AFAIK there is no penalty other than forfeiting staking reward from a validator trying to attack the network (double spending). This is different from other PoS networks, wouldn’t that lead to decreased network security (even Avalanche consensus cannot tolerate too many bad actors)?
Great question, and this is a great opportunity to set straight some common misconceptions.
Before I discuss slashing, let me remind you: Avalanche can actually tolerate an extremely large amount of Byzantine actors. Your statement about Avalanche not tolerating a large number of Byzantine nodes is incorrect, but that is another post.
Now, regarding slashing: it’s misguided. Let’s understand why.
Byzantine systems are built to tolerate a certain number of bad nodes. These nodes can behave entirely arbitrarily, and yet the system will just work. There’s two sets of events that can happen:
Scenario 1: Misbehavior by a minority set of nodes
Suppose you implement slashing. Then Alice, who’s a minority stakeholder, misbehaves and gets slashed. However, Alice was unable to create any issues in the first place, since the system is Byzantine fault tolerant (BFT).
In this universe, slashing effectively “smooths out” minority misbehavior. But unfortunately, this buys us nothing. In fact, it makes running nodes riskier. Therefore, implementing no slashing is strictly superior.
Scenario 2: Misbehavior by a majority set of nodes
Suppose you implement slashing. Then Alice, who’s a majority stakeholder, can misbehave and – since she has majority control – gets to both double-spend AND to ignore slashing transactions. Therefore, slashing was ineffective. This is because we violated the very assumption of the BFT system, which is that the majority of the system is correct.
There’s incentivizing people with sticks and there’s incentivizing with carrots.
In Bitcoin, there’s no “stick”. If you decide to double-spend, you do not get your funds taken away from you. Yes, if your double-spend was unsuccessful, you merely had some sunken cost in electricity which you would have otherwise consumed regardless. Bitcoin has worked incredibly well by just using a “carrot”.
In PoS, there’s no need for a stick either. Having ownership in a PoS system is sufficient financial alignment that misbehaving as a majority stakeholder could end up easily destroying the confidence in the system and thus the value associated with your stake.
Slashing isn’t used as a double-spend deterrent, it’s used to solve against the nothing at stake problem. Nothing at stake is an obvious issue with longest chain consensus, I’d like to hear your take on why it wouldn’t be an issue under the Avalanche protocol.
Slashing is supposed to disincentivise bad behaviour whether that be from having the node go offline to performing attacks on the network. Implementations have shown it’s ineffective though.
With regards to uptime, the loss of staking rewards is the deterrent without needing to implement slashing and the risk of bugs causing downtime as seen with a number of projects.
With regards to nothing at stake problem, Avalanche’s implementation is actually far better solution than platforms that use slashing such as Polkadot. Not only is there a minimum amount to AVAX required stake to become a validator, but importantly the maximum amount of stake that can be delegated to your node is based on a proportion of the operators own stake. Therefore, to have a large amount of control, they have no option other than have a significant amount of AVAX staked themselves. Whereas with Polkadot there are node operators with 10% of the stake yet have less than $1000 dollars worth of DOT of their own stake as discussed in this article - https://medium.com/@CryptoSeq/polkadot-an-early-in-depth-analysis-part-three-limitations-and-issues-d8b0a795a3e
All slashing does in this scenario is put all the risk onto the delegators, an attacker can gain control of a huge share of the network at minimal cost through offering 0% delegation fees and slashing provides no deterrent for the attacker. Unfortunately, delegators are misinformed of the risks involved plus it’s very difficult to actually verify identity / setup, and even then, it could just be a front to then later attack the network when offered a large bribe etc.
Minimum delegation fees also ensure it’s not a race to the bottom and still viable to run a node as minimal hardware requirements. Plus the advantages of the Avalanche consensus protocol enables far better decentralisation allowing anyone to run a node and participate in consensus rather than being restricted to a small number of nodes where it’s not possible to acquire enough stake through delegations to be able to participate in consensus. You aren’t forced to trust a node operator in Avalanche and everyone is encouraged to run their own node as the consensus protocol makes that possible.
This still doesn’t directly address the nothing at stake problem. Without slashing, the GTO strategy for longest chain POS consensus is to validate every fork, whether you have a large or a small stake. There’s no incentive in “choosing the right one” and validating 2 conflicting chains is beneficial since getting 2x the block reward makes it worth it.
My understanding is that Avalanche’s design, which doesn’t have block rewards, makes it resistant to that attack. Somehow I don’t see any mention of this in the slashing responses provided by the team, which makes it sound like they’re addressing a different issue.
The argument that slashing isn’t necessary seems to assume that the only possibilities are that a minority that can’t cause harm is slashed or a majority that can’t be punished is slashed. But those aren’t the circumstances under which slashing is typically used and it’s based on an unrealistic understanding of what a “majority” is.
For example, think about bitcoin. Are the set of miners a majority that can’t be punished or a minority that can’t do harm? They’re clearly neither. They can do harm – they can double spend. But they can be punished – the real stakeholders of bitcoin (the people who pay for the bitcoins the miners mine) can change the mining algorithm, turning the miners ASICs into expensive space heaters.
The same is true of non-PoW networks. For example, one common application of slashing is to allow a small group to act as delegates for a large group. Small groups can act faster than larger groups with less message traffic, less overhead, and thus smaller transaction fees. But smaller groups can be easier to corrupt, so a larger group (that can’t act as quickly or cheaply) can retain ultimate control, slashing the members of the smaller group if they act improperly. This gives you the speed of a small group of validators, the security of a large group of validators, and a cost somewhere in-between.
So the argument made is wrong because it assumes that any group is either a powerless minority or an omnipotent majority. In reality, omnipotent majorities don’t really exist in public blockchains.
There are no block rewards as you say and so there is no incentive to double vote. Avalanche also doesn’t have a leader to create the next block and decide which chain to build on. All the dishonest votes can do is try to outvote the honest nodes, but the Avalanche consensus protocol quickly converges to the right decision with repeat subsampling of the network. If there are conflicting votes proposed honest nodes will check they are spendable and reject them if not.
The voting is weighted based on the stake of the node, and as the maximum amount of stake that can be delegated to your node is based on a proportion of the operators own stake then if they also attack the network then they will lose out financially as well with loss of value of the token.