Stake Guarantee Window

In our previous post we introduced a 17.5 day withdrawal and deallocation delay for stakers and Operators, respectively. This post explains how that number was determined through the lens of slashable stake guarantees. Additionally, we show that, with reasonable assumptions, this window can be reduced to 14 days.

AVS Sync

Assume there is an Operator Set with a single Operator that allocates slashable stake from one Strategy. The AVS periodically syncs with EigenLayer to update its view of the slashable stake allocated to the Operator Set. Since each sync incurs a cost, the AVS chooses to sync once every AVS Sync Window days. During this period, the AVS assigns tasks to the Operator Set based on the information from the latest sync. The time from when a task is assigned to an Operator Set to when it can be completed is called the Task Completion Window. We assume that for any task assigned within an AVS Sync Window, the Task Completion Window ends before the next sync.

Given the monetary cost of syncing, we assume the AVS syncs once every 7 days, and syncing happens instantaneously.

Slashability Window

The Slashability Window is the period between when an Operator completes a task and when it is slashed for misbehavior. If misbehavior occurs, we assume an observer instantly submits a fraud proof to the AVS contracts which creates a slashing request. This process takes a certain number of days to finalize on-chain, which we refer to as the Fraud Proof Window. Once the fraud proof is finalized, AVS governance deliberates locally for some time, called the Governance Window, to decide whether to forward or cancel the slashing request. We assume that whatever mechanism is used for governance is initiated the instant the fraud proof is finalized. Once a decision is made, governance submits a transaction to forward or cancel the slashing request. The amount of time it takes for this transaction to finalize on Ethereum is called the Slashing Request Window. Thus, the length of Slashability Window is:

\text{Slashability Window}= \text{Fraud Proof Window}+\text{Governance Window}+\text{Slashing Request Window}

Stake Guarantee Window

Properly parameterized, EigenLayer can guarantee a minimum amount of stake will be available to slash for any task that is completable within an AVS Sync Window. This period, set globally, is called the Stake Guarantee Window. To determine the length of this period we make assumptions about the lengths of the AVS Sync Window and Slashability Window:

\text{Stake Guarantee Window}= \text{AVS Sync Window}+\text{Slashability Window}

Therefore, for this guarantee to hold, an AVS must ensure that the sum of its Sync Window and Slashability Window is less than or equal to the globally defined Stake Guarantee Window.

Desired property

To guarantee an amount of slashable stake for a particular task, we need to make an additional assumption about withdrawals and deallocations. A magnitude deallocation and a withdrawal of delegated stake result in an arbitrary reduction of the Operator Set’s slashable stake. Therefore, the Stake Guarantee Window needs to be shorter than or equal to the time it takes for a staker’s withdrawal to be non-slashable and the amount of time it takes for a deallocation to take effect. Otherwise, an Operator or staker could evade slashing by deallocating or withdrawing, respectively, before the Stake Guarantee Window ends:

\text{Stake Guarantee Window} \le \min(\text{withdrawal delay}, \text{deallocation delay})

where withdrawal delay is the time between a withdrawal being queued by a staker and the corresponding stake no longer being subject to slashing and similarly for the deallocation delay. For simplicity, we will assume withdrawal and deallocation delays are the same and refer to both as the withdrawal delay. In our planned production implementation, these parameters are identical. Also, to note the obvious tradeoff, the longer our Stake Guarantee Window, the longer the withdrawal and deallocation delays need to be.

As mentioned here, the protocol allows only one allocation or deallocation at a time, and deposits to Operators are effective immediately. Therefore, the AVS needs to know the pending deallocation, if there is one, and withdrawals from an Operator that have been made between withdrawal delay days ago and today.

Thus, the minimum amount of slashable stake that EigenLayer can guarantee will be available for the time between when an AVS syncs and the end of the Stake Guarantee Window:

\text{stake}_{\text{guaranteed}}=(\text{stake}_{\text{now}}-\text{withdrawals}_{\text{pending}}) \times\frac{\text{magnitude}_{\text{now}}-\text{deallocation}_{\text{pending}}}{\text{total magnitude}_\text{now}}

where \text{withdrawals}_{\text{pending}} and \text{deallocation}_{\text{pending}} are the withdrawals and deallocation that can be completed within the Stake Guarantee Window. The total amount of slashable stake that can be guaranteed by EigenLayer is the sum of guaranteed stake across Operators for each strategy. However, this amount is guaranteed when the AVS syncs to EigenLayer. Between syncs, the amount of guaranteed stake is \text{stake}_{\text{guaranteed}} at the most recent sync minus the amount that it has slashed since.

Duration

Since we assume the AVS syncs once every 7 days, we need to determine an appropriate Slashability Window. We assume that no individual can be censored on Ethereum for more than 3.5 days, possibly discontiguous, within a 7 day period. Thus, we can assume 3.5 days for each Fraud Proof Window, Governance Window, and Slashing Request Window. This is assuming that once the Governance Window ends, governance instantly forwards the slashing request. This results in a Slashability Window of 10.5 days and a Stake Guarantee Window of 17.5 days. We assume the AVS does not consider any fraud proofs that are confirmed after the Fraud Proof Window.

This is how we came up with 17.5 days in our previous forum post on allocating slashable stake. Figure 1 demonstrates how this process would work for two tasks assigned during a particular AVS Sync Window. The first task is assigned immediately after the AVS syncs and a second task is completable immediately before the next AVS sync.

figure_12128×1286 216 KB

Alternatively, we can loosen our censorship assumption to be that no group can be censored for more than 3.5 days, possibly discontiguous, within a 7 day period. Also, we can assume that governance is a single centralized entity and can instantly decide whether or not to cancel or forward the slashing request. Thus, the Governance Window is equal to 0. Also, our new assumption guarantees that the Fraud Proof Window and Slashing Request Window take 3.5 days, collectively. The Stake Guarantee Window is then 10.5 days as shown in Figure 2.

figure_22098×1350 212 KB

Suggested duration

However, we propose a more reasonable set of assumptions that yields an additional beneficial property. We assumed that governance deliberates and forwards or cancels the slashing request. If governance is not the entity that submitted the fraud proof, then it requires two parties to submit a transaction: the fraud proof submitter and governance. However, let us assume that governance does not need to sign a transaction to forward the slashing request in the event of legitimate misbehavior. Once the governance period is over and it is decided that they will not cancel the slashing request, the fraud proof submitter can then forward the slashing request to EigenLayer. This only requires the weak assumption that no individual can be censored for more than 3.5 days, possibly discontiguous, within a 7 day period. Then, the Slashability Window would include 3.5 days for the fraud proof submitter to sign the fraud proof and forward the slashing request, collectively, plus the 3.5 days it takes for governance to decide to cancel the slashing request or not. Thus, the Slashability Window is 7 days, resulting in a Stake Guarantee Window of 14 days.

With a Slashability Window of 7 days, if there is a bug in the fraud proof allowing an attacker to generate a false positive, the attacker would try and get their fraud proof confirmed right before the end of the Fraud Proof Window in which case governance would need to instantly submit a transaction cancelling the slashing request which, given our censorship assumption, would take at most 3.5 days.

We suggest setting the Stake Guarantee Window, and thus the withdrawal and deallocation delays, equal to 14 days.

Other thoughts & future directions

There are several other issues and features to consider. For example, rate limiting withdrawals and allowing AVSs to set custom withdrawal delays. Also, at any point in time, there can be a difference in the guaranteed minimum amount of slashable stake and the actual amount of slashable stake, with the latter always being greater than or equal to the former by definition. So, if AVSs make decisions based on the guaranteed minimum amount then slashable stake is not being used efficiently. We also assumed that AVSs sync every 7 days, but they can sync more or less often than that.

Additionally, perhaps more intuitively, instead of referring to the window between syncs as the AVS Sync Window, we can just call that whole period the Task Completion Window. For example, reframing would result in the Stake Guarantee Window being the sum of the Task Completion Window and the Slashability Window.

Inquiry

We have outlined how we think about determining the Stake Guarantee Window and how it relates to other time parameters. We encourage feedback and alternative perspectives. For example: how long does the Slashability Window have to be for your specific use case? Or how do you plan on involving governance to cancel slashing? Any thoughts and discussion are encouraged!

Disclaimer

The Eigen Labs Research Team uses the Forum as a space to share research on the protocol, to preview elements and ideas that may or may not become part of upcoming releases, and to explore ways of using, analyzing, and thinking about the EigenLayer protocol and ecosystem. Unlike our blog posts and social media announcements, which focus on formal updates and decisions, the Forum will be more interactive and experimental, allowing us to exchange ideas and gather feedback from a wider group.

Can you clarify this point? The protocol currently does enforce only 1 delegation at a time to a single Operator. However it currently supports multiple withdrawals to be processed in parallel.

Of course! If I understand your question correctly.

At any point in time an Operator can only have a single allocation OR deallocation pending for a specific Strategy. When I refer to “withdrawals” here I’m talking about an action taken by a staker to remove a certain amount (or all) of stake that it has delegated to an Operator. For a single Strategy, a staker can have multiple withdrawals pending at a time.

Let me know if this answers your question

Yep, thanks for clarifying. I just wanted to make sure this didn’t imply the withdrawal logic would be altered for stakers.

Hey @bmpalatiello, thanks for sharing the team’s research regarding the withdrawal and deallocation delay recommendations for stakers and operators. We appreciate all the work.

After reviewing these recommendations, we have a couple of questions:

• On task assignment window: Can you clarify how broad task assignment is? It’s unclear to us that an AVS would want to be able to assign tasks once every 7 days. For example an oracle service could process multiple oracle updates within that 7-day period. Similarly, for a Solver network, if task assignment refers to “solve this task” instead of “solve this class of tasks” then 7 days is far too long.
• On slashing request window: Can you elaborate on why a request window of 3.5 days is required after governance approves the request? If the slashing action is irreversible after gov confirmation, there might be an opportunity to shorten this period.
• On finality period: The referenced doc for this 3.5-day duration points to a post on OP stack’s Fault Proof system. Given that Ethereum finality of 2 epochs or ~13min is significantly faster than finality on typical optimistic rollups (the original ref uses a 7-day bisection game model for its fault dispute game), can you explain the rationale for using the same 3.5 days as the finality benchmark?
• An alternative design worth exploring: instead of defining a global SGW parameter for all stake, let’s define the SGW for shared (non-unique) stake only, and let the AVS configure slashing window for their unique stake (i.e., define as part of the slashing rule of operator sets with unique stake)
  • With this customizable option, each service can define the length of stake guarantee that most suits their tasks. This is similar to the EpochDuration parameter for symbiotic vaults.

On task assignment window: Can you clarify how broad task assignment is? It’s unclear to us that an AVS would want to be able to assign tasks once every 7 days. For example an oracle service could process multiple oracle updates within that 7-day period. Similarly, for a Solver network, if task assignment refers to “solve this task” instead of “solve this class of tasks” then 7 days is far too long.

• Yes, there are certainly idiosyncrasies but to be clear an AVS can assign any number of tasks at any point in time during the AVS Sync Window. It’s just that to get the slashable stake guarantee from the information in the latest sync tasks must be completeable within that AVS Sync Window. The AVS can sync more frequently if it prefers but it doesn’t necessarily change the frequency of task assignment, slashable stake guarantees will just be based on more recent information. The AVS Sync Window (or Task Completion Window) isn’t a global parameter. We’re demonstrating a conservative AVS to determine the (at this point) globally enforced withdrawal/deallocation delays.

On slashing request window: Can you elaborate on why a request window of 3.5 days is required after governance approves the request? If the slashing action is irreversible after gov confirmation, there might be an opportunity to shorten this period.

• The assumption is that the slashing request needs to be forwarded (submit a transaction) to the core protocol by someone after governance confirms the slashing request. So our censorship assumptions apply to that transaction as well.

On finality period: The referenced doc for this 3.5-day duration points to a post on OP stack’s Fault Proof system. Given that Ethereum finality of 2 epochs or ~13min is significantly faster than finality on typical optimistic rollups (the original ref uses a 7-day bisection game model for its fault dispute game), can you explain the rationale for using the same 3.5 days as the finality benchmark?

• A simple and conservative explanation . Just as an Optimistic Rollup attempts to set the challenge period > amount of time an attacker can censor all challengers, determining the latter exactly is difficult.

An alternative design worth exploring: instead of defining a global SGW parameter for all stake, let’s define the SGW for shared (non-unique) stake only, and let the AVS configure slashing window for their unique stake (i.e., define as part of the slashing rule of operator sets with unique stake)

• The SGW isn’t “globally defined” by the protocol, as it’s not something the protocol explicitly knows about. But by drawing inferences from a conservative AVS we can set a global upper bound on the SGW via the withdrawal and deallocation delays which, at this point, are set globally in the protocol. So, an AVS can configure their own assumptions within this window. The lever would be for the AVS to set the withdrawal/deallocation window at the OperatorSet level which we are actively discussing.

Thank you for the prompt response and insights.

We look forward to seeing more releases on OperatorSet parameters as we believe customizability is key to onboarding AVS use cases and thus increasing stake utilization.