Cross-Shard Transactions in Hyperscale-rs

⏱️ Duration: 1.5–2 hours 📊 Difficulty: Intermediate 🎯 Hyperscale-rs Specific

Learning Objectives

Understand provision-based cross-shard atomicity in hyperscale-rs (no 2PC coordinator)
Map a complex Radix manifest to shards, provisioning, and coordination
See how protocol order (ShardGroupId) differs from manifest instruction order
Understand livelock prevention in cross-shard flow
Trace cross-shard flow in the codebase (types, topology, execution, provisions)

How atomic composability works (cross-shard)

The diagram in Transaction Flow emphasizes that cross-shard atomicity depends on correct order of communication and when state updates are applied. Below is the same flow as a flowchart (consistent with Transaction Flow):

Cross-shard atomic execution (provision-based; no 2PC coordinator)

1. State provisioning

When a block commits with cross-shard txs, each validator in the source shard produces and sends a StateProvision (signed proof with merkle inclusion proofs) to target shards—effectively a vote; the target aggregates 2f+1 to form a CommitmentProof.

↓

2. Provision verification

ProvisionCoordinator on each node receives provisions, verifies QC signature and merkle proofs against the committed state root, and tracks quorum per required shard. When it has quorum from every required shard, it marks ProvisioningComplete.

↓

3. Deterministic execution

With provisioned state, validators execute the tx and create an ExecutionVote (merkle root of execution results).

↓

4. Vote aggregation

When 2f+1 voting power agrees on the same merkle root, an ExecutionCertificate is created and broadcast to remote participating shards.

↓

5. Finalization

Validators collect ExecutionCertificates from all participating shards. When all are received, a TransactionCertificate is created. Atomicity comes from this provision + vote + certificate flow; there is no separate 2PC coordinator in hyperscale-rs.

Hyperscale-rs uses a provision-based atomic execution protocol (execution crate: five phases above). There is no 2PC coordinator—no prepare/commit/abort round. Atomicity is achieved by StateProvisions from source shards, ProvisionCoordinator checklist, then execution and certificate aggregation.

ProvisionCoordinator (the only coordinator in cross-shard flow)

In hyperscale-rs, cross-shard flow has one coordinator concept: ProvisionCoordinator (provisions crate). There is no 2PC coordinator; the code uses the five-phase provision-based protocol above.

ProvisionCoordinator (provisions crate). A sub-state machine on every node, not a single elected node. After a shard commits its block (with part of a cross-shard tx), each validator in that shard produces a signed proof (StateProvision) and sends it to other shards. ProvisionCoordinator on each node keeps a checklist: "For this tx, do we have quorum of provisions from shard 1? From shard 2? …" (required_shards = all other participating shards). When it has enough from every required shard, it emits ProvisioningComplete so the execution crate can proceed (Phase 3–5). So it answers "can this shard complete its part?" — we have the proofs we need from prerequisite shards.

Nuance: Why "centralized" ProvisionCoordinator? The provisions crate doc calls it centralized in the sense that on each node, one sub-state machine (ProvisionCoordinator) owns all provision tracking and verification for that node—instead of scattering that logic across execution, BFT, and mempool. There is no single network-wide coordinator; each validator runs its own ProvisionCoordinator. Pros: Single place to join provisions with remote headers, verify QC + merkle proofs, and emit ProvisioningComplete; consistent with execution crate (which registers and waits on it); livelock can query txs_with_provisions_from in one place. Cons: All provision state and verification complexity lives in one component per node; backpressure for cross-shard txs is handled by mempool (which calls has_any_verified_provisions), not inside the coordinator—so the design splits "have we got provisions?" (provisions crate) from "should we relax limits?" (mempool).

State Provision flow (same style as Transaction Flow): After a shard commits its block, each validator in that shard produces a signed proof (StateProvision) and sends it to other shards. ProvisionCoordinator on each node tracks whether it has quorum of provisions from each required shard; when complete, it emits ProvisioningComplete so execution can proceed.

Multi-shard finality in rounds: Yes — a multi-shard tx is effectively finalized in multiple rounds, one per shard that holds a part of it. Shard 0 finalizes its block (and thus its part of the tx and the outgoing receipt); each validator in Shard 0 then sends a StateProvision (attesting to that receipt/state) to Shard 1. Shard 1 can only complete its part after it has those provisions; when Shard 1’s block that applies the receipt is finalized, that part is final too. So each “round” is a block finalized on one shard. The transaction as a whole is finalized only when every such block (on every involved shard) is finalized.

Provisions / ProvisionCoordinator

1. Shard commits block

A shard finalizes its block containing (part of) a cross-shard tx.

↓

2. Produce StateProvision

Each validator in the source shard produces a StateProvision (signed proof of the state it wrote) and sends it to the target shards.

↓

3. ProvisionCoordinator checklist

On each node, ProvisionCoordinator (provisions crate) keeps a checklist: for this tx, do we have quorum of provisions from shard 1? From shard 2? … (required_shards = all other participating shards).

↓

4. ProvisioningComplete

When the node has provisions from every required shard, it emits ProvisioningComplete so execution can proceed. Shard 3 cannot finish its view of the cross-shard tx until it has proofs from shards 1 and 2.

Multiple source shards: A target shard can have multiple source shards. Example: tx touches shards 0, 1, 2; shard 2’s step depends on both shard 0 and shard 1. Then required_shards for shard 2 = {0, 1}. ProvisionCoordinator on shard 2 waits until it has quorum of provisions from shard 0 and quorum from shard 1. Those provisions can arrive in parallel (in any order); it is not “first shard 0, then shard 1.” As soon as the checklist is complete (every required shard has delivered quorum), ProvisioningComplete fires.

How is the order fixed? Order is determined by a deterministic rule (e.g. by ShardGroupId): consensus_shards, required_shards, and certificate collection all use the same ordering so every node agrees. There is no separate coordinator that "drives" prepare/commit—atomicity is achieved by the provision-based protocol (phases 1–5 above).

How is order determined for composite (cross-shard) transactions? In the Radix manifest, instructions are in a fixed order (e.g. withdraw from A → split → put in staking vault → put in LP → return IOUs). The Radix Engine runs those instructions sequentially when executing; data dependencies are implicit (instruction 2 sees the result of instruction 1). For Hyperscale (consensus), the transaction is turned into a RoutableTransaction by instruction analysis (crates/types/src/transaction.rs): the manifest is walked and every NodeId read or written is collected into declared_reads and declared_writes. Those are sets (deduplicated); instruction order is not preserved at the consensus layer. Shard sets are then derived: consensus_shards = unique shards of declared_writes; provisioning_shards = shards of declared_reads that are not write shards. Both are stored in BTreeSets, so the protocol order is by ShardGroupId (numeric). So: we do not derive "Account_A shard first, then Staking_VAULT shard, then LP shard" from the manifest order—we get a deterministic order by shard ID. Prerequisites are enforced by provisions: a shard that needs remote state (reads from another shard) must receive quorum of provisions from that shard before it can complete; which shards are "required" is the set of all other participating shards. Parallelism: each shard runs BFT and execution independently; cross-shard atomicity is achieved by provisioning (quorum of StateProvisions from each required shard via ProvisionCoordinator) and then execution and certificate aggregation—no 2PC coordinator in hyperscale-rs. Refs: crates/types/src/topology.rs (consensus_shards, provisioning_shards, all_shards_for_transaction), crates/types/src/transaction.rs (analyze_instructions_v1 / analyze_instructions_v2).

See the Transaction Flow diagram for the full step-by-step from user to finality.

Example: complex Radix manifest and Hyperscale provisioning

Consider a composite transaction that splits funds from a user account into staking and liquidity:

# Simplified Radix-style manifest (conceptual)
1. CallMethod(Account_A, "withdraw", XRD, amount)     # → NodeID_Account_A, vault
2. TakeFromWorktop(XRD, amount)
3. SplitBucket(amount1, amount2)                        # worktop
4. CallMethod(StakingVault, "stake", bucket1)          # → NodeID_Staking_VAULT
5. CallMethod(LiquidityPool, "contribute", bucket2)    # → NodeID_LP_COMPONENT
6. CallMethod(Account_A, "deposit", staking_IOU)        # → NodeID_Account_A
7. CallMethod(Account_A, "deposit", lp_IOU)             # → NodeID_Account_A

Radix Engine: Runs these instructions in order. Data flow is implicit (e.g. step 4 uses the bucket from step 3; step 6–7 deposit what step 4–5 returned).

Instruction analysis (Hyperscale): The manifest is walked and every NodeId read or written is collected into declared_reads and declared_writes (crates/types/src/transaction.rs: analyze_instructions_v1 / analyze_instructions_v2). The result is sets (no duplicate NodeIds—each node appears at most once); instruction order is not preserved at the consensus layer. Assume:

declared_writes: Account_A, Staking_VAULT, LP_COMPONENT (and possibly resource/vault NodeIds)
declared_reads: any read-only touched nodes (e.g. package, resource type)

Shard mapping (topology): Each NodeId maps to a shard via shard_for_node(node_id, num_shards) (crates/types/src/topology.rs). Suppose Account_A → shard 1, Staking_VAULT → shard 2, LP_COMPONENT → shard 3. Then:

consensus_shards = {1, 2, 3} (unique shards of declared_writes), ordered as 1, 2, 3 (BTreeSet by ShardGroupId).
provisioning_shards = read-only shards (if any) not in that set.
all_shards_for_transaction = consensus ∪ provisioning, again in shard-ID order.

Provisioning and coordination:

The tx is sent to shards 1, 2, 3 (step 6 in the tx flow). Each shard runs BFT and execution for its part. When a shard commits its block containing this tx, it produces a StateProvision (signed proof of the state it wrote) and sends it to the other shards.
ProvisionCoordinator on each node (e.g. on shard 3) keeps a checklist: “Do we have quorum of provisions from shard 1? From shard 2?” When it has provisions from every other participating shard (required_shards in TxRegistration), it emits ProvisioningComplete so execution can proceed. So shard 3 cannot “finish” its view of the cross-shard tx until it has proofs from shards 1 and 2—that’s the prerequisite.
Execution and certificate aggregation proceed in the same deterministic order (by shard ID); there is no 2PC coordinator—only ProvisionCoordinator and the five-phase protocol.

So: the manifest defines the logical flow (withdraw → split → stake → LP → deposit); the engine runs it sequentially; Hyperscale uses shard ID order for coordination and provisions to enforce “everyone has proof from everyone else” before completion.

Order: manifest vs protocol

As above: instruction order is not preserved at consensus; protocol order is by ShardGroupId. Prerequisites are enforced by provisions; required_shards is the set of all other participating shards (start_cross_shard_execution in crates/execution/src/state.rs).

Livelock in this codebase

Livelock here means a cycle of cross-shard dependencies that would block progress: e.g. Shard A commits TX₁ (needs state from C) and Shard C commits TX₂ (needs state from A) → A is waiting on C and C on A. The livelock crate handles this:

When a shard gets a provision (proof that another shard committed a cross-shard tx), it runs cycle detection: “Do we have a committed tx that needs their state, and do they have one that needs ours?” If both are true, that’s a cycle.
To break it, one of the transactions is deferred (e.g. the one with the larger hash “loses” and is retried later). Both shards use the same deterministic rule so they agree without extra messages.
TransactionDefer / TransactionAbort and retry are in the livelock and execution crates; the mempool tracks original vs retry for status and eviction.

The simulator’s --analyze-livelocks flag reports how often such cycles occurred in a run.

Concepts in the Flow

Shards — The network is split into shards; each shard has its own validators and ordering. Your tx is assigned to a shard (e.g. by account or payload). Each shard has its own BFT consensus state: its own view number, its own block chain, and its own proposer per round. So shard A and shard B run independent BFT instances; they don't share a single global "view."
Proposer (block leader) — For each round (view), one validator in that shard is the proposer. It builds the block and broadcasts it; the other validators in the shard vote. Proposer selection is deterministic: typically a function of the current view number and the shard's validator set, e.g. proposer = validators[view % validators.len()] (round-robin by index) or by validator identity. That way everyone agrees on who the leader is without extra messages.
Validator identity (consensus) — In the consensus layer, "which validator" is identified by a validator ID (from the node's public key or protocol assignment). That identity is used for the validator set, proposer selection (e.g. round-robin), and routing. In Hyperscale-rs, types that refer to "which node" in the sense of "which validator" use this.
NodeID in Radix (on-chain) — In Radix, NodeID often means something different: it refers to addresses of on-chain entities — components, resources, packages, accounts. Those are "nodes" in the ledger's state graph (e.g. a component instance, a resource type). So: validator identity = which machine runs consensus; NodeID/address in Radix = which component, resource, or package you're talking about on the ledger. Don't confuse the two when reading Radix docs.
Cross-shard transactions & atomic composability — If a tx touches NodeIDs on different shards, it is cross-shard: sent to each involved shard (step 6); each runs BFT and execution for its part (steps 7–12). Atomicity across shards: provision-based protocol (StateProvision, ProvisionCoordinator, then execution and certificate aggregation)—no 2PC coordinator in hyperscale-rs (see "How atomic composability works" and "ProvisionCoordinator" above).
ProvisionCoordinator — See the "ProvisionCoordinator" section above. It is the only coordinator in cross-shard flow: a checklist on every node for "Do we have quorum of provisions (proofs) from each required shard?" so execution can proceed. Order is deterministic (e.g. by shard ID); there is no separate 2PC coordinator.
Finality — Once a block has a quorum certificate (2f+1 votes from that shard's validators), it is final. No reorg under normal BFT assumptions.

Quiz: Cross-shard and provisioning

Answer based on the content above. Pass threshold: 70%.