Concepts

States

At any given time, there are any number of validators registered in the state machine. Each block, the top n = MaximumBondedValidators validators who are not jailed become bonded, meaning that they may propose and vote on blocks. Validators who are bonded are at stake, meaning that part or all of their stake and their delegators' stake is at risk if they commit a protocol fault.

Tombstone Caps

In order to mitigate the impact of initially likely categories of non-malicious protocol faults, the Cosmos Hub implements for each validator a tombstone cap, which only allows a validator to be slashed once for a double sign fault. For example, if you misconfigure your HSM and double-sign a bunch of old blocks, you'll only be punished for the first double-sign (and then immediately tombstombed). This will still be quite expensive and desirable to avoid, but tombstone caps somewhat blunt the economic impact of unintentional misconfiguration.

Liveness faults do not have caps, as they can't stack upon each other. Liveness bugs are "detected" as soon as the infraction occurs, and the validators are immediately put in jail, so it is not possible for them to commit multiple liveness faults without unjailing in between.

ASCII timelines

Code

[ : timeline start
] : timeline end
Cn : infraction n committed
Dn : infraction n discovered
Vb : validator bonded
Vu : validator unbonded

Single Double Sign Infraction

<----------------->
[----------C1----D1,Vu-----]

A single infraction is committed then later discovered, at which point the validator is unbonded and slashed at the full amount for the infraction.

Multiple Double Sign Infractions

<--------------------------->
[----------C1--C2---C3---D1,D2,D3Vu-----]

Multiple infractions are committed and then later discovered, at which point the validator is jailed and slashed for only one infraction. Because the validator is also tombstoned, they can not rejoin the validator set.

Last Updated: 2/21/2019, 2:21:57 AM