Skip to main content
Specific TOKEN amounts, slash percentages, and fee splits on this page are not finalized. Tokenomics is under active review — see tokenomics for status. Treat numbers here as illustrative of the leading candidate model, not committed.

Decision

All four slashable offenses now have concrete on-chain evidence paths:
  1. Corrupted delivery
  2. Phantom announcement (claimed has_blob=true, failed to deliver)
  3. Rate manipulation (charged rate ≠ advertised rate)
  4. Blacklist violation (served a blacklisted hash after the compliance window)
A unified SlashJudge contract adjudicates all four types and calls StakingRegistry.slash() on resolution.

Dual-key slash signatures

Ed25519 signatures (from iroh NodeIds) are not cheaply EVM-verifiable — a Solidity Ed25519 library runs ~500k–1M gas. secp256k1 ecrecover is ~3,000 gas. Protocol messages (ProbeResponse, StreamResponse, RateChange) therefore carry an optional secp256k1 slash_sig — an EIP-712 signature over the same security-relevant fields as the ed25519 wire signature. On-chain evidence uses slash_sig; wire authentication uses the ed25519 signature. The slash_sig is wire-optional. For RateChange specifically, a valid slash_sig is required to serve as on-chain counter-evidence in rate-manipulation challenges.

Immediate vs. deferred offenses

OffenseCounter windowRationale
Phantom announcementNone — immediateProbeResponse + StreamError pair is self-contained evidence
Blacklist violationNone — immediateServing a blacklisted hash after window is self-evident
Corrupted delivery24 hLet the accused submit a counter-receipt
Rate manipulation24 hLet the accused submit the actual RateChange between disputed timestamps

Corruption counter-evidence

The accused submits a signed DeliveryReceipt from the requester. The contract verifies: 
receipt.requester == challenge.challenger  // prevents cross-requester receipt reuse
The challenger must have been the requester. For high-value disputes the evidence path upgrades to an interactive keccak256 Merkle proof over 1024-byte chunks — the chunk size matches the BLAKE3 leaf size used for verified streaming (content addressing).

Rate manipulation counter-evidence

The accused submits a signed RateChange gossip message proving a legitimate rate change occurred between the disputed timestamps. This is why slash_sig on RateChange is required rather than optional.

Evidence staleness

MAX_EVIDENCE_AGE_US bounds how old evidence can be at submission. This is strictly less than the unbonding period — otherwise an accused could deregister and withdraw before being slashable.

Challenger incentives

Challenge bonds:
  • 50 TOKEN.
  • Bond is slashed if the challenge fails (griefing protection).
  • On success, StakingRegistry.slash() returns 50% of the slash to msg.sender (SlashJudge), which forwards it to the challenger.
The remaining 50% of the slashed TOKEN is sent directly to the burn address (0x000...dEaD). This is distinct from the buyback-and-burn flow, which converts USDC protocol fees into TOKEN and then burns the TOKEN — slashed stake is already TOKEN and goes straight to burn.

Per-offense challenge functions

SlashJudge exposes one challenge function per offense type:
  • submitPhantomChallenge(...)
  • submitRateChallenge(...)
  • submitBlacklistChallenge(...)
  • submitCorruptionChallenge(...)
Plus resolveChallenge() for post-window resolution of the deferred types. Source ADR: 014-on-chain-verification.md