A recent unintended ledger fork in the Stellar network led to a temporary disruption of its transaction system and a broader debate about the integrity of the Ripple consensus protocol.
The debate began on 5th December, when Stellar Development Foundation (SDF) executive director Joyce Kim published a blog post outlining a fork in the Stellar network that the company attributed to problems within the Ripple consensus protocol.
Both Ripple Labs and Stellar use the open-source protocol to provide competing transaction networks that allow fiat money to be sent over the blockchain. The development calls into question the viability of technology both companies hope will appeal to individuals and businesses seeking a powerful way to reduce the costs of moving money, though the incident last week only impacted the Stellar network.
A core question that resulted was whether Stellar’s network problems are possible in Ripple’s as well, or whether the issues arose from changes in the consensus protocol code. Stellar itself is a modified fork of Ripple, an initiative led by Jed McCaleb following his exit in 2013 from Ripple Labs, which he co-founded.
Unsurprisingly given the history of disputes between the organisations, Ripple Labs has contested the Stellar team’s conclusions in a response blog post penned by Ripple Labs chief technology officer Stefan Thomas. Thomas argued that the problems lie in Stellar’s changes to the consensus protocol prior to implementation and said that the Ripple network has not experienced these problems in the past.
New protocol needed?
According to Stellar’s initial report, network nodes failed to agree on a common ledger, essentially creating twin transaction histories that the development team later corrected over a period of several hours. This process resulted in the loss of customer funds on at least one exchange that offers a marketplace for Stellar’s token asset, stellars, and the deletion of transactions that were included on the eventually altered chain.
McCaleb, who also founded now-defunct bitcoin exchange Mt Gox, later released a technical assessment that pointed to a persistent stability issue within the stellar network.
“We’ve seen the nodes exhibit a tendency to get out of sync since at least September. The network would split three or four ways and then eventually come back together, but it would do so relatively quickly and without loss. Last week’s fork was a case of this happening but the ledger was not able to come together quickly.”
He reiterated that the Ripple consensus protocol is to blame, pointing to a flaw by which nodes verify transactions based on data from a smaller pool of nodes than originally intended. McCaleb added that the Stellar team is working to “make the code safe”.
As a result of the incident, the SDF will redouble efforts on a replacement consensus protocol being led by David Mazières of Stanford University’s Secure Computing Group.
In the meantime, the Stellar transaction network will run on a single verifying node in order to avoid similar problems while the new protocol is being developed.
Criticism focuses on protocol safety
The consensus protocol forms the basis for how transactions are verified in both the Stellar and Ripple networks, with participating nodes agreeing on rounds of transactions that are then hard-coded into the respective ledgers of those networks.
In Stellar’s initial post on the fork, Kim stated that the Ripple protocol has two primary issues: the minimization of transaction safety in favor of system activity and node integrity, and that the ability of the consensus algorithm to achieve correctness.
“The existing Ripple/Stellar consensus algorithm is implemented in a way that favors fault tolerance and termination over safety. This means it prioritizes ledger closes and availability over everyone actually agreeing on what the ledger is—thus opening up several potential risk scenarios.”
Kim added that research conducted by Mazières “reached the conclusion that the existing algorithm was unlikely to be safe under all circumstances”. A new white paper featuring the proposed consensus protocol, as well as its code are expected to be released in the next few months, she continued.
Ripple Labs CTO Thomas wrote in the company’s rebuttal that some of the assertions in Stellar’s blog posts were misleading or incorrect, citing its white paper as sufficient proof that its consensus protocol is secure.
“We have not reviewed Stellar’s modified version of Ripple consensus, but as far as the Ripple consensus algorithm is concerned, the protocol provides safety and fault tolerance assuming the validators are configured correctly.”
Thomas also disputed the mechanism by which nodes in the network reach consensus on transaction rounds, and said that the Ripple team looks forward to reviewing the findings prepared by Mazières.
Ripple chief cryptographer David Schwartz later told CoinDesk in a statement that systems like the Ripple consensus protocol “only work reliably when a sufficiently large percentage of validators or miners are working properly”.
“Based on the information available, we suspect a large percentage of Stellar’s validators failed, which caused the ledger fork,” he said.
Image via Shutterstock