@KLoaec If I understand you correctly, 110 will break this type of miniscript decaying multisig? And this integration test in bitcoin core will fail on 110 code fork https://t.co/akHw2XKkuD?
My understanding is mitigating mining centralization vectors was the reason core loosened mempool policy in the first place, but I don't know if I’ve seen it clearly articulated. The strong push (off brand) makes me curious if there are responsibly disclosed vulnerabilities more serious than the obvious one:
- large pool collects non-standard transactions via private channels (e.g. Slipstream)
- packs block with them causing compact block reconstruction failures on nodes and increasing propagation delay
- uses delay to get head start on next block, extends hidden chain, then releases it (built with standard txns for fast relay), gaining selfish-mining advantage
- boosts pool's profitability and hash power efficiency which creates feedback loop
I haven’t paid close attention to this, have you seen this case made? And do you agree that widely adopted v30 would nip it in the bud?
Over my career I've seen a _lot_ of attempted complete rewrites of existing software, and two things have stuck out to me:
- The overwhelming majority of rewrites failed
- Of the small minority I saw succeed, almost 100% were done by the same team who wrote the original software.
We’re proud to share A Bird’s Eye View, our film produced for Bird Buddy by @BBCStoryWorks Commercial Productions as part of The Human Component series.
Bird Buddy started as a smart feeder.
Now it’s a daily ritual for families, a window into nature, and a growing source of insight for conservation.
🎥 Watch the film here: https://t.co/vvJpE7rK0Q
#TheHumanComponent #BirdBuddy
@reardencode @KLoaec @Wizardsardine Surely "proper" vaults can be implemented on Ethereum? Why do you think that hasn't happened (or at least gained traction), and instead whatever "custody solutions" they use get exploited, e.g. $1.5b bybit hack?
I understand this, the core of what I outlined is the bonded btc. As I typed all this out it made me wonder if something like this would have product market fit or be something organizations would actually want to adopt. I'm not sure, but Lowery's ideas have always been interesting to me; this is what I came up with trying to imagine practical applications.
Right now we're in a world where "some dev manager" maybe does have the power and ability to send out an OTA update to the entire fleet (and maybe it comes down to a single sig and a trusted server). Which kinda makes Lowery's point. And in the near future think Optimus, Neuralink, etc. I expect this won't cut it for the most critical "control authority" in the near future. The dev manager may coordinate the update and form the transaction, but I expect other entities will need to sign off in critical cases like these. And the funding of this transaction will not come from the signers (some SIGHASH flag and involvement from another entity to fund).
The core security improvement you can't get "traditionally" comes from staking a significant bond with this transaction. In this example the device requires a large fraction of Tesla's bitcoin reserves, 1k BTC, to be staked with the transaction to consider the associated OTA package "valid". If a malicious entity gets access to the signing keys they must control enough BTC, which they are forced to sacrifice because Tesla will claim it. For Tesla this is a lossless process. Practically speaking, leveraging bitcoin infrastructure and tooling for the signing, multi sigs, financial stakes, etc. is a major benefit because at the end of the day you have devs implementing all of this. Integrating bitcoin core and watching for certain transactions in the device's OTA manager to check a hash is simple, reasonable, and transparent. I'm being brief and leaving a lot of room to fill in gaps (e.g. custody of Tesla's bitcoin reserves is a different entity than the signers of this transaction even though it funds it).
How does Tesla "secure" an over-the-air software update to their fleet of autonomous vehicles? At minimum the update package is signed with a private key and checked by each vehicle before being applied. But if this key leaks and access is gained to server(s), can a malicious update be pushed to the fleet that enables "kamikaze mode" at a specific time for all cars? And in x years when there are millions of Optimus robots among us capable of "defense"? Given nation-state level attackers, are current security practices enough? Now imagine a lightweight bitcoin node runs independently on each device. This node watches a multi-sig of defined entities (can include regulator(s) and entities external to Tesla in this example) that must sign and stake a significant bond with the transaction that includes a hash of the update package. Now each device checks the hash of the update package it downloads from the trusted server against the hash included in the transaction (that meets all requirements enforced by device) as an additional layer of security before applying the update.
Bird Buddy introduced the Smart Bird Feeder.
It lets you experience nature with an AI-powered camera feeder that captures photos of local birds and notifies you of visitors.
@mybirdbuddy features a high-resolution camera, recyclable plastic housing, and weather-resistant design.
You can receive photo postcards on your phone and get real-time alerts.
We got a @mybirdbuddy: a bird feeder that photographs and identifies the locals when they drop by, quietly assembling a compendium of cheery avian mugshots. Strong contender for mantle of "favorite AI product".
@rodarmor Who is “they” that’s trying to activate CSV in doge? Seems to me node runners don’t care or want this, and why should they? Not being changed on a whim is a feature not a bug. Of course more centralized alts have no problem changing and upgrading