NOT law?

The biggest problem in DLTs currently is how do you shard without compromising security.

Global consensus (everyone sees everything) is secure but doesn’t scale.

How can we scale without compromising security?

The current idea is to force committee members to stake tokens as collateral. As long as they manage less funds than they have staked, we can assume the Smart Contract chain is secure. If they misbehave their collateral is used to repay the affected parties. How is that determined we still don’t know. This leads to other problems as the committee now has to stake large amounts to prove they’re trustworthy. Those funds are locked so they endure opportunity cost so most likely the committee will have to charge higher fees to compensate for that cost. Also, if the funds they control become somehow worth more than their collateral, from a game theory perspective it pays to collude and steal all the funds and forfeit their collateral. This can happen due to many reasons. Someone sends more tokens to the Smart Contract chain unaware that it would put managed funds over the committee’s collateral. Another example would be, because the committee doesn’t only manage IOTA tokens, but also colored tokens/digital assets/ NFTs and those assets fluctuate in the open market. Without any additional deposits, those tokens/digital assets/NFTs can become worth more than the IOTA tokens staked, so again it would pay to collude and steal the funds.

Another question is who would manage the committee that overseas, judges and reaches verdicts on all of this?

Let’s tackle the same problem a bit differently. We’ll start with a high-level abstraction and after that propose concrete implementations.

The basic concept would be for Layer1 (the Tangle) to not only act as the final settlement layer but also as the Supreme Court.

Each Smart Contract chain is required to stake a certain amount. This amount doesn’t have to be large nor is it required for it to be larger than the managed funds. This is only ‘skin in the game’ and spam prevention.

When misbehavior is detected and reported to the Tangle, goshimmer nodes can deterministically check whether the ISCP committee acted maliciously or not. In the case that misbehavior is detected, Layer1 can revert the ‘malicious’ state to the last honest one, elect a new committee to govern the Smart Contract chain under the same conditions, and liquidate the malicious committee’s collateral. The liquidated collateral could be divided in many ways. For instance, part of the collateral could go to the new committee as a reward for accepting to take over the Smart Contract chain (the new committee still needs to stake tokens for the same reason as above), the other part of the liquidated funds could go to the entity that reported the malicious intent and finally considering that L1 is feeless and goshimmer nodes don’t get anything for their work the last part could go to fund the Community Treasury.

Anyone who detects misbehavior can submit it, but each submission would require a fee to be paid as in real life when you sue someone in court. In the end, the guilty party pays all the fees, but some fees have to be paid for the work done by the court (L1 in this case). If the submitted ‘lawsuit’ is without merit, the submitter would pay the fee which would in this case entirely go to the Treasury Fund to support community DAO. Otherwise, if the entity who submitted the ‘lawsuit’ proves misbehavior, the committee is substituted for a new committee while their collateral is liquidated as described above, while the entity who submitted the ‘law suit’ gets its initial deposit (fee) back + part of the liquidated collateral as a reward.

How does this scale?

It scales in the same wait the ISCP already scales. Many ISCP chains run in parallel independently from one another. Layer1 simply assumes that all ISCP chains are trustworthy and it doesn’t monitor them (aside from regular posting of state hashes to the Tangle), nor does it inspect any chain until someone reports it. Entities that report these misbehaviors don’t have to be goshimmer nodes nor WASP nodes. They can be independent entities running their own software trying to find deterministic misbehavior in a chance to prove it and earn some profit. This scales naturally.

How is this secure?

It’s secure because you know that in the case of misbehavior that Layer1 will resolve the conflict and transfer the last valid state to the new committee under the exact same rules. You as the user wouldn’t even know.

In the end, you don’t care which committee is executing your Smart Contracts as long as it’s under the same conditions you accepted and that you know code is law.

You can even run your own validators to check whether every state update follows the rules just to be safe and in the process, you may even end up earning a reward if you prove misbehavior.

What is needed to have this implemented?

Only the concept of Extended UTXO on Layer1 as introduced by Cardano.

Extended UTXOs allow us to define who and how can consume the eUTXO and how to produce the next eUTXO (state).

From the perspective of the committee, they’d interact with the eUTXO in the same way as defined in the current ISCP spec. They’d consume the latest state eUTXO (State “i” in the picture), a new eUTXO would be created for State “i+1”, any withdrawal requests would also be created as an eUTXO, and a copy of the current state with minimal balance so that L1 doesn’t prune it until time delta elapses.

Withdrawal requests would be also locked for time delta to allow for misbehavior to be detected. After time delta has elapsed and no misbehavior is detected the owner of the funds can consume the eUTXO and use his funds as normal on Layer1. The copied state “ i’ ” (in the picture) could be consumed and the dust balance added to the next state that the committee produces so that the old state can be pruned from L1.

You report misbehavior by consuming the latest eUTXO state produced by the committee, submit your cryptographic proof of misbehavior and consume all locked eUTXOs from the moment that you detected misbehavior to the newest state to essentially produce the last honest state. You have the right to elect the new committee which you’ll define in the new eUTXO and the new committee continues to govern the chain. Rewards are distributed as described above.

Once again, it doesn’t matter which committee is elected if “code is law” is preserved and all the same conditions apply. If the new committee misbehaves it will also go through the same process.

Note that due to the power of eUTXO you have the right to consume all locked eUTXOs when submitting the claim to prove misbehavior. (You do not need to wait for time delta because the eUTXO is programmed to allow immediate execution if the submitted proof is valid and you don’t need to be the owner of the eUTXO in THIS case).

If you submit proof that is not valid, you’ll consume the latest eUTXO state produced by the committee and produce the exact same state and additionally lose the fee which you paid for submitting the proof. (The fee should go to the Treasury, but it can even be burned)

I’ve made a video explaining this. (https://www.youtube.com/watch?v=lLzRmwsFGqg)

The inspiration behind this is the concept of an optimistic rollup used in Ethereum and the Extended UTXO model introduced by Cardano.

Hope this starts many interesting discussions and serves as inspiration for new ideas.

Luka