simd: '0204' title: Slashable event verification authors:
This proposal describes an enshrined on-chain program to verify proofs that a validator committed a slashable infraction. This program creates reports on chain for use in future SIMDs.
This proposal does not modify any stakes or rewards, the program will only verify and log infractions.
There exists a class of protocol violations that are difficult to detect synchronously, but are simple to detect after the fact. In order to penalize violators we provide a means to record these violations on chain.
This also serves as a starting point for observability and discussions around the economics of penalizing these violators. This is a necessary step to implement slashing in the Solana Protocol.
None
create_slashing_program:
sProgVaNWkYdP2eTRAy1CPrgb3b9p8yXCASrPEqo6VJOn the epoch boundary where the create_slashing_program feature flag is first
activated the following behavior will be executed in the first block for the new
epoch:
Create a new program account at S1ashing11111111111111111111111111111111111
owned by the default upgradeable loader with an upgrade authority set to None,
and create the associated program data account.
Verify that the buffer account
S1asHs4je6wPb2kWiHqNNdpNRiDaBEDQyfyCThhsrgv has a verified build hash of
192ed727334abe822d5accba8b886e25f88b03c76973c2e7290cfb55b9e1115f [1]
Serialize the contents of S1asHs4je6wPb2kWiHqNNdpNRiDaBEDQyfyCThhsrgv into
the program data account for S1ashing11111111111111111111111111111111111
Invoke the loader to deploy the new program account and program data account. This step also updates the program cache.
Zero out the buffer account S1asHs4je6wPb2kWiHqNNdpNRiDaBEDQyfyCThhsrgv, and
update the changes to capitalization and account data lengths accordingly.
This is the only protocol change that clients need to implement. The remaining proposal describes the function of this program, hereafter referred to as the slashing program.
The buffer account S1asHs4je6wPb2kWiHqNNdpNRiDaBEDQyfyCThhsrgv will hold the
v1.0.0 release of the slashing program
https://github.com/solana-program/slashing/releases/tag/v1.0.0
This slashing program supports two instructions DuplicateBlockProof, and
CloseViolationReport.
DuplicateBlockProof requires 2 accounts, the Instructions sysvar, and the
system program :
proof_account, expected to be previously initialized with the proof data.report_account, the PDA in which to store the violation report. See the below
section for details. Must be writable.instructions, Instructions sysvarsystem_program_account, required to create the violation report.DuplicateBlockProof has an instruction data of 305 bytes, containing:
0x01, a fixed-value byte acting as the instruction discriminatoroffset, an unaligned eight-byte little-endian unsigned integer indicating
the offset from which to read the proofslot, an unaligned eight-byte little-endian unsigned integer indicating the
slot in which the violation occurednode_pubkey, an unaligned 32 byte array representing the public key of the
node which committed the violationreporter, an unaligned 32 byte array representing the account to credit
as the first reporter of this violation if a successful slashing report is
written.destination, an unaligned 32 byte array representing the account to reclaim
the lamports if a successful slashing report account is created and then later
closed.shred_1_merkle_root, an unaligned 32 byte array representing the merkle root
of the first shred in the proof_accountshred_1_signature, an unaligned 64 byte array representing the signature
of node_pubkey on the first shred in the proof_accountshred_2_merkle_root, an unaligned 32 byte array representing the merkle root
of the second shred in the proof_accountshred_2_signature, an unaligned 64 byte array representing the signature
of node_pubkey on the second shred in the proof_accountWe expect the contents of the proof_account when read from offset to
deserialize to two byte arrays representing the duplicate shreds.
The first 4 bytes correspond to the length of the first shred, and the 4 bytes
after that shred correspond to the length of the second shred.
struct DuplicateBlockProofData {
shred1_length: u32 // Unaligned four-byte little-endian unsigned integer,
shred1: &[u8] // `shred1_length` bytes representing a shred,
shred2_length: u32 // Unaligned four-byte little-endian unsigned integer,
shred2: &[u8] // `shred2_length` bytes representing a shred,
}
Users are expected to populate the proof_account themselves, using an onchain
program such as the Record program.
DuplicateBlockProof aborts if:
slot is greater than 1 epoch's
worth of slots as reported by the Clock sysvardestination is equal to the address of pda_accountoffset is larger than the length of proof_accountproof_account[offset..] does not deserialize cleanly to a
DuplicateBlockProofData.slot.After deserialization the slashing program will attempt to verify the proof, by
checking that shred1 and shred2 constitute a valid duplicate block proof for
slot and are correctly signed by node_pubkey. This is similar to logic used
in Solana's gossip protocol to verify duplicate block proofs for use in fork choice.
shred1 and shred2 constitute a valid duplicate block proof if any of the
following conditions are met:
LAST_SHRED_IN_SLOT flag setNote: We do not verify that node_pubkey was the leader for slot. Any node that
willingly signs duplicate shreds for a slot that they are not a leader for is
eligible for slashing.
In order to verify that shred1 and shred2 were correctly signed by
node_pubkey we use instruction introspection.
Using the Instructions sysvar we verify that the previous instruction of
this transaction are for the program ID
Ed25519SigVerify111111111111111111111111111
For this instruction, verify the instruction data:
0x020x00Verify that the remaining instruction data represents two signature offsets which is specified as 2 byte little-endian unsigned integers:
struct Ed25519SignatureOffsets {
signature_offset: u16, // offset to ed25519 signature of 64 bytes
signature_instruction_index: u16, // instruction index to find signature
public_key_offset: u16, // offset to public key of 32 bytes
public_key_instruction_index: u16, // instruction index to find public key
message_data_offset: u16, // offset to start of message data
message_data_size: u16, // size of message data
message_instruction_index: u16, // index of instruction data to get message
// data
}
We wish to verify that these instructions correspond to
verify(pubkey = node_pubkey, message = shred1.merkle_root, signature = shred1.signature)
verify(pubkey = node_pubkey, message = shred2.merkle_root, signature = shred2.signature)
We use the deserialized offsets to calculate [3] the pubkey,
message, and signature of each instruction and verify that they correspond
to the node_pubkey, merkle_root, and signature specified by the shred payload.
The instruction indices must point to the DuplicateBlockProof instruction and
the offsets into the instruction data where these values are stored.
If both proof and signer verification succeed, we continue on to store the incident.
After verifying a successful proof we store the results in a program derived
address for future use. The PDA is derived using the node_pubkey, slot, and
the violation type:
let (pda, _) = find_program_address(&[
node_pubkey.to_bytes(), // 32 byte array representing the public key
slot.to_le_bytes(), // Unsigned little-endian eight-byte integer
1u8, // Byte representing the violation type
])
If the pda is not equal to the addres of the pda_account then we abort.
At the moment DuplicateBlock is the only violation type but future work will
add additional slashing types.
We expect the pda account to be prefund-ed by the user to contain enough lamports
to store a ProofReport.
If the pda account has any data, is owned by the slashing program, and the version
number is non zero then we abort as the violation has already been reported.
Otherwise we allocate space in the account, and assign the slashing program as
the owner. In this account we store the following:
struct ProofReport {
version: u8, // 1 byte specifying the version number,
// currently 1
reporter: Pubkey, // 32 byte array representing the pubkey of the
// Fee payer, who reported this violation
destination: Pubkey, // 32 byte array representing the account to
// credit the lamports when this proof report
// is closed.
epoch: Epoch, // Unaligned unsigned eight-byte little endian
// integer representing the epoch in which this
// report was created
violator: Pubkey, // 32 byte array representing the pubkey of the
// node that committed the violation
slot: Slot, // Unaligned unsigned eight-byte little endian
// integer representing the slot in which the
// violation occured
violation_type: u8, // Byte representing the violation type
}
immediately followed by a DuplicateBlockProofData.
This proof data provides an on chain trail of the reporting process, since the
proof_account supplied in the DuplicateBlockProof instruction could later
be modified.
The pubkey is populated with the node_pubkey. For future violation types that
involve votes, this will instead be populated with the vote account's pubkey.
The work in SIMD-0180 will allow the node_pubkey to be translated to a vote account
if needed.
In a future SIMD the reports will be used for runtime processing. This is out of
scope, but after this period has passed, the initial fee payer may wish to close
their ProofReport account to reclaim the lamports.
They can accomplish this via the CloseViolationReport instruction which requires
two accounts
report_account: The PDA account storing the report: Writable, owned by the
slashing programdestination_account: The destination account to receive the lamports: WritableCloseViolationReport has an instruction data of one byte, containing:
0x00, a fixed-value byte acting as the instruction discriminatorWe abort if:
report_account is not owned by the slashing programreport_account does not deserialize cleanly to ProofReportreport_account.destination does not match destination_accountreport_account.epoch + 3 is greater than the current epoch reported from
the Clock sysvar. We want to ensure that these accounts do not get closed before
they are observed by indexers and dashboards.The three epoch window is somewhat arbitrary, we only need the report_account to
last at least one epoch in order to for it to be observed by the runtime as part
of a future SIMD.
Otherwise we set the owner of report_account to the system program, rellocate
the account to 0 bytes, and credit the lamports to destination_account
This proposal deploys the slashing program in an "enshrined" account, only upgradeable through code changes in the validator software. Alternatively we could follow the SPL program convention and deploy to an account upgradeable by a multisig. This allows for more flexibility in the case of deploying hotfixes or rapid changes, however allowing upgrade access to such a sensitive part of the system via a handful of engineers poses a security risk.
A new program will be enshrined at S1ashing11111111111111111111111111111111111.
Reports stored in PDAs of this program might be queried for dashboards which could incur additional indexing overhead for RPC providers.
None
None
The feature is not backwards compatible
[1]: Sha256 of program data, see https://github.com/Ellipsis-Labs/solana-verifiable-build/blob/214ba849946be0f7ec6a13d860f43afe125beea3/src/main.rs#L331 for details.
[2]: The slashing program will support any combination of merkle shreds, chained merkle shreds, and retransmitter signed chained merkle shreds, see https://github.com/anza-xyz/agave/blob/4e7f7f76f453e126b171c800bbaca2cb28637535/ledger/src/shred.rs#L6 for the full specification.
[3]: Example of offset calculation can be found here https://docs.solanalabs.com/runtime/programs#ed25519-program