# Electra Weak Subjectivity Calculations _Special thanks to Mikhail Kalinin and Justin Traglia for correcting several mistakes._ The __Weak Subjectivity Period (WSP)__ is the period of time a node can stop observing the chain for and when they return not be tricked by an adversary as to who is and isn't a validator. To execute a weak subjectivity attack, an attacker creates two diverging chains starting the moment the chain was last observed such that a minimal amount of their attacking balance needs to equivocate (and be slashed) in order for the attack to succeed. When a node is following the chain and is thus fully aware of all validator balances, the minimum amount of balance that needs to equivocate and be slashed is $\frac 1 3$ of the total active balance. As two divergent chains each need $\frac 2 3$ of the balance to finalize an epoch and the minimum intersection of $\frac 2 3$ and $\frac 2 3$ of the same set is $\frac 1 3$. The WSP is parameterized by the __Decay Parameter__ $D, \; \left(0<D<\frac 1 3 \right)$, which determines by how much we're willing to weaken the normal $\frac 1 3$ slashing guarentee for nodes that stop viewing the chain for the duration of the WSP. A typical value would be $D=10\%$, which means that if a node goes offline for the duration of the WSP, an attacker would have to equivocate with $\frac 1 3 - 10\% \approx 23\%$ of the total active balance in order to convince the returning node that a different chain to the canonical one is true. ## How the attack works At the moment the WSP starts (ie. a node stops observing the network), an attacker creates two chains, one public fork (___Chain A___) which is the canonical chain that online nodes follow and another private one (___Chain B___). When the offline node returns, the attacker reveals _Chain B_ to that node which is deceived into believing this is canonical as it is believable given what they knew about validator balances when they were last online and plausible changes since then. This requires the attacker to equivocate with some of their balance by voting on both _Chain A_ and _Chain B_ with the same validators for which they will likely be slashed. An attacker minimizes the amount of balance that needs to equivocate by making sure that the intersection between validators on _Chain A_ and _Chain B_ is as small as possible. They do this by activating new validators on _Chain A_ which aren't on _Chain B_ while simultaneously activating new validators on _Chain B_ which aren't on _Chain A_. They simultaneously do the same but with exiting validators. The per-epoch rate at which new validators can enter the chain is bounded by `get_balance_churn_limit(state)`, measured in `gwei`, which we will call $\delta$. The same limit applies to exits. Therefore _Chain A_ can activate $\delta$ new validators while simultaneously exiting $\delta$ validators, resulting in a total chainge of $2\delta$. _Chain B_ does the same, but with different validators, and therefore they diverge from one-another at a rate of $2\delta + 2\delta = 4\delta$ per epoch. ## The Math Let $\delta$ be the per epoch churn limit (in `gwei`) Let $n$ represent the number of epochs since the start of the WSP Let $\sigma_n$ be the total active balance after $n$ epochs Thus, $\sigma_0$ is the total active balance when the WSP begins At the start of an attack ($n=0$), the slashable balance is $\frac 1 3 \sigma_0$. As explained above, the attacker reduces the size of the intersecting balance by $4\delta$ per epoch and therefore after $n$ epochs, the slashable balance is: $$ \begin{align*} \text{slashable balance}\; & = \frac 1 3 \sigma_0 - \underbrace{2n\delta}_{\text{Chain A}} - \underbrace{2n\delta}_{\text{Chain B}} \\ \text{slashable balance}\; & = \frac 1 3 \sigma_0 - 4n\delta \end{align*} $$ By definition, a node is inside the WSP iff at least $\frac 1 3 - D$ fraction of the total staked balance is slashable. Thus, we require that: $$ \require{cancel} \begin{align*} \text{WSP threshold balance} & < \text{slashable balance} \\ \sigma_0 \left( \frac 1 3 - D \right) & < \frac 1 3 \sigma_0 -4n\delta \\ \cancel{\frac 1 3 \sigma_0} - \sigma_0 D & < \cancel{\frac 1 3 \sigma_0} -4n\delta \\ 4n\delta & < \sigma_0 D \\ n & < \frac{\sigma_0 D}{4\delta} \end{align*} $$ ## Appendix: Consolidations vs Activations and Exits In terms of the divergence capable with consolidations, consolidating balance $b$ into $a$ results in a total change to the validator set of $2b$. It counts twice as the set of validator balances changes by $b$ first by going from $V = \{ a, b, \dots \}$ to $V^\prime = \{ a, 0, \dots \}$ and again by $b$ when going to $V^{\prime\prime} = \{ a+b, 0, \dots \}$. Therefore, for the purposes of the WSP a consolidation can be modeled as both an activation and an exit at the same time and is bound by the same churn rate, $\delta$. Thus, consolidations on each chain change the set of balances by $2\delta$. The `consensus_specs` enforce that the sum of the churn due to activations, exits, and consolidations be less than or equal to $\delta$, the above WSP limit calculations suffice to capture the effects of both.
Last changed by  
Carl Beekhuizen
38

Read more

RFC (from L2s) on BLS Subgroup checks

The L1 core devs are having discussions around subgroup checks for the BLS precompiles scheduled to be included via EIP-2537 in the Pectra upgrade. The issue is including a subgroup check into the MSM doing so means that we largely loose the sub-linear benefits of the MSM as the sub-group checks start to be a large component of the total computation. That said, they do have to be done at some point for every input, so the question is whether it is worth building them into the pre-compile to avoid having a foot-gun or whether they would be used in a way where the costs of doing the subgroup checks on every MSM (even if already verified) is not worth it. Proposals Some of the ideas proposed are: a. Just have the subgroup check be included b. have a flag to disable the check as a part of the precompile c. have two separate precompiles, one with and one without the check d. no subgroup checks, and we ask devs to be very careful

10/23/2024
RollCall #6 Summary

Details Recording: https://youtu.be/k-7z6lgleLw Agenda: https://github.com/ethereum/pm/issues/1071 L1 Blob Basefee spike event on June 20: Breif overview of the spike and the fixes coming up in the Pectra upgrade Discussion about the posibility of have the target blob basefee be something other than the max basefee//2 (as per the discussions in PeerDAS Breakout Room #3)

7/10/2024
Contributing to the KZG Ceremony using an air-gapped machine

🚨🚨Steps 0 and 1 should be done well ahead of your contribution slot🚨🚨 This document will guide you through the process of contributing to the KZG Ceremony using Ignacio Hagopian's go-kzg-ceremony-client on an air-gapped computer. Step 0: Check your slot has been scheduled correctly for your address: Verify that your Ethereum address that you will use to contribute is included in the scheduled slots and that the date (in UTC - convert to your timezone here) is correct: [{"address":"0xcab81f14a3fc98034a05bab30f8d0e53e978c833","nonce":"0x4000","start_time":"2023-04-14T12:00:00Z","end_time":"2023-04-14T16:00:00Z"}, {"address":"0x32262672c6d1b814019f4ca4e2fc53285a919704","nonce":"0x4000","start_time":"2023-04-14T12:00:00Z","end_time":"2023-04-14T16:00:00Z"}, {"address":"0x051f77131b0ea6d149608021E06c7206317782CC","nonce":"0x4000","start_time":"2023-04-09T08:00:00Z","end_time":"2023-04-09T12:00:00Z"},

4/14/2023
KZG Summoning Ceremony Timeline

subject to change gantt title Timeline dateFormat YYYY-MM-DD axisFormat %m-%y section Dev Crypto Dev :2022-05-17, 2022-08-15 Crypto Audit Fixes :2022-08-29, 1w

1/16/2023
Read more from Carl Beekhuizen
Published on HackMD