To quote `serai/substrate/runtime/src/wasm/mod.rs` (lines 223 to 237 at e962cf4):

> If this contains a slash for a Serai validator, check its integrity.
>
> This is awkward. `serai-validator-sets-pallet` never sees this `reason` and is accordingly unable to validate it. This is intentional as the reason is explicitly intended to be not part of the codified protocol. The only requirement for acceptance on-chain is intended to be that it's included in a block a supermajority of validators agreed on (and finalized).
>
> At the same time however, for matters of feasibility, as of now, it _is_ codified within the Serai protocol here, in this very spot. We treat it as an inherent transaction, being checked when the block's execution begins, but also as an unsigned transaction, propagating it across mempools and checking it when it enters the mempool.
>
> Ideally, in the future, this is moved entirely into the node. For now, as it is present in the runtime, it likely would have been better to make use of the `ValidateUnsigned` within `serai-validator-sets-pallet`.
This isn't fundamentally broken. It's a poor design which codifies something into the protocol which isn't intended to be, and technically limits the power of slashes, as slashes are not issued by a supermajority (as intended) but rather per literal evidence. While that enables them to act as unsigned transactions, being propagated and accepted into mempools, it doesn't allow a supermajority of validators with cause but without a pre-defined instance of evidence (a BABE or GRANDPA equivocation proof) to perform a slash.

Unfortunately, correcting this is non-trivial, as we do have to codify competent mempool acceptance rules and logic around the inherents themselves. This can be done in the future without becoming incompatible with the current protocol (so long as no such slashes with not-currently-defined evidence are attempted, as that would cause a split between those who don't understand them and those who widened their parameters), so it has been deferred; it's just annoying and something we still have to track and be mindful of.
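The following is an added, stand-alone Rust sketch written for this page; it is not Serai's code and uses no FRAME types. It models the two checkpoints the quoted comment describes (the unsigned path at mempool entry and the inherent path when block execution begins) sharing one set of evidence rules, and shows the split described above: a node that widens its accepted evidence to a hypothetical attestation-backed slash accepts a block that an unchanged node rejects. `Node`, `Evidence::Attestations`, the `validator_count` field and all sample values are assumptions made for the illustration.

```rust
// Added illustration, not Serai's code. `Node`, the `Attestations` evidence kind
// and the validator-set sizes below are assumptions made for this sketch.

/// Evidence backing a slash. The equivocation variants stand in for the
/// pre-defined proofs the issue mentions; `Attestations` is a hypothetical
/// future kind where a supermajority vouches for the slash with no proof.
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum Evidence {
    BabeEquivocation { slot: u64, first_block: [u8; 32], second_block: [u8; 32] },
    GrandpaEquivocation { round: u64, first_vote: [u8; 32], second_vote: [u8; 32] },
    Attestations { attesting_validators: Vec<u16> },
}

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct SlashReport {
    pub validator: u16,
    pub evidence: Evidence,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    Valid,
    Invalid(&'static str),
}

/// One node's validation parameters. `understands_attestations` is the
/// "widened parameters" knob from the issue; `validator_count` sizes the
/// supermajority (hypothetical, for the sketch).
pub struct Node {
    pub validator_count: usize,
    pub understands_attestations: bool,
}

impl Node {
    /// Integrity check on the evidence itself: the logic a `ValidateUnsigned`
    /// implementation would run before admitting the report to the mempool.
    pub fn validate_unsigned(&self, report: &SlashReport) -> Verdict {
        if usize::from(report.validator) >= self.validator_count {
            return Verdict::Invalid("slashed validator is not in the set");
        }
        match &report.evidence {
            Evidence::BabeEquivocation { first_block, second_block, .. } => {
                if first_block == second_block {
                    Verdict::Invalid("babe: one block presented twice is not an equivocation")
                } else {
                    Verdict::Valid
                }
            }
            Evidence::GrandpaEquivocation { first_vote, second_vote, .. } => {
                if first_vote == second_vote {
                    Verdict::Invalid("grandpa: one vote presented twice is not an equivocation")
                } else {
                    Verdict::Valid
                }
            }
            Evidence::Attestations { attesting_validators } => {
                if !self.understands_attestations {
                    // An unchanged node has no rule for this kind, so it rejects.
                    return Verdict::Invalid("evidence kind not recognised by this node");
                }
                let mut unique = attesting_validators.clone();
                unique.sort_unstable();
                unique.dedup();
                if unique.iter().any(|v| usize::from(*v) >= self.validator_count) {
                    return Verdict::Invalid("attester is not in the validator set");
                }
                // Supermajority: strictly more than two thirds of the set.
                if unique.len() * 3 > self.validator_count * 2 {
                    Verdict::Valid
                } else {
                    Verdict::Invalid("attestations below supermajority")
                }
            }
        }
    }

    /// The inherent path: the same rules applied again when block execution
    /// begins. A block carrying a report this node cannot validate is rejected
    /// whole, which is how a difference in accepted evidence becomes a chain split.
    pub fn check_inherents(&self, block: &[SlashReport]) -> Result<(), &'static str> {
        for report in block {
            if let Verdict::Invalid(why) = self.validate_unsigned(report) {
                return Err(why);
            }
        }
        Ok(())
    }
}

/// Returns (unchanged_node_accepts, widened_node_accepts) for a block whose only
/// slash is backed by attestations from 7 of 10 validators. Differing answers
/// mean the two nodes fork on that block.
pub fn attestation_slash_splits_nodes() -> (bool, bool) {
    let unchanged = Node { validator_count: 10, understands_attestations: false };
    let widened = Node { validator_count: 10, understands_attestations: true };
    let block = vec![SlashReport {
        validator: 3,
        evidence: Evidence::Attestations { attesting_validators: vec![0, 1, 2, 4, 5, 6, 7] },
    }];
    (unchanged.check_inherents(&block).is_ok(), widened.check_inherents(&block).is_ok())
}

fn main() {
    let (unchanged, widened) = attestation_slash_splits_nodes();
    println!("unchanged node accepts block: {unchanged}, widened node accepts block: {widened}");
}
```

Both nodes agree on equivocation proofs because those rules exist in both; they disagree only once one side admits an evidence kind the other has no rule for, which is the compatibility condition the issue attaches to deferring the fix.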