Specific TOKEN amounts, slash percentages, and fee splits on this page are not finalized. Tokenomics is under active review — see tokenomics for status. Treat numbers here as illustrative of the leading candidate model, not committed.
Decision
All four slashable offenses now have concrete on-chain evidence paths:- Corrupted delivery
- Phantom announcement (claimed
has_blob=true, failed to deliver) - Rate manipulation (charged rate ≠ advertised rate)
- Blacklist violation (served a blacklisted hash after the compliance window)
SlashJudge contract adjudicates all four types and calls StakingRegistry.slash() on resolution.
Dual-key slash signatures
Ed25519 signatures (from iroh NodeIds) are not cheaply EVM-verifiable — a Solidity Ed25519 library runs ~500k–1M gas. secp256k1ecrecover is ~3,000 gas.
Protocol messages (ProbeResponse, StreamResponse, RateChange) therefore carry an optional secp256k1 slash_sig — an EIP-712 signature over the same security-relevant fields as the ed25519 wire signature. On-chain evidence uses slash_sig; wire authentication uses the ed25519 signature.
The slash_sig is wire-optional. For RateChange specifically, a valid slash_sig is required to serve as on-chain counter-evidence in rate-manipulation challenges.
Immediate vs. deferred offenses
| Offense | Counter window | Rationale |
|---|---|---|
| Phantom announcement | None — immediate | ProbeResponse + StreamError pair is self-contained evidence |
| Blacklist violation | None — immediate | Serving a blacklisted hash after window is self-evident |
| Corrupted delivery | 24 h | Let the accused submit a counter-receipt |
| Rate manipulation | 24 h | Let the accused submit the actual RateChange between disputed timestamps |
Corruption counter-evidence
The accused submits a signedDeliveryReceipt from the requester. The contract verifies:
Rate manipulation counter-evidence
The accused submits a signedRateChange gossip message proving a legitimate rate change occurred between the disputed timestamps. This is why slash_sig on RateChange is required rather than optional.
Evidence staleness
MAX_EVIDENCE_AGE_US bounds how old evidence can be at submission. This is strictly less than the unbonding period — otherwise an accused could deregister and withdraw before being slashable.
Challenger incentives
Challenge bonds:- 50 TOKEN.
- Bond is slashed if the challenge fails (griefing protection).
- On success,
StakingRegistry.slash()returns 50% of the slash tomsg.sender(SlashJudge), which forwards it to the challenger.
0x000...dEaD). This is distinct from the buyback-and-burn flow, which converts USDC protocol fees into TOKEN and then burns the TOKEN — slashed stake is already TOKEN and goes straight to burn.
Per-offense challenge functions
SlashJudge exposes one challenge function per offense type:
submitPhantomChallenge(...)submitRateChallenge(...)submitBlacklistChallenge(...)submitCorruptionChallenge(...)
resolveChallenge() for post-window resolution of the deferred types.
Source ADR: 014-on-chain-verification.md