Draft Audit Scope Document for MT-Cannon

Open Inphi opened this issue 1 year ago • 1 comment

Write out the scope of a potential audit for MT-Cannon. This should also cover the 64-bit port, including the smart contract implementation and the overall specification of MT-Cannon.

Inphi avatar Oct 15 '24 15:10 Inphi

I like what @Inphi shared with us on Slack and I think it can be used as a starting point for the scoping document for auditors:

MT-Cannon is our next iteration of the Cannon Fault Proof VM (FPVM). It replaces the Cannon VM that's currently in-use on op-mainnet. We'd like an audit of the VM implementation and its impact on the op-program.

MT-Cannon specification is shared here: https://github.com/ethereum-optimism/specs/blob/main/specs/experimental/cannon-fault-proof-vm-mt.md

The motivation to do this is to allow the Go garbage collector to run asynchronously (and cooperatively rather than in parallel) with the main OP derivation routine. This alleviates memory usage concerns in the guest, ensuring that unused objects in the op-program are collected and restoring memory available for further allocation. The other reason to do this is to improve the quality of emulating Linux/MIPS for the op-program. Currently, (single-threaded) Cannon employs a set of patches that disable the Go GC and other functionality and we'd like to stop relying on these patches.

Another big change we're making alongside MT-Cannon is support for 64-bit MIPS emulation. Both multi-threaded and 64-bit features will be implemented in MT-Cannon. We're looking for an eval in two areas: the MT-Cannon Solidity implementation, and the MT-Cannon specification.

Unlocking asynchrony in the op-program, even deterministically, introduces risks of concurrency bugs including deadlocks w/ thread starvation, livelocks, and so on. We'd like an evaluation that considers these factors, specific to emulating the op-program on a Linux/MIPS64 machine, that can prevent a fault proof from being generated. Overall, the audit we're interested in involves a couple of interacting components including the MT-Cannon VM implementation, the Go runtime, and op-program behavior on Linux/MIPS.

@mbaxter @pauldowman let me know if this helps, as a starting point. 🙏

BlocksOnAChain avatar Oct 17 '24 12:10 BlocksOnAChain