Validator epochs/ZIP25 #1298

theo-zil · 2024-08-14T19:41:31Z

Preliminary draft of the new validator state machine, implementing epochs.

The validator committee no longer changes except at epoch boundary blocks.
Joining or leaving the committee is now subject to a waiting queue of no less than 1 epoch (and currently, no more than 2). Thus, at any given epoch, it is possible to mostly (see Staking: fix total_stake change on slashing #1338) know the validator set for the next epoch.
Epoch changes are handled by a tick_epoch() function in the deposit contract.

An important consequence of all this is that our consensus now depends on an EVM call succeeding. Inline comment on this in the code below.

Further work out of scope of this PR:

Fill out missing integration tests - Additional integration tests for staking #1341
Implement unsuspend, and consensus-based suspend - Staking: implement suspension features #1337
Epoch length tracking in EVM - part of Move consensus config on-chain (into shard contract) #1135. (Currently, the epoch length is hardcoded in deposit.sol.)
Improving staker address and pubkey validation on registration - Improve validator address verification in deposit contract #1297
Allowing validators to change their registered addresses - Control and reward address changes for validators #1301
Adjust slashing and suspension queues - Staking: fix total_stake change on slashing #1338
Consider implementing churn limits on the validator set - Queue/churn limits in deposit.sol #1300
Improving epoch change transaction tracking - Gas (and account) tracking for epoch changes #1299
Slashing mechanisms - currently, this reuses the previous mechanism where any validator with >=10% of total stake can slash any other validator. Additionally, slashed funds are not kept track of (effectively, burned).
Add an unbonding period to unstaked funds - Deposit contract: implement unbonding period #1328
Allow reusing instaked-but-not-yet-withdrawn funds - Deposit: allow reusing unstaked balance #1329
Not directly necessary, but somewhat related: block number tracking - Review block-related constants passed to the EVM; potentially fix epoch ticking #1339

…ip25

theo-zil · 2024-08-14T19:59:23Z

zilliqa/src/consensus.rs

+        if self.block_is_first_in_epoch(parent.number() + 1) {
+            // Here we ignore any errors and proceed with block creation, under the philosophy that
+            // it is better to have the network run but with broken epochs, than it would be to
+            // crash the entire network on a failing epoch transition.
+            match state.tick_epoch() {
+                Ok(()) => (),
+                Err(e) => error!("Unable to transition the epoch - EVM error: {e}"),
+            };
+        }


Our consensus now depends on successful EVM calls - and not just read-only checks as before, but a complex write transaction.

This raises the question of what to do if the tick_epoch() call fails for any reason. Should we assume that it must never fail, and crash the node if it does (potentially crashing the network if a buggy state is reached)? The approach taken here is to soft-ignore errors; the network then will remain alive, but with a static validator set since epoch changes will be broken. Measures can then be taken to upgrade to fix the root cause of the issue (e.g. upgrading the deposit contract) to restore normal functionality.

But, especially right now in the early testnet phases, perhaps hard-crashing the network on any bugs might be preferable to discover any issues immediately.

…ers) and unstaking (full balance withdrawal).

…ip25

DrZoltanFazekas

I was only reviewing the deposit contract, will continue with the rest tomorrow

DrZoltanFazekas · 2024-09-23T15:34:37Z