disputes: implement validator disabling

Open ordian opened this issue 3 years ago • 4 comments

Once a dispute is concluded and an offence is submitted with DisableStrategy::Always, a validator will be added to the DisabledValidators list.

Implement on-chain and off-chain logic to ignore dispute votes for X sessions. Optionally, we can ignore backing and approval votes and remove the validator from the reserved validator set on the network level.

Possibly outdated: https://github.com/paritytech/polkadot/issues/5946

  • [ ] Gather requirements across stack
  • [ ] Design unified disabling strategy (likely) substrate
  • [ ] Read disabled status from the runtime and apply on node side, for ignoring votes for example in dispute-coordinator.

Possibly related paper here.

ordian avatar Aug 31 '22 14:08 ordian

Also disable validators who repeatedly vote against valid. Disabling means in general that we should not accept any votes/statements from that validator for some time, those include:

  • backing
  • approval
  • explicit dispute statements

In addition, depending on how quickly we disable a validator, it might already have raised thousands of disputes (if it disputes every single candidate for a few blocks). We should also consider deleting already existing disputes (at the dispute-coordinator) in case one side of the dispute consists only and exclusively of disabled validators, so that we apply disabling to already pending participations, not just new ones.

This might be tricky to get right (sounds like it could be racy). The reason we should at least think about this a bit is that so many disputes will delay finality for a significant amount of time, resulting in DoS.

Things to consider:

  • How quickly do we disable?
  • How much does the rate limiting in dispute-distribution help?
  • Is the risk worth the complication?

eskimor avatar Sep 01 '22 07:09 eskimor
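The two behaviours discussed above (ignoring new votes from disabled validators, and dropping pending disputes in which one side consists exclusively of disabled validators), sketched as an added example that is not part of this thread or the Polkadot code base. `Coordinator`, `DisputeVotes`, `import_vote` and `disable` are hypothetical names, and the vote data in `main` is constructed.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Hypothetical simplified types for illustration; not the node's real ones.
type ValidatorIndex = u32;
type CandidateHash = u64;

#[derive(Default)]
struct DisputeVotes {
    valid: BTreeSet<ValidatorIndex>,
    invalid: BTreeSet<ValidatorIndex>,
}

#[derive(Default)]
struct Coordinator {
    disabled: BTreeSet<ValidatorIndex>,
    disputes: BTreeMap<CandidateHash, DisputeVotes>,
}

impl Coordinator {
    /// Import a dispute statement; returns false when it is ignored because the voter is disabled.
    fn import_vote(&mut self, candidate: CandidateHash, voter: ValidatorIndex, valid: bool) -> bool {
        if self.disabled.contains(&voter) { return false; }
        let votes = self.disputes.entry(candidate).or_default();
        let side = if valid { &mut votes.valid } else { &mut votes.invalid };
        side.insert(voter);
        true
    }

    /// Disable validators, then drop pending disputes where one side is non-empty and all disabled.
    fn disable(&mut self, offenders: &[ValidatorIndex]) -> Vec<CandidateHash> {
        self.disabled.extend(offenders.iter().copied());
        let disabled = &self.disabled;
        let only_disabled = |side: &BTreeSet<ValidatorIndex>| !side.is_empty() && side.is_subset(disabled);
        let dropped: Vec<CandidateHash> = self.disputes.iter()
            .filter(|(_, v)| only_disabled(&v.valid) || only_disabled(&v.invalid))
            .map(|(c, _)| *c)
            .collect();
        for c in &dropped { self.disputes.remove(c); }
        dropped
    }
}

fn main() {
    let mut c = Coordinator::default();
    // Constructed votes: validator 7 disputes candidates 1 and 2; validator 2 also disputes 2.
    for (cand, voter, valid) in [(1, 0, true), (1, 7, false), (2, 0, true), (2, 2, false), (2, 7, false)] {
        c.import_vote(cand, voter, valid);
    }
    let dropped = c.disable(&[7]);
    println!("dropped {:?}, late vote accepted: {}", dropped, c.import_vote(3, 7, false));
}
```

Candidate 2 survives because a non-disabled validator also voted invalid; the single-threaded sketch does not model the raciness raised above.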

> Also disable validators who repeatedly vote against valid.

That's tracked in #5946 and is purely runtime changes.

> How quickly do we disable?

We can disable as soon as a dispute (reaching threshold) concludes.

> This might be tricky to get right (sounds like it could be racy)

Indeed. I'd be in favor of not complicating this unnecessarily.

ordian avatar Sep 01 '22 10:09 ordian