diff --git a/proposals/0180-vote-account-leader-schedule.md b/proposals/0180-vote-account-leader-schedule.md new file mode 100644 index 000000000..c017557f1 --- /dev/null +++ b/proposals/0180-vote-account-leader-schedule.md @@ -0,0 +1,106 @@ +--- +simd: '0180' +title: Vote Account Address Keyed Leader Schedule +authors: Justin Starry (Anza) +category: Standard +type: Core +status: Review +created: 2024-10-03 +feature: (fill in with feature tracking issues once accepted) +--- + +## Summary + +The epoch leader schedule for block production will be migrated from being keyed +by validator identity addresses to being keyed by vote account addresses. The +expected block signer for a given slot will be determined by the vote account's +designated validator identity. + +## Motivation + +Using validator identity addresses in the leader schedule means there is no +straightforward way to map a block producer to a particular vote account and its +delegated stake. This is because the same validator identity could be designated +by multiple vote accounts. By migrating the leader schedule to being keyed by +vote account addresses, we know exactly what delegated stake led to a +validator's leader schedule slot allocation. This will make certain protocol +improvements much easier to design like how to distribute block rewards and how +to slash validators that produce duplicate blocks. + +## New Terminology + +NA + +## Detailed Design + +### Leader Schedule Generation + +The leader schedule MUST continue to be generated at epoch boundaries with the +existing stake weighted randomized leader schedule algorithm. However, the stake +weights used in this algorithm MUST be adjusted to be accumulated by delegated +vote account address rather than accumulating all stake by validator identity +address. As before, delegated vote accounts MUST be valid to be included in the +leader schedule generation algorithm. + +### Valid Vote Accounts + +For reference, valid vote accounts are defined as accounts with the following +requirements: + +- non-zero lamport balance +- owned by the vote program (`Vote111111111111111111111111111111111111111`) +- either: + - data size of 3731 bytes and `data[4..86] != [0; 82]` + - data size of 3762 bytes and `data[4..118] != [0; 114]` + +### Validator Identity Address Lookup + +Block shreds MUST still be signed by the validator identity private key and +block rewards MUST still be collected into the validator identity account (also +known as fee collection account). + +Once the leader schedule is keyed by vote account addresses, validator identity +pubkey's will need to be looked up by loading the vote account state for the +designated vote account address for a particular leader slot. Since the vote +program allows updating the validator identity address at any time after leader +schedule generation, the vote account state from the beginning of the previous +epoch MUST be used. + +Since only valid vote accounts are used during leader schedule generation, a +valid vote account is guaranteed to exist in epoch stakes and its validator +identity address can be fetched from its account state. + +### RPC Migration + +Existing leader schedule and slot leader RPC endpoints SHOULD continue returning +the resolved validator identity address to avoid breaking downstream users of +these endpoints that expect the leader schedule to use validator identity. +However, new RPC endpoints for fetching the new leader schedule keyed by vote +account addresses SHOULD be added. + +## Alternatives Considered + +Alternatively, the protocol could create a strict one-to-one mapping between +validator identity addresses and vote account addresses. However this would +require quite a lot of onchain program and account state changes to be able to +enforce this mapping. And migrating existing one-to-many relationships is not +very straightforward and would likely require validators to manually migrate +which could take a long time. + +## Impact + +Negligible impact expected. There will be some extra overhead to looking up / +caching the validator identity address for each vote account address. + +## Security Considerations + +NA + +## Drawbacks *(Optional)* + +NA + +## Backwards Compatibility *(Optional)* + +Feature gate will be required to enable this migration since leader schedule +generation will be different.