Late-observation consensus slashes happen with perverse-incentive timing
Prompted by this discussion:
The below (to my knowledge, based on a search for IncSlashPoints) affects handler_errata_tx.go, handler_network_fee.go, handler_solvency.go, handler_tss.go, ~~handler_tss_keysign.go,~~ as well as handler_observed_txin.go and handler_observed_txout.go.
[Edit: On closer inspection handler_tss_keysign.go (used only for fail keysign messages)
wipes the signers upon consensus to allow reuse, thus does not appear appropriate for modification in this way.]
Comparing the current code and my proposed code, these are the same:
- Trying to sign a voter a second time increments slash points that are never decremented (net increase).
- Signing a voter before consensus increments slash points that are decremented if consensus is reached.
- Bringing a voter to consensus by signing it increments and then immediately decrements slash points (net no change).
- Signing a voter late within the ObservationDelayFlexibility period results in no net slash point change.
- Signing a voter later after the ObservationDelayFlexibility period results in a net slash points increase.
These however are different:
The proposed code increments slash points for all non-signers upon consensus,
whether or not they later sign, and only decrements them if signing within the ObservationDelayFlexibility period.
The current code only increments slash points if they do sign, not if they don't.
The current code has nodes which fell behind (e.g. not observing a chain) and didn't participate in consensus experiencing a rush of slash points if they fix the problem and catch up,
representing negative feedback (and a perverse incentive to never fix the problem and receive the slash points, especially when a lot were 'owed' and/or there might be churn out soon).
The proposed code would increment these same slash points as their corresponding consensuses were reached,
increasing the motivation to fix the problem (and no new slash points from catching up).
Further consideration:
For further context please note the LackObserving function, behaviour of which I currently think to be unaffected by these proposed changes.
I found the judgeLateSigner logic noteworthy (albeit being for FailKeygenSlashPoints rather than ObserveSlashPoints).
In the situation where {instead of broadcasting the same message ID late} a node broadcasts a different/wrong message ID on time,
currently there are slash points from the ID broadcast and not from the consensus reached.
The proposal would treat the separate IDs as separate conversations,
with one increment of slash points for saying something wrong and one increment of slash points for not saying something right,
worse than either saying the right thing late or not saying anything at all.
(Again, LackObserving I currently think to have unchanged behaviour for current and proposed code.)
My specific code proposal for this has been !2722 'Slash non-signers upon consensus'.
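
The timing difference between the current and proposed behaviour, as an added example in Go. It is a simplified model written for this page, not thornode code and not the code from !2722. The names `absentNode`, `ledger` and `total`, the 1-point penalty, the 10-block inclusive flexibility window and the block heights are all assumptions, and only net slash point changes are tracked.

```go
package main

import "fmt"

// Simplified model of the accounting described above; not thornode code.
// Names and values are assumptions: 1 point per voter, 10-block flexibility
// window (inclusive), and net effects only.
const (
	observeSlashPoints = 1
	delayFlexibility   = 10
)

// ledger maps block height -> net slash points charged to one node there.
type ledger map[int64]int64

// absentNode models a node that missed every consensus in heights and signs
// all of those voters at catchUp (0 = never signs).
func absentNode(proposed bool, heights []int64, catchUp int64) ledger {
	l := ledger{}
	for _, h := range heights {
		signed := catchUp != 0
		inTime := signed && catchUp <= h+delayFlexibility
		if proposed {
			l[h] += observeSlashPoints // charged as each consensus is reached
			if inTime {
				l[catchUp] -= observeSlashPoints // refunded inside the window
			}
		} else if signed && !inTime {
			l[catchUp] += observeSlashPoints // charged only on catching up
		}
	}
	return l
}

func total(l ledger) (sum int64) {
	for _, v := range l {
		sum += v
	}
	return sum
}

func main() {
	heights := []int64{100, 200, 300} // constructed consensus heights
	for _, catchUp := range []int64{0, 305, 400} {
		cur, prop := absentNode(false, heights, catchUp), absentNode(true, heights, catchUp)
		fmt.Println(catchUp, "current:", cur, total(cur), "proposed:", prop, total(prop))
	}
}
```

For a node that catches up at height 400, both models end at the same total, but the current model books all of it at the catch-up height while the proposed model books it at heights 100, 200 and 300. A node that never signs is charged only under the proposed model.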