Struct SlashingProtection 

pub struct SlashingProtection { /* private fields */ }

Per-validator local slashing-protection state.

Implements DSL-094 (+ DSL-095/096/097 in later commits). Traces to SPEC §14.

Fields

• last_proposed_slot — largest slot the validator has proposed at. check_proposal_slot requires a strictly greater slot before signing a new proposal.

Future DSLs add last_source_epoch, last_target_epoch, attested_hash_by_target and similar fields as their guards come online.

Default

Default::default() → last_proposed_slot = 0. Any slot > 0 passes check_proposal_slot on a fresh instance.

Implementations

impl SlashingProtection

pub fn new() -> Self

Construct with last_proposed_slot = 0.

pub fn last_proposed_slot(&self) -> u64

Last slot at which the validator proposed. Used for introspection + persistence round-trips.

pub fn check_proposal_slot(&self, slot: u64) -> bool

true iff the caller MAY sign a new proposal at slot.

Implements DSL-094.

Predicate

slot > self.last_proposed_slot — strict greater-than so the same slot cannot be signed twice (that would be the canonical proposer-equivocation offense).

Fresh validators have last_proposed_slot = 0, so any slot > 0 is safe to sign.

pub fn record_proposal(&mut self, slot: u64)

Record a successful proposal at slot. Subsequent check_proposal_slot(s) calls with s <= slot will return false.

Implements DSL-094. Persistence semantics land in DSL-097.

pub fn last_attested_source_epoch(&self) -> u64

source.epoch of the last recorded attestation.

pub fn last_attested_target_epoch(&self) -> u64

target.epoch of the last recorded attestation.

pub fn last_attested_block_hash(&self) -> Option<&str>

Lowercase 0x-prefixed hex of the last recorded attestation’s block hash. None when no attestation has been recorded.

pub fn check_attestation( &self, source_epoch: u64, target_epoch: u64, block_hash: &Bytes32, ) -> bool

true iff the caller MAY sign an attestation at (source_epoch, target_epoch, block_hash).

Implements DSL-095 (same-(src, tgt) different-hash self-check). DSL-096 (surround-vote self-check) extends this method in a later commit.

DSL-095 rule

When the candidate FFG coordinates match the stored last-attested pair EXACTLY, the attestation is allowed only if the candidate block hash matches the stored hash (case-insensitive hex compare). This is the “re-sign the same vote” carve-out — a validator restarting mid-epoch may re-emit its own attestation, but may NOT switch to a different block at the same source/target pair (that would be an AttesterDoubleVote, DSL-014).

If no prior attestation is stored (last_attested_* = 0, None), the check falls through to the surround guard (DSL-096 — currently a no-op stub) and returns true.

pub fn record_attestation( &mut self, source_epoch: u64, target_epoch: u64, block_hash: &Bytes32, )

Record a successful attestation. Updates last_attested_source_epoch, last_attested_target_epoch and last_attested_block_hash.

Implements the DSL-095/096 persistence primitive. DSL-097 pins the full contract (including the proposer-side record_proposal companion).

pub fn rewind_proposal_to_slot(&mut self, new_tip_slot: u64)

Rewind the proposal watermark on fork-choice reorg.

Previews DSL-156 — DSL-099 composes this fn alongside [rewind_attestation_to_epoch] (DSL-098) inside [reconcile_with_chain_tip]. The DSL-156 dedicated test file lands in Phase 10.

Semantics

Caps last_proposed_slot at new_tip_slot using strict > so the boundary (stored == tip) is a no-op and already-lower slots remain untouched. Reconcile must never RAISE a watermark — doing so would weaken slashing protection.

No hash-equivalent to clear on the proposal side: DSL-094 only tracks the slot, not a block binding.

pub fn save(&self, path: &PathBuf) -> Result<()>

Persist slashing-protection state to disk as pretty-printed JSON.

Implements DSL-101. Traces to SPEC §14.4.

On-disk format

JSON, pretty-printed for operator debuggability. All fields are primitive (u64) except last_attested_block_hash, which is stored as the canonical 0x<lowercase-hex> form produced by [record_attestation]. External tooling that rewrites the hash to uppercase is tolerated on reload via [check_attestation]’s case-insensitive compare.

Errors

Returns any I/O error raised by the underlying std::fs write. Serialization is infallible (every field is serde-safe by construction).

Companion load

The inverse of this call. load handles the missing-file case by returning Self::default() so a first-boot validator does not need a bootstrap branch.

pub fn load(path: &PathBuf) -> Result<Self>

Load slashing-protection state from disk.

Implements DSL-101.

Behaviour

• Path exists: decode the file via serde_json::from_slice. Uses the same schema as save; DSL-100 handles legacy JSON lacking last_attested_block_hash via #[serde(default)] on that field.
• Path does NOT exist: return Self::default(). This is the intentional first-boot path — a validator with no prior state calls load and gets a clean instance, avoiding an explicit bootstrap branch at every call site.

Errors

• std::fs::read errors (permission, I/O) propagate.
• Deserialization errors surface as InvalidData via serde_json. NOTE: a legitimate legacy file triggers #[serde(default)], not an error.

pub fn reconcile_with_chain_tip(&mut self, tip_slot: u64, tip_epoch: u64)

Reconcile local slashing-protection state with the canonical chain tip on validator startup or after a reorg.

Implements DSL-099. Traces to SPEC §14.3.

Semantics

Composes [rewind_proposal_to_slot] (DSL-156) with [rewind_attestation_to_epoch] (DSL-098) under a single entry point. Net effect:

• last_proposed_slot capped at tip_slot (never raised).
• last_attested_source_epoch / last_attested_target_epoch capped at tip_epoch (never raised).
• last_attested_block_hash cleared unconditionally — the hash binds to a specific block that the reorg invalidates.

Idempotent by construction: both legs are caps, and a second call with the same (tip_slot, tip_epoch) finds the state already satisfying both caps.

Called by:

• validator boot sequence (rejoin canonical chain after downtime),
• DSL-130 global-reorg orchestration.

pub fn rewind_attestation_to_epoch(&mut self, new_tip_epoch: u64)

Rewind attestation state on fork-choice reorg or chain-tip refresh.

Implements DSL-098. Traces to SPEC §14.3.

Semantics

The stored (source, target, hash) triple is the validator’s local memory of “what I already signed.” When a reorg drops the chain back below the attested epochs, that memory is a ghost watermark — the block the hash points to no longer exists on the canonical chain. Keeping it would block honest re-attestation through DSL-095/096.

Two legs:

1. Cap last_attested_source_epoch and last_attested_target_epoch at new_tip_epoch. Use strict > so the boundary case (stored == tip) is a no-op — the cap must never RAISE a watermark, only lower it.
2. Clear last_attested_block_hash unconditionally. The hash binds to a specific block; a reorg invalidates that binding regardless of epoch ordering.

After rewind, a re-attestation on the new canonical tip passes [check_attestation].

Companion DSL-099 (reconcile_with_chain_tip) calls this alongside the proposal-rewind DSL-156; DSL-130 triggers the whole bundle on global reorg.

Trait Implementations

impl Clone for SlashingProtection

fn clone(&self) -> SlashingProtection

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for SlashingProtection

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for SlashingProtection

fn default() -> SlashingProtection

Returns the “default value” for a type.

impl<'de> Deserialize<'de> for SlashingProtection

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl PartialEq for SlashingProtection

fn eq(&self, other: &SlashingProtection) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Serialize for SlashingProtection

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.

impl Eq for SlashingProtection

impl StructuralPartialEq for SlashingProtection