Settings

Simplified Active Validator Cap and Rotation Proposal

The goal of this proposal is to cap the active validator set to some fixed value (eg. 219 validators) while at the same time ensuring (i) an economic finality guarantee where close to 1/3 of the cap must be slashed to finalize two conflicting blocks, (ii) low long-term variance in validator income and (iii) maximum simplicity.

Constants

Constant Value Notes
MAX_VALIDATOR_COUNT 2**19 (= 524,288) ~16.7M ETH
ROTATION_RATE 2**6 (= 64) Up to 1.56% per epoch
FINALIZED_EPOCH_VECTOR_LENGTH 2**16 (= 65,536) 32 eeks ~= 291 days
FINALITY_LOOKBACK 2**3 (= 8) Measured in epochs

Definition of get_awake_validator_indices and helpers

get_awake_validator_indices returns a subset of get_active_validator_indices. The function and helpers required for it are defined as follows.

state.is_epoch_finalized is a new BeaconState member value of type BitList[FINALIZED_EPOCH_VECTOR_LENGTH]. We add to the weigh_justification_and_finalization function the lines:

When state.finalized_checkpoint is updated to new_checkpoint, we update:

current_epoch_position = get_current_epoch(state) % FINALIZED_EPOCH_VECTOR_LENGTH
state.is_epoch_finalized[current_epoch_position] = False
# In all cases where we do `state.finalized_checkpoint = new_checkpoint`
new_finalized_epoch_position = new_checkpoint.epoch % FINALIZED_EPOCH_VECTOR_LENGTH
state.is_epoch_finalized[new_finalized_epoch_position] = True

We now define helpers.

First, the “was this epoch finalized?” helper:

def did_epoch_finalize(state: BeaconState, epoch: Epoch) -> bool:
    assert epoch < get_current_epoch(state)
    assert epoch + FINALIZED_EPOCH_VECTOR_LENGTH > get_current_epoch(state)
    return state.is_epoch_finalized[epoch % FINALIZED_EPOCH_VECTOR_LENGTH]

This next function outputs a set of validators that get slept in a given epoch (the output is nonempty only if the epoch has been finalized). Note that we use the finality bit of epoch N and the active validator set of epoch N+8; this ensures that by the time the active validator set that will be taken offline is known there is no way to affect finality.

def get_slept_validators(state: BeaconState,
                         epoch: Epoch) -> Set[ValidatorIndex]:
    assert get_current_epoch(state) >= epoch + MAX_SEED_LOOKAHEAD * 2
    active_validators = get_active_validators(state, epoch + FINALITY_LOOKBACK)
    if len(active_validators) >= MAX_VALIDATOR_COUNT:
        excess_validators = len(active_validators) - MAX_VALIDATOR_COUNT
    else:
        excess_validators = 0
    if did_epoch_finalize(state, epoch):
        seed = get_seed(state, epoch, DOMAIN_BEACON_ATTESTER)
        validator_count = len(active_validators)
        return set(
            active_validators[compute_shuffled_index(i, validator_count, seed)]
            for i in range(len(excess_validators // ROTATION_RATE))
        )
    else:
        return set()

This next function outputs the currently awake validators. The idea is that a validator is awake if they have not been slept in one of the last ROTATION_RATE finalized epochs.

def get_awake_validator_indices(state: BeaconState,
                                epoch: Epoch) -> Set[ValidatorIndex]:
    o = set()
    finalized_epochs_counted = 0
    search_start = FINALITY_LOOKBACK
    search_end = min(epoch + 1, FINALIZED_EPOCH_VECTOR_LENGTH)
    for step in range(search_start, search_end):
        check_epoch = epoch - step
        if did_epoch_finalize(check_epoch):
            o = o.union(get_slept_validators(state, finalized_epoch))
            finalized_epochs_counted += 1
            if finalized_epochs_counted == ROTATION_RATE:
                break            
    return [v for v in get_active_validator_indices(state, epoch) if v not in o]

The intention is that get_awake_validator_indices contains at most roughly MAX_VALIDATOR_COUNT validators (possibly slightly more at certain times, but it equilibrates toward that limit), and it changes by at most 1/ROTATION_RATE per finalized epoch. The restriction to finalized epochs ensures that two conflicting finalized blocks can only differ by at most an extra 1/ROTATION_RATE as a result of this mechanism (it can also be viewed as an implementation of the dynasty mechanism from the original Casper FFG paper).

Protocol changes

All existing references to get_active_validator_indices are replaced with get_awake_validator_indices. Specifically, only awake indices are shuffled and put into any committee or proposer selection algorithm. Rewards and non-slashing penalties for non-awake active validators should equal 0. Non-aware active validators should still be vulnerable to slashing.

Economic effects

Last changed by  
vbuterin
1119

Read more

Verkle tree integration

Simple Summary Introduce a new Verkle state tree alongside the existing hexary Patricia tree. After the hard fork, the Verkle tree stores all edits to state and a copy of all accessed state, and the hexary Patricia tree can no longer be modified. This is a first step in a multi-phase transition to Ethereum exclusively relying on Verkle trees to store execution state. Motivation Verkle trees solve the key problem standing in the way of Ethereum being stateless-client-friendly: witness sizes. A witness accessing an account in today's hexary Patricia tree is, in the average case, close to 3 kB, and in the worst case it may be three times larger. Assuming a worst case of 6000 accesses per block (15m gas / 2500 gas per access), this corresponds to a witness size of ~18 MB, which is too large to safely broadcast through a p2p network within a 12-second slot. Verkle trees reduce witness sizes to ~200 bytes per account in the average case, allowing stateless client witnesses to be acceptably small. Specification Verkle tree definition We define a Verkle tree here by providing the function to compute the root commitment given a set of 32-byte keys and 32-byte values. Algorithms for updating and inserting values are up to the implementer; the only requirement is that the root commitment after the update must continue to match the value computed from this specification. We will then define an embedding that provides the 32-byte key at which any particular piece of state information (account headers, code, storage) should be stored.

Nov 24, 2022
Paths toward single-slot finality

Special thanks to Justin Drake, Dankrad Feist, Alex Obadia, Hasu, Anders Elowsson and miscellaneous hackmd anons for feedback and review of various versions of this post. Today, Ethereum blocks take 64-95 slots (~15 minutes) to finalize. This was justified as picking a compromise position on the decentralization / finality time / overhead tradeoff curve: 15 minutes is not too long and it's comparable to existing exchanges' confirmation times, it allows users to run nodes on regular computers, even with the large number of validators arising from a deposit size of 32 ETH (as opposed to the earlier value of 1500 ETH). However, there are a lot of good arguments for decreasing the finality time to a single slot. This is a state-of-research post reviewing the roadmap for how to do so. How and why Ethereum staking works today Ethereum's LMD GHOST + Casper FFG consensus is a compromise between the two major styles of consensus popular in proof of stake blockchains: Chain-based consensus, where one message (the block) is produced during each slot (a pre-determined interval of time, eg. 12 seconds in Ethereum). Chain-based consensus maximizes the number of participants and minimizes chain load, but easily forks and does not have any notion of finality. Traditional BFT consensus, where each validator makes two messages ("attestations") per slot in addition to one validator making a block, and one slot's block gets irreversibly "finalized" before the next slot begins. Traditional BFT consensus minimizes time to finality, but at the cost of high chain load and only supporting a small number of participants.

Oct 20, 2022
The road to account abstraction

Account abstraction allows us to use smart contract logic to specify not just the effects of the transaction, but also the fee payment and validation logic. This allows many important security benefits, such as multisig and smart recovery wallets, being able to change keys without changing wallets, and quantum-safety. Many approaches to account abstraction have been proposed and implemented to various degrees, see: EIP-86, EIP-2938, and this doc from two years ago. Today, development on EIPs is stalled due to a desire to focus on the merge and sharding, but an alternative that does not require any consensus changes has seen great progress: ERC-4337. ERC-4337 attempts to do the same thing that EIP-2938 does, but through extra-protocol means. Users are expected to send off-chain messages called user operations, which get collected and packaged in bulk into a single transaction by either the block proposer or a builder producing bundles for block proposers. The proposer or builder is responsible for filtering the operations to ensure that they only accept operations that pay fees. There is a separate mempool for user operations, and nodes connected to this mempool do ERC-4337-specific validations to ensure that a user operation is guaranteed to pay fees before forwarding it. ERC-4337 can do a lot as a purely voluntary ERC. However, there are a few key areas where it is weaker than a truly in-protocol solution: Existing users cannot upgrade without moving all their assets and activity to a new account Extra gas overhead (~42k for a basic UserOperation compared to ~21k for a basic transaction)

Oct 1, 2022
Proposals to adjust memory gas costs

Currently, we limit the memory consumption of the EVM in two ways: a quadratic memory expansion cost and a de-facto call stack depth limit enforced with the EIP-150 "63/64 rule". These mechanisms are reasonably effective at their desired goal, but are both needlessly complicated and inefficient, punishing regular users too much and DoS attackers too little. This post proposes some alternative designs that better meet the key goal of limiting EVM memory usage. How does memory gas pricing work today? Quadratic memory expansion cost Extending memory in a callframe to $L$ chunks (so, $L * 32$ bytes) requires paying $\lfloor \frac{L^2}{512} \rfloor + 3L$ gas. This is charged in real time. For example, if memory is currently 16 chunks long, and a MSTORE op fills bytes 682...713, then memory is extended to 23 chunks, and $(\lfloor \frac{23^2}{512} \rfloor + 3 * 23) - (\lfloor \frac{16^2}{512} \rfloor + 3 * 16) =$ $(1 + 69) - (0 + 48) = 22$ extra memory expansion gas is charged. See implementation here. Note that this is on a per-call-frame basis: if a call makes a child call, memory in the child call is initialized as empty and pricing for it starts from zero.

Jul 30, 2022
Read more from vbuterin
Published on HackMD