| simd | title | authors | category | type | status | created | feature | |
|---|---|---|---|---|---|---|---|---|
0204 |
Slashable event verification |
|
Standard |
Core |
Review |
2024-11-26 |
(fill in with feature tracking issues once accepted) |
This proposal describes an enshrined on-chain program to verify proofs that a validator committed a slashable infraction. This program creates reports on chain for use in future SIMDs.
This proposal does not modify any stakes or rewards, the program will only verify and log infractions.
There exists a class of protocol violations that are difficult to detect synchronously, but are simple to detect after the fact. In order to penalize violators we provide a means to record these violations on chain.
This also serves as a starting point for observability and discussions around the economics of penalizing these violators. This is a necessary step to implement slashing in the Solana Protocol.
None
create_slashing_program:
sProgVaNWkYdP2eTRAy1CPrgb3b9p8yXCASrPEqo6VJ
On the epoch boundary where the create_slashing_program feature flag is first
activated the following behavior will be executed in the first block for the new
epoch:
-
Create a new program account at
S1ashing11111111111111111111111111111111111owned by the default upgradeable loader with an upgrade authority set toNone, and create the associated program data account. -
Verify that the buffer account
S1asHs4je6wPb2kWiHqNNdpNRiDaBEDQyfyCThhsrgvhas a verified build hash of192ed727334abe822d5accba8b886e25f88b03c76973c2e7290cfb55b9e1115f[1] -
Serialize the contents of
S1asHs4je6wPb2kWiHqNNdpNRiDaBEDQyfyCThhsrgvinto the program data account forS1ashing11111111111111111111111111111111111 -
Invoke the loader to deploy the new program account and program data account. This step also updates the program cache.
-
Zero out the buffer account
S1asHs4je6wPb2kWiHqNNdpNRiDaBEDQyfyCThhsrgv, and update the changes to capitalization and account data lengths accordingly.
This is the only protocol change that clients need to implement. The remaining proposal describes the function of this program, hereafter referred to as the slashing program.
The buffer account S1asHs4je6wPb2kWiHqNNdpNRiDaBEDQyfyCThhsrgv will hold the
v1.0.0 release of the slashing program
https://github.com/solana-program/slashing/releases/tag/v1.0.0
This slashing program supports two instructions DuplicateBlockProof, and
CloseViolationReport.
DuplicateBlockProof requires 2 accounts, the Instructions sysvar, and the
system program :
proof_account, expected to be previously initialized with the proof data.pda_account, the PDA in which to store the violation report. See the below section for details. Must be writable.instructions, Instructions sysvarsystem_program_account, required to create the violation report.
DuplicateBlockProof has an instruction data of 305 bytes, containing:
0x01, a fixed-value byte acting as the instruction discriminatoroffset, an unaligned eight-byte little-endian unsigned integer indicating the offset from which to read the proofslot, an unaligned eight-byte little-endian unsigned integer indicating the slot in which the violation occurednode_pubkey, an unaligned 32 byte array representing the public key of the node which committed the violationreporter, an unaligned 32 byte array representing the account to credit as the first reporter of this violation if a successful slashing report is written.destination, an unaligned 32 byte array representing the account to reclaim the lamports if a successful slashing report account is created and then later closed.shred_1_merkle_root, an unaligned 32 byte array representing the merkle root of the first shred in theproof_accountshred_1_signature, an unaligned 64 byte array representing the signature ofnode_pubkeyon the first shred in theproof_accountshred_2_merkle_root, an unaligned 32 byte array representing the merkle root of the second shred in theproof_accountshred_2_signature, an unaligned 64 byte array representing the signature ofnode_pubkeyon the second shred in theproof_account
We expect the contents of the proof_account when read from offset to
deserialize to two byte arrays representing the duplicate shreds.
The first 4 bytes correspond to the length of the first shred, and the 4 bytes
after that shred correspond to the length of the second shred.
struct DuplicateBlockProofData {
shred1_length: u32 // Unaligned four-byte little-endian unsigned integer,
shred1: &[u8] // `shred1_length` bytes representing a shred,
shred2_length: u32 // Unaligned four-byte little-endian unsigned integer,
shred2: &[u8] // `shred2_length` bytes representing a shred,
}Users are expected to populate the proof_account themselves, using an onchain
program such as the Record program.
DuplicateBlockProof aborts if:
- The difference between the current slot and
slotis greater than 1 epoch's worth of slots as reported by theClocksysvar - The
destinationis equal to the address ofpda_account offsetis larger than the length ofproof_accountproof_account[offset..]does not deserialize cleanly to aDuplicateBlockProofData.- The resulting shreds do not adhere to the Solana shred format [2] or are legacy shred variants.
- The resulting shreds specify a slot that is different from
slot. - The resulting shreds specify different shred versions.
After deserialization the slashing program will attempt to verify the proof, by
checking that shred1 and shred2 constitute a valid duplicate block proof for
slot and are correctly signed by node_pubkey. This is similar to logic used
in Solana's gossip protocol to verify duplicate block proofs for use in fork choice.
shred1 and shred2 constitute a valid duplicate block proof if any of the
following conditions are met:
- Both shreds specify the same index and shred type, however their payloads differ
- Both shreds specify the same FEC set, however their merkle roots differ
- Both shreds specify the same FEC set and are coding shreds, however their erasure configs conflict
- The shreds specify different FEC sets, the lower index shred is a coding shred, and its erasure meta indicates an FEC set overlap
- The shreds specify different FEC sets, the lower index shred has a merkle root that is not equal to the chained merkle root of the higher index shred
- The shreds are data shreds with different indices and the shred with the lower
index has the
LAST_SHRED_IN_SLOTflag set
Note: We do not verify that node_pubkey was the leader for slot. Any node that
willingly signs duplicate shreds for a slot that they are not a leader for is
eligible for slashing.
In order to verify that shred1 and shred2 were correctly signed by
node_pubkey we use instruction introspection.
Using the Instructions sysvar we verify that the previous instruction of
this transaction are for the program ID
Ed25519SigVerify111111111111111111111111111
For this instruction, verify the instruction data:
- The first byte is
0x02 - The second byte (padding) is
0x00
Verify that the remaining instruction data represents two signature offsets which is specified as 2 byte little-endian unsigned integers:
struct Ed25519SignatureOffsets {
signature_offset: u16, // offset to ed25519 signature of 64 bytes
signature_instruction_index: u16, // instruction index to find signature
public_key_offset: u16, // offset to public key of 32 bytes
public_key_instruction_index: u16, // instruction index to find public key
message_data_offset: u16, // offset to start of message data
message_data_size: u16, // size of message data
message_instruction_index: u16, // index of instruction data to get message
// data
}We wish to verify that these instructions correspond to
verify(pubkey = node_pubkey, message = shred1.merkle_root, signature = shred1.signature)
verify(pubkey = node_pubkey, message = shred2.merkle_root, signature = shred2.signature)
We use the deserialized offsets to calculate [3] the pubkey,
message, and signature of each instruction and verify that they correspond
to the node_pubkey, merkle_root, and signature specified by the shred payload.
The instruction indices must point to the DuplicateBlockProof instruction and
the offsets into the instruction data where these values are stored.
If both proof and signer verification succeed, we continue on to store the incident.
After verifying a successful proof we store the results in a program derived
address for future use. The PDA is derived using the node_pubkey, slot, and
the violation type:
let (pda, _) = find_program_address(&[
node_pubkey.to_bytes(), // 32 byte array representing the public key
slot.to_le_bytes(), // Unsigned little-endian eight-byte integer
1u8, // Byte representing the violation type
])If the pda is not equal to the addres of the pda_account then we abort.
At the moment DuplicateBlock is the only violation type but future work will
add additional slashing types.
We expect the pda account to be prefund-ed by the user to contain enough lamports
to store a ProofReport.
If the pda account has any data, is owned by the slashing program, and the version
number is non zero then we abort as the violation has already been reported.
Otherwise we allocate space in the account, and assign the slashing program as
the owner. In this account we store the following:
struct ProofReport {
version: u8, // 1 byte specifying the version number,
currently 1
reporter: Pubkey, // 32 byte array representing the pubkey of the
Fee payer, who reported this violation
destination: Pubkey, // 32 byte array representing the account to
credit the lamports when this proof report
is closed.
epoch: Epoch, // Unaligned unsigned eight-byte little endian
integer representing the epoch in which this
report was created
pubkey: Pubkey, // 32 byte array representing the pubkey of the
node that committed the violation
slot: Slot, // Unaligned unsigned eight-byte little endian
integer representing the slot in which the
violation occured
violation_type: u8, // Byte representing the violation type
}immediately followed by a DuplicateBlockProofData.
This proof data provides an on chain trail of the reporting process, since the
proof_account supplied in the DuplicateBlockProof instruction could later
be modified.
The pubkey is populated with the node_pubkey. For future violation types that
involve votes, this will instead be populated with the vote account's pubkey.
The work in SIMD-0180 will allow the node_pubkey to be translated to a vote account
if needed.
In a future SIMD the reports will be used for runtime processing. This is out of
scope, but after this period has passed, the initial fee payer may wish to close
their ProofReport account to reclaim the lamports.
They can accomplish this via the CloseViolationReport instruction which requires
two accounts
report_account: The PDA account storing the report: Writable, owned by the slashing programdestination_account: The destination account to receive the lamports: Writable
CloseViolationReport has an instruction data of one byte, containing:
0x00, a fixed-value byte acting as the instruction discriminator
We abort if:
report_accountis not owned by the slashing programreport_accountdoes not deserialize cleanly toProofReportreport_account.destinationdoes not matchdestination_accountreport_account.epoch + 3is greater than the current epoch reported from theClocksysvar. We want to ensure that these accounts do not get closed before they are observed by indexers and dashboards.
The three epoch window is somewhat arbitrary, we only need the report_account to
last at least one epoch in order to for it to be observed by the runtime as part
of a future SIMD.
Otherwise we set the owner of report_account to the system program, rellocate
the account to 0 bytes, and credit the lamports to destination_account
This proposal deploys the slashing program in an "enshrined" account, only upgradeable through code changes in the validator software. Alternatively we could follow the SPL program convention and deploy to an account upgradeable by a multisig. This allows for more flexibility in the case of deploying hotfixes or rapid changes, however allowing upgrade access to such a sensitive part of the system via a handful of engineers poses a security risk.
A new program will be enshrined at S1ashing11111111111111111111111111111111111.
Reports stored in PDAs of this program might be queried for dashboards which could incur additional indexing overhead for RPC providers.
None
None
The feature is not backwards compatible
[1]: Sha256 of program data, see https://github.com/Ellipsis-Labs/solana-verifiable-build/blob/214ba849946be0f7ec6a13d860f43afe125beea3/src/main.rs#L331 for details.
[2]: The slashing program will support any combination of merkle shreds, chained merkle shreds, and retransmitter signed chained merkle shreds, see https://github.com/anza-xyz/agave/blob/4e7f7f76f453e126b171c800bbaca2cb28637535/ledger/src/shred.rs#L6 for the full specification.
[3]: Example of offset calculation can be found here https://docs.solanalabs.com/runtime/programs#ed25519-program