DarkFi's first ever fully decentralized testnet has arrived.
The release includes an anonymous proof-of-stake blockchain and several applications that showcase the power of DarkFi's anti-fragile smart contract architecture, including:
- Anonymous payments
- Anonymous swaps
- Anonymous DAOs
Testnet v0.1a is completely decentralized, anonymous and peer-to-peer. Its blockchain is based on a modified version of Ouroboros Crypsinous, an anonymous and censorship-resistant blockchain protocol.
Follow this guide to join the testnet. You can send money around, do anonymous atomic swaps and create anonymous DAOs with your own parameters.
We believe this is the dawn of a new paradigm in cryptocurrency. The era of the transparent blockchain is over. Anonymous engineering is becoming tangible for the first time.
Testnet v0.1a is a result of a huge development effort by the DarkFi community. We dedicate this effort to Jstark1809.
In his words:
If something unfortunate happens to one individual, another individual will take his place... It's a hydra you cannot completely kill. You cut off one head, other head pops up. We are impossible to stop.
Dark Consensus
DarkFi's consensus algorithm is based on Ouroboros Crypsinous, a privacy-preserving proof-of-stake blockchain protocol.
The core of Ouroboros Crypsinous is anonymous leader selection. Participants can stake on the network and contribute to blockchain security without revealing their identity.
Each node runs a leader selection algorithm to determine if they are the block producer, known as the slot leader. The algorithm works as follows:
- Nodes generate a random y output, derived from blockchain randomness.
- Nodes check whether y is less that a target T. T is a function of the nodes' stake, relative to the total network stake.
If this is successful slot leaders then generate a proof and the corresponding block for the slot.
A discrete PID controller has been implemented to stabilize the leader selection frequency. In simple terms, the controller is auto-tuning to produce a single leader per slot as often as possible.
In the case of multiple leaders we have a fork handling logic to take care of reorgs. The process is described in our docs. In the case of a node being selected as a leader and then going offline it simply results in the assigned slot not containing a block.
In the current version stake is a dummy arbitrary value that can be assigned to nodes ad-hoc. This means that nodes can contribute to consensus without any stake. We simply assign a nominal stake value to nodes so they have better chance of becoming leaders. In the next release we will move to a smart contract-based staking system that will allow users to stake and unstake the network native token.
We are also actively mitigating protocol drawbacks in regards to finalization consistency by researching and developing a protocol upgrade called Khonsu. This will act as a leader-producing mechanism, enabling instant finality on the DarkFi blockchain.
The current blockchain implementation focuses on algorithm performance. We consider reorgs and the behavior of nodes at the infrastructure layer, such as the exchanging and processing of protocol data.
Smart contracts
General-purpose anonymous smart contracts are the backbone of the DarkFi network. All operations, including normal payments, swaps, etc. are done through smart contract calls. The contracts' code ensures that state transitions are properly verified and valid and enforces certain rule sets depending on the operation.
The smart contracts' code is written in Web-Assembly (WASM). Once compiled the smart contract gets deployed on the blockchain. This way every node in the network has the same reference and can deterministically perform the same execution as any other node in the network.
In testnet v0.1a we have deployed native contracts for anonymous payments, anonymous atomic swaps and anonymous DAOs. In the next iteration we will enable the infrastructure for anyone to be able to deploy their own custom smart contracts also written in WASM.
The current contracts for payments, swaps, and DAOs can be found in the repository.
Along with WASM we have our own general-purpose zkVM which creates and verifies zero-knowledge proofs written in our zkas language.
This language enables developers to write circuits in a simple and straightforward way without having to worry about small intricacies that are commonly encountered with other zero-knowledge languages or proving systems. Using zkas, developers can quickly prototype and build zero-knowledge circuits that become part of the smart contracts.
Our zkVM is built as a generic halo2 circuit and supports various opcodes that are necessary for anonymous engineering. Examples of these can also be found in the repository where they are integrated with WASM smart contracts.
To put this in practice let's see how a basic payment gets executed.
Payments
Alice wants to send 100 ALICE tokens to Bob. This means that Alice has some parameters that represent her 100 ALICE tokens and these parameters exist in the current blockchain state.
To spend the tokens she has to create two zero-knowledge proofs. The first represents the tokens she wants to spend (100 ALICE). The seconds represents the tokens she wants to send to Bob (also 100 ALICE).
Using the parameters of the tokens she owns she creates a Burn proof stating that she owns 100 ALICE and she wants to spend them and a Mint proof stating that 100 ALICE are minted to Bob.
In a common transparent blockchain these statements would obviously be linkable. Anyone that can read the blockchain would be able to see which tokens have been spent, by whom, and where these tokens are being sent to.
However, using zero-knowledge proofs we can make this transaction anonymous and unlinkable. Our smart contract simply enforces the correctness of the state. Zero-knowledge proofs prove the validity of the state transition without actually revealing what has been burned and minted. This concept gives us anonymous payments.
A more technical explanation of this can be found in our book:
Atomic swaps
We can create atomic swaps by expanding on the above payments feature. Atomic swaps are simply two payment contract calls combined into one, where two parties wish to exchange their tokens.
Let's say Alice wants to exchange 100 ALICE for Bob's 50 BOB tokens. Alice can then create one half of the transaction which burns 100 ALICE tokens and mints 50 BOB tokens. She sends this half of the transaction to Bob. Bob creates the other half which burns 50 BOB tokens and mints 100 ALICE tokens.
These halves can then be combined into a single transaction and signed by Bob. Once Bob has signed he sends it back to Alice and she can add her own signature.
The transaction is considered valid once both parties have signed. It can then be broadcasted on the blockchain. Once executed, the atomic swap happens and Alice and Bob have successfully exchanged their tokens.
DAO
The commit-and-reveal scheme we use above for payments and swaps can be generalized to represent complex relations. We call these objects bulla after the clay seals used for financial transactions in ancient Sumer.
Each bulla is an anonymized object that exists on-chain. You can operate on these bullas and prove facts about them.
To create a DAO we simply mint an on-chain bulla that contains the DAO parameters. This includes the required voting threshold or minimum governance tokens needed to create a vote.
Nobody except DAO members can see these parameters. There is just a random hash on-chain. Once the DAO is created people who know its hash can send money to the treasury. The money the DAO receives is completely anonymous and untraceable.
To enable apps like the DAO to deal with tokens on-chain we invented a zero-knowledge form of protocol-owned liquidity.
Any DAO member with the required number of governance tokens specified by the DAO can make a proposal to the treasury. This proposal is by default only visible to DAO members but it can also be made visible to the public or any wider group of people at the discretion of the DAO.
Assuming the proposal is valid, a proposal bulla appears on-chain as an anonymous hash. Nothing about the proposal or even to which DAO it is connected is leaked.
Everybody in the DAO can vote anonymously on the proposal. Nothing is revealed on-chain. Once the proposal meets the minimum threshold of required votes and passes the approval ratio (both parameters set in the DAO's creation) then the proposal is considered a success.
Any DAO member is then able to execute the transfer, which is again fully anonymous. Nobody outside the DAO knows that funds have been transferred. The voter info — who voted for what and the amounts — are all completely dark.
The DAO is a pretty basic prototype with just three parameters:
- proposer limit: minimum number of governance tokens required to make a proposal.
- quorum: minimum amount of tokens that must be allocated to a proposal for the proposal to pass.
- approval ratio: ratio of yes/no votes required for a proposal to pass.
The current implementation is lacking more advanced features like trusted reviewers, rage-quit mechanism and so on. We plan to expand its operation gradually.
Furthermore there are two information leaks we plan to fix:
-
Proposals are completely anonymous on-chain with no info revealed about them. Votes are the same, however, votes and proposals are linkable. People can see there is a proposal with some level of activity without learning anything else. You can split your votes to obfuscate your activity so maybe it's not a big deal.
-
Currently all voting results are revealed to DAO members. Ideally vote results are hidden until voting is closed. This problem is more difficult to fix and might involve the use of novel cryptography.
Additionally, proposals currently don't have an expiry time. This
should be easy to fix by allowing a close smart contract call that
can end the vote if the specified time is up.
Apart from these tweaks the DAO is completely anonymous and can be used as a multisig with additional features.
Network Anonymity
Strict anonymity requires a tight cohesive design and full control of your software stack. Existing blockchain solutions leak anonymity so DarkFi could not survive on them. We had to create our own infrastructure and tooling.
This includes the network stack. We were not satisfied with existing ecosystem solutions both from a security and anonymity standpoint. Many of them mistakenly introduce too much abstraction and statefulness into network protocols that by their nature should be simple and robust.
Our p2p network stack allows us to plug into any existing network transports such as Tor or Nym easily. The applications we build on top are deliberately designed with no concept of identity or IP addresses. This forces us to invent new solutions to problems that are considered "solved".
Our p2p network is designed in such a way that we can modify and expand it very quickly. We can quickly iterate and create complex p2p apps rather than being limited by existing network layers.
All our developer communication happens through our own p2p anonymous chat. We feel anonymity teams using Discord is a contradiction. We are currently using GitHub but our plan is to gradually migrate to a fully p2p anonymous paradigm.
Overview
The following image describes DarkFi's architectural stack. The
core library contains the p2p network, blockchain and smart
contract architecture. A DarkFi full node is a synthesis of these
components. The full node is interacted with using a command-line
tool called drk.
Next steps
We want people to try out testnet v0.1a so we can receive feedback on usability and UX and include that in our next iterations. Our plan is to extend the smart contract infrastructure and our other tooling which will enable some cool things for users and developers.
This includes:
- Ability to deploy custom smart contracts
- Khonsu consensus as an upgradeable WASM smart contract
- DHT network for file and metadata storage
- Decentralized tasks, accounting, and wiki
- Spam protection for anonymous protocols
- Nym gateway service
- Anonymous NFTs
- Anonymous DEX
- Ethereum bridge
This is our first testnet release which is marked 0.1 alpha. Going on from here our next major release will be beta before we go onto our mainnet 1.0 release. See info on our release cycle.