Cryptoeconomics Series P2: Validator Auction Theory
With Simon Harman
Welcome back dear reader to the second edition of the Chainflip Cryptoeconomics series. Every part in this series is paired with its own topic in the new Chainflip Governance Forum. If after reading this you have comments, questions, or things to add, head on over and join the discussion.
To avoid writing a 2.3 million page long article (trust me nobody wants that), I’ve had to break down the discussion of Chainflip’s cryptoeconomics into multiple, limited pieces. I’ll try to avoid jumping between topics, but given the tightly coupled nature of the Chainflip project as a whole, we may have to brush over certain related topics and get back to them in another part. Let’s get back into it!
Part 2: Validator Auction Theory (you’re here!)
Part 3: Swapping Logic (doesn’t exist yet!)
Part 4: Liquidity Incentive Structure (doesn’t exist yet!)
Part 5: Economic Security (doesn’t exist yet!)
P2: Validator Auction Theory
Earlier on, we released a quick explainer around Validator Auctions. That article gives a pretty good overview of the basics, but today I wanted to get stuck into the theory behind the design and explore what we think the outcomes will be and what we’re trying to optimise for.
What the Validators Do and Why It’s Important
The Validator network makes up the key infrastructure of Chainflip. Validators regulate: all deposits; all outgoing transactions; all of the swapping logic; all of the witnessing logic; all of the staking; all of the emissions and rewards; and all of the network upgrades.
That’s a lot of responsibility. Economic security is paramount in Chainflip, as the vaults depend on an honest superminority of Validators to remain secure. The greater the number of Validators, the safer the system is from collusion.
Why Not Have One Million Nodes?
On the flipside, more Validators means worse scaling. MPC and threshold signature schemes get progressively worse with every signatory that gets added. A 1000 node signing set compared to a 100 node signing set is more than an order of magnitude slower when producing signatures. With Taproot going through on Bitcoin, we can eliminate support for GG20, which greatly improves scaling possibilities, and therefore the potential node count and networks that can be supported. However, there are still limitations that must be considered.
Like all other decentralised projects, a tradeoff must be made between decentralisation and scalability. Chainflip’s Validator count at launch will be 150. This may increase over time with improvements to threshold schemes, but in the meantime, we’re presented with a challenging economics question to answer: how should these Validator slots be allocated in a permissionless system?
Allocating Validator Slots
There’s a range of ways that protocols allocate positions of relative authority in consensus networks. DPoS, PoA, Eth2.0 style PoS, and unlimited node counts with fixed staking requirements are just a handful of examples. With the exception of the few collusion-prone blockchains that have a tiny Validator set for hypercharged mega-totally-safe-and-scalable blockchains of the future, most permissionless networks don’t have a cap on the number of Validators allowed on the network. Chainflip does, which places some constraints on the allocation system, and means we have to think a little outside the box to come up with a workable plan.
The goals of the allocation system are as follows:
- Maximise the collateral locked in Validator nodes
- Encourage a relatively even distribution of collateral across the Validator network
- Minimise active involvement in the auction process for adequately collateralised nodes (reduce the mental bandwidth required to run a node)
- Encourage a stable Validator set without excluding new entrants
- Minimise gas costs associated with participating in the process
To achieve this set of goals, we’ve designed a minimally-interactive system to allow market dynamics to handle much of the process of allocating slots. It’s been partly inspired by the winners of the 2020 Nobel Prize in Economics, Robert Wilson and Paul Milgrom, who through their studies in auction theory designed a system for equitably selling off a set of partially-fungible slots in a finite set called SMR (Simultaneous Multi-Round) Auctions. The most prominent example of this was when the FCC sold off broadcasting frequencies in the US to great effect using this system. Here’s a sweet video from Economics Explained about it and also some broader concepts on Auction Theory.
Chainflip’s auction process shares some concepts with SMR auctions but does have notable differences. Perhaps a better name for this style of auction could be a Simultaneous Single-Round Open Dutch (SSOD) Auction, as while participants are only participating in a single continuous round, they are incentivised to openly place the maximum bid they can as there is no downside risk to paying too much. Here are the rules for the auction process:
- Only the top 150 bidding nodes will be included in the next superset
- The auction starts 14 days before the end of the auction cycle
- Any amount that is staked at the start of the auction will be automatically counted as a bid and remains locked for the duration of the auction (this includes existing Validators and any rewards they earned before the auction started)
- New bids that are placed either top up existing bids or start new Validators. Once they are placed, they remain locked until the end of the auction. Additional bids can be placed at any time during the auction.
- When the auction ends, the top 150 bidders are included in the next superset. When sorted by size in descending order, the value of the 150th bid (called the Minimum Active Bid) defines the number of tokens that will remain locked for each Validator during this Epoch.
- If, during the key generation ceremony for this new superset, there are 1 or more nodes that fail to participate, the next highest bidders will be included in the superset until either all slots fill or a threshold of failures is reached. In this case, the number of Validators will be below the 150 target for this superset. If either of these cases happen, the Minimum Active Bid is still valued at the number of tokens staked by the lowest successful bidder — even if that lowest bidder was dropped in the key creation ceremony.
- After the auction is over, all failed bidders may withdraw their stakes. All active Validators may also withdraw any amount of tokens from their stake, so long as they still have no less than the Minimum Active Bid worth of tokens staked.
This system is interesting because it avoids expensive on-chain last minute bidding wars with all participants trying to stake the minimum possible whilst winning slots. In this SSOD Auction system, each Validator should just bid the absolute maximum they can because at the end of the auction, they always have the option of withdrawing whatever they didn’t need. It’s only the bottom set of Validators that may need to quickly top up their bids in order to protect their existing slots.
What This Looks Like In Practice
To illustrate how it works, let’s look at a hypothetical Validator set of just 10 nodes:
Round 1 results:
- Slot 1: Validator A 140k
- Slot 2: Validator B 138k
- Slot 3: Validator C 122k
- Slot 4: Validator D 121k
- Slot 5: Validator E 120k
- Slot 6: Validator F 120k
- Slot 7: Validator G 110k
- Slot 8: Validator H 105k
- Slot 9: Validator I 100k
- Slot 10: Validator J 98k
- Failed bidder: Validator K 90k
- Failed bidder: Validator L 80k
- Failed bidder: Validator M 20k
We have a system where all nodes are paid the same rewards irrespective of the size of their stake. So long as they have a Validator slot, the Validator gains no extra reward for staking more. However, that doesn’t mean there are no advantages: Validators that have a higher stake are much less likely to be outbid in the next auction cycle. Let’s explore that by looking at a following auction cycle (keeping in mind that Validators will have returns from this cycle that mean their stake is now higher if they didn’t unlock any):
Round 2 results (rewards added for Validators A-J):
- Slot 1: Validator A 144k
- Slot 2: Validator B 142k
- Slot 3: Validator C 126k
- Slot 4: Validator D 125k
- Slot 5: Validator E 124k
- Slot 6: Validator F 124k
- Slot 7: Validator G 114k
- Slot 8: Validator K 110k (20k Bid added)
- Slot 9: Validator H 109k
- Slot 10: Validator I 104k
- Failed bidder: Validator J 102k
- Failed bidder: Validator L 80k
- Failed bidder: Validator M 20k
In this example, we see in the second auction round that during the last Validator epoch, the active Validators earned 4k FLIP each. However, Validator K added another 20k to their bid, jumping up to Slot 8 and knocking out Validator J who didn’t top up their bid. Through the process, the Minimum Active Bid has risen from 98k FLIP to 104k FLIP with just a single new bid and a single node slot being cycled.
This achieves a range of the stated goals:
- Maximise the collateral locked in Validator nodes — by automatically including the rewards of Validators into the next auction cycle, there is a natural tendency for Validators who do not unstake rewards to drive up the Minimum Active Bid each cycle.
- Encourage a relatively even distribution of collateral across the Validator network — Because all Validators earn the same amount, there is no inherent incentive to stake heaps into a single Validator. Validators at the very top of the ladder may have enough to unstake what they don’t need and use it to bid for a second slot, which levels out the average distribution of bids.
- Minimise active involvement in the auction process for adequately collateralised nodes (reduce the mental bandwidth required to run a node) — Most Validators won’t even have to pay attention to the process if they do not withdraw their rewards. Most Validators will not need to execute more than one on-chain staking transaction. This includes prospective bidders who should also stake whatever amount they can afford straight away.
- Encourage a stable Validator set without excluding new entrants — The system, while permissionless, does favour those that haven’t been previously slashed and keep their rewards staked. This helps foster a stable and secure network that makes it challenging for malicious actors to try and outbid large chunks of the slots, whilst still remaining competitive on the lower end of the Validator set.
- Minimise gas costs associated with participating in the process — Most Validators will not need to execute more than one on-chain staking transaction. This includes prospective bidders who should also stake whatever amount they can afford straight away.
What Happens If I’m Unsuccessful?
One of the downsides with this auction design is that it leaves would-be Validators with insufficient capital empty handed after each auction cycle. This is bad, as these prospective Validators are earning no rewards and thus have no incentive to maintain the Validator node they have spent time and energy setting up. The same goes for Validators which have been outbid. This means they’ll be less likely to stick around and bid again in the next auction, as they still have to pay for and maintain their infrastructure in the meantime.
Further to this, because an Emergency Rotation is always possible (if enough of the network goes offline during an Epoch), our design should make sure that there are always some extra nodes on standby ready to fill slots which are freed up by an emergency rotation scenario.
Thus, we need an incentive for these so-called ‘Backup Validators.’ By defining a set of nodes which are not actively included in the Validator set, but are given a small reward for being around and staying alive, we ensure that getting outbid or failing to bid enough to join the set could still be a profitable exercise for these operators. It also ensures that there’s always a set of online nodes monitoring the state chain and ready to participate.
Instead of paying an equal reward to the Backup Validators, a fixed reward would be distributed proportionally to Backup Validators based on their stake size. This is because we want to incentivise these Backup Validators to have the highest amount they can in case of an Emergency Rotation, in which the highest bidding backup nodes would be included first, and also to incentivise the nodes to hold onto their stakes and await the next auction.
For Backup Validators, we also allow bids to be placed outside of the normal auction cycle, and immediately reflect increased bids for Backup Validators in the rewards they are paid. This provides a direct and immediate incentive to stake as much as possible as soon as possible, both increasing total bidding and increasing the likelihood that these more active and collateralised nodes will be included in the next set.
The rules for Backup Validators are as follows:
- A fixed reward of FLIP (much less than the Active Set reward) is allocated to the Backup Validators at a regular interval.
- There is no limit on the number of Backup Validator slots. So long as a Backup Validator remains alive and staked, rewards will be paid to it based on their stake, proportional to their share of staked FLIP in the total number of FLIP staked in Backup Validators (It should be noted that Backup Validators will never earn more than Active Validators).
- A Backup Validator will not earn rewards if it does not remain alive. Backup Validators can come back online at any time and resume earning rewards.
- Backup Validators can unstake themselves at any time outside of the regular auction window just like Active Validators. However, once the next auction begins, they must wait until the end of the auction to unstake, as their stake (including unclaimed rewards) will be automatically treated as a bid.
- In an Emergency Rotation, only the top 30% of Backup Validators will be included in the Emergency Set. This is to prevent mass deregistration events allowing large numbers of low-collateral nodes to form a superminority (yes, that’s a word!) in the network in the vast majority of cases.
Going back to our example, with the Backup Validator system in place, our third round might look something like this:
Round 3 results (Rewards added for all Validators):
- Slot 1: Validator A 148k
- Slot 2: Validator B 146k
- Slot 3: Validator C 130k
- Slot 4: Validator D 129k
- Slot 5: Validator E 128k
- Slot 6: Validator F 128k
- Slot 7: Validator G 118k
- Slot 8: Validator K 114k
- Slot 9: Validator H 113k
- Slot 10: Validator I 108k
- Backup Validator: Validator J 104k
- Backup Validator: Validator L 83k
- Backup Validator: Validator M 20.5k
As you can see, Validator J is earning enough rewards to stay closer to the Minimum Active Bid even if nothing else changes. If one of the Active Nodes were to unstake or be deregistered, the Minimum Active Bid would still be 104k, even if no new bids are placed at all.
Validator M on the other hand isn’t likely to be included in an Emergency Rotation, and they are also only earning negligible rewards compared to Validators J and L, who are much closer to the Minimum Active Bid. Validator M needs to bid more in order to remain competitive and see any real upside from participation.
The design addition of rewards for Backup Validators solves for the remaining problems with Chainflip’s SSOD Auctions, better addressing the key goals of the design and ensuring a more stable and redundant network composition, whilst encouraging competition even amongst participants bidding below the Minimum Active Bid threshold.
How We Expect the Rollout to Play Out
What I’ve tried to describe in this post is the general theory behind Chainflip’s auction system. How it pans out in practice will be very hard to accurately model, with not all constants having been defined yet, and no way to predict the initial composition of the Validator set. However, based on simple supply and demand, the rewards that will be paid out for each Validator slot will be predictable; it is one of the few defined constants in Chainflip’s economic system, and can be used to easily model expected rates of return given a given Validator stake.
I think, loosely speaking, this is what will happen:
- The initial auction cycle will be bidding for defined rewards (6% of total supply per annum) with undefined competition (no minimum stake). It may be that not all slots fill immediately, which means greater rewards for the first validator set, incentivising more to come on board. If the first 100 Validators are all making 200% APYs, that’s a huge signal to jump in and become a Validator.
- The Sandstorm release has shorter, 7-day auction cycles, meaning more frequent bidding opportunities, and thus more opportunities to win slots.
- The total FLIP staked in validators should dramatically increase over the first few auction cycles until an equilibrium is reached. It’s impossible to know exactly where this equilibrium will be. Each network is different and node operators expect different rewards for participation based on the perceived future value of the staked token. This will affect how much FLIP gets locked up in Validators — our stated goal being as much as possible. For Chainflip I think a 20% APY is a very safe estimate for the equilibrium, but 6% APYs wouldn’t be out of the question either down the road. If it’s somewhere in the range of 10–20% during Sandstorm, we’d see a lockup ratio anywhere between ~30% and ~50% of FLIP’s supply.
- When the Ibiza update rolls out, we also expect to increase validator rewards. We want to increase the incentive to bid and thus the network’s overall collateralisation in preparation for swaps and liquidity provision to go live.
Chainflip’s SSOD Auction system should produce a range of positive behaviour from Validators, with the effect of furthering the defined goals of the network. It provides a simple and effective framework for Validators to maintain long term positions within the network, whilst also naturally encouraging the reinvestment of rewards back into the Validator slots. It is fair and predictable to new entrants who, after the first few auction cycles, should be able to accurately estimate their performance in auction rounds before they start.
Coupled with additional rewards, the SSOD auction creates incentives for Backup Validators to remain active. This will help keep the minimum bid higher when other Validators drop out (or in the case of an Emergency Rotation), making for more sustainable collateralisation of the network.
Higher collateral means higher liquidity security. In turn, this maximises the number of assets that Chainflip can support and allows for better pricing for users. Better prices should mean more volume, and more volume means more destroyed FLIP. Destroying FLIP should serve to increase the overall collateralisation of the network. You can hopefully see that this has the potential to form a strong positive feedback loop.
I haven’t actually decided what’s next in this series. I’ve enjoyed writing it so far and hope you’ve enjoyed reading it too. If you have any questions, thoughts or comments, or ideas for the next instalments of this series, head on over to the Chainflip Governance Forum!