GP007: Hybrid Consensus

Summary:

Proposal GP007 seeks to further the Zilliqa network’s commitment to security and decentralisation by proposing the incorporation of Staked Seed Nodes (SSNs) into the consensus mechanism. A robust hybrid consensus can enhance security, limit the dominance of larger mining pools and foster greater decentralisation across the network. The proposed changes will initially be voluntary, but the eventual aim of the proposal is to make the participation of SSN’s in the consensus process mandatory.

Abstract:

We proposed to find a role for SSNs by allowing them to help secure the network.

Specification:

Given the recent shifts in the Ethash mining landscape and the anticipated transition of Zilliqa to a Proof of Stake (PoS) network with Zilliqa 2.0, it’s pivotal to ensure that our consensus mechanism remains resilient against centralisation threats while preparing for the future PoS framework.

ZIP-22 introduces the concept of forming mixed validator committees comprising both mining nodes and SSNs. This proposed hybrid consensus seeks to further diversify the network’s validation process, strengthening its decentralisation and security.

It’s crucial to ensure that while we integrate SSNs into the committee, we maintain a balance. By including SSNs that meet the required minimum stake, we believe we can ensure a fair representation and uphold the integrity of our consensus mechanism.

The pBFT commit rule, which necessitates over 2/3 of the committee members to reach consensus on a block, will be supplemented with a stake-weighted voting system. This addition requires consensus to not only be based on the number of nodes but also on the stake they hold, further ensuring that a single entity or group cannot dominate the consensus process.

Recognising the added value SSNs bring to the consensus mechanism, this proposal introduces a graduated rewards system. This initiative not only incentivises participation but also ensures that nodes that actively contribute to the consensus are fairly rewarded.

The hybrid consensus mechanism proposed offers a blend of the best attributes from different consensus types, promising heightened security, balanced decentralisation and active stakeholder participation, while laying the foundation for a smooth transition to Zilliqa 2.0:.

Enhanced Decentralisation: The hybrid approach proposed aims to dilute the dominance of the largest mining pools in the DS committee, ensuring a balanced and decentralised consensus process.

Future-Proofing Zilliqa 2.0: With SSNs acting as the torchbearers for the future PoS validators, this transition will allow for a smoother shift to Zilliqa 2.0 while ensuring network stability.

Motivating Active Participation: By tying staking rewards to active contributions, we can motivate SSNs to play an active role in the consensus mechanism, boosting the overall security and robustness of the network.

With the upcoming transition to Zilliqa 2.0, the integration of Staked Seed Nodes (SSNs) into a new consensus mechanism represents a timely and strategic move. This hybrid approach paves the way for a more balanced and democratic consensus process, mitigating the dominance of larger players and encouraging active stakeholder participation.

Just to say that until they are merged, you can find the two new ZIPs - 22 and 23 - in Add ZIP-22 (hybrid consensus) and ZIP-23 (desharding) by rrw-zilliqa · Pull Request #70 · Zilliqa/ZIP · GitHub

What share of DS committee is going to managed by SSN?

There are details in ZIP-22 and ZIP-23; DS blocks will be validated by both the miners and the SSNs - both have to agree for a block to be accepted.

Thanks, found it. Is it correct to say that each SSN node equals 1 spot in DS Committee if stake is > 10m ZIL?

Not quite - votes of the SSNs are weighted by stake, not by number, so more than 2/3 of the staked ZIL
(that is prepared to vote - but we intend to make that virtually all the staked ZIL ASAP) needs to vote yes for a block to pass.

Ah, okay

Currently, the pBFT commit rule requires more than 2/3 of the committee members to agree on a proposed block. This rule will be extended with a second condition (stake-weighted voting). In addition to the first condition, the second condition requires that more than 2/3 of the stake held by the committe must agree on the same block.

You introduce a second condition of consensus which is actually a very nice idea. In regards of:

Not quite - votes of the SSNs are weighted by stake, not by number, so more than 2/3 of the staked ZIL(that is prepared to vote - but we intend to make that virtually all the staked ZIL ASAP) needs to vote yes for a block to pass.

Requiring virtuall all the staked ZIL to vote on a proposed block enables an attack vector to DDoS the blockchain and halt all processing of the transactions by just voting against each next block. PoS does not work without penalties. Even 1/3(Top 2 nodes) of the stake can collude and stop the blockchain just for fun because there is virtually no penalty. Or think of more probable case when both nodes are hosted in the same DC and it goes down for couple hours — the blockchain would not be able to proceed.

I suggest to add penalties for Staking nodes. Otherwise there is a temination state of the blockchain where blocks can’t be processed at all and there is no way to get out of it — no way to kick out malicious node from the consensus.

I agree with you @vp_ezil regarding the PoS validator penalties and as I mentioned in https://github.com/Zilliqa/ZIP/blob/master/zips/zip-22.md#future-work, we’re already working on a model for Zilliqa 2.0

@zf007, great that we’re on the same page. Then it’s too risky to start running PoS alongside with PoW while you’re working on penalties model. It does not improve mentioned security and introduces new risks for the protocol. In order to start onboarding staking node operators, I suggest a transition period when staking nodes are validating blocks but their votes are not considered when a new block is confirmed. Such approach enables building staking nodes community.

If SSNs fail to fulfill their duties in the hybrid consensus, they can be removed from the committee as proposed in GP009: Minor updates to SSNs. It’s not riskier than having penalties/slashing that reduce the culprits’ weight in the PoS consensus.

@zf007
Such mechanism requires more details:

1. How malicious staking nodes can be removed if blockchain does not produce any blocks?
2. How do you know that staking nodes are actually malicious?
3. Is DS consensus having power over staking consensus?

It’s not a matter of being malicious. One can detect faulty nodes by the signatures they fail to deliver during consensus. SSNs that do not provide a signature before the timeout, preventing block production, are excluded from the committee until the end of the DS epoch. Consequently, they don’t receive any rewards during the time of their exclusion, which is a kind of penalty.

Thanks for explanation, then liveness is not at the risk now. The question that remains on the table is what would happen if DS committee disagrees with Staking nodes?

This proposal has been up for > 3 days and has 25 votes for and none against, so I’ve created an official poll at:
https://governance.zilliqa.com/#/gzil/proposal/QmSLRvp8s3yphvbvFrknfwrz6NUDQpSPggbgeUgYqsbErh

please vote!