Polkadot Whitepaper

Thursday, November 5, 2020

POLKADOT: VISION FOR A HETEROGENEOUS MULTI-CHAIN FRAMEWORK
DRAFT 1
DR. GAVIN WOOD
FOUNDER, ETHEREUM & PARITY

Abstract. Present-day blockchain architectures all suffer from a number of issues not least practical means of extensibility and scalability. We believe this stems from tying two very important parts of the consensus architecture, namely canonicality and validity, too closely together. This paper introduces an architecture, the heterogeneous multi-chain, which fundamentally sets the two apart.

In compartmentalising these two parts, and by keeping the overall functionality provided to an absolute minimum of security and transport, we introduce practical means of core extensibility in situ. Scalability is addressed through a divide-and-conquer approach to these two functions, scaling out of its bonded core through the incentivisation of untrusted public nodes.

The heterogeneous nature of this architecture enables many highly divergent types of consensus systems interoperating in a trustless, fully decentralised “federation”, allowing open and closed networks to have trust-free access to each other.

We put forward a means of providing backwards compatibility with one or more pre-existing networks such as Ethereum. We believe that such a system provides a useful base-level component in the overall search for a practically implementable system capable of achieving global-commerce levels of scalability and privacy.

1. Preface

This is intended to be a technical “vision” summary of one possible direction that may be taken in further developing the blockchain paradigm together with some rationale as to why this direction is sensible. It lays out in as much detail as is possible at this stage of development a system which may give a concrete improvement on a number of aspects of blockchain technology.

It is not intended to be a specification, formal or otherwise. It is not intended to be comprehensive nor to be a final design. It is not intended to cover non-core aspects of the framework such as APIs, bindings, languages and usage. This is notably experimental; where parameters are specified, they are likely to change. Mechanisms will be added, refined and removed in response to community ideas and critiques. Large portions of this paper will likely be revised as experimental evidence and prototyping gives us information about what will work and what not.

This document includes a core description of the protocol together with ideas for directions that may be taken to improve various aspects. It is envisioned that the core description will be used as the starting point for an initial series of proofs-of-concept. A final “version 1.0” would be based around this refined protocol together with the additional ideas that become proven and are determined to be required for the project to reach its goals.

1.1. History.

• 09/10/2016: 0.1.0-proof1
• 20/10/2016: 0.1.0-proof2
• 01/11/2016: 0.1.0-proof3
• 10/11/2016: 0.1.0

2. Introduction

Blockchains have demonstrated great promise of utility over several fields including “Internet of Things” (IoT), finance, governance, identity management, web-decentralisation and asset-tracking. However, despite the technological promise and grand talk, we have yet to see significant real-world deployment of present technology. We believe that this is down to five key failures of present technology stacks:

Scalability: How much resources are spent globally on processing, bandwidth and storage for the system to process a single transaction and how many transactions can be reasonably processed under peak conditions?

Isolatability: Can the divergent needs of multiple parties and applications be addressed to a near-optimal degree under the same framework?

Developability: How well do the tools work? Do the APIs address the developers’ needs? Are educational materials available? Are the right integrations there?

Governance: Can the network remain flexible to evolve and adapt over time? Can decisions be made with sufficient inclusivity, legitimacy and transparency to provide effective leadership of a decentralised system?

Applicability: Does the technology actually address a burning need on its own? Is other “middleware” required in order to bridge the gap to actual applications?

In the present work, we aim to address the first two issues: scalability and isolatability. That said, we believe the Polkadot framework can provide meaningful improvements in each of these classes of problems.

Modern, efficient blockchain implementations such as the Parity Ethereum client [17] can process in excess of 3,000 transactions per second when running on performant consumer hardware. However, current real-world blockchain networks are practically limited to around 30 transactions per second. This limitation mainly originates from the fact that the current synchronous consensus mechanisms require wide timing margins of safety on the expected processing time, which is exacerbated by the
desire to support slower implementations. This is due to the underlying consensus architecture: the state transition mechanism, or the means by which parties collate and execute transactions, has its logic fundamentally tied into the consensus “canonicalisation” mechanism, or the means by which parties agree upon one of a number of possible, valid, histories.

This applies equally to both proof-of-work (PoW) systems such as Bitcoin [15] and Ethereum [5, 23] and proof-of-stake (PoS) systems such as NXT [8] and Bitshares [12]: all ultimately suffer from the same handicap. It is a simple strategy that helped make blockchains a success. However, by tightly coupling these two mechanisms into a single unit of the protocol, we also bundle together multiple different actors and applications with different risk profiles, different scalability requirements and different privacy needs. One size does not fit all. Too often it is the case that in a desire for broad appeal, a network adopts a degree of conservatism which results in a lowest-common-denominator optimally serving few and ultimately leading to a failing in the ability to innovate, perform and adapt, sometimes dramatically so.

Some systems such as e.g. Factom [21] drop the state-transition mechanism altogether. However, much of the utility that we desire requires the ability to transition state according to a shared state-machine. Dropping it solves an alternative problem; it does not provide an alternative solution.

It seems clear, therefore, that one reasonable direction to explore as a route to a scalable decentralised compute platform is to decouple the consensus architecture from the state-transition mechanism. And, perhaps unsurprisingly, this is the strategy that Polkadot adopts as a solution to scalability.

2.1. Protocol, Implementation and Network. Like Bitcoin and Ethereum, Polkadot refers at once to a network protocol and the (hitherto presupposed) primary public network that runs this protocol. Polkadot is intended to be a free and open project, the protocol specification being under a Creative Commons license and the code being placed under a FLOSS license. The project is developed in an open manner and accepts contributions wherever they are useful. A system of RFCs, not unlike the Python Enhancement Proposals, will allow a means of publicly collaborating over protocol changes and upgrades.

Our initial implementation of the Polkadot protocol will be known as the Parity Polkadot Platform and will include a full protocol implementation together with API bindings. Like other Parity blockchain implementations, PPP is designed to be a general-purpose blockchain technology stack, neither uniquely for a public network nor for private/consortium operation. The development of it thus far has been funded by several parties including through a grant from the British government.

This paper nonetheless describes Polkadot under the context of a public network. The functionality we envision in a public network is a superset of that required in alternative (e.g. private and/or consortium) settings. Furthermore, in this context, the full scope of Polkadot can be more clearly described and discussed. This does mean the reader should be aware that certain mechanisms may be described (for example interoperation with other public networks) which are not directly relevant to Polkadot when deployed under non-public (“permissioned”) situations.

2.2. Previous work. Decoupling the underlying consensus from the state-transition has been informally proposed in private for at least two years—Max Kaye was a proponent of such a strategy during the very early days of Ethereum.

A more complex scalable solution known as Chain fibers, dating back to June 2014 and first published later that year¹, made the case for a single relay-chain and multiple homogeneous chains providing a transparent interchain execution mechanism. Decoherence was paid for through transaction latency—transactions requiring the coordination of disparate portions of the system would take longer to process. Polkadot takes much of its architecture from that and the follow-up conversations with various people, though it differs greatly in much of its design and provisions.

¹ https://github.com/ethereum/wiki/wiki/Chain-Fibers-Redux

While there are no systems comparable to Polkadot actually in production, several systems of some relevance have been proposed, though few in any substantial level of detail. These proposals can be broken down into systems which drop or reduce the notion of a globally coherent state machine, those which attempt to provide a globally coherent singleton machine through homogeneous shards and those which target only heterogeneity.

2.2.1. Systems without Global State. Factom [21] is a system that demonstrates canonicality without the according validity, effectively allowing the chronicling of data. Because of the avoidance of global state and the difficulties with scaling which this brings, it can be considered a scalable solution. However, as mentioned previously, the set of problems it solves is strictly and substantially smaller.

Tangle [18] is a novel approach to consensus systems. Rather than arranging transactions into blocks and forming consensus over a strictly linked list to give a globally canonical ordering of state-changes, it largely abandons the idea of a heavily structured ordering and instead pushes for a directed acyclic graph of dependent transactions with later items helping canonicalise earlier items through explicit referencing. For arbitrary state-changes, this dependency graph would quickly become intractable, however for the much simpler UTXO model² this becomes quite reasonable. Because the system is only loosely coherent and transactions are generally independent of each other, a large amount of global parallelism becomes quite natural. Using the UTXO model does have the effect of limiting Tangle to a purely value-transfer “currency” system rather than anything more general or extensible. Furthermore without the hard global coherency, interaction with other systems—which tend to need an absolute degree knowledge over the system state—becomes impractical.

² unspent transaction output, the model that Bitcoin uses whereby the state is effectively the set of addresses associated with some value; transactions collate such addresses and reform them into a new set of addresses whose sum total is equivalent

2.2.2. Heterogeneous Chain Systems. Side-chains [3] is a proposed addition to the Bitcoin protocol which would allow trustless interaction between the main Bitcoin chain and additional side-chains. There is no provision for any degree of ‘rich’ interaction between side-chains: the interaction would be limited to allowing side-chains to be custodians of each other’s assets, effecting—in the local jargon—a two-way peg³. The end vision is for a framework where the Bitcoin currency could be provided with additional, if peripheral, functionality through pegging it onto some other chains with more exotic state transition systems than the Bitcoin protocol allows. In this sense, side-chains addresses extensibility rather than scalability.

³ as opposed to a one-way peg which is essentially the action of destroying tokens in one chain to create tokens in another without the mechanism to do the converse in order to recover the original tokens

Indeed, there is fundamentally no provision for the validity of side-chains; tokens from one chain (e.g. Bitcoin) held on behalf of a side-chain are secured only by the side-chain’s ability to incentivise miners to canonicalise valid transitions. The security of the Bitcoin network cannot easily be transitioned to work on behalf of other blockchains. Furthermore, a protocol for ensuring Bitcoin miners merge-mine (that is duplicate their canonicalisation power onto that of the side-chain) and, more importantly, validate the side-chain’s transitions is outside the scope of this proposal.

Cosmos [10] is a proposed multi-chain system in the same vein as side-chains, swapping the Nakamoto PoW consensus method for Jae Kwon’s Tendermint algorithm. Essentially, it describes multiple chains (operating in zones) each using individual instances of Tendermint, together with a means for trust-free communication via a master hub chain. This interchain communication is limited to the transfer of digital assets (“specifically about tokens”) rather than arbitrary information, however such interchain communication does have a return path for data, e.g. to report to the sender on the status of the transfer.

Validator sets for the zoned chains, and in particular the means of incentivising them, are, like side-chains, left as an unsolved problem. The general assumption is that each zoned chain will itself hold a token of value whose inflation is used to pay for validators. Still in the early stages of design, at present the proposal lacks comprehensive details over the economic means of achieving the scalable certainty over global validity. However, the loose coherence required between the zones and the hub will allow for additional flexibility over the parameters of the zoned chains compared to that of a system enforcing stronger coherence.

2.2.3. Casper. As yet no comprehensive review or side-by-side comparison between Casper [6] and Polkadot has been made, though one can make a fairly sweeping (and accordingly inaccurate) characterisation of the two. Casper is a reimagining of how a PoS consensus algorithm could be based around participants betting on which fork would ultimately become canonical. Substantial consideration was given to ensuring that it be robust to network forks, even when prolonged, and have some additional degree of scalability on top of the basic Ethereum model. As such, Casper to date has tended to be a substantially more complex protocol than Polkadot and its forebears, and a substantial deviation from the basic blockchain format. It remains unseen as to how Casper will iterate in the future and what it will look like should it finally be deployed.

While Casper and Polkadot both represent interesting new protocols and, in some sense, augmentations of Ethereum, there are substantial differences between their ultimate goals and paths to deployment. Casper is an Ethereum Foundation-centered project originally designed to be a PoS alteration to the protocol with no desire to create a fundamentally scalable blockchain. Crucially, it is designed to be a hard-fork, rather than anything more expansive and thus all Ethereum clients and users would be required to upgrade or remain on a fork of uncertain adoption. As such, deployment is made substantially more difficult as is inherent in a decentralised project where tight coordination is necessary.

Polkadot differs in several ways; first and foremost, Polkadot is designed to be a fully extensible and scalable blockchain development, deployment and interaction test bed. It is built to be a largely future-proof harness able to assimilate new blockchain technology as it becomes available without over-complicated decentralised coordination or hard forks. We already envision several use cases such as encrypted consortium chains and high-frequency chains with very low block times that are unrealistic to do in any future version of Ethereum currently envisioned. Finally, the coupling between it and Ethereum is extremely loose; no action on the part of Ethereum is necessary to enable trustless transaction forwarding between the two networks.

In short, while Casper/Ethereum 2.0 and Polkadot share some fleeting similarities we believe their end goal is substantially different and that rather than competing, the two protocols are likely to ultimately co-exist under a mutually beneficial relationship for the foreseeable future.

3. Summary

Polkadot is a scalable heterogeneous multi-chain. This means that unlike previous blockchain implementations which have focused on providing a single chain of varying degrees of generality over potential applications, Polkadot itself is designed to provide no inherent application functionality at all. Rather, Polkadot provides the bedrock “relay-chain” upon which a large number of validatable, globally-coherent dynamic data-structures may be hosted side-by-side. We call these data-structures “parallelised” chains or parachains, though there is no specific need for them to be blockchain in nature.

In other words, Polkadot may be considered equivalent to a set of independent chains (e.g. the set containing Ethereum, Ethereum Classic, Namecoin and Bitcoin) except for two very important points:

• Pooled security;
• trust-free interchain transactability.

These points are why we consider Polkadot to be “scalable”. In principle, a problem to be deployed on Polkadot may be substantially parallelised—scaled out—over a large number of parachains. Since all aspects of each parachain may be conducted in parallel by a different segment of the Polkadot network, the system has some ability to scale. Polkadot provides a rather bare-bones piece of
infrastructure leaving much of the complexity to be addressed at the middleware level. This is a conscious decision intended to reduce development risk, enabling the requisite software to be developed within a short time span and with a good level of confidence over its security and robustness.

3.1. The Philosophy of Polkadot. Polkadot should provide an absolute rock-solid foundation on which to build the next wave of consensus systems, right through the risk spectrum from production-capable mature designs to nascent ideas. By providing strong guarantees over security, isolation and communication, Polkadot can allow parachains to select from a range of properties themselves. Indeed, we foresee various experimental blockchains pushing the properties of what could be considered sensible today.

We see conservative, high-value chains similar to Bitcoin or Z-cash [20] co-existing alongside lower-value “theme-chains” (such marketing, so fun) and test-nets with zero or near-zero fees. We see fully-encrypted, “dark”, consortium chains operating alongside—and even providing services to—highly functional and open chains such as those like Ethereum. We see experimental new VM-based chains such as a subjective time-charged wasm chain being used as a means of outsourcing difficult compute problems from a more mature Ethereum-like chain or a more restricted Bitcoin-like chain.

To manage chain upgrades, Polkadot will inherently support some sort of governance structure, likely based on existing stable political systems and having a bicameral aspect similar to the Yellow Paper Council [24]. As the ultimate authority, the underlying stakable token holders would have “referendum” control. To reflect the users’ need for development but the developers’ need for legitimacy, we expect a reasonable direction would be to form the two chambers from a “user” committee (made up of bonded validators) and a “technical” committee made up of major client developers and ecosystem players. The body of token holders would maintain the ultimate legitimacy and form a supermajority to augment, reparameterise, replace or dissolve this structure, something we don’t doubt the eventual need for: in the words of Twain “Governments and diapers must be changed often, and for the same reason”.

Whereas reparameterisation is typically trivial to arrange within a larger consensus mechanism, more qualitative changes such as replacement and augmentation would likely need to be either non-automated “soft-decrees” (e.g. through the canonicalisation of a block number and the hash of a document formally specifying the new protocol) or necessitate the core consensus mechanism to contain a sufficiently rich language to describe any aspect of itself which may need to change. The latter is an eventual aim, however, the former more likely to be chosen in order to facilitate a reasonable development timeline.

Polkadot’s primary tenets and the rules within which we evaluate all design decisions are:

Minimal: Polkadot should have as little functionality as possible.

Simple: no additional complexity should be present in the base protocol than can reasonably be offloaded into middleware, placed through a parachain or introduced in a later optimisation.

General: no unnecessary requirement, constraint or limitation should be placed on parachains; Polkadot should be a test bed for consensus system development which can be optimised through making the model into which extensions fit as abstract as possible.

Robust: Polkadot should provide a fundamentally stable base-layer. In addition to economic soundness, this also means decentralising to minimise the vectors for high-reward attacks.

4. Participation in Polkadot

There are four basic roles in the upkeep of a Polkadot network: collator, fisherman, nominator and validator. In one possible implementation of Polkadot, the latter role may actually be broken down into two roles: basic validator and availability guarantor; this is discussed in section 6.5.3.

[Figure 1 diagram. Nodes: Collator, Fisherman, Nominator, Validators (this group), Validators (other groups). Edge labels: “provides block candidates for”, “reports bad behaviour to”, “monitors”, “approves”, “becomes”.]

Figure 1. The interaction between the four roles of Polkadot.

4.1. Validators. A validator is the highest charge and helps seal new blocks on the Polkadot network. The validator’s role is contingent upon a sufficiently high bond being deposited, though we allow other bonded parties to nominate one or more validators to act for them and as such some portion of the validator’s bond may not necessarily be owned by the validator itself but rather by these nominators.

A validator must run a relay-chain client implementation with high availability and bandwidth. At each block the node must be ready to accept the role of ratifying a new block on a nominated parachain. This process involves receiving, validating and republishing candidate blocks. The nomination is deterministic but virtually unpredictable much in advance. Since the validator cannot reasonably be expected to maintain a fully-synchronised database of all parachains, it is expected that the validator will nominate the task of devising a suggested new parachain block to a third-party, known as a collator.

Once all new parachain blocks have been properly ratified by their appointed validator subgroups, validators must then ratify the relay-chain block itself. This involves updating the state of the transaction queues (essentially moving data from a parachain’s output queue to another parachain’s input queue), processing the transactions of the ratified relay-chain transaction set and ratifying the final block, including the final parachain changes.

A validator not fulfilling their duty to find consensus under the rules of our chosen consensus algorithm is punished. For initial, unintentional failures, this is through withholding the validator’s reward. Repeated failures result in the reduction of their security bond (through burning). Provably malicious actions such as double-signing or conspiring to provide an invalid block result in the loss of the entire bond (which is partially burnt but mostly given to the informant and the honest actors).

In some sense, validators are similar to the mining pools of current PoW blockchains.

4.2. Nominators. A nominator is a stake-holding party who contributes to the security bond of a validator. They have no additional role except to place risk capital and as such to signal that they trust a particular validator (or set thereof) to act responsibly in their maintenance of the network. They receive a pro-rata increase or reduction in their deposit according to the bond’s growth to which they contribute.

Together with collators, next, nominators are in some sense similar to the miners of the present-day PoW networks.

4.3. Collators. Transaction collators (collators for short) are parties who assist validators in producing valid parachain blocks. They maintain a “full-node” for a particular parachain; meaning that they retain all necessary information to be able to author new blocks and execute transactions in much the same way as miners do on current PoW blockchains. Under normal circumstances, they will collate and execute transactions to create an unsealed block, and provide it, together with a zero-knowledge proof, to one or more validators presently responsible for proposing a parachain block.

The precise nature of the relationship between collators, nominators and validators will likely change over time. Initially, we expect collators to work very closely with validators, since there will be only a few (perhaps only one) parachain(s) with little transaction volume. The initial client implementation will include RPCs to allow a parachain collator node to unconditionally supply a (relay-chain) validator node with a provably valid parachain block. As the cost of maintaining a synced version of all such parachains increases, we expect to see additional infrastructure in place which will help separate out the duties to independent, economically-motivated, parties.

Eventually, we expect to see collator pools who vie to collect the most transaction fees. Such collators may become contracted to serve particular validators over a period of time for an on-going share in the reward proceeds. Alternatively, “freelance” collators may simply create a market offering valid parachain blocks in return for a competitive share of the reward payable immediately. Similarly, decentralised nominator pools would allow multiple bonded participants to coordinate and share the duty of a validator. This ability to pool ensures open participation leading to a more decentralised system.

4.4. Fishermen. Unlike the other two active parties, fishermen are not directly related to the block-authoring process. Rather they are independent “bounty hunters” motivated by a large one-off reward. Precisely due to the existence of fishermen, we expect events of misbehaviour to happen seldom, and when they do only due to the bonded party being careless with secret key security, rather than through malicious intent. The name comes from the expected frequency of reward, the minimal requirements to take part and the eventual reward size.

Fishermen get their reward through a timely proof that at least one bonded party acted illegally. Illegal actions include signing two blocks each with the same ratified parent or, in the case of parachains, helping ratify an invalid block. To prevent over-rewarding or the compromise and illicit use of a session’s secret key, the base reward for providing a single validator’s illegally signed message is minimal. This reward increases asymptotically as more corroborating illegal signatures from other validators are provided implying a genuine attack. The asymptote is set at 66% following our base security assertion that at least two-thirds of the validators act benevolently.

Fishermen are somewhat similar to “full nodes” in present-day blockchain systems in that the resources needed are relatively small and the commitment of stable uptime and bandwidth is not necessary. Fishermen differ in so much as they must post a small bond. This bond prevents sybil attacks from wasting validators’ time and compute resources. It is immediately withdrawable, probably no more than the equivalent of a few dollars and may lead to reaping a hefty reward from spotting a misbehaving validator.

5. Design Overview

This section is intended to give a brief overview of the system as a whole. A more thorough exploration of the system is given in the section following it.

5.1. Consensus. On the relay-chain, Polkadot achieves low-level consensus over a set of mutually agreed valid blocks through a modern asynchronous Byzantine fault-tolerant (BFT) algorithm. The algorithm will be inspired by the simple Tendermint [11] and the substantially more involved HoneyBadgerBFT [14]. The latter provides an efficient and fault-tolerant consensus over an arbitrarily defective network infrastructure, given a set of mostly benign authorities or validators.

For a proof-of-authority (PoA) style network, this alone would be sufficient, however Polkadot is imagined to be also deployable as a network in a fully open and public situation without any particular organisation or trusted authority required to maintain it. As such we need a means of determining a set of validators and incentivising them to be honest. For this we utilise PoS based selection criteria.

5.2. Proving the Stake. We assume that the network will have some means of measuring how much “stake” any particular account has. For ease of comparison to pre-existing systems, we will call the unit of measurement “tokens”. Unfortunately the term is less than ideal for a number of reasons, not least that being simply a scalar value associated with an account, there is no notion of individuality.

We imagine validators be elected, infrequently (at most once per day but perhaps as seldom as once per quarter), through a Nominated Proof-of-Stake (NPoS) scheme. Incentivisation can happen through a pro-rata allocation of
funds coming from a token base expansion (up to 100% per year, though more likely around 10%) together with any transaction fees collected. While monetary base expansion typically leads to inflation, since all token owners would have a fair opportunity at participation, no token-holder would need to suffer a reduction in value of their holdings over time provided they were happy to take a role in the consensus mechanism. A particular proportion of tokens would be targeted for the staking process; the effective token base expansion would be adjusted through a market-based mechanism to reach this target.

[Figure 2 diagram. Labels: Transaction (submitted by external actor); Propagated transactions; Collator; Block candidate submission; Propagated block; Validator swarm (each coloured by its designated parachain); Fisherman; 2nd order Relay-chain; Parachain community; Account; Inbound transaction; Outbound transaction; Interchain transactions (managed by validators); Relay chain; Parachain; Parachain queues and I/O; Parachain bridge; Virtual parachain (e.g. Ethereum).]

Figure 2. A summary schematic of the Polkadot system. This shows collators collecting and propagating user-transactions, as well as propagating block candidates to fishermen and validators. It also shows how an account can post a transaction which is carried out of its parachain, via the relay-chain and on into another parachain where it can be interpreted as a transaction to an account there.

Validators are bonded heavily by their stakes; exiting validators’ bonds remain in place long after the validators’ duties cease (perhaps around 3 months). This long bond-liquidation period allows future misbehaviour to be punished up until the periodic checkpointing of the chain. Misbehaviour results in punishment, such as reduction of reward or, in cases which intentionally compromise the network’s integrity, the validator losing some or all of its stake to other validators, informants or the stakeholders as a whole (through burning). For example, a validator who attempts to ratify both branches of a fork (sometimes known as a “short-range” attack) may be identified and punished in the latter way.

Long-range “nothing-at-stake” attacks⁴ are circumvented through a simple “checkpoint” latch which prevents a dangerous chain-reorganisation of more than a particular chain-depth. To ensure newly-syncing clients are not able to be fooled onto the wrong chain, regular “hard forks” will occur (of at most the same period of the validators’ bond liquidation) that hard-code recent checkpoint block hashes into clients. This plays well with a further footprint-reducing measure of “finite chain length” or periodic resetting of the genesis-block.

5.3. Parachains and Collators. Each parachain gets similar security affordances to the relay-chain: the parachains’ headers are sealed within the relay-chain block ensuring no reorganisation, or “double-spending”, is possible following confirmation. This is a similar security guarantee to that offered by Bitcoin’s side-chains and merge-mining. Polkadot, however, also provides strong guarantees that the parachains’ state transitions are valid. This happens through the set of validators being cryptographically randomly segmented into subsets; one subset per parachain, the subsets potentially differing per block. This setup generally implies that parachains’ block times will be at least as long as that of the relay-chain. The specific means of determining the partitioning is outside the scope
Through controlling a relatively insignificant portion of stake at the offset, they are able to incrementally increase their portion of the stake relative to all other stakeholders as they are the only active participants in their alternative history. Since no intrinsic physical limitation exists on the creation of blocks (unlike PoW where quite real computational energy must be spent), they are able to craft a chain longer than the real chain in a relatively short timespan and potentially make it the longest and best, taking over the canonical state of the network.

POLKADOT: VISION FOR A HETEROGENEOUS MULTI-CHAIN FRAMEWORK DRAFT 1 7 of this document but would likely be based either around Account sends post: Account receives post: a commit-reveal framework similar to the RanDAO [19] or entry placed in entry removed from use data combined from previous blocks of each parachain egress Merkle tree ingress Merkle tree for destination under a cryptographically secure hash. parachain Such subsets of validators are required to provide a parachain block candidate which is guaranteed valid (on Source: shares Destination: gets egress pain of bond confiscation). Validity revolves around two data with next block’s data from prior important points; firstly that it is intrinsically valid—that validators ingress block’s validators. all state transitions were executed faithfully and that all external data referenced (i.e. transactions) is valid for in- clusion. Secondly, that any data which is extrinsic to its proof-of-post stored in routed reference placed candidate, such as those external transactions, has suffi- parachain egress Merkle in destination parachain’s ciently high availability so that participants are able to tree ingress Merkle tree download it and execute the block manually.5 Valida- tors may provide only a “null” block containing no ex- Figure 3. A basic schematic showing ternal “transactions” data, but may run the risk of get- the main parts of routing for posted ting a reduced reward if they do. They work alongside transactions (”posts”). a parachain gossip protocol with collators—individuals who collate transactions into blocks and provide a non- To ensure minimal implementation complexity, min- interactive, zero-knowledge proof that the block consti- imal risk and minimal straight-jacketing of future tutes a valid child of its parent (and taking any transaction parachain architectures, these interchain transactions are fees for their trouble). 
effectively indistinguishable from standard externally- It is left to parachain protocols to specify their own signed transactions. The transaction has an origin seg- means of spam-prevention: there is no fundamental no- ment, providing the ability to identify a parachain, and tion of “compute-resource metering” or “transaction fee” an address which may be of arbitrary size. Unlike com- imposed by the relay-chain. There is also no direct en- mon current systems such as Bitcoin and Ethereum, in- forcement on this by the relay-chain protocol (though it terchain transactions do not come with any kind of “pay- is unlikely that the stakeholders would choose to adopt ment” of fee associated; any such payment must be man- a parachain which didn’t provide a decent mechanism). aged through negotiation logic on the source and desti- This is an explicit nod to the possibility of chains unlike nation parachains. A system such as that proposed for Ethereum, e.g. a Bitcoin-like chain which has a much sim- Ethereum’s Serenity release [7] would be a simple means pler fee model or some other, yet-to-be-proposed spam- of managing such a cross-chain resource payment, though prevention model. we assume others may come to the fore in due course. Polkadot’s relay-chain itself will probably exist as an Interchain transactions are resolved using a simple Ethereum-like accounts and state chain, possibly an EVM- queuing mechanism based around a Merkle tree to ensure derivative. Since the relay-chain nodes will be required to fidelity. It is the task of the relay-chain maintainers to do substantial other processing, transaction throughput move transactions on the output queue of one parachain will be minimised partly through large transaction fees into the input queue of the destination parachain. The and, should our research models require, a block size limit. passed transactions get referenced on the relay-chain, how- ever are not relay-chain transactions themselves. 
To pre- vent a parachain from spamming another parachain with transactions, for a transaction to be sent, it is required that the destination’s input queue be not too large at the time of the end of the previous block. If the input queue is too large after block processing, then it is con- sidered “saturated” and no transactions may be routed to it within subsequent blocks until reduced back below the limit. These queues are administered on the relay-chain allowing parachains to determine each other’s saturation status; this way a failed attempt to post a transaction 5.4. Interchain Communication. The critical final in- to a stalled destination may be reported synchronously. gredient of Polkadot is interchain communication. Since (Though since no return path exists, if a secondary trans- parachains can have some sort of information channel be- action failed for that reason, it could not be reported back tween them, we allow ourselves to consider Polkadot a to the original caller and some other means of recovery scalable multi-chain. In the case of Polkadot, the commu- would have to take place.) nication is as simple as can be: transactions executing in a parachain are (according to the logic of that chain) able to 5.5. Polkadot and Ethereum. Due to Ethereum’s Tur- effect the dispatch of a transaction into a second parachain ing completeness, we expect there is ample opportu- or, potentially, the relay-chain. Like external transactions nity for Polkadot and Ethereum to be interoperable with on production blockchains, they are fully asynchronous each other, at least within some easily deducible secu- and there is no intrinsic ability for them to return any rity bounds. In short, we envision that transactions from kind of information back to its origin. Polkadot can be signed by validators and then fed into 5Such a task might be shared between validators or could become the designate task of a set of heavily bonded validators known as availability guarantors.

POLKADOT: VISION FOR A HETEROGENEOUS MULTI-CHAIN FRAMEWORK DRAFT 1 8 Ethereum where they can be interpreted and enacted by In this model, Polkadot’s validator nodes would have a transaction-forwarding contract. In the other direction, to do little other than sign messages. To get the trans- we foresee the usage of specially formatted logs (events) actions actually routed onto the Ethereum network, we coming from a “break-out contract” to allow a swift veri- assume either validators themselves would also reside on fication that a particular message should be forwarded. the Ethereum network or, more likely, that small bounties be offered to the first actor who forwards the message on 5.5.1. Polkadot to Ethereum. Through the choice of a to the network (the bounty could trivially be paid to the BFT consensus mechanism with validators formed from a transaction originator). set of stakeholders determined through an approval voting mechanism, we are able to get a secure consensus with an 5.5.2. Ethereum to Polkadot. Getting transactions to be infrequently changing and modest number of validators. forwarded from Ethereum to Polkadot uses the simple no- In a system with a total of 144 validators, a block time of tion of logs. When an Ethereum contract wishes to dis- 4 seconds and a 900-block finality (allowing for malicious patch a transaction to a particular parachain of Polkadot, behaviour such as double-votes to be reported, punished it need simply call into a special “break-out contract”. and repaired), the validity of a block can reasonably be The break-out contract would take any payment that may considered proven through as little as 97 signatures (two- be required and issue a logging instruction so that its ex- thirds of 144 plus one) and a following 60-minute verifica- istence may be proven through a Merkle proof and an as- tion period where no challenges are deposited. 
sertion that the corresponding block’s header is valid and Ethereum is able to host a “break-in contract” which canonical. can maintain the 144 signatories and be controlled by Of the latter two conditions, validity is perhaps the them. Since elliptic curve digital signature (ECDSA) re- most straightforward to prove. In principle, the only re- covery takes only 3,000 gas under the EVM, and since quirement is for each Polkadot node needing the proof we would likely only want the validation to happen on a (i.e. appointed validator nodes) to be running a fully syn- super-majority of validators (rather than full unanimity), chronised instance of a standard Ethereum node. Unfor- the base cost of Ethereum confirming that an instruction tunately, this is itself a rather heavy dependency. A more was properly validated as coming from the Polkadot net- lightweight method would be to use a simple proof that the work would be no more than 300,000 gas—a mere 6% of header was evaluated correctly through supplying only the the total block gas limit at 5.5M. Increasing the num- part of Ethereum’s state trie needed to properly execute ber of validators (as would be necessary for dealing with the transactions in the block and check that the logs (con- dozens of chains) inevitably increases this cost, however tained in the block receipt) are valid. Such “SPV-like”6 it is broadly expected for Ethereum’s transaction band- proofs may yet require a substantial amount of informa- width to grow over time as the technology matures and tion; conveniently, they would typically not be needed at infrastructure improves. Together with the fact that not all: a bond system inside Polkadot would allow bonded all validators need to be involved (e.g. only the highest third-parties to submit headers at the risk of losing their staked validators may be called upon for such a task) the bond should some other third-party (such as a “fisher- limits of this mechanism extend reasonably well. 
man”, see 6.2.3) provide a proof that the header is invalid Assuming a daily rotation of such validators (which is (specifically that the state root or receipt roots were im- fairly conservative—weekly or even monthly may be ac- postors). ceptable), then the cost to the network of maintaining On a non-finalising PoW network like Ethereum, the this Ethereum-forwarding bridge would be around 540,000 canonicality is impossible to proof conclusively. To ad- gas per day or, at present gas prices, ✩45 per year. A ba- dress this, applications that attempt to rely on any kind sic transaction forwarded alone over the bridge would cost of chain-dependent cause-effect wait for a number of “con- around ✩0.11; additional contract computation would cost firmations”, or until the dependent transaction is at some more, of course. By buffering and bundling transactions particular depth within the chain. On Ethereum, this together, the break-in authorisation costs can easily be depth varies from 1 block for the least valuable transac- shared, reducing the cost per transaction substantially; tions with no known network issues to 1200 blocks as was if 20 transactions were required before forwarding, then the case during the initial Frontier release for exchanges. the cost for forwarding a basic transaction would fall to On the stable “Homestead” network, this figure sits at around ✩0.01. 120 blocks for most exchanges, and we would likely take One interesting, and cheaper, alternative to this multi- a similar parameter. signature contract model would be to use threshold sig- So we can imagine our Polkadot-side Ethereum- natures in order to achieve the multi-lateral ownership se- interface to have some simple functions: to be able to mantics. 
While threshold signature schemes for ECDSA accept a new header from the Ethereum network and val- are computationally expensive, those for other schemes idate the PoW, to be able to accept some proof that a such as Schnorr signatures are very reasonable. Ethereum particular log was emitted by the Ethereum-side break- plans to introduce primitives which would make such out contract for a header of sufficient depth (and forward schemes cheap to use in the upcoming Metropolis hard- the corresponding message within Polkadot) and finally fork. If such a means were able to be utilised, the gas costs to be able to accept proofs that a previously accepted but for forwarding a Polkadot transaction into the Ethereum not-yet-enacted header contains an invalid receipt root. network would be dramatically reduced to a near zero To actually get the Ethereum header data itself (and overhead over and above the basic costs for validating the any SPV proofs or validity/canonicality refutations) into signature and executing the underlying transaction. the Polkadot network, an incentivisation for forwarding 6SPV refers to Simplified Payment Verification in Bitcoin and describes a method for clients to verify transactions while keeping only a copy of all blocks headers of the longest PoW chain.

POLKADOT: VISION FOR A HETEROGENEOUS MULTI-CHAIN FRAMEWORK DRAFT 1 9 data is needed. This could be as simple as a payment between the two networks, though nonetheless a substan- (funded from fees collected on the Ethereum side) paid tial effort with an uncertain timeline and quite possibly to anyone able to forward a useful block whose header is requiring the cooperation of the stakeholders within that valid. Validators would be called upon to retain informa- network. tion relating to the last few thousand blocks in order to be able to manage forks, either through some protocol- intrinsic means or through a contract maintained on the 6. Protocol in Depth relay chain. The protocol can be roughly broken down into three parts: the consensus mechanism, the parachain interface 5.6. Polkadot and Bitcoin. Bitcoin interoperation and interchain transaction routing. presents an interesting challenge for Polkadot: a so-called “two-way peg” would be a useful piece of infrastructure 6.1. Relay-chain Operation. The relay-chain will to have on the side of both networks. However, due to likely be a chain broadly similar to Ethereum in that it the limitations of Bitcoin, providing such a peg securely is is state-based with the state mapping address to account a non-trivial undertaking. Delivering a transaction from information, mainly balances and (to prevent replays) a Bitcoin to Polkadot can in principle be done with a pro- transaction counter. Placing accounts here fulfils one pur- cess similar to that for Ethereum; a “break-out address” pose: to provide accounting for which identity possesses controlled in some way by the Polkadot validators could what amount of stake in the system.7 There will be no- receive transferred tokens (and data sent alongside them). 
table differences, though: SPV proofs could be provided by incentivised oracles and, together with a confirmation period, a bounty given for • Contracts cannot be deployed through transac- identifying non-canonical blocks implying the transaction tions; following from the desire to avoid applica- has been “double-spent”. Any tokens then owned in the tion functionality on the relay-chain, it will not “break-out address” would then, in principle, be con- support public deployment of contracts. trolled by those same validators for later dispersal. • Compute resource usage (“gas”) is not accounted; The problem however is how the deposits can be se- since the only functions available for public usage curely controlled from a rotating validator set. Unlike will be fixed, the rationale behind gas accounting Ethereum which is able to make arbitrary decisions based no longer holds. As such, a flat fee will apply in upon combinations of signatures, Bitcoin is substantially all cases, allowing for more performance from any more limited, with most clients accepting only multi- dynamic code execution that may need to be done signature transactions with a maximum of 3 parties. Ex- and a simpler transaction format. tending this to 36, or indeed thousands as might ulti- • Special functionality is supported for listed con- mately be desired, is impossible under the current proto- tracts that allows for auto-execution and network- col. One option is to alter the Bitcoin protocol to enable message outputs. such functionality, however so-called “hard forks” in the In the event that the relay-chain has a VM and it be Bitcoin world are difficult to arrange judging by recent at- based around the EVM, it would have a number of mod- tempts. One possibility is the use of threshold signatures, ifications to ensure maximal simplicity. 
It would likely cryptographic schemes to allow a singly identifiable public have a number of built-in contracts (similar to those at key to be effectively controlled by multiple secret “parts”, addresses 1-4 in Ethereum) to allow for platform-specific some or all of which must be utilised to create a valid sig- duties to be managed including a consensus contract, a nature. Unfortunately, threshold signatures compatible validator contract and a parachain contract. with Bitcoin’s ECDSA are computationally expensive to If not the EVM, then a WebAssembly [2] (wasm) back- create and of polynomial complexity. Other schemes such end is the most likely alternative; in this case the overall a Schnorr signatures provide far lower costs, however the structure would be similar, but there would be no need timeline on which they may be introduced into the Bitcoin for the built-in contracts with Wasm being a viable target protocol is uncertain. for general purpose languages rather than the immature Since the ultimate security of the deposits rests with and limited languages for the EVM. a number of bonded validators, one other option is to Other likely deviations from the present Ethereum pro- reduce the multi-signature key-holders to only a heavily tocol are quite possible, for example a simplification of the bonded subset of the total validators such that threshold transaction-receipt format allowing for the parallel execu- signatures become feasible (or, at worst, Bitcoin’s native tion of non-conflicting transactions within the same block, multi-signature is possible). This of course reduces the as proposed for the Serenity series of changes. 
total amount of bonds that could be deducted in repara- It is possible, though unlikely, that a Serenity-like tions should the validators behave illegally, however this “pure” chain be deployed as the relay-chain, allowing for a is a graceful degradation, simply setting an upper limit of particular contract to manage things like the staking token the amount of funds that can securely run between the balances rather than making that a fundamental part of two networks (or indeed, on the % losses should an attack the chain’s protocol. At present, we feel it is unlikely this from the validators succeed). will offer a sufficiently great protocol simplification to be As such we believe it not unrealistic to place a reason- worth the additional complexity and uncertainty involved ably secure Bitcoin interoperability “virtual parachain” in developing it. 7As a means of representing the amount a given holder is responsible for the overall security of the system, these stake accounts will inevitably encode some economic value. However, it should be understood that since there is no intention that such values be used in any way for the purpose of exchanging for real-world goods and services, it should be accordingly noted that the tokens not be likened to currency and as such the relay-chain retain its nihilistic philosophy regarding applications.
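The first two functions listed in section 5.5.2 for the Polkadot-side Ethereum interface (accepting PoW-validated headers, and accepting a log proof only for a canonical header of sufficient depth), as an added Python sketch that is not from the paper. SHA-256, a binary Merkle tree, a one-byte difficulty target and longest-chain fork choice are simplifying stand-ins for Keccak-256, Ethereum's receipt trie, Ethash and total difficulty; every name and the sample logs are constructed, and the receipt-root refutation path (which needs block re-execution) is not modelled.

```python
import hashlib
from dataclasses import dataclass

CONFIRMATIONS = 120    # depth taken from section 5.5.2
POW_TARGET = 1 << 248  # toy difficulty (assumption): header hash must start with a zero byte

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def merkle(leaves, index):
    """Return (root, inclusion proof for leaves[index]) of a binary Merkle tree."""
    level = [h(b"\x00", leaf) for leaf in leaves]            # leaf hashes are domain-separated
    proof = []
    while len(level) > 1:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling], sibling < index))  # (hash, sibling is on the left)
        nxt = [h(b"\x01", level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        nxt += level[len(nxt) * 2:]                          # an unpaired last node is carried up
        level, index = nxt, index // 2
    return level[0], proof

def verify_proof(leaf, proof, root):
    node = h(b"\x00", leaf)
    for sibling, sibling_is_left in proof:
        node = h(b"\x01", sibling, node) if sibling_is_left else h(b"\x01", node, sibling)
    return node == root

@dataclass(frozen=True)
class Header:
    number: int
    parent: bytes
    receipts_root: bytes
    nonce: int
    def digest(self):
        fields = (self.number.to_bytes(8, "big"), self.parent, self.receipts_root)
        return h(*fields, self.nonce.to_bytes(8, "big"))

def pow_ok(hdr):
    return int.from_bytes(hdr.digest(), "big") < POW_TARGET

def mine(number, parent, receipts_root):
    nonce = 0
    while not pow_ok(Header(number, parent, receipts_root, nonce)):
        nonce += 1
    return Header(number, parent, receipts_root, nonce)

class EthereumInterface:  # Polkadot-side record of Ethereum headers and forwarded logs
    def __init__(self, genesis):
        self.headers = {genesis.digest(): genesis}
        self.best = genesis          # tip of the longest chain seen so far
        self.forwarded = set()       # (header hash, log) pairs already enacted

    def accept_header(self, hdr):
        parent = self.headers.get(hdr.parent)
        if parent is None or hdr.number != parent.number + 1 or not pow_ok(hdr):
            return False             # unknown parent, wrong height, or invalid proof-of-work
        self.headers[hdr.digest()] = hdr
        self.best = max(self.best, hdr, key=lambda x: x.number)  # ties keep the current tip
        return True

    def is_canonical(self, hdr):
        cur = self.best              # walk back from the tip to hdr's height
        while cur.number > hdr.number:
            cur = self.headers[cur.parent]
        return cur == hdr

    def accept_log(self, hdr_hash, log, proof):
        hdr = self.headers.get(hdr_hash)
        if hdr is None or not self.is_canonical(hdr):
            return False             # unknown header, or header on a losing fork
        if self.best.number - hdr.number < CONFIRMATIONS:
            return False             # not yet buried deeply enough
        if (hdr_hash, log) in self.forwarded or not verify_proof(log, proof, hdr.receipts_root):
            return False             # replay, or log not committed to by this header
        self.forwarded.add((hdr_hash, log))
        return True

def demo():
    """Constructed scenario: block 1 carries two logs, a rival block 1 carries a forged one."""
    logs = [b"para=7;seq=0;msg=hello", b"para=7;seq=1;msg=world"]
    forged = [b"para=7;seq=2;msg=forged"]
    (root, proof), (bad_root, bad_proof) = merkle(logs, 1), merkle(forged, 0)
    genesis = Header(0, bytes(32), bytes(32), 0)
    bridge = EthereumInterface(genesis)
    block1 = tip = mine(1, genesis.digest(), root)
    rival1 = mine(1, genesis.digest(), bad_root)
    for hdr in (block1, rival1):
        bridge.accept_header(hdr)
    for n in range(2, CONFIRMATIONS + 1):          # extend block1's chain to height 120
        tip = mine(n, tip.digest(), bytes(32))
        bridge.accept_header(tip)
    out = {"too_shallow": bridge.accept_log(block1.digest(), logs[1], proof)}  # depth 119
    bridge.accept_header(mine(CONFIRMATIONS + 1, tip.digest(), bytes(32)))     # depth 120
    out["fork"] = bridge.accept_log(rival1.digest(), forged[0], bad_proof)
    out["accepted"] = bridge.accept_log(block1.digest(), logs[1], proof)
    out["replayed"] = bridge.accept_log(block1.digest(), logs[1], proof)
    return out
```

The forged log is rejected even though its Merkle proof is valid, because its header never becomes an ancestor of the tip.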

There are a number of small pieces of functionality required for administrating the consensus mechanism, validator set, validation mechanism and parachains. These could be implemented together under a monolithic protocol. However, for reasons of auguring modularity, we describe these as “contracts” of the relay-chain. This should be taken to mean that they are objects (in the sense of object-orientated programming) managed by the relay-chain’s consensus mechanism, but not necessarily that they are defined as programs in EVM-like opcodes, nor even that they be individually addressable through the account-system.

6.2. Staking Contract. This contract maintains the validator set. It manages:

• which accounts are currently validators;
• which are available to become validators at short notice;
• which accounts have placed stake nominating to a validator;
• properties of each including staking volume, acceptable payout-rates and addresses and short-term (session) identities.

It allows an account to register a desire to become a bonded validator (along with its requirements), to nominate to some identity, and for preexisting bonded validators to register their desire to exit this status. It also includes the machinery itself for the validation and canonicalisation mechanism.

6.2.1. Stake-token Liquidity. It is generally desirable to have as much of the total staking tokens as possible to be staked within the network maintenance operations since this directly ties the network security to the overall “market capitalisation” of the staking token. This can easily be incentivised through inflating the currency and handing out the proceeds to those who participate as validators. However, to do so presents a problem: if the token is locked in the Staking Contract under punishment of reduction, how can a substantial portion remain sufficiently liquid in order to allow price discovery?

One answer to this is allowing a straight-forward derivative contract, securing fungible tokens on an underlying staked token. This is difficult to arrange in a trust-free manner. Furthermore, these derivative tokens cannot be treated equally for the same reason that different Eurozone governments’ bonds are not fungible: there is a chance of the underlying asset failing and becoming worthless. With Eurozone governments, there could be a default. With validator-staked tokens, the validator may act maliciously and be punished.

Keeping with our tenets, we elect for the simplest solution: not all tokens be staked. This would mean that some proportion (perhaps 20%) of tokens will forcibly remain liquid. Though this is imperfect from a security perspective, it is unlikely to make a fundamental difference in the security of the network; 80% of the reparations possible from bond-confiscations would still be able to be made compared to the “perfect case” of 100% staking.

The ratio between staked and liquid tokens can be targeted fairly simply through a reverse auction mechanism. Essentially, token holders interested in being a validator would each post an offer to the staking contract stating the minimum payout-rate that they would require to take part. At the beginning of each session (sessions would happen regularly, perhaps as often as once per hour) the validator slots would be filled according to each would-be validator’s stake and payout rate. One possible algorithm for this would be to take those with the lowest offers who represent a stake no higher than the total stake targeted divided by the number of slots and no lower than a lower-bound of half that amount. If the slots cannot be filled, the lower bound could be repeatedly reduced by some factor in order to satisfy.

6.2.2. Nominating. It is possible to trustlessly nominate one’s staking tokens to an active validator, giving them the responsibility of validators’ duties. Nominating works through an approval-voting system. Each would-be nominator is able to post an instruction to the staking contract expressing one or more validator identities under whose responsibility they are prepared to entrust their bond.

Each session, nominators’ bonds are dispersed to be represented by one or more validators. The dispersal algorithm optimises for a set of validators of equivalent total bonds. Nominators’ bonds become under the effective responsibility of the validator and gain interest or suffer a punishment-reduction accordingly.

6.2.3. Bond Confiscation/Burning. Certain validator behaviour results in a punitive reduction of their bond. If the bond is reduced below the allowable minimum, the session is prematurely ended and another started. A non-exhaustive list of punishable validator misbehaviour includes:

• Being part of a parachain group unable to provide consensus over the validity of a parachain block;
• actively signing for the validity of an invalid parachain block;
• inability to supply egress payloads previously voted as available;
• inactivity during the consensus process;
• validating relay-chain blocks on competing forks.

Some cases of misbehaviour threaten the network’s integrity (such as signing invalid parachain blocks and validating multiple sides of a fork) and as such result in effective exile through the total reduction of the bond. In other, less serious cases (e.g. inactivity in the consensus process) or cases where blame cannot be precisely allotted (being part of an ineffective group), a small portion of the bond may instead be fined. In the latter case, this works well with sub-group churn to ensure that malicious nodes suffer substantially more loss than the collaterally-damaged benevolent nodes.

In some cases (e.g. multi-fork validation and invalid sub-block signing) validators cannot themselves easily detect each other’s misbehaviour since constant verification of each parachain block would be too arduous a task. Here it is necessary to enlist the support of parties external to the validation process to verify and report such misbehaviour. The parties get a reward for reporting such activity; their term, “fishermen” stems from the unlikeliness of such a reward.

Since these cases are typically very serious, we envision that any rewards can easily be paid from the confiscated bond. In general we prefer to balance burning (i.e. reduction to nothing) with reallocation, rather than attempting wholesale reallocation. This has the effect of increasing the overall value of the token, compensating the network in general to some degree rather than the specific party involved in discovery. This is mainly as a safety mechanism: the large amounts involved could lead to extreme and acute behaviour incentivisation were they all bestowed on a single target.

In general, it is important that the reward is sufficiently large to make verification worthwhile for the network, yet not so large as to offset the costs of fronting a well-financed, well-orchestrated “industrial-level” criminal hacking attack on some unlucky validator to force misbehaviour.

In this way, the amount claimed should generally be no greater than the direct bond of the errant validator, lest a perverse incentive arise of misbehaving and reporting oneself for the bounty. This can be combated either explicitly through a minimum direct bond requirement for being a validator or implicitly by educating nominators that validators with little bonds deposited have no great incentive to behave well.

6.3. Parachain Registry. Each parachain is defined in this registry. It is a relatively simple database-like construct and holds both static and dynamic information on each chain.

Static information includes the chain index (a simple integer), along with the validation protocol identity, a means of distinguishing between the different classes of parachain so that the correct validation algorithm can be run by validators consigned to putting forward a valid candidate. An initial proof-of-concept would focus on placing the new validation algorithms into clients themselves, effectively requiring a hard fork of the protocol each time an additional class of chain were added. Ultimately, though, it may be possible to specify the validation algorithm in a way both rigorous and efficient enough that clients are able to effectively work with new parachains without a hard-fork. One possible avenue to this would be to specify the parachain validation algorithm in a well-established, natively-compiled, platform-neutral language such as WebAssembly. Additional research is necessary to determine whether this is truly feasible, however if so, it could bring with it the tremendous advantage of banishing hard-forks for good.

Dynamic information includes aspects of the transaction routing system that must have global agreement such as the parachain’s ingress queue (described in section 6.6).

The registry is able to have parachains added only through full referendum voting; this could be managed internally but would more likely be placed in an external referendum contract in order to facilitate re-usage under more general governance components. The parameters to voting requirements (e.g. any quorum required, majority required) for registration of additional chains and other, less formal system upgrades will be set out in a “master constitution” but are likely to follow a fairly traditional path, at least initially. The precise formulation is out of scope for the present work, but e.g. a two thirds super-majority to pass with more than one third of total system stake voting positively may be a sensible starting point.

Additional operations include the suspension and removal of parachains. Suspension would hopefully never happen, however it is designed to be a safeguard lest there be some intractable problem in a parachain’s validation system. The most obvious instance where it might be needed is a consensus-critical difference between implementations leading validators to be unable to agree on validity of blocks. Validators would be encouraged to use multiple client implementations in order that they are able to spot such a problem prior to bond confiscation.

Since suspension is an emergency measure, it would be under the auspices of the dynamic validator-voting rather than a referendum. Re-instating would be possible both from the validators or a referendum.

The removal of parachains altogether would come only after a referendum and with which would be required a substantial grace period to allow an orderly transition to either a standalone chain or to become part of some other consensus-system. The grace period would likely be of the order of months and is likely to be set out on a per-chain basis in the parachain registry in order that different parachains can enjoy different grace periods according to their need.

6.4. Sealing Relay Blocks. Sealing refers, in essence, to the process of canonicalisation; that is, a basic data transform which maps the original into something fundamentally singular and meaningful. Under a PoW chain, sealing is effectively a synonym for mining. In our case, it involves the collection of signed statements from validators over the validity, availability and canonicality of a particular relay-chain block and the parachain blocks that it represents.

The mechanics of the underlying BFT consensus algorithm are out of scope for the present work. We will instead describe it using a primitive which assumes a consensus-creating state-machine. Ultimately we expect to be inspired by a number of promising BFT consensus algorithms in the core; Tangaroa [9] (a BFT variant of Raft [16]), Tendermint [11] and HoneyBadgerBFT [14]. The algorithm will have to reach an agreement on multiple parachains in parallel, thus differing from the usual blockchain consensus mechanisms. We assume that once consensus is reached, we are able to record the consensus in an irrefutable proof which can be provided by any of the participants to it. We also assume that misbehaviour within the protocol can be generally reduced to a small group containing misbehaving participants to minimise the collateral damage when dealing out punishment.⁸

⁸ Existing PoS-based BFT consensus schemes such as Tendermint BFT and the original Slasher fulfill these assertions.

The proof, which takes the form of our signed statements, is placed in the relay-chain block’s header together with certain other fields not least the relay-chain’s state-trie root and transaction-trie root.

The sealing process takes place under a single consensus-generating mechanism addressing both the relay-chain’s block and the parachains’ blocks which make up part of the relay’s content: parachains are not separately “committed” by their sub-groups and then collated later. This results in a more complex process for the relay-chain, but allows us to complete the entire system’s consensus in a single stage, minimising latency and allowing for quite complex data-availability requirements which are helpful for the routing process below.

The state of each participant’s consensus machine may be modelled as a simple (2-dimensional) table. Each participant (validator) has a set of information, in the form of signed-statements (“votes”) from other participants, regarding each parachain block candidate as well as the relay-chain block candidate. The set of information is two pieces of data:

Availability: does this validator have egress transaction-post information from this block so they are able to properly validate parachain candidates on the following block? They may vote either 1 (known) or 0 (not yet known). Once they vote 1, they are committed to voting similarly for the rest of this process. Later votes that do not respect this are grounds for punishment.

Validity: is the parachain block valid and is all externally-referenced data (e.g. transactions) available? This is only relevant for validators assigned to the parachain on which they are voting. They may vote either 1 (valid), -1 (invalid) or 0 (not yet known). Once they vote non-zero, they are committed to voting this way for the rest of the process. Later votes that do not respect this are grounds for punishment.

All validators must submit votes; votes may be resubmitted, qualified by the rules above. The progression of consensus may be modelled as multiple standard BFT consensus algorithms over each parachain happening in parallel. Since these are potentially thwarted by a relatively small minority of malicious actors being concentrated in a single parachain group, the overall consensus exists to establish a backstop, limiting the worst-case scenario from deadlock to merely one or more void parachain blocks (and a round of punishment for those responsible).

The basic rules for validity of the individual blocks (that allow the total set of validators as a whole to come to consensus on it becoming the unique parachain candidate to be referenced from the canonical relay):

• must have at least two thirds of its validators voting positively and none voting negatively;
• must have over one third validators voting positively to the availability of egress queue information.

If there is at least one positive and at least one negative vote on validity, an exceptional condition is created and the whole set of validators must vote to determine if there are malicious parties or if there is an accidental fork. Aside from valid and invalid, a third kind of votes are allowed, equivalent to voting for both, meaning that the node has conflicting opinions. This could be due to the node’s owner running multiple implementations which do not agree, indicating a possible ambiguity in the protocol.

After all votes are counted from the full validator set, if the losing opinion has at least some small proportion (to be parameterised; at most half, perhaps significantly less) of the votes of the winning opinion, then it is assumed to be an accidental parachain fork and the parachain is automatically suspended from the consensus process. Otherwise, we assume it is a malicious act and punish the minority who were voting for the dissenting opinion.

The conclusion is a set of signatures demonstrating canonicality. The relay-chain block may then be sealed and the process of sealing the next block begun.

6.5. Improvements for Sealing Relay Blocks. While this sealing method gives strong guarantees over the system’s operation, it does not scale out particularly well since every parachain’s key information must have its availability guaranteed by over one-third of all validators. This means that every validator’s responsibility footprint grows as more chains are added.

While data availability within open consensus networks is essentially an unsolved problem, there are ways of mitigating the overhead placed on validator nodes. One simple solution is to realise that while validators must shoulder the responsibility for data availability, they need not actually store, communicate or replicate the data themselves. Secondary data silos, possibly related to (or even the very same) collators who compile this data, may manage the task of guaranteeing availability with the validators providing a portion of their interest/income in payment.

However, while this might buy some intermediate scalability, it still doesn’t help the underlying problem; since adding more chains will in general require additional validators, the ongoing network resource consumption (particularly in terms of bandwidth) grows with the square of the chains, an untenable property in the long-term.

Ultimately, we are likely to keep bashing our heads against the fundamental limitation which states that for a consensus network to be considered available safe, the ongoing bandwidth requirements are of the order of total validators times total input information. This is due to the inability of an untrusted network to properly distribute the task of data storage across many nodes, which sits apart from the eminently distributable task of processing.

6.5.1. Introducing Latency. One means of softening this rule is to relax the notion of immediacy. By requiring 33%+1 validators voting for availability only eventually, and not immediately, we can better utilise exponential data propagation and help even out peaks in data-interchange. A reasonable equality (though unproven) may be:

(1) latency = participants × chains

Under the current model, the size of the system scales with the number of chains to ensure that processing is distributed; since each chain will require at least one validator and we fix the availability attestation to a constant proportion of validators, then participants similarly grows with the number of chains. We end up with:

(2) latency = size²

Meaning that as the system grows, the bandwidth required and latency until availability is known across the network, which might also be characterised as the number of blocks before finality, increases with its square. This is a substantial growth factor and may turn out to be a notable road blocker and force us into “non-flat” paradigms such as composing several “Polkadotes” into a hierarchy for multi-level routing of posts through a tree of relay-chains.
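
The vote-commitment rule, the two acceptance thresholds and the fork-versus-malice decision from section 6.4, written out as an added example (not code from the paper or from any Polkadot implementation). The function names, the ballot labels and the `FORK_RATIO` value are assumptions; the paper leaves that proportion "to be parameterised; at most half".

```python
from dataclasses import dataclass
from fractions import Fraction

# Assumed value: the paper only bounds this proportion at "at most half".
FORK_RATIO = Fraction(1, 4)


@dataclass(frozen=True)
class Tally:
    group_size: int        # validators assigned to this parachain
    total_validators: int  # size of the full validator set
    valid: int             # validity votes of 1 from the group
    invalid: int           # validity votes of -1 from the group
    available: int         # availability votes of 1 from the full set


def breaks_commitment(votes):
    """True if a validator cast a different vote after first voting non-zero.

    Works for validity votes (1, -1, 0) and availability votes (1, 0) alike.
    """
    committed = 0
    for vote in votes:
        if committed and vote != committed:
            return True
        if vote:
            committed = vote
    return False


def candidate_status(t):
    """Apply the two acceptance rules; mixed validity votes are exceptional."""
    if t.valid >= 1 and t.invalid >= 1:
        return "exceptional"
    # At least two thirds of the group positive, none negative.
    group_ok = 3 * t.valid >= 2 * t.group_size and t.invalid == 0
    # Strictly more than one third of all validators attest availability.
    availability_ok = 3 * t.available > t.total_validators
    return "accepted" if group_ok and availability_ok else "pending"


def resolve_exception(ballots, fork_ratio=FORK_RATIO):
    """Decide the full-set vote that follows an exceptional condition.

    ballots holds "valid", "invalid" or "both"; a "both" ballot (conflicting
    implementations on one node) counts towards each opinion.
    """
    if not ballots:
        raise ValueError("no ballots cast")
    valid = sum(b in ("valid", "both") for b in ballots)
    invalid = sum(b in ("invalid", "both") for b in ballots)
    winning, losing = max(valid, invalid), min(valid, invalid)
    if losing >= fork_ratio * winning:
        return "suspend_parachain"   # treated as an accidental fork
    return "punish_minority"         # treated as malicious dissent
```

Note the asymmetry in the thresholds: two thirds of the group is inclusive, while one third of the full set for availability is strict, so 30 of 90 availability votes is not enough.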

6.5.2. Public Participation. One more possible direction is to enlist public participation in the process through a micro-complaints system. Similar to the fishermen, there could be external parties to police the validators who claim availability. Their task is to find one who appears unable to demonstrate such availability. In doing so they can lodge a micro-complaint to other validators. PoW or a staked bond may be used to mitigate the sybil attack which would render the system largely useless.

6.5.3. Availability Guarantors. A final route would be to nominate a second set of bonded validators as “availability guarantors”. These would be bonded just as with the normal validators, and may even be taken from the same set (though if so, they would be chosen over a long-term period, at least per session). Unlike normal validators, they would not switch between parachains but rather would form a single group to attest to the availability of all important interchain data.

This has the advantage of relaxing the equivalence between participants and chains. Essentially, chains can grow (along with the original chain validator set), whereas the participants, and specifically those taking part in data-availability testament, can remain at the least sub-linear and quite possibly constant.

6.5.4. Collator Preferences. One important aspect of this system is to ensure that there is a healthy selection of collators creating the blocks in any given parachain. If a single collator dominated a parachain then some attacks become more feasible since the likelihood of the lack of availability of external data would be less obvious.

One option is to artificially weight parachain blocks in a pseudo-random mechanism in order to favour a wide variety of collators. In the first instance, we would require as part of the consensus mechanism that validators favour parachain block candidates determined to be “heavier”. Similarly, we must incentivise validators to attempt to suggest the weightiest block they can find—this could be done through making a portion of their reward proportional to the weight of their candidate.

To ensure that collators are given a reasonable fair chance of their candidate being chosen as the winning candidate in consensus, we make the specific weight of a parachain block candidate determinate on a random function connected with each collator. For example, taking the XOR distance measure between the collator’s address and some cryptographically-secure pseudorandom number determined close to the point of the block being created (a notional “winning ticket”). This effectively gives each collator (or, more specifically, each collator’s address) a random chance of their candidate block “winning” over all others.

To mitigate the sybil attack of a single collator “mining” an address close to the winning ticket and thus being a favourite each block, we would add some inertia to a collator’s address. This may be as simple as requiring them to have a baseline amount of funds in the address. A more elegant approach would be to weight the proximity to the winning ticket with the amount of funds parked at the address in question. While modelling has yet to be done, it is quite possible that this mechanism enables even very small stakeholders to contribute as a collator.

6.5.5. Overweight Blocks. If a validator set is compromised, they may create and propose a block which though valid, takes an inordinate amount of time to execute and validate. This is a problem since a validator group could reasonably form a block which takes a very long time to execute unless some particular piece of information is already known allowing a short cut, e.g. factoring a large prime. If a single collator knew that information, then they would have a clear advantage in getting their own candidates accepted as long as the others were busy processing the old block. We call these blocks overweight.

Protection against validators submitting and validating these blocks largely falls under the same guise as for invalid blocks, though with an additional caveat: Since the time taken to execute a block (and thus its status as overweight) is subjective, the final outcome of a vote on misbehaviour will fall into essentially three camps. One possibility is that the block is definitely not overweight—in this case more than two-thirds declare that they could execute the block within some limit (e.g. 50% of the total time allowed between blocks). Another is that the block is definitely overweight—this would be if more than two-thirds declare that they could not execute the block within said limit. One final possibility is a fairly equal split of opinion between validators. In this case, we may choose to do some proportionate punishment.

To ensure validators can predict when they may be proposing an overweight block, it may be sensible to require them to publish information on their own performance for each block. Over a sufficient period of time, this should allow them to profile their processing speed relative to the peers that would be judging them.

6.5.6. Collator Insurance. One issue remains for validators: unlike with PoW networks, to check a collator’s block for validity, they must actually execute the transactions in it. Malicious collators can feed invalid or overweight blocks to validators causing them grief (wasting their resources) and exacting a potentially substantial opportunity cost.

To mitigate this, we propose a simple strategy on the part of validators. Firstly, parachain block candidates sent to validators must be signed from a relay chain account with funds; if they are not, then the validator should drop it immediately. Secondly, such candidates should be ordered in priority by a combination (e.g. multiplication) of the amount of funds in the account up to some cap, the number of previous blocks that the collator has successfully proposed in the past (not to mention any previous punishments), and the proximity factor to the winning ticket as discussed previously. The cap should be the same as the punitive damages paid to the validator in the case of them sending an invalid block.

To disincentivise collators from sending invalid or overweight block candidates to validators, any validator may place in the next block a transaction including the offending block alleging misbehaviour with the effect of transferring some or all of the funds in the misbehaving collator’s account to the aggrieved validator. This type of transaction front-runs any others to ensure the collator cannot remove the funds prior to the punishment. The amount of funds transferred as damages is a dynamic parameter yet

to be modelled but will likely be a proportion of the validator block reward to reflect the level of grief caused. To prevent malicious validators arbitrarily confiscating collators’ funds, the collator may appeal the validator’s decision with a jury of randomly chosen validators in return for placing a small deposit. If they find in the validator’s favour, the deposit is consumed by them. If not, the deposit is returned and the validator is fined (since the validator is in a much more vaulted position, the fine will likely be rather hefty).

6.6. Interchain Transaction Routing. Interchain transaction routing is one of the essential maintenance tasks of the relay-chain and its validators. This is the logic which governs how a posted transaction (often shortened to simply “post”) gets from being a desired output from one source parachain to being a non-negotiable input of another destination parachain without any trust requirements.

We choose the wording above carefully; notably we don’t require there to have been a transaction in the source parachain to have explicitly sanctioned this post. The only constraints we place upon our model is that parachains must provide, packaged as a part of their overall block processing output, the posts which are the result of the block’s execution.

These posts are structured as several FIFO queues; the number of lists is known as the routing base and may be around 16. Notably, this number represents the quantity of parachains we can support without having to resort to multi-phase routing. Initially, Polkadot will support this kind of direct routing, however we will outline one possible multi-phase routing process (“hyper-routing”) as a means of scaling out well past the initial set of parachains.

We assume that all participants know the sub-groupings for next two blocks n, n + 1. In summary, the routing system follows these stages:

• Collator_S: Contact members of Validators[n][S]
• Collator_S: FOR EACH subgroup s: ensure at least 1 member of Validators[n][s] in contact
• Collator_S: FOR EACH subgroup s: assume egress[n − 1][s][S] is available (all incoming post data to 'S' from last block)
• Collator_S: Compose block candidate b for S: (b.header, b.ext, b.proof, b.receipt, b.egress)
• Collator_S: Send proof information proof[S] = (b.header, b.ext, b.proof, b.receipt) to Validators[n][S]
• Collator_S: Ensure external transaction data b.ext is made available to other collators and validators
• Collator_S: FOR EACH subgroup s: Send egress information egress[n][S][s] = (b.header, b.receipt, b.egress[s]) to the receiving sub-group’s members of next block Validators[n + 1][s]
• Validator_V: Pre-connect all same-set members for next block: let N = Chain[n + 1][V]; connect all validators v such that Chain[n + 1][v] = N
• Validator_V: Collate all data ingress for this block: FOR EACH subgroup s: Retrieve egress[n − 1][s][Chain[n][V]], get from other validators v such that Chain[n][v] = Chain[n][V]. Possibly going via randomly selected other validators for proof of attempt.
• Validator_V: Accept candidate proofs for this block proof[Chain[n][V]]. Vote block validity
• Validator_V: Accept candidate egress data for next block: FOR EACH subgroup s, accept egress[n][s][N]. Vote block egress availability; republish among interested validators v such that Chain[n + 1][v] = Chain[n + 1][V].
• Validator_V: UNTIL CONSENSUS

Where: egress[n][from][to] is the current egress queue information for posts going from parachain 'from', to parachain 'to' in block number 'n'. Collator_S is a collator for parachain S. Validators[n][s] is the set of validators for parachain s at block number n. Conversely, Chain[n][v] is the parachain to which validator v is assigned on block number n. block.egress[to] is the egress queue of posts from some parachain block block whose destination parachain is to.

Since collators collect (transaction) fees based upon their blocks becoming canonical they are incentivised to ensure that for each next-block destination, the subgroup’s members are informed of the egress queue from the present block. Validators are incentivised only to form a consensus on a (parachain) block, as such they care little about which collator’s block ultimately becomes canonical. In principle, a validator could form an allegiance with a collator and conspire to reduce the chances of other collators’ blocks becoming canonical, however this is both difficult to arrange due to the random selection of validators for parachains and could be defended against with a reduction in fees payable for parachain blocks which hold up the consensus process.

6.6.1. External Data Availability. Ensuring a parachain’s external data is actually available is a perennial issue with decentralised systems aiming to distribute workload across the network. At the heart of the issue is the availability problem which states that since it is neither possible to make a non-interactive proof of availability nor any sort of proof of non-availability, for a BFT system to properly validate any transition whose correctness relies upon the availability of some external data, the maximum number of acceptably Byzantine nodes, plus one, of the system must attest to the data being available.

For a system to scale out properly, like Polkadot, this invites a problem: if a constant proportion of validators must attest to the availability of the data, and assuming that validators will want to actually store the data before asserting it is available, then how do we avoid the problem of the bandwidth/storage requirements increasing with the system size (and therefore number of validators)? One possible answer would be to have a separate set of validators (availability guarantors), whose order grows sublinearly with the size of Polkadot as a whole. This is described in 6.5.3.

We also have a secondary trick. As a group, collators have an intrinsic incentive to ensure that all data is available for their chosen parachain since without it they are unable to author further blocks from which they can collect transaction fees. Collators also form a group, membership of which is varied (due to the random nature of parachain validator groups) non-trivial to enter and easy

to prove. Recent collators (perhaps of the last few thousand blocks) are therefore allowed to issue challenges to the availability of external data for a particular parachain block to validators for a small bond.

Validators must contact those from the apparently offending validator sub-group who testified and either acquire and return the data to the collator or escalate the matter by testifying to the lack of availability (direct refusal to provide the data counts as a bond-confiscating offence, therefore the misbehaving validator will likely just drop the connection) and contacting additional validators to run the same test. In the latter case, the collator’s bond is returned.

Once a quorum of validators who can make such non-availability testimonials is reached, they are released, the misbehaving sub-group is punished, and the block reverted.

6.6.2. Posts Routing. Each parachain header includes an egress-trie-root; this is the root of a trie containing the routing-base bins, each bin being a concatenated list of egress posts. Merkle proofs may be provided across parachain validators to prove that a particular parachain’s block had a particular egress queue for a particular destination parachain.

At the beginning of processing a parachain block, each other parachain’s egress queue bound for said block is merged into our block’s ingress queue. We assume strong, probably CSPR⁹, sub-block ordering to achieve a deterministic operation that offers no favouritism between any parachain block pairing. Collators calculate the new queue and drain the egress queues according to the parachain’s logic.

The contents of the ingress queue is written explicitly into the parachain block. This has two main purposes: firstly, it means that the parachain can be trustlessly synchronised in isolation from the other parachains. Secondly, it simplifies the data logistics should the entire ingress queue not be able to be processed in a single block; validators and collators are able to process following blocks without having to source the queue’s data specially.

If the parachain’s ingress queue is above a threshold amount at the end of block processing, then it is marked saturated on the relay-chain and no further messages may be delivered to it until it is cleared. Merkle proofs are used to demonstrate fidelity of the collator’s operation in the parachain block’s proof.

6.6.3. Critique. One minor flaw relating to this basic mechanism is the post-bomb attack. This is where all parachains send the maximum amount of posts possible to a particular parachain. While this ties up the target’s ingress queue at once, no damage is done over and above a standard transaction DoS attack.

Operating normally, with a set of well-synchronised and non-malicious collators and validators, for N parachains, N × M total validators and L collators per parachain, we can break down the total data pathways per block to:

Validator: M − 1 + L + L: M − 1 for the other validators in the parachain set, L for each collator providing a candidate parachain block and a second L for each collator of the next block requiring the egress payloads of the previous block. (The latter is actually more like worst-case operation since it is likely that collators will share such data.)

Collator: M + kN: M for a connection to each relevant parachain block validator, kN for seeding the egress payloads to some subset of each parachain validator group for the next block (and possibly some favoured collator(s)).

As such, the data pathways per node grow linearly with the overall complexity of the system. While this is reasonable, as the system scales into hundreds or thousands of parachains, some communication latency may be absorbed in exchange for a lower complexity growth rate. In this case, a multi-phase routing algorithm may be used in order to reduce the number of instantaneous pathways at a cost of introducing storage buffers and latency.

6.6.4. Hyper-cube Routing. Hyper-cube routing is a mechanism which can mostly be built as an extension to the basic routing mechanism described above. Essentially, rather than growing the node connectivity with the number of parachains and sub-group nodes, we grow only with the logarithm of parachains. Posts may transit between several parachains’ queues on their way to final delivery.

Routing itself is deterministic and simple. We begin by limiting the number of bins in the ingress/egress queues; rather than being the total number of parachains, they are the routing-base (b). This will be fixed as the number of parachains changes, with the routing-exponent (e) instead being raised. Under this model, our message volume grows with O(b^e), with the pathways remaining constant and the latency (or number of blocks required for delivery) with O(e).

Our model of routing is a hypercube of e dimensions, with each side of the cube having b possible locations. Each block, we route messages along a single axis. We alternate the axis in a round-robin fashion, thus guaranteeing worst-case delivery time of e blocks.

As part of the parachain processing, foreign-bound messages found in the ingress queue are routed immediately to the appropriate egress queue’s bin, given the current block number (and thus routing dimension). This process necessitates additional data transfer for each hop on the delivery route, however this is a problem itself which may be mitigated by using some alternative means of data payload delivery and including only a reference, rather than the full payload of the post in the post-trie.

An example of such a hyper-cube routing for a system with 4 parachains, b = 2 and e = 2 might be:

Phase 0, on each message M:
• sub0: if M_dest ∈ {2, 3} then sendTo(2) else keep
• sub1: if M_dest ∈ {2, 3} then sendTo(3) else keep
• sub2: if M_dest ∈ {0, 1} then sendTo(0) else keep
• sub3: if M_dest ∈ {0, 1} then sendTo(1) else keep

Phase 1, on each message M:
• sub0: if M_dest ∈ {1, 3} then sendTo(1) else keep
• sub1: if M_dest ∈ {0, 2} then sendTo(0) else keep
• sub2: if M_dest ∈ {1, 3} then sendTo(3) else keep
• sub3: if M_dest ∈ {0, 2} then sendTo(2) else keep

The two dimensions here are easy to see as the first two bits of the destination index; for the first block, the higher-order bit alone is used. The second block deals with the low-order bit. Once both happen (in arbitrary order) then the post will be routed.

⁹ cryptographically secure pseudo-random
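
The Phase 0 / Phase 1 tables of section 6.6.4, generalised to any routing-base b and routing-exponent e, as an added example (not code from the paper or from any Polkadot implementation). It assumes parachain indices are read as e base-b digits with the most significant digit as axis 0 and that block number modulo e selects the axis; all function names are hypothetical.

```python
def to_digits(index, b, e):
    """Coordinates of a parachain index: e base-b digits, axis 0 first."""
    if not 0 <= index < b ** e:
        raise ValueError("parachain index outside the b**e address space")
    digits = []
    for _ in range(e):
        index, d = divmod(index, b)
        digits.append(d)
    return digits[::-1]


def from_digits(digits, b):
    """Inverse of to_digits."""
    n = 0
    for d in digits:
        n = n * b + d
    return n


def next_hop(here, dest, block, b, e):
    """Where parachain `here` sends a post bound for `dest` in this block.

    Only the coordinate on this block's axis is corrected; a result equal to
    `here` means "keep" (the post waits for another axis, or has arrived).
    """
    axis = block % e  # round-robin axis selection (assumed mapping)
    coords = to_digits(here, b, e)
    coords[axis] = to_digits(dest, b, e)[axis]
    return from_digits(coords, b)


def phase_table(phase, b, e):
    """Rules for one phase as {sub: {target: [dests]}}, omitting "keep"."""
    table = {}
    for sub in range(b ** e):
        rules = {}
        for dest in range(b ** e):
            hop = next_hop(sub, dest, phase, b, e)
            if hop != sub:
                rules.setdefault(hop, []).append(dest)
        table[sub] = rules
    return table


def route(src, dest, start_block, b, e):
    """Location of a post after each block until delivery (src first)."""
    path, here, block = [src], src, start_block
    while here != dest:
        here = next_hop(here, dest, block, b, e)
        path.append(here)  # repeats `here` when the post is kept this block
        block += 1
    return path


def peers(sub, b, e):
    """Every parachain that `sub` ever forwards to, over all phases."""
    hops = {next_hop(sub, d, p, b, e) for p in range(e) for d in range(b ** e)}
    return hops - {sub}
```

With b = 4 and e = 3 (64 parachains) each parachain forwards to only e × (b − 1) = 9 peers instead of 63, and `len(route(...)) - 1` never exceeds e blocks whichever block the post enters on.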

6.6.5. Maximising Serendipity. One alteration of the basic proposal would see a fixed total of c² − c validators, with c − 1 validators in each sub-group. Each block, rather than there being an unstructured repartitioning of validators among parachains, instead for each parachain sub-group, each validator would be assigned to a unique and different parachain sub-group on the following block. This would lead to the invariant that between any two blocks, for any two pairings of parachain, there exists two validators who have swapped parachain responsibilities. While this cannot be used to gain absolute guarantees on availability (a single validator will occasionally drop offline, even if benevolent), it can nonetheless optimise the general case.

This approach is not without complications. The addition of a parachain would also necessitate a reorganisation of the validator set. Furthermore the number of validators, being tied to the square of the number of parachains, would start initially very small and eventually grow far too fast, becoming untenable after around 50 parachains. None of these are fundamental problems. In the first case, reorganisation of validator sets is something that must be done regularly anyway. Regarding the size of the validator set, when too small, multiple validators may be assigned to the same parachain, applying an integer factor to the overall total of validators. A multi-phase routing mechanism such as Hypercube Routing, discussed in 6.6.4 would alleviate the requirement for large number of validators when there is a large number of chains.

6.7. Parachain Validation. A validator’s main purpose is to testify, as a well-bonded actor, that a parachain’s block is valid, including but not limited to any state transition, any external transactions included, the execution of any waiting posts in the ingress queue and the final state of the egress queue. The process itself is fairly simple. Once the validator sealed the previous block they are free to begin working to provide a candidate parachain block candidate for the next round of consensus.

Initially, the validator finds a parachain block candidate through a parachain collator (described next) or one of its co-validators. The parachain block candidate data includes the block’s header, the previous block’s header, any external input data included (for Ethereum and Bitcoin, such data would be referred to as transactions, however in principle they may include arbitrary data structures for arbitrary purposes), egress queue data and internal data to prove state-transition validity (for Ethereum this would be the various state/storage trie nodes required to execute each transaction). Experimental evidence shows this full dataset for a recent Ethereum block to be at the most a few hundred KiB.

Simultaneously, if not yet done, the validator will be attempting to retrieve information pertaining to the previous block’s transition, initially from the previous block’s validators and later from all validators signing for the availability of the data.

Once the validator has received such a candidate block, they then validate it locally. The validation process is contained within the parachain class’s validator module, a consensus-sensitive software module that must be written for any implementation of Polkadot (though in principle a library with a C ABI could enable a single library to be shared between implementations with the appropriate reduction in safety coming from having only a single “reference” implementation).

The process takes the previous block’s header and verifies its identity through the recently agreed relay-chain block in which its hash should be recorded. Once the parent header’s validity is ascertained, the specific parachain class’s validation function may be called. This is a single function accepting a number of data fields (roughly those given previously) and returning a simple Boolean proclaiming the validity of the block.

Most such validation functions will first check the header-fields which are able to be derived directly from the parent block (e.g. parent hash, number). Following this, they will populate any internal data structures as necessary in order to process transactions and/or posts. For an Ethereum-like chain this amounts to populating a trie database with the nodes that will be needed for the full execution of transactions. Other chain types may have other preparatory mechanisms.

Once done, the ingress posts and external transactions (or whatever the external data represents) will be enacted, balanced according to chain’s specification. (A sensible default might be to require all ingress posts be processed before external transactions be serviced, however this should be for the parachain’s logic to decide.) Through this enactment, a series of egress posts will be created and it will be verified that these do indeed match the collator’s candidate. Finally, the properly populated header will be checked against the candidate’s header.

With a fully validated candidate block, the validator can then vote for the hash of its header and send all requisite validation information to the co-validators in its sub-group.

6.7.1. Parachain Collators. Parachain collators are unbonded operators who fulfill much of the task of miners on the present-day blockchain networks. They are specific to a particular parachain. In order to operate they must maintain both the relay-chain and the fully synchronised parachain.

The precise meaning of “fully synchronised” will depend on the class of parachain, though will always include the present state of the parachain’s ingress queue. In Ethereum’s case it also involves at least maintaining a Merkle-tree database of the last few blocks, but might also include various other data structures including Bloom filters for account existence, familial information, logging outputs and reverse lookup tables for block number.

In addition to keeping the two chains synchronised, it must also “fish” for transactions by maintaining a transaction queue and accepting properly validated transactions from the public network. With the queue and chain, it is able to create new candidate blocks for the validators chosen at each block (whose identity is known since the relay-chain is synchronised) and submit them, together with the various ancillary information such as proof-of-validity, via the peer network.

For its trouble, it collects all fees relating to the transactions it includes. Various economics float around this arrangement. In a heavily competitive market where there is a surplus of collators, it is possible that the transaction fees be shared with the parachain validators to incentivise the inclusion of a particular collator’s block. Similarly,

some collators may even raise the required fees that need to be paid in order to make the block more attractive to validators. In this case, a natural market should form with transactions paying higher fees skipping the queue and having faster inclusion in the chain.

6.8. Networking. Networking on traditional blockchains like Ethereum and Bitcoin has rather simple requirements. All transactions and blocks are broadcast in a simple undirected gossip. Synchronisation is more involved, especially with Ethereum but in reality this logic was contained in the peer strategy rather than the protocol itself which revolved around a few request and answer message types.

While Ethereum made progress on current protocol offerings with the devp2p protocol, which allowed for many subprotocols to be multiplexed over a single peer connection and thus have the same peer overlay support many p2p protocols simultaneously, the Ethereum portion of the protocol still remained relatively simple and the p2p protocol as a whole remains unfinished with important functionality missing such as QoS support. Sadly, a desire to create a more ubiquitous "web 3" protocol largely failed, with the only projects using it being those explicitly funded from the Ethereum crowd-sale.

The requirements for Polkadot are rather more substantial. Rather than a wholly uniform network, Polkadot has several types of participants each with different requirements over their peer makeup and several network "avenues" whose participants will tend to converse about particular data. This means a substantially more structured network overlay—and a protocol supporting that—will likely be necessary. Furthermore, extensibility to facilitate future additions such as new kinds of "chain" may themselves require a novel overlay structure.

While an in-depth discussion of how the networking protocol may look is outside of the scope of this document, some requirements analysis is reasonable. We can roughly break down our network participants into two sets (relay-chain, parachains) each of three subsets. We can also state that each of the parachain participants are only interested in conversing between themselves as opposed to participants in other parachains:

• Relay-chain participants:
  • Validators: P, split into subsets P[s] for each parachain
  • Availability Guarantors: A (this may be represented by Validators in the basic form of the protocol)
  • Relay-chain clients: M (note members of each parachain set will also tend to be members of M)
• Parachain participants:
  • Parachain Collators: C[0], C[1], . . .
  • Parachain Fishermen: F[0], F[1], . . .
  • Parachain clients: S[0], S[1], . . .
  • Parachain light-clients: L[0], L[1], . . .

In general we name particular classes of communication that will tend to take place between members of these sets:

• P | A <-> P | A: The full set of validators/guarantors must be well-connected to achieve consensus.
• P[s] <-> C[s] | P[s]: Each validator as a member of a given parachain group will tend to gossip with other such members as well as the collators of that parachain to discover and share block candidates.
• A <-> P[s] | C | A: Each availability guarantor will need to collect consensus-sensitive cross-chain data from the validators assigned to it; collators may also optimise the chance of consensus on their block by advertising it to availability guarantors. Once they have it, the data will be disbursed to other such guarantors to facilitate consensus.
• P[s] <-> A | P[s']: Parachain validators will need to collect additional input data from the previous set of validators or the availability guarantors.
• F[s] <-> P: When reporting, fishermen may place a claim with any participant.
• M <-> M | P | A: General relay-chain clients disburse data from validators and guarantors.
• S[s] <-> S[s] | P[s] | A: Parachain clients disburse data from the validator/guarantors.
• L[s] <-> L[s] | S[s]: Parachain light clients disburse data from the full clients.

To ensure an efficient transport mechanism, a "flat" overlay network—like Ethereum's devp2p—where each node does not (non-arbitrarily) differentiate fitness of its peers is unlikely to be suitable. A reasonably extensible peer selection and discovery mechanism will likely need to be included within the protocol as well as aggressive planning and lookahead to ensure the right sort of peers are "serendipitously" connected at the right time.

The precise strategy of peer make-up will be different for each class of participant: for a properly scaled-out multi-chain, collators will either need to be continuously reconnecting to the accordingly elected validators, or will need on-going agreements with a subset of the validators to ensure they are not disconnected during the vast majority of the time that they are useless for that validator. Collators will also naturally attempt to maintain one or more stable connections into the availability guarantor set to ensure swift propagation of their consensus-sensitive data.

Availability guarantors will mostly aim to maintain a stable connection to each other and to validators (for consensus and the consensus-critical parachain data to which they attest), as well as to some collators (for the parachain data) and some fishermen and full clients (for dispersing information). Validators will tend to look for other validators, especially those in the same sub-group and any collators that can supply them with parachain block candidates.

Fishermen, as well as general relay-chain and parachain clients will generally aim to keep a connection open to a validator or guarantor, but plenty of other nodes similar to themselves otherwise. Parachain light clients will similarly aim to be connected to a full client of the parachain, if not just other parachain light-clients.

6.8.1. The Problem of Peer Churn. In the basic protocol proposal, each of these subsets constantly alters randomly with each block as the validators assigned to verify the parachain transitions are randomly elected. This can be a problem should disparate (non-peer) nodes need to pass data between each other. One must either rely on a fairly-distributed and well-connected peer network to
ensure that the hop-distance (and therefore worst-case latency) only grows with the logarithm of the network size (a Kademlia-like protocol [13] may help here), or one must introduce longer block times to allow the necessary connection negotiation to take place to keep a peer-set that reflects the node's current communication needs.

Neither of these are great solutions: long block times being forced upon the network may render it useless for particular applications and chains. Even a perfectly fair and connected network will result in substantial wastage of bandwidth as it scales due to uninterested nodes having to forward data useless to them.

While both directions may form part of the solution, a reasonable optimisation to help minimise latency would be to restrict the volatility of these parachain validator sets, either reassigning the membership only between series of blocks (e.g. in groups of 15, which at a 4 second block time would mean altering connections only once per minute) or by rotating membership in an incremental fashion, e.g. changing by one member at a time (e.g. if there are 15 validators assigned to each parachain, then on average it would be a full minute between completely unique sets). By limiting the amount of peer churn, and ensuring that advantageous peer connections are made well in advance through the partial predictability of parachain sets, we can help ensure each node keeps a permanently serendipitous selection of peers.

6.8.2. Path to an Effective Network Protocol. Likely the most effective and reasonable development effort will focus on utilising a pre-existing protocol rather than rolling our own. Several peer-to-peer base protocols exist that we may use or augment including Ethereum's own devp2p [22], IPFS's libp2p [1] and GNU's GNUnet [4]. A full review of these protocols and their relevance for building a modular peer network supporting certain structural guarantees, dynamic peer steering and extensible sub-protocols is well beyond the scope of this document but will be an important step in the implementation of Polkadot.

7. Practicalities of the Protocol

7.1. Interchain Transaction Payment. While a great amount of freedom and simplicity is gained through dropping the need for a holistic computation resource accounting framework like Ethereum's gas, this does raise an important question: without gas, how does one parachain prevent another parachain from forcing it to do computation? While we can rely on transaction-post ingress queue buffers to prevent one chain from spamming another with transaction data, there is no equivalent mechanism provided by the protocol to prevent the spamming of transaction processing.

This is a problem left to the higher level. Since chains are free to attach arbitrary semantics on to the incoming transaction-post data, we can ensure that computation must be paid-for before started. In a similar vein to the model espoused by Ethereum Serenity, we can imagine a "break-in" contract within a parachain which allows a validator to be guaranteed payment in exchange for the provision of a particular volume of processing resources. These resources may be measured in something like gas, but could also be some entirely novel model such as subjective time-to-execute or a Bitcoin-like flat-fee model.

On its own this isn't so useful since we cannot readily assume that the off-chain caller has available to them whatever value mechanism is recognised by the break-in contract. However, we can imagine a secondary "break-out" contract in the source chain. The two contracts together would form a bridge, recognising each other and providing value-equivalence. (Staking-tokens, available to each, could be used to settle up the balance-of-payments.) Calling into another such chain would mean proxying through this bridge, which would provide the means of negotiating the value transfer between chains in order to pay for the computation resources required on the destination parachain.

7.2. Additional Chains. While the addition of a parachain is a relatively cheap operation, it is not free. More parachains means fewer validators per parachain and, eventually, a larger number of validators each with a reduced average bond. While the issue of a smaller coercion cost for attacking a parachain is mitigated through fishermen, the growing validator set essentially forces a higher degree of latency due to the mechanics of the underlying consensus method. Furthermore each parachain brings with it the potential to grief validators with an over-burdensome validation algorithm.

As such, there will be some "price" that validators and/or the stake-holding community will extract for the addition of a new parachain. This market for chains will possibly see the addition of either:

• Chains that likely have zero net contribution paying (in terms of locking up or burning staking tokens) to be made a part (e.g. consortium chains, Doge-chains, app-specific chains);
• chains that deliver intrinsic value to the network through adding particular functionality difficult to get elsewhere (e.g. confidentiality, internal scalability, service tie-ins).

Essentially, the community of stakeholders will need to be incentivized to add child chains—either financially or through the desire to add featureful chains to the relay.

It is envisioned that new chains added will have a very short notice period for removal, allowing for new chains to be experimented with without any risk of compromising the medium or long-term value proposition.

8. Conclusion

We have outlined a direction one may take to author a scalable, heterogeneous multi-chain protocol with the potential to be backwards compatible to certain, pre-existing blockchain networks. Under such a protocol, participants work in enlightened self-interest to create an overall system which can be extended in an exceptionally free manner and without the typical cost for existing users that comes from a standard blockchain design. We have given a rough outline of the architecture it would take including the nature of the participants, their economic incentives and the processes under which they must engage. We have identified a basic design and discussed its strengths and limitations; accordingly we have further directions which may ease those limitations and yield further ground towards a fully scalable blockchain solution.
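The validation procedure of section 6.7 (parent header checked against the hash recorded on the relay-chain, header fields derived from the parent, ingress posts enacted before external transactions, egress posts and final header compared with the collator's candidate), as an added Python example for a toy balance-transfer parachain. It is not code from the paper or from any Polkadot implementation; the data layout, the JSON/SHA-256 commitments and every name (`Header`, `Candidate`, `enact`, `validate`, `collate`) are assumptions made for illustration, and the sample data is constructed.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace


def digest(obj) -> str:
    """SHA-256 over canonical JSON (toy stand-in for a real chain encoding)."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


@dataclass(frozen=True)
class Header:
    parent_hash: str
    number: int
    state_root: str   # commitment to the balances after the block
    egress_root: str  # commitment to the egress posts the block creates
    def hash(self) -> str:
        return digest(asdict(self))


@dataclass(frozen=True)
class Candidate:        # what a collator hands to a validator
    header: Header
    parent_header: Header
    transactions: list  # external input data
    egress: list        # egress posts claimed by the collator
    witness: dict       # pre-state needed to prove the transition


def enact(state, ingress, transactions):
    """Enact ingress posts, then external transactions; return (state, egress)."""
    state, egress = dict(state), []
    for post in ingress:
        if post["amount"] <= 0:
            raise ValueError("malformed ingress post")
        state[post["to"]] = state.get(post["to"], 0) + post["amount"]
    for tx in transactions:
        if tx["amount"] <= 0 or state.get(tx["from"], 0) < tx["amount"]:
            raise ValueError("malformed or unfunded transaction")
        state[tx["from"]] -= tx["amount"]
        if "dest_chain" in tx:  # value leaves this chain as an egress post
            egress.append({"chain": tx["dest_chain"], "to": tx["to"], "amount": tx["amount"]})
        else:
            state[tx["to"]] = state.get(tx["to"], 0) + tx["amount"]
    return state, egress


def validate(c: Candidate, relay_parent_hash: str, ingress: list) -> bool:
    """Boolean verdict; relay_parent_hash and ingress are the validator's own relay-chain view."""
    parent = c.parent_header
    # 1. The parent header must be the one whose hash the relay-chain recorded.
    if parent.hash() != relay_parent_hash:
        return False
    # 2. Header fields derivable directly from the parent (parent hash, number).
    if (c.header.parent_hash, c.header.number) != (parent.hash(), parent.number + 1):
        return False
    # 3. Populate internal structures: the witness must be the parent's state.
    if digest(c.witness) != parent.state_root:
        return False
    # 4. Enact ingress posts first, then the external transactions.
    try:
        state, egress = enact(c.witness, ingress, c.transactions)
    except (ValueError, KeyError, TypeError):
        return False
    # 5. The egress posts created must match the collator's candidate.
    if egress != c.egress:
        return False
    # 6. The properly populated header must equal the candidate's header.
    return c.header == Header(parent.hash(), parent.number + 1, digest(state), digest(egress))


def collate(parent, state, ingress, transactions):
    """Collator side: build an honest candidate on top of `parent`."""
    new_state, egress = enact(state, ingress, transactions)
    header = Header(parent.hash(), parent.number + 1, digest(new_state), digest(egress))
    return Candidate(header, parent, list(transactions), egress, dict(state))


# Constructed sample data: bob can pay carol only because the ingress post lands first.
GENESIS_STATE = {"alice": 10, "bob": 0}
GENESIS = Header("0" * 64, 0, digest(GENESIS_STATE), digest([]))
INGRESS = [{"to": "bob", "amount": 5}]
TXS = [{"from": "bob", "to": "carol", "amount": 3},
       {"from": "alice", "to": "dave", "amount": 4, "dest_chain": 1}]


def demo() -> dict:
    good, relay = collate(GENESIS, GENESIS_STATE, INGRESS, TXS), GENESIS.hash()
    forged = replace(good, egress=[{"chain": 1, "to": "mallory", "amount": 4}])
    return {
        "honest": validate(good, relay, INGRESS),
        "forged_egress": validate(forged, relay, INGRESS),
        "unknown_parent": validate(good, "f" * 64, INGRESS),
        "ingress_withheld": validate(good, relay, []),
    }


if __name__ == "__main__":
    print(demo())
```

The `ingress_withheld` case fails because the validator enacts the queue it sees on the relay-chain, not one supplied by the collator, so a candidate built against a different ingress queue no longer executes.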
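The structured rotation of section 6.6.5, as an added Python example that is not from the paper: it assumes one possible schedule (validator labelled (a, d) serves parachain (a + block·d) mod c), then checks the three properties the text states, namely c − 1 validators per sub-group, every validator of a sub-group moving to a unique and different parachain, and a swapped pair of validators for every pair of parachains. `validator_total` gives the c² − c growth, with the integer factor the text mentions for small sets.

```python
def validator_total(c: int, factor: int = 1) -> int:
    """Validators needed for c parachains: (c^2 - c), times an optional integer factor."""
    return factor * (c * c - c)


def assignment(c: int, block: int) -> dict:
    """Parachain -> set of validators serving it at `block`.

    Assumed labelling: validator (a, d), with a in 0..c-1 and stride d in 1..c-1,
    serves parachain (a + block * d) mod c.
    """
    groups = {p: set() for p in range(c)}
    for a in range(c):
        for d in range(1, c):
            groups[(a + block * d) % c].add((a, d))
    return groups


def moves(c: int, block: int) -> dict:
    """(from_parachain, to_parachain) -> validator making that move into block + 1."""
    nxt = {v: p for p, vs in assignment(c, block + 1).items() for v in vs}
    return {(p, nxt[v]): v for p, vs in assignment(c, block).items() for v in vs}


def check_invariants(c: int, blocks: int = 12) -> bool:
    """Verify sub-group size, unique-and-different reassignment and the swap invariant."""
    wanted = {(i, j) for i in range(c) for j in range(c) if i != j}
    for b in range(blocks):
        if any(len(vs) != c - 1 for vs in assignment(c, b).values()):
            return False
        # There are exactly c^2 - c validators and c^2 - c ordered pairs (i, j), i != j.
        # If the set of moves equals `wanted`, each pair is travelled by exactly one
        # validator: nobody stays put, sub-groups scatter, and i and j always swap a pair.
        if set(moves(c, b)) != wanted:
            return False
    return True


def swappers(c: int, block: int, i: int, j: int) -> tuple:
    """The validator moving i -> j and the one moving j -> i after `block`."""
    m = moves(c, block)
    return m[(i, j)], m[(j, i)]


if __name__ == "__main__":
    for c in (2, 5, 10, 50, 100):
        print(f"{c:3} parachains -> {validator_total(c):5} validators")
    print("invariants hold for c = 6:", check_invariants(6))
    print("swap between parachains 0 and 1:", swappers(4, 0, 0, 1))
```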

8.1. Missing Material and Open Questions. Network forking is always a possibility from divergent implementations of the protocol. The recovery from such an exceptional condition was not discussed. Given the network will necessarily have a non-zero period of finalisation, it should not be a large issue to recover from the relay-chain forking, however will require careful integration into the consensus protocol.

Bond-confiscation and conversely reward provision has not been deeply explored. At present we assume rewards are provided under a winner-takes-all basis: this may not give the best incentivisation model for fishermen. A short-period commit-reveal process would allow many fishermen to claim the prize giving a fairer distribution of rewards, however the process could lead to additional latency in the discovery of misbehaviour.

8.2. Acknowledgments. Many thanks to all of the proof-readers who have helped get this in to a vaguely presentable shape. In particular, Peter Czaban, Björn Wagner, Ken Kappler, Robert Habermeier, Vitalik Buterin, Reto Trinkler and Jack Petersson. Thanks to all the people who have contributed ideas or the beginnings thereof, Marek Kotewicz and Aeron Buchanan deserve especial mention. And thanks to everyone else for their help along the way. All errors are my own.

Portions of this work, including initial research into consensus algorithms, were funded in part by the British Government under the Innovate UK programme.

References

[1] The specs for libp2p and associated submodules. https://github.com/libp2p/specs.
[2] Webassembly. http://webassembly.org/, 2016.
[3] Adam Back, Matt Corallo, Luke Dashjr, Mark Friedenbach, Gregory Maxwell, Andrew Miller, Andrew Poelstra, Jorge Timon, and Pieter Wuille. Enabling blockchain innovations with pegged sidechains. 2014.
[4] Krista Bennett, Christian Grothoff, Tzvetan Horozov, Ioana Patrascu, and Tiberiu Stef. Gnunet-a truly anonymous networking infrastructure. In Proc. Privacy Enhancing Technologies Workshop (PET). Citeseer, 2002.
[5] Vitalik Buterin. Ethereum: A next-generation smart contract and decentralized application platform. https://github.com/ethereum/wiki/wiki/White-Paper, 2013.
[6] Vitalik Buterin. Ethereum 2.0 mauve paper. 2016.
[7] Vitalik Buterin. Serenity poc2. 2016.
[8] Nxt community. Whitepaper: Nxt. http://wiki.nxtcrypto.org/wiki/Whitepaper:Nxt, 2013.
[9] Christopher Copeland and Hongxia Zhong. Tangaroa: a byzantine fault tolerant raft. http://www.scs.stanford.edu/14au-cs244b/labs/projects/copeland_zhong.pdf, 2016.
[10] Ethan Buchman Jae Kwon. Cosmos: A network of distributed ledgers. https://github.com/cosmos/cosmos/blob/master/WHITEPAPER.md, 2016.
[11] Jae Kwon. Tendermint: Consensus without mining. http://tendermint.com/docs/tendermint.pdf, 2014.
[12] Daniel Larimer. Bitshares. http://docs.bitshares.org/bitshares/history.html, 2013.
[13] Petar Maymounkov and David Mazières. Kademlia: A peer-to-peer information system based on the xor metric. In IPTPS '01 Revised Papers from the First International Workshop on Peer-to-Peer Systems, pages 53–65, 2002.
[14] Andrew Miller, Yu Xia, Kyle Croman, Elaine Shi, and Dawn Song. The honey badger of bft protocols. Technical report, Cryptology ePrint Archive 2016/199, 2016.
[15] Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system. https://bitcoin.org/bitcoin.pdf, 2008.
[16] Diego Ongaro and John Ousterhout. In search of an understandable consensus algorithm. In 2014 USENIX Annual Technical Conference (USENIX ATC 14), pages 305–319, 2014.
[17] Parity. Parity ethereum client. https://parity.io, 2016.
[18] Serguei Popov. The tangle. https://www.iotatoken.com/IOTA_Whitepaper.pdf, 2016.
[19] Youcai Qian. Randao. https://github.com/randao/randao, 2015.
[20] Eli Ben Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer, and Madars Virza. Zerocash: Decentralized anonymous payments from bitcoin. In 2014 IEEE Symposium on Security and Privacy, pages 459–474. IEEE, 2014.
[21] Paul Snow, Brian Deery, Jack Lu, David Johnston, and Peter Kirb. Factom: Business processes secured by immutable audit trails on the blockchain. https://raw.githubusercontent.com/FactomProject/FactomDocs/master/Factom_Whitepaper.pdf, 2014.
[22] Gavin Wood. Devp2p wire protocol. https://github.com/ethereum/wiki/wiki/libp2p-Whitepaper, 2014.
[23] Gavin Wood. Ethereum: a secure decentralised generalised transaction ledger. http://gavwood.com/paper.pdf, 2014.
[24] Gavin Wood. Yellow paper committee. https://github.com/gavofyork/curly-engine, 2016.

Appendix A. Functional Components

Seen from a high-level, the Parity Polkadot Platform stack has a number of functional components and any development of it will require a substantial amount of research and development prior to it being completed. Some components are dependent on others existing, others are independent. Some are very important for the platform to function properly, others are nice-to-haves. Some are of indeterminate complexity and have not yet been deemed feasible, others are relatively straight-forward. Here we'll try to list as many such components as possible along with where they would fit into our development roadmap.

Networking subsystem: This is the means by which a peer network is formed and maintained. Simple alterations of existing peer-to-peer networking libraries (devp2p most likely) will be sufficient for an initial system. However, additional research and development will be necessary to ensure that as the network grows, the network topology becomes increasingly structured allowing for optimal data logistics. For the final deployment, adaptations of libp2p, devp2p and GNUnet should be first considered. If requirements are not likely to be met then a new protocol should be considered.

Consensus mechanism: Proof-of-authority consensus mechanism supporting rich validator statements and allowing multiple independent items to be agreed upon under a single series based upon subjective reception of the partial set of validator statements. The mechanism should allow the proof of misbehaviour for the dismissal of malicious validators but need not involve any staking mechanism. A substantial amount of research and prototyping will precede the development of this component.

Proof-of-stake chain: Extending the consensus mechanism into proof-of-stake territory; this module includes staking tokens, managing entry and exit from the validator pool, a market mechanism for determining validator rewards, finalising the approval-voting nomination mechanism and managing bond-confiscation and dismissal. It includes a substantial amount of research and prototyping prior to final development.

Parachain implementation: A first parachain implementation, likely to be based heavily on an existing blockchain protocol such as Bitcoin or (more likely, since it provides for rich transactions) Ethereum. This will include an integration with the proof-of-stake chain, allowing the parachain to gain consensus without its own internal consensus mechanism.

Transaction processing subsystem: An evolution of the parachain and relay-chain, this will allow for transactions to be sent, received and propagated. It includes the designs of transaction queuing and optimised transaction routing on the network layer.

Transaction-routing subsystem: This introduces more specifics into the relay-chain's behaviour. Initially, adding transactability into parachains will be needed. Following that, with two parachains hard-coded into the relay-chain, it will include the management of the ingress/egress queues. Eventually this will develop along with the network protocol into a means of directed transaction propagation, ensuring independent parachain collators are not overly exposed to transactions that are not of interest.

Relay chain: This is the final stage of the relay-chain, allowing the dynamic addition, removal and emergency pausing of parachains, the reporting of bad behaviour and includes implementation of the "fisherman" functionality.

Independent collators: This is the delivery of an alternative chain-specific collator functionality. It includes proof creation (for collators), parachain misbehaviour detection (for fishermen) and the validation function (for validators). It also includes any additional networking required to allow the two to discover and communicate.

Network dynamics modelling and research: The overall dynamics of this protocol should be researched thoroughly. This can happen both through offline network modelling and through empirical evidence through simulated nodes. The latter is dependent on the relay-chain and will include the development of a structured logging protocol allowing nodes to submit detailed reports on their actions to a central hub for collation.

Network intelligence: As a complex decentralised multi-party network, a network intelligence hub similar to http://ethstats.net is needed to monitor the life-signs of the network as a whole and flag potentially disruptive behaviour. Structured logging should be used to generate and visualise this data in real-time for maximum efficiency. It is dependent on the relay-chain being in a reasonably complete state.

Information publication platform: This is a mechanism for publishing data relating to the blockchain, and effectively means a decentralised content-discovery network. Initially it can be handled by basic peer-to-peer lookups but for deployment will likely require a more structured and robust solution since availability will become a critical piece of information. IPFS integration may be the most sensible means of achieving these goals.

Javascript interaction bindings: The main means of interacting with the network will likely follow the example of Ethereum and as such high-quality Javascript bindings are critical to have. Our bindings will cover interactions with the relay-chain and the initial parachain and as such depends on them.

Governance: Initially, this will be a meta-protocol on the relay-chain for managing exceptional events such as hard-forks, soft-forks and protocol reparameterisation. It will include a modern structure to help manage conflict and prevent live-lock. Ultimately, this may become a full meta-protocol layer able to enact changes normally reserved for hard-forks. Requires the relay chain.

Interaction platform: A platform by which "typical" users are able to interact with the system, along with minimal functionality to facilitate common tasks such as entering the bond process, voting, nomination, becoming a validator, fisherman or collator and staking token transfer. Depends upon having a functional relay-chain.

Light clients: Light-client technology for both the relay-chain and any parachains developed. This will allow clients to be able to gain information regarding activity on the chains with a high degree of trust-freedom and without any substantial requirement of storage or bandwidth. Depends upon the relay-chain.

Parachain UI: A multi-chain, multi-token wallet and identity management system. It requires light-client technology and the interaction platform. This is not needed for any initial network deployment.

On-chain Dapp services: There may be various services that will need to be deployed on any initial parachains such as registration hubs for APIs, names, natural-language specifications and code. This depends on the parachain but is not strictly needed for any initial network deployment.

Application development tools: This includes various bits of software required to help developers. Examples include compilers, key management tools, data archivers and VM simulators. Many others exist. These will need to be developed as required. Technologies will be chosen partly to minimise the need for such tools. Many will not be strictly required.

Ethereum-as-a-parachain: Trust-free bridge to Ethereum and back again, allowing posted transactions to be routed from parachains into Ethereum (and treated like any other transaction of external origin) and allow Ethereum contracts to be able to post transactions to parachains and the accounts therein. Initially, this will be modelled to ascertain feasibility and get any structural limitations based around the number of validators required by the consensus process, a component on which it is dependent. A proof-of-concept can be built following this and final development will be dependent on the relay-chain itself.

Bitcoin-RPC compatibility layer: A simple RPC compatibility layer for the relay-chain allowing infrastructure already built using that protocol to be interoperable with Polkadot and as such minimise effort for support. A stretch goal requiring the relay-chain.

Web 2.0 bindings: Bindings into common Web 2.0 technology stacks to facilitate the usage of Polkadot infrastructure with legacy systems. A stretch goal dependent on the initial parachains and any on-chain infrastructure to be exposed.

zk-SNARK parachain example: A parachain utilising the properties of zk-SNARKs in order to ensure identities of transactors on it are kept private. A stretch goal dependent on the relay-chain.

Encrypted parachain example: A parachain that keeps each item of state encrypted and signed. These ensure the enforcement of access controls over inspection and modification of the data therein allowing commercial regulated operations to conform as necessary. Would include proof-of-authority mechanisms to allow Polkadot validators to guarantee some degree of correctness of state transitions without gaining exposure to the underlying information. A stretch goal depending on the relay-chain.

Trust-free Bitcoin bridge: Trust-free Bitcoin "two-way-peg" functionality. This would possibly use threshold signatures or alternatively an n of m multi-signature Bitcoin account together with SPV proofs & specialised fishermen. Development is predicated on an initial feasibility analysis giving a favourable result. Some additional functionality may need to be added to (or unlocked from) the Bitcoin protocol to support this functionality.

Abstract/low-level decentralised applications: Trust-free token exchange, asset-tracking infrastructure, crowd-sale infrastructure.

Contract language: Certainly not an integral part of the project, but a nice stretch-goal nonetheless. Would include a safe contract language together with tutorials, guidelines and educational tools. It may include means of making formal proofs as per the original Solidity language vision or could be based around some other programming paradigm which helps minimise critical process errors such as functional programming or condition-orientated programming.

IDE: Based on the contract language, this would facilitate editing, collaboration, publication and debugging of contracts on the parachains. A far stretch goal.

Appendix B. Frequently Asked Questions

Is Polkadot designed to replace (insert blockchain here): No. The goal of Polkadot is to provide a framework under which new blockchains may be created and to which existing blockchains can, if their communities desire, be transitioned.

Is Polkadot designed to replace (insert crypto-currency here): No. Polkadot tokens are neither intended nor designed to be used as a currency. They would make a bad currency: most will remain illiquid in the staking system and those that are liquid will face substantial fees for transfer of ownership. Rather, the purpose of Polkadot tokens is to be a direct representation of stake in the Polkadot network.

What is the inflation rate for Polkadot staking tokens: The Polkadot staking token base expansion is unlimited. It rises and lowers according to market effects in order to target a particular proportion of tokens held under long-term bond in the validation process.

Why does staking token ownership reflect stakeholding: This is a mechanism realised by the fact that they underpin the network's security. As such their value is tied to the overall economic value that Polkadot provides. Any actors who gain overall value from Polkadot operating correctly are incentivised to ensure it continues to do so. The best means of doing so is to take part in the validation process. This generally implies ownership of staking tokens.