dig-slashing 0.1.0

Validator slashing, attestation participation, inactivity accounting, and fraud-proof appeals for the DIG Network L2 blockchain.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293

//! Pending-slash book + lifecycle-state types.
//!
//! Traces to: [SPEC.md §3.8 + §7.1](../docs/resources/SPEC.md),
//! catalogue rows
//! [DSL-024](../docs/requirements/domains/lifecycle/specs/DSL-024.md),
//! [DSL-146](../docs/requirements/domains/lifecycle/specs/DSL-146.md),
//! [DSL-147](../docs/requirements/domains/lifecycle/specs/DSL-147.md),
//! [DSL-161](../docs/requirements/domains/).
//!
//! # Role
//!
//! Optimistic slashing is reversible during the 8-epoch appeal window
//! (`SLASH_APPEAL_WINDOW_EPOCHS`). The manager holds one
//! `PendingSlash` per admitted evidence until it transitions to
//! `Finalised` (DSL-029) or `Reverted` (DSL-070). The
//! [`PendingSlashBook`] provides the keyed storage + a secondary
//! by-window-expiry index for efficient `expired_by` scans at
//! finalisation.

use std::collections::{BTreeMap, HashMap};

use dig_protocol::Bytes32;
use serde::{Deserialize, Serialize};

use crate::error::SlashingError;
use crate::evidence::envelope::SlashingEvidence;
use crate::evidence::verify::VerifiedEvidence;
use crate::manager::PerValidatorSlash;

/// Lifecycle status of an admitted slash.
///
/// Traces to [SPEC §3.8](../../docs/resources/SPEC.md). State machine:
///
/// ```text
///   Accepted ──(first appeal)──►  ChallengeOpen
///      │                              │
///      ├──(window expires, no sustained appeal)──► Finalised
///      │                              │
///      └────────(sustained appeal)────► Reverted
/// ```
///
/// `Accepted` is the starting state on admission (DSL-024).
/// `ChallengeOpen` tracks appeal attempts (DSL-072). `Finalised`
/// locks the slash in (DSL-029..032). `Reverted` undoes it
/// (DSL-064..067).
#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq, Hash)]
pub enum PendingSlashStatus {
    /// No appeals filed yet. Transitions to `ChallengeOpen` on first
    /// appeal, `Finalised` on window expiry.
    Accepted,
    /// At least one appeal has been filed; the window may still be
    /// open and further appeals may arrive up to
    /// `MAX_APPEAL_ATTEMPTS_PER_SLASH`.
    ChallengeOpen {
        /// Epoch the FIRST appeal was filed.
        first_appeal_filed_epoch: u64,
        /// Number of appeals filed so far.
        appeal_count: u8,
    },
    /// Sustained appeal — slash was rolled back via `credit_stake`
    /// (DSL-064). Terminal.
    Reverted {
        /// Hash of the winning appeal.
        winning_appeal_hash: Bytes32,
        /// Epoch the reversal was applied.
        reverted_at_epoch: u64,
    },
    /// No sustained appeal within the window. Correlation penalty
    /// applied, exit lock scheduled. Terminal.
    Finalised {
        /// Epoch the finalisation ran.
        finalised_at_epoch: u64,
    },
}

/// Adjudication outcome for an individual appeal attempt.
///
/// Traces to [SPEC §3.8](../../docs/resources/SPEC.md).
#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq, Hash)]
pub enum AppealOutcome {
    /// Appeal sustained → slash reverted. DSL-064..070.
    Won,
    /// Appeal rejected → slash persists. `reason_hash` summarises the
    /// adjudicator's decision for downstream analytics / audit.
    Lost {
        /// Hash of the adjudication reason bytes.
        reason_hash: Bytes32,
    },
    /// Appeal filed but adjudication not yet run (manager sees it in
    /// this state only within a single run_epoch_boundary transaction).
    Pending,
}

/// One appeal attempt attached to a `PendingSlash`.
///
/// Traces to [SPEC §3.8](../../docs/resources/SPEC.md).
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
pub struct AppealAttempt {
    /// Hash of the appeal envelope (SPEC §3.7).
    pub appeal_hash: Bytes32,
    /// Validator index of the appellant.
    pub appellant_index: u32,
    /// Epoch the appeal was filed.
    pub filed_epoch: u64,
    /// Adjudication outcome.
    pub outcome: AppealOutcome,
    /// Appellant bond mojos locked for this attempt.
    pub bond_mojos: u64,
}

/// A slash record held in the pending book during its appeal window.
///
/// Traces to [SPEC §3.8](../../docs/resources/SPEC.md). One
/// `PendingSlash` per admitted evidence hash; key uniquity enforced
/// by the manager's `processed` map (DSL-026).
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
pub struct PendingSlash {
    /// Content-addressed identity of the evidence envelope —
    /// matches `evidence.hash()`. Serves as the book's primary key.
    pub evidence_hash: Bytes32,
    /// Full evidence envelope. Retained so appeal adjudication
    /// (DSL-064..067) has the raw bytes without a separate store.
    pub evidence: SlashingEvidence,
    /// Verifier output captured at admission. Replaying
    /// `verify_evidence` is unnecessary.
    pub verified: VerifiedEvidence,
    /// Current lifecycle state.
    pub status: PendingSlashStatus,
    /// Epoch `submit_evidence` admitted the record — `self.current_epoch`
    /// at insertion.
    pub submitted_at_epoch: u64,
    /// Epoch after which the slash finalises if no sustained appeal
    /// arrives. Equals `submitted_at_epoch + SLASH_APPEAL_WINDOW_EPOCHS`
    /// (DSL-024).
    pub window_expires_at_epoch: u64,
    /// Per-validator debits applied at admission (DSL-022). Each
    /// entry is reversible on a sustained appeal (DSL-064 credits
    /// `base_slash_amount` back).
    pub base_slash_per_validator: Vec<PerValidatorSlash>,
    /// Reporter bond escrowed at admission (DSL-023). Returned on
    /// finalisation (DSL-031) or forfeited on sustained appeal (DSL-068).
    pub reporter_bond_mojos: u64,
    /// Appeals filed so far. Empty on admission.
    pub appeal_history: Vec<AppealAttempt>,
}

/// Keyed book of admitted pending slashes.
///
/// Traces to [SPEC §7.1](../../docs/resources/SPEC.md). Two-layer
/// index:
///
///   - `pending: HashMap<Bytes32, PendingSlash>` — primary keyed by
///     evidence hash.
///   - `by_window_expiry: BTreeMap<u64, Vec<Bytes32>>` — secondary,
///     drives the `expired_by(epoch)` scan at finalisation (DSL-029).
///
/// Capacity-bounded at `MAX_PENDING_SLASHES` (4_096); insert at
/// capacity returns `SlashingError::PendingBookFull` (DSL-027).
#[derive(Debug, Clone, Default)]
pub struct PendingSlashBook {
    pending: HashMap<Bytes32, PendingSlash>,
    by_window_expiry: BTreeMap<u64, Vec<Bytes32>>,
    capacity: usize,
}

impl PendingSlashBook {
    /// New book with the given capacity.
    ///
    /// Traces to [DSL-146](../../docs/requirements/domains/lifecycle/specs/DSL-146.md).
    /// Capacity of `0` is legal and produces a book that rejects
    /// every insert — useful for property tests of the full-book
    /// rejection branch.
    #[must_use]
    pub fn new(capacity: usize) -> Self {
        Self {
            pending: HashMap::with_capacity(capacity.min(1_024)),
            by_window_expiry: BTreeMap::new(),
            capacity,
        }
    }

    /// Insert a new pending slash.
    ///
    /// Returns `Err(PendingBookFull)` at capacity (DSL-027). Does NOT
    /// check for duplicate keys — caller (the manager) must consult
    /// `processed` first (DSL-026).
    pub fn insert(&mut self, record: PendingSlash) -> Result<(), SlashingError> {
        if self.pending.len() >= self.capacity {
            return Err(SlashingError::PendingBookFull);
        }
        let hash = record.evidence_hash;
        let expiry = record.window_expires_at_epoch;
        self.pending.insert(hash, record);
        self.by_window_expiry.entry(expiry).or_default().push(hash);
        Ok(())
    }

    /// Immutable lookup by evidence hash.
    #[must_use]
    pub fn get(&self, hash: &Bytes32) -> Option<&PendingSlash> {
        self.pending.get(hash)
    }

    /// Mutable lookup — used by DSL-034..073 appeal code to update
    /// `status` + `appeal_history` in place.
    pub fn get_mut(&mut self, hash: &Bytes32) -> Option<&mut PendingSlash> {
        self.pending.get_mut(hash)
    }

    /// Remove by evidence hash. Returns the record and cleans up the
    /// secondary index.
    pub fn remove(&mut self, hash: &Bytes32) -> Option<PendingSlash> {
        let record = self.pending.remove(hash)?;
        if let Some(vec) = self
            .by_window_expiry
            .get_mut(&record.window_expires_at_epoch)
        {
            vec.retain(|h| h != hash);
            if vec.is_empty() {
                self.by_window_expiry
                    .remove(&record.window_expires_at_epoch);
            }
        }
        Some(record)
    }

    /// Hashes of every pending slash whose `submitted_at_epoch` is
    /// STRICTLY greater than `new_tip_epoch`. Used by DSL-129
    /// `SlashingManager::rewind_on_reorg` to enumerate the slashes
    /// that need to be rewound when the fork-choice tip moves
    /// backwards.
    ///
    /// Returns a `Vec<Bytes32>` rather than an iterator because
    /// the caller (`rewind_on_reorg`) then mutates `self.remove`
    /// on each entry, which would conflict with a live borrow.
    #[must_use]
    pub fn submitted_after(&self, new_tip_epoch: u64) -> Vec<Bytes32> {
        self.pending
            .values()
            .filter(|p| p.submitted_at_epoch > new_tip_epoch)
            .map(|p| p.evidence_hash)
            .collect()
    }

    /// Current record count.
    #[must_use]
    pub fn len(&self) -> usize {
        self.pending.len()
    }

    /// `true` iff no records are held.
    #[must_use]
    pub fn is_empty(&self) -> bool {
        self.pending.is_empty()
    }

    /// Book capacity.
    #[must_use]
    pub fn capacity(&self) -> usize {
        self.capacity
    }

    /// Evidence hashes with `window_expires_at_epoch < current_epoch`.
    ///
    /// Implements
    /// [DSL-147](../../docs/requirements/domains/lifecycle/specs/DSL-147.md).
    /// Drives the finalisation sweep at epoch boundary (DSL-029).
    /// Order is ascending by window_expiry — earliest-expiring first.
    #[must_use]
    pub fn expired_by(&self, current_epoch: u64) -> Vec<Bytes32> {
        // Range `..current_epoch` is strict less-than → boundary
        // case (`window_expires == current`) is EXCLUDED per
        // DSL-147. BTreeMap range is ascending-ordered by key,
        // giving deterministic output without an explicit sort.
        //
        // Filter Accepted + ChallengeOpen only — Reverted /
        // Finalised terminal statuses stay in the book for
        // audit trails but must not be re-surfaced to
        // finalise_expired_slashes (DSL-029).
        self.by_window_expiry
            .range(..current_epoch)
            .flat_map(|(_, hashes)| hashes.iter())
            .filter(|hash| {
                matches!(
                    self.pending.get(hash).map(|p| &p.status),
                    Some(PendingSlashStatus::Accepted)
                        | Some(PendingSlashStatus::ChallengeOpen { .. }),
                )
            })
            .copied()
            .collect()
    }
}