[PASSED] CO-PIP5: Upgrade Staking Program in Mainnet to add Staking for data integrity

CO-PIP-5: Upgrade Staking Program in Mainnet to add Staking for data integrity

Abstract

In response to the proposal and the design by CMS of a community integrity staking program that aims at making the Pyth Network the most robust and secure oracle network to its DeFi users, Douro Labs has now completed the implementation of the staking program and proposes its deployment to mainnet. The new staking program for oracle integrity is independent of the current staking program for Governance, enabling Pyth DAO members to stake in both programs.

The audited implementation is inline with the original design proposed. The proposed deployment includes a number of parameters that are suggested given simulations that Douro Labs team has performed and that anyone in the community can replicate.

The success of the new staking program is dependent on a reward pool being funded and adoption by the Pyth community.

Rationale

  • Staking for the integrity of data and its accuracy bolsters protections for quality data production for consumers
  • Douro Labs has been the biggest code contributor to the Pyth Network to date. We deeply care about making DeFi safer for everyone through the Pyth Network
  • This staking program will establish the Pyth Network as the first secured oracle for its users

Description

The implementation of the staking program follows the original design proposed by the community.

1. Design Principles

The program’s economic design is focused on encouraging data accuracy. The implementation assumes an open-ended reward pool that distributes rewards for helping to secure the quality of the data produced, and slashes stake to penalise failure to maintain data accuracy.

As a recap, the core design principles behind the program proposed include the following:

  • All current and future price feeds produced currently by the Pyth Network are secured by Integrity Staking
  • Data publishers and stakers facilitate data accuracy
  • Rewards and penalties are proportionate to the stake assigned to each publisher
  • A higher number of publishers for each price feed contributes positively to the security of such feed
  • Staking for integrity is complementary to staking for governance and such eligible PYTH tokens can be used for both purposes
  • The ability to slash stake requires unlocked PYTH tokens, whereas staking for governance can use both locked and unlocked PYTH tokens
  • All parameters related to the protocol are subject to the governance of the Pyth DAO
  • Slashing rules and procedures are also subject to the governance of the Pyth DAO. Their implementation is delegated to the Pythian Council

2. Proposed Implementation

The proposed implementation follows the structure described below:

  1. The same 7-day epoch for governance voting applies to staking for oracle integrity. All parameters used in the protocol are captured at each start of the epoch on Thursdays 0:00 UTC and remain constant until the end of the epoch. Staking is subject to warmup and cooldown period prior and post epoch respectively
  2. Each publisher is programmatically assigned a staking pool where they can self-stake and to which other stakers can delegate
    • The staking pool assigned to each publisher covers all price feeds that the publisher contributes data to
    • Each staking pool has at a soft cap. Such cap dynamically expand and shrink given number of symbols published by the assigned publisher
    • Adding coverage for a price feed with a low number of publishers contribute more to the cap’s expansion
    • Staking into the pool can exceed the soft cap, however no rewards are distributed for the excess stake
    • Self-stake attributed to a publisher is prioritised when rewards are distributed to the publisher’s pool
    • All staking pools charge the same delegation fee for stakers who are delegating stake to one or many pools
  3. The rate of rewards paid each epoch to each pool, exclusive of any excessive stake, has a hard cap
  4. The total amount of rewards paid to all pools is bound by the same cap relative to the amount of rewards available to the protocol
  5. Slashing of stake has a maximum rate and only impacts pools that assigned to publishers responsible for the poor data quality. Both self-stakers and delegators are also slashed proportionally to their staked amount in the impacted pools

3. Mathematical Representation

  • Let Publishers be the set of data publishers in the Pyth Network
  • Let P be the number of data publishers in the Pyth Network, equal to the number of publisher pools in the system, or P = |Publishers|
  • Let $S_p$ be the stake assigned to the pool assigned to publisher p , made of self-staked amount $S^{p}_{p}$ and delegated stake $S^{d}_{p}$ , or $S_{p} = S^{p}_{p} + S^{d}_{p}$
  • Let $C_p$ be the stake cap for the pool assigned to publisher p
  • Let $R_{p}$ be the reward paid to the pool assigned to publisher p , while $R^{d}_{p}$is the reward allocated to delegated stake, or $R^{d}_{p} = R_{p} - R^{p}_{p}$
  • Let $SL_p$ be the amount slashed from the pool assigned to publisher p
  • Let y be the yearly cap to the rate of rewards for any pool
  • Let wbe the cap to the slashing percentage from any pool
  • Let Symbols_p be the set of price feeds produced by the Pyth Network where p is a publisher (each of them identified by symbol s)
  • Let $n_s$ be the number of publishers for symbol s
  • Let f be the delegation fee charged to delegated stake, as a percentage of the pool’s rewards from delegation, making the delegation fee amount equal to $f \cdot R^d_p$
  • Let $\Pi^p_p$ and $\Pi^d_p$ be the rewards net of slashing distributed by the pool to the publisher and its delegators respectively

The stake cap $C_p$ for each pool explained in 2.2.b is represented by the following:

C_p = M \cdot \sum_{s \in \text{Symbols\_p}} \frac{1}{\max(n_s, Z)}

where

  • M is a constant parameter representing the target stake per symbol
  • Z is a constant parameter to control cap contribution from symbols with a low number of publishers

The reward $R_p$ paid to each pool in 2.2.c follows the formula below:

R_p = y \cdot \min(S_p, C_p)

while the total amount of such rewards is bounded per 2.2.d:

\sum_{p \in \text{Publishers}} R_p \leq y \cdot \min(NumSymbols \cdot M, \sum_{p=1}^{P} S_p)

The reward component relative the amount self-staked by the publisher p is:

R^{p}_{p} = y \cdot \min(S^p_p, C_p) = R_p - R^d_p

The slashed amount $SL_p$ from each pool in 2.2.e follows the formula below

SL_p = w \cdot S_p = w \cdot (S^{p}_{p} + S^{d}_{p})

and is uniformly allocated to both the self-staking publisher and delegators in the pool, pro-rata to their respective stake.

Subsequently, the rewards received by a publisher and delegators into a pool, net of any slashed amounts can be expressed as below

\Pi^p_p = ( R^p_p + f \cdot R^d_p ) - w \cdot S^p_p

\Pi^d_p = R^d_p - ( f \cdot R^d_p + w \cdot S^d_p )

4. Suggested Parameters and Simulation Results

Douro Labs suggests that the Pyth DAO sets the program parameters to the following:

  • M = 1800000 as the target stake per symbol
  • Z = 10 as the parameter to control cap contribution from symbols with a low number of publishers
  • y = 1000bps as the yearly cap to the rate of rewards for any pool, or 19.24bps for each epoch
  • f = 2000bps as the delegation fee charged by the pool for delegated stake
  • w = 500bps as the maximum slashing percentage from any pool

Given the program parameters above and assuming

  • a total reward pool of 100M tokens,
  • a 100% growth in the number symbols supported by the Pyth Network,
  • a 30% growth in the number of publishers on the Network,
  • a normal distribution of amounts staked per pool ranging from 500k to 30M tokens, and
  • no slashing event

the P95 rate of return for one year relative to the total amount staked is simulated as shown in the figure below:

If we assume the reward pool is halved at 50M, the results change as below:

Implementation Plan

  1. DAO constitution changes to add Staking for data integrity: link
  2. Security Audit report: link
  3. Technical deployment:

Proposal ID - 7WRmpgAno6hYFeGkmub5N6XkhneAsfsAhycMoFMXgpNZ

5 Likes

this is a big step for Pyth Network!

i kinda understood most of it but definitely not the Mathematical Representation! :sweat_smile:

i have one request, is it possible to have an explanation about the simulation? looking at the graph, but i cannot understand it.

Also, saw the realms voting already, can we also have the link of the on-chain voting here?
Realms has the link to the forum, might also be good to have it here.
just a suggestion.

Edit:
one more thing, i think you forgot the Constitutional-pip tag

thank you

2 Likes

the proposal above includes the proposal ID with the link to Realms for voting.

the simulation results included in the proposal aim to illustrate one of the properties of the staking program as designed by the community:

  • the annual rate of return is subject the size of the reward pool, the total stake, the amount slashed, and the number of publisher pools and the staking cap for each of the pools

  • for instance, the rate of rewards decreases as the amount staked into the program increases: such increase could be result of more publishers in the network, and/or more symbols published allowing for higher staking cap, and/or changes in parameters like M which allow to expand/downsize the staking cap

  • The rate at which the rate of return changes is also subject to the total rewards available to distribute (in the first figure the assumption was for 100M PYTH tokens in the reward pool, while the second assumes half that amount)

1 Like

We, Pingu Exchange, support this proposal. Adding more utility to the PYTH token is a smart move, but what’s even better is how it strengthens network security by tying rewards to data integrity. This approach not only builds trust in the data, but also encourages more community engagement. It’s a win-win for everyone involved and helps build a stronger, more secure network.

5 Likes

well i’ve missed the link in the proposal ID, sorry!

thanks for the explanation about the simulation.

one more question,
read that suggestion for the max slashing percentage is 5% (w = 500bps)
but i cannot see any formula on how it is being computed
(please excuse if i am being blind again)

thank you

Edit:
Read the docs again, looks like it will depend on the council.

from the above, the slashable amount is a maximum of 500bps of the total stake in the pools of those publishers responsible for the data misprint:

SL_p = w \cdot S_p = w \cdot (S^{p}_{p} + S^{d}_{p})

The slashing is uniformly allocated to both the self-staking publisher and delegators in the pool, pro-rata to their respective stake.

The updated Pyth DAO Constitution in this proposal delegates the review, execution and reporting over slashing to the Pythian Council. Any slashed amount is sent to the DAO treasury.

sorry i might not be clear with my question

I was asking for the formula for w
but form the docs, i saw that council will decide on it
with max being 5%

so its all good. thanks!

  • In the case that the evidence corroborates, the Pythian Council will identify the publishers responsible for the slashing and define a slashable amount, up to 5% of the total amount staked into the pools of the publishers responsible the event

source:
https://docs.pyth.network/home/oracle-integrity-staking/slashing-rulebook

to @Pyth-DAO

for questions regarding OIS
do we bring it to OIS Category of the forum?
it looks like and idea forum more so than a discussion forum
i might have some other questions about OIS and would love to post on the correct forum

thank you

1 Like