FUSION Chain Split Events
I’m going to write about what is possibly one of the toughest challenges on a technical level the the Fusion Blockchain has faced so far, and I’m going to look at it from several different angles. Asking these questions: Why does it happen? Who can cause it to happen? Are there benefits in allowing it to happen? How dire a problem is it?
- Why does it happen?
Chain splits happen whenever nodes disagree on whether a node successfully validates a block or not. Many blockchains utilize something called pBFT (practical Byzantine fault tolerance) to prevent it from occuring, essentially forcing the nodes into consensus before moving on. FUSION uses another approach, and simply moves on and nodes punish each other by retreating tickets whenever disagreements occur. A common disagreement is about what time it is. Sometimes a node will have an entierly different idea about the time than all the other nodes, and as a consquence it’ll likely get continually punished, while at the same time inflicting some damage on a few other nodes. This type of “laissez faire” approach saves a lot of resources and allows the chain to be quite scalable, perhaps in part explaining how transaction fees continuosly remain so low and speed so high despite the fact that the network is quite heavily used by now.
These chain splits happen quite often on a small scale, but usually after 4–10 blocks they will already be resolved and any node that happened to be on the “losing side” of the split will perform what appears (from their perspective) to be a roll-back in order to synch with the majority of nodes who holds the more accepted version of what happened. The exact content of these blocks in these minor splits will be exactly the same, as the only thing being disagreed upon will typically be the exact time.
2. Who can cause it to happen?
In two occasions FUSION has seen MAJOR chain split events, where almost every active staking ticket in the whole network was retreated. The first time this happened was in mid 2020 and the last one took place just under 2 weeks ago. Both times a single node held close to about half the staking tickets active on FUSION. In mid 2020 the node belonged to WeDeFi, and in the recent event it belonged to Chainge Finance. When such a big node starts disagreeing with the rest of the network about time, the nodes will start taking turns in retreating one anothers tickets. Validators will typically get the message “Mining too far into the future…” to alarm them that this is happening. The only real action you can take in such a time is 1. Contact whoever runs the biggest node, and let them know that it’s happening. 2. Turn off auto-buy tickets, so that any tickets that are not retreated will be spared for the time being. Then once the network has stabilized again, they can be re-activated.
Though this type of attack might seem like an attack, it’s an attack that can only be made by the absolute major holder of FSN, and though they can easily do this attack “by accident” (as has happened twice), it’s not something that could be done by anyone who isn’t the major holder of FSN. This should be reassuring because, though, accidents are bad, they won’t result in real and lasting consequences unless the attacker has bad intent, which is unlikley for the most major holder of FSN to have (you don’t want to attack what is essentially yourself on purpose).
3. Are there benefits of allowing it to happen?
It’s easy to get caught in what’s bad about this sort of thing, but if we try to look at it from a positive angle, we can see that despite this type of major bad chain split already having happened two times, it has caused no permanent damage or attack on the network, which the whole time functioned exactly as intended from the user perspective. And if the benefit is higher scalability and usability compared to other similar networks, maybe that is a worthwhile trade-off as long as we have a large set of active and decentralized nodes who are ready to defend the network in times of troubles like this. To some extent FUSION has demonstrated in both these major times, that the decentralized FUSION network was more safe and overcame the flaws of the occasions where “the big centralized node” (WeDeFi and Chainge Finance respectively) were somehow malfunctioning and in the wrong, and despite those nodes being so dominant, the more decentralized parts of the network overcame and won out in the end. Seen in this perspective, you might even want to call both these events as a kind of “victory for decentralization”.
4. How dire a problem is it?
Currently the network has the same issue after getting back on its feet again, the hidden Chainge Finance node holds about half the tickets and the rest of the nodes about half. So if a disagreement over time happens again with the big node, we’d see a wind-down of retreated tickets once again (though I’d imagine Chainge is a bit extra watchful about this at the moment). Still it’s plausible that we continue to see a similar division of tickets in the future and that the threat of this occuring hovers.
The problems it causes though, is probably more superficial than truly jeapordizing anything fundamentally. Here are some issues it does cause.
1. Nodes not involved in staking but merely watching the chain, such as CEX nodes who have adopted FUSION experience roll-backs whenever chain splits occur (both small and big ones). These roll-backs give them a pretty good scare, because they’re afraid of double spending events, where they first accept a deposit as valid, but some moments later that deposit is no longer valid. Since, typically, disagreements are about the time and not what transactions occured they don’t really cause any risk for double spending. Nevertheless it can indeed appear as a risk and theoretically a major FUSION node could probably induce something like this while getting punished for it. But as long as the CEXs have proper limits around how many blocks they need to verify (100 should be more than good) and limits on max value transfer, there is no way it’d be worthwhile for anyone to try this type of attack. In its essence roll-back/doublespending is a thinkable risk, but not a practical risk and in 4 years of the chain running there is 0 instances of any known double spending event. Even so these apparent rollbacks have many times in the past caused FUD for CEXs, because they’re not used to it and it could explain to an extent the slowness at which FUSION has been adopted, because it’s not easy to trust what is not well understood and behaves different from what you would expect. So I hope this article can bring better light on it and make it better understood.
Another problem it causes is that stakers end up losing tickets. This is not neccessarily just a temporary 30 day issue, because the events could cause stakers to get fed up with staking FSN and choose instead to stop doing it. I would be surprised if the two big chain split events are also not the two most major factors in why those who stoped staking FSN stoped doing it. The network effect of that is that FUSION becomes less decentralized and therefore also even more vulnerable to error caused by the most major node. But there is also one small benefit here and that is that while there is few active tickets, it becomes more beneficial for new stakers to get started, since during these times the rewards will be greater for anyone who was lucky enough to not get their tickets retreated (which of course also includes completely new nodes). There is also yet another silver lining, and that is that very active node keepers, are more likely to pick up on what’s going on and can defend their tickets by turning off auto-buy during these “bad times”, in order to get percentual advantage in the coming “low ticket month”. Effectively it benefits active nodes over inactive nodes, which ultimately should be a good thing.
3. Could it cause the whole network to come to a complete standstill? Or cause someone to take the opportunity to attack it? Though these big chain split events seem scary, and when the ticket count becomes really low it might seem like the network would go down completely. It does seem very unlikely to happen in practise, because one node would always remain in the end, and even if that node was the problem, those who saved their tickets during the crisis, can combine forces to overcome it. What does happen in the aftermath (right now) though is that it lowers the cost of trying to dominate the network. Right now you only need around 600 tickets (3 million FSN) to become the most dominant node on FUSION. Is that a low enough amount for a “rich hacker” to accumulate that much FSN plus build a malicious version of FUSION and try to make it the dominant version? Maybe, maybe not? It’s at the very least the best of opportunities right now to do so. But, if nobody does that now at the most opportune moment ever, we probably never need to fear it, which might not be reassuring right now, but it should be reassuring in 2o days when it probably still hasn’t happened and the opportunity is gone.
4. I think overall the worste effect this type big chain split has is that it causes a general FUD against FUSION and I think we’ve actually been surpisingly spared form it. But to fight this I want to re-iterate the “good points”.
- I sincerely believe that every problem chain split events seemingly cause is superficial and true security is never jeapordized. Any presumed permanent damage, network ending, or hacking opportunity effects are purely theoretical.
- The way chain splits resolve demonstrate a victory of decentralization over centralization.
- The lack of pBFT allows FUSION to be more scalable.
All this said, I do hope that we will in the not so distant future introduce some changes to the network that will make major chain splits less likley to happen. I don’t know exactly what that will look like, or what it will involve, but I do think a change will be needed to fully rebuild trust lost after the major chain split events. But, I also think it’s important to not rush those changes. If introduced, they truly need to make things better, and not be happening just for the heck of it.