Open autholykos opened 9 months ago
I generally like the proposal, especially for what concerns not punishing excessively for missed blocks and for excluding ghost provisioners from sortition.
But I'm not sure I agree with the disparity in treating provisioners with rewards and those without. Especially punishing more provisioners with rewards is kind of weird to me: we punish those who actually helped producing blocks, while we don't punish (except from the exclusion from the sortition) those who never contributed to the network.
Personally, I'd prefer to have a common treatment in all cases. With such treatment that being the exclusion from the sortition process. That is, if the provisioner misses the block, it is excluded from sortition for the rest of this epoch.
In this respect (but also in the original proposal), exclusion can be aimed at not only "removing ghost provisioners from the game" but also "punishing ghost provisioners" by having them missing future opportunities to win rewards". For the first case, disabling the stake for a certain amount of time (i.e., one epoch) is enough. But if we want exclusion to be a form of punishment, we might want to ensure the provisioner is "deprived" of the chance of producing a block (and earn rewards), regardless of whether this is going to be in this epoch or not. In other words, if he get extracted, we ignore it and extract another provisioner. This strategy would make the provisioner miss a block reward whenever this occurs.
I tend to distinguish between ghost stakes and disconnected Provisioners. The former don't actually have a node running, while the latter have had a node running and successfully participated to the consensus by generating blocks, or voting (or both), but failed to generate a block.
Especially after introducing rewards for voting, I am not quite sure whether slashing a modest amount from disconnected Provisioners' stake would be a harsher penalty compared to forcing them to inactivity for the reminder of the epoch.
I see your point. Probably slashing a small amount from the reward is indeed a milder punishment than excluding from the block generation. In this view, if a disconnected Provisioner reaches 0 rewards due to slashing (that is, it earned some rewards but than stayed disconnected for a while), it is considered as a ghost and punished with the exclusion. I think it makes sense.
Nonetheless, I would ensure that exclusion is applied even if the next extraction as a block generator is after the end of the epoch. Otherwise, a ghost provisioner that gets extracted only once per epoch would not get any real punishment (nor we would alleviate consensus from its absence). So I'd "invalidate the next 1 (or more) extractions as generator" rather than excluding for the current epoch.
Partially implemented here https://github.com/dusk-network/rusk/pull/1363
Summary
This DIP (Dusk Improvement Proposal) introduces a modification to the current slashing mechanism within the Dusk's SA consensus protocol. Specifically, it proposes that slashing for missing block generation should only affect the rewards accrued by Provisioners and, in the absence of rewards, make their stake inactive with an additional eligibility period for participation in consensus until the next epoch.
Motivation
The existing slashing mechanism for missed blocks does not adequately address the issue of ghost Provisioners —users who have staked tokens but do not actively participate in the consensus process. Some users might enable staking through their wallets but without running an active node, thus contributing to potential slowdowns or disruptions in block production.
The current countermeasure of slashing directly from the stake:
Acknowledging that nodes that have no rewards have a higher probability to be ghost stakes is a good starting point for more effective preventive measures.
Details
This proposal outlines a more nuanced approach to slashing for missing blocks that aims to maximize active participation while minimizing excessively harsh penalties:
Slashing Rewards Only: Initially, slashing will only deduct from the Provisioner's accrued rewards. This ensures that active, contributing provisioners are incentivized to maintain their participation, while those who are less active risk losing their potential earnings without immediately affecting their staked capital.
Inactive Stake for Zero Rewards: If a Provisioner has no accrued rewards at the time of a slashing event, their stake will become inactive for the remainder of the current epoch. This measure targets ghost stakes by removing their ability to participate in the consensus process until they re-qualify for active status.
Additional Eligibility Period: Provisioners whose stake has been made inactive must wait until the next epoch to become eligible again for participation in the consensus process. This waiting period serves as a cooling-off phase, encouraging users to ensure they are capable and ready to actively contribute before re-engaging.
Potential Impacts and Considerations
Network Stability: This proposal could lead to an increase in network stability by immediately removing ghost stakes and the presence of inactive nodes that contribute to block production delays.
UX: Adjusting the slashing mechanism to be less punitive for inexperienced users could remove community backlashes.
Security Considerations: It is essential to evaluate whether this change could be exploited by malicious actors. For example, Provisioners with no intention of active participation might repeatedly stake, become inactive, and re-enter, potentially disrupting consensus without significant penalties. To prevent this scenario, a variant of the current proposal could take into considerations a number of consecutive eligibility shifts (e.g. 10) before slashing the whole of an inactive stake.
Conclusion
This DIP aims to refine the slashing mechanism within Dusk to better align with the goals of network stability, security, and a positive UX. By focusing on rewards for initial penalties and introducing additional measures for inactive stakes, the proposal seeks to solve the problem of ghost stakes and foster consistent participation in the network's consensus process.