Links

Validators & Auctions (SSOD)

Validators are Chainflip State Chain blockchain nodes. Anyone can run the validator software and move their validator through different states based on the outcome of Auctions.
Possible Validator/State Chain Client States

What the Validators Do and Why It’s Important

At any given time, Chainflip is secured by up to 150 Validator nodes forming the Authority Set. These nodes collectively secure the state of the Chainflip internal chain (called the State Chain), as well as the capital in the system (Liquidity) provided by Liquidity Providers. In return for this, Validators earn a reward from emissions.
The Validator network makes up the key infrastructure of Chainflip. Validators regulate: block production by consensus; all ingress; all egress; all of the swapping logic; all of the witnessing logic; all of the staking; all of the emissions and rewards; and all of the network upgrades.
That’s a lot of responsibility. Economic security is paramount in Chainflip, as the vaults depend on an honest superminority of Validators to remain secure. The greater the number of Validators, the safer the system is from collusion.
Why Not Have One Million Nodes?
On the flipside, more Validators means worse scaling. The MPC and threshold signature schemes employed scale progressively worse with every signatory that gets added. A 1000 node signing set compared to a 100 node signing set is much more than an order of magnitude slower when producing signatures. With Taproot now running on Bitcoin, we can eliminate support for GG20, which greatly improves scaling possibilities, and therefore the potential node count and networks that can be supported. However, there are still limitations that must be considered.
Like all other decentralised projects, a tradeoff must be made between decentralisation and scalability. Chainflip’s Validator count at launch will be 150. This may increase over time with improvements to threshold schemes, but in the meantime, we’re presented with a challenging economics question to answer: how should these Validator slots be allocated in a permissionless system?

What is the Validator Auction?

The Validator Auction is a rolling 14-day Auction, whereby the highest 150 bidders at the end of each Auction are selected as the Validators for the next 14 days (1 Epoch). The price of a slot (the Minimum Active Bid) is thus the lowest bid out of the highest 150 bids.
Validators will place their bids on the Ethereum network with the ERC20 token FLIP. These bids are recorded by the current Validators via the witnessing process.
Bidding is a passive process, with Validators encouraged to lock the maximum they’re willing to pay for the slot with a single transaction.
If a Validator’s bid is higher than or equal to the Minimum Active Bid at the conclusion of an Auction, that Validator is then (assuming the key creation ceremonies go well) a part of the Authority Set for the next Epoch. Any bid amounts locked beyond the Minimum Active Bid at the conclusion of an Auction can be withdrawn by the bidder.
If a Validator’s bid is lower than the Minimum Active Bid, their entire balance is redeemable after the Auction concludes.
In either case, any amounts not removed by the bidder will be considered as an implicit bid in the next Auction, including any rewards the Validator has earned from their node. This still means that current Validators might have to top up their bid between auctions to keep their slot, but if it’s high enough, do not need to do anything extra in each auction cycle.

How much $FLIP will I need?

Given that the network is not live, it is impossible to answer this question with any finality. The prices of slots will also change from Auction to Auction, and thus there will never be a definitive answer.
Chainflip leaves any speculation about the amount of $FLIP necessary for a Validator slot up to the reader. There will be 150 slots initially, and 90m tokens at TGE, and you can use those figures as a starting point to estimate the cost of a slot. If you expect 10% of tokens to be locked, then you’d expect it would be 10% of 90m $FLIP/150 slots. If you expect 50% to be locked, then of course that figure goes up a lot. This is covered in more detail in our Token Economics section, which will be deployed in the future.

Can I delegate my $FLIP to another Validator?

No. The reason for this is that it removes the necessity for Validator node operators themselves to have a stake in the FLIP network. This makes their own risk for attempting malicious cooperation much lower, as they’re gambling with other people’s stake and not their own.
It may be possible to provide other lockup incentives for $FLIP in the future, but delegated staking for Validators will likely remain out of the question.

The Auction System: Allocating Validator Slots

There’s a range of ways that protocols allocate positions of relative authority in consensus networks. DPoS, PoA, Eth2.0 style PoS, and unlimited node counts with fixed staking requirements are just a handful of examples. With the exception of the few collusion-prone blockchains that have a tiny Validator set for hypercharged mega-totally-safe-and-scalable blockchains of the future, most permissionless networks don’t have a cap on the number of Validators allowed on the network. Chainflip does, which places some constraints on the allocation system, and means we have to think a little outside the box to come up with a workable plan.
The goals of the allocation system are as follows:
  • Maximise the collateral locked in Validator nodes
  • Encourage a relatively even distribution of collateral across the Validator network
  • Minimise active involvement in the auction process for adequately collateralised nodes (reduce the mental bandwidth required to run a node)
  • Encourage a stable Validator set without excluding new entrants
  • Minimise gas costs associated with participating in the process
To achieve this set of goals, we’ve designed a minimally-interactive system to allow market dynamics to handle much of the process of allocating slots. It’s been partly inspired by the winners of the 2020 Nobel Prize in Economics, Robert Wilson and Paul Milgrom, who through their studies in auction theory designed a system for equitably selling off a set of partially-fungible slots in a finite set called SMR (Simultaneous Multi-Round) Auctions. The most prominent example of this was when the FCC sold off broadcasting frequencies in the US to great effect using this system. Here’s a sweet video from Economics Explained about it and also some broader concepts on Auction Theory.
Chainflip’s auction process shares some concepts with SMR auctions but does have notable differences. Perhaps a better name for this style of auction could be a Simultaneous Single-Round Open Dutch (SSOD) Auction, as while participants are only participating in a single continuous round, they are incentivised to openly place the maximum bid they can as there is no downside risk to paying too much. Here are the rules for the auction process:
  1. 1.
    The auction starts halfway between the start and the expected end of the Epoch.
  2. 2.
    Any amount that is staked at the start of the auction will be automatically counted as a bid and remains locked for the duration of the auction (this includes existing Authorities and any rewards they earned before the auction started).
  3. 3.
    New bids that are placed either top up existing bids or enter a new candidate into the auction. Additional bids can be placed at any time during the auction, however once placed, they remain locked until the end of the auction.
  4. 4.
    The auction resolves at the end of the epoch, as follows:
    1. 1.
      The bounds for the number of bidders included in the next authority set are determined according to the previous set size and the maximum of 150 bidders. Where the previous set size is smaller than 150, the growth of the set size is limited to an additional 50% of open slots.
    2. 2.
      The token bond amount is defined as the minimum bid of all winning bids (Minimum Active Bid). The bond amount is the amount of tokens that are locked for each Authority Member and cannot be withdrawn for the duration of an Epoch.
  5. 5.
    The new proposed authority set is then required to cooperate to generate new aggregate threshold keys. If, during this key generation process, there are any nodes that fail to participate, these nodes are added to an exclusion list, and we begin including Backup Validators to try and fill the remaining slots. They will have less than the minimum bond, but will still be included in the new Authority Set. Only a maximum of the top 1/3rd of Backup Validators from the auction resolution will be included to replace offline bidders that would have otherwise become Authority members.
  6. 6.
    After the key generation ceremony is complete, the auction is deemed successful, and all failed bidders may withdraw their stakes. All Authorities may also withdraw any amount of tokens in excess of the now-locked bond from their stake.
This system is used because it avoids expensive on-chain last minute bidding wars with all participants trying to stake the minimum possible whilst winning slots. In this SSOD Auction system, each Validator should just bid the absolute maximum they can because at the end of the auction, they always have the option of withdrawing whatever they didn’t need. It’s only the bottom set of Validators that may need to quickly top up their bids before the end of auctions in order to protect their existing slots. It should also lead to a relatively even spread of collateral across all Authority Set Validators.
What This Looks Like In Practice
To illustrate how it works, let’s look at a hypothetical Validator set of just 7 nodes, labelled A-G:
Round 1 Auction Cycle Results
The figure above showcases a system where all nodes which successfully bid, are paid the same in rewards, irrespective of the size of their stake. So long as they have a Validator slot, the Validator gains no extra reward for staking more. However, that doesn’t mean there are no advantages: Validators that have a higher stake are much less likely to be outbid in the next auction cycle. Let’s explore that by looking at a following auction cycle. For the sake of the example, we will assume that all returns from the last auction cycle will be reinvested into the next cycle, and not unlocked:
Round 2 Auction Cycle Results
The figure above showcases that during the last Validator epoch, the active Validators earned 4k $FLIP each. However, Validator F added another 7k $FLIP to their bid, jumping up to Slot 5 and knocking out Validator E, who didn’t top up their bid. Through the process, the Minimum Active Bid has risen from 120k $FLIP to 125k $FLIP with just a single new bid and a single node slot being cycled.
This achieves a range of the stated goals:
  • Maximise the collateral locked in Validator nodes — by automatically including the rewards of Validators into the next auction cycle, there is a natural tendency for Validators who do not unstake rewards to drive up the Minimum Active Bid each cycle.
  • Encourage a relatively even distribution of collateral across the Validator network — Because all Validators earn the same rewards, there is no inherent incentive to stake a large number of tokens into a single Validator. Validators at the very top of the ladder may have enough to unstake what they don’t need and use it to bid for a second slot, which levels out the average distribution of bids.
  • Minimise active involvement in the auction process for adequately collateralised nodes (reduce the mental bandwidth required to run a node) — Most Validators won’t even have to pay attention to the process if they do not withdraw their rewards. Most Validators will not need to execute more than one on-chain staking transaction. This includes prospective bidders who should also stake whatever amount they can afford straight away.
  • Encourage a stable Validator set without excluding new entrants — The system, while permissionless, does favour those that haven’t been previously slashed and keep their rewards staked. This helps foster a stable and secure network that makes it challenging for malicious actors to try and outbid large chunks of the slots, whilst still remaining competitive on the lower end of the Validator set.
  • Minimise gas costs associated with participating in the process — Most Validators will not need to execute more than one on-chain staking transaction. This includes prospective bidders who should also stake whatever amount they can afford straight away.
What Happens If I’m Unsuccessful?
One of the downsides with this auction design is that it leaves would-be Validators with insufficient capital empty handed after each auction cycle. This is bad, as these prospective Validators are earning no rewards and thus have no incentive to maintain the Validator node they have spent time and energy setting up. The same goes for Validators which have been outbid. This means they’ll be less likely to stick around and bid again in the next auction, as they still have to pay for and maintain their infrastructure in the meantime.
Further to this, because an Emergency Rotation is always possible (if enough of the network goes offline during an Epoch), our design should make sure that there are always some extra nodes on standby ready to fill slots which are freed up by an emergency rotation scenario, or by otherwise successful bidders being offline during the Key Generation step in the process.
Thus, we need an incentive for these so-called ‘Backup Validators.’ By defining a set of nodes which are not included in the Authority Set, but are given a small reward for being around and staying alive, we ensure that getting outbid, being offline, or failing to bid enough to join the set could still be a profitable exercise for these operators. It also ensures that there’s always a set of online nodes monitoring the state chain and ready to participate.

Backup Validators

Instead of paying an equal reward to the Backup Validators, a fixed reward is distributed proportionally to Backup Validators based on their stake size. This is because we want to incentivise these Backup Validators to have the highest amount they can in case of an Emergency Rotation, in which the highest bidding backup nodes would be included first, and also to incentivise the nodes to hold onto their stakes and await the next auction.
For Backup Validators, we also allow bids to be placed outside of the normal auction cycle, and immediately reflect increased bids for Backup Validators in the rewards they are paid. This provides a direct and immediate incentive to stake as much as possible as soon as possible, both increasing total bidding and increasing the likelihood that these more active and collateralised Backup Validators will be included in the next set.
The rules for Backup Validators are as follows:
  • A fixed reward of FLIP (much less than the Active Set reward) is allocated to the Backup Validators for a given Epoch.
  • There is a limit on the number of Backup Validator slots - 1/3rd of the current Authroity Set size. Any bidding node outside this limit at the end of the auction is treated as a Passive Validator.
  • So long as Backup Validator remains alive and staked, rewards will be paid to it based on their stake, proportional to their share of staked FLIP in the total number of FLIP staked in Backup Validators (It should be noted that Backup Validators will never earn more than Active Validators).
  • A Backup Validator will not earn rewards if it does not remain alive. Backup Validators can come back online at any time and resume earning rewards.
  • Backup Validators can unstake themselves at any time outside of the regular auction window just like the Authority Set. However, once the next auction begins, they must wait until the end of the auction to unstake, as their stake (including unclaimed rewards) will be automatically treated as a bid.
  • Like in a regular Auction, in an Emergency Rotation, only the top third of Backup Validators will be included in the Emergency Set. This is to prevent mass deregistration events allowing large numbers of low-collateral nodes to form a superminority in the vast majority of cases.
Going back to our example, with the Backup Validator system in place, our third round might look something like this:
Round 3 Auction Cycle Results
As you can see, Validator E is earning enough rewards to stay close to the Minimum Active Bid. If one of the Active-Online Validators were to unstake or be deregistered, the Minimum Active Bid would drop to 124k $FLIP, if no new bids are placed at all.
The design addition of rewards for Backup Validators solves for the remaining problems with Chainflip’s SSOD Auctions, better addressing the key goals of the design and ensuring a more stable and redundant network composition, whilst encouraging competition even among participants bidding below the Minimum Active Bid threshold.
In Summary
Chainflip’s SSOD Auction system should produce a range of positive behaviour from Validators, with the effect of furthering the defined goals of the network. It provides a simple and effective framework for Validators to maintain long term positions within the network, whilst also naturally encouraging the reinvestment of rewards back into the Validator slots. It is fair and predictable to new entrants who, after the first few auction cycles, should be able to accurately estimate their performance in auction rounds before they start.
Coupled with additional rewards, the SSOD auction creates incentives for Backup Validators to remain active. This will help keep the minimum bid higher when other Validators drop out (or in the case of an Emergency Rotation), making for more sustainable collateralisation of the network.
Higher collateral means higher liquidity security. In turn, this maximises the number of assets that Chainflip can support and allows for better pricing for users. Better prices should mean more volume, and more volume means more destroyed FLIP. Destroying FLIP should serve to increase the overall collateralisation of the network. You can hopefully see that this has the potential to form a strong positive feedback loop.