Off Chain Agents

The Synapse Interchain System has 3 different kinds of off-chain agents.
  • Notary - Attests to the validity of snapshots submitted by guards.
  • Guard - Submits snapshots of the state of the network to Origin contracts, watches for fraud.
  • Executor - Executes completed messages on the destination chain

Deployment

Right now, the easiest way to deploy the agents is with our helm charts available on artifact hub. Work is being done on a one-click devnet in the meantime that uses docker-compose instead of helm.
Making Changes
Because of the careful incentives around speed & security implicit in the system, it's likely client diversity will emerge very quickly. To enable this, the codebase exports as much functionality as possible through godoc (including our e2e go-based contract testing suite in ethergo & custom github actions to minimize the probability of issues.
Devcontainers are built daily to enable one click runs from github codespaces for any developer interested in contributing to or hacking on the synapse interchain network standard.
Developers can reach out through GitHub issues or the Synapse Discord with questions.

Security

Supply Chain Security

Similarly to contract security, a number of automated & manual systems are used to minimize risks of root of trust compromise when running any of the off-chain agents.
These include:
  • Snyk, Sonarqube and Codeql are all used for static analysis + dependency analysis on every pull request and issues are carefully reviewed.
  • Software Bill of Materials are exported with every release & scanned continuously
  • All containers are built using either distroless or scratch containers in order to minimize the risk of supply chain attacks on docker images.
  • All binaries are built using a custom goreleaser image to avoid supply chain attacks in builder images

Devops security

We've also taken extraordinary steps to ensure users have a secure deployment environment for offchain agents. This has included the creation of 3 different terraform providers aimed at using workload identity authorization for private key management:
  • Terraform-kubreproxy-provider: Allows the configuration of kubernetes clusters through terraform while utilziing an iap bastion host (something previously impossible)
  • Terraform-helmproxy-provider: Allows the configuration of deployment of helm charts while utilziing an iap bastion host (something previously impossible)
We've also open-sourced workload-identity based Ethereum ECDSA signers for both GCP and AWS.

RPC Security

One other root of trust in any interchain system is the place data is being received from the origin chain. To this end, we built OmniRPC, a way to specify a threshold of different RPC providers that need to return the same data about a query before it's trusted.
Operational Security
In order to enable operators of off-chain agents to operate as seamlessly as possible, extensive work has been done around the introduction of distributed tracing through otel + jaeger to quickly identify & remediate any issues that might result in slashing of offchain agents. This includes a custom pyroscope + Jaeger image for especially hard to find issues + dockerized tracing.
Additionally, all modules export metrics via Prometheus + Grafana to make setting up alerts as easy as possible.
Last modified 5mo ago