AMA with Gym

Recently Elaine Egan, our Senior Brand Ambassador, sat down with Gym, Solar Core lead developer, to talk about Solar Core and its importance.

Elaine prepared a few questions for Gym by way of an introduction to the topic.

Elaine's Questions

Q: Gym, can you introduce yourself to the community and explain what it is you do for the Solar project? What does it mean to be Core lead developer?

A: Hi, I am the lead developer for Solar Core, which means it is my responsibility to build the Solar Core blockchain, along with the other Solar Core developers. In real terms that means I write the features you guys ask about, like adding NFT support and things like that. Since I am the lead, it also means I review the work of others to make sure everything works properly and does not introduce any bugs or security weaknesses into Solar Core.

Q: Can you give us an idea of what Solar Core actually is? Its importance to the project? Maybe explain it to me like I’m five.

A: Solar Core is the beating heart of Solar! There could be no Solar without Solar Core. Its importance cannot be overstated. It is an application that is run on servers, and it hosts the entire blockchain. It stores the blocks and transactions, verifies them to make sure they are valid, and it is what the desktop wallet and other services connect to in order to operate via the Public API. Since you are only 5, you might need an explanation that the Public API is a service used by people and programs to interact with the blockchain.

Q: Can you tell us what programming languages Solar uses and why they were chosen? Maybe you could explain their pros and cons. Have you considered using other programming languages such as Rust or Go?

A: It is written in TypeScript, with client and crypto libraries also available in Python. Really, we did not decide the language, because Solar is a fork of ARK, which used TypeScript. It was originally written in JavaScript, but TypeScript gives many more pros, such as static typing so bugs can be found much more easily. The language is also extremely popular, often taught in web development classes, and with that we can get more eyes on the code and contributors building on it using a language they are familiar with. Python is also taught at schools and features in hackathons, so it is an obvious fit for the libraries as well. A con is that it is not the fastest language in the world, but we use native bindings for computationally expensive procedures like cryptography, which makes it much faster. We have not considered using other languages for Solar Core, firstly because those are not what our Core developers specialise in, and as mentioned, we inherited code from ARK which was not written in them.

Q: We noticed that the Solar Core GitHub repository has not had as much activity as usual. Can you explain to me why please?

A: Well, Solar Core 4.x is fairly stable now so it’s full steam ahead working on 5.0, which will be a huge update. We recently opened up a public 5.0 branch on GitHub where completed changes can be showcased to the public, but at the moment most of the work is taking place in private repositories for strategic reasons as there are so many huge new changes and features, a lot of parallel development is taking place and until all the pieces fit together, they won’t be seen in the public repository. But when they do, everyone will be able to understand how monumental it is and they will see that Solar Core 5.0 is, without a doubt, one of the most advanced TypeScript based blockchains in existence. Previous versions of Core will look geriatric by comparison.

But as well as Core development, some of my time has been taken up with writing because I was recently commissioned to write a security and analysis report for Solar Core. It explains Solar’s backstory with ARK Core, how it has been modified and improved in a security context, outlining the flaws in ARK Core and how Solar Core has resolved them. The report was finalised last weekend and although I am not privy to external discussions, I believe it was submitted to business partners to give them reassurance about the long-term viability of the blockchain platform, perhaps with a view to potentially support staking and other very interesting features in the future.

I don’t have clearance to publicly publish the report at the moment, but as soon as I do, it will be made available for everybody to read. I think it will be interesting because a lot of people — notably the very active Turkish and Korean groups — often ask questions about the security of Solar Core. It gives a detailed insight into that as well as some previously unrevealed information about some of the features planned for Solar Core 5.0. When I say it is detailed, I really mean it. It’s 72 pages.

Q: What excites you the most about working with blockchain technology and specifically Solar Core?

A: Blockchain technology brings us openness, transparency and immutability. It is a permanent ledger. It opens the doors for many innovations and possibilities, but also makes life much simpler in so many ways. Knowing there is an audit trail for absolutely everything, for example, it will soon unfortunately be time once again to file my annual taxes and I don’t have to worry about misplacing an invoice and then accidentally failing to declare something, because I can quickly and easily see every transaction for any time period by consulting the blockchain. And this can be automated, making it a literal 5-minute job.

In particular with Solar Core, we are lucky that we have an energised community, especially some of the local country groups on Telegram, which is quite rare among many delegated proof of stake networks which are more like ghost towns these days. Like all communities, there are different viewpoints, and it is certainly not an echo chamber (and that is definitely a good thing). But more importantly, it is motivational to see that people care, they are there and mostly appreciating what we do.

Speaking of communities, and I appreciate this is tangential, so bear with me…

There is something that I feel has to be said. Yesterday we disclosed an unfortunate incident affecting the BEP20 to SXP mainnet coin swap. In some crypto communities, you might have expected a panic or a riot, but our amazing community remained calm, understanding that everything is well under control, it has been handled, there was no breach of security, no risk to user funds and no long-term damage whatsoever. Ironically, the only shred of negativity yesterday came from an ARK delegate in the ARK discord server who, armed with absolutely no knowledge of the subject outside of the published announcement, made a particularly disparaging and completely misinformed comment about the situation, and added a factually untrue allusion about the Solar Core developers who were not involved in the incident whatsoever. It is very unfortunate that an apparent tribal rivalry seems to be emerging between ARK and Solar, rather reminiscent of another grudge they hold with Lisk. I really don’t wish to dwell on this for long, since this is a Solar AMA, but since several of our own delegates who will be in this audience tonight witnessed his remarks that brought into question the topic of trustworthiness, alluding that ARK Core developers are somehow more “honest” than Solar Core developers, I think it is my duty to respond more fully, and I choose this place to do it rather than ARK’s discord server because I have always been respectful in that place, keeping references about Solar to a minimum, since nobody likes to see someone continually talking about another project on their own turf.

Now, as you know, I am the lead developer of Solar Core. I am a Core developer. There are two other developers that also work on Core at the moment, so colloquially they are also Core developers in a group that I coordinate. I don’t intend for this to turn into an attack piece on ARK, but when one of ARK’s delegates — therefore a representative of that network — makes unfounded statements or indirectly implies falsehoods about our Core developers, i.e., either myself or any of the developers that I manage, they must not and will not be left unchallenged, and it is my obligation to rebut them fully and robustly. And since it is about “honesty”, let me briefly tell a story that happened to ARK a few years ago. In late 2018, I discovered an “unlimited money” bug in ARK Core. That could have been used to mint as many unauthorised ARK coins as I wanted, potentially grossly inflating the supply and destroying the project. Of course, I did the right thing and did not abuse it. I have always been white hat, so I reported it to the developers. I remember staying awake all night so that I could be online to liaise with them as soon as they came online the next day. I demonstrated the vulnerability to Rok Cernec (a really great guy, by the way — happy birthday for tomorrow if you read this), who put me in touch with their lead developer at the time, Brian Faust. One of the first things Brian asked was how he could possibly write a Git commit message without revealing what had happened. Then, several of us, myself, @biz_classic and his business partner “Moon” had to fight behind the scenes with their team in Slack just to get them to publicly disclose vulnerabilities and to set up a public security vulnerability repository to keep a record of disclosures.

Contrast that with Solar, where we don’t try to brush things under the carpet and there are no lingering doubts about what happened. All the circumstances and actors are fully known, none of which were involved with Solar Core in any way, and an immediate disclosure was made which was transparent and as detailed as legally possible at the time. I have a feeling that more questions might pop up about this incident, so I will park the discussion about it for now. However, looping back to what I said earlier about the security and analysis report I wrote for Solar Core, reading between the lines of the subsequent messages I’ve received from people at ARK, it is crystal clear that one or more recipients of the report forwarded it to them and empirically we can confirm this by observing recent pull requests that popped up in their ARK Core repository, addressing a very specific issue raised in the report. Subsequently, and again based on the private comments, behaviour and actions of a specific ARK employee, combined with original research, it is evident that multiple exchanges have suspended deposits and/or withdrawals of ARK due to the very critical nature of some of the vulnerabilities and weaknesses that the report highlighted as being fixed in Solar but still existing in ARK, despite all security concerns having been reported to ARK many months, and in some cases, years ago.

But, when the community — oblivious to the real reason — asked them why deposits were closed, the only public response given was that “maintenance happens all the time”.

I think that speaks volumes about the matter of honesty and transparency, don’t you?

With that said, and apologies for going off on a tangent there, let’s focus on Solar. Let ARK be ARK, we wish them success in whatever they do, and even if that is not reciprocated, our door remains open for constructive collaboration. I will continue to remain respectful to them by not divulging any of the many open security issues that remain in their product until I receive clearance to do so, but I won’t spend any more of my time on them in this AMA.

Q: Can we touch on this a little more, the incident you just mentioned? You recently shared a document with the community concerning unauthorised BEP20 swap transactions. We understand that due to legal reasons you cannot divulge too much information, but can you please outline to the community what happened and what steps have been put in place to prevent this happening again?

A: Yes, I can elaborate in a bit more detail beyond the original announcement now. When someone swaps their ERC20 or BEP20 tokens to mainnet SXP coins, the Solar nodes have to perform a cross-chain check to make sure the swap details are valid. Since Solar nodes do not contain the full BSC and ETH transaction data, as that would be impractical due to their huge size, the swap system must request data from other servers which do contain full copies of the BSC and ETH transaction data. Unfortunately, a BSC server was manipulated to report that some non-existent transactions really did exist, and this information was passed to the swap system which believed that they existed based on this data.

For a timeline, we became aware of the issue at 18:19 UTC on 29th November. The swap infrastructure was immediately disabled at that point to prevent additional unauthorised activity. By 18:45 UTC, we had ascertained how it had happened, and by 19:22 UTC, the full details were known to us, such as who did it, how they did it and how much SXP was affected.

The affected server has been forensically isolated to preserve evidence and we will continue to follow the legal process until its conclusion, in which we expect to recover the SXP. In the event that this occurs prior to the close of the swap window, it will be re-added to the Swap Wallet. If it occurs after the swap window has closed, I expect that the amount would be burned. In the extremely unlikely event that the eventual recovery is incomplete, there is a separate contingency plan which I cannot publicly discuss at the moment, which will also reduce the supply to the level it would have been without these unauthorised swaps.

Owing to the fact that the server has been forensically isolated, and the provisioning of a new server will take some time due to the large requirements and time to sync, the swap service will remain offline until further notice. One unfortunate side effect of this is that it is currently not possible to synchronise a new Solar node to the mainnet since it will not be able to verify the previous swaps, however we can provide instructions in Discord if anybody needs to do this until a new Core release is made in the next days to address this.

To answer your question about the steps taken to prevent this happening again, let me explain that the day-to-day management of the server had been delegated to an outside third party with experience of handling large blockchain nodes with pruning and other matters that are necessary to maintain those types of blockchain nodes. Any other servers used for anything associated with Solar that were also handled by this third party have been securely destroyed and cleanly reprovisioned. All servers used for anything associated with Solar are now under the exclusive control of Solar, with appropriate access controls.

Additional safeguards will be established before the swap system is reactivated to ensure this cannot happen again, even in the event of a compromised server in the future. More details will be shared with the community prior to the resumption of the swap system.

Having a decentralised swap system that relies on data from another blockchain network means that the system is only as good as the information that is fed to it, and unfortunately on this occasion it was fed manipulated data. While operational changes have been made to ensure that this cannot occur again, with additional changes also planned for the future prior to the reactivation of the swap system, it is worth mentioning that it was a requirement from a major stakeholder that the swap system must be run in this decentralised manner rather than a centralised swap system as seen on other platforms, which also carry their own risk of exploitation for different reasons such as social engineering, mnemonic theft or simply going rogue. Nevertheless, I think this incident highlights the fact that we need to permanently close the swap window sooner rather than later and I am advocating that a date should be announced in the near future at which point no more swaps will be accepted.

It is worth mentioning once again that this was not a hack or breach of Solar Core’s security, or that of the Solar Network mainnet.
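
The cross-chain check described in the answer above accepted what a single upstream BSC server reported. As an added illustration (not Solar Core code, and not the safeguards Solar plans, which the AMA does not specify), this TypeScript example accepts a swap only when several independently operated data sources agree on it; every name, the policy values and the sample reports are constructed assumptions.

```typescript
// Added example: hypothetical types and names, not Solar Core's swap code.
interface SwapClaim { txHash: string; swapAddress: string; amount: string }

// What one independently operated BSC/ETH data source says about the claim.
interface SourceReport {
  source: string;        // operator label; one vote per operator
  found: boolean;        // does this source hold the transaction?
  blockHash?: string;
  recipient?: string;
  amount?: string;
  confirmations?: number;
}

interface Policy { minSources: number; minConfirmations: number }
interface Decision { accept: boolean; reason: string }

// Pure decision step: fetching the reports is I/O and happens elsewhere.
// Fails closed: any missing, short or dissenting report rejects the swap.
function verifySwap(claim: SwapClaim, reports: SourceReport[], policy: Policy): Decision {
  const bySource: Record<string, SourceReport> = {};
  for (const r of reports) bySource[r.source] = r; // collapse repeat answers
  const votes = Object.keys(bySource).map((k) => bySource[k]);
  if (votes.length === 0 || votes.length < policy.minSources) {
    return { accept: false, reason: "insufficient independent sources" };
  }
  for (const v of votes) {
    if (!v.found) {
      return { accept: false, reason: `${v.source} has no record of ${claim.txHash}` };
    }
    const sameTransfer =
      (v.recipient || "").toLowerCase() === claim.swapAddress.toLowerCase() &&
      v.amount === claim.amount;
    if (!sameTransfer) {
      return { accept: false, reason: `${v.source} reports different transfer details` };
    }
    if ((v.confirmations || 0) < policy.minConfirmations) {
      return { accept: false, reason: `${v.source} has too few confirmations` };
    }
  }
  const block = votes[0].blockHash;
  if (!block || votes.some((v) => v.blockHash !== block)) {
    return { accept: false, reason: "sources disagree on the containing block" };
  }
  return { accept: true, reason: "all sources agree" };
}

// Constructed sample data (placeholder hashes and addresses, not real values).
const policy: Policy = { minSources: 3, minConfirmations: 15 };
const claim: SwapClaim = { txHash: "0xTX_PLACEHOLDER", swapAddress: "0xSWAP_PLACEHOLDER", amount: "1000" };
const ok = (source: string): SourceReport => ({
  source, found: true, blockHash: "0xBLOCK_PLACEHOLDER",
  recipient: "0xswap_placeholder", amount: "1000", confirmations: 40,
});
// One manipulated source vouches for a transaction the other two never saw.
const manipulated: SourceReport[] = [ok("operator-a"), { source: "operator-b", found: false }, { source: "operator-c", found: false }];
const consistent: SourceReport[] = [ok("operator-a"), ok("operator-b"), ok("operator-c")];
console.log(verifySwap(claim, manipulated, policy));
console.log(verifySwap(claim, consistent, policy));
```

The sources only add protection if they are run by different operators on separate infrastructure; three endpoints behind one administrator are still one point of trust.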

Community Questions

The Telegram channel was opened up for the community so they could have an opportunity to ask Gym questions about Solar Core.

Q1: Will the updated Solar Ledger Protocol be included in Core 5.0?

A: Yes.

Q2: There are many L1 blockchains available today that offer both decentralisation and scalability, so what makes Solar unique and why would developers build their apps on SXP instead of other blockchains?

A: Solar will be one of the most advanced and easily accessible blockchains to build on. At the moment you can already build plugins in JavaScript/TypeScript, as mentioned earlier this is a very popular programming language with a lot of utility. But also in the future those familiar with Solidity will also be able to do that, giving the best of everything. All while being a decentralised, eco-friendly and sustainable blockchain.

Q3: When will SLP be released, and can you give information about it?

A: SLP in its original form will not be implemented, but a more advanced version of the same concept will ship with Core 5.0.

Q4: Will NFT support be in 4.XX or 5.XX?

A: 5.0.

Q5: When will we see projects developing on the ecosystem?

A: I don’t believe that “if we build it they will come”. I believe once it is built, we have to be outwardly attractive to encourage them to come. That starts with firstly getting Core 5.0 out of the door, and then I know we already have some great community developers here already who I am sure can build great things like @biz_classic, @mtaylan, @osrnx, emsy and others, getting Solar’s name out there, and then natural adoption can follow.

Q6: How would you recommend that TypeScript developers could get started with Solar?

A: Read our docs, get acquainted with testnet, join Discord and show us what you can do. We don’t want to just see empty words from people promising the earth. Show us what you can really do, and we’ll take it from there.

Q7: Will Solar Core 5.0 make it easier for developers to store and link data to on chain wallets which then can be used in projects such as games?

A: Probably. The specification is still in flux to some extent which means it can be adapted for use cases, much like how we added the memo to all transactions at the request of @hp_pj a while ago. Reach out and we’ll see what we can do.

We thank Gym and Elaine for this AMA. Follow our various channels for more news.

Twitter: https://twitter.com/SolarNetwork
Medium: https://blog.solar.org
Telegram: https://t.me/Solar & https://t.me/@Solar_Network
Facebook: https://www.facebook.com/OfficialSolarNetwork
Instagram: https://www.instagram.com/solarnetworkofficial/
LinkedIn: https://www.linkedin.com/company/solarnetworkofficial
Discord: https://discord.solar.org
Website: https://solar.org