Appreciation to Joseph Schweitzer and Danny Ryan for their review.
Greetings again! After examining eth2’s design philosophy previously, our topic today is the incentives of eth2 through the perspective of that philosophy. Specifically, we will investigate the incentives influencing eth2 and how they are expressed in terms of rewards, punishments, and slashing.
Next, we will explore how and why validators are motivated to stay online, why you won’t face slashing for being offline, and much more. Let’s delve deeper.
If not due to being offline, when do slashing events happen? ⚔️
Slashing serves two main objectives: (1) to create a significant financial barrier against attacking eth2, and (2) to deter validators from negligence by ensuring they fulfill their responsibilities. Slashing a validator involves confiscating (part of) their stake if they act in a provably harmful way. The primary malicious behaviors that could lead a validator to be slashed in eth2 phase 0 include double voting and surrounding voting (refer to the original document for a detailed explanation of the Casper FFG):
Double voting occurs when a validator endorses two separate blocks within the same epoch, indicating support for two conflicting realities. A straightforward illustration of why this is not permitted is a validator transmitting transaction in block and in block where and utilize the same ETH. This represents the Proof of Stake variant of the traditional double-spend assault.
Slashing due to surround votes also hinders the finalization of two different chain versions by penalizing validators who cast votes that present multiple contradictory realities simultaneously. More explicitly, attestations (votes for blocks) are classified as surrounding votes when a validator attests to one reality and subsequently attests to another, without clarifying their disbelief in the first.
Double and surround voting are the sole methods by which validators may be slashed in phase 0, yet additional regulations are incorporated in subsequent phases to guarantee that validators properly retain and provide access to the shard data they endorse (to prevent laziness or withholding information).
A validator that adheres correctly to the protocol will never produce a slashable vote during standard operations. Unless a deliberate malicious act is involved, generating a slashable message typically results from an error or mishap. To reduce the repercussions of such mistakes, the amount of stake forfeited correlates with the number of other validators slashed at the same time. If a limited number of validators engage in a slashable infraction, it’s improbable they are attempting to attack eth2 since a successful attack necessitates numerous validators. Therefore, slashing events involving only a few are presumed to be honest errors and receive a minor penalty (at least 1 ETH). Conversely, if many validators commit an infraction simultaneously, a significant portion of their stake can be forfeited (up to their entire balance) since it is assumed to be an assault on the network.
Validators subjected to slashing are barred from further participation in the protocol and are forcibly removed. In cases of honest mistakes, this protects offending validators from incurring further penalties by being slashed again; whereas in cases of malign intent, it eliminates harmful validators from the protocol.
So, what transpires with validators who go offline? 🚫👩💻
Validators that are offline when they are expected to participate in the protocol face penalties, but under normal circumstances, these validators only risk losing the rewards they would have earned had they participated appropriately in the protocol. This indicates that validators who are online more than 50% of the time will still observe growth in their stake over time.
As a consequence of this system, validator clients that require going offlinefor upkeep etc., are typically better off if they simply go offline for a brief duration rather than exiting and re-entering the protocol (both of which incur delays).
This implies that validators need not exert themselves excessively with supplementary clients or redundant internet connections since the consequences of going offline are not overly harsh. In fact, any system where two parties can authenticate messages can be counterproductive as primary and backup clients could both remain online simultaneously and produce slashable votes (through the double voting mechanism described previously) as occurred with the initial Cosmos slashing.
This scheme of offline penalties remains valid as long as blocks are being finalized (2/3 of validators (weighted by stake) are online and their votes are being tallied). This is the anticipated condition of eth2 during standard operation. If fewer than 2/3 of nodes are online, then a significant failure has occurred within the eth2 ecosystem. The consensus protocols’ family to which Eth’s Casper belongs can no longer achieve consensus under these circumstances.
What does eth2 do if > 1/3 of validators are offline? 💣
This is where the inactivity leak mentioned at the outset of the article becomes relevant. The inactivity leak diminishes the balances of the offline nodes over time so that the ratio of active validators to total validators (weighted by stake) can once again surpass 2/3, allowing eth2 to persist in making decisions as a protocol.
Inactivity leaks represent one of the methods eth2 has been engineered to endure a WW3-like scenario. Should such an event incapacitate more than 1/3 of all validators, then the offline validators would discover that their balances diminished to the extent that their involvement was no longer necessary for eth2 to maintain its chain.
Anti-correlation and decentralization
Both the slashing mechanism and the inactivity leak motivate validators to make choices that lead to their nodes failing in ways that differ from others. In other words — to minimize the potential for slashing and to avert inactivity leaks, a validator should aim for their clients to fail in manners distinct from those of others.
This compels all validators to decentralize every facet of their validation process because, for instance, validators who depend on the same data source like Infura or utilize AWS to host their clients will suffer more if an issue arises.
With all the numerous ways to be penalized, why would anyone want to be a validator? 📈
As mentioned in the initial article, “validators will be negligent, accept bribes, and they will attempt to compromise the system unless they are otherwise incentivized not to.” The penalties addressed thus far dissuade negative conduct, yet incentives are essential to motivate validators to take actions that benefit eth2.
There are three primary categories of rewards:
Whistleblower rewards 🚓
A validator who raises an alert regarding another validator by presenting evidence that leads to their slashing is compensated for their efforts in maintaining the integrity of eth2.
Proposer rewards ⬜️⛓⬛️⛓⬜️
Validators are randomly designated with the responsibility of generating a block; the selected validator is termed the proposer. A proposer is rewarded for their contributions in the following manners:
- Including evidence from a whistleblower that leads to a validator’s slashing
- Incorporating new attestations from other validators
These rewards incentivize validators to supply valuable information to the chain when selected to generate a block.
Attester rewards ✔
Attestations are votes that indicate a validator’s agreement with a decision made in eth2. These messages are fundamental to consensus and are rewarded in five distinct ways:
- Getting your attestation recorded on-chain
- Concur with other validators regarding the history of the chain
- Align with others about the current head of the chain
- Getting your attestation processed on-chain swiftly
- Pointing to the accurate block in the designated shard
Scaling validator earnings 💸
There are two prevalent strategies for compensating validators within PoS frameworks: fixed rewards and consistent inflation. In the fixed reward framework, validators receive a specific sum for fulfilling their roles, and the inflation rate subsequently depends on the number of validators participating. This presents a challenge regarding how to appropriately set the reward level. If the reward level is overly low, too few validators will engage, whereas an excessively high reward level incentivizes unnecessary validation beyond what is essential for security, resulting in financial waste.
The complementary approach consists of a standardized inflation rate where a total reward is allocated among the active validators. This model benefits from allowing market dynamics to determine the suitable compensation for validators, as they each make independent choices about whether to engage based on their current earnings. However, this model has drawbacks. Validator earnings can be unpredictable, complicating profitability decisions for individual validators. Furthermore, this model exposes the protocol to discouragement attacks where validators may attempt to hinder one another’s participation to enhance their own profits (even at a temporary loss to themselves).
eth2 aspires to achieve a balance by adopting a reward model where validator rewards are proportional to the square root of the total ETH staked. This hybrid approach aims to mitigate fluctuations in inflation and validator return rates while still permitting market factors to determine the appropriate remuneration for each validator based on the security provided.
Hope for the best, but prepare for the worst 🛡️
Each aspect of eth2’s incentive structure stems from designing a protocol based on the principles articulated in the prior article. Examples of this encompass the anti-correlation strategies that promote decentralization and inactivity leaks that enable eth2 to withstand a World War 3 scenario, yet the overarching principle that drives the incentives is the belief that “validators will be negligent, accept bribes, and will attempt to undermine the system unless sufficiently motivated not to.” If someone attempts to assault eth2 in any of the manners explored here, they better be ready to part with a substantial amount of ETH, as they are likely to lose everything one way or another.
