Sign Up For Our Newsletter

Verifying Proofs On-Chain with Axiom

by Kevin Ayling
on

In optimistic rollups, the primary mechanism for protecting against invalid state transitions is through the use of fraud proofs. Take, for example, Arbitrum, a notable L2 rollup. It employs a specific time frame known as the 'challenge window'. During this window, Arbitrum allows for the submission of fraud proofs that can alter or rectify state commitments on the rollup before they are finalized on the Ethereum mainnet (L1). This process is integral to ensuring the integrity and security of the transactions processed in the L2 environment.

The utility of optimistic protocols transcends the realm of rollups, proving effective in scenarios that require the efficient generation and verification of fraud proofs. This post delves into a particular application of these protocols: naive intent solving using Axiom storage proofs. Intent solving is a mechanism by which the user states their desired outcome and a specialized third-party called a solver determines how to fulfill it. Intent solving can be accomplished using a decentralized network of workers that leverages fraud proofs to ensure optimal solutions are executed. Axiom storage proofs allow a smart contract to trustlessly verify on-chain data. This capability enables protocols to run fraud proofs on-chain - allowing networks like our intent solving example to run transparently, which empowers anyone to verify their integrity.

In this context, we establish a decentralized network for protocol execution, composed of solvers—autonomous entities committed to resolving a problem and presenting their solutions to the protocol. However, a pivotal challenge emerges in selecting a solver's proposal for execution.

To grasp the situation fully, it's essential to recognize the broader framework. Utilizing a fraud proof to contest the solution approved by the authority becomes viable when equipped with information about the chosen solution. If the authority confirms and announces a receipt for the selected proposal on-chain, this data becomes available, thus requiring a mechanism to create a proof from on-chain activities.

Enter Axiom— a platform that empowers developers to run computations and construct Zero-Knowledge (ZK) proofs using historical Ethereum state as input. This capability enables anyone to craft a fraud proof to challenge the solution endorsed by the authority.

Overview

In our decentralized solver-based protocol, two entities play crucial roles: the auctioneer and solvers.  The solvers are tasked with conducting off-chain computations to identify solutions and submit them to the auctioneer. The auctioneer's role is to verify each submission, select and publish the best solution on-chain, then execute the necessary operations to fulfill it.

The auctioneer performs off-chain simulations of each submitted proposal on the Ethereum Virtual Machine to ensure their integrity. Once a proposal is validated, the solver who submitted it receives a signed receipt detailing the solution's input and output. The auctioneer then announces the winning proposal on-chain, triggering its execution.

To illustrate, imagine a scenario where our intent is to find the most efficient way to perform a swap. In this example, we have a network of solvers, each akin to participants in a competitive bidding process. They submit their proposed solutions, and the auctioneer acts as a judge to choose the best one. This process ensures the protocol's operations are executed with maximum efficiency.

Problem Statement

In the scenario described above, there are several problems we would like to address:

  1. Trust in Centralized Decision-Making:
    • How can we trust the centralized auctioneer to consistently select the optimal solution? 
  1. Solvers' Alignment with Protocol Interests:
    • How can we trust the solvers to consistently act in the best interest of the protocol rather than pursuing their own interests? 
    • What mechanisms can be put in place to ensure solvers prioritize the protocol's objectives?
  1. Verification of Optimal Solutions:
    • How can we establish a robust method to challenge a solution and verify its optimality?

Solution

We can use Axiom storage proofs to generate a proof that a solver had a better solution for a particular intent. This will allow anyone to challenge a chosen solution to show that there existed a better solution at the time it was chosen.

A solver who wishes to protest a chosen solution submits a challenge or fraud proof. This challenge is a ZK proof generated off-chain and submitted to the auctioneer, which will verify the proof on-chain.

The challenge mechanism allows for transparency within the auctioneer, instilling trust among protocol members in the centralized entity responsible for decision-making. 

We can implement rewards for chosen solutions and slashing for punishing solvers who post solutions that are not optimal. This provides the right incentives so that solvers will act in the best interest of the protocol.

Implementation

Winner Selection

The diagram below shows the flow for the auctioneer selecting a winner for an intent. Note that we rely on the receipts provided by the auctioneer in the next step in order to perform the challenge.

Winner Selection

Challenge

The diagram below shows how the challenge mechanism is fulfilled. The challenge will succeed if the challenger provides a receipt from the auctioneer that has a better outcome than the chosen solution. In this example, the outcome is an amount of the token we are swapping to.

Challenge

Code

The code below shows part of the implementation of the ZK circuit to challenge a solution:

function _axiomV2Callback(
    uint64 sourceChainId,
    address callerAddr,
    bytes32 querySchema,
    bytes32 queryHash,
    bytes32[] calldata axiomResults,
    bytes calldata callbackExtraData
) internal virtual override {
    // Parse results
    address userEventAddress = address(uint160(uint256(axiomResults[0])));
    uint32 blockNumber = uint32(uint256(axiomResults[1]));
    uint256 auctionId = uint256(axiomResults[2]);
    uint256 challengerSellingAmount = uint256(axiomResults[3]);
    uint256 challengerBuyingAmount = uint256(axiomResults[4]);
    address challenger = address(uint160(uint256(axiomResults[5])));

    // Validate the results 
    require(userEventAddress == callerAddr, "AuctioneerChallenge: Invalid user address for event");
    require(blockNumber - block.number <= 18515, "AuctioneerChallenge: Block number for transaction receipt must be less than 3 days");
    require(challengerSellingAmount == auctionIdToWinnerData[auctionId].sellingAmount, "AuctioneerChallenge: Selling amount does not match");
    require(challengerBuyingAmount > auctionIdToWinnerData[auctionId].buyingAmount, "AuctioneerChallenge: Buying amount does not match");

    uint256 ageExp = (((blockNumber - block.number) * 36900) / 100000).exp();
    uint256 constantExp = EXPONENT_CONSTANT.exp();
    uint256 punishmentAmount = ((ageExp.mul(constantExp)).mul(367879)).div(1000000);

    (bool sent, bytes memory data) = challenger.call{value: punishmentAmount}("");
    require(sent, "Failed to send Ether");

    emit AuctioneerPunished(
        challenger,
        auctionId,
        punishmentAmount,
        axiomResults
    );
}

AuctioneerChallenge.sol

Auctioneer Contract (Goerli):  0x28CeE427fCD58e5EF1cE4C93F877b621E2Db66df

Source Code: rishotics/provable_solving/contracts/AuctioneerChallenge.sol

Axiom Repl: Source, Repl

Summary

In this optimistic solver-based protocol, Axiom allows us to create a proof that will allow anyone to verify the integrity of the centralized auctioneer and the solvers who provide solutions. By implementing rewards and slashing, we can create a network in which each participant is incentivized to perform actions that will benefit the protocol. 

The implementation we have provided can be extended beyond the example discussed and could be used for a wide range of use cases, not limited to DeFi. This protocol can be used for naive intent solving—so that blockchain users can submit their intentions, instead of transactions, and allow the protocol to fulfill their intention in the most optimal way based on the solutions provided by the network of solvers. 

Axiom allows us to construct an ecosystem of trust and efficiency using fraud proofs that use on-chain commitments and attestations as input and can be run and verified on-chain. This enables developers to create a new type of fraud proof that leverages historical information on the Ethereum blockchain. 

Credits

This project was the result of the Axiom ZK Intensive program. It was a collaborative effort between the following team members:

- Rishabh (github)

- Harry G (github)

- Feng (github)

- Charles (github)

- Kevin (github)

Special thanks to the Axiom team for inspiring and supporting this project.

Author
Kevin Ayling
Filed Under
R&D
Disclaimer
This post is for general information purposes only. It does not constitute investment advice or a recommendation or solicitation to buy or sell any investment and should not be used in the evaluation of the merits of making any investment decision. It should not be relied upon for accounting, legal or tax advice or investment recommendations. Specific investments described herein do not represent all investment decisions made by Standard Crypto. The reader should not assume that investment decisions identified and discussed were or will be profitable. There is no guarantee that the investment objectives discussed herein will be achieved. Moreover, past performance is not a guarantee or indicator of future results. Specific investment advice references provided herein are for illustrative purposes only and are not necessarily representative of investments that will be made in the future. This post reflects the current opinion(s) of the author(s) and is not made on behalf of Standard Crypto Management LP (“Standard Crypto”) or its affiliates. The opinions reflected herein are subject to change without being updated.