Owner: @Álvaro Castro-Castilla

This is a continuation of this work, which proposed solutions that are now known to be flawed.

The Two Problems

The problems with our current consensus algorithm, Cryptarchia, stem from the fact that nodes know far in advance (at least one epoch ~5 days) for what slots they are being elected as leaders. Consequently, we face two issues:

1. Lazy validation. If validators know whether they will be leaders or not so far in advance, they can choose to participate only when they are elected. This hurts decentralization and network stability.
2. Unbounded MEV profits. When a validator knows in advance that it will have the option to choose between fork A (known to everyone else) and fork B (only known to itself), MEV becomes trivial and extremely profitable, with no risk for the validator. If the election is unknown a priori (as in PoW), the validator has to take an economic risk. If it is known, the option is free. Consequently this issue is of extremely high importance.

Example Attack

1. Heavy validator (or coalition of) is elected in 26 of the next 50 blocks, knowing that in advance. Withholds all these blocks, so nobody else is aware of this. While it will temporarily lose the block rewards, it will be able to recover them later.
2. The network makes progress unaware of this mischievous operator, and right after the honest portion of the network has been making progress for 25 blocks, the malicious operator releases the longer fork, forcing all honest validators to switch forks.
3. This validator either has an Executor or has colluded with one, so it can extract as much MEV from swaps or any transaction that can be favorably reverted. In other words, this attack is easily profitable. The simplest way is to bet bi-directionally for any asset, and just choose the fork that makes the profit. The profit is guaranteed and unbounded.
4. In addition to this MEV, it can exert damage by rewriting the entire history of other Zones. It may include the same transactions or it may not, forcing these Zones to rebuild the entire state of all those discarded blocks.

Single-Proposer

In the first solution we intend to keep the single-proposer principle that Cryptarchia is built on. While many proposers can win the lottery at every slot, only one is meant to be the true winner of the slot if they happen to be in the longest chain over time. This follows the typical longest-chain protocols, akin to Nakamoto consensus.

The Protocol

The protocol is defined by modifying Cryptarchia with the following rules:

1. Forks from slot s are used as input in the VRF for slot s+1. That is, the leader(s) for slot s+1 are defined by as many forks of slot s as possible. Contrary to previously explored solutions, we don't use the last proposal in the fork to generate the fresh randomness, which essentially bifurcates the chain into separate sets of leaders. The randomness is eventually consistent and common to all blocks in slot s+1, regardless of the fork that will be extended.
2. Converge to a single VRF. Since nodes will (at least temporarily) disagree on the existence of forks at slot s (or might have reasons to disregard a fork for their own benefit, such as self-selection), we need a set of rules and incentives to converge:
   1. At slot s+1, each node in the network takes the forks that it has seen as ordered input for the VRF and checks if it has been selected. We call this fork references (or just refs). This must be verifiable as part of the PoL (both the number and the specific forks).
   2. We define the weight of a block as the amount of these references to the forks of the previous slot. Fork length should be substituted by fork weight, which is the sum of all the weights of each block in the fork.
      1. Given two or more forks of different weights, higher weight wins.
      2. Given two or more forks of equal weight, higher length wins.
      3. Given two or more forks of equal weight and length, we apply the fork-choice rule of current Cryptarchia.

![The chain is formed by the yellow forks. The grey fork is invalid. The discontinuous lines are fork references for the slot s_i + 1 PoL.

• Fork 2A is invalid, 2B has weight 1 and 2C has weight 3.
• Fork 3A has weight 1 and 3B has weight 2
• The canonical chain is formed by 1B → 2C → 3B, which has a weight of w_{1B} + 5](https://prod-files-secure.s3.us-west-2.amazonaws.com/1518abd9-c08f-4989-93c1-96525e62bce5/35eb4ca7-ed36-4efc-b4ac-47dcbe3fe18d/happy_path.png)

The chain is formed by the yellow forks. The grey fork is invalid. The discontinuous lines are fork references for the slot s_i + 1 PoL.

• Fork 2A is invalid, 2B has weight 1 and 2C has weight 3.
• Fork 3A has weight 1 and 3B has weight 2
• The canonical chain is formed by 1B → 2C → 3B, which has a weight of w_{1B} + 5

Two important properties are expected from these rules:

• Nodes will want to try if they win the next election by combining several forks (which is costly), but the leader(s) that takes most forks will always produce a heavier fork. The network will see more proposals, but the number of heaviest ones will be the same as normal Cryptarchia.