At 0530UTC on March 1st, 2019, IRISNet launched the IRISHub, the first global, permissionless, public Tendermint blockchain. We are excited to be participating in this groundbreaking part of the Cosmos Internet of Blockchains vision.
IRISNet has been aggressively developing their fork of the Cosmos SDK for more than a year, and over the past few months they have been shipping relentlessly. In contrast to the large and high profile Cosmos Game of Stakes, IRIS has run a series of incentivized testnets, each building on the last. Figment has participated throughout the process, and earned enough IRIS to contribute to the mainnet launch as a genesis validator.
As we prepared for mainnet launch, key management was a vital concern. IRIS shares much of its code and tooling with Cosmos, so work we’ve done to prepare for Game of Stakes and the upcoming Cosmos launch was mostly portable. However, up until a week before launch, IRIS did not have support for hardware key management of account or validator signing keys. With a few days to spare, Adrian Brink of Cryptium Labs contributed code to port the open source Tendermint KMS and Ledger Nano-S support over to IRIS, and the core team decided to postpone the launch by a few days in order to give validators time to integrate and test the hardware solutions. This valuable contribution from Cryptium has greatly improved the security of IRISHub.
The decision to use the Ledger Nano-S to store and manage IRISHub account keys was easy. The Cosmos app for the Ledger is relatively mature and we view the Ledger as a well proven tool for managing user accounts and native coin balances. The decision regarding validator signing keys was a little more complicated. The Ledger validator app is less mature than the user account app, and while it promises double sign prevention in the Ledger’s secure hardware, there are downsides to the use of consumer hardware like the Ledger in an always on, lights out server environment. We are committed to using the YubiHSM2 enterprise HSM on the Cosmos mainnet, and if possible we wanted to deploy the same solution on the IRISHub.
Any hardware key manager depends on TMKMS, which is in active development, with new features being implemented frequently. As of this writing, double sign prevention has not yet been implemented in TMKMS. In our view it is critical that the key management system implement double sign prevention in order to protect against potentially disastrous software bugs or operational errors. We have been testing our own proprietary double sign code on Cosmos testnets, and we are confident that it’s ready for mainnet operation. After careful consideration, we decided to use TMKMS with YubiHSM2 for key storage and signing, and to deploy our own double sign prevention code.
Preparing the HSM is a fairly straight forward process. Like everything involving private keys, it is critical to avoid sloppy errors and make sure that private key material is never exposed to an online system. The HSM provides strong guarantees of key security, but only if appropriately deployed and managed. We will write up our process and review in a future post.
In preparation for launch we provisioned physical servers to run the KMS and the validator in our tier-3 IDC in Toronto. Our private network is linked to a number of cloud providers by a diverse network of private links. In support of our validator we provisioned cloud sentry nodes across 3 different service providers in Singapore, Frankfurt, Toronto and Las Vegas.
We are very pleased to say that the launch of the IRISHub went off without a hitch. The network started to produce blocks within a few minutes of genesis. The IRIS foundation helped to started the network by running large validators to ensure stability, and they are encouraging decentralization by reducing that activity as quickly as is prudent. The foundation is re-delegating to reliable validators who make contributions to the community, and we are honored to be one of the validators that the IRIS Foundation has trusted with this responsibility.
Congrats to IRISNet, and to all the validator teams who have worked long and hard to get here. We feel privileged to have played a small part the launch of the first Cosmos mainnet hub, and excited to be preparing for the launch of the Cosmos Network Hub in the coming weeks.
Next up, we’ll be writing in detail about key management, our IRISHub infrastructure, and our plans for IRISNet and Cosmos. We are working on porting Hubble to IRISHub. Expect an announcement soon!
*A note about open source — for the moment we are keeping our double sign prevention patch to TMKMS closed source. We’re confident enough to use it ourselves, but we want to test more thoroughly before making it available to others. As mentioned, TMKMS is in active development, and this feature is next up on the roadmap. The TMKMS implementation is sure to be more thorough than ours, and to fit into the architecture as a building block for the future, rather than a simple patch. If we think our patch is useful to other validators we’ll happily release it, but at this point we’re hanging on in deference to the TMKMS core contributors.