Skip to main content

Continuity and Trustless Recovery Through Common Interest Protocol

The Common Interest Protocol (CIP) allows anyone who holds more than 2 collateralized SLOT of a KNOT to request the KNOT’s Consensus Layer signing key, and assumes the control of validator node management. The intention is that if the original owner of a KNOT does not do a good job and the KNOT loses more than 2 collateralized SLOT, then someone else can top up the slashed SLOT, request the KNOT’s signing key, and then run the validator or rage-quit the KNOT. Common Interest Protocol is a standalone system that has interdependence to the Stakehouse protocol but remains independent for its operation. A reasonable way to reference CIP, is to think of it as an ondemand trustless validator signing key recovery mechanism for Stakehouse KNOT collateralized SLOT holders.

There is a clear separation of concern between validation continuity and trustless recovery in the Stakehouse protocol. Validation continuity has a broader scope and is handled by the in-protocol mechanism through collateralized SLOT vault dynamics. As explained above, the redemption rate of a house is a critical factor in ensuring the continuous monitoring of its health and efficiency. It exposes an inversely proportional payoff rate assigned to every SLOT (sETH) associated with the house for market reflexivity. Trustless recovery has a narrower scope; Focusing on a KNOT that requires immediate access to the validator signing key for its node administration such as patching up vulnerabilities, node reassignment, or performing a voluntary exit from the Consensus layer.

The validation continuity mechanism is inspired by the discouragement attack paper1 by Vitalik Buterin. It leverages the Stakehouse registry’s continuous public monitoring feature and arbitrage opportunities. These opportunities are brought to life by SLOT slashing and the in protocol top-up mechanism providing large incentives for a market actor to engage. SLOT tokens’ high earning potential from Ethereum network transaction ordering will outweigh any long-range attack. SLOT slashing and top-ups are permissionless, where every KNOT’s on-chain validator balances are publicly available for anyone using Ethereum nodes.

Trustless recovery has a few sets of rules managed by on-chain CIP smart contracts and an off-chain Zero Knowledge-Safebox managed using ECC threshold signing protocol. This has a hybrid encryption scheme; The signers are represented by Stakehouse SLOT owners themselves in its permissionless version for decryption request signing via CIP contracts. Its contracts will process the request for decryption based on the requester’s active SLOT token balance. CIP has no access to an asset owned by the Stakehouse, nor does it have any other privileges to interfere with the Stakehouse. Its only involvement is with a community signer for their house or Stakehouse efficiency at large assessed by their earning reputation. CIP needs to attain a critical mass to have sufficient decentralized signers in the system to have sybil resistance to any unforeseeable manipulation. Hence the recovery is enabled with a semi-trusted Distributed Key Generation (DKG) committee at the genesis. This exists until the Stakehouse attains a release candidate(RC) that could provide at least 100 guardians with a minimum of one SLOT. Each must be from a combination of a unique KNOT and ECDSA to sufficiently exit to the community. As CIP only accepts collateralized SLOT owners for both decryption and signers, there is a progressive permissionless path for enabling; This is considering the fact that any validator leakage of more than 2 ETH will take a year under current stake growth. A recent security model assessment is available on our recent audit2, and the detailed specification of CIP can be found in the Common Interest Protocol paper.

CIP serves as SLOT owner's first refuge for an immediate opportunity to mitigate validation inefficiency of node maintenance while simultaneously encouraging other SLOT owners to actively contribute to this signing network. They are encouraged to serve their own self interest in limiting their SLOT(sETH) payoff rate decay caused by the second-order effect of the slashing of a house’s KNOT. From a generalized perspective, it enables a community mount response for Stakehouse validators to more easily coordinate to fight back against attacks, by saying "I'm willing to join only if enough others join at the same time to defeat this attacker with me.".