

Safety, liveness and fault tolerance—the consensus choices - soroushjp
https://www.stellar.org/blog/safety_liveness_and_fault_tolerance_consensus_choice/

======
bachback
The Ripple / Stellar protocol is bad, so this is not a surprise. Ripple was
invented before Bitcoin. Ripple/Stellar requires explicit trust, where Bitcoin
does not. Also the distribution was widely known to be gameable (I know many
people involved who managed to get free stellar). The only surprising thing is
that Stripe and Ravikant invested in a technology which is obviously inferior
to Bitcoin. Prof. Mazières and Jed McCaleb have no significant background in
economic research and it shows.

~~~
argonaut
I don't agree that Stellar is an "obviously inferior" technology. Stellar just
makes different tradeoffs.

I particularly enjoy this quote from
[http://adamierymenko.com/decentralization-i-want-to-believe/](http://adamierymenko.com/decentralization-i-want-to-believe/):

 _A centralized alternative to Bitcoin would be a simple SQL database with a
schema representing standard double-entry accounting and some meta-data
fields. The entire transaction volume of the Bitcoin network could be handled
by a Raspberry Pi in a shoebox._

 _Instead, we have a transaction volume of a few hundred thousand database
entries a day being handled by a compute cluster comparable to those used to
simulate atomic bomb blasts with physically realistic voxel models or
probabilistically describe a complete relationship graph for the human
proteome._

~~~
drcode
I agree that stellar-like systems might have a role to play in the future, but
surely a coin with an incident of corrupted transaction logs is inferior to
one without such an incident, all else being equal.

EDIT:

To those pointing out the 2013 Bitcoin fork, good point.

However, in cryptocurrency land, 2013 is ancient history, and I'd argue
standards are higher already.

~~~
moreati
Yes, but note that Bitcoin had a blockchain fork in 2013
[http://bitcoinmagazine.com/3668/bitcoin-network-shaken-by-bl...](http://bitcoinmagazine.com/3668/bitcoin-network-shaken-by-blockchain-fork/).
Without knowing the details of Stellar's fork I make no comment on the
relative severities/merits.

------
dsr_
"Any distributed consensus system on the Internet must sacrifice one of these
features."

is incomplete: a distributed consensus system (which is, at heart, a
distributed database) _can not_ have all three features... but there is no
guarantee that a distributed database has _any_ of those features.

As with everything else, execution matters.

If you're going to be recording history for financial transactions, you need
to put immutability as your first goal. This is not compatible with unlimited
space-time separation of trusted inputs, so the second thing you need is to
decide how you're going to resolve inconsistent histories. Doing so _always_
involves a centralized trusted system, even if it is fed from a distributed
system: someone needs to decide what transactions really happened. You can
claim that you have a distributed algorithm to do so (consensus) but that
itself will always fall into the same distribution problem.

And that's what seems to have happened here.

~~~
drcode
> ...how you're going to resolve inconsistent histories. Doing so always
> involves a centralized trusted system

False, the Bitcoin system resolves inconsistent histories in a completely
decentralized manner.

~~~
wcoenen
One could argue that a block chain fork could invalidate an arbitrary number
of blocks at any time, and therefore the Bitcoin protocol does not by itself
have this property of being able to tell which transactions really happened.

To limit the number of blocks that could be invalidated in this way, the
bitcoin reference implementation contains checkpoint hashes. These are indeed
decided centrally.

If you accept the core assumption in bitcoin that an attacker will never
control a majority of the hashing power, then there probably isn't a problem
and the checkpoints aren't needed.

~~~
oafitupa
"One could argue that a block chain fork could invalidate an arbitrary number
of blocks at any time, and therefore the Bitcoin protocol does not by itself
have this property of being able to tell which transactions really happened."

No, one could not argue that. The economic majority will decide which fork is
valid. That's the opposite of centralization.

"To limit the number of blocks that could be invalidated in this way, the
bitcoin reference implementation contains checkpoint hashes. These are indeed
decided centrally.

If you accept the core assumption in bitcoin that an attacker will never
control a majority of the hashing power, then there probably isn't a problem
and the checkpoints aren't needed."

You fail to realize you are not forced to download anything you don't want to.
And the checkpoints are hundreds of blocks deep. They don't decide anything
the network hasn't already decided (6 blocks deep transactions are considered
practically irreversible). The checkpoints ARE needed as an anti-DOS measure
(they protect the storage of full nodes from being flooded by forks that could
suddenly start to appear at low block numbers). I don't know why people are so
eager to spit opinions on things they don't know anything about.
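
The checkpoint behaviour debated in the comments above, as an added toy model in Python (not part of the thread and not Bitcoin's actual code): chain selection by cumulative work, with and without a checkpoint. Block labels, work values and the checkpoint height are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Block:
    block_id: str  # constructed label standing in for a block hash
    work: int      # constructed proof-of-work contribution

def total_work(chain):
    return sum(b.work for b in chain)

def passes_checkpoints(chain, checkpoints):
    """Reject a chain that reaches a checkpointed height with a different block."""
    return all(
        height >= len(chain) or chain[height].block_id == expected
        for height, expected in checkpoints.items()
    )

def choose_chain(candidates, checkpoints=None):
    """Pick the most-work candidate among those consistent with the checkpoints."""
    valid = [c for c in candidates if passes_checkpoints(c, checkpoints or {})]
    return max(valid, key=total_work) if valid else None

def reorg_depth(current, new):
    """Blocks of `current` that are discarded when a node switches to `new`."""
    common = 0
    for a, b in zip(current, new):
        if a != b:
            break
        common += 1
    return len(current) - common

def make_chain(prefix, labels):
    return list(prefix) + [Block(label, 1) for label in labels]

# Constructed sample chains; list index is block height.
GENESIS = [Block("g", 1)]
HONEST = make_chain(GENESIS, ["a1", "a2", "a3", "a4", "a5"])
DEEP_FORK = make_chain(GENESIS, ["x1", "x2", "x3", "x4", "x5", "x6"])  # splits at height 1
SHALLOW_FORK = make_chain(HONEST[:5], ["y5", "y6"])                    # splits at height 5
CHECKPOINTS = {3: "a3"}  # hypothetical checkpoint shipped with the client

if __name__ == "__main__":
    for name, fork in (("deep", DEEP_FORK), ("shallow", SHALLOW_FORK)):
        plain = choose_chain([HONEST, fork])
        pinned = choose_chain([HONEST, fork], CHECKPOINTS)
        print(name, "no checkpoint: reorg depth", reorg_depth(HONEST, plain),
              "| with checkpoint: reorg depth", reorg_depth(HONEST, pinned))
```

In this model the checkpoint only affects forks that split below the pinned height; a heavier fork that splits above it still wins on work alone.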

------
taspeotis
I don't know what Stellar is. I had a look at their website. It's a
decentralised [1] currency something or other. But this blog post states:

> We were able to replay most of these rolled back transactions on chain B to
> minimize the impact

And

> To ensure no ledger forks going forward in Stellar, we have decided to
> temporarily only run one validating node until the new consensus algorithm
> is live

I don't see the decentralisation here?

[1]
[https://www.stellar.org/learn/#Decentralized_network](https://www.stellar.org/learn/#Decentralized_network)
"This means that the Stellar network does not depend on any single entity"

~~~
bhouston
They have de-decentralized so that there are no more ledger splits. Sort of
embarrassing but understandable. It is understood that they will
re-decentralize once they get a new consensus algorithm I guess.

~~~
joyce
Joyce from Stellar here. Yes, that is correct. When given the choice between
temporary centralization and guaranteeing the security of the protocol and
therefore user funds, the choice is obvious. Once the new consensus algorithm
is complete, it will be safe to run with more than one node again.

~~~
taspeotis
How'd you centralize your decentralized system? It sounds like something that
shouldn't be possible unless it's actually centralized to begin with.

I'm a layperson when it comes to crypto currencies, but my impression is that
most people would consider the fact that you can centralize it a bug (separate
to the hiccup you had in the article).

~~~
polymathist
I'm just guessing here, and I hope that Joyce or someone from Stellar could
correct me if I'm wrong. It could be as simple as announcing that you're going
to make this change to de-decentralize, describing what that process entails,
and asking all the invested parties (in this case validating nodes) to follow
suit. I imagine that the process is similar to when bitcoin has done a hard
fork in the past. The bitcoin core developers see the need for a hard fork,
announce the hard fork, and ask everyone to update. If the majority of nodes
agree then the hard fork was successful. So in Stellar's case, they could be
asking people who run validating nodes to update their software, or to simply
modify their UNL to point to only a single node (similar to seeding your
bitcoin client with only a single peer). I think (and hope) that the Stellar
Foundation doesn't have the ability to actually force people to
de-decentralize.

~~~
joyce
Howdy - so at the time of the ledger fork, the Foundation was running all 5 of
the validating nodes and there were other parties not associated with us that
were running non-validating nodes.

We do not have the ability nor do we want the ability to control other
people's nodes.

Since Stellar only launched 4 months ago, the number of nodes in the network
was still small. In the future, when the network is on the new consensus system
and able to run safely in a truly decentralized way, then it would be up to
individual nodes to decide what to do.

Hope that clarifies things.

~~~
themusicgod1
Why wasn't anyone else running a validating node? Where is the code for the
validating node?

------
marco_salvatori

      "Prof. Mazières’s research indicated some risk that consensus could fail, though we were not certain if the required circumstances for such a failure were realistic."
    

I'm surprised to see the above statement in a press release; maybe it was not
worded quite right. At the scale of 100s of thousands, or millions of
transactions a day, "some risk" will manifest itself on operation timescales
itself. So when one is "not certain" it's always best to assume that problems
will show up and it will take less time than expected.

    
    
      "We are still investigating the triggers for this consensus failure, but believe it is caused by the innate weaknesses of the Ripple/Stellar consensus system outlined above compounded by the number of accounts in the network."
    

Also not great wording. Saying the system had "innate weaknesses" and we
"believe" kind of implies engineers are still guessing on the trigger. You're
building a financial corporation and if you lose you lose everything.

------
rfugger
Ripple Labs' response:

[https://ripple.com/why-the-stellar-forking-issue-does-not-af...](https://ripple.com/why-the-stellar-forking-issue-does-not-affect-ripple/)

(Ripple Labs develops the software that Stellar modifies for their own use,
and the original Ripple network still runs on unmodified Ripple Labs software.
Stellar was started by Jed McCaleb, who founded Ripple Labs, but broke with
the CEO last year.)

The Ripple consensus protocol puts certain requirements on the topology of the
network of transaction-validating nodes in order to work properly. They are
still investigating, but it's possible Stellar's network fell outside the
workable range. Ripple Labs manages their network topology more carefully than
Stellar, and this incident may validate their approach. We'll have to see what
actually happened.

------
ghshephard
I'm somewhat familiar with Bitcoin, and I've heard of Stellar, and my sense is
they are related - both a decentralized consensus based ledger system. I'm
wondering if the problem that Stellar encountered is something that Bitcoin
has some resistance to. Anybody have some insight?

~~~
bachback
Stellar is not decentralized. If problems like this occur, there is the
Stellar organization/corporation to enforce consensus. Whenever there is a
legal entity behind it, it's not de-central. Bitcoin has solved all these
problems. Ripple was invented before Bitcoin. Stellar is a Ripple fork.

~~~
soroushjp
Stellar is not _currently_ decentralized. The use of a single validating node
is a temporary measure while they rewrite their consensus algorithm. This is
obviously far from ideal, but the Stellar foundation has been transparent that
this is a temporary measure. In the original design, and in their stated
mission that they've never wavered from, this will be an open protocol where
anyone can join as a validating node. But they needed a stop gap measure while
they fixed this ledger fork issue. Again, far from ideal, but let's not jump
to harsh conclusions either.

------
yc1010
Well it was to be expected, Ripple scammed thousands of users with similar
promises

They re-branded as "Stellar" + somehow got Stripe to give them a mention and
the scam repeats

------
subnatant
Scary! I just pulled my money out of ripple.

