
[Hackathon] brettleehari: fair-ordering a red-team of the coordination layer + the primitive that closes it#69

Open
brettleehari wants to merge 1 commit into
projnanda:mainfrom
brettleehari:hackathon/brettleehari-fair-ordering

Conversation

@brettleehari

@brettleehari brettleehari commented Jul 5, 2026


[Hackathon] brettleehari: fair-ordering — a red-team of the coordination layer + the primitive that closes it

Thesis

In an agent marketplace the sequencer sets the execution order of a batch — and whoever authors that order can extract value from it (front-running / MEV). Every coordination plugin in the tree assumes an honest sequencer: contract_net and hotstuff (merged), plus the open consensus/auction PRs (sealed-bid #5, PBFT #45, NandaQuorum #44, ResonanceBFT #58). None addresses ordering fairness — they answer who agrees and who wins, never what if the orderer is the adversary?

This PR doesn't add another "fair sequencer" (any single design breaks — I broke five). It ships a systematic red-team of the ordering design space and the one primitive that survives it, with an integrity oracle keyed on the engine's forge-proof corr — never on anything the sequencer wrote.

The red-team result (six witnesses, one theorem)

| Scheme | Who authors the order | Result |
| --- | --- | --- |
| sort commitments by hash | grinding trader (nonce grind) | pos 0 in tens of hashes, 100% — degenerates to a priority-gas-auction |
| beacon over public commits | last-mover trader | pos 0 in ~N hashes |
| beacon over private commits | omniscient sequencer (holds all commits) | pos 0 in ~N hashes |
| beacon + sequencer-commits-first | sequencer via selective inclusion | pos 0, 28/30 seeds |
| FIFO by sequencer-polled commits | sequencer via emission order | reverses arrival for free (on the real engine) |
| FIFO by self-broadcast commits | the engine (corr id) | survives — arrival order holds regardless of sequencer behavior |

Theorem (empirically witnessed): whoever authors the order exploits it. Every sequencer-authored scheme leaks. The escape is the last row — author the order with something the sequencer cannot see or forge.

Evidence scope (honest): rows 1–4 are offline red-team scripts (pure-Python, stdlib-only, deterministic), reproducible on request and detailed in the appendix — not committed, per charter (no offline deps in the diff). Rows 5–6 are proven in-repo by the committed scenario + tests (test_neutral_order_is_engine_authored_not_sequencer) — so the survivor and the break of sequencer-polled FIFO are reproducible here.

The survivor: engine-authored FIFO

Tier-1 stamps every broadcast with a monotonic, engine-assigned corr id the sequencer cannot forge (the trace has no seq field and all ts are 0.0, so corr is the only neutral order signal). Traders self-broadcast in on_start, so arrival order is authored by corr, not the sequencer — confirmed on the real engine: a predatory sequencer emitting in reverse can reorder under polling but cannot under self-broadcast, which is why the scenario uses it. The integrity validator reconstructs arrival order from the submit corrs and asserts the executed order matches.

What's in the PR

  • coordination/fifo_fair.py: FifoFairCoordination (survivor: executes in arrival order) + PredatoryCoordination (matched attacker: reorders by descending price).
  • scenarios_builtin/fair_ordering.py + scenarios/fair_ordering.yaml — 1 sequencer + 8 traders; traders self-broadcast, sequencer finalizes.
  • Two corr-keyed validators: fair_ordering_integrity (executed order == engine arrival order) and fair_ordering_no_injection (every submit executed exactly once; no censorship, no phantoms).
  • Tests — plugin units + scenario/discrimination/determinism/robustness.

The discrimination (the teeth)

Same scenario, swap one line — this ranks three plausible sequencers, not just the absent default:

| coordination: | fair_ordering_integrity | fair_ordering_no_injection |
| --- | --- | --- |
| fifo_fair | PASS | PASS |
| predatory | FAIL (reordered) | PASS (reorders, doesn't drop) |
| contract_net | FAIL (no order:*) | FAIL |

Robustness (I red-teamed my own validator)

The verdict rests on two keys, so both are validated as forge-resistant, not trusted:

  • corr (neutral order): missing / malformed / duplicate corr on a submit FAILS loudly — never silently bucketed — so a mangled corr can't collapse the order and slip a reorder past.
  • pos (execution order): must be numeric, unique, and a clean 0..n-1 bijection; gaps / out-of-range / duplicates FAIL. pos is the sequencer's claim, only ever checked against the corr-derived truth.

Guard tests: test_integrity_fails_on_malformed_corr, test_integrity_fails_on_duplicate_pos, test_integrity_fails_on_non_bijection_pos.
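As an added illustration of the validator posture described above (this is not the PR's own code; the committed validators live in the diff), the following stand-alone Python reimplements both corr-keyed checks and runs them against a constructed trace from three toy sequencers. The event shape (order:submit / order:execute events carrying corr, pos, order_id and price) and the three sequencer behaviours are assumptions made for this example, not nest_core's real trace schema; the guard conditions (malformed or duplicate corr, non-numeric or non-bijective pos, dropped or phantom executes) fail loudly rather than being silently bucketed.

```python
"""Corr-keyed ordering validators over a constructed trace (added example)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    name: str
    passed: bool
    detail: str


# Constructed submits. `corr` stands in for the engine-assigned id: it is the one
# ordering key the sequencer never wrote. (Assumed event shape, not nest_core's.)
SUBMITS: list[dict] = [
    {"type": "order:submit", "corr": 101, "order_id": "o1", "trader": "t1", "price": 10},
    {"type": "order:submit", "corr": 102, "order_id": "o2", "trader": "t2", "price": 30},
    {"type": "order:submit", "corr": 103, "order_id": "o3", "trader": "t3", "price": 20},
    {"type": "order:submit", "corr": 104, "order_id": "o4", "trader": "t4", "price": 40},
]


def _executes(order_ids: list[str]) -> list[dict]:
    """Execution events as a sequencer emits them; `pos` is the sequencer's claim."""
    return [
        {"type": "order:execute", "corr": 200 + i, "order_id": oid, "pos": i}
        for i, oid in enumerate(order_ids)
    ]


def build_trace(coordination: str) -> list[dict]:
    """Three hypothetical sequencers: arrival order, price priority, and one that
    never emits order:* events at all (a contract_net-style plugin)."""
    if coordination == "fifo_fair":
        ordered = [s["order_id"] for s in sorted(SUBMITS, key=lambda s: s["corr"])]
    elif coordination == "predatory":
        ordered = [s["order_id"] for s in sorted(SUBMITS, key=lambda s: -s["price"])]
    elif coordination == "contract_net":
        return [{"type": "cfp", "corr": 1}, {"type": "bid", "corr": 2}]
    else:
        raise ValueError(f"unknown coordination: {coordination}")
    return SUBMITS + _executes(ordered)


def _is_int(v: object) -> bool:
    # bool is an int subclass; reject it so True/False can't pose as corr or pos.
    return isinstance(v, int) and not isinstance(v, bool)


def fair_ordering_integrity(events: list[dict]) -> Result:
    """Executed order must equal the corr-derived arrival order.
    A defect in either key fails the check instead of being silently bucketed."""
    name = "fair_ordering_integrity"
    submits = [e for e in events if e.get("type") == "order:submit"]
    execs = [e for e in events if e.get("type") == "order:execute"]
    if not submits or not execs:
        return Result(name, False, "no order:* events in trace")
    corrs = [e.get("corr") for e in submits]
    if not all(_is_int(c) for c in corrs):
        return Result(name, False, f"malformed corr on submit: {corrs!r}")
    if len(set(corrs)) != len(corrs):
        return Result(name, False, f"duplicate corr on submits: {corrs!r}")
    positions = [e.get("pos") for e in execs]
    if not all(_is_int(p) for p in positions):
        return Result(name, False, f"non-numeric pos: {positions!r}")
    if sorted(positions) != list(range(len(execs))):
        return Result(name, False, f"pos is not a 0..n-1 bijection: {positions!r}")
    # Truth comes from the engine's corr; pos is only ever compared against it.
    arrival = [e["order_id"] for e in sorted(submits, key=lambda e: e["corr"])]
    executed = [e["order_id"] for e in sorted(execs, key=lambda e: e["pos"])]
    if arrival != executed:
        return Result(name, False, f"reordered: arrival={arrival} executed={executed}")
    return Result(name, True, f"executed order matches engine arrival order ({len(arrival)} orders)")


def fair_ordering_no_injection(events: list[dict]) -> Result:
    """Every submitted order executes exactly once: no censorship, no phantoms."""
    name = "fair_ordering_no_injection"
    submitted = Counter(e["order_id"] for e in events if e.get("type") == "order:submit")
    executed = Counter(e["order_id"] for e in events if e.get("type") == "order:execute")
    if not submitted:
        return Result(name, False, "no order:submit events in trace")
    dropped = sorted(submitted.keys() - executed.keys())
    phantoms = sorted(executed.keys() - submitted.keys())
    repeated = sorted(k for k, n in executed.items() if n > 1)
    if dropped or phantoms or repeated:
        return Result(name, False, f"dropped={dropped} phantoms={phantoms} repeated={repeated}")
    return Result(name, True, "every submit executed exactly once")


def validate(events: list[dict]) -> dict[str, bool]:
    """Both verdicts keyed by validator name."""
    return {r.name: r.passed for r in (fair_ordering_integrity(events), fair_ordering_no_injection(events))}


if __name__ == "__main__":
    # Reproduces the discrimination table: swap the sequencer, watch integrity flip.
    for coord in ("fifo_fair", "predatory", "contract_net"):
        trace = build_trace(coord)
        for r in (fair_ordering_integrity(trace), fair_ordering_no_injection(trace)):
            print(f"{coord:12} {'PASS' if r.passed else 'FAIL'} {r.name}: {r.detail}")
```

Running the module prints one line per (sequencer, validator) pair: the arrival-order sequencer passes both, the price-priority sequencer fails integrity but passes no-injection (it reorders, it doesn't drop), and the plugin that emits no order events fails both. Tampering with a single submit's corr or a single execute's pos on the fifo_fair trace turns the integrity verdict to FAIL with the reason in the detail string, which is the loud-failure behaviour the guard tests above are checking for.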

Scope, stated honestly

In zero-latency Tier-1, arrival order collapses to a fixed registration order, so this delivers unmanipulability (anti-MEV) — no party can alter the order — not egalitarian fairness. Real-latency first-come-first-served is the deployment reading; the fixed order is the Tier-1 model of it. Timestamp trust is engine-provided here; a real network needs trusted receipt timestamps — named, not assumed. The complete answer against a self-interested sequencer is an encrypted order flow (Shutter / Aequitas) — a privacy × coordination cross-layer step this PR points at but does not claim.

How to verify

```bash
uv run nest run scenarios/fair_ordering.yaml -o traces/fair.jsonl
uv run python -c "
from pathlib import Path
from nest_core.validators import validate_trace
for r in validate_trace(Path('traces/fair.jsonl'), 'fair_ordering'):
    print(('PASS' if r.passed else 'FAIL'), r.name, '—', r.detail)
"
# edit fair_ordering.yaml: coordination: fifo_fair -> predatory (or contract_net), re-run, watch integrity flip.
```

Determinism: same seed → byte-identical trace (test_determinism_byte_identical). make ci-local green: ruff check, ruff format --check, pyright (0 errors, strict), pytest (all pass).

Persona: market-microstructure / adversary engineer — leads with the threat model, ships the attacker beside the defender, and the validator's whole posture is "trust the engine's record, never the sequencer's narration."

Appendix: reproduce the red-team (rows 1–4, offline)

Pure-Python, stdlib-only, deterministic (fixed seeds). Not committed per charter (no offline deps in the diff); available on request. Each reproduces one witness:

  • row 1 — sort-by-hash grind: a trader brute-forces a nonce whose hash sorts first. Reaches position 0 in tens of sha256 calls, 100% of runs; with competing grinders the biggest CPU budget wins (a priority-gas-auction).
  • rows 2–3 — beacon grind: beacon = sha256(sorted(all commit hashes)), position = sha256(H_i‖beacon). A public-commit last-mover, and a private-commit omniscient sequencer, each randomize their slot per attempt → ~N tries to land position 0.
  • row 4 — selective inclusion: a commit-first sequencer drops ≤3 commits to reshuffle the beacon in its favour → position 0 in 28/30 seeds.
  • rows 5–6 (in-repo): test_neutral_order_is_engine_authored_not_sequencer proves a predatory sequencer reorders arrival under polling but cannot under self-broadcast — the survivor, on the real engine.

@brettleehari brettleehari changed the title [Hackathon] brettleehari: fair-ordering — a red-team of the coordination layer + the primitive that closes it [Hackathon] brettleehari: fair-ordering a red-team of the coordination layer + the primitive that closes it Jul 5, 2026
