serai/docs/protocol/Validator Sets.md

70 lines
3.2 KiB
Markdown
Raw Normal View History

2022-07-20 05:45:07 +00:00
# Validator Sets
Validator Sets are defined at the protocol level, with the following parameters:
- `bond` (Amount): Amount of bond per key-share.
- `network` (Network): The network this validator set operates
over.
- `participants` (Vec\<SeraiAddress>): List of participants within this set.
2022-07-20 05:45:07 +00:00
Validator Sets are referred to by `NetworkId` yet have their data accessible via
`ValidatorSetInstance`.
2022-07-20 05:45:07 +00:00
### Participation in consensus
2022-07-20 05:45:07 +00:00
All Validator Sets participate in consensus. In the future, a dedicated group
to order Serai is planned.
### Multisig
Every Validator Set is expected to form a `t`-of-`n` multisig, where `n` is the
amount of key shares in the Validator Set and `t` is `n * 2 / 3 + 1`, for each
of its networks. This multisig is secure to hold coins up to 67% of the
Validator Set's bonded value. If the coins exceed that threshold, there's more
value in the multisig than in the supermajority of bond that must be put forth
to control it. Accordingly, it'd be no longer financially secure, and it MUST
reject newly added coins which would cross that threshold.
### Multisig Creation
Multisigs are created by processors, communicating via their Coordinators.
They're then confirmed on chain via the `validator-sets` pallet. This is done by
having 100% of participants agree on the resulting group key. While this isn't
fault tolerant, a malicious actor who forces a `t`-of-`n` multisig to be
`t`-of-`n-1` reduces the fault tolerance of the multisig which is a greater
issue. If a node does prevent multisig creation, other validators should issue
slashes for it/remove it from the Validator Set entirely.
Due to the fact multiple key generations may occur to account for
faulty/malicious nodes, voting on multiple keys for a single coin is allowed,
with the first key to be confirmed becoming the key for that coin.
Placing it on chain also solves the question of if the multisig was successfully
created or not. Processors cannot simply ask each other if they succeeded
without creating an instance of the Byzantine Generals Problem. Placing results
within a Byzantine Fault Tolerant system resolves this.
### Multisig Lifetime
The keys for a Validator Set remain valid until its participants change. If a
Validator Set adds a new member, and then they leave, the set's historical keys
are not reused.
### Multisig Handoffs
Once new keys are confirmed for a given Validator Set, they become tracked and
the recommended set of keys for incoming coins. The old keys are still eligible
to receive coins for a provided grace period, requiring the current Validator
Set to track both sets of keys. The old keys are also prioritized for handling
outbound transfers, until the end of the grace period, at which point they're
no longer eligible to receive coins and they forward all of their coins to the
new set of keys. It is only then that validators in the previous instance of the
set, yet not the current instance, may unbond their stake.
### Vote (message)
- `coin` (Coin): Coin whose key is being voted for.
- `key` (Key): Key being voted on.
Once a key is voted on by every member, it's adopted as detailed above.