docs(protocol): proposer liveness design (dense blocks, ETH bond, fast takeover)

[dantaik]

Summary

Design doc for closing the silent-no-show gap in Taiko's proposer permissioning, so the chain can credibly aim for "Ethereum validators only" (Q1) while removing the subjective Blacklist overseer role (Q2).

The four components:

• Dense-derivation rule — every L2 second must be filled by a block. Makes "missing" structurally detectable; pairs with an RLE empty-block manifest to keep DA cost flat at 1s block time.
• LivenessSlasher — new URC ISlasher peer to PreconfSlasherL1 and LookaheadSlasher, routed via UnifiedSlasher. Bond denominated in ETH, shared with existing safety/lookahead slashers in the same URC collateral pool. No new TAIKO coupling.
• GapSlash fault — objective on-chain proof of an L2 timestamp gap inside an attributed window. Commitment is derived from the on-chain lookahead rather than signed per-window, so a silent operator cannot escape accountability by withholding evidence. EIP-4788 beacon-root oracle excises any L1 missed-slot intervals (reuses the existing pattern from PreconfSlasherL1.sol:88-92).
• Fast takeover in Inbox.propose — two-stage trigger on head staleness (TAKEOVER_DELAY = 24s → next assignee may step in; TAKEOVER_OPEN_DELAY = 48s → fully permissionless). The takeover transaction may optionally carry GapEvidence for an atomic URC slash on handoff, eliminating any off-chain challenger race. Shrinks the existing 25.6-hour permissionlessInclusionMultiplier backstop into a sub-minute liveness mechanism.

The doc covers terminology, the dense-derivation timestamp rule and RLE encoding, the LivenessSlasher interface and UnifiedSlasher routing, the full GapSlash verification flow, parameter calibration, and a 4-milestone roll-out (M1 substrate → M2 dense blocks → M3 fast takeover + atomic slash → M4 retire Blacklist).

Style and depth match packages/protocol/docs/preconfirmation_lookahead.md. File-by-file contract change scaffold included; no code changes in this PR.

Test plan

• Protocol team reviews design choices and parameter calibration (§11).
• Confirm anchor cadence interaction with RLE empty-runs (§4.5, open question §14.2).
• Confirm URC challenger-payout split semantics for LivenessSlasher (§14.3).
• Confirm MAX_GAP value against historical L1 missed-slot distribution (§14.1).
• Confirm cutover plan for BLOCK_TIME_TARGET 2s → 1s (§14.4).
• Sign-off on the M4 sequencing for retiring the Blacklist overseer role (§13).

https://claude.ai/code/session_01TBxdfr5aeUEWq4MsfAmHYd

---

Generated by Claude Code

[github-actions]

🐋 DeepSeek Code Review

🔴 Critical Issues

• Unresolved URC commitment model breaks the entire slashing path. The design relies on a liveness commitment derived from the on-chain lookahead hash, not a per‑window signed attestation from the operator. URC’s slashCommitment entrypoint currently expects a signed commitment, so the proposed LivenessSlasher has no way to trigger a valid slash (open question 14.4). Until URC is confirmed to accept a standing opt‑in or per‑window pre‑signatures, the atomic slash in Inbox.propose will always fail (and the try/catch will silently degrade liveness restoration to a slash‑free takeover). This is a showstopper—resolve the authentication gap before any implementation.

• Ambiguous takeover edge case can stall the chain. In the stale takeover path, the rescuer inherits the delinquent’s endOfSubmissionWindowTimestamp. If the delinquent’s window has already fully elapsed when TAKEOVER_DELAY fires, that deadline is in the past, making the proposal permanently invalid. The document acknowledges the problem (“the stale branch as drafted would return endOfSubmissionWindowTimestamp = windowEnd (in the past)”) and offers two possible fixes, but leaves the final choice to the implementation. An incomplete fix here would block any handoff and extend the chain stall indefinitely. This edge case must be specified exhaustively and tested before M3.

• Liveness gap from sparse manifests still lacks a slashing deterrent. The design collapses all faults into NoProposal and punishes sparse intra‑window submissions only with a soft penalty (default‑manifest replacement, lost MEV). An operator who posts a sparse manifest that skips seconds can still earn MEV from the blocks they do include while letting the rest be default‑filled. If MEV_per_second > 0 for the blocks they produce, the soft penalty alone may not deter the behavior—and the slasher provides no bond loss. The document’s invariant PER_SECOND_PENALTY > MEV/s applies only to full silence, not to selective sparseness. This could allow operators to systematically degrade liveness for users without losing URC collateral.

🟡 Warnings

• try/catch on the atomic slash masks deep URC non‑conformance. If URC’s slashCommitment reverts because the commitment format is fundamentally unsupported (not just a transient “collateral drained”), the slash is silently discarded forever—no retry can work. The AtomicSlashFailed event should emit a clear distinguishable error code so that operators and watchtowers know whether the fault is permanently un‑slashable.

• Full lookahead array in GapEvidence may discourage rescuers. Carrying the entire LookaheadSlot[] (up to 32 entries) in calldata adds significant cost to the takeover transaction. Until the Merkle‑proof optimization (open question 14.6) is implemented, atomic slashes will be expensive, weakening the incentive for rescuers to include evidence. The Merkle upgrade should be prioritized or, at minimum, a calldata‑cost simulation included in the M3 readiness criteria.

• RLE decoding complexity introduces new attack surface. A malicious or buggy EmptyBlockRun could be crafted to produce an incorrect number of empty blocks while still passing the dense‑derivation check, potentially corrupting L2 state or spiking prover work. Fuzz the RLE decoder against edge cases (e.g., overflow in count, mismatched startTimestamp) before deploying M2.

• Collateral‑insufficient operators can still operate for one window. After a slashing event that pushes an operator’s URC collateral below MIN_URC_COLLATERAL, they fall out of future lookaheads but remain eligible for the remainder of their current posted lookahead window. A malicious actor could therefore burn their remaining collateral in one final, undeterred window (e.g., a safety fault with no bond left to slash). While inherent to URC’s delayed eligibility check, this deserves explicit acknowledgement in the security considerations.

🔵 Suggestions

• Use bytes32 instead of bytes26 for the lookahead hash. bytes26 offers lower collision resistance without a clear benefit; using a full bytes32 simplifies on‑chain reasoning and matches every other hash in the system.

• Cap the EIP-4788 slot loop to the actual window size, not the epoch. The gap interval’s L1‑slot walk is bounded by MAX_GAP plus the window length, but in practice the maximum penaltyable gap is capped by TAKEOVER_OPEN_DELAY (< 48s). Restricting the loop to windowEnd - windowStart (≤ 144s) would save gas and avoid paying for slots that cannot affect the penalty.

• Raise TAKEOVER_DELAY slightly during the soft‑launch phase. Blob propagation can occasionally exceed 2 L1 slots under congestion; a 36s (3‑slot) delay during the monitor‑only M1/M2 period would generate fewer false‑positive takeovers while the system collects real‑world data. The value can be tuned down later if safe.

• Make the slashingEnabled flag immutable after M2. The monitor‑only mode is critical for safe calibration; ensure the flag cannot be accidentally toggled by an operator or early governance.

---

Automatically triggered on PR update • model: deepseek-v4-pro

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 149b07d1e8

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Add an authenticated source for L2 block timestamps

The GapSlash verifier is specified to compute gaps from beforeGap.firstBlockTs / lastBlockTs, but IInbox.Proposal only stores the L1 proposal timestamp plus blob references; the L2 block timestamps live in derivation manifests/blobs and are not authenticated by the proposal hash in a way this verifier describes. In any implementation following this flow, the slasher either cannot compile against Proposal or must trust caller-supplied timestamps, so sparse/silent proposers remain unverifiable unless the design also stores first/last L2 timestamps or verifies the relevant manifest/blob evidence on-chain.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Do not rely on unsigned commitments for URC slashing

This makes the liveness commitment explicitly not signed, but the URC path used elsewhere in this repo debits collateral through IRegistry.slashCommitment(registrationRoot, ISlasher.SignedCommitment, evidence) (for example PreconfSlasherL1.onMessageInvocation), so a silent operator has no signed commitment that the registry can authenticate before calling the slasher. As written, the atomic slash in §7.2 would fail or require a different URC entry point/delegation model; deriving a hash from the lookahead alone is not enough to make URC slash the operator's collateral.

Useful? React with 👍 / 👎.