vote_deactivate: drop collateral gate, trust validator quorum #62
Merged
Remove the `collateral >= min_collateral` check from vote_deactivate so validator consensus alone is authoritative. Same trust envelope as vote_activate / vote_reserve — abuse protection comes from the quorum threshold, not a contract-level precondition. Frees the validator layer to use deactivation for any remediation case (min-raise, protocol abuse, operational emergencies) without needing a new on-chain gate per case. Drops the now-unused Error::SufficientCollateral variant and renumbers the Python error-variant map accordingly.
Summary
Remove the `collateral >= min_collateral` precondition from `vote_deactivate` so validator consensus alone is authoritative. The contract trusts the quorum — the threshold itself is the abuse protection, same envelope as `vote_activate` / `vote_reserve`.
Why
The original gate was designed to prevent validator collusion against compliant miners, but it narrows `vote_deactivate` to exactly one remediation case (min-raise cleanup). Removing it gives the validator layer freedom to invoke deactivation for any reason the quorum deems valid — min-raise, protocol abuse, operational emergencies — without needing a new on-chain gate per case.
Miner protection against malicious quorum unchanged in practice: the validator set is already trusted for reserve / initiate / confirm / slash paths. If the quorum is compromised, there are bigger problems than one extra deactivate vector.
Changes
- `smart-contracts/ink/lib.rs` — drop the `if miner_collateral >= self.min_collateral { Err(SufficientCollateral) }` check from `vote_deactivate`; keep the `!miner_active → InvalidStatus` guard.
- `smart-contracts/ink/errors.rs` — remove the now-unused `SufficientCollateral` variant.
- `allways/contract_client.py` — drop the variant from `CONTRACT_ERROR_VARIANTS` (renumbers `HasActiveSwap` from 29 → 28, `CurrentlyReserved` from 30 → 29). Update `vote_deactivate` client docstring.
- `plans/scoring-simplification-and-contract-hardening.md` — reflect the simplified semantics (local-only file, not in repo).
Follow-ups
Test plan
- `cargo check` — contract compiles
- `pytest -q` — 279 tests pass
- `ruff check` — clean
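An added example, not part of the PR or the project's code: a drift check that catches a client error map left stale after a variant is removed and later indices shift, as with `HasActiveSwap` and `CurrentlyReserved` above. The enum source, the variant order, `PlaceholderA`, the `{index: name}` map shape and the helper names are constructed assumptions.

```python
import re

# Constructed stand-in for errors.rs after the PR. Variant names come from the PR
# text; their order here and PlaceholderA are assumptions for illustration.
ERRORS_RS_AFTER = """\
pub enum Error {
    /// constructed placeholder variant
    PlaceholderA,
    InvalidStatus,
    HasActiveSwap,
    CurrentlyReserved,
}
"""

# Assumed shape of the client map: {variant index: variant name}.
STALE_CLIENT_MAP = {0: "PlaceholderA", 1: "InvalidStatus", 2: "SufficientCollateral",
                    3: "HasActiveSwap", 4: "CurrentlyReserved"}
UPDATED_CLIENT_MAP = {0: "PlaceholderA", 1: "InvalidStatus",
                      2: "HasActiveSwap", 3: "CurrentlyReserved"}


def enum_variants(rust_src, enum_name="Error"):
    """Variant names in declaration order, which is the default SCALE index order.

    Assumes no explicit #[codec(index = N)] attributes and one variant per line.
    """
    m = re.search(r"enum\s+%s\s*\{(.*?)\n\}" % re.escape(enum_name), rust_src, re.S)
    if m is None:
        raise ValueError("enum %s not found" % enum_name)
    names = []
    for line in m.group(1).splitlines():
        line = line.split("//")[0].strip()   # drop comments and doc comments
        if not line or line.startswith("#["):
            continue                          # blank line or attribute
        names.append(re.match(r"\w+", line).group(0))
    return names


def map_drift(client_map, rust_src, enum_name="Error"):
    """Return {index: (client_name, contract_name)} for every index that disagrees."""
    contract = dict(enumerate(enum_variants(rust_src, enum_name)))
    return {i: (client_map.get(i), contract.get(i))
            for i in sorted(set(client_map) | set(contract))
            if client_map.get(i) != contract.get(i)}


if __name__ == "__main__":
    for idx, (client, contract) in map_drift(STALE_CLIENT_MAP, ERRORS_RS_AFTER).items():
        print("index %d: client decodes %r, contract means %r" % (idx, client, contract))
```

Run as a test against the real enum file and client map, a non-empty result means some client would report the wrong error name for a contract revert.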