Protocol: updating LAO properties is not robust in concurrence scenarios
This issue relates to the LAO properties update logic.
LAO properties update flow
When an organizer (front-end) wants to suggest changes to the LAO, it publishes the suggested changes in a lao/update_properties message data object, collects signatures from witnesses on that object, and when a quorum is reached it broadcasts a lao/state message data object.
Any client receiving a valid lao/state message will consider the properties to be correctly updated.
The problem
Several lao/update_properties and lao/state message data objects could be sent concurrently. The last lao/state to be received by a given participant will take precedence over the others, and this means that different participants will have a different "view" of what the LAO properties are.
This means the system is essentially not robust and the functionality is not safe.
Suggested solution
I would suggest inserting a field in lao/update_properties called modifies_id, which references the message_id field of the lao/state or the lao/create message that this message intends to modify. This creates an implicit ordering of modifications, where witnesses could not legitimately sign two different lao/update_properties that modify the state at the same time.
However, this is only a partial solution.
In fact, it doesn't solve the problem of having witnesses agree on which of two different lao/update_properties they should sign. That requires consensus among witnesses, which we might need to explore as part of the network resilience effort.
Let's discuss!
What do you think?
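
The modifies_id rule proposed above, and the gap it leaves, sketched as an added example (not code from the project). The Witness class, the SHA-256 message_id stand-in, the message fields other than modifies_id and the sample messages are all assumptions constructed for illustration.

```python
import hashlib
import json


def message_id(data):
    # Stand-in for the protocol's message_id: hash of the canonical JSON (assumption).
    return hashlib.sha256(json.dumps(data, sort_keys=True).encode()).hexdigest()


class Witness:
    """Hypothetical witness applying the proposed modifies_id rule."""

    def __init__(self, head_id):
        self.head_id = head_id  # message_id of the lao/create or last accepted lao/state
        self.signed = {}        # modifies_id -> message_id of the update already signed

    def should_sign(self, update):
        target = update.get("modifies_id")
        if target != self.head_id:
            return False        # missing reference, or refers to a state that is not current
        uid = message_id(update)
        # The first update seen for a given state wins; a different one is refused.
        return self.signed.setdefault(target, uid) == uid

    def accept_state(self, state_id):
        self.head_id = state_id  # later updates must reference this lao/state


def tally(witnesses, deliveries):
    """deliveries[i] is the order in which witness i receives the updates."""
    counts = {}
    for w, updates in zip(witnesses, deliveries):
        for u in updates:
            if w.should_sign(u):
                counts[message_id(u)] = counts.get(message_id(u), 0) + 1
    return counts


def split_vote(n_witnesses=4):
    # Constructed sample: two concurrent updates that modify the same lao/create.
    head = message_id({"object": "lao", "action": "create", "name": "my LAO"})
    a = {"object": "lao", "action": "update_properties", "name": "A", "modifies_id": head}
    b = dict(a, name="B")
    ws = [Witness(head) for _ in range(n_witnesses)]
    # Half the witnesses receive a first, the other half receive b first.
    orders = [[a, b] if i % 2 == 0 else [b, a] for i in range(n_witnesses)]
    return tally(ws, orders)


if __name__ == "__main__":
    print(split_vote())  # signature count per update id
```

No witness signs both updates, but with four witnesses the signatures split two and two, so a quorum of three is never reached for either update. That is the agreement gap the issue says needs consensus among witnesses.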