Safe Head: happy case

Basic definitions and notation

We will use

S

for slots,

B

for blocks,

E

for epochs. Often times we will use

S

for the block at slot

S

abusing notation when no confusion could arise. For example, a forkchoice diagram of the form

denotes a reorg where the block in slot 13 has the block in slot 11 as parent. We will say things like The parent of

$S$ is
$T$ to mean the parent of the block in slot

S

is the block in slot

T

All our forkchoice diagrams will have time going from left to right, that is a block

T

to the right of a block

S

will correspond to a slot

T > S

For a slot

S

we will denote by

H_{S}

the canonical head during

S

. When this depends on the time withing the slot, eg. if the block has arrived or not, we will explicitly specify it.

LMD Weights
For a block

B

at slot

S

, that is a leaf of the forkchoice tree, we will write

L M D_{B} = L M D_{S}

to mean the LMD GHOST weight of the branch supporting this head. That is, in terms of the forkchoice implementation the node's weight*

For example, assuming that each node in the diagram above was voted by a single validator with 10ETH of effective balance, we would have

L M D_{14} = 50

and

L M D_{12} = 40

For two different tips at

S

and

S^{'}

with equal FFG information (that is equal justification and finalization checkpoints) we have

L M D_{S} > L M D_{S^{'}}

implies that

S

is preferred over

S^{'}

as the current canonical head. In the example above, the node at

14

would be preferred over that at

12

We will abuse notation and also use

L M D_{S}

to denote the LMD weight of a node even when it is not a tip of forkchoice. With the same assumptions as above we would have

L M D_{9} = 10

and

L M D_{13} = 40

. Recall that when a validator cast a vote, its previous vote is removed from the corresponding forkchoice node's balance and weight. Consider a chain without any forks, there are exactly 32 validators

v_{i}

i = 0, \dots, 31

with 10 ETH effective balance and each has voted sequentially, that is validator

i

voted at slot

i (32)

for each one of the blocks.

In this case, the weight of the vote at slot

1

was removed from this slot and assigned to slot

33

when validator

v_{1}

voted during epoch

1

. Then it was removed from block

33

and assigned to

65

during Epoch

2

and finally removed from

65

and assigned to

97

during epoch

3

. We see that

L M D_{97} = 320

(the total effective balance) and

L M D_{1} = 0

For a block

B

with parent

P

, we will define

B A L_{B} = L M D_{B} - L M D_{P}

. That is the total stake that voted directly for

B

and we will refer to it as the balance of
$B$ . In the first example above, the balance of every node is

10

. However, in the last example we have

B A L_{1} = B A L_{33} = B A L_{65} = 0

while

B A L_{97} = 10

More generally for a slot/block

S

and its ancestor

T

we will write

L M D_{T, S} := L M D_{S} - L M D_{T}

, that is, the relative weight of votes cast for blocks supporting

S

after

T

. In particular we have

B A L_{S} = L M D_{P, S}

. In the last example above we have

L M D_{1, 97} = 320

and

L M D_{95, 97} = 20

Safety Assumptions
Let

T o t

be the total effective balance of validators divided by 32, this is roughly the total stake attesting per slot.

We use PB to denote the proposer boost weight, currently set on mainnet to

0.4

Let

β

be percentage staked by malicious validators. We assume that

β < \frac{32 - P B}{64} ≃ 0.49 .

We assume that validators are online and attesting, this is measured below by the amount of stake of missing attestations that we will keep at a minimum (eg below 5% of the total stake).

We assume that validators are equidistributed, each committee has the same proportion of honest/dishonest validators.

Safe Head definition

Setup
Let

S_{0} \geq 32

be the current slot,

E_{0} := ⌊ \frac{S_{0}}{32} ⌋

be the current epoch. The current canonical head is

H_{0} = H (S_{0})

at slot

S_{0}

, and its parent block is

B

at slot

S_{0} - 1

We assume that

E_{0} - 1

is justified, ie. the current justified checkpoint is of the form

(Root: R, Epoch: E_{0} - 1)

Let

γ

be the total stake of attestations that could have been cast in the last 32 slots and have not been acounted for, that is, those attestations have not been seen yet either over gossip nor included in any block that is currently in forkchoice.

Let

η

be the total stake of attestations (only the last possible vote of each validator) that have been cast for non-canonical blocks.

Lemma 1. Let

T

be any ancestor of

B

, we have that

L M D_{T, B} \geq max (S_{0} - 1 - T, 32) \cdot T o t - γ - η

Proof. This is simply the fact that the maximum possible number of votes is given by

max (S_{0} - 1 - T, 32) - η

and from these votes the worst that can happen is that the attestations that weren't accounted for (ie

γ

) are given to non-canonical blocks.

QED

A simple variation of this Lemma is
Lemma 2. Let

S

be any contending block of

B

with common ancestor

T

, then

L M D_{B} - L M D_{S} \geq max (S_{0} - 1 - T, 32) \cdot T o t - γ - 2 η .

Proof. The proof is the same as Lemma 1, the only difference is the extra

η

votes that not only do not count for

B

but may count for the contending branch of

S

QED

Theorem 2. Under the above conditions, let

κ

be the highest LMD weight of any head contending with

B

or any ancestor of

B

(excluding

B

itself)

γ + κ + (2 β - 1) \cdot T o t + P B \cdot T o t \leq L M D_{B} .

the block

B

is final.

Proof. We want to prove the following. For any slot

S

, let

H (S)

be the canonical head (from the point of view of an honest validator) at

S

. Then

H (S)

is a descendant of

B

for

S \geq S_{0}

S = S_{0}

, there is nothing to prove. Let

S > S_{0}

be a slot that does not satisfy the hipothesis, that is

H (S)

does not descend from

B

. Let

C

be the slot of their common ancestor, let

H_{B}

be the best head descending from

B

at the time

S

, and let

S^{'}

be the best head on the chain of

S

at slot

S_{0} - 1

, so that we have

Here notice that

H_{B}

may not to descend from

S_{0}

and the slot of

H_{B}

is less than

S

Without loss of generality we may assume that

S

is the minimal slot with this property. This implies that

S_{0} + i

either was in the chain of

B

or was not the canonical head during

S_{0} + i

. for all

i \geq 0

such that

S_{0} + i \leq S

For simplicity of exposition, let us first make the following assumptions:

both
$S$ and
$H_{B}$ have the same justified checkpoint
$(R, E - 1)$ . In this case we must have
$L M D (S) > L M D (H_{B})$ .
All of
$C$ ,
$S$ and
$H_{B}$ are slots in the same epoch
$E$ .
There are only two viable heads at all times (that is, we have a simple fork)

For each

i = 0, . . ., S - S_{0} - 1

, honest validators voted for the block

H_{S_{0} + i}

during

S_{0} + i

, and this block is a descendant of

B

by hypothesis. Some of these votes however may have been supporting the

S

branch before, that is, any vote from an honest validator that was before

C

would have supported the branch

S

and no longer does. Honest validators votes on slots between

C + 1

and

B

however, were not supporting the chain of

S

before, and will therefore not change the difference in the LMD weight of the chain of

B

with respect to that of

S

. On the other hand, all validators that vote between slots

S_{0}

and

S - 1

are votes during epoch

E

. By our assumptions, their previous votes were cast during epoch

E - 1

, therefore before slot

C

. The votes that are added to the chain of

B

(not changing its weight) and subtracted from the chain of

S

are then

(1 - β) \cdot T o t \cdot (S - S_{0})

On the other hand, malicious validators would be voting for the contending branch of

S

, and for each vote they cast that was previously voting for the B branch, it would now count towards

S

. In the worst case scenario, every single malicious vote, shifts from the B branch to the S branch. These votes, with total weight

β \cdot T o t \cdot (S - S_{0}),

will be removed from the

B

branch and added to the LMD weight of the

S

branch (without changing its weight since they were already counted towards

S

We can assume also that all of the witheld attestations were malicious, were valid, and could be added to the

S

branch, and that also the block at

S

was timely, thus proposer boosted. This accounts for a total LMD weight for the branch of

S

at the start of its slot of at most

L M D_{H_{S}} \leq L M D_{S ´} - (1 - β) \cdot T o t \cdot (S - S_{0}) + γ + P B \cdot T o t .

On the other hand the branch supporting

B

will have weight at least

L M D_{H_{B}} \geq L M D_{B} - β \cdot T o t \cdot (S - S_{0}) .

From

L M D_{H_{S}} > L M D_{H_{B}}

it follows that

γ + L M D_{S^{'}} + (2 β - 1) \cdot T o t \cdot (S - S_{0}) + P B \cdot T o t > L M D_{B}

Since

2 β < 1

we obtain

γ + L M D_{S^{'}} + (2 β - 1) \cdot T o t + P B \cdot T o t > L M D_{B} .

We now have reduced the problem to prove that our assumptions above were not necessary. Let us first deal with the second assumption, that is that

C

S

and

H_{B}

are all in the same epoch

E

. Let us suppose first that

C

and

S_{0}

are on the same epoch

E

, but not necessarily is the case for

H_{B}

and

S

, that is, the fork is long enough to cross epoch boundaries but the common ancestor is close to the block

B

which we want to prove is final. Notice that for each slot during epoch

E

and after slot

S_{0}

, the difference of LMD weight between the tip of the chain supporting

B

and the chain supporting

S

increases by an amount of

(1 - 2 β) \cdot T o t > 0

. Since

E - 1

was justified, and all votes during

E

are for the same target, when crossing the epoch boundary to

E + 1

we have that the justification of the

B

chain is at least the justification of the

S

chain, that is

H_{B} . justified_checkpoint.Epoch \geq H_{S} . justified_checkpoint.Epoch

This is because

β < 0.5

and honest validators are attesting on the

B

chain. It follows that honest validators will continue voting during

E + 1

on the

B

chain, while malicious validators can continue voting on the

S

chain. At the start of epoch

E + 1

, the difference on LMD weights of both chains has increased by

(1 - 2 β) \cdot T o t \cdot (32 (E + 1) - S_{0})

(accounting for the slots between the

S_{0}

and the start of

E + 1

During

E + 1

, validators that had voted up to slot

C

during

E

will account for a difference in LMD weights of

(1 - 2 β) \cdot T o t \cdot (C + 1 - 32 E)

Malicious validators that had voted during

E

on the chain supporting

B

, that is between the slots

C + 1

and

S_{0} - 1

, can shift their vote during

E + 1

to the chain of

S

, these will increase the weight on

S

and decrease it from

B

, the maximum difference caused by these is

2 β \cdot T \cdot (S_{0} - 1 - C)

It follows that during a slot

S

in epoch

E + 1

we have

L M D_{H_{B}} - L M D_{S}

is at least

L M D_{B} - L M D_{S^{'}} + (1 - 2 β) \cdot T o t \cdot (33 + C - S_{0}) - 2 β \cdot T o t \cdot (S_{0} - 1 - C)

By Lemma 2 we have

L M D_{B} - L M D_{S^{'}} \geq (S_{0} - 1 - C) \cdot T o t - γ - 2 η .

From where we obtain that during epoch

E + 1

we have

L M D_{H_{B}} - L M D_{S} \geq 32 (1 - 2 β) \cdot T o t - P B \cdot T o t - 2 γ - 2 η

where we have added another

γ

terms of withdeld votes that counted for the

S

branch and proposer boost to the last block produced by the malicious branch. We see that the RHS is positive if

2 (γ + η) < (32 (1 - 2 β) - P B) \cdot T o t,

which is guaranteed by our assumptions on

β

If the slot

S

is in an epoch higher than

E + 1

, the situation does not change, since malicious validators have already been accounted for the branch

S

and honest validators for the branch

B

, thus the LMD difference will continue to increase, and the same argument can be applied for justification.

Safe Head: happy case

Basic definitions and notation

Safe Head definition

Read more

ePBS: the case for Glamsterdam

The case for EIP-7732 in Fusaka

The handwavy case for EIP 7732

Validator performance tracking