Validator Audits & Penalties
Auditing as an obligated validator duty — random audit sampling, deterministic fraud proofs, and fact-layer penalties that feed back into diffusion policy.
Optimistic diffusion claims shift heavy computation to provers, but the protocol still needs reliable verification at high volume. In mature markets, relying on a voluntary challenger ecosystem can suffer from free-riding (the “verifier’s dilemma”).
Local Protocol addresses this by making auditing an obligated validator duty, enforced by standard consensus incentives (rewards + slashing).
Audit sampling (unpredictable, canonical)
At epoch boundary
: all diffusion claims included during epoch : audit budget (a fixed count or fraction per epoch)
Using
Audit assignment (obligations, not volunteers)
Each audited claim
Assigned auditors must publish an AuditAttestation by a strict deadline, or be slashable.
What auditors verify (bounded work)
Claims are market-relative: each claim is verified in a market context marketId = m, using the market’s committed teleport distribution
Auditors verify a bounded subset of transcript walks/steps derived canonically, and check the opened transitions against the committed snapshot roots. The transcript format and commitment rules live in the claim protocol:
Audit outcomes and accountability
Auditors publish one of:
- VALID: with transcript fragments sufficient for anyone to reproduce the checks
- INVALID: a concrete fraud proof (openings + proofs showing a violation)
Fraud proofs are deterministic
A fraud proof is valid iff any full node can deterministically replay the sampled checks and obtain a mismatch. Concretely, a fraud proof includes:
claimId,txid,epoch: t,, and the claim parameter commitment (e.g., ParamsHash)- the sampled walk indices (or enough data to recompute them from
) - the opened transcript fragments (Merkle openings from
TranscriptRoot) - the Merkle/alias openings required to verify market-scoped transitions against
and teleport sampling against the market seed root (opened via )
This is the standard optimistic “fraud proof” pattern (e.g., Truebit, Arbitrum), specialized to sampled Monte Carlo transcripts rather than full VM traces.
Audit deadline and claim finality (fail-closed for audited claims)
Audited claims finalize under a fail-closed rule:
- rewards are escrowed at submission time
- if a claim is in
, it cannot finalize as VALID by timeout alone - the claim becomes:
- INVALID immediately upon inclusion of a valid fraud proof
- VALID once at least one assigned auditor posts a VALID attestation and the deadline passes without any valid fraud proof
- PENDING (locked) if the deadline passes with no VALID attestation (and no-show auditors are slashable)
To prevent rubber-stamping:
- No-show: assigned auditor misses deadline → slashable
- False attestation: auditor attests VALID but a fraud proof is later posted → slashable
Penalties (fact-layer) and how they affect future trust
When an audited claim fails, the protocol applies objective penalties and then feeds them back into diffusion policy.
1) Edge slashing
For a failed edge
2) Bond slashing
The claim bond
3) Penalty vector (ledger fact)
Maintain a per-node penalty score
Optional bounded neighbor spillover:
4) How penalties modify policy inputs
Penalty-adjusted seed weights (before normalization):
Risk-based claim constraints (examples):