-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathP8-commentary.txt
51 lines (43 loc) · 2.82 KB
/
P8-commentary.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
Protocol update commentary
Protocol Version: 8
Builds on Protocol Version: 7
Protocol version 8 adds support for suspending inactive validators. Inactive
validators degrade the performance and reliability of the blockchain, and
it is therefore desirable to exclude them where possible.
The protocol for suspending validators requires them to miss producing blocks
multiple times in succession. A validator with a low stake has a
correspondingly low chance of being the leader in any particular round, and so
it may take many days of inactivity before it reaches the threshold for being
suspended. On the other hand, a validator with a high stake may reach the
threshold in minutes or hours of inactivity.
In any case, if the validator reaches the threshold by a payday, it is
considered "primed for suspension". This means that, if it remains inactive
until the next snapshot epoch, it will be suspended from the validator
committee, as determined at the snapshot epoch and effective from the
following (payday) epoch. If the validator becomes active before the snapshot,
as evidenced by producing a block or having its signature included in a quorum
certificate in a block, then it will no longer be considered primed for
suspension, and thus not be suspended. For a validator with a low stake that
is not included in the finalization committee, even if the node is brought
back on-line, it may not be round leader in that time, and so cannot prove
that it is active and thus avoid suspension. For a validator with a high
stake, especially if it is in the finalization committee, there will be ample
opportunities to prove itself to be active, and thus avoid suspension.
In summary, a validator with a high stake could be suspended with a little
more than 23 hours of inactivity, while validators with lower stakes will
require longer. High-stake validators effectively have a grace period of
23 hours after hitting the threshold for missed blocks. Low-stake validators
may not be able to take advantage of the grace period after hitting the
threshold, but have to be inactive for a longer period of time to reach the
threshold in the first place.
A suspended validator can be resumed manually by sending a transaction to do
so. A suspended validator will always be suspended for at least one epoch, but
otherwise incurs no specific penalty. Any accounts that delegate stake to a
suspended validator will remain delegating to it (unless they update their
delegation).
Suspending inactive validators is intended to protect against validators that
are inactive as a result of accident or carelessness; it does not protect
against malicious validators.
Note that it is impossible for more than one third of the stake to be
automatically suspended simultaneously. This is because if more than one third
of the stake was inactive, then the blockchain would halt.