Secure Decentralized Oracles and Reliably Triggering Smart Contracts @ CESC

chainlink.md

Secure Decentralized Oracles and Reliably Triggering Smart Contracts

Sergey Nazarov

The Smart Contract Connectivity Problem

• Smart contracts can't connect with external data, so off-chain resources are not easily usable.
• 80%+ of smart contract use cases need external resources.

Blockchain Middleware Creates Connectivity

• Can connect smart contracts to critical external data
• Can also connect to widely accepted bank payments
• Connect smart contracts from different networks to each other (interoperability)

End-to-end reliability

• Every part of the smart contract ecosystem needs to be secure and reliable. This includes the contract code and the triggering method (often an off-chain data source).
• Centralized oracles don't work
  • Obvious single point of failure / maliciousness
• Instead: Secure Decentralized Oracle Network
  • Get 3, 5, 10, 50 oracles all verifying the same input, coming to consensus about the input
    • This should provide additional assurance
• Chainlink has a large collection of possible inputs and outputs
  • Analogous to web developers composing APIs
  • Includes Bitcoin, Paypal, Visa, SWIFT, SMS messages, etc.

Layering defense in depth using Trusted Execution Environments (TEEs)

• Uses Intel SGX to secure the individual nodes running the Chainlink oracle network
• What does TEE enable?
  • Limits the attack surface area that someone can use to attack your application
  • OS, hypervisors, etc. can no longer access your application
  • Your application is run in a separate location that operates on encrypted data and can perform commands, but computations are private and secure from all other resources on the system
• Practically speaking, it means that Chainlink node operators can now run an oracle without knowing what it's doing
  • Uses TownCrier underneath the hood
  • Allows this oracle functionality within Intel SGX

Threat Model

• The only thing node operators can do in Chainlink is turn off their node
  • They don't know what their node is doing, and they can't manipulate their node operation
• Confidential for credential management
  • If you want to store credentials that can manage money in the real world—the credentials used for payments in the SGX model are in a reliable, confidential environment
• Control of private keys
  • If a Chainlink that uses TownCrier and sees a smart contract wants to pay in Bitcoin, the SGX enclave can hold a private key that signs a multisig on Bitcoin
  • This enables trustless multi-chain operations

Splitting Smart Contracts into On-Chain and Off-Chain

• Private smart contract code can be executed off-chain in the oracle network
• Scalable smart contract execution off-chain
• Well-tested libraries can be used from within a TEE (e.g., using a certain randomness generation library)

Summary

• Chainlink! Oracle networks! Huzzah!

God speed, Sergey.