1. DRAFT: Authorization to Blacklist Validators for Mempool Participation and Other Malicious Behaviors
2. Abstract
This Jito Improvement Proposal (JIP) seeks to empower a working group of validators and community members to blacklist validators from the Jito Stake Pool who are found to be engaged in behaviors deemed harmful to the Solana ecosystem, such as private mempool participation and vote lagging.
This working group will be responsible for maintaining and updating the blacklist that will be implemented by Jito Labs through StakeNet if JIP-3 passes.
3. Motivation
An investigation conducted by Jito Labs recently found that roughly ~10% of Jito Stake Pool validators are currently engaged in private mempool participation, among other adverse behaviors to the ecosystem.
The motivation behind this proposal is to disincentivize behaviors that negatively impact the Solana network and JitoSOL stakeholders. Private mempools and similar behaviors are undisclosed, reduce rewards to JitoSOL stakers, and promote centralization.
Implementing a blacklist will enhance network integrity, reward positive-sum validator behavior, and strengthen trust in the JitoSOL ecosystem.
4. Key Terms
Solana: Solana is a credibly neutral blockchain.
Jito Foundation: The Jito Foundation is an opinionated legal entity whose mandate includes promoting productive adoption of Jito Network products as well as the broader Solana ecosystem.
Blacklist: A list of validators prohibited from receiving stake from JitoSOL network due to harmful behaviors.
Private Mempool: Non-public mempools in which transactions are broadcast to searchers ahead of finality, providing an opportunity for searchers to execute harmful MEV strategies such as sandwich attacks.
Working Group: A group of Jito delegates and community members responsible for managing the blacklist.
Appeal Process: A procedure allowing blacklisted validators to contest their inclusion on the blacklist.
5. Specification
Working Group Formation
This proposal will lead to the establishment of a working group of 4-10 respected Solana validators, prioritizing current governance delegates from the validator community and initially selected by the Jito Foundation.
The working group will be responsible for periodically reviewing data from Jito Labs and other relevant parties regarding Solana validators to assess whether validators are engaged in malicious behavior, and if so, to assign those validators to the blacklist.
The initial working group members will be disclosed within 2 weeks of this posting so voters have 2 weeks to assess their qualifications prior to deciding on JIP-4.
Blacklist Criteria
Validators may be blacklisted for behaviors including, but not limited to:
Private mempool participation
Vote lagging (this should become irrelevant once SIMD-033 takes effect; expected by Q4 2024)
Commission rugging: Raising commissions to a high level without disclosure in attempt to steal staking rewards
Any behavior deemed not in the best interest of the Jito Network and the broader Solana community. This final criteria is, unfortunately, lacking specificity, but given the rapidly-evolving nature of validator behavior, pre-approval for specific activities impairs the ability of JitoSOL to react in a timely manner. An example of such behavior would be validators unbundling Jito bundles to steal profits or internalizing sandwiches without disclosure and retaining those profits. These decisions will be reversable via governance if the community disagrees with specific stances.
Blacklist Management
The working group will periodically publicize the blacklist and the reasons for blacklisting, maintaining confidentiality on detection methodologies in order to maintain effectiveness.
Blacklisted validators will have the right to appeal to the working group for re-evaluation if they wish to contest the decision.
Blacklist will operate with a âthree strikeâ system: first time offenders are blacklisted for six months, second time offenders for nine months, and third time offenders permanently blacklisted.
Collaboration with Other Protocols
The working group will explore collaboration with other major stakers such as the Solana Foundation Delegation Program, mSOL, and bSOL to develop a unified blacklist across protocols.
This may be step 1 in a broader validator reputation scoring system that creates an ecosystem coalition to establish non-performance based standards for validator ranking. This would be positive for JitoSOL but also a public good for all stakers in the Solana ecosystem.
Performance Milestones
Initial Setup: Formation of the working group and establishment of the initial blacklist within one month of proposal acceptance.
Quarterly Reviews: Regular reviews and updates of the blacklist and criteria.
Community Involvement: Ongoing engagement with the community and other major stakers for feedback and collaboration. Additionally, the DAO can modify the Blacklist Committee specifications at any point via a governance vote, and the Foundation will seek to evaluate and potentially restructure the Blacklist Committee construction and parameters after a period of six months.
6. Benefits/Risks
Benefits:
Enhanced Network Integrity: Reducing harmful behaviors will improve the overall health, performance and decentralization of the Solana network.
Fair Rewards Distribution: Ensuring all validators play by the same rules will promote a fair distribution of rewards.
Community Trust: Increased transparency and proactive management will enhance trust in the JitoSOL ecosystem and the broader Solana network.
Risks:
Centralization Risk: Because the detection methods have to remain private by nature, blacklist committee participation entails a high-trust position.
Conflict of Interest: Members of the working group may face backlash from blacklisted validators/their colleagues in the community.
7. Outcomes
Successful implementation of this proposal will result in the establishment of a reliable blacklist system, promoting fair practices within the JitoSOL network. This system will be adaptable, with regular reviews and updates based on community feedback and evolving network conditions.
8. Cost Summary
The implementation of this proposal will initially require no financial resources but may involve compensation for the working group members if the workload becomes substantial.
Future related proposals may request additional funds for community audits and expanded working group roles.
I think the effort is noble and helpful for the community.
I would feel more comfortable if a set of watchers would sit in on the committee meetings/chat rooms, forming an oversight subcommittee to the blacklist committee of sophisticated validator experts. Here is a suggested structure:
Oversight Subcommittee:
⢠Include 3 rotating, non-validator delegate members selected randomly to be present at meetings or chat rooms for blacklisting.
Rotating Membership:
⢠Rotate non-validator members annually (maybe quarterly? not sure how often the blacklist gets updated) to maintain objectivity.
Whistleblower Protections:
⢠Ability for any of the 3 delegates to post an anon tg message with any concerns they have in the message rooms or meetings.
Compensation and Serious Engagement:
⢠Compensate non-validator delegate members to ensure their presence and active participation.
Enhances the transparency, fairness, and overall credibility of the blacklist committee.
I am in favor of this proposalâs direction. Generally, I advocate for action over analysis, with the readiness to implement changes if substantial community feedback necessitates it.
The path dependency Jito Labs has taken with the deprecation of their own mempool is important for the networkâs general counter positioning to Ethereum with regards to sandwich attacks, âtoxic mevâ, etc. Especially considering there is no native mempool to Solana - so why add one now? However, if there is a counterpoint to this I would gladly hear it out from a direct proponent of these practices.
I donât think itâs controversial to say the introduction of new private mempools, vote-lag timing games, or âcommission ruggingâ is counterintuitive to userâs best interests.
I think the 3 strike rule is well-intended, but wouldnât advocates of these practices just continue to depreciate blacklisted validators, and spin up new ones (assuming they arenât heavily reliant on external stake delegation & the practice is profitable enough to continue) ? - perhaps thatâs the point of this committee in the first place lol
On that last point, it would also be nice to have rough estimates on the $ amount of âtoxic mevâ taking place so appropriate resources are allocated. Would also agree with Mike on the point of rotating committee members to avoid bureaucratic entrenchment - but ample knowledge transfer would also need to take place to get new members up to speed.
Overall, for this proposal, but the ultimate outcome should be establishing a robust enough system through the right partners where itâs simply not economical to have these practices take place, and then the committee can be wound down. Easier said than done, but thatâs what a successful outcome looks like in my opinion.
Looking forward to what others have to say on the topic!
I love this proposal and how it fits into the original Jito mission to create âmore fair MEVâ systems (on Solana). I also like the whistleblower protection mentioned in the comments, as one of the conflicts of interest missing from the Risks section pertains to collusion among the Working Group to increase their stake by wrongfully accusing others.
Suggestion regarding Working Group Formation: explicitly state that one of the 4-10 members will not run the Jito client to ensure client diversity among the voting members.
The âguilty until proven innocentâ approach implied by the proposal increases the risk of inadvertent reputation and financial damage should the WG make a mistake. Perhaps thereâs a way to add a probationary period in order to allow some benefit of the doubt? Iâve never seen the data and it must be quite damning to immediately jump to a 6mo. ban. However future incidents may not be as high contrast and having the flexibility to put some âfirst strikeâ offenders into probation might be valuable, despite adding administrative overhead.
A short probation for validators with less clear-cut violations, probably pre-ban, with a flag that can be removed prior to marking the permanent record (if possible, obv. does not work once in StakeNet). 4-5 epochs perhaps. It could even be silent to see if the pattern of violation continues after some portion of possible pool collaborators are immediately banned.
I like the starting point of this draft. Perhaps the prohibition period Otto mentioned can be applied to the âAny behavior deemed not in the best interest of the Jito Network and the broader Solana community,â situations. Additionally itâs important to push educational content regarding the scoring parameters for validators on StakeNet to ensure understanding and transparency. So a further breakdown and dissemination of information of the transgressions that can land you on the Blacklist is important. I do not want to veer too far off topic but I would like to add new value to the conversation. Based on JIP-3 and this topic there are more indicators pointing towards some sort of reputation system to assess validators. Hereâs what weâve come up with at Chainflow in regards to it:
Implement a Validator Reputation Score System
To complement the blacklist and provide a more nuanced approach to validator behavior management, implement a Validator Reputation Score System. This system will provide a transparent and objective measure of each validatorâs performance and behavior, promoting good practices and reducing reliance on blacklists alone.
Details of the Suggestion:
1. Reputation Score Metrics:
Performance Metrics: Uptime, missed slots, and response times.
Behavioral Metrics: Participation in private mempools, vote lagging, and commission rugging.
Community Engagement: Contributions to the community, participation in governance, and support for new validators.
2. Scoring System:
Weighted Scores: Assign different weights to each metric based on their importance.
Transparency: Make the scoring algorithm and individual scores publicly available to ensure transparency and trust.
3. Integration with Blacklist:
Threshold for Blacklisting: Set a reputation score threshold below which a validator would be considered for blacklisting.
Grace Period: Provide a grace period for validators who fall below the threshold to improve their scores before blacklisting is considered.
4. Appeal and Review Mechanism:
Regular Reviews: Conduct regular reviews of reputation scores and blacklist decisions.
Appeal Process: Allow validators to appeal their scores or blacklist status, providing evidence to contest the decision.
5. Incentives for Good Behavior:
Rewards and Recognition: Recognize and reward top-performing validators with additional stake delegations, public recognition, and other incentives.
Educational Programs: Offer educational programs and resources to help validators improve their scores and adhere to best practices.
6. Collaboration and Feedback:
Community Involvement: Involve the community in developing and refining the reputation score system, ensuring it reflects the collective values and goals of the JitoSOL network.
Feedback Mechanism: Establish a feedback mechanism for continuous improvement of the scoring system based on community input.
Benefits:
Holistic Assessment: Provides a more comprehensive assessment of validator behavior beyond blacklisting.
Positive Reinforcement: Encourages positive behavior through rewards and recognition.
Transparency and Fairness: Ensures a transparent and fair approach to validator management.
Community Trust: Builds trust within the community by promoting transparency and accountability.
Risks:
Implementation Complexity: Developing and maintaining the scoring system could be complex and resource-intensive.
Subjectivity: Ensuring objectivity in the scoring system may be challenging.
Adaptation Period: Validators may need time to understand and adapt to the new scoring system.
By integrating a Validator Reputation Score System, we can enhance the management of validator behavior in the JitoSOL network, promoting fairness, transparency, and community trust while reducing reliance on blacklisting alone.
Disclaimer: this could be a bit too future-focused, but I think having an idea of what this reputation system COULD look like will make the integration of the Blacklist easier.
Thank you to the delegates for their thoughtful feedback.
The Foundation has ultimately elected to alter the fundamental nature of the proposal. Initially, this was written to:
Empower a group of delegates to review evidence in order to make an âemergencyâ decision to blacklist a group of validators, and
Provide a loose framework for future proposals that might put in place more effective oversight for a longer-term blacklist committee structure.
However, the broader Solana community has begun organizing in recent days to form a group that would arguably have greater reach and social layer authority than any committee formed by the Jito DAO alone. This meta-committee will be finalizing its structure and members in coming weeks, and from then on will be periodically publishing a list of blacklisted validators.
As such, a the Foundation will be putting forth a future proposal concerning what to do with the meta-committeeâs blacklist: if the DAO accepts it blindly, requests a seat on the meta-committee via DAO delegates, how it enforces a strike system or similar, and if the DAO should partially fund the committee, etc. However, the DAO no longer has to be the sole entity responsible for the publication and maintenance of the blacklist.
This does leave the immediate need to blacklist the current crop of validators. The current proposal has been updated to reflect that it seeks to empower a one-time group to review evidence and enforce the current blacklist, and that future blacklist decisions â based on data provided and vetted by the meta-committee â will depend on a future proposal.
Iâd like to thank @multichainmike, and @Otto, @Chainflow, and @Ian for their feedback on the forums, and note that their ideas for how to structure Jito DAOâs hypothetical committee will be considered in the construction of the meta-committee. Iâd also like to thank everyone who weighed in on the recent Delegate Call to build consensus on the Jito DAO taking an opinionated stance.