Staking risks

Slashing and liquidation are not punitive and are designed to prevent bad actors in the network.

Random Beacon

Overview

The random beacon is a service to generate strong randomness in a distributed setting via a distributed signature generation. Nodes are put into signing groups of 64 members, which then jointly generate a signing key used whenever a new entry (name used for the randomness in the contracts) is requested.

At the moment, this randomness is mostly used to randomly select operators for keeps.

Risks

A slash is a penalty for signing group misbehavior. It results in the removal of a portion of your delegated KEEP tokens (usually one minimum stake). If you’re using a staking provider, you shouldn’t need to worry about slashing.

Slashing vectors are kept minimal, and only seriously punitive in nature if malicious behavior is suspected. As long as a Random Beacon group (64 members) produces an entry, you won't be slashed if you had down time and were part of the group selected to produce an entry.

The risks of running a tBTC/ECDSA signer node are:

Event

Slashing (KEEP)

more than 50% of beacon group members are offline for 6 * 64 blocks (~90 minutes with 14s block time)

fraudulent signature is generated (requires collusion of > 50% of group members)

Refer to the minimum staking intervals chart at the bottom of the page to see what the minimum stake would be at a given creation date.

TBTC / ECDSA

Overview

The two services offered by operators are depositing and redemption of BTC. Depositing BTC into custody produces a DepositToken (TDT), which can be exchanged for TBTC. Redemption then requires a TDT and burning of TBTC.

Risks

In both cases described above, operators can misbehave or fail and thus violating protocol needs to be discouraged. Slashing only occurs in the case of malicious behavior. Here we try to outline these mechanisms for node operators, in order for them to better assess the risks of providing these services.

The risks of running a tBTC/ECDSA signer node are:

Event

Slashing

Lose collateral (ETH)

failing to create signing groups (3 hours grace period)

❌

βœ… (only setup fee paid by user)

collateral price peg breaking

❌

βœ… (all stake)

βœ… (all stake)

βœ… (split between submitter and auction winner)

failing to honor a redemption request (signature, 2 hour grace period; spv proof, 6 hour grace period)

❌

βœ… (redeemer gets tBTC and bond is auctioned off, auction remains are split between fraud reporter and signer group)

βœ… (all stake)

βœ… (redeemer gets full bond)

A note on "all stake"

Please note that "all stake" in the above charts refers to the stake locked in during the creation of the keep. Each keep creation locks the minimum stake at the time, so slashing all stake here means slashing 100% of the minimum stake at keep creation date.

Learn more about staking minimums:

pageStaking minimums

For more reading on risks for operators, please refer to the Keep community created doc authored by Discord user @ssh. You can read it here.

Last updated