Write Slashing Spec Tracking

[cwgoes]

Including:

• Definitions (unbonding period, revocation, equivocation, discovery)
• Specification of when a delegation or validator is slashable
• Specification of how successive slashing works
• Implementation psuedocode for double sign slashing & downtime slashing
• Example "network attack" scenarios and what would happen in each one

Sub-concerns:

• Normalize slashing penalties by total supply #1348
• Slashing: special kind of slashing-by-transaction for infractions older than an unbonding period #1378
• Slashing: differentiating between stake bonded at the time of infraction and since the time of infraction #1440
• Ensure that unbonding-delegations/redelegations for removed validators are still slashable #1673
• Add document about how Unbonding works and why its crucial for PoS systems #1678
• Delay validator set changes by 1 block in the SDK to reflect changes in Tendermint #1789
• Clarify downtime slashing with one-block (soon to be two) delayed signing validators #1814
• Faulty slashing when ex-validator is reintroduced into the validator set #1867
• Slashing spec changes: capped slashing-per-period #1896

[rigelrozanski]

Sounds comprehensive 👍 - we should structure the spec to be consistent with the other specs - to have detailed outline of the state, and reference all transactions/events as to how they affect that state.

[ebuchman]

Sounds like some of this is in https://github.com/cosmos/cosmos-sdk/pull/1263/files but we should go through it again and make sure every thing is clear

[cwgoes]

We haven't thought through / categorized "network attack scenarios" yet, I think that would be useful.

[cwgoes]

Also still to-do in the spec: slashing transactions (MsgUnrevoke).

[cwgoes]

also ref #1348

[cwgoes]

More reasons to write a precise "slashing security model": #1378, #1440

[rigelrozanski]

thanks for posting these links - commented on both

[cwgoes]

Another note: the Tendermint validator-set-delayed-by-a-block changes need to change the slashing rules, since stake now contributes to voting power a block after it was unbonded/redelegated.

[cwgoes]

Also tagging tendermint/tendermint#2112 which would need to be implemented by the SDK also if we decide to add it to Tendermint.

[jackzampolin]

Just a couple more items here!

[cwgoes]

Just a couple more items here!

Well, yes and no. The logic is relatively well specified, but we have little of the attack scenario enumeration, economic cost analysis, and light client-related explanation (successfully lying to a light client should always be a slashable offense).

[jackzampolin]

More work has been done here right @cwgoes? Do you mind updating this issue with the remaining Slashing spec work to be done?

[cwgoes]

I think we still lack a comprehensive explanation of the incentive design rationale. The original issue's list of requirements are accurate.

I plan to work on this while rectifying staking/slashing code / spec, hopefully next week.