Tenderbake#
This page contains a summary of the changes brought by the Tenderbake merge request (!3738). Please refer to the documentation and to this blog post for an overview of the Tenderbake consensus algorithm and its motivation.
Note that the notion of “attestation” was called “endorsement” at the time when Tenderbake was introduced. Hence, this page still uses the old term, which has been renamed only later.
Protocol#
The whole incentives scheme has been updated. In particular the security deposit mechanism has been overhauled. See the documentation.
Rolls do not play an essential role anymore, in that the computation of delegates’ rights is based directly on the delegates’ stake. Snapshots are still used: it is the entire delegate’s stake that is snapshot. Rolls still play the following roles:
A delegate can participate in consensus (receiving baking and endorsing rights) if it has at least
tokens_per_roll
tez.A delegate’s voting power in the governance process is still in terms of rolls, as in Hangzhou.
Baking and endorsing rights are no longer independent of each other:
delegates that participate in consensus at a given level are called
validators in Tenderbake and validator rights in
Tenderbake are similar to endorsing rights in Emmy*. Baking rights are
deduced from endorsing rights: the baker at round r
is the
validator that owns the endorsing slot r
.
Operations#
The layout of the endorsement operations has changed. It consists of a level, a round, a slot, and a payload hash. A validator emits at most one endorsement per round, but can emit more endorsements per level; therefore, the current high-water mark mechanism used by the signer has been adapted (see Signer).
There is a new consensus operation, preendorsement
, with the same layout as an endorsement.
There is a new anonymous operation, double preendorsement evidence
, with the same layout as a double endorsement evidence.
There is a new manager operation, set deposits limit
, which takes an
optional positive integer argument. When the limit argument is given,
the given limit on the signer’s security deposit is set. When the
limit argument is not present, the previous limit is unset and no
limit is imposed.
The branch
field of non-consensus operations is set by default by
the Octez client to HEAD~2
. Setting the branch
field to
HEAD
or HEAD~1
may result in the operation not being included
because it will not be anchored on a block belonging to the
chain. (The blocks at the current and previous levels are not
necessary final.)
Block headers#
The block fitness (included in the shell part of the block header) changes, mainly to allow block candidates to be accepted by nodes.
The protocol part of the block header changes as follows:
it no longer contains the priority entry.
it contains two additional fields:
payload_hash
is the hash of the sequence of the block’s non-consensus operations
payload_round
is the round at which the block’s payload has been first proposed (at the current level); it is equal to the block’s round in case of a fresh proposal and it is strictly smaller in case of a reproposal.
As in Emmy*, a block includes a set of endorsements for the predecessor block. These endorsements constitute a quorum and serve as a justification that the previous block has been agreed upon. In case of a reproposal, a block also includes a quorum of preendorsements for the same round to justify that the payload is indeed a reproposal.
Parameters#
The following protocol parameters have been removed:
time_between_blocks
endorsers_per_block
blocks_per_roll_snapshot
(it is replaced byblocks_per_stake_snapshot
)block_security_deposit
endorsement_security_deposit
baking_reward_per_endorsement
endorsement_reward
The following protocol parameters have been introduced:
baking_reward_fixed_portion
= 10 tezbaking_reward_bonus_per_slot
= 0.004286 tezendorsing_reward_per_slot
= 0.002857 tezdelay_increment_per_round
= 15minimal_participation_ratio
= 2/3consensus_committee_size
= 7000consensus_threshold
= 4667max_slashing_period
= 2 cyclesfrozen_deposits_percentage
= 10double_baking_punishment
= 640 tezratio_of_frozen_deposits_slashed_per_double_endorsement
= 1/2
The parameter minimal_block_delay
is reused to specify the duration of round 0.
The values of the following protocol parameters has changed:
tokens_per_roll
has changed from 8000 to 6000 tez.
Metadata#
The receipt of a block has a new field: proposer
, which is the
public key hash of the block’s payload
producer. Recall that the payload producer
may be different from the block producer, which is stored in the field
baker
.
Previously, some internal transfers of tokens did not generate balance updates. Also, a credit balance update was not always balanced by a debit balance update. In order to make token movements easier to audit, we have remedied that by introducing new ‘kinds’ and ‘types’ of balance updates. Hence, balance updates in the metadata are now always balanced, i.e. the sum of credits is equal to the sum of debits.
The balance updates have been updated as follows:
The new balance categories
legacy_rewards
,legacy_deposits
, andlegacy_fees
correspond to the oldrewards
,deposits
, andfees
categories, and are only generated during migration (theirorigin
field ismigration
).There is a new type of
origin
, calledsimulation
which is for internal use only (when a smart contract simulation run is performed via the RPC../helpers/scripts/run_code
). Thisorigin
will not appear in metadata during normal operation on mainnet.The following new balance types have been introduced:
deposits, with the kind
freezer
, categorydeposits
, and 3rd fielddelegate
;nonce revelation rewards, with the kind
minted
and categorynonce revelation rewards
;double signing evidence rewards, with the kind
minted
and categorydouble signing evidence rewards
;endorsing rewards, with the kind
minted
and categoryendorsing rewards
;baking rewards, with the kind
minted
and categorybaking rewards
;baking bonuses, with the kind
minted
and categorybaking bonuses
;block fees, with the kind
accumulator
and categoryblock fees
;storage fees, with the kind
burned
and categorystorage fees
;double signing punishments, with the kind
burned
and categorypunishments
;lost endorsing rewards, with the kind
burned
, categorylost endorsing rewards
, 3rd fielddelegate
, 4th fieldparticipation
(a boolean with valuetrue
if and only if the reward was lost because of insufficient participation), and 5th fieldrevelation
(a boolean with valuetrue
if and only if the reward was lost because of unrevealed nonces);liquidity baking subsidies, with the kind
minted
and categorysubsidy
;commitments, with the kind
commitment
and categorycommitment
;invoices, with the kind
minted
and categoryinvoice
;
The following new balance types are for internal use, they will not appear in the metadata during normal operation on mainnet, but may appear on test networks, or in sandboxed mode:
“bootstrap” with the kind
minted
and categorybootstrap
;“initial commitments”, with the kind
minted
and categorycommitment
;“burned”, with the kind
burned
and categoryburned
;“minted”, with the kind
minted
and categoryminted
The following balance types represent external sources of tokens that can only be debited : nonce revelation rewards, endorsing rewards, baking rewards, baking bonuses, liquidity baking subsidies, invoices, initial commitments, bootstrap, minted
The following balance types represent destinations of tokens burned that can only be credited : storage fees, double signing punishments, lost endorsing rewards, burned
The receipt for (pre)endorsement operations contains three fields:
balance_updates
, which is always empty;delegate
, the signer’s public key hash;(pre)endorsement_power
, the number of slots the delegate had at the corresponding level.
The receipt for double preendorsement evidence operations has the same format as for double endorsement evidence operations.
The receipt for set deposits limit operations has one field: the consumed_gas
.
A more detailed documentation of balance updates is available here.
RPCs#
The following RPCs have been removed or renamed:
../minimal_valid_time
has been removed../context/delegates/<pkh>/frozen_balance_by_cycle
has been removed../context/delegates/<pkh>/frozen_balance
, has been renamed tofrozen_deposits
../context/delegates/<pkh>/balance
, renamed tofull_balance
The following RPCs have changed:
../helpers/baking_rights
:Instead of an optional list of
cycle
arguments, the RPC only takes one optionalcycle
argument.The argument
max_priority
has been renamed tomax_round
.The output field
priority
has been renamed toround
.
../helpers/endorsing_rights
:Instead of an optional list of
cycle
arguments, the RPC only takes one optionalcycle
argument.The output is now grouped per level. For each level, the output contains the delegates’ rights and the estimated time at which the rights can be exercised. For each delegate that has some rights at the given level, the output contains the delegate’s public key hash, the delegate’s first slot, and the delegate’s endorsing power.
The following RPCs are new:
../helpers/round
: gives the round of a block.../helpers/validators
: is a variant ofendorsing_rights
RPC, used by the Octez baker daemon.../context/delegates/<pkh>/current_frozen_deposits
: gives the current amount of the delegate’s frozen deposits, in contrast to../<pkh>/frozen_deposits
which returns the initial amount (that is, at the beginning of a cycle) of the frozen deposits. The two amounts are different only when the delegate has been punished.../context/delegates/<pkh>/frozen_deposits_limit
: gives the frozen deposits limit of a registered delegate.../context/delegates/<pkh>/participation
: gives information on the participation (in consensus) of a registered delegate, as follows:expected_cycle_activity
indicates the number of endorsing slots the delegate is expected to have in the cycle based on its active stake. This number does not necessary equal the number of slots the delegate actually has, which are also dependent on the cycle’s seed.minimal_cycle_activity
indicates the minimal endorsing slots in the cycle required to get endorsing rewards. It is computed based on theexpected_cycle_activity
.missed_slots
indicates the number of missed endorsing slots in the cycle so far.missed_levels
indicates the number of missed levels for endorsing in the cycle so far.remaining_allowed_missed_slots
indicates the remaining amount of endorsing slots that can be missed in the cycle before forfeiting the rewards.expected_endorsing_rewards
indicates the endorsing rewards that will be distributed at the end of the cycle if activity at that point will be greater than the minimal required; if the activity is already known to be below the required minimum, then the rewards are zero.
Signer#
The signer’s messages were of the form
<magic_byte><chain_id><block|endorsement>
and are now of the form
<magic_byte><chain_id><block|preendorsement|endorsement>
, where
the magic byte has changed from 0x01
for blocks and 0x02
for
endorsements, to 0x11
for blocks, 0x12
for preendorsements,
0x13
for endorsements.
The high-water mark for blocks and (pre)endorsements is now given by both the level and the round of the signed block, respectively of the signed (pre)endorsement. The signer is authorized to sign whenever the level is strictly higher than the previous level, or the level is the same, but the round is strictly higher.
Daemons#
There is no endorser daemon anymore. Its role is performed by the baker daemon. The baker daemon takes the same options as in Hangzhou.
Client#
The command octez-client bake for
has been changed:
It takes a (possibly empty) list of delegate references. It then bakes a block and (pre)endorses this block, using the rights of all the specified delegates. When the list is empty is does so for all delegates whose secret keys are known.
It performs a full consensus round: it “proposes” a block (that is, it injects a block candidate), it preendorses the block, and it endorses the block, if possible.
The following commands have been added:
octez-client propose for
: forge and inject a candidate block (aproposal
).octez-client preendorse for
: forge and inject a preendorsement operation.octez-client endorse for
: forge and inject an endorsement operation.octez-client set deposits limit for <src> to <deposits_limit>
: sets the deposits limit for a registered delegate.octez-client unset deposits limit for <src>
: remove the deposits limit of a registered delegate.