[Proposal] Restrict block from having timestamp earlier than previous block

Protocol proposals Consensus
1

TLDR

It’s a known vulnerability that Iron Fish allow blocks with timestamps that are earlier than timestamps from previous block. Miners are incentivized to exploit it by manipulating the block timestamps to consistently gain more mining rewards. I propose to update the block header verification in consensus layer to only allow blocks with timestamps that are greater than their previous block timestamp

Terminology

  • Block header timestamp: timestamp according to the miner who mined the block. The timestamp is in millisecond. Miners must verify that it is an appropriate distance to the previous blocks timestamp.

  • Block mine time: This is calculated by the interval of current block timestamp from the previous block timestamp. When the timestamp of the current block header is earlier than the timestamp of previous block, it will result in negative block mine time.

Problems

There are speculation among miners that negative block mine time can potentially manipulate the mining difficulty. People believe that the ability to create a block with negative mine time gives these miners an edge in a “tie-breaking” scenario since making the timestamp low enough might increase the block’s mining difficulty. Miners are incentivized to set the timestamp as early as possible to gain the system with possible more mining rewards.

This negative mine time in the block header causes confusing for users. For example, in Iron Fish block explorer, It will cause negative duration for ‘Mined In’ column in The Iron Fish block explorer. The same issue exists for the Oreoscan. In Iron Fish CLI, it also use the block timestamp to display the time a transaction occurred in wallet:transactions, this led to less reliable creation time for transaction.

Screen Shot 2023-07-18 at 10.55.58 AM
Screen Shot 2023-07-18 at 10.55.58 AM1802×956 64.5 KB

Screen Shot 2023-07-18 at 10.57.47 AM
Screen Shot 2023-07-18 at 10.57.47 AM1758×1340 163 KB

Proposed Changes

I propose following changes in the consensus layer to address the problems

  • Only allow block header with a timestamp greater than the timestamp of the previous block.
    • The block header verification in the consensus will check if the block timestamp > the timestamp of the previous block.
  • Support backward compatibility. For all the existing blocks with negative timestamp, they are still valid and not affected by the new rule.
    • Enforce the new rule based on the block sequence to achieve backward compatible

Advantage

  • Prevent mining pools to potentially cheat the system by manipulating the block timestamp
  • Have reasonable values for block mine time
  • Have more reliable creation times for transactions in a block

Potential Impact on Mining Manager

For mining pools that is not using the official mining manager, the logic that sets the timestamp in a new block template will need to be updated to comply the new consensus rule.

For the official mining manager in the SDK, it will change the way it sets the timestamp in a new block template before the new rule rolls out.

Hard Fork

This change would require hard fork since it change the consensus. A block with negative mine time that is considered valid before the soft fork activates will be considered invalid after the hard fork activates.

1 Like
2

This is meaningless i think. Difficulty difference from 15 seconds block timestamp is really ignorable when the network hashrate is about 1.5-2PH/s. It’s really meaningless to hardfork the chain for this reason. On my side, the most meaningful expected hardfork is for bridges :smiley:

1 Like
3

You can change everything you can, nonce, graffiti, timestamp, coinbase transaction memo etc, to get a valid block target which meets the chain difficulty. This is known to all crypto miners since btc mining.

4

Meanwhile, this can be caused by time drift in such a decentralized system. I agree that someone including me uses a future block timestamp, but time draft can be reason for this too.

5

This is meaningless i think. Difficulty difference from 15 seconds block timestamp is really ignorable when the network hashrate is about 1.5-2PH/s. It’s really meaningless to hardfork the chain for this reason. On my side, the most meaningful expected hardfork is for bridges :smiley:

It seems your concern is this change not worth a hard fork upgrade. Thanks for pointing that out, but that will not be an issue since we will batch all the changes together and schedule a hard fork upgrade. I did not include the release plan for this change in the proposal because it will be part of a hard fork. There will be a separate proposal and project for the next hard fork upgrade. It will list out all the changes in that hard fork and detailed release plan.

6

This proposal is not to remove the freedom to set timestamp, it simply restricts the valid window for a block timestamp. Currently the consensus allows to set block timestamp earlier than previous block, this is not an ideal design for the sequential blockchain. In the ideal world, each block should have their timestamps in the order of the chain sequence. This proposal is to achieve at least block timestamp is not earlier than previous one.

The negative block mine time can be a time drift, or time skew among all the servers. However, it also can be intentional. As I mentioned in the proposal, miners are incentivized to set the timestamp as early as possible to gain the system with possible more mining rewards. With this new change, miners can still set the timestamp as early as possible. However, no matter how early they set, it wont cause any negative block mine time.

7

Generally a hardfork upgrade does include multiple features. It’s always good practice to label if a feature would require a hardfork so they can be tracked and considered for the next upgrade.

1 Like
8

Alright, makes sense now

1 Like