PUP-1: Change SlashFractionDoubleSign to 0.000001

Attributes

  • Author(s): @Andrew
  • Parameter: SlashFractionDoubleSign
  • Current Value: 0.05
  • New Value: 0.000001

Summary
Slash_fraction_double_sign is the percentage of the validator's stake that will be slashed upon reporting of double vote Evidence type from Tendermint, where a double vote on a block is/can be a submission for two differing states, transactions, apphashes, etc., and result in a forked network. Reducing the value of slash_fraction_double_sign will minimize the risk of validators force unstaking due to false positives.

Abstract
As it is, slash_fraction_double_sign is currently at a dangerously high level. Given the observations of non-attacker false-positives, the number of parties staked in close proximity to the minimum, and the admission of oversight by the founding genesis team who instilled the parameter values, 5% of a user’s stake for double evidence is too severe and needs to be reduced significantly. The new proposed value (.000001) will provide sufficient disincentive of this attack while still remaining conservative in early days of the network. This proposal comes with a recommendation to revisit the value closer to network maturity.

Motivation
In its infancy, Pocket Network is vulnerable to many misconfigured validators. To date (Aug 1, 2020), PNI observed 2 different instances of false positives of double sign evidence. In both cases, the user committed a resync from start to finish while being staked as a validator. In one of the cases, the evidence should not have gone through due to the evidence expiration; however, Tendermint evidence is currently under heavy development on that front (see #4150). In the most recent case, the false positive resulted in one of our Bootstrap partners force unstaking on block 312 of Mainnet, causing them to lose their validator and its subsequent stake. Application level evidence handling is optional in Tendermint and is seen as a security mechanism within the Pocket Network protocol. However, in this current stage of the network’s lifecycle, a value of 5% burn could result in a repeat of the event witnessed on Block 312 of Mainnet with any of the genesis validator participants in close proximity to the minimum stake of 15,000 POKT. Considering the KYC of the genesis validators and the % of voting power they hold, the new proposed value (.000001) will provide sufficient disincentive of this attack while still remaining conservative in the early days of the network. This proposal comes with a recommendation to revisit the value closer to network maturity.

Rationale
At the minimum stake rate of 15K POKT, .000001 is 1.5 * the default transaction fee. It is also the same agreed-upon value of the slash_fraction_downtime.

Dissenting Opinions
Double Signing is a classic blockchain attack that can directly result in a fork if given too many (33%+ in Pocket Network’s case) malicious validators. By lowering this value, we make this attack that much more feasible. A value this low means that a validator could double sign hundreds of blocks before burning 5 POKT.

Analyst(s)
Andrew Nguyen, Genesis Validator, PNI Lead Protocol and Blockchain Developer
Luis De Leon, Genesis Validator, PNI CTO

Copyright
Copyright and related rights waived via CC0.
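
The trade-off argued in the Motivation, Rationale and Dissenting Opinions sections can be worked through numerically. The following is an added example, not part of the proposal or of Pocket Network's code. It assumes amounts are tracked in uPOKT (1 POKT = 1,000,000 uPOKT), that each slash burns the fraction of the current stake rounded down, and that a stake falling below the 15,000 POKT minimum triggers a force unstake; all function names are hypothetical.

```python
from fractions import Fraction

UPOKT = 1_000_000                  # assumed base unit: 1 POKT = 1,000,000 uPOKT
MIN_STAKE = 15_000 * UPOKT         # minimum validator stake cited in the proposal
CURRENT = Fraction(5, 100)         # SlashFractionDoubleSign today (0.05)
PROPOSED = Fraction(1, 1_000_000)  # value proposed in PUP-1 (0.000001)

def slash(stake, fraction):
    """Stake left after one double-sign slash, burning floor(stake * fraction)."""
    return stake - stake * fraction.numerator // fraction.denominator

def slashes_survived(stake, fraction, cap=1_000):
    """Slashes absorbed (up to cap) while the stake stays >= MIN_STAKE (assumed rule)."""
    survived = 0
    while survived < cap and slash(stake, fraction) >= MIN_STAKE:
        stake = slash(stake, fraction)
        survived += 1
    return survived

def stake_needed(fraction, events):
    """Smallest starting stake (uPOKT) still >= MIN_STAKE after `events` slashes."""
    def after(stake):
        for _ in range(events):
            stake = slash(stake, fraction)
        return stake
    lo, hi = MIN_STAKE, MIN_STAKE * 2
    while after(hi) < MIN_STAKE:   # widen until the upper bound survives
        hi *= 2
    while lo < hi:                 # slash() is monotone, so binary search is valid
        mid = (lo + hi) // 2
        lo, hi = (lo, mid) if after(mid) >= MIN_STAKE else (mid + 1, hi)
    return lo

def slashes_to_burn(stake, fraction, target):
    """Consecutive slashes until the cumulative burn reaches `target` uPOKT."""
    start, count = stake, 0
    while start - stake < target and slash(stake, fraction) < stake:
        stake = slash(stake, fraction)
        count += 1
    return count

if __name__ == "__main__":
    for name, f in (("0.05", CURRENT), ("0.000001", PROPOSED)):
        burn = (MIN_STAKE - slash(MIN_STAKE, f)) / UPOKT
        print(name, "burn at minimum stake:", burn, "POKT;",
              "stake to survive one slash:", stake_needed(f, 1) / UPOKT, "POKT")
    print("slashes to burn 5 POKT at 0.000001:",
          slashes_to_burn(MIN_STAKE, PROPOSED, 5 * UPOKT))
```

Under these assumptions, a validator needs roughly 789 POKT of headroom above the minimum to absorb a single false positive at 0.05, against 0.015 POKT at 0.000001.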

I’m closing this topic because the vote passed with 100% support and 60% quorum.

https://rinkeby.aragon.org/#/0x6581bFd757FF2a3333F9DD2c49C6A5CBb31C5633/0xcba4234844fa0e5d41655fe9d0241422b6196221/vote/0/

Screenshots in case the link dies: