cosmos-sdk/docs/spec/slashing/04_begin_block.md

# Begin-Block

## Evidence handling

Tendermint blocks can include
[Evidence](https://github.com/tendermint/tendermint/blob/develop/docs/spec/blockchain/blockchain.md#evidence), which indicates that a validator
committed malicious behavior. The relevant information is forwarded to the
application as [ABCI
Evidence](https://github.com/tendermint/tendermint/blob/develop/abci/types/types.proto#L259) in `abci.RequestBeginBlock`
so that the validator an be accordingly punished.

For some `evidence` to be valid, it must satisfy:

`evidence.Timestamp >= block.Timestamp - MAX_EVIDENCE_AGE`

where `evidence.Timestamp` is the timestamp in the block at height
`evidence.Height` and `block.Timestamp` is the current block timestamp.

If valid evidence is included in a block, the validator's stake is reduced by `SLASH_PROPORTION` of 
what their stake was when the infraction occurred (rather than when the evidence was discovered).
We want to "follow the stake": the stake which contributed to the infraction should be
slashed, even if it has since been redelegated or started unbonding. 

We first need to loop through the unbondings and redelegations from the slashed validator
and track how much stake has since moved:

```
slashAmountUnbondings := 0
slashAmountRedelegations := 0

unbondings := getUnbondings(validator.Address)
for unbond in unbondings {

    if was not bonded before evidence.Height or started unbonding before unbonding period ago {
        continue
    }

    burn := unbond.InitialTokens * SLASH_PROPORTION
    slashAmountUnbondings += burn

    unbond.Tokens = max(0, unbond.Tokens - burn)
}

// only care if source gets slashed because we're already bonded to destination
// so if destination validator gets slashed our delegation just has same shares
// of smaller pool.
redels := getRedelegationsBySource(validator.Address)
for redel in redels {

    if was not bonded before evidence.Height or started redelegating before unbonding period ago {
        continue
    }

    burn := redel.InitialTokens * SLASH_PROPORTION
    slashAmountRedelegations += burn

    amount := unbondFromValidator(redel.Destination, burn)
    destroy(amount)
}
```

We then slash the validator and tombstone them:

```
curVal := validator
oldVal := loadValidator(evidence.Height, evidence.Address)

slashAmount := SLASH_PROPORTION * oldVal.Shares
slashAmount -= slashAmountUnbondings
slashAmount -= slashAmountRedelegations

curVal.Shares = max(0, curVal.Shares - slashAmount)

signInfo = SigningInfo.Get(val.Address)
signInfo.JailedUntil = MAX_TIME
signInfo.Tombstoned = true
SigningInfo.Set(val.Address, signInfo)
```

This ensures that offending validators are punished the same amount whether they
act as a single validator with X stake or as N validators with collectively X
stake.  The amount slashed for all double signature infractions committed within a
single slashing period is capped as described in [overview.md](overview.md) under Tombstone Caps.

## Uptime tracking

At the beginning of each block, we update the signing info for each validator and check if they've dipped below the liveness threshold over the tracked window.  If so, they will be slashed by `LivenessSlashAmount` and will be Jailed for `LivenessJailPeriod`.  Liveness slashes do NOT lead to a tombstombing.

```
height := block.Height

for val in block.Validators:
  signInfo = SigningInfo.Get(val.Address)
  if signInfo == nil{
        signInfo.StartHeight = height
  }

  index := signInfo.IndexOffset % SIGNED_BLOCKS_WINDOW
  signInfo.IndexOffset++
  previous = MissedBlockBitArray.Get(val.Address, index)

  // update counter if array has changed
  if !previous and val in block.AbsentValidators:
    MissedBlockBitArray.Set(val.Address, index, true)
    signInfo.MissedBlocksCounter++
  else if previous and val not in block.AbsentValidators:
    MissedBlockBitArray.Set(val.Address, index, false)
    signInfo.MissedBlocksCounter--
  // else previous == val not in block.AbsentValidators, no change

  // validator must be active for at least SIGNED_BLOCKS_WINDOW
  // before they can be automatically unbonded for failing to be
  // included in 50% of the recent LastCommits
  minHeight = signInfo.StartHeight + SIGNED_BLOCKS_WINDOW
  maxMissed = SIGNED_BLOCKS_WINDOW / 2
  if height > minHeight AND signInfo.MissedBlocksCounter > maxMissed:
    signInfo.JailedUntil = block.Time + DOWNTIME_UNBOND_DURATION
    signInfo.IndexOffset = 0
    signInfo.MissedBlocksCounter = 0
    clearMissedBlockBitArray()
    slash & jail the validator

  SigningInfo.Set(val.Address, signInfo)
```
End block to begin block, add README 2018-08-13 07:04:35 -07:00			`# Begin-Block`
transaction stake updates 2018-05-25 15:52:34 -07:00
Update links 2018-08-13 07:12:59 -07:00			`## Evidence handling`
transaction stake updates 2018-05-25 15:52:34 -07:00
docs/spec/slashing: point to Tendermint evidence 2018-06-15 23:26:09 -07:00			`Tendermint blocks can include`
			`[Evidence](https://github.com/tendermint/tendermint/blob/develop/docs/spec/blockchain/blockchain.md#evidence), which indicates that a validator`
Fix typos 2018-08-20 06:07:23 -07:00			`committed malicious behavior. The relevant information is forwarded to the`
docs/spec/slashing: point to Tendermint evidence 2018-06-15 23:26:09 -07:00			`application as [ABCI`
End block to begin block, add README 2018-08-13 07:04:35 -07:00			Evidence](https://github.com/tendermint/tendermint/blob/develop/abci/types/types.proto#L259) in `abci.RequestBeginBlock`
			`so that the validator an be accordingly punished.`
transaction stake updates 2018-05-25 15:52:34 -07:00
Merge PR #1463: docs: Fix dependencies, from monorepo merge Closes #1456 2018-06-29 13:02:45 -07:00			For some `evidence` to be valid, it must satisfy:
transaction stake updates 2018-05-25 15:52:34 -07:00
			`evidence.Timestamp >= block.Timestamp - MAX_EVIDENCE_AGE`

			where `evidence.Timestamp` is the timestamp in the block at height
			`evidence.Height` and `block.Timestamp` is the current block timestamp.

Merge PR #1278: Slashing v2 Implement semifinal Gaia slashing spec (#1263), less #1348, #1378, and #1440 which are TBD. 2018-06-29 20:34:55 -07:00			If valid evidence is included in a block, the validator's stake is reduced by `SLASH_PROPORTION` of
			`what their stake was when the infraction occurred (rather than when the evidence was discovered).`
			`We want to "follow the stake": the stake which contributed to the infraction should be`
			`slashed, even if it has since been redelegated or started unbonding.`
transaction stake updates 2018-05-25 15:52:34 -07:00
Merge PR #1278: Slashing v2 Implement semifinal Gaia slashing spec (#1263), less #1348, #1378, and #1440 which are TBD. 2018-06-29 20:34:55 -07:00			`We first need to loop through the unbondings and redelegations from the slashed validator`
			`and track how much stake has since moved:`
docs/spec/slashing 2018-06-14 20:26:21 -07:00
transaction stake updates 2018-05-25 15:52:34 -07:00			```
Merge PR #1278: Slashing v2 Implement semifinal Gaia slashing spec (#1263), less #1348, #1378, and #1440 which are TBD. 2018-06-29 20:34:55 -07:00			`slashAmountUnbondings := 0`
			`slashAmountRedelegations := 0`
transaction stake updates 2018-05-25 15:52:34 -07:00
docs/spec/slashing 2018-06-14 20:26:21 -07:00			`unbondings := getUnbondings(validator.Address)`
			`for unbond in unbondings {`
Merge PR #1278: Slashing v2 Implement semifinal Gaia slashing spec (#1263), less #1348, #1378, and #1440 which are TBD. 2018-06-29 20:34:55 -07:00
			`if was not bonded before evidence.Height or started unbonding before unbonding period ago {`
docs/spec/slashing 2018-06-14 20:26:21 -07:00			`continue`
			`}`
Merge PR #1278: Slashing v2 Implement semifinal Gaia slashing spec (#1263), less #1348, #1378, and #1440 which are TBD. 2018-06-29 20:34:55 -07:00
docs/spec/slashing 2018-06-14 20:26:21 -07:00			`burn := unbond.InitialTokens * SLASH_PROPORTION`
Merge PR #1278: Slashing v2 Implement semifinal Gaia slashing spec (#1263), less #1348, #1378, and #1440 which are TBD. 2018-06-29 20:34:55 -07:00			`slashAmountUnbondings += burn`

Fix two typos, ensure nonnegative tokens 2018-06-15 14:26:14 -07:00			`unbond.Tokens = max(0, unbond.Tokens - burn)`
docs/spec/slashing 2018-06-14 20:26:21 -07:00			`}`

			`// only care if source gets slashed because we're already bonded to destination`
			`// so if destination validator gets slashed our delegation just has same shares`
			`// of smaller pool.`
			`redels := getRedelegationsBySource(validator.Address)`
			`for redel in redels {`

Merge PR #1278: Slashing v2 Implement semifinal Gaia slashing spec (#1263), less #1348, #1378, and #1440 which are TBD. 2018-06-29 20:34:55 -07:00			`if was not bonded before evidence.Height or started redelegating before unbonding period ago {`
docs/spec/slashing 2018-06-14 20:26:21 -07:00			`continue`
			`}`

			`burn := redel.InitialTokens * SLASH_PROPORTION`
Merge PR #1278: Slashing v2 Implement semifinal Gaia slashing spec (#1263), less #1348, #1378, and #1440 which are TBD. 2018-06-29 20:34:55 -07:00			`slashAmountRedelegations += burn`
docs/spec/slashing 2018-06-14 20:26:21 -07:00
			`amount := unbondFromValidator(redel.Destination, burn)`
			`destroy(amount)`
			`}`
			```
transaction stake updates 2018-05-25 15:52:34 -07:00
R4R: Tombstone Implementation (#3225) 2019-01-10 17:22:49 -08:00			`We then slash the validator and tombstone them:`
Merge PR #1278: Slashing v2 Implement semifinal Gaia slashing spec (#1263), less #1348, #1378, and #1440 which are TBD. 2018-06-29 20:34:55 -07:00
			```
			`curVal := validator`
			`oldVal := loadValidator(evidence.Height, evidence.Address)`

			`slashAmount := SLASH_PROPORTION * oldVal.Shares`
			`slashAmount -= slashAmountUnbondings`
			`slashAmount -= slashAmountRedelegations`

			`curVal.Shares = max(0, curVal.Shares - slashAmount)`
R4R: Tombstone Implementation (#3225) 2019-01-10 17:22:49 -08:00
			`signInfo = SigningInfo.Get(val.Address)`
			`signInfo.JailedUntil = MAX_TIME`
			`signInfo.Tombstoned = true`
			`SigningInfo.Set(val.Address, signInfo)`
Merge PR #1278: Slashing v2 Implement semifinal Gaia slashing spec (#1263), less #1348, #1378, and #1440 which are TBD. 2018-06-29 20:34:55 -07:00			```

			`This ensures that offending validators are punished the same amount whether they`
			`act as a single validator with X stake or as N validators with collectively X`
R4R: Tombstone Implementation (#3225) 2019-01-10 17:22:49 -08:00			`stake. The amount slashed for all double signature infractions committed within a`
			`single slashing period is capped as described in [overview.md](overview.md) under Tombstone Caps.`
Clarify which offenses utilize the slashing period 2018-08-20 09:37:16 -07:00
Update links 2018-08-13 07:12:59 -07:00			`## Uptime tracking`
transaction stake updates 2018-05-25 15:52:34 -07:00
Merge PR #3912: Fix a bunch of typos while skimming through the docs 2019-03-15 10:10:11 -07:00			At the beginning of each block, we update the signing info for each validator and check if they've dipped below the liveness threshold over the tracked window. If so, they will be slashed by `LivenessSlashAmount` and will be Jailed for `LivenessJailPeriod`. Liveness slashes do NOT lead to a tombstombing.
transaction stake updates 2018-05-25 15:52:34 -07:00
			```
Move over slashing spec changes from #1011 2018-05-30 15:54:46 -07:00			`height := block.Height`
transaction stake updates 2018-05-25 15:52:34 -07:00
			`for val in block.Validators:`
docs/spec/slashing: separate out a proper state.md 2018-06-15 03:22:06 -07:00			`signInfo = SigningInfo.Get(val.Address)`
docs/spec/slashing 2018-06-14 20:26:21 -07:00			`if signInfo == nil{`
			`signInfo.StartHeight = height`
			`}`

Move over slashing spec changes from #1011 2018-05-30 15:54:46 -07:00			`index := signInfo.IndexOffset % SIGNED_BLOCKS_WINDOW`
			`signInfo.IndexOffset++`
Bugfix; update slashing spec 2018-10-15 14:01:29 -07:00			`previous = MissedBlockBitArray.Get(val.Address, index)`
Move over slashing spec changes from #1011 2018-05-30 15:54:46 -07:00
			`// update counter if array has changed`
Update spec 2018-10-11 16:04:57 -07:00			`if !previous and val in block.AbsentValidators:`
Bugfix; update slashing spec 2018-10-15 14:01:29 -07:00			`MissedBlockBitArray.Set(val.Address, index, true)`
Update spec 2018-10-11 16:04:57 -07:00			`signInfo.MissedBlocksCounter++`
			`else if previous and val not in block.AbsentValidators:`
Bugfix; update slashing spec 2018-10-15 14:01:29 -07:00			`MissedBlockBitArray.Set(val.Address, index, false)`
Update spec 2018-10-11 16:04:57 -07:00			`signInfo.MissedBlocksCounter--`
Move over slashing spec changes from #1011 2018-05-30 15:54:46 -07:00			`// else previous == val not in block.AbsentValidators, no change`

			`// validator must be active for at least SIGNED_BLOCKS_WINDOW`
Merge PR #1463: docs: Fix dependencies, from monorepo merge Closes #1456 2018-06-29 13:02:45 -07:00			`// before they can be automatically unbonded for failing to be`
Move over slashing spec changes from #1011 2018-05-30 15:54:46 -07:00			`// included in 50% of the recent LastCommits`
			`minHeight = signInfo.StartHeight + SIGNED_BLOCKS_WINDOW`
Update spec 2018-10-11 16:04:57 -07:00			`maxMissed = SIGNED_BLOCKS_WINDOW / 2`
Back to greater than 2018-10-12 12:15:39 -07:00			`if height > minHeight AND signInfo.MissedBlocksCounter > maxMissed:`
Move over slashing spec changes from #1011 2018-05-30 15:54:46 -07:00			`signInfo.JailedUntil = block.Time + DOWNTIME_UNBOND_DURATION`
Bugfix; update slashing spec 2018-10-15 14:01:29 -07:00			`signInfo.IndexOffset = 0`
			`signInfo.MissedBlocksCounter = 0`
			`clearMissedBlockBitArray()`
R4R: Tombstone Implementation (#3225) 2019-01-10 17:22:49 -08:00			`slash & jail the validator`
docs/spec/slashing 2018-06-14 20:26:21 -07:00
docs/spec/slashing: separate out a proper state.md 2018-06-15 03:22:06 -07:00			`SigningInfo.Set(val.Address, signInfo)`
transaction stake updates 2018-05-25 15:52:34 -07:00			```