Attributes
- Author(s): PoktFund (BaaS Pools LLC)
- Recipient(s): PoktFund (BaaS Pools LLC)
- Category: Reimbursement
- Asking Amount: 7M [TBD until actual proposal] POKT
Prerequisites:
If you do not have context on what Lean Pocket is, we highly recommend reading the blog post on Lean Pocket as well as the one on the Chocolate Rain security vulnerability. This will help you navigate the proposal with more clarity.
Summary
BaaS Pools LLC, also known as PoktFund, is asking for a 7,000,000 POKT reimbursement from the DAO Treasury for the extensive research and implementation efforts associated with Lean Pocket as well as the security vulnerability known as Chocolate Rain. This proposal seeks to highlight the history of the team, the significant impact that Lean Pocket has had on the Pocket Network and ecosystem, the risk Chocolate Rain imposed, as well as explain the rationale behind the requested amount of POKT.
History
PoktFund was established in 2022 with the aim of making a substantial impact on the Pocket Network blockchain ecosystem. The company has demonstrated its dedication to this goal through the development of open-source applications, such as a mobile wallet and a monitoring utility for node operators.
PoktFund has made a substantial contribution to the Pocket Network protocol by designing and implementing “LeanPokt,” a solution that significantly reduces the computational resources required for node operation by nearly 99%. This optimization has increased the cost-effectiveness of nodes to the network, making it more accessible for a wider range of participants, reducing infrastructure costs, inviting institutional stakes, and pushing for sustainable node economics.
The company has also demonstrated its commitment to the security of the Pocket Network by identifying and reporting high-severity security vulnerabilities (the Chocolate Rain attack), proposing effective fixes, and communicating these findings to the core development team.
In summary, PoktFund has brought a substantial level of engineering talent to the Pocket Network ecosystem and plans to continue making meaningful contributions in the future. We started as a small team of 2-3 active contributors and have grown it strategically to 10+ over the course of nearly a year.
Abstract
Lean Pocket
The PoktFund team devoted significant time and effort to the development of Lean Pocket between Feb 2022 and Dec 2022. The team demonstrated the substantial improvements achieved through Lean Pocket at InfraCon 2022, held in the Dominican Republic. Shortly after, the team engaged in discussions with the core development team to make Lean Pocket publicly available, and it has been available to users as of version 0.9.2 and later releases.
Chocolate Rain
The PoktFund team identified a security vulnerability where an unbounded amount of POKT could be minted by “overservicing” node(s). This was rated a critical-level vulnerability by PNI, and we were awarded $10k USD (roughly ~90k POKT). To elaborate, this meant that an unlimited amount of POKT could be minted under the right conditions. We tested and validated it on Localnet RC V0.8.2 before submitting documentation to the core team containing all the details necessary to replicate the issue and implement the fix. It was fixed in 0.9.0.
We also led research into compensation for bug bounties, in which we scraped and normalized data on reward amounts across Web3; please read here for further details.
Motivation
LeanPocket
Initial posts about whether a light client was possible were skeptical and unoptimistic (see responses here). Regardless, the team saw the potential and opportunity and worked relentlessly to make it possible. Without the attention of PoktFund, it would not be an overstatement to say this optimization would never have seen the light of day in V0. Today, Lean Pocket has significantly reduced resource requirements, making it possible for nodes to operate at scale more easily and efficiently. Lean Pocket has reduced infrastructure costs by approximately 98 to 99.3%.
The team was motivated to work on this project after recognizing the high, unnecessary cost imposed on node-running economics. Recognizing the limited resources available to the core development team working on V0, PoktFund diverted existing internal plans and shifted gears to reduce the operational overhead for node operators without breaking consensus. It was deemed important to bring this optimization to the attention of the public in order to avoid a scenario in which competition among node operators would lead to privatization of this valuable optimization. Fast forward to today, and this contribution has helped push Pocket toward being a more open space for contributors, e.g. the creation of core contributor hours, contribution guidelines, and so on (credit to the PNI team for structuring this, of course). Lean Pocket also made the network more attractive to new participants and laid the foundation for future optimizations, such as GeoMesh (all credit to Poktscan for GeoMesh, of course).
PoktFund has also continued to support Lean Pocket after development, through all the beta releases and up until the actual release of v0.9.3. A prime example of this is when the chain was halted due to the non-custodial update. Many node operators were already running the Lean Pocket optimization, so the PoktFund team was instrumental in ensuring that LeanPocket was readily available so that consensus could continue.
We sampled block height 73506 to see who was running LeanPOKT: at least 37.95% (10218 / 26917 nodes) of the network was confirmed to have adopted LeanPOKT before it was even available as an official RC, demonstrating how urgently the network needed to save compute and storage costs. (Our snapshot is attached.)
As of block 84748, 11991 out of 22697 nodes have adopted BETA v0.9.2 or v0.9.3, which is nearly 52% of the network. We believe the actual percentage is higher, considering that node runners have shifted over to GeoMesh for economic-incentive reasons; keep in mind that GeoMesh also incorporates LeanPOKT under the hood. If you account for these nodes, the number sits around 90%+ of the network (all credit to Poktscan for GeoMesh, of course).
Ultimately, the contribution has had multiple impacts, from contribution-friendliness to the entirety of node economics. By saving nearly 99% in costs, the cost to run nodes was significantly reduced, averting the risk of a complete downward spiral in profitability, retail and institutional investment, and so on. We won’t dwell on this too much, but hopefully one can appreciate the magnitude of the impact this contribution has had on the ecosystem.
Chocolate Rain
For Chocolate Rain, the motivation is easy to understand and not much needs to be said. If the security vulnerability had made it into the hands of a bad actor, the consequences could have been catastrophic and the end of Pocket’s reputation as a network. PNI was prompted to create its own bug bounty program as a result of our whitehat disclosure, ultimately leading to more formalized processes to ensure a secure network. (All credit to PNI for this process.)
Note from their blog post: PNF may also choose to define its own bug bounty program independently of PNI and the DAO. Until PNF has its own bug bounty program, PNI’s bug bounty program will cover PNF-hosted software.
As a follow-up, we did a fair analysis of existing bug bounties to ensure that our asking amount is within reasonable levels for the current industry market, and to provide guidance on how the DAO treasury can be leveraged to fund bug bounties as well.
Budget
The funds requested in this proposal will be used to reimburse BaaS Pools LLC for the work done between Feb 2022 and December 2022.
7,000,000 POKT will be disbursed to BaaS Pools LLC.
Dissenting Opinions
Why does this proposal not include ThunderHead in Lean Pocket?
Note: ThunderHead has requested that we remove references to them from the body of this proposal, hence the lack of mention aside from this section. We do not know whether or when they will submit their version of the proposal. The asking amount reflected here is only for BaaS Pools LLC.
Rationale: Previously, we submitted a joint proposal (PEP-35) from both organizations with the expectation that the DAO would reward us with $2m. This is no longer the case, which is one of the reasons we’re decoupling the proposal. PoktFund has decided to proceed with this separate proposal-based approach due to the feedback from PEP-35 and how the DAO perceives value.
Clarity: BaaS Pools LLC is a completely separate entity from ThunderHead, and the two do not share any resources or finances. To be fully clear, we did not receive any funds from TH, nor did we ever agree to receive funds from them. Our company released LeanPocket for the community, always with the expectation that the DAO would later reimburse us for our work. Submitting a separate proposal allows for a more granular depiction of the work completed and reflects the contributions and expenses of PoktFund for not only LeanPocket but our security disclosure as well. This in turn provides more transparency for the DAO to make a decision on a reimbursement. It follows a structure similar to how MSA and Liquify separated their proposals for PIP-22.
PoktFund already profited so much from having a headstart on this optimization.
The company did not seek to limit access to, or profit from, the optimization as a node operator. We kept communications open and transparent during the entire ordeal. This means we consciously put a hold on starting any node operator/provider business until the optimization was publicly available for use, and missed a large opportunity to capture revenue for months during a vulnerable period when many node runners were raising their revenue share/costs. In fact, once LeanPocket was available to the public, we helped all node runners, and even major node providers, to quickly adopt this feature. Additionally, it is important to note that we did not receive any compensation from any organization in exchange for early access to or private implementations of Lean Pocket. The intention was always to keep it transparent and open source and to be compensated later by the DAO for our work. We hope that the DAO can recognize this lost opportunity cost when considering the reimbursement ask.
Why was Lean Pocket closed source initially?
The core team advised us to keep it closed source until it had been reviewed thoroughly, to ensure that the contribution was safe and to minimize any protocol disruptions (post for reference).
After multiple v0 core contributions, code review calls and revisions (led by Luis, [ex] PNI CTO, himself), LP was made available to the public as soon as it was deemed safe enough for the entire ecosystem to use.
A Note from the team:
Thank you all for supporting PoktFund throughout this incredible journey. We hope that you are able to understand and support us through this DAO ask.
This is only the start of something truly magnificent. We have grown from just a small company into something that will become more sustainable and lucrative if we are able to get this reimbursement.
Title | Headcount (HC)
---|---
Engineering | 6
PM | 1
UX Designer | 1
Sales | 1
On call / as needed basis engs / advisors | 3
Above is our active headcount (actively contributing). We have even more products and plans that we’re going to be discussing and executing on. We’ve been in close contact with multiple organizations in the ecosystem on collaboration ideas, hell - we may even be doing more protocol work as V1 matures. We’ve stepped into advisory for node running, protocol advice, infrastructure optimizations, and now even hopping into calls with PNF to discuss our roadmap for this year. While we are looking for reimbursement in this proposal, please keep in mind that this undoubtedly helps motivate our organization and incentivizes us to focus on driving value to the network and being active participants in the ecosystem.
Deliverable(s)
Lean Pocket
- Initial Research (design doc, validator design doc, GitHub proposal)
- Proof of Concept (InfraCon showcase)
- Code Implementation with Code Review (pull request)
- Unit tests / integration tests (pull request)
- Community support on Discord/Telegram/DM
- Collaborating on and reviewing LP documentation with PNI
- Release (0.9.2+)
Chocolate Rain
- Tested on the local net
- Proof of concept and remediation docs sent to core team
- Crisis averted in 0.9.0
- Bug bounty reimbursement research (forum post)
Copyright
Copyright and related rights waived via CC0.