Aligning epochs and payment cycles
Closed this issue · 1 comments
Right now, epochs (defined by the Darknode Registry contract) are not aligned with payment cycles (defined by the Darknode Payment contract): epochs are approximately one day, and payment cycles are approximately one month.
The Ren dev team believes that it is necessary to align these two. This would mean extending the epoch to be the same as the payment cycle (4 weeks). This post aims to explain the motivations and the changes required.
Motivation
As long as a Darknode can affect the safety/liveliness of RenVM (i.e. it has a share of an active distributed pubkey) it needs to be able to be slashed for misbehaviour. Currently, with epochs set to 24 hours, this means that a Darknode can misbehave, submit a request to de-register immediately, and then after only 2-3 days have no risk of being punished. This worked in the past for previous versions of the protocol, but we believe it is no longer sufficient because it has two key problems:
- A distributed pubkey can only last on the order of days, because afterwards there can be no guarantee that a Darknode with a share of an active distributed pubkey is actually registered (and punishable).
- Malicious behaviour might be noticeable in 2-3 days, but, if punishing that behaviour requires bug fixes or patches to the protocol, then there is no chance to achieve this in 2-3 days.
Extending the epoch to 4 weeks alleviates these concerns. It would be possible for distributed pubkeys to last on the order of weeks (while we may not want it to last this long, it gives us plenty of room to work with, since changing the distributed pubkey everyday is probably too frequent).
Changes
This would have no effect on registration, since whitelisting registrations happens at the pace of payment cycles anyway. However, we could simplify the Darknode Registry and Darknode Payment contract implementations to remove the concept of whitelisting.
De-registration will take longer than 48-72 hours. After submitting a request to deregister, a Darknode would still be expected to actively participate until the end of the current epoch. Additionally, they would be expected to be online for the next epoch to handle any left over requests but will not be included in any new set of signatories (in practice, de-registered Darknodes can go offline after the distributed pubkey is rebased to a new set of signatories, and this usually takes a couple of minutes). In the next epoch, the Darknode is not expected to be online, but the REN bond should remain locked up. In the next epoch, the Darknode owner can now withdraw the bond and the de-registration process is complete.
In total, de-registration would take 12 weeks. This is comparable to the de-registration time of other networks, so we do not believe it is unreasonable.
See renproject/darknode-sol#73 for implementation.