Slashing is implemented as a deterrent for validators to misbehave. Slashes are applied to a validator’s total stake (own + nominated) and can range from as little as 0.01% or rise to 100%. In all instances, slashes are accompanied by a loss of nominators.

A slash may occur under four circumstances:

  1. Unresponsiveness – Slashing starts when 10% of the active validators set are offline and increases in a linear manner until 44% of the validator set is offline; at this point, the slash is held at 7%.
  2. Equivocation – A slash of 0.01% is applied with as little as a single evocation. The slashed amount increases to 100% incrementally as more validators also equivocate.
  3. Malicious Action – This may result from a validator trying to represent the contents of a block falsely. Slashing penalties of 100% may apply.
  4. Application Related (bug or otherwise) – The amount is unknown and may manifest as scenarios 1, 2, and 3 above.

This section provides some best practices to prevent slashing based on lessons learned from previous slashes from the Polkadot network. It provides comments and guidance for all circumstances except for malicious action by the node operator.

Unresponsiveness

An offline event occurs when a validator does not produce a BLOCK or IMONLINE message within an EPOCH. Isolated offline events do not result in a slash; however, the validator would not earn any work points while offline. A slash for unresponsiveness occurs when 10% or more of the active validators are offline at the same time.

The following are recommendations to validators to avoid slashing under liveliness for servers that have historically functioned:

  • Utilize systems to host your validator instance. Systemd should be configured to auto reboot the service with a minimum 60-second delay. This configuration should aid with re-establishing the instance under isolated failures with the binary.
  • A validator instance can demonstrate un-lively behaviour if it cannot sync new blocks. This may result from insufficient disk space or a corrupt database.
  • Monitoring should be implemented that allows node operators to monitor connectivity network connectivity to the peer-to-peer port of the validator instance. Additionally, monitoring should ensure that there is a drift of less than 50 blocks between the target and best blocks. If either event produces a failure, the node operator should be notified.

The following are recommendations to validators to avoid liveliness for new servers / migrated servers:

  • Ensure that the --validator flag is used when starting the validator instance.
  • If switching keys, ensure that the correct session keys are applied.
  • If migrating using a two-server approach, ensure that you don’t switch off the original server too soon.
  • Ensure that the database on the new server is fully synchronized.
  • It is highly recommended to avoid hosting on providers that other validators may also utilize. If the provider fails, there is a probability that one or more other validators would also fail due to liveliness building to a slash.

Equivocation

Equivocation events can occur when a validator produces two or more identical blocks; in this case, it is called a BABE equivocation. Equivocation may also happen when a validator signs two or more of the identical consensus votes; in this case, it is called a GRANDPA Equivocation. Equivocations usually occur when duplicate signing keys reside on the validator host. If keys are never duplicated, the probability of an equivocation slash decreases to near 0.

The following are scenarios that build towards slashes under equivocation:

  • Cloning a server, i.e., copying all contents when migrating to new hardware, should be avoided. If an image is desired, it should be taken before keys are generated.
  • High Availability (HA) Systems – Equivocation can occur if there are any concurrent operations, either when a failed server restarts or if a false positive event results in both servers being online simultaneously. HA systems are to be treated with extreme caution and are not advised.
  • The keystore folder is copied when attempting to copy a database from one instance to another.

Note: Equivocation slashes occur with a single incident. This can happen if duplicated key stores are used for only a few seconds.

The following are advised to node operators to ensure that they obtain pristine binaries or source code and to ensure the security of their node:

  • Always download either source files or docker images from the official Root Network repository
  • Verify the hash of downloaded files.
  • Use the W3F secure validator setup or adhere to its principles
  • Ensure that essential security items are checked, including the use of a firewall, proper management of user access, and the implementation of SSH certificates.
  • Avoid using your server as a general-purpose system. Hosting a validator on your workstation or one that hosts other services increases the risk of maleficence.