Known issues & limitations
Please be aware of the following limitations before running hydra-node on the Cardano --mainnet; as an incredibly technical project, Hydra in its current form requires an elevated level of understanding of the underlying infrastructure. Without the expertise required to operate a hydra-node, users may put their funds at risk if they are unfamiliar with the implementation and usage process.
Head protocol
Layer-1/Layer-2
The current transaction size on mainnet is limited to 16KB, a limitation which has the following consequences:
- The protocol can only handle a maximum number of participants in a Head (see cost of collectcom transaction). Upon startup, the hydra-node will inform you of the current configured maximum when trying to configure too many peers.
- Each party can only commit zero or one UTxO into a Head.
It's currently possible to be denied access to funds by other protocol participants at various stages in a Hydra Head because of the complexity or size of the UTxO being committed or created while the Head is open:
- The head cannot be finalized if holding more than ~60 assets (see cost of fanout transaction for latest numbers), although it can be closed
- If one or more participants commit UTxO too large to be processed together in a CollectCom or Abort transaction, the Head will be stuck in the initialising stage
- Tokens minted and not burnt in an open head will prevent it from being finalized
- Committing reference scripts from L1 to a Head is problematic and the hydra-node will prevent this should a client try to do so. Note that a Commit transaction could perfectly well be crafted outside of the hydra-node and would therefore put the Head in an uncloseable state
- Using reference scripts on the L2 is not problematic as they will be committed back on the L1 along with all the other UTxO
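
The limits listed above, together with the 100 ADA mainnet cap described in the hydra-node section, can be checked before anything is committed. The following is an added example, not part of hydra-node or its documentation: check_commits and the sample data are hypothetical, UTxO are assumed to be in the cardano-cli JSON shape, and an "asset" is assumed to mean a distinct policy/name pair.

```python
# Added example (not hydra-node code): pre-commit check against this page's limits.
# Assumption: UTxO use the cardano-cli JSON shape
#   {"<txid>#<ix>": {"value": {"lovelace": n, "<policy>": {"<name>": qty}},
#                    "referenceScript": ...}}
MAX_COMMIT_LOVELACE = 100 * 1_000_000  # hard-coded mainnet cap of 100 ADA
FANOUT_ASSET_LIMIT = 60                # "~60 assets" is approximate (fanout cost)

def check_commits(commits, mainnet=True):
    """commits maps party name -> UTxO dict; returns a list of problems found."""
    problems, head_assets = [], set()
    for party, utxo in commits.items():
        if len(utxo) > 1:
            problems.append(f"{party}: {len(utxo)} UTxO, only zero or one can be committed")
        for ref, out in utxo.items():
            value = out.get("value", {})
            # A committed reference script can leave the Head uncloseable.
            if out.get("referenceScript") is not None:
                problems.append(f"{party}: {ref} carries a reference script")
            if mainnet and value.get("lovelace", 0) > MAX_COMMIT_LOVELACE:
                problems.append(f"{party}: {ref} exceeds the 100 ADA mainnet cap")
            # Collect distinct native assets across the whole Head.
            for policy, names in value.items():
                if policy != "lovelace":
                    head_assets.update((policy, name) for name in names)
    if len(head_assets) > FANOUT_ASSET_LIMIT:
        problems.append(f"head: {len(head_assets)} assets, fanout may not fit")
    return problems

# Constructed sample data (not real transactions, policies or scripts).
SAMPLE = {
    "alice": {"aa" * 32 + "#0": {"value": {"lovelace": 50_000_000},
                                 "referenceScript": None}},
    "bob": {
        "bb" * 32 + "#0": {"value": {"lovelace": 150_000_000, "policy_a": {"tok": 1}},
                           "referenceScript": None},
        "bb" * 32 + "#1": {"value": {"lovelace": 2_000_000},
                           "referenceScript": {"script": "constructed"}},
    },
}

if __name__ == "__main__":
    for problem in check_commits(SAMPLE):
        print(problem)
```

The check only covers what is visible before committing; tokens minted inside an open Head and the serialized size of a UTxO still have to be watched separately.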
There are a couple of items on the roadmap around reducing the risk of losing funds in a Hydra Head:
Networking
The messages exchanged through the Hydra Network layer between participants are neither authenticated, authorized, nor encrypted, which means communications between Hydra nodes are not protected. It's advised that operators requiring confidentiality and/or identification of participants run hydra-node connected through some kind of VPN or on top of encrypted channels until this is addressed in the software (see #727).
Also, while the Hydra Head protocol guarantees safety of a participant's funds, it does not guarantee liveness, so all parties involved in a Hydra Head must be online and reactive for the protocol to make progress. This means that, should the Hydra node of one or several participants crash, become unreachable from other Hydra nodes, or be disconnected from the Cardano network, no more transactions can happen in the Head and it must be closed.
hydra-node
Independently from the Head protocol itself, the way the hydra-node is implemented has the following consequences:
- There is a hard-coded limit on the mainnet network: you can only commit up to 100 ADA into the Hydra head. This is only a safety precaution and is going to be increased as we gain more experience in running Hydra heads on the mainnet.
- The internal wallet of hydra-node which is used to drive Hydra protocol transactions requires a UTXO to be marked as "fuel" (see user manual
hydra-tui
The TUI crashes when the user tries to post a new transaction without any UTXO remaining.
Recipient addresses to send money to in the TUI are inferred from the current UTXO set. If a party does not commit a UTXO or consumes all its UTXO in a Head, it won't be able to send or receive anything anymore.