Unbrick Collective

Overview

This proposal aims to add a new Unbrick Collective to the Polkadot Collectives chain. The main duty of this collective is to help parachain teams replace their head state and/or wasm to unbrick a bricked parachain. The collective is not expected to receive funding support from the Polkadot treasury.

Motivation

Since the initial launch of Polkadot parachains, there have been many incidents causing parachains to be bricked, and many occurrences that required Polkadot governance to update the parachain state/wasm. The causes range from a bad genesis being registered, inability to use the sudo key, a bad runtime migration, and bad weight configuration to bugs in Substrate/Polkadot-SDK. Currently the root origin is required to perform such an action, and the governance process to invoke the root origin is very time consuming. The long voting and enactment time could result in significant damage to the parachain and its users. There were some previous discussions about how we can improve this situation. As a result, the idea of the Unbrick Collective was proposed, with minimal scope to ease the process of setting it up.

Explanation

The collective is unranked.

The members are not paid by the Polkadot treasury.

A number of features and changes shall be implemented:

  • An extrinsic to allow the parachain manager (only when unlocked) or the parachain origin to opt in to allowing the Unbrick Collective to set its head state and wasm
  • A new track and origin named “WhitelistedUnbrickCaller” shall be added to the relaychain governance
  • Another new origin named Unbrick
  • Add new extrinsic paras.unbrick(paraId: ParaId, wasm: Option<Vec<u8>>, head: Option<Vec<u8>>)
    • Require ā€œUnbrickā€ origin
    • Require no new block from this para id for N relay blocks (two hour?)
  • Modify the whitelist pallet so that the execute origin depends on the dispatch origin. And configure it that the execute origin shall be Root when dispatch origin is the WhitelistedCaller origin and Unbrick origin for WhitelistedUnbrickCaller.
    • This allows us to reuse the existing whitelist pallet without a new instance and extra configurations

This will allow a bricked parachain to be rescued with the following steps:

  • The parachain should first opt in to allow the Unbrick Collective to modify its head state and wasm
  • One of the Unbrick Collective members can make a motion to whitelist a call to invoke paras.unbrick
  • Anyone can make a proposal to the WhitelistedUnbrickCaller track to dispatch the whitelisted call
  • The parachain state / wasm shall be updated
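The checks listed above, sketched as a simplified stand-alone model. This is an added example, not code from the proposal or from Polkadot-SDK; the type and function names, the value chosen for N, and the treatment of a para with no recorded block are assumptions.

```rust
// Simplified model of the proposed checks; NOT Polkadot-SDK code. All names are hypothetical.
use std::collections::{HashMap, HashSet};

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Origin { Root, WhitelistedCaller, WhitelistedUnbrickCaller, Unbrick, Signed }
#[derive(Debug, PartialEq)]
pub enum Error { BadOrigin, NotOptedIn, ParaStillProducingBlocks }

// Assumption: N = 1200 relay blocks (about two hours at 6 s per block); the proposal leaves N open.
pub const STALL_BLOCKS: u32 = 1_200;

/// Whitelist pallet change: the execute origin depends on the dispatch origin.
pub fn execute_origin(dispatch: Origin) -> Result<Origin, Error> {
    match dispatch {
        Origin::WhitelistedCaller => Ok(Origin::Root),
        Origin::WhitelistedUnbrickCaller => Ok(Origin::Unbrick),
        _ => Err(Error::BadOrigin),
    }
}

#[derive(Default)]
pub struct Relay {
    pub now: u32,                                // current relay block number
    pub opted_in: HashSet<u32>,                  // para ids that opted in
    pub last_block_at: HashMap<u32, u32>,        // para id -> relay block of its last new block
    pub state: HashMap<u32, (Vec<u8>, Vec<u8>)>, // para id -> (wasm, head)
}

impl Relay {
    /// Model of paras.unbrick(paraId, wasm, head): Unbrick origin, opt-in, and stall window.
    pub fn unbrick(&mut self, origin: Origin, para: u32,
                   wasm: Option<Vec<u8>>, head: Option<Vec<u8>>) -> Result<(), Error> {
        if origin != Origin::Unbrick { return Err(Error::BadOrigin); }
        if !self.opted_in.contains(&para) { return Err(Error::NotOptedIn); }
        // Assumption: a para with no recorded block counts as stalled since relay block 0.
        let last = self.last_block_at.get(&para).copied().unwrap_or(0);
        if self.now.saturating_sub(last) < STALL_BLOCKS { return Err(Error::ParaStillProducingBlocks); }
        let entry = self.state.entry(para).or_default();
        if let Some(w) = wasm { entry.0 = w; }
        if let Some(h) = head { entry.1 = h; }
        Ok(())
    }
}

fn main() {
    let mut relay = Relay { now: 10_000, ..Default::default() }; // constructed sample state
    relay.opted_in.insert(2000);
    let origin = execute_origin(Origin::WhitelistedUnbrickCaller).unwrap();
    println!("{:?}", relay.unbrick(origin, 2000, None, Some(vec![0x01])));
}
```

In this model a Root-dispatched call is rejected by `unbrick`, because the proposal states the extrinsic requires the Unbrick origin.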

Member requirement

The collective will be created without members. There will be an additional governance proposal to set up the seed members.

Three origins can modify the members:

  • Fellows track (Approved by >=3 rank Core Fellowship Members)
  • Root track
  • More than 2/3 of the existing Unbrick Collective

The members are responsible for verifying the technical details of unbrick requests, e.g. verifying the wasm hash or the new chain state. Therefore they must have the technical capability to perform such tasks.

Suggested requirements to become a member:

  • Rank 3 or above in the Core Fellowship
  • OR CTO / Tech lead of a parachain team that has opted in to allow the Unbrick Collective to control its wasm/state

Additional Notes

The Unbrick Collective may be upgraded to an Ecosystem Fellowship, which could be a paid and ranked collective. If that happens, the Unbrick Collective members could become high-rank members of the future Ecosystem Fellowship directly.

The ability to set the head state and/or wasm means arbitrary modification of the parachain, e.g. taking control of the native parachain token or any bridged assets in the parachain. This could introduce a new attack vector, and therefore such great power needs to be handled carefully.

Questions

  • What are the parameters for the WhitelistedUnbrickCaller track?
  • Any other methods that shall be updated to accept Unbrick origin?
  • Any other requirements to become a member?
  • We would like to keep this simple so no funding support from the Polkadot treasury. But do we want to compensate the members somehow? e.g. Allow parachain teams to donate to the collective
  • Do we want to have this collective offer additional technical support to help bricked parachains? e.g. help debug the code, create the rescue plan, create postmortem report, provide resources on how to avoid getting bricked

Previous draft with some comments: https://hackmd.io/@xlc/ry0FZSeAT