PolkaDot-6.2-Staking Contract

6.2. Staking Contract. This contract maintains the validator set. It manages:

  • which accounts are currently validators;
  • which are available to become validators at short notice;
  • which accounts have placed stake nominating to a validator;
  • properties of each including staking volume, acceptable payout-rates and addresses and shortterm (session) identities.

It allows an account to register a desire to become a bonded validator (along with its requirements), to nominate to some identity, and for preexisting bonded validators to register their desire to exit this status. It also includes the machinery itself for the validation and canonicalisation mechanism.

6.2. 质押合约。该合约维护着验证人集群。它管理:

  • 那些目前是验证人的账户;
  • 那些可以在短时间内成为验证人的账户;
  • 那些已将权益提名给验证人的账户。
  • 每个账户的属性,包括质押量,可接受的支付率和地址以及短期(会话)身份。

它允许一个账户注册成为保税验证人(有担保的)的愿望(以及它的要求),提名到一些身份,并允许预先存在的保税验证人注册他们退出这种状态的愿望。它还包括验证和规范化机制的机制本身。

6.2.1 Stake-token Liquidity. It is generally desirable to have as much of the total staking tokens as possible to be staked within the network maintenance operations since this directly ties the network security to the overall “market capitalisation" of the staking token. This can easily be incentivised through in ating the currency and handing out the proceeds to those who participate as validators. However, to do so presents a problem: if the token is locked in the Staking Contract under punishment of reduction, how can a substantial portion remain suciently liquid in order to allow price discovery?

One answer to this is allowing a straight-forward derivative contract, securing fungible tokens on an underlying staked token. This is dicult to arrange in a trustfree manner. Furthermore, these derivative tokens cannot be treated equally for the same reason that dierent Eurozone government’s bonds are not fungible: there is a chance of the underlying asset failing and becoming worthless. With Eurozone governments, there could be a default. With validator-staked tokens, the validator may act maliciously and be punished. Keeping with our tenets, we elect for the simplest solution: not all tokens be staked. This would mean that some proportion (perhaps 20%) of tokens will forcibly remain liquid. Though this is imperfect from a security perspective, it is unlikely to make a fundamental dierence in the security of the network; 80% of the reparations possible from bond-conscations would still be able to be made compared to the \perfect case" of 100% staking.

The ratio between staked and liquid tokens can be targeted fairly simply through a reverse auction mechanism. Essentially, token holders interested in being a validator would each post an oer to the staking contract stating the minimum payout-rate that they would require to take part. At the beginning of each session (sessions would happen regularly, perhaps as often as once per hour) the validator slots would be lled according to each would-be validator’s stake and payout rate. One possible algorithm for this would be to take those with the lowest oers who represent a stake no higher than the total stake targeted divided by the number of slots and no lower than a lowerbound of half that amount. If the slots cannot be lled, the lower bound could be repeatedly reduced by some factor in order to satisfy.

6.2.1 质押代币的流动性。一般来说,网络维护运营中最好能有尽可能多的质押代币,因为这直接将网络安全与质押代币的整体 "市值 "挂钩。这可以很容易地通过入驻货币,并将收益派发给作为验证者参与的人来激励。然而,这样做会带来一个问题:如果代币在减持惩罚下被锁定在质押合约中,那么如何保持相当一部分的流动性,以便允许价格发现?

其中一个答案是允许直接的衍生品合约,在底层的质押代币上确保可互换的代币。这是很难以无信任的方式安排的。此外,这些衍生代币不能被平等对待,原因与不同欧元区政府的债券不可互换一样:有可能出现基础资产失败并变得毫无价值。对于欧元区政府,可能会出现违约。对于验证者标记的代币,验证者可能会采取恶意行为并受到惩罚。秉承我们的宗旨,我们选择最简单的解决方案:不是所有的代币都被盯上。这将意味着有一部分(可能是20%)的代币会被强制保持流动性。虽然从安全的角度来看,这是不完美的,但它不可能对网络的安全性产生根本性的影响;与100%被质押的 "完美情况 "相比,担保合约可能产生的80%的补偿仍然可以进行。

通过反向拍卖机制,可以很简单地确定质押代币和流通代币之间的比例。本质上,有兴趣成为验证者的代币持有者将在质押合约上发布一个声明,说明他们需要参与的最低支付率。在每个交易会开始时(交易会定期进行,可能每小时一次),验证者名额将根据每个潜在验证者的赌注和支付率进行分配。一种可能的算法是取那些最低的赌注者,他们的赌注不高于目标的总赌注除以老虎机的数量,并且不低于该金额的一半的下限。如果老虎机不能被选中,则下限可以反复降低一些系数,以满足。

6.2.2. Nominating. It is possible to trustlessly nominate ones staking tokens to an active validator, giving them the responsibility of validators duties. Nominating works through an approval-voting system. Each would-be nominator is able to post an instruction to the staking contract expressing one or more validator identities under whose responsibility they are prepared to entrust their bond.

Each session, nominators’ bonds are dispersed to be represented by one or more validators. The dispersal algorithm optimises for a set of validators of equivalent total bonds. Nominators’ bonds become under the effective responsibility of the validator and gain interest or suer a punishment-reduction accordingly.

6.2.2. 提名。可以将自己的质押代币无信任地提名给一个活跃的验证者,给他们以验证人的职责。提名工作通过审批投票制度实现。每个潜在的提名人能够向质押合同发布指令,明示一个或多个验证者身份,准备将自己的担保金委托到其名下。

每届会话,提名人的保证金都会被分散到一个或多个验证人身上。分散算法对一组和总保证金量相当的验证者进行优化。提名人的保证金由验证人承担实际责任,并获得相应的利息或减免惩罚。

6.2.3. Bond Confiscation/Burning. Certain validator behaviour results in a punitive reduction of their bond. If the bond is reduced below the allowable minimum, the session is prematurely ended and another started. A nonexhaustive list of punishable validator misbehaviour includes:

  • Being part of a parachain group unable to provide consensus over the validity of a parachain block;
  • actively signing for the validity of an invalid parachain block;
  • inability to supply egress payloads previously voted as available;
  • inactivity during the consensus process;
  • validating relay-chain blocks on competing forks.

Some cases of misbehaviour threaten the network’s integrity (such as signing invalid parachain blocks and validating multiple sides of a fork) and as such result in effective exile through the total reduction of the bond. In other, less serious cases (e.g. inactivity in the consensus process) or cases where blame cannot be precisely allotted (being part of an ineective group), a small portion of the bond may instead be fined. In the latter case, this works well with sub-group churn to ensure that malicious nodes suer substantially more loss than the collaterallydamaged benevolent nodes.

In some cases (e.g. multi-fork validation and invalid sub-block signing) validators cannot themselves easily detect each others’ misbehaviour since constant verfiication of each parachain block would be too arduous a task. Here it is necessary to enlist the support of parties external to the validation process to verify and report such misbehaviour. The parties get a reward for reporting such activity; their term, ”fishermen" stems from the unlikeliness of such a reward.

Since these cases are typically very serious, we envision that any rewards can easily be paid from the confiscated bond. In general we prefer to balance burning (i.e. reduction to nothing) with reallocation, rather than attempting wholesale reallocation. This has the effect of increasing the overall value of the token, compensating the network in general to some degree rather than the specic party involved in discovery. This is mainly as a safety mechanism: the large amounts involved could lead to extreme and acute behaviour incentivisation were they all bestowed on a single target.

In general, it is important that the reward is sufficiently large to make verification worthwhile for the network, yet not so large as to oset the costs of fronting a well-financed, well-orchestrated “industrial-level” criminal hacking attack on some unlucky validator to force misbehaviour.

In this way, the amount claimed should generally be no greater than the direct bond of the errant validator, lest a perverse incentive arise of misbehaving and reporting oneself for the bounty. This can be combated either explicitly through a minimum direct bond requirement for being a validator or implicitly by educating nominators that validators with little bonds deposited have no great incentive to behave well.

6.2.3.没收/烧毁保证金。验证者的某些行为导致其保证金的惩罚性减少。如果保证金减少到可允许的最低限度以下,则该次会话提前结束,并开始另一次会话。可能受惩罚的验证者不当行为的非详尽清单,包括: 没收/烧毁保证金。验证者的某些行为导致其保证金的惩罚性减少。如果保证金减少到可允许的最低限度以下,则该次会话提前结束,并开始另一次会话。可受惩罚的验证者不当行为的非详尽清单包括。

  • 作为平行链组的一部分,无法对平行链区块的有效性提供共识 ;
  • 主动为无效的平行链区块的有效性签名。
  • 无法提供出口有效载荷,而之前投票时为可用。
  • 在共识过程中不活动。
  • 验证竞争分叉上的中继链块。

一些行为不当的情况会威胁到网络的完整性(如签署无效的平行链块和验证一个分叉的多个面),因此会导致通过完全减少保证金的有效流放。在其他不那么严重的情况下(例如在共识过程中不活跃),或者无法精确分配责任的情况下(属于无效组),反而可以对一小部分保证金进行罚款。在后一种情况下,这与子组搅动配合得很好,以确保恶意节点比联合受损的诚实节点承受更多的损失。

在某些情况下(如多叉验证和无效的子块签名),验证者本身无法轻易地检测到对方的不当行为,因为对每个准链区块进行不断的验证将是一项过于艰巨的任务。在这里,有必要争取验证过程外部各方的支持,来验证和报告这种不当行为。当事人通过报告这种活动获得奖励,他们的术语 "钓鱼人"源于这种奖励的不可能性。

由于这些案件通常非常严重,我们设想任何奖励都可以轻易地从没收的保证金中支付。一般来说,我们更倾向于平衡燃烧(即减少到一无所有)和重新分配,而不是尝试批发重新分配。这样做的效果是增加代币的整体价值,在一定程度上补偿了整个网络,而不是参与发现的规范方。这主要是作为一种安全机制:如果将所有的代币都授予一个目标,涉及的大量金额可能会导致极端和严重的行为激励。

总的来说,重要的是,奖励足够大,足以使网络验证值得,但也不至于太大,以至于无法承担对一些不幸的验证器进行的资金充足、精心策划的“工业级”犯罪黑客攻击,迫使其行为不端。

这样一来,索要的金额一般不应高于犯错验证者的直接保证金,以免产生不守规矩、举报自己以获取赏金的不正当激励。要解决这个问题,既可以通过明文规定成为验证人的最低直接保证金要求,也可以通过教育提名人,让交纳保证金少的验证人没有太大的动机去好好表现。

Tangle [18] is a novel approach to consensus systems. Rather than arranging transactions into blocks and forming consensus over a strictly linked list to give a globally canonical ordering of state-changes, it largely abandons the idea of a heavily structured ordering and instead pushes for a directed acyclic graph of dependent transactions with later items helping canonicalise earlier items through explicit referencing. For arbitrary state-changes, this dependency graph would quickly become intractable, however for the much simpler UTXO model this becomes quite reasonable. Because the system is only loosely coherent and transactions are generally independent of each other, a large amount of global parallelism becomes quite natural. Using the UTXO model does have the effect of limiting Tangle to a purely value-transfer “currency" system rather than anything more general or extensible. Furthermore without the hard global coherency, interaction with other systems|which tend to need an absolute degree knowledge over the system state|becomes impractical.

Tangle[18]是一种新颖的共识系统方法。它没有将交易排序后再打包入块,也没有在严格的链式列表上形成共识,以给出状态变化的全局规范排序,而是在很大程度上放弃了高度结构化排序的想法,而是推出一个有向无环图,后续的有依赖的交易通过明确的指向,来帮助前面的交易达成一致。对于任意的状态变化,这种依赖图很快就会变得难以处理,然而对于简单得多的UTXO模型来说,这就变得非常合理。由于系统只是松散的连贯性,而且交易一般都是相互独立的,因此大量的全局并发变得非常自然。使用UTXO模型的效果是将Tangle限制在一个纯粹的价值转移 "货币 "系统中,而不是任何更通用或可扩展的系统。此外,如果没有硬性的全局一致性,与其他系统的交互(这些系统往往需要对系统状态有绝对程度的了解)将变得不切实际。