The AIOZ Network is based on Tendermint (opens in a new tab), which relies on a set of validators to secure the network. The role of validators is to run a full-node and participate in consensus by broadcasting votes which contain cryptographic signatures signed by their private key. Validators commit new blocks in the blockchain and receive revenue in exchange for their work. They must also participate in governance by voting on proposals. Validators are weighted according to their total stake.
The AIOZ Network is a public Proof-Of-Stake (PoS) blockchain, meaning that the weight of validators is determined by the amount of staking tokens (AIOZ) bonded as collateral. These AIOZ can be self-delegated directly by the validator or delegated to them by other AIOZ holders.
Any user in the system can declare their intention to become a validator by sending a
create-validator transaction. From there, they become validator candidates.
The weight (i.e., voting power) of a validator determines whether or not they are an active validator. Initially, only the top 50 validators with the most voting power will be active.
A full node is a program that fully validates transactions and blocks of a blockchain. It is distinct from a light node that only processes block headers and a small subset of transactions. Running a full node requires more resources than a light node but is necessary to be a validator. In practice, running a full node only implies running a non-compromised and up-to-date software version with low network latency and without downtime.
Of course, users can be encouraged to run full nodes even if they do not plan to be validators.
Delegators are AIOZ holders who cannot or do not want to run a validator themselves. AIOZ holders can delegate AIOZ to a validator and obtain a part of their revenue in exchange (for more detail on how revenue is distributed, see What is the incentive to stake? and What are validators commission? sections below).
Because they share revenue with their validators, delegators also share risks. Should a validator misbehave, each of their delegators will be partially slashed in proportion to their delegated stake. This is why delegators should perform due diligence on validators before delegating, as well as spreading their stake over multiple validators.
Delegators play a critical role in the system, as they are responsible for choosing validators. Being a delegator is not a passive role: Delegators should actively monitor the actions of their validators and participate in governance. For more, read the delegator's faq (opens in a new tab).
AIOZ Network Blockchain supports validator configuration policies as follows: governance and non-governance. Governance policy requires new participants to submit their proposals to become validator candidates, and all current validators must vote to approve new candidates.
Then, the new validator candidate can send
create-validator transaction and delegate $AIOZ to become the top 50 validators.
Meanwhile, under the non-governance policy, any participant in the network can become a validator without any approval from current validators.
Here are parameters of
PubKey: The private key associated with this Tendermint
PubKeyis used to sign prevotes and precommits.
- Validator's Address: Application-level address. This is the address used to identify your validator publicly. The private key associated with this address is used to delegate, unbond, claim rewards, and participate in governance.
- Validator's name (moniker)
- Validator's website (Optional)
- Validator's description (Optional)
- Initial commission rate: The commission rate on block rewards and fees charged to delegators.
- Maximum commission: The maximum commission rate which this validator can charge. This parameter cannot be changed after
- Commission max change rate: The maximum daily increase of the validator commission. This parameter cannot be changed after
- Minimum self-delegation: Minimum amount of AIOZ the validator needs to have bonded at all times. If the validator's self-delegated stake falls below this limit, their entire staking pool will unbond.
Once a validator is created, AIOZ holders can delegate aioz to them, effectively adding stake to their pool. The total stake of an address is the combination of AIOZ bonded by delegators and AIOZ self-bonded by the entity which designated itself.
Out of all validator candidates that signaled themselves, the 50 with the most total stake are the ones who are designated as validators. They become validators If a validator's total stake falls below the top 50 then that validator loses their validator privileges: they don't participate in consensus and generate rewards anymore. Over time, the maximum number of validators may be increased via an on-chain governance proposal.
The Testnet is a great environment to test your validator setup before launch.
We view testnet participation as a great way to signal to the community that you are ready and able to operate a validator. You can find all relevant information about the testnet here and here (opens in a new tab).
In short, there are two types of keys:
- Tendermint Key: This is a unique key used to sign consensus votes.
- It is associated with a public key
aiozvalconspub(Get this value with
aiozd tendermint show-validator)
- It is generated when the node is created with aiozd init.
- It is associated with a public key
- Application key: This key is created from
aiozdand used to sign transactions. Application keys are associated with a public key prefixed by
aiozpuband an address. Both are derived from account keys generated by
aiozd keys add.
Note: A validator's operator key is directly tied to an application key, but
uses reserved prefixes solely for this purpose:
After a validator is created with a
create-validator transaction or
create validator proposal, they can be in three states:
in validator set: Validator is in the active set and participates in consensus. Validator is earning rewards and can be slashed for misbehavior.
jailed: Validator misbehaved and is in jail, i.e., outside of the validator set. If the jailing is due to being offline for too long, the validator can send an
unjailtransaction in order to re-enter the validator set. If the jailing is due to double signing, the validator cannot unjail.
unbonded: Validator is not in the active set, and, therefore, not signing blocs. Validator cannot be slashed, and does not earn any reward. It is still possible to delegate AIOZ to this validator. Un-delegating from an
unbondedvalidator is immediate.
Self-delegation is a delegation from a validator to themselves. This amount can be increased by sending a
delegate transaction from your validator's
The minimum is
Delegators are free to choose validators according to their own subjective criteria. This said, criteria anticipated to be important include:
- Amount of self-delegated AIOZ: Number of AIOZ a validator self-delegated to themselves. A validator with a higher amount of self-delegated AIOZ has more skin in the game, making them more liable for their actions.
- Amount of delegated AIOZ: Total number of AIOZ delegated to a validator. A high voting power shows that the community trusts this validator, but it also means that this validator is a bigger target for hackers. Bigger validators also decrease the decentralization of the network.
- Commission rate: Commission applied on revenue by validators before it is distributed to their delegators.
- Track record: Delegators will likely look at the track record of the validators they plan to delegate to. This includes seniority, past votes on proposals, historical average uptime, and how often the node was compromised.
Apart from these criteria, there will be a possibility for validators to signal a website address to complete their resume. Validators will need to build reputation one way or another to attract delegators. For example, it would be good practice for validators to have their setup audited by third parties. However, the AIOZ team will not approve or conduct any audit themselves.
No, they do not. Each delegator will value validators based on their own criteria. Validators can register a website address when they nominate themselves so they can advertise their operation as they see fit. Some delegators may prefer a website that clearly displays the team operating the validator and their resume, while others might prefer anonymous validators with positive track records.
Validators have two main responsibilities:
- **Be able to constantly run a correct version of the software:**Validators need to make sure that their servers are always online and their private keys are not compromised.
- Actively participate in governance: Validators are required to vote on every proposal.
Additionally, validators are expected to be active members of the community. They should always be up-to-date with the current state of the ecosystem so that they can easily adapt to any change.
Validators on the AIOZ Network can vote on proposals to change operational parameters (such as the block gas limit), coordinate upgrades, or make a decision on any given matter.
Validators play a special role in the governance system. Being the pillars of the system, they are required to vote on every proposal. It is especially important since delegators will inherit the vote of their validator.
Staking AIOZ can be thought of as a safety deposit on validation activities. When a validator or a delegator wants to retrieve part or all of their deposit, they send an
unbonding transaction. Then, AIOZ undergoes a 4 weeks unbonding period during which they are liable to be slashed for potential misbehaviors committed by the validator before the unbonding process starts.
Validators, and by association delegators, receive block rewards, fees, and have the right to participate in governance. If a validator misbehaves, a certain portion of their total stake is slashed. This means that every delegator that bonded AIOZ to this validator gets penalized in proportion to their bonded stake. Delegators are therefore incentivized to delegate to validators that they anticipate will function safely.
By delegating to a validator, a user delegates voting power. The more voting power a validator has, the more weight they have in the consensus and governance processes. This does not mean that the validator has custody of their delegators' AIOZ. By no means can a validator run away with its delegator's funds.
Even though delegated funds cannot be stolen by their validators, delegators are still liable if their validators misbehave.
How often will a validator be chosen to propose the next block? Does it go up with the quantity of bonded AIOZ?
The validator that is selected to propose the next block is called the proposer. Each proposer is selected deterministically, and the frequency of being chosen is proportional to the voting power (i.e., amount of bonded AIOZ) of the validator. For example, if the total bonded stake across all validators is 100 AIOZ and a validator's total stake is 10 AIOZ, then this validator will propose ~10% of the blocks.
Each member of a validator's staking pool earns different types of revenue:
- Block rewards: Native tokens of applications run by validators (e.g. AIOZ on the AIOZ Network) are inflated to produce block provisions. These provisions exist to incentivize AIOZ holders to bond their stake, as non-bonded AIOZ will be diluted over time.
- Transaction fees: The AIOZ Network maintains a whitelist of token that are accepted as fee payments. The initial fee token is the
This total revenue is divided among validators' staking pools according to each validator's weight. Then, within each validator's staking pool the revenue is divided among delegators in proportion to each delegator's stake. A commission on delegators' revenue is applied by the validator before it is distributed.
Validators earn proportionally more revenue than their delegators because of commissions.
Validators also play a major role in governance. Delegators inherit the vote from their validator. This gives validators a major responsibility in the ecosystem.
Revenue received by a validator's pool is split between the validator and their delegators. The validator can apply a commission on the part of the revenue that goes to their delegators. This commission is set as a percentage. Each validator is free to set their initial commission, maximum daily commission change rate and maximum commission. The AIOZ Network enforces the parameter that each validator sets. Only the commission rate can change after the validator is created.
Block rewards are distributed proportionally to all validators relative to their voting power. This means that even though each validator gains aioz with each reward, all validators will maintain equal weight over time.
Let us take an example where we have 10 validators with equal voting power and a commission rate of 1%. Let us also assume that the reward for a block is 1000 AIOZ and that each validator has 20% of self-bonded AIOZ. These tokens do not go directly to the proposer. Instead, they are evenly spread among validators. So now each validator's pool has 100 AIOZ. These 100 AIOZ will be distributed according to each participant's stake:
100 * 80% * 1% = 0.8 AIOZ
- Validator gets:
100 * 20% + Commission = 20.8 AIOZ
- All delegators get:
100 * 80% - Commission = 79.2 AIOZ
Then, each delegator can claim their part of the 79.2 AIOZ in proportion to their stake in the validator's staking pool.
Fees are similarly distributed with the exception that the block proposer can get a bonus on the fees of the block they propose if they include more than the strict minimum of required precommits.
When a validator is selected to propose the next block, they must include at least 2/3 precommits of the previous block. However, there is an incentive to include more than 2/3 precommits in the form of a bonus. The bonus is linear: it ranges from 1% if the proposer includes 2/3rd precommits (minimum for the block to be valid) to 5% if the proposer includes 100% precommits. Of course, the proposer should not wait too long or other validators may timeout and move on to the next proposer. As such, validators must find a balance between wait time to get the most signatures and risk losing out on proposing the next block. This mechanism aims to incentivize non-empty block proposals, better networking between validators, and mitigate censorship.
Let's take a concrete example to illustrate the aforementioned concept. In this example, there are 10 validators with equal stakes. Each of them applies a 1% commission rate and has 20% of self-delegated AIOZ. Now comes a successful block that collects a total of 1025.51020408 AIOZ in fees.
First, a 2% tax is applied. The corresponding AIOZ goes to the reserve pool. Reserve pool's funds can be allocated through governance to fund bounties and upgrades.
2% * 1025.51020408 = 20.51020408AIOZ go to the reserve pool.
1005 AIOZ now remain. Let's assume that the proposer included 100% of the signatures in its block. It thus obtains the full bonus of 5%.
We have to solve this simple equation to find the reward R for each validator:
9*R + R + R*5% = 1005 ⇔ R = 1005/10.05 = 100
- For the proposer validator:
- The pool obtains
R + R * 5%: 105 AIOZ
105 * 80% * 1%= 0.84 AIOZ
- Validator's reward:
105 * 20% + Commission= 21.84 AIOZ
- Delegators' rewards:
105 * 80% - Commission= 83.16 AIOZ (each delegator will be able to claim its portion of these rewards in proportion to their stake)
- The pool obtains
- For each non-proposer validator:
- The pool obtains R: 100 AIOZ
100 * 80% * 1%= 0.8 AIOZ
- Validator's reward:
100 * 20% + Commission= 20.8 AIOZ
- Delegators' rewards:
100 * 80% - Commission= 79.2 AIOZ (each delegator will be able to claim their portion of these rewards in proportion to their stake)
If a validator misbehaves, their delegated stake will be partially slashed. There are currently two faults that can result in the slashing of funds for a validator and their delegators:
- Double signing: If someone reports on chain A that a validator signed two blocks at the same height on chain A and chain B, and if chain A and chain B share a common ancestor, then this validator will get slashed by 5% on chain A.
- Downtime: If a validator misses more than 50% of the last 17,280 blocks, they will get slashed by 0.01%.
Yes, they do need to self-delegate at least
1 aioz. Even though there is no obligation for validators to self-delegate more than
1 aioz, delegators should want their validator to have more self-delegated AIOZ in their staking pool. In other words, validators should have skin in the game.
For delegators to have some guarantee about how much skin-in-the-game their validator has, the latter can signal a minimum amount of self-delegated AIOZ. If a validator's self-delegation goes below the predefined limit, this validator and all of its delegators will unbond.
For now the community is expected to behave in a smart and self-preserving way. When a mining pool in Bitcoin gets too much mining power, the community usually stops contributing to that pool. The AIOZ Network will rely on the same effect initially. Other mechanisms are in place to smoothen this process as much as possible:
- Penalty-free re-delegation: This allows delegators to easily switch from one validator to another, reducing validator stickiness.
- UI warning: Wallets can implement warnings that will be displayed to users if they want to delegate to a validator with a significant amount of staking power.
Validators should expect to provide one or more data center locations with redundant power, networking, firewalls, HSMs, and servers.
We expect that a modest level of hardware specifications will be needed initially and that they might rise as network use increases. Participating in the testnet is the best way to learn more.
In addition to running an AIOZ Network node, validators should develop monitoring, alerting, and management solutions.
The AIOZ network has the capacity for very high throughput relative to chains like Ethereum or Bitcoin.
We recommend that the data center nodes only connect to trusted full nodes in the cloud or other validators that know each other socially. This relieves the data center node from the burden of mitigating denial-of-service attacks.
Ultimately, as the network becomes more heavily used, multi-gigabyte per day bandwidth is very realistic.
A successful validator operation will require the efforts of multiple highly skilled individuals and continuous operational attention. This will be considerably more involved than running a bitcoin miner for instance.
Running an effective operation is the key to avoiding unexpectedly unbonding or being slashed. This includes being able to respond to attacks, outages, as well as to maintain security and isolation in your data center.
Validators should expect to perform regular software updates to accommodate upgrades and bug fixes. There will inevitably be issues with the network early in its bootstrapping phase that will require substantial vigilance.
Denial-of-service attacks occur when an attacker sends a flood of internet traffic to an IP address to prevent the server at the IP address from connecting to the internet.
An attacker scans the network, tries to learn the IP address of various validator nodes, and disconnects them from communication by flooding them with traffic.
One recommended way to mitigate these risks is for validators to carefully structure their network topology in a so-called sentry node architecture.
Validator nodes should only connect to full nodes they trust because they operate them themselves or are run by other validators they know socially. A validator node will typically run in a data center. Most data centers provide direct links to the networks of major cloud providers. The validator can use those links to connect to sentry nodes in the cloud. This shifts the burden of denial-of-service from the validator's node directly to its sentry nodes, and may require new sentry nodes be spun up or activated to mitigate attacks on existing ones.
Sentry nodes can be quickly spun up or changed their IP addresses. Because the links to the sentry nodes are in private IP space, an internet-based attack cannot disturb them directly. This will ensure validator block proposals and votes always make it to the rest of the network.
It is expected that good operating procedures on that part of validators will completely mitigate these threats.