Chain Specific Guardian Sets

[claudijd]

Current State

The Wormhole Guardian Set is a global set, meaning that on each chain, there is the same set of recognized Guardians in Wormhole core. This also means that on each chain, the same set of public/private key pairs is used for each Guardian on each connected chain.

Problem Case

As wormhole connects new chains, to have a healthy level of fault tolerance, it is ideal/required for Guardians to support all connected chains. This means that the operational cost to be a guardian and thus the barrier of entry to be a guardian gets higher over time.

Proposed State

What if WH supported the concept of chain-specific signers, such that Guardians could decide what chains they want to sign for and there would be no requirement for Guardians to sign for a network they don't want to support.

The Guardian Set, could then turn from a simple list of global authorized signers to a map with per-chain signers...

{
"chain1": [pub1, pub2, pub3, pub4, ...]
"chain2": [pub1, pub2, pub3, pub4, ...]
"chain3": [pub1, pub2, pub3, pub4, ...]
}

I think such a map would still need to be propagated as a global state to all networks such that the destination chain can validate the source chain set of signers.

This would also help reduce the cost and burden for WH Guardians to support all networks and allow them to focus on validating for the networks they are most vested in supporting. This could also open the door for L1s to provide direct incentives for Guardians to validate their network or for L1s or large staking providers on various ecosystems to become Guardians.

I suspect this also could see benefits in having more than 19 Guardians willing to validate for larger networks, increasing the network security for transactions emitting from those chains.

Caveats

• Governance decisions would likely need to be structured in a fair way (TBD)
• Setting of Governor limits from a chain might need to be based on some set of minimum validators (to prevent collusion from a smaller chain with a smaller set of validators having contagion to other chains)
• Governance actions to update the global map might be operationally painful
• On chains with a low number of validators (not 19) would have a higher risk of collusion, censorship, and denial of service risk.

Let me preface this discussion by saying this proposal is a big architectural change to wormhole and how guardians operate. This is not an intent to get immediate action but to begin the process of getting feedback from the WH community about such an approach such that it can be considered.

[jumpsiegel]

Thoughts/Questions:

The governance required to set the governance sets should/would not be chain specific but from the Worm Dao
The VAA to register an emitter (for the token bridge) would then be signed from the guardians of that chain

Now that I am thinking about this, the vaa standard does not have the source chain in the header. I would not have any way to figure out which guardian set to validate against...

We would have to "hack" it into the 4 bytes we are given for the index? The top byte would be the chain and the bottom three bytes the governance set for that chain?

[jumpsiegel]

We would use the source chain from the body... it is just odd

[SEJeff]

The operational overhead of running 1 or (more reasonably) 2 nodes for every mainnet chain is challenging, especially for smaller guardians. Being able to split it up is a reasonable goal towards further decentralization of the network, and I like the idea of L1s helping incentivize guardians. This makes things more sustainable if done properly.

However, I don't think you'd want to have some chains have less than 19 guardians. If we decide to do this, it should be to improve decentralization and security. Also, this is a humongous amount of engineering effort given the existing bridges and node software.

I'm a fan of this idea if we can come up with a concrete way to go from where we are now to this proposal. The 👿 is always in the details.