-
Notifications
You must be signed in to change notification settings - Fork 933
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
A possible change to how validator balances are stored #685
Comments
Minor suggestions:
def get_balance(state: BeaconState, index: ValidatorIndex) -> Gwei:
return state.validator_registry[index].high_balance + state.low_balances[index] def set_balance(state: BeaconState, index: ValidatorIndex, balance: Gwei) -> None:
validator = state.validator_registry[index]
if validator.high_balance > balance or validator.high_balance + 15 * 10**8 < balance:
validator.high_balance = balance - balance % 10**9
state.low_balances[index] = balance - validator.high_balance |
My understanding is that light clients and the fork choice rule will follow the
This second issue can be addressed by shifting the hysteresis down by 0.25. (ie. x+0.75 and x+1.25) whilst still preserving the 0.5 ETH separation for the "on-edge attacks". |
That's doable though would require negative low balances which seems like it would add more complication. In general this would be at most a ~1-3% benefit to the attacker so it's not close to a critical security issue; the fact that attackers with 16 ETH balances can be proposers as often as validators with 32 ETH may be more significant. The reason neither of these issues are a big deal is that ultimately keeping your balance close to an integer, or pushing your balance down to 16 ETH, requires sacrificing revenue or deliberately incurring penalties, so in practice it's like slashing yourself by the amount by which you're gaining an unfair advantage. |
I wholeheartedly agree that none of these issues propose a serious threat it was more a comment on how it well be cool if we could design around it. I didn't think of the negative low balances, I agree it's not pretty. |
In theory an attacker could use deposits and transfers to make their balances close to integers prior to launching an attack. This may be a (small) argument for having |
True, though that would only allow one deliberate change per deposit -> exit cycle, so minimum ~once per ~520 epochs. And a deposit/exit cycle would require two fork choice metadata updates and four branch updates anyway. Perhaps this is a rationale for a minimum deposit period equal to one custody period before exiting is allowed (didn't we have this in an earlier version anyway, to ensure shard proposal committee grinding resistance?), to bump that up to minimum once per ~2568 epochs. Would be a one-line change to implement. |
Add to the validator registry a value
rounded_balance
, and reduce theuint64
invalidator_balances
tounit32
, renaming the arrayvalidator_fractional_balances
.Redefine
validator_balances[i]
with the following function:Replace
validator_balances[i] = x
(or+= x
) with the following function:Motivation
The goal is to split the balance into two components, one an integer number of ETH and the other a fractional part. This accomplishes three functions:
validator_balances
by 50%validator_registry
, reducing the number of Merkle branches per validator they need to download from 3 to 2 (actually often from ~2.01 to ~1.01, because when fetching a committee the Merkle branches inactive_index_roots
are mostly shared), achieving a very significant decrease in light client bandwidth costsThe "slack mechanism" (the rounded balance is adjusted down when the balance falls below x, but is adjusted up when it goes above x + 1.5) ensures that a full 0.5 ETH of balance adjustment is required to cause the rounded balance to change. This prevents "on-the-edge attacks" where an attacker maintains a large set of validators whose balances oscillate between x+0.000001 and x-0.000001 for some integer x, causing very frequent changes of the rounded balance and hence very frequent (i) relatively expensive validator registry re-hashings, and (ii) relatively expensive fork choice metadata adjustments.
The text was updated successfully, but these errors were encountered: