cosmos-sdk/docs/spec/slashing/01_concepts.md

# Concepts

## States

At any given time, there are any number of validators registered in the state machine.
Each block, the top `n = MaximumBondedValidators` validators who are not jailed become *bonded*, meaning that they may propose and vote on blocks.
Validators who are *bonded* are *at stake*, meaning that part or all of their stake and their delegators' stake is at risk if they commit a protocol fault.

## Tombstone Caps

In order to mitigate the impact of initially likely categories of non-malicious protocol faults, the Cosmos Hub implements for each validator
a *tombstone* cap, which only allows a validator to be slashed once for a double sign fault. For example, if you misconfigure your HSM and double-sign
a bunch of old blocks, you'll only be punished for the first double-sign (and then immediately tombstombed).  This will still be quite expensive and desirable
to avoid, but tombstone caps somewhat blunt the economic impact of unintentional misconfiguration.

Liveness faults do not have caps, as they can't stack upon each other.  Liveness bugs are "detected" as soon as the infraction occurs, and the validators are immediately put in jail, so it is not possible for them to commit multiple liveness faults without unjailing in between.

## ASCII timelines

*Code*

*[*   : timeline start  
*]*   : timeline end  
*C<sub>n</sub>* : infraction `n` committed  
*D<sub>n</sub>* : infraction `n` discovered  
*V<sub>b</sub>* : validator bonded  
*V<sub>u</sub>* : validator unbonded  

*Single Double Sign Infraction*

<----------------->   
[----------C<sub>1</sub>----D<sub>1</sub>,V<sub>u</sub>-----]

A single infraction is committed then later discovered, at which point the validator is unbonded and slashed at the full amount for the infraction.

*Multiple Double Sign Infractions*

<--------------------------->   
[----------C<sub>1</sub>--C<sub>2</sub>---C<sub>3</sub>---D<sub>1</sub>,D<sub>2</sub>,D<sub>3</sub>V<sub>u</sub>-----]

Multiple infractions are committed and then later discovered, at which point the validator is jailed and slashed for only one infraction.
Because the validator is also tombstoned, they can not rejoin the validator set.
Merge PR #3683: spec-spec update, spec file reorg, TOC updates * spec reorg * ... * PENDING.md * @alexanderbez comments 2019-02-20 10:21:57 -08:00			`# Concepts`
Address @rigelrozanski comments 2018-08-23 04:43:01 -07:00
Merge PR #3683: spec-spec update, spec file reorg, TOC updates * spec reorg * ... * PENDING.md * @alexanderbez comments 2019-02-20 10:21:57 -08:00			`## States`
Address @rigelrozanski comments 2018-08-23 04:43:01 -07:00
			`At any given time, there are any number of validators registered in the state machine.`
			Each block, the top `n = MaximumBondedValidators` validators who are not jailed become bonded, meaning that they may propose and vote on blocks.
			`Validators who are bonded are at stake, meaning that part or all of their stake and their delegators' stake is at risk if they commit a protocol fault.`

Merge PR #3683: spec-spec update, spec file reorg, TOC updates * spec reorg * ... * PENDING.md * @alexanderbez comments 2019-02-20 10:21:57 -08:00			`## Tombstone Caps`
Address @rigelrozanski comments 2018-08-23 04:43:01 -07:00
			`In order to mitigate the impact of initially likely categories of non-malicious protocol faults, the Cosmos Hub implements for each validator`
R4R: Tombstone Implementation (#3225) 2019-01-10 17:22:49 -08:00			`a tombstone cap, which only allows a validator to be slashed once for a double sign fault. For example, if you misconfigure your HSM and double-sign`
			`a bunch of old blocks, you'll only be punished for the first double-sign (and then immediately tombstombed). This will still be quite expensive and desirable`
			`to avoid, but tombstone caps somewhat blunt the economic impact of unintentional misconfiguration.`
Address @rigelrozanski comments 2018-08-23 04:43:01 -07:00
R4R: Tombstone Implementation (#3225) 2019-01-10 17:22:49 -08:00			`Liveness faults do not have caps, as they can't stack upon each other. Liveness bugs are "detected" as soon as the infraction occurs, and the validators are immediately put in jail, so it is not possible for them to commit multiple liveness faults without unjailing in between.`
Address @rigelrozanski comments 2018-08-23 04:43:01 -07:00
Merge PR #3683: spec-spec update, spec file reorg, TOC updates * spec reorg * ... * PENDING.md * @alexanderbez comments 2019-02-20 10:21:57 -08:00			`## ASCII timelines`
Address @rigelrozanski comments 2018-08-23 04:43:01 -07:00
			`Code`

			`[ : timeline start`
			`] : timeline end`
			C<sub>n</sub> : infraction `n` committed
			D<sub>n</sub> : infraction `n` discovered
			`V<sub>b</sub> : validator bonded`
			`V<sub>u</sub> : validator unbonded`

R4R: Tombstone Implementation (#3225) 2019-01-10 17:22:49 -08:00			`Single Double Sign Infraction`
Address @rigelrozanski comments 2018-08-23 04:43:01 -07:00
			`<----------------->`
			`[----------C<sub>1</sub>----D<sub>1</sub>,V<sub>u</sub>-----]`

			`A single infraction is committed then later discovered, at which point the validator is unbonded and slashed at the full amount for the infraction.`

R4R: Tombstone Implementation (#3225) 2019-01-10 17:22:49 -08:00			`Multiple Double Sign Infractions`
Address @rigelrozanski comments 2018-08-23 04:43:01 -07:00
Change ASCII diagram slightly 2018-08-23 13:45:38 -07:00			`<--------------------------->`
Address @rigelrozanski comments 2018-08-23 04:43:01 -07:00			`[----------C<sub>1</sub>--C<sub>2</sub>---C<sub>3</sub>---D<sub>1</sub>,D<sub>2</sub>,D<sub>3</sub>V<sub>u</sub>-----]`

R4R: Tombstone Implementation (#3225) 2019-01-10 17:22:49 -08:00			`Multiple infractions are committed and then later discovered, at which point the validator is jailed and slashed for only one infraction.`
Merge PR #3683: spec-spec update, spec file reorg, TOC updates * spec reorg * ... * PENDING.md * @alexanderbez comments 2019-02-20 10:21:57 -08:00			`Because the validator is also tombstoned, they can not rejoin the validator set.`