-
Notifications
You must be signed in to change notification settings - Fork 122
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Add params to proposals * Start rewriting intro * Finish overview and terminology * Write up generics about PSS and power shaping * Add more info about top N and optin * Nit: apostrophe * Clarify governance proposal process for Opt In chains * Apply suggestions from code review Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Add missing newlines * Update docs/docs/features/partial-set-security.md Co-authored-by: insumity <[email protected]> * Update docs/docs/features/power-shaping.md Co-authored-by: insumity <[email protected]> * Use Interchain Security instead of ICSv2 * docs: Add PSS docs (Part 2) (#1861) * first version * first commit * one more warning on having all validators opt out * Update docs/docs/validators/partial-set-security-for-validators.md Co-authored-by: Philip Offtermatt <[email protected]> * Update docs/docs/validators/partial-set-security-for-validators.md Co-authored-by: Philip Offtermatt <[email protected]> * Update docs/docs/validators/partial-set-security-for-validators.md Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Update docs/docs/validators/partial-set-security-for-validators.md Co-authored-by: Philip Offtermatt <[email protected]> * Update docs/docs/frequently-asked-questions.md Co-authored-by: Philip Offtermatt <[email protected]> * Update docs/docs/validators/partial-set-security-for-validators.md Co-authored-by: Philip Offtermatt <[email protected]> * Update docs/docs/frequently-asked-questions.md Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Update docs/docs/validators/partial-set-security-for-validators.md Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * took into account some comments * small comment changes --------- Co-authored-by: Philip Offtermatt <[email protected]> Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Add warning that vals have to manually opt out if going out of top N * Add short PSS FAQ * Add FAQ on how many chains vals can opt in on * Change first to third person * Fix typo * Add missing comma * added a warning * Add more guidelines to 'how to choose the power shaping parameters' * Mention list-consumer-chains query * Add tip about default commission rate --------- Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Co-authored-by: insumity <[email protected]>
- Loading branch information
1 parent
c05de0e
commit 1294f90
Showing
9 changed files
with
329 additions
and
34 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
--- | ||
sidebar_position: 5 | ||
--- | ||
|
||
# Partial Set Security | ||
|
||
Partial Set Security (PSS) allows consumer chains to leverage only a subset of validators from the provider chain, which offers more flexibility than the traditional Replicated Security model. By introducing the top_N parameter, each consumer chain can choose the extent of security needed: | ||
|
||
* Top N: Requires the top N% validators from the provider chain to secure the consumer chain. This guarantees that the validators with the most power on the provider will validate the consumer chain, while others can voluntarily opt in. | ||
|
||
* Opt-In: If the `top_N` parameter is set to zero, no validator is mandated to secure the consumer chain. Instead, any validator from the provider chain can opt in using a dedicated transaction. | ||
|
||
An advantage of a Top N chain is that the consumer chain is guaranteed to receive at least a certain fraction of the market cap of the provider chain in security. In turn, this chain needs to be approved by governance, since validators will be forced to run the chain. Thus, Top N chains should typically expect to need to provide a strong case for why they should be added to the provider chain, and they should make sure they offer enough rewards to incentivize validators and delegators to vote for their proposal. | ||
|
||
Opt-In chains, on the other hand, are more flexible. While for technical reasons, they are also currently added via governance proposals, since validators are never forced to validate these chains and simply opt in if they want to, they should typically expect to get their proposals approved much more easily compared to Top N chains, since validators that do not want to validate the chain can simply choose not to opt in. | ||
However, opt in chains do not get a fixed amount of security as a relation of the market cap of the provider as top N chains do, so opt in chains might want to keep an eye on how many validators have opted in to validate their chain and adjust their reward emissions accordingly to incentivize validators. | ||
|
||
:::tip | ||
Partial Set Security is handled only by the provider chain - the consumer chains are simply sent validator sets, and they are not aware that this represents only a subset of the provider chain's validator set. | ||
::: | ||
|
||
:::caution | ||
Both Opt In and Top N chains currently require a governance proposal to be added to the provider chain. | ||
|
||
For Top N chains, this is also the long term vision for how they are launched. | ||
|
||
For Opt In chains, this is a temporary measure to prevent issues around chain ID squatting. Eventually, the plan is to allow launching Opt In chains permissionlessly without going through governance, with quality control being handled by the market of validators deciding which chains they would like to validate on. | ||
::: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,52 @@ | ||
# Power Shaping | ||
|
||
To give consumer chains more flexibility in choosing their validator set, Interchain Security offers | ||
several "power shaping" mechanisms for consumer chains. | ||
|
||
These are: | ||
1) **Capping the size of the validator set**: The consumer chain can specify a maximum number of validators it | ||
wants to have in its validator set. This can be used to limit the number of validators in the set, which can | ||
be useful for chains that want to have a smaller validator set for faster blocks or lower overhead. | ||
*Note*: This is only applicable to Opt In chains (chains with Top N = 0). | ||
1) **Capping the fraction of power any single validator can have**: The consumer chain can specify a maximum fraction | ||
of the total voting power that any single validator in its validator set should have. | ||
This is a security measure with the intention of making it harder for a single large validator to take over a consumer chain. This mitigates the risk of an Opt In chain with only a few validators being dominated by a validator with a large amount of voting power opting in. | ||
For example, setting this fraction to e.g. 33% would mean that no single validator can have more than 33% of the total voting power, | ||
and thus there is no single validator who would stop the chain by going offline. | ||
Note that this is a soft cap, and the actual power of a validator can exceed this fraction if the validator set is small (e.g. there are only 3 validators and the cap is 20%). | ||
1) **Allowlist and denylist**: The consumer chain can specify a list of validators that are allowed or disallowed from participating in the validator set. If an allowlist is set, all validators not on the allowlist cannot validate the consumer chain. If a validator is on both lists, the denylist takes precedence, that is, they cannot validate the consumer chain. If neither list is set, all validators are able to validate the consumer chain. | ||
|
||
:::warning | ||
Note that if denylisting is used in a Top N consumer chain, then the chain might not be secured by N% of the total provider's | ||
power. For example, consider that the top validator `V` on the provider chain has 10% of the voting power, and we have a Top 50% consumer chain, | ||
then if `V` is denylisted, the consumer chain would only be secured by at least 40% of the provider's power. | ||
::: | ||
|
||
All these mechanisms are set by the consumer chain in the `ConsumerAdditionProposal`. They operate *solely on the provider chain*, meaning the consumer chain simply receives the validator set after these rules have been applied and does not have any knowledge about whether they are applied. | ||
|
||
Each of these mechanisms is *set during the consumer addition proposal* (see [Onboarding](../consumer-development/onboarding.md#3-submit-a-governance-proposal)), and is currently *immutable* after the chain has been added. | ||
|
||
The values can be seen by querying the list of consumer chains: | ||
```bash | ||
interchain-security-pd query provider list-consumer-chains | ||
``` | ||
|
||
## Guidelines for setting power shaping parameters | ||
|
||
When setting power shaping parameters, please consider the following guidelines: | ||
* Do not cap the validator set size too low: Notice that this number is the **maximum* number of validators that will ever validate the consumer chain. If this number is too low, the chain will be very limited in the | ||
amount of stake that secures it. The validator set size cap should only be used if there are strong reasons to prefer fewer validators. Consider that setting the cap will mean that | ||
even if the whole validator set of the provider wants to validate on the chain, some validators will simply not be able to. | ||
* Capping the fraction of power any single validator can have is a decent security measure, but it's good to be aware of the interactions with the size of the validator set. | ||
For example, if there are only 3 validators, and the cap is 20%, this will not be possible (since even splitting the power fairly would mean that each validator has 33% of the power, so is above the cap). | ||
However, the cap can be a good measure to prevent a single large validator from essentially taking over the chain. | ||
In general, values under 33% make sense (since a validator that has 33% of the chains power would halt the chain if they go offline). | ||
Notice that the smaller this value is, the more the original voting power gets distorted, which could discourage large validators from deciding to opt in to the chain. | ||
* If the allowlist is *empty*, all validators can validate the chain. If it is *non empty*, then *only* validators on the allowlist can validate the chain. | ||
Thus, an allowlist containing too few validators is a security risk. In particular, consider that if the validators on the allowlist lose a lot of stake or stop being validators, | ||
an allowlist that is too short can very quickly become outdated and leave too few validators, or validators with too little stake, to secure the chain in a decentralized way. | ||
* If the denylist is too full, this can likewise be problematic. If too many large validators are denylisted, the chain might not be secured by a large enough fraction of the provider's power, in particular when | ||
the power distribution on the provider shifts and the denylisted validators gain more power. | ||
|
||
In general, when setting these parameters, consider that the voting power distribution in the future might be very different from the one right now, | ||
and that the chain should be secure even if the power distribution changes significantly. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.