(NOTE: The design in this article is preliminary and already outdated. The latest design of Harmony’s EPoS staking mechanism is here)
Since the release of our technical whitepaper, we have been busy implementing core protocol features, including FBFT consensus with BLS multi-sig, distributed randomness generation, a sharded p2p network and much more. We’ve also launched multiple testnet versions, which have been running smoothly since January 2019.
In the meantime, we have also been polishing our token economics and incentives design. We researched the staking models and incentives of existing PoS-based public blockchains such as Cosmos, Tezos, EOS, IoTeX and ETH 2.0. However, as the first sharding-based PoS blockchain to launch soon, we need to be extra diligent in our design, since validators in our blockchain will be decentralized and diverse in their hardware and network specs.
This article describes some of the design thinking and ideas about Harmony’s staking mechanism and validator incentives.
Voting Share Bonding and Staking
Harmony is a Proof-of-Stake blockchain with a sharded network where each shard contains a large group of validators (~400 at initial mainnet launch). Validators validate new blocks and vote to reach consensus using our FBFT algorithm where a 2/3 quorum of votes is needed for consensus.
To be able to vote, validators need to have voting shares bonded to them. One bonded voting share grants one vote for a validator to cast in the FBFT consensus. A voting share will stay bonded to a validator for the bonding period of 7 epochs. After the bonding period ends, the voting share will be released and be available to re-bond. For each shard, there will be roughly 400 bonded voting shares used for consensus.
As detailed in our whitepaper, the Harmony blockchain runs in epochs, and one epoch lasts roughly a day. Within an epoch, the validators in each shard stay the same and run consensus repeatedly. When the epoch changes, new validators with newly bonded voting shares will be randomly assigned to join the shards. Existing validators without any bonded voting shares will exit the shards.
When the blockchain enters a new epoch, the expiring voting shares (those at the end of their bonding period) will be released and become available to bond. Available voting shares are acquired through bidding: potential validators specify their bidding price by sending the corresponding Harmony tokens to the bonding/staking smart contract. The available voting shares will be bonded to the highest bidders and stay bonded for a bonding period of 7 epochs. The tokens from the successful bidders will be staked throughout the bonding period, and the tokens from the rest of the bidders will be available for withdrawal.
The benefits of using bidding to distribute the voting power are twofold:
- Compared to a fixed-price staking requirement like the 32 ether in Eth 2.0, the market will dynamically determine a fair price of a voting share.
- Given an efficient market, the voting power will eventually be taken by the validators with the best operating efficiency who can optimize their return and cost.
During the bonding period, the validators participate in the consensus using their voting shares and get token rewards in proportion to the number of bonded voting shares they have. The tokens being staked for the voting shares may be slashed if the validators do not follow the protocol.
After the bonding period ends, the voting shares will be released and become available for bidding. The corresponding staked tokens will enter the 1-epoch cooldown period, after which they will become available to withdraw. Validators who don’t want to be idle during the cooldown period can choose to immediately rebid for new voting shares using their already staked tokens at the epoch right before the cooldown period.
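The epoch-change bookkeeping described in this section, as an added example that is not Harmony's contract code. The class and method names are hypothetical, equal bids are ranked by arrival order (an assumption), one share per validator address is enforced, and the rebid-from-stake option is left out.

```python
from dataclasses import dataclass, field

BONDING_EPOCHS = 7   # bonding period stated in the article
COOLDOWN_EPOCHS = 1  # cooldown before released stake can be withdrawn


@dataclass
class StakingModel:
    """Toy model of the bonding contract; one voting share per validator."""
    bonded: dict = field(default_factory=dict)        # validator -> (stake, release_epoch)
    cooling: dict = field(default_factory=dict)       # validator -> (stake, free_epoch)
    withdrawable: dict = field(default_factory=dict)  # validator -> tokens

    def _credit(self, who, tokens):
        self.withdrawable[who] = self.withdrawable.get(who, 0) + tokens

    def new_epoch(self, epoch, bids, total_shares):
        """Process an epoch change. bids: [(validator, tokens)] in arrival order.
        Returns the validators that won a voting share in this epoch."""
        # 1. Stake whose cooldown has ended becomes withdrawable.
        for who, (stake, free_at) in list(self.cooling.items()):
            if free_at <= epoch:
                self._credit(who, stake)
                del self.cooling[who]
        # 2. Shares at the end of their bonding period are released; the
        #    stake behind them enters the cooldown period.
        for who, (stake, release_at) in list(self.bonded.items()):
            if release_at <= epoch:
                del self.bonded[who]
                self.cooling[who] = (stake, epoch + COOLDOWN_EPOCHS)
        # 3. Available shares go to the highest bidders. sorted() is stable,
        #    so equal bids are ranked by arrival order (assumed tie-break).
        free = total_shares - len(self.bonded)
        winners = []
        for who, tokens in sorted(bids, key=lambda b: -b[1]):
            if free > 0 and who not in self.bonded:
                self.bonded[who] = (tokens, epoch + BONDING_EPOCHS)
                winners.append(who)
                free -= 1
            else:
                self._credit(who, tokens)  # losing bid: tokens can be withdrawn
        return winners
```

The lowest winning bid in each call is the market price of a voting share for that epoch.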
Grace Period for Resharded Nodes
In a sharded blockchain, a single shard only contains a subset of the network validators and is more vulnerable to single-shard takeover attacks (1% attack) than a non-sharded blockchain. Harmony counters this problem by adopting a periodic resharding mechanism where a subset of the shard validators will be reassigned to other shards every epoch. Since Harmony is a blockchain with state sharding, the resharded validators need to download the state of the new shard before they can validate for it. With our fast state synchronization mechanism, we’ve cut this process down from days to around 1–2 hours. Nonetheless, that is still 1–2 hours during which the new validators are absent, and it may leave them slashed. To address this problem, there will be a grace period of 1/12 of an epoch for the resharded validators to download the new state. During the grace period, a validator’s absence from signing blocks won’t count toward the slashing rule.
Consensus Leader Rotation
In our initial mainnet launch, each shard will be assigned roughly 400 voting shares and we only allow one voting share per validator address. Thus, each shard will have around 400 validators. At the start of a new epoch, the validators are randomly permuted based on the randomness from the DRG protocol and form a random sequence. Starting from the first position of the sequence, the validators take turns being the leader for FBFT consensus, and each validator stays the leader for 40 blocks. Given our epoch time of 16384 blocks and an estimated 5s block interval (UPDATE: now the epoch time is 32768 blocks with an average 2s block interval), this setup ensures that each validator will have one chance of being the leader during an epoch.
When a leader is offline or acts maliciously, for example by double-signing blocks, the whole validator group will initiate a view-change protocol to skip that leader and move on to the next leader in the sequence. The skipped leader will have its staked tokens slashed according to the slashing rules. The view-change protocol ensures that an offline leader can be preempted immediately, before it lives through its 40-block period.
One thing to note is why Harmony changes the leader every 40 blocks rather than every block, as other protocols do (e.g. Cosmos, Tezos and EOS). As one of the first sharding-based blockchains adopting Proof-of-Stake, we face different challenges from other PoS blockchains.
Compared to the validator sets of 21 to 100+ in other PoS blockchains, Harmony will be much more decentralized, with thousands of validators across different shards. Because we welcome all kinds of validators, small or big, to validate for Harmony, we cannot require every validator in our network to be a professionally managed, high-powered machine with 99.99% uptime. The expected percentage of offline nodes in our network will therefore be higher than in non-sharded blockchains. Assume 5% of the nodes in a shard are offline: if we changed the leader every block, no blocks would be proposed during 5% of the epoch overall. With our view-change (leader preemption) mechanism, however, the expected downtime rate is only 0.125%, which significantly helps the reliability and performance of our blockchain.
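The downtime comparison above, as an added model that is not Harmony's code. It assumes a view change costs one empty block slot before the next leader takes over, and it orders validators by SHA-256 of a constructed seed as a stand-in for the DRG-based permutation; all function names are hypothetical.

```python
import hashlib

BLOCKS_PER_EPOCH = 16384  # epoch length used in the article
TERM = 40                 # blocks a leader keeps the role
VIEW_CHANGE_COST = 1      # assumed: slots lost while an offline leader is skipped


def leader_sequence(randomness, validators):
    """Order validators by SHA-256(randomness || id): a stand-in for the
    DRG-seeded permutation, not Harmony's actual algorithm."""
    return sorted(validators,
                  key=lambda v: hashlib.sha256(randomness + v.encode()).digest())


def empty_slots_per_block_rotation(seq, offline):
    """Leader changes every block; an offline leader's slot stays empty."""
    return sum(seq[s % len(seq)] in offline for s in range(BLOCKS_PER_EPOCH))


def empty_slots_with_view_change(seq, offline):
    """Leader serves TERM blocks; an offline leader is preempted by a view
    change after VIEW_CHANGE_COST empty slots and the next one takes over."""
    slot = empty = turn = 0
    while slot < BLOCKS_PER_EPOCH:
        leader = seq[turn % len(seq)]
        turn += 1
        if leader in offline:
            lost = min(VIEW_CHANGE_COST, BLOCKS_PER_EPOCH - slot)
            empty += lost
            slot += lost
        else:
            slot += TERM
    return empty


def compare(n_validators=400, n_offline=20, randomness=b"constructed-epoch-seed"):
    """Return (per-block rate, view-change rate) for a constructed shard."""
    validators = [f"validator-{i:03d}" for i in range(n_validators)]
    offline = set(validators[:n_offline])  # 5% of the shard is offline
    seq = leader_sequence(randomness, validators)
    return (empty_slots_per_block_rotation(seq, offline) / BLOCKS_PER_EPOCH,
            empty_slots_with_view_change(seq, offline) / BLOCKS_PER_EPOCH)
```

Per-block rotation loses about 5% of the slots, while under this model each offline leader costs a single slot per turn, which is where the factor of 40 comes from.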
Token Incentives and Slashing
Besides the staking mechanism and validator organization discussed above, here is a list of the token incentives and slashing rules that we are planning to include in our mainnet:
Token incentives:
- When a new block is confirmed, all validators will share the block reward (~ 30 ONE given a 6% annual inflation rate) and the transaction fees.
- The leader who proposed the block will get another 5% of block reward.
- Block reward will increase with more signatures signed on the block to incentivize the leader to collect more votes.
- Inflation rate (or block reward) will increase when the ratio of total staked tokens to circulating tokens is low.
- VRF submission rewards: 5% more block rewards are given to the leader who submits its VRF randomness at the first block when it becomes the leader.
- VDF submission rewards: 10% more block rewards are given to any account that is able to submit a correct VDF within the predetermined range of time.
Slashing rules:
- When the leader/validators double-sign blocks.
- When the leader is offline (not proposing blocks).
- When a validator fails to sign on 90% of the blocks during the last 4096 blocks (~ 6 hours).
- When the leader fails to submit the VRF result.
- When the leader fails to include a VDF result within the predetermined range of time.
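How the signing rule interacts with the grace period for resharded nodes, as an added sketch that is not Harmony's code. It reads the rule as "slash when fewer than 90% of the counted blocks in the last 4096 are signed", assumes the grace period starts at the first block of the epoch, and uses hypothetical function names with constructed heights.

```python
WINDOW = 4096                           # blocks inspected by the rule (~6 hours)
BLOCKS_PER_EPOCH = 16384                # epoch length used in the article
GRACE_BLOCKS = BLOCKS_PER_EPOCH // 12   # grace period: 1/12 of an epoch


def should_slash(signed_heights, tip, resharded_at=None):
    """Return True if the validator signed fewer than 90% of the counted
    blocks in the last WINDOW blocks ending at height `tip`.

    signed_heights: set of block heights the validator signed.
    resharded_at: first height of the epoch in which the validator was moved
    to this shard, or None; blocks in its grace period are not counted.
    """
    counted = signed = 0
    for height in range(max(0, tip - WINDOW + 1), tip + 1):
        in_grace = (resharded_at is not None
                    and resharded_at <= height < resharded_at + GRACE_BLOCKS)
        if in_grace:
            continue
        counted += 1
        signed += height in signed_heights
    # Integer comparison avoids float rounding at the 90% boundary.
    return counted > 0 and signed * 10 < counted * 9


def demo():
    """Constructed case: resharded at the epoch start, synced after 1300 blocks."""
    epoch_start = BLOCKS_PER_EPOCH
    tip = epoch_start + WINDOW - 1
    signed = set(range(epoch_start + 1300, tip + 1))
    return (should_slash(signed, tip),                # grace period ignored
            should_slash(signed, tip, epoch_start),   # grace period applied
            should_slash(set(), tip, epoch_start))    # never came online
```

Without the exemption, a validator that spends 1300 blocks syncing has signed only about 68% of the window and would be slashed for being resharded.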
The above is just the start of our token incentives and staking design. It’s nowhere near the finalized version. We are working closely with our foundational node validators to polish the design so that our blockchain is secure and all stakeholders are positively incentivized.