From 6c145a5ec3d28e4c71b5d5ad287cbb14367736d8 Mon Sep 17 00:00:00 2001 From: Luke Parker Date: Tue, 14 Jan 2025 11:44:13 -0500 Subject: [PATCH] Disable offline, disruptive slashes Reasoning commented in codebase --- .../primitives/src/slash_points.rs | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/substrate/validator-sets/primitives/src/slash_points.rs b/substrate/validator-sets/primitives/src/slash_points.rs index d6fd0d68..20bb4e72 100644 --- a/substrate/validator-sets/primitives/src/slash_points.rs +++ b/substrate/validator-sets/primitives/src/slash_points.rs @@ -84,12 +84,17 @@ impl Slash { - Hours 12-24 are penalized as if they're hours 12-36. - Hours 24-36 are penalized as if they're hours 36-96. - Hours 36-48 are penalized as if they're hours 96-168. + + /* Commented, see below explanation of why. - Hours 48-168 are penalized for 0-2% of stake. - 168-336 hours of slashes, for a session only lasting 168 hours, is penalized for 2-10% of stake. This means a validator offline has to be offline for more than two days to start having their stake slashed. + */ + + This means a validator offline for two days will not earn any rewards for that session. */ const MULTIPLIERS: [u64; 4] = [1, 2, 5, 6]; @@ -117,6 +122,7 @@ impl Slash { }) }; + /* let slash_points_for_entire_session = SESSION_LENGTH.as_secs() / downtime_per_slash_point.as_secs(); @@ -159,6 +165,32 @@ impl Slash { .checked_div(u128::from(slash_points_for_entire_session)) .unwrap_or(0) }; + */ + + /* + We do not slash for being offline/disruptive at this time. Doing so allows an adversary + to DoS nodes to not just take them offline, yet also take away their stake. This isn't + preferable to the increased incentive to properly maintain a node when the rewards should + already be sufficient for that purpose. + + Validators also shouldn't be able to be so disruptive due to their limiting upon + disruption *while its ongoing*. Slashes as a post-response, while an arguably worthwhile + economic penalty, can never be a response in the moment (as necessary to actually handle + the disruption). + + If stake slashing was to be re-enabled, the percentage of stake which is eligible for + slashing should be variable to how close we are to losing liveness. This would mean if + less than 10% of validators are offline, no stake is slashes. If 10% are, 2% is eligible. + If 20% are, 5% is eligible. If 30% are, 10% is eligible. + + (or similar) + + This would mean that a DoS is insufficient to cause a validator to lose their stake. + Instead, a coordinated DoS against multiple Serai validators would be needed, + strengthening our assumptions. + */ + let offline_slash = 0; + let disruptive_slash = 0; // The penalty is all slashes, but never more than the validator's balance // (handles any rounding errors which may or may not exist) @@ -225,6 +257,7 @@ fn test_penalty() { Amount(168) ); + /* // A full week of slash points should slash 2% let week_of_slash_points = 14 * twelve_hours_of_slash_points; assert_eq!( @@ -243,6 +276,13 @@ fn test_penalty() { Slash::Points(u32::MAX).penalty(validators, Amount(1000), Amount(168)), Amount(100 + 168) ); + */ + + // Anything greater should still only slash the rewards + assert_eq!( + Slash::Points(u32::MAX).penalty(validators, Amount(u64::MAX), Amount(168)), + Amount(168) + ); } }