Decision
AContentBlacklist contract supports global (network-wide) and regional (jurisdiction-scoped) takedown. Standard governance entries have a 24-hour compliance window; the emergency multisig path takes effect immediately with a 2-hour slash window.
Why on-chain
The blacklist must be:- Non-repudiable. A compromised node operator cannot claim “I didn’t know” if the entry is publicly readable.
- Atomic per-node. Every node polls the same source of truth. No partial propagation.
- Auditable. Anyone can see what has been blacklisted and when.
Entry types
| Type | Added by | Active at | Auto-expiry |
|---|---|---|---|
| Standard governance | Governor | 24 h after vote execution (compliance window) | None (governance can remove) |
| Regional | Regional governance body | 24 h | None |
| Emergency | 3-of-5 multisig | Immediately (with 2 h slash grace) | 14 days |
| Emergency (CSAM / terrorist) | 3-of-5 multisig | Immediately | 90 days |
Why the 2-hour slash grace
The emergency path takes effect immediately in terms of “don’t serve this”, but the first 2 hours cannot result in a slash. This absorbs gossip propagation lag and clock skew — a node that genuinely hasn’t seen the entry yet is given a realistic reaction window before liability attaches.Regional scoping
A regional entry applies only to nodes that advertise a matchingregion in their NodeAnnounce. The contract maintains a mapping {region_code → BLACKLIST_ROLE_holder}, and BLACKLIST_ROLE is granted to regional governance bodies on a per-region basis.
A node serving a globally-blacklisted hash is always slashable. A node in region: DE serving a DE-regional entry is slashable; that same node serving the entry via a US client is a gray area — current guidance is that operators adopt the strictest jurisdiction their node’s region subjects them to.