- Author(s): @evanmcc, Helium Team
- Start Date: 2021-01-11
- Category: economic, technical
- Original HIP PR: #110
- Tracking Issue: #111
- Frequently Asked Questions: FAQ
- Status: Deployed (audit)
Add a new class of actors to the network, called Validators. These will be staked actors, with the intention being to run them on stronger hardware with better network connections than the current Hotspots. They will serve the dual purpose of being eligible for block production and also, in the future, acting as proxies for lightweight (non-chain-following) gateways.
At the current rate of growth, running block production directly on the Hotspot network is rapidly becoming unsustainable. Gossip network usage grows linearly with the size of the network, and slow addressing updates are a common cause of long block interval times.
Legacy hardware power and size also put sharp limits on the size of the group (and hence its security). The fact that addresses aren't static also makes it difficult to reconnect when a Block Producer crashes, also leading to longer block times. Low powered hardware on consumer-grade internet backhaul is much more subject to DoS attacks than high-end servers on cloud-grade connections.
There are also several sub-optimal measures the core team has had to take in order to keep block times consistent on the current hardware, such as a timeout on PoC transaction validation and adjusting the PoC challenge interval, that have led to undesirable side effects.
Lastly, the network is today heavily dependent on our libp2p implementation and its ability to navigate consumer firewalls, proxies and NAT configurations. Given the complexity and variety of these setups, as well as the design of the PoC system, this has led to an appreciable percentage of all PoC challenges failing to have a corresponding receipt. While not all of these can be attributed to this situation, we believe a significant number of them are. By moving to the Validator model (and eventual changes to PoC challenge construction), Hotspots will no longer be dependent on delivering PoC receipts to other Hotspots via libp2p.
While this HIP affects everyone in the network, the only real effect is that ordinary Hotspots will not be able to participate in block production, leading to a loss of the “random” HNT flow (6% of total HNT mined) to the Hotspot pool. The participants most affected by this change are those interested in running Validators.
We also expect the Testnet process, wherein we will stand up a separate network of Validators for testing purposes and to allow Validator runners to gain operational experience, to generate interest from outside of the community, as there exist professional Staking and Validator Pools for other blockchains.
To make this happen, we would make a new ledger entry type for the Validators. This entry would have the Validator's stake level and the owning account, and any other required metadata. All HNT earned by the Validator will automatically go into the owning account and is immediately liquid.
We will add 5 new transactions:
gen_validator_v1
: validator pubkey, owner pubkey, stake: genesis-only txn creating a validator for testing.stake_validator_v1
: validator pubkey, owner pubkey, stake. Owner account is the funding account and description is a short public string that can be used to identify the validator., creates the validatortransfer_validator_stake_v1
: new validator pubkey, old validator pubkey, old owner pubkey, new owner pubkey, stake, payment: moves a stake from validator to validator and optionally a new owner and paymentunstake_validator_v1
: validator pubkey, owner pubkey, stake, release height: this starts the unlock process for the stake, returning it to the owner's account after some withdrawal period. The validator is immediately unable to join block production groupsvalidator_heartbeat_v1
: validator pubkey, height, version: this provides the participants in the chain information about an individual validator's version and online status
These chain variables are used to govern the qualifications of validators on the Helium blockchain:
- Validator Version (
validator_version
): This version variable will be used to control the roll out of validators. Initially this value will be1
in order to allow staking transactions to be accepted by the blockchain in advance of activating validators. When this version is updated to2
, validators will be selected as Block Producers and this HIP is officially launched. We propose that the transition from version1
to version2
be the longer of 2 weeks or the period needed to have at least 100 validators staked and producing heartbeats. - Stake (
validator_minimum_stake
): the amount of HNT that needs to be staked for the Validator to be considered for Block Producer elections. This value will initially be fixed at 10,000 HNT and there will be no benefit of over or under staking. - Stake Withdrawal Period (
stake_withdrawal_cooldown
): This will be the minimum number of blocks after unstaking when the stake will be returned to the owner's account. This will be set to 250,000 blocks at the launch of staking (atvalidator_version
=1
) and a block height deadline needs to be provided by the validator owner at unstaking. An additional variable (stake_withdrawal_max
) will also be available to prevent validator operators to set their withdrawal deadline too far in the future.
These variables are tuning parameters that will be used to manage validators during and after launch. They primarily manage liveness and penalties for poor performance that will be taken into account during elections:
validator_liveness_interval
validator_liveness_grace_period
validator_penalty_probability_factor
penalty_history_limit
dkg_penalty
tenure_penalty
Details about these variables will be provided in developer documentation.
Stake is unlimited, however in the current proposal there are no benefits to overstaking. Overstaking and other features such as delegation will be subject to the HIP community approval process.
Please see open questions for how overstake may be applied to returns. We expect a discussion in the community to help resolve exactly how this should work and will update the HIP to reflect that discussion.
Validator nodes will need large disks for storing the chain and the ledger, and strong (but relatively modest by modern server standards) CPUs and RAM. An AWS T2.large or xlarge should work fine.
The node will need to have a static IP and few ports (currently 2154 and eventually port 443) open to the internet. A DNS resolvable hostname is strongly recommended. Networking speed is variable, but load is largely symmetrical when producing blocks, so good upstream is recommended. Most cloud machines will be fine, but e.g. a cable modem might struggle. We don't recommend running these machines on consumer network connections.
While this does lock "average" users out of the block producer's pool of returns, that pool shrinks, relative to each individual spot, as the network grows.
Realistically, there is no alternative that allows for large network growth other than getting block production onto bigger and more secure CPUs.
- What other designs have been considered and what is the rationale for not choosing them?
Other designs:
- Cloud Miners: Each Hotspot has a proxy in the cloud that is responsible for running its block production responsibilities and watching the chain for PoC responsibilities. Since each cloud validator is rarely in the consensus group, this leads to weird provisioning scenarios and multi-tenancy issues. If a miner can assume that it will be in the group relatively regularly, it's easier to cost out and simpler to do capacity planning for (and avoids collisions where an overcommitted cloud miner cluster gets too many members at once).
- Most DIY Hotspot setups follow the same model as Cloud Miners
- Switching to another chain to run on has been determined to be currently infeasible due to limitations on storage and private computation
-
Why is this design the best in the space of possible designs?
- I've added some details in the above section, but in addition to those benefits, this also leads to a very clean separation of responsibilities between spot owners and validator runners, whose jobs do not look especially similar.
- Allows us to scale the network better as more light gateways and full nodes get added to the network.
-
What is the impact of not doing this?
More and more resources will need to be poured into the P2P aspect of the design, and we'll eventually need to add a layer of "stronger" validators in any case to keep up with transaction scaling. Since we're always going to be held back by slow/lower memory group members, we will be limited in the complexity of the features that we can add and the stability of the network will continue to suffer.
- How does overstake affect election chances? Linearly? Diminishing returns? etc.
- What are the most desirable evolutions for this feature that are too complicated for the initial version?
- Do we want to limit (at least initially) the number of nodes in order to put a floor under earnings? We could link this to the on-chain oracle price, potentially.
Deployment impact will be minimal, other than an increase in the stability of block times.
We should see an increase in the stability of block times.
We should be able to increase the number of validators in the block production group without disruption.
We should see people eagerly staking new validators as a measure of the appeal of the idea.
A: In the current proposal Validator nodes will earn the 6% rewards for consensus group participation. This is the same percentage that Hotspots/Gateways currently earn for performing the same work.
A: Technically yes, but practically it is increasingly unlikely your Hotspot would have been chosen among the 16 out of the entire pool of Hotspots. With the current pool there's a 0.034% chance and this percentage decreases as the network continues to grow. Also, with the Validators block production becomes more stable which means mining rewards are allocated on a more consistent basis.
A: The current proposal is 100 with no cap to the maximum number of Validators that can participate. We will have a separate chain var that we will activate Consensus Group election via Validator that can be manually activated after we reach the proposed threshold.
A: The current proposal is 10,000 HNT.
A: Initially there will be no overstaking. We'll decide at a later time via the community process if there's overstaking, what kind we'd allow, and what it will mean.
A: The current proposal is for 250,000 blocks which is approximately 5 months.
A: It depends on the number of Validators and how often a Validator is randomly chosen to participate in the consensus group.
Q: After staking and the block cooldown period would the Validator need to restake the 10k HNT to keep operating?
A: The stake for a validator is perpetual rather than periodically renewed. Unstaking requires submitting an unstake transaction, after which the cooldown period begins. After the cooldown period, the initial stake is returned to the owners account.
A: Rewards are not locked up and if your Validator node is elected into the Consensus Group, the rewards will be allocated at the end of the epoch.
A: Validators will be randomly chosen similarly to how Hotspots/Gateways are chosen. For the initial mainnet launch there will be 16 but this number will quickly increase.
A: Yes.
A: Stay tuned we will have signup and instructions in the coming weeks.
A: Check out the miner software and run it on the server you want to use. Note you'll also need a recent Rust and a C/C++ tool chain. Currently supported erlang version, OTP 22.
A: Running a Validator node will be up to the user to choose to DIY, either on premise or in the cloud. We will learn more after running the testnet, but based on early tests at least:
- an AWS EC2 instance T2 large or xlarge
- Stable IP and few ports (currently 2154 and eventually port 443) open to internet
- DNS resolvable hostname strongly recommended
- Running on stable network connections (without things like proxies, NAT, firewalls, etc.), load is largely symmetrical when producing blocks, so good upstream recommended.
- It is not suitable or recommended to attempt to run from a home internet connection.