By Second Docs
Source: https://docs.second.tech/ark-protocol/forfeits-connectors/
A user's surrender transaction is a pre-signed transaction used to refresh VTXOs and exit the market, allowing Ark providers to control the user's VTXOs . Providers retain these surrender transactions but do not immediately broadcast them to the network to mitigate malicious withdrawal attempts. While a surrender transaction transfers control of a VTXO to the provider, the provider cannot immediately access the Bitcoins held within it—they must wait for the VTXO to expire.
A "connector" is a special output that provides a cryptographic guarantee that aborted transactions will only become valid transactions if the user's intended transaction is completed; such intended transactions could be:
- A new VTXO is included in a new round of transactions , and the transaction is confirmed by the blockchain.
- An exit output, which is the output of the round transaction and the transaction is confirmed by the blockchain
The result is that users can securely sign waiver transactions without trusting any third party — ensuring the entire process is atomic (either completely successful or completely unchanged), autonomous, and free of counterparty risk.
The connector ensures that Alice's abstention transaction only becomes valid after (for example) the new VTXO's round transaction is confirmed on the blockchain.
Ark internal payments do not use abandonment transactions
Ark internal payments don't involve users atomically relinquishing a VTXO to initiate a payment. Instead, the user pre-signs a new off-chain transaction with the Ark service provider, deriving a leaf from one of their existing VTXOs. If the user wishes to initiate a Lightning Payment, the Ark protocol applies custom HTLC-based spending conditions to the leaf to ensure atomic execution.
Waiver Transaction
If you are familiar with the concept of penalty transactions in lightning channels, you should already be able to imagine what waiver transactions in the Ark protocol are like.
To spend renounced stakes, each VTXO’s “ exit transaction ” (leaf) has two spending paths:
- Spend Path 1 : This path is a 2-of-2 multi-signature signed by the user (VTXO owner) and the Ark service provider. The user uses this path to sign a relinquishment transaction, transferring the bitcoins in this VTXO to the Ark service provider. Note that this spend path has no time lock. Even if the user posts an exit transaction to the network, the Ark service provider can still issue a relinquishment transaction before the user can withdraw the bitcoins.
- Spend Path 2 : This path is completely controlled by the user, allowing them to unilaterally withdraw (assuming the user never signs a relinquishment transaction). This path has a relative timelock of
60blocks (approximately 10 elapsed). This timelock is implemented in Bitcoin Script using the OP_CHECKSEQUENCEVERIFY (CSV) opcode.
- How do spending conditions in the outputs (leaves) of exit transactions support abstention operations?
Abandonment transactions are generally not published to the network
Under normal circumstances, transactions based on these two spending paths will not be broadcast to the network, even if the user wants to give up their VTXO. Instead, the Ark service provider will use an on-chain transaction to clear all funds in a round transaction after the absolute time lock of the round transaction expires (that is, clearing all funds in the VTXO based on the round transaction at once).
The user's signed waiver transaction is merely an "insurance" for the Ark service provider to deal with unusual situations where the user has already waived and then attempts to unilaterally withdraw.
How to prevent malicious withdrawal in waiver transactions
If a user attempts a malicious exit, they will first broadcast all branch transactions of their VTXO. However, once they publish the leaf transaction (exit transaction), they must wait for the relative time lock to expire before sending all funds in the leaf transaction output to an on-chain address that only they control.
In Second's Ark implementation, we anticipate setting this exit time lock to approximately 10 hours. This will give Ark providers ample time to detect malicious exit attempts and broadcast a user-signed abandon transaction; because users must wait, abandon transactions will transfer funds from exit transaction outputs more quickly.
While abort transactions provide some security for Ark providers, they are not ideal: if a malicious exit occurs, the provider can no longer withdraw all funds from the corresponding round's transaction outputs in a single transaction, requiring additional on-chain transactions. However, the on-chain fees required to broadcast multiple transactions (from branch transactions to leaf transactions) should be sufficient to dissuade users from doing this frequently!
Connectors
Now that we understand the waiver process, let's look at how the "connector" ensures the waiver process is atomic. We'll use the refresh process as an example, but the exit process is exactly the same.
The atomicity of the abstention operation is achieved by binding it to the intended round transaction. As long as the relevant round transaction has not yet been confirmed (for example, it is still in the transaction pool of each node), the abstention transaction is invalid. Even if it is broadcast, it will be rejected by nodes in the network (it will not be forwarded). Of course, when the round transaction is not confirmed, the new VTXO is not a valid value carrier!
- If the round transaction has not been confirmed by the blockchain, the abstention transaction is not a valid transaction and the new VTXO has not been generated. -
(Translator's note: This is because the abort transaction uses a small output of the round transaction, also known as a connector, as its own input. If the round transaction is not confirmed, the abort transaction is spending a non-existent input, which is invalid.)
However, as long as the round transaction is confirmed by the blockchain, the waiver transaction becomes a valid transaction and a new VTXO is generated.
- Once the round transaction is confirmed by the block, the abandonment operation and the generation of new VTXO are completed at the same time-
Optimize trace/block space usage
To save space, we want all connectors to be bundled into a single output. However, we need to do this efficiently. A single Ark round can involve hundreds or thousands of users, and a carelessly constructed connector could result in a very large (and expensive) round transaction.
The following image illustrates a poor design. Even with multiple connectors bundled into a single output, the transaction size can still bloat quickly:
Therefore, the Ark protocol uses a "connector chain"—a series of transactions where each transaction has a connector output. The figure below illustrates this well-designed bundling strategy—which ultimately results in a smaller round transaction that still embeds the data necessary to link all abort transactions.
The trade-off is that it requires more interaction: a user relinquishing a VTXO must sign a relinquishment transaction for every connector output on the chain.
In the figure below, you can see how the Ark service provider responds when a user attempts a malicious exit. For example, it must broadcast C1 and F1 to the blockchain network.
Waiver transactions and connectors only appear occasionally
Normally, only round transactions are broadcast to the Bitcoin network. Transactions from the connector chain will only appear on-chain if a user attempts to maliciously spend a relinquished VTXO.
