Can bonded validators be slashed for infractions more than an unbonding period in the past? #1022

Closed
cwgoes opened this issue May 18, 2018 · 9 comments


@cwgoes
Contributor

cwgoes commented May 18, 2018

I'm not clear on the exact conditions under which a validator can be slashed. Two options:

  1. While bonded or unbonding, a validator can be slashed for any infraction which took place while they were bonded (including e.g. a double signature of a four-week-old block discovered now, as long as the validator is still bonded).
  2. A validator, regardless of bonding status, can only be slashed for an infraction discovered less than a bonding period after it was committed (so a double-signature of a four-week-old block discovered now would not cause a validator to be slashed).

@ebuchman
Member

Are these mutually exclusive?

We definitely want (2), so we can get people in their unbonding period, but if someone hasn't unbonded and they equivocated longer than the unbonding period ago, we could still punish them.

Only thing is Tendermint keeps a parameter which is how far back evidence can come from to prevent DoS.

@cwgoes
Contributor Author

cwgoes commented May 18, 2018

The difference is whether or not bonded validators can be slashed for equivocations more than a bonding period in the past at the time of discovery.

We certainly can punish still-bonded validators for older infractions; IIRC one concern discussed in the validator working group was dealing with compromised signing keys. If we always impose a limitation of a bonding period on slashing, validators who rotate their signing keys (and stay bonded) don't need to worry about the security of keys last used more than a bonding period in the past. Without that limitation, they need to keep all past keys secure until they unbond.

edit: see Zaki's comment

@zmanian
Member

zmanian commented May 21, 2018

If we can incentivize validators to destroy keys after rotation, it decreases the subjectivity of the chain.

@cwgoes
Contributor Author

cwgoes commented May 22, 2018

> If we can incentivize validators to destroy keys after rotation, it decreases the subjectivity of the chain.

Agreed. Do you think the best way to incentivize this is by not having a 3-week limit? That way validators who rotate and delete old keys approximately every bonding period can maintain the same level of assurance (assuming they delete their keys correctly!), and choosing not to delete their old keys incurs risk.

@cwgoes
Contributor Author

cwgoes commented Jun 5, 2018

Limited somewhat by the necessity of ignoring evidence past a certain age in Tendermint to prevent spam, but we could still elect to slash bonded validators for infractions more than a bonding period and less than the Tendermint limit.
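
An added example, not part of the thread or the SDK's code: the two options from the opening comment, combined with the Tendermint evidence-age cutoff mentioned above, modeled in Go. The `Slashable` function, the `Policy` and `Status` types, and the 42-day cutoff are assumptions made for illustration; the 21-day unbonding period follows the "3-week limit" in the thread.

```go
package main

import (
	"fmt"
	"time"
)

// Constructed parameters for illustration; not taken from the SDK or Tendermint.
const (
	unbondingPeriod = 21 * 24 * time.Hour // the "3-week limit" from the thread
	maxEvidenceAge  = 42 * 24 * time.Hour // hypothetical Tendermint evidence cutoff
)

type Status int

const (
	Bonded Status = iota
	Unbonding
	Unbonded
)

type Policy int

const (
	Option1 Policy = iota // slash while bonded or unbonding, whatever the age
	Option2               // slash only if discovered within one unbonding period
)

// Slashable reports whether evidence of the given age (infraction to discovery)
// leads to a slash for a validator with the given status at discovery time.
func Slashable(p Policy, s Status, age time.Duration) bool {
	if age > maxEvidenceAge {
		return false // Tendermint drops the evidence before the application sees it
	}
	if p == Option1 {
		return s == Bonded || s == Unbonding
	}
	return age < unbondingPeriod
}

func main() {
	week := 7 * 24 * time.Hour
	for _, age := range []time.Duration{2 * week, 4 * week, 8 * week} {
		fmt.Printf("bonded, age %v: option1=%v option2=%v\n",
			age, Slashable(Option1, Bonded, age), Slashable(Option2, Bonded, age))
	}
}
```

The options only disagree for a still-bonded (or unbonding) validator whose infraction is older than the unbonding period but younger than the evidence cutoff, which is the window where the security of rotated signing keys matters.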

@cwgoes
Contributor Author

cwgoes commented Aug 17, 2018

Tabled to post-launch, see #1378.

@cwgoes cwgoes removed their assignment Aug 29, 2018
@jackzampolin
Member

Is there utility in continuing this discussion?

@cwgoes
Contributor Author

cwgoes commented May 28, 2019

> Is there utility in continuing this discussion?

I think there's a lot of utility in having a general incentive discussion; I suspect our current incentives are not perfect (in many ways, this is perhaps one of them). I don't know if it really belongs on the SDK repo though.

@jackzampolin
Member

Closing this as out of scope for the SDK repo. Moving to Gaia.
