Thanks to Joseph Schweitzer and Danny Ryan for their review.
Glad to see you again! After discussing the design philosophy of eth2 last time, the focus today is on eth2’s incentives through the prism of this philosophy. More specifically, we look at the incentives affecting eth2 and how they are implemented in the form of rewards, penalties, and slashings.
We then explain how and why validators are incentivized to stay online, why you won’t be slashed for being offline, and more. Let’s dig in.
If not for being offline, when do slashings occur? ⚔️
Slashing serves two purposes: (1) making an attack on eth2 prohibitively expensive, and (2) preventing validators from being lazy by checking that they actually perform their duties. Slashing a validator means destroying (part of) the validator’s stake if they act in a provably destructive way. The two main ways a validator can behave maliciously within eth2 phase 0 are double voting and surround voting (read the original paper to learn more about how Casper FFG works in detail).
Double voting is when a validator votes for two different blocks within the same epoch, meaning they are signaling their support for two different versions of reality. The simplest example of why this is prohibited is a validator sending transactions in two different blocks that spend the same ETH. This is the Proof of Stake version of the classic double spend attack.
Slashing for surround votes also prevents two versions of the chain from being finalized, by punishing validators whose votes present multiple versions of reality that they claim to be true at the same time. Specifically, attestations (votes for blocks) are surround votes when a validator attests to one version of reality and later attests to another version, but in a way that does not clearly show that it no longer believes in the first.
Double and surround voting are the only ways that validators can be slashed during phase 0, but additional rules are added in later phases to ensure that validators actually store and make available the shard data they sign (which prevents validators from being lazy or withholding information).
A validator that correctly follows the protocol never issues a slashable vote in normal operation. If it is not an intentionally malicious action, a slashable message is only produced as a result of a bug or accident. To minimize the consequences of such errors, the amount of stake destroyed is proportional to the number of other validators slashed at approximately the same time. If only a small number of validators commit a slashable offense, they are unlikely to be attempting to attack eth2, because a successful attack requires many validators. Slashings that occur in small numbers are therefore considered honest mistakes and are lightly punished (a minimum of 1 ETH). On the other hand, if many validators commit an offense in a similar period, a large portion of their stake is burned (up to their total balance), as this is an attack on the network.
Validators who are slashed can no longer participate in the protocol and are forced to exit. In the case of an honest mistake, this prevents the offending validators from causing themselves further harm by being slashed again; in the malicious case, it removes malicious validators from the protocol.
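The two slashing conditions described above can be checked mechanically before a validator signs anything. The following is an added example, not code from the article or from any eth2 client: the `Vote` fields are a simplified model of an attestation (source and target epochs plus the voted block), and the names `Vote`, `slashable_reason` and `SlashingProtection` are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Vote:
    """Simplified attestation (assumed model, not the full spec object)."""
    source_epoch: int  # checkpoint the validator builds on
    target_epoch: int  # epoch the validator is voting for
    block_root: str    # constructed placeholder for the voted block


def slashable_reason(a: Vote, b: Vote) -> Optional[str]:
    """Return 'double', 'surround' or None for two votes by one validator."""
    # Double vote: two different votes for the same target epoch.
    if a != b and a.target_epoch == b.target_epoch:
        return "double"
    # Surround vote: one vote's source..target span strictly contains the other's.
    for outer, inner in ((a, b), (b, a)):
        if (outer.source_epoch < inner.source_epoch
                and inner.target_epoch < outer.target_epoch):
            return "surround"
    return None


class SlashingProtection:
    """Refuse to sign a vote that conflicts with any vote already signed."""

    def __init__(self) -> None:
        self.signed: List[Vote] = []

    def try_sign(self, vote: Vote) -> bool:
        if any(slashable_reason(old, vote) for old in self.signed):
            return False  # signing would create slashable evidence
        if vote not in self.signed:
            self.signed.append(vote)
        return True


if __name__ == "__main__":
    guard = SlashingProtection()
    # Constructed sample votes.
    print(guard.try_sign(Vote(10, 11, "0xaa")))  # first vote is accepted
    print(guard.try_sign(Vote(10, 11, "0xbb")))  # same target, other block
    print(guard.try_sign(Vote(9, 13, "0xcc")))   # surrounds the first vote
```

The history of signed votes has to survive restarts and be consulted by every signer that holds the key; a second signer with its own empty history gives no protection.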
So what happens to validators that are offline? 🚫👩💻
Validators who are offline when they are supposed to participate in the protocol are penalized, but in the normal case these validators only risk losing what they would have gained in rewards had they participated correctly in the protocol. This means that validators who are online >50% of the time will still see their stake increase over time.
Thanks to this mechanism, validator clients that need to disconnect for maintenance, etc., are generally better off going offline for a short period of time instead of exiting and rejoining the protocol (both of which have associated delays).
This means that validators don’t need to go to extreme lengths with backup clients or redundant internet connections, because the repercussions of being offline aren’t that severe. In fact, any setup in which two entities can sign messages can be detrimental, in that the primary and backup clients could both end up online at the same time and cast slashable votes (via the double voting mechanism explained previously), as was the case with the first slashing on Cosmos.
This offline penalty regime holds provided that blocks are being finalized (2/3 of the validators, weighted by stake, are online and their votes are counted). This is the expected state of eth2 during normal operation. If fewer than 2/3 of the nodes are online, then something is catastrophically wrong in the eth2 domain. The family of consensus protocols of which eth2’s Casper is a part can no longer reach agreement under these conditions.
What does eth2 do if > 1/3 of validators are offline? 💣
This is where the inactivity leak mentioned at the beginning of the article comes into play. The inactivity leak reduces the balances of offline nodes over time so that the ratio of online validators to total validators (stake-weighted) can again exceed 2/3 and eth2 can continue to make decisions as a protocol.
Inactivity leaks are one of the ways eth2 was designed to survive a World War III type event. If such an event were to eliminate more than a third of all validators, then offline validators would find that their balances decreased to the point that their participation was no longer necessary for eth2 to continue as a chain.
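How long such a recovery takes can be estimated with a small simulation. This is an added example, not code from the article or the eth2 specification: it assumes the per-epoch leak on an offline balance grows with the number of epochs since finality was lost, that online balances stay constant, and it uses an illustrative constant `LEAK_QUOTIENT` (hypothetical name and value) to set the leak speed.

```python
LEAK_QUOTIENT = 2 ** 25      # assumed tuning constant, not from the article
MINUTES_PER_EPOCH = 6.4      # 32 slots of 12 seconds


def epochs_until_finality(offline_share, quotient=LEAK_QUOTIENT,
                          max_epochs=1_000_000):
    """Simulate the leak; return (epochs, fraction of offline stake left)."""
    if not 0.0 <= offline_share < 1.0:
        raise ValueError("offline_share must be in [0, 1)")
    online = 1.0 - offline_share   # online stake is held constant here
    offline = offline_share
    for epochs in range(max_epochs + 1):
        # Finality needs online stake to be at least 2/3 of remaining stake.
        if 3 * online >= 2 * (online + offline):
            left = offline / offline_share if offline_share else 1.0
            return epochs, left
        # The per-epoch penalty grows with the time since finality was lost.
        offline -= offline * (epochs + 1) / quotient
    raise RuntimeError("no finality within max_epochs")


if __name__ == "__main__":
    for share in (0.30, 0.40, 0.50, 0.90):
        epochs, left = epochs_until_finality(share)
        days = epochs * MINUTES_PER_EPOCH / (60 * 24)
        print(f"{share:.0%} offline: {epochs} epochs (~{days:.1f} days), "
              f"{left:.0%} of offline stake left")
```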
Anti-correlation and decentralization
The slashing mechanism and the inactivity leak encourage validators to make decisions that cause their nodes to fail in a different way from others. In other words, to ensure the smallest possible slashings and to avoid inactivity leaks, a validator should try to have its clients fail differently from others.
This puts pressure on all validators to decentralize all aspects of validating, because, for example, validators who rely on the same source of truth like Infura or who use AWS to host their clients will be in a worse situation if something goes wrong.
With all the many ways to be punished, why would anyone want to become a validator? 📈
As stated in the first article, “validators will be lazy, take bribes, and attempt to attack the system unless they have an incentive not to.” The penalties discussed so far discourage bad behavior, but rewards are needed to encourage validators to perform actions that benefit eth2.
There are 3 main classes of rewards:
Whistleblower Rewards 🚓
A validator who raises the alarm on another validator by providing proof that causes them to be slashed is rewarded for their efforts in cleaning up the eth2 streets.
Proposer Rewards ⬜️⛓⬛️⛓⬜️
Validators are randomly assigned the task of producing a block; the chosen validator is called the proposer. A proposer is rewarded for their efforts in the following ways:
- Including a whistleblower's proof that a validator should be slashed
- Including new attestations from other validators
These rewards encourage validators to provide useful information to the chain when they are chosen to produce a block.
Attester Rewards ✔
Attestations are votes that signal that a validator agrees with a decision in eth2. These types of messages form the basis of consensus and are rewarded in 5 different ways:
- Getting your attestation included on chain
- Agreeing with other validators on the history of the chain
- Agreeing with others on the head of the chain
- Getting your attestation on chain quickly
- Pointing to the correct block in your assigned shard
Validator Revenue Scaling 💸
There are two common approaches to paying validators in PoS systems: fixed rewards and fixed inflation. In the fixed reward model, validators receive a fixed amount for doing their work, and the inflation rate then depends on the number of validators who sign up. This raises the problem of how to correctly set the reward rate. If the reward rate is too low, too few validators will participate, while a reward rate that is too high encourages more validation than security requires and wastes money.
The complementary model is the one with a fixed inflation rate, where a fixed total reward is divided among the active validators. This model has the advantage of allowing market forces to find the right amount to pay validators, as they all make individual decisions about whether to participate based on their current income. There are drawbacks to this model. Validator revenues can be irregular, making profitability decisions difficult for individual validators. This model also makes the protocol vulnerable to discouragement attacks, in which validators attempt to prevent each other from participating to increase their own profit (even at a temporary loss to themselves).
eth2 aims to have the best of both worlds by choosing a reward model in which validator rewards are proportional to the square root of the total amount of ETH staked. This hybrid model attempts to remove variations in inflation and validator return rates while allowing market forces to determine the correct amount to pay each validator for the security provided.
Hope for the best, but expect the worst 🛡️
Each facet of eth2’s incentive system is the result of designing a protocol according to the philosophy outlined in the last article. Examples of this include anti-correlation mechanisms encouraging decentralization and inactivity leaks helping eth2 survive World War III, but the main idea behind how incentives work is the assumption that “validators will be lazy, take bribes, and attempt to attack the system unless they have an incentive not to.” If someone attacks eth2 in any of the ways discussed here, they had better be prepared to throw away a lot of ETH, because one way or another they are going to lose everything.