Casper &

Smart Contract Consensus

1.

Hybrid Casper Overview

Running PoW and PoS at the same time with

Casper The Friendly Finality Gadget

Casper Validator 1,000 foot overview

• Users deposit an amount of ETH to become a validator
• Validators vote on the canonical chain, weighted by their deposit
• Validators can withdraw deposits after a quiet period where they don’t validate
• Validators make money for converging and building a single blockchain
• Validators lose money for not converging, or forming two blockchains

Casper + PoW

Casper’s rollout will be incremental, and not immediately replace proof of work

• PoS rewards slowly scaled up over time
• PoW rewards slowly scaled down over time
• Reduces complexity
• Boil your frogs ;)

1. a.

Finality

What is finality?

Why doesn’t proof of work have it?

Finality guarantees that history will never be changed.

Why do we want finality?

Fun finality fact:

• Assurances that if I am paid, that record will not be erased
• Reduced uncertainty for coordination

​

​

• Proof of work provides no economic finality guarantees

​

Real world finality

• UASF is a great example which demonstrates finality’s importance
• If the user fork grows long enough, it could revert all transactions/blocks on the miner fork

​

Before

Miner

User

After

Reverted

chain

User & miner

Head

Head

• b.

Checkpointing PoW

How we get finality in PoW by checkpointing with PoS

Hybrid Architecture Overview

• The first rollout of Casper will *not* remove PoW
• Instead it will provide finality “checkpoints” to specific blocks
• A checkpoint is applied every 100 PoW blocks, called an epoch
• A checkpoint cannot be reverted without at least ⅓ of validator’s deposits being slashed
• These are Casper’s “safety” guarantees

Casper’s checkpointing

…98 blocks later ...

…98 blocks later ...

…98 blocks later ...

Validators

Miners

One

Epoch

Some fun attacks

• What if miners censor all validator transactions?
• Validators can collude to validate a chain with much less PoW that “honest” miners validate
• What if validators collude with miners and censor a subset of validator transactions?
• We will examine this later when we get into slashing conditions and censorship resistance

​

Validators are in charge.

• c.

Casper Messages

The two messages required for Casper validators to come to consensus: Prepare & Commit

PREPARE

Casper’s checkpointing

…98 blocks later ...

…98 blocks later ...

…98 blocks later ...

[“PREPARE”, 2, 0xaa…68a41, 1]

0xaa…68a41

0xbe…728cc

0x…..

0x…..

0x…..

0x…..

0x…..

0x…..

PREPARE

Casper’s checkpointing

…98 blocks later ...

…98 blocks later ...

…98 blocks later ...

[“PREPARE”, 3, 0xbe...728cc, 1]

0xaa…68a41

0x…..

0xbe…728cc

0x…..

0x…..

0x…..

0x…..

0x…..

Prepares can reference any previous epoch

COMMIT

Casper’s checkpointing

…98 blocks later ...

…98 blocks later ...

…98 blocks later ...

[“COMMIT”, 2, 0xaa…68a41]

0xaa…68a41

0xbe…728cc

0x…..

0x…..

0x…..

0x…..

0x…..

0x…..

⅔ COMMITs on a single [epoch, HASH] means a checkpoint has been

finalized

• d.

Providing Safety with Slashing Conditions

How we punish validators that validate our finality guarantees

Economic Finality means that for finality to be violated, at least ⅓ of the validators funds will be slashed (aka destroyed)

“

Four Slashing Conditions

• Prepare REQ
• Commit REQ
• Prepare Commit Consistency
• No Double Prepare

​

We will go over each of these individually.

​

For more information see: https://medium.com/@VitalikButerin/minimal-slashing-conditions-20f0b500fc6c

Prepare REQ

The epoch_source of each prepare must itself have at least ⅔ prepares

NOTE: Each box in this diagram is an EPOCH not a block

⅘ prepares

Valid prepare

Valid prepare

⅓ prepares

Invalid prepare

Invalid prepare

Commit REQ

The HASH of each commit must have received at least ⅔ prepares

NOTE: Each box in this diagram is an EPOCH not a block

⅘ prepares

Valid commit

⅓ prepares

Invalid commit

Prepare Commit Consistency

You must never submit a prepare such that:

prepare_epoch_source < commit_epoch < prepare_epoch

NOTE: Each box in this diagram is an EPOCH not a block

My last commit

My Invalid prepare

epoch source

epoch

No Double Prepare

You must never submit two prepares for the same epoch

NOTE: Each box in this diagram is an EPOCH not a block

My second prepare for epoch X will get me slashed

My first prepare for epoch X is OK

​

• d.

Providing Availability: Negative Interest

How can we punish validators for not finalizing blocks

Overview of Availability concerns

• If checkpoints do not finalize, validators should be punished
• Finalizing every 20 minutes vs finalizing every day seriously harms usability
• Validators should be paid in proportion to the utility they are providing to the blockchain
• The protocol cannot differentiate between being offline and being censored

Cases in which we need to penalize

These

• When the network doesn’t finalize, everyone is punished
• We can’t tell the difference between censorship & being offline. This is why we have to punish validators who both Prepare & Commit in the < ⅔ commits case

Summary

• Users join and stake their ETH
• Validators which break safety get slashed
• Validators which prevent availability lose money
• Proof of work will be slowly phased out
• Validators make money if they form a single, unalterable blockchain!

• e.

Validator Rotation

How the validator set can change over time

1,000 foot overview for dynamic validator sets

• Each validator set is called a ‘dynasty’
• Validators change when there are 2 finalized epochs is a row

• f.

Putting it together with a fork choice rule

How clients and validators decide which chain is the “the longest”

Fork Choice

1. Iterate over all dynasties to find the most recent validator set
2. Iterate over all epochs looking for ones with more commits (deposit size of validators who committed)
3. Proof of work

Most recent dynasty change

30% commits

35% commits

50% commits

10% commits

5% commits

HEAD

PoW for

subsequent

blocks till

next epoch

Success!

That’s Casper!

So how does this thing work when it’s all

inside a smart contract?

“

2.

Consensus in a Smart Contract

How you can use a smart contract in order to provide consensus

Important Concepts

• Smart contract computes payouts
• Smart contract records finalized hashes

​

• Validator decides which fork to build on
• Validators send normal Ethereum transactions

How to visualize yourself as a consensus forming contract

In each block, the Casper smart contract can only see its particular history

How to visualize yourself as a consensus forming contract

How to visualize yourself as a consensus forming contract

How to visualize yourself as a consensus forming contract

How to visualize yourself as a consensus forming contract

How to visualize yourself as a consensus forming contract

How to visualize yourself as a validator choosing a fork

Smart contract, how many commits do you have?

30% commits

How to visualize yourself as a validator choosing a fork

Smart contract, how many commits do you have?

30% commits

40% commits

How to visualize yourself as a validator choosing a fork

Smart contract, how many commits do you have?

75%!

I’m finalized!

And so on, and so on...

That’s

Casper

The Friendly

Finality Gadget

This is just the tip of the iceberg when it comes to consensus in smart contracts….

Build your own!

Yay! Fun!

Thanks!

Questions?