NEAR uses slashing for two kinds of misbehavior:
- Double signing
- Invalid state transition
The latter only makes sense when there’s more than one shard (or, more specifically, once we have scaled to an extent that most of the block producers cannot track most of the shards).
Slashing is disabled on the mainnet today.
The primary issue with slashing is that once slashing is enabled, way fewer people will be willing to stake or delegate (assuming delegators are also risking their funds in the event their validator is slashed). Thus, in this post I want to start a discussion of one approach to significantly reduce the risk of getting slashed for misconfiguration (e.g. an incorrect failover resulting in a double sign), while keeping the security benefits of slashing.
The proposal is the following: in the event that a validator is caught misbehaving (a cryptographic proof of a double sign or an invalid state transition is presented), their funds are not slashed, but rather they are locked on their account, and the validator is removed from the active set.
Then the validators in the next epoch vote on whether to release the funds, or burn them. The validators in the next epoch cannot withdraw their funds unless they have voted. Once the total number of votes reaches 2/3, the dominant vote is used: either the funds of the validator that misbehaved are released or they are burned.
Generally, an intentional misbehavior is obvious (e.g. if a single validator double signed, it’s almost certainly an accident, while if several validators double signed around the same time, it’s likely a collusion).
The issue I see with it is that validators have an incentive to slash the validator even if it’s clear that the misbehavior was an accident – after all, a validator being slashed burns quite a few tokens, and thus the price will go up. And the validators that vote have lots of NEAR as well, so the slight uptick in the price is quite noticeable for them.
However, I think the validators have a stronger incentive to vote properly, because a precedent of voting to burn the stake of a validator that hasn’t intentionally committed a slashable behavior will likely result in similar outcomes in the future, and each validator operates under a risk of being on the other side of the vote in the future.
Curious about the opinions re: the proposal above, as well as other ideas on how to make slashing deter fewer people from participation.
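
The lock-then-vote flow proposed in the post, modeled as an added example (not part of the original post and not NEAR protocol code). It assumes one vote per validator rather than stake weighting and that a tie releases the funds; all names (`LockedStakeVote`, `cast`, `can_withdraw`) are hypothetical.

```rust
use std::collections::HashMap;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Vote { Release, Burn }

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Outcome { Pending, Released, Burned }

/// Hypothetical model of one vote on a locked stake (not NEAR protocol code).
pub struct LockedStakeVote {
    validators: Vec<String>,      // next-epoch validator set
    votes: HashMap<String, Vote>, // at most one vote per validator
    outcome: Outcome,             // fixed once the 2/3 threshold is reached
}

impl LockedStakeVote {
    pub fn new(validators: &[&str]) -> Self {
        let validators = validators.iter().map(|v| v.to_string()).collect();
        Self { validators, votes: HashMap::new(), outcome: Outcome::Pending }
    }

    /// Records a vote and fixes the outcome the moment 2/3 of validators have voted.
    pub fn cast(&mut self, who: &str, vote: Vote) -> Result<Outcome, &'static str> {
        if !self.validators.iter().any(|v| v.as_str() == who) {
            return Err("not in the next-epoch validator set");
        }
        if self.votes.contains_key(who) {
            return Err("already voted");
        }
        self.votes.insert(who.to_string(), vote);
        // Integer form of votes / validators >= 2/3. Assumption: one validator, one vote.
        if self.outcome == Outcome::Pending && 3 * self.votes.len() >= 2 * self.validators.len() {
            let burn = self.votes.values().filter(|v| **v == Vote::Burn).count();
            // Assumption: a tie releases the funds; the post does not define ties.
            self.outcome = if 2 * burn > self.votes.len() { Outcome::Burned } else { Outcome::Released };
        }
        Ok(self.outcome)
    }

    /// A next-epoch validator may withdraw its own stake only after voting.
    pub fn can_withdraw(&self, who: &str) -> bool { self.votes.contains_key(who) }
}

fn main() {
    // Constructed scenario: six validators; the fourth vote reaches the 2/3 threshold.
    let mut v = LockedStakeVote::new(&["a", "b", "c", "d", "e", "f"]);
    for (who, vote) in [("a", Vote::Burn), ("b", Vote::Release), ("c", Vote::Release), ("d", Vote::Release)] {
        println!("{} -> {:?}", who, v.cast(who, vote));
    }
}
```

Votes cast after the threshold are still recorded so that late voters can withdraw, but they no longer change the outcome.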