From 98bc1948934794c5bc1fb1242dab990f771b44a4 Mon Sep 17 00:00:00 2001 From: Filippo Date: Wed, 8 May 2024 12:31:53 +0200 Subject: [PATCH] edits --- docs/learn/learn-offenses.md | 115 +++++++++++++++++------------------ 1 file changed, 56 insertions(+), 59 deletions(-) diff --git a/docs/learn/learn-offenses.md b/docs/learn/learn-offenses.md index f66238f1d4b1..d3cf4fe5c2d7 100644 --- a/docs/learn/learn-offenses.md +++ b/docs/learn/learn-offenses.md @@ -9,14 +9,14 @@ slug: ../learn-offenses :::info Content subject to change -The material provided here bases on the changes introduced by Step 2 of the _Disabling_ feature. See -[this page](https://github.com/orgs/paritytech/projects/119/views/15?pane=issue&itemId=61684472) for -more information. +The material provided here is based on the changes introduced by Step 2 of the _Disabling_ feature. +See [this page](https://github.com/orgs/paritytech/projects/119/views/15?pane=issue&itemId=61684472) +for more information. ::: {{ polkadot: Polkadot :polkadot }}{{ kusama: Kusama :kusama }} is a public permissionless network. -As such, it has a mechanism to disincentivize offenses and incentivize good behaviour. Below you can +As such, it has a mechanism to disincentivize offenses and incentivize good behavior. Below, you can find a summary of punishments for specific offenses: | Offense | [Slash (%)](#slashing) | [On-chain Disabling](#disabling) | Off-chain Disabling | [Rep](#rep) | 
@@ -41,8 +41,8 @@ On {{ polkadot: Polkadot :polkadot }}{{ kusama: Kusama :kusama }}, there are six shown below. - Backing Invalid: A para-validator is backing an invalid block. -- ForInvalid Vote: A validator (secondary checker) is voting in favour of a block that is invalid. -- AgainstInvalid Vote: A validator (secondary checker) is voting against of a block that is invalid. +- ForInvalid Vote: A validator (secondary checker) votes in favor of an invalid block. +- AgainstInvalid Vote: A validator (secondary checker) is voting against an invalid block. - Equivocation: A validator produces two or more of the same block or vote. - GRANDPA and BEEFY Equivocation: A validator signs two or more votes in the same round on different chains. @@ -67,7 +67,7 @@ rep. ### Slashing -**Slashing** removes part of a validator’s total stake (own + nominated), and can range from as +**Slashing** removes part of a validator’s total stake (own + nominated) and can range from as little as 0.01% or rise to 100%. In all instances, slashes are accompanied by a loss of nominators. Slashing will happen if a validator misbehaves in the network. They and their nominators will get 
@@ -76,21 +76,20 @@ slashed by losing a percentage of their staked Any slashed {{ polkadot: DOT :polkadot }}{{ kusama: KSM :kusama }} will be added to the [Treasury](./archive/learn-treasury.md). The rationale for this (rather than burning or distributing -them as rewards) is that slashes may then be reverted by simply paying out from the Treasury. This -would be useful in situations such as faulty slashes. In the case of legitimate slashing, it moves -tokens away from malicious validators to those building the ecosystem through the normal Treasury -process. +them as rewards) is that slashes may be reverted by simply paying out from the Treasury. This would +be useful in situations such as faulty slashes. In the case of legitimate slashing, tokens are moved +away from malicious validators to those building the ecosystem through the normal Treasury process. Slashing only occurs for active validations for a given nominator, and slashes are not mitigated by having other inactive or waiting nominations. They are also not mitigated by the validator operator -running separate nodes; each node is considered its own entity for purposes of slashing. +running separate nodes; each node is considered its own entity for slashing purposes. :::info Multiple Active Nominations -In rare instances, with very large bonds, a nominator may be actively nominating several validators -in a single era. In this case, the slash is proportionate to the amount staked to that specific -validator. Note that you cannot control the percentage of stake you have allocated to each validator -or choose who your active validator will be (except in the trivial case of nominating a single +In rare instances, with very large bonds, a nominator may actively nominate several validators in a +single era. In this case, the slash is proportionate to the amount staked to that specific +validator. 
Note that you cannot control the percentage of stake allocated to each validator or +choose who your active validator will be (except in the trivial case of nominating a single validator). Staking allocations are controlled by the [Phragmén algorithm](learn-phragmen.md). ::: @@ -98,7 +97,7 @@ validator). Staking allocations are controlled by the [Phragmén algorithm](lear Once a validator gets slashed, it goes into the state as an "unapplied slash". You can check this via [Polkadot-JS UI](https://polkadot.js.org/apps/?rpc=wss%3A%2F%2Frpc.polkadot.io#/staking/slashes). -The UI shows it per validator and then all the affected nominators along with the amounts. While +The UI shows it per validator, followed by all the affected nominators and the amounts. While unapplied, a governance proposal can be made to reverse it during this period ({{ polkadot: :polkadot }}{{ kusama: :kusama }} days). After the grace period, the slashes are applied. @@ -108,7 +107,7 @@ A slash may occur under the circumstances below: 1. Equivocation – A slash of 0.01% is applied with as little as a single evocation. The slashed amount increases to 100% incrementally as more validators also equivocate. 2. Malicious action – This may result from a validator trying to represent the contents of a block - falsely. Slashing penalties of 100% may apply. + falsely . Slashing penalties of 100% may apply. 3. Application related (bug or otherwise) – The amount is unknown and may manifest as scenarios 1 and 2 above. 
@@ -116,14 +115,14 @@ A slash may occur under the circumstances below: The following levels of offense are [defined](https://research.web3.foundation/Polkadot/security/slashing/amounts). However, these -particular levels are not implemented or referred to in the code or in the system; they are meant as +particular levels are not implemented or referred to in the code or the system; they are meant as guidelines for different levels of severity for offenses. -- Level 1: Isolated equivocation, slashes a very small amount of the stake. -- Level 2: misconducts unlikely to be accidental, but which do not harm the network's security to - any large extent. Examples include concurrent equivocation or isolated cases of unjustified voting - in [GRANDPA](learn-consensus.md). Slashes a moderately small amount of the stake. -- Level 3: misconduct that poses serious security or monetary risk to the system, or mass collusion. +- Level 1: Isolated equivocation slashes a minimal amount of the stake. +- Level 2: Misconducts unlikely to be accidental but do not harm the network's security to any large + extent. Examples include concurrent equivocation or isolated cases of unjustified voting in + [GRANDPA](learn-consensus.md). Slashes a moderately small amount of the stake. +- Level 3: misconduct that poses severe security or monetary risk to the system or mass collusion. Slashes all or most of the stake behind the validator. The following are scenarios that build towards slashes under equivocation: 
@@ -131,15 +130,15 @@ The following are scenarios that build towards slashes under equivocation: 1. Cloning a server, i.e., copying all contents when migrating to new hardware. This action should be avoided. If an image is desired, it should be taken before keys are generated. 2. High Availability (HA) Systems – Equivocation can occur if there are any concurrent operations, - either when a failed server restarts or if false positive event results in both servers being + either when a failed server restarts or if a false positive event results in both servers being online simultaneously. HA systems are to be treated with extreme caution and are not advised. 3. The keystore folder is copied when attempting to copy a database from one instance to another. It is important to note that equivocation slashes occur with a single incident. This can happen - if duplicated keystores are used for only a few seconds. A slash can result in losing - nominators, and funds, removal from the Thousand Validator Programme, and reputational damage. + if duplicated keystores are used for only a few seconds. A slash can result in losing nominators + and funds, removal from the Thousand Validator Programme, and reputational damage. -To understand how slash amounts for equivocations are calculated, see next section. If you want to -know more details about slashing, please look at our +See the next section to understand how slash amounts for equivocations are calculated. If you want +to know more details about slashing, please look at our [research page](https://research.web3.foundation/Polkadot/security/slashing/amounts). #### Slash Calculation for Equivocation 
@@ -150,29 +149,27 @@ Both GRANDPA and BABE equivocation use the same formula for calculating the slas min((3 * x / n )^2, 1) -As an example, assume that there are 100 validators in the active set, and one of them equivocates -in a slot (for our purposes, it does not matter whether it was a BABE or GRANDPA equivocation). This -is unlikely to be an attack on the network, but much more likely to be a misconfiguration of a +For example, assume that there are 100 validators in the active set, and one equivocates in a slot +(for our purposes, it does not matter whether it was a BABE or GRANDPA equivocation). This is +unlikely to be an attack on the network but much more likely to be a misconfiguration of a validator. The penalty would be min(3 \* 1 / 100)^2, 1) = 0.0009, or a 0.09% slash for that validator (i.e., the stake held by the validator and its nominators). -Now assume that there is a group running several validators, and all of them have an issue in the -same slot. The penalty would be min((3 \* 5 / 100)^2, 1) = 0.0225, or a 2.25% slash. If 20 -validators equivocate, this is a much more serious offense and possibly indicates a coordinated -attack on the network, and so the slash will be much greater - min((3 \* 20 / 100)^2, 1) = 0.36, or -a 36% slash on all of these validators and their nominators. All slashed validators will also be -chilled. +Now, assume that a group is running several validators, and they all have an issue in the same slot. +The penalty would be min((3 \* 5 / 100)^2, 1) = 0.0225, or a 2.25% slash. If 20 validators +equivocate, this is a much more serious offense and possibly indicates a coordinated attack on the +network, and so the slash will be much greater - min((3 \* 20 / 100)^2, 1) = 0.36, or a 36% slash on +all of these validators and their nominators. All slashed validators will also be chilled. -From the example above, the risk of nominating or running many validators in the active set are -apparent. 
While rewards grow linearly (two validators will get you approximately twice as many -staking rewards as one), slashing grows exponentially. A single validator equivocating causes a -0.09% slash, two validators equivocating does not cause a 0.09 \* 2 = 0.18% slash, but rather a -0.36% slash - 4x as much as the single validator. +The example above shows the risk of nominating or running many validators in the active set. While +rewards grow linearly (two validators will get you approximately twice as many staking rewards as +one), slashing grows exponentially. A single validator equivocating causes a 0.09% slash, two +validators equivocating does not cause a 0.09 \* 2 = 0.18% slash, but rather a 0.36% slash - 4x as +much as the single validator. -Validators may run their nodes on multiple machines to make sure they can still perform validation -work in case one of their nodes goes down, but validator operators should be extremely careful in -setting these up. If they do not have good coordination to manage signing machines, equivocation is -possible. +Validators may run their nodes on multiple machines to ensure they can still perform validation work +if one of their nodes goes down. Still, validator operators should be cautious when setting these +up. Equivocation is possible if they do not have good coordination in managing signing machines. #### Good Practices to Avoid Slashing 
@@ -192,36 +189,36 @@ Below are some examples of small equivocations that happened in the past. | Network | Era | Event Type | Details | Action Taken | | -------- | ---- | ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | | Polkadot | 774 | Small Equivocation | [The validator](https://matrix.to/#/!NZrbtteFeqYKCUGQtr:matrix.parity.io/$165562246360408hKCfC:matrix.org?via=matrix.parity.io&via=corepaper.org&via=matrix.org) migrated servers and cloned the keystore folder. The on-chain event can be viewed [here](https://polkadot.subscan.io/extrinsic/11190109-0?event=11190109-5). | The validator did not submit a request for the slash to be canceled. | -| Kusama | 3329 | Small Equivocation | The validator operated a test machine with cloned keys; the test machine was online at the same time as the primary, which resulted in a slash. Details can be found [here](https://kusama.polkassembly.io/post/1343). | The validator requested a cancellation of the slash, but the council declined. | -| Kusama | 3995 | Small Equivocation | The validator noticed several errors, after which the client crashed, and a slash was applied. The validator recorded all events and opened GitHub issues to allow for technical opinions to be shared. Details can be found [here](https://kusama.polkassembly.io/post/1733). | The validator requested to cancel the slash. The council approved the request as they believed the error was not operator related. 
| +| Kusama | 3329 | Small Equivocation | The validator operated a test machine with cloned keys; the test machine was online at the same time as the primary, which resulted in a slash. Details can be found [here](https://kusama.polkassembly.io/post/1343). | The validator requested a slash cancellation, but the council declined. | +| Kusama | 3995 | Small Equivocation | The validator noticed several errors, after which the client crashed, and a slash was applied. The validator recorded all events and opened GitHub issues to allow for technical opinions to be shared. Details can be found [here](https://kusama.polkassembly.io/post/1733). | The validator requested to cancel the slash. The council approved the request as they believed the error was not operator-related. | #### Slashing Across Eras -There are 3 main difficulties to account for with slashing in NPoS: +There are three main difficulties to account for with slashing in NPoS: - A nominator can nominate multiple validators and be slashed via any of them. - Until slashed, the stake is reused from era to era. Nominating with N coins for E eras in a row does not mean you have N\*E coins to be slashed - you've only ever had N. - Slashable offenses can be found after the fact and out of order. -To balance this, we only slash for the maximum slash a participant can receive in some time period, +To balance this, we only slash for the maximum slash a participant can receive in some time period rather than the sum. This ensures protection from overslashing. Likewise, the period over which -maximum slashes are computed is finite and the validator is chilled with nominations withdrawn after -a slashing event, as stated in the previous section. 
This prevents rage-quit attacks in which, once -caught misbehaving, a participant deliberately misbehaves more because their slashing amount is +maximum slashes are computed is finite, and the validator is chilled with nominations withdrawn +after a slashing event, as stated in the previous section. This prevents rage-quit attacks in which, +once caught misbehaving, a participant deliberately misbehaves more because their slashing amount is already maxed out. ### Disabling -**Disabling** stops validators to perform specific actions. Disabling is further divided into: +**Disabling** stops validators from performing specific actions. Disabling is further divided into: -- On-chain disabling, lasts for a whole era and stops validators from block authoring, backing +- On-chain disabling lasts for a whole era and stops validators from block authoring, backing through runtime filtering, initiating a dispute, and backing. It also makes other nodes ignore backing statements. -- Off-chain disabling, lasts for a sessions, is caused by losing a dispute, and it stops validators - from initiating a dispute. +- Off-chain disabling lasts for a session, is caused by losing a dispute, and stops validators from + initiating a dispute. -Off-chain disabling is always lower priority than on-chain disabling. Off-chain disabling +Off-chain disabling is always a lower priority than on-chain disabling. Off-chain disabling prioritizes disabling first backers, then ForInvalid, then AgainstValid. ### Rep
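Review bot: In the hunk at `@@ -41,8 +41,8 @@`, the reworded `AgainstInvalid Vote` bullet still describes a validator "voting against an invalid block", which is what an honest secondary checker does. The Disabling section at the end of this file names the third priority `AgainstValid`. Please confirm the intended offense is a vote against a valid block, then rename and reword the bullet so both sections use the same term. The two bullets also now differ in tense ("votes" vs "is voting"); use "votes" in both.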
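Review bot: The hunk at `@@ -108,7 +107,7 @@` introduces a stray space before the full stop in item 2 ("falsely . Slashing penalties"); it should read "falsely. Slashing penalties". While touching this list, item 1 in the unchanged context says "a single evocation", which looks like a typo for "equivocation" and is worth fixing in the same pass.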
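Review bot: In the hunk at `@@ -116,14 +115,14 @@`, the new Level 2 bullet drops "which" and no longer parses: "Misconducts unlikely to be accidental but do not harm the network's security". Suggest "Misconduct that is unlikely to be accidental but does not harm the network's security to any large extent". In Level 3, removing the comma before "or mass collusion" makes it read as a risk to mass collusion rather than a second kind of misconduct; keep the comma. The "Level 3: misconduct" label is also still lowercase, whereas Level 2 is now capitalized.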
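Review bot: In the hunk at `@@ -150,29 +149,27 @@`, the rewritten paragraph keeps "slashing grows exponentially", but the formula shown above it, `min((3 * x / n )^2, 1)`, is quadratic in x. The worked figures (0.09% for one validator, 0.36% for two, "4x as much") match quadratic growth, so "quadratically" would be accurate. The unchanged first example also has unbalanced parentheses, `min(3 \* 1 / 100)^2, 1)`, and should read `min((3 \* 1 / 100)^2, 1)` like the other two. Lastly, the rewrite softens "extremely careful" to "cautious" for multi-machine setups; given that a few seconds of duplicated keys is enough for a slash, consider keeping the stronger wording.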
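Review bot: In the last hunk (`@@ -192,36 +189,36 @@`), the on-chain disabling bullet lists "backing" twice: "block authoring, backing through runtime filtering, initiating a dispute, and backing". The patch only removes the comma after "disabling", so the duplication survives. Please either drop the trailing "and backing" or say what distinguishes it from "backing through runtime filtering", since this list defines exactly which actions a disabled validator is blocked from.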