TIP-1017 Validator Config V2#2181
Merged
SuperFluffy merged 28 commits intomainfrom Feb 9, 2026
Merged
Conversation
SuperFluffy
force-pushed
the
janis/val-cfg-v2
branch
2 times, most recently
from
e61f62b to
9824220
Compare
jenpaff
reviewed
Jan 20, 2026
SuperFluffy
force-pushed
the
janis/val-cfg-v2
branch
3 times, most recently
from
920281b to
983e145
Compare
SuperFluffy
commented
Jan 21, 2026
SuperFluffy
commented
Jan 21, 2026
SuperFluffy
force-pushed
the
janis/val-cfg-v2
branch
from
983e145 to
7ec1892
Compare
dankrad
reviewed
Jan 21, 2026
dankrad
reviewed
Jan 21, 2026
Co-authored-by: dankrad <mail@dankradfeist.de>
SuperFluffy
force-pushed
the
janis/val-cfg-v2
branch
from
57d29ca to
cbf2d15
Compare
legion2002
reviewed
Jan 23, 2026
Zygimantass
reviewed
Jan 23, 2026
Zygimantass
reviewed
Jan 23, 2026
Zygimantass
reviewed
Jan 23, 2026
| at the boundary height: | ||
|
|
||
| ``` | ||
| if chainspec.is_allegro_active_at_timestamp(block.timestamp) { |
Member
There was a problem hiding this comment.
Suggested change
| if chainspec.is_allegro_active_at_timestamp(block.timestamp) { | |
| if chainspec.is_hardfork_active_at_timestamp(contract_upgrade_hardfork, block.timestamp) { |
Contributor
Author
There was a problem hiding this comment.
Why the extra contract_upgrade_hardfork argument?
howydev
reviewed
Jan 26, 2026
howydev
reviewed
Jan 26, 2026
howydev
reviewed
Jan 26, 2026
howydev
reviewed
Jan 27, 2026
howydev
reviewed
Jan 27, 2026
## Summary **Manual migration**: Admin migrates validators one at a time via `migrateValidator(valIdx)`, then calls `initialize()` to flip the flag. CL reads from V1 until the flag is set. | Change | Description | |--------|-------------| | **Read before init** | CL reads directly from V1 (no proxying in V2) | | **migrateValidator(valIdx)** | Migrates single validator; copies owner on first call; reverts if `valIdx != validatorsArray.length` | | **initialize()** | Copies `nextDkgCeremony` from V1, sets `initialized = true` | | **Active validators** | `addedAtHeight = 0`, `deletedAtHeight = 0` | | **Inactive validators** | `addedAtHeight = deletedAtHeight = block.timestamp` | | **Filter logic** | `v.addedAtHeight <= H && (deletedAtHeight == 0 \|\| deletedAtHeight > H)` | ## Migration Steps (Existing Networks) 1. Release new node software with Allegro hardfork support 2. Schedule the fork by updating chainspec with target `allegroTime` 3. At fork activation: CL reads from V1 (since `isInitialized() == false`) 4. Admin migrates validators: `migrateValidator(0)`, `migrateValidator(1)`, ... 5. Admin calls `initialize()` → sets `initialized = true`, CL reads from V2 6. Post-migration: All reads/writes use V2 state directly ## New Networks 1. Initialize V2 at genesis with the initial validator set (set `initialized = true`) 2. Set `allegroTime = 0` to activate V2 immediately 3. V1 Validator Config contract/precompile is not necessary --------- Co-authored-by: Amp <amp@ampcode.com> Co-authored-by: Richard Janis Goldschmidt <github@aberrat.io> Co-authored-by: Tanishk Goyal <goyaltanishk02@gmail.com>
SuperFluffy
force-pushed
the
janis/val-cfg-v2
branch
from
8c6d695 to
5160339
Compare
howydev
approved these changes
Feb 6, 2026
hamdiallam
approved these changes
Feb 6, 2026
malleshpai
reviewed
Feb 7, 2026
| function deactivateValidator(address validatorAddress) external; | ||
|
|
||
| /// @notice Rotate a validator to a new identity (owner or validator only) | ||
| /// @dev Atomically deletes the specified validator entry and adds a new one. This is equivalent |
Contributor
There was a problem hiding this comment.
If you do it this way, and I rotate a validator mid-epoch, i would be ineligible to participate in the next DKG right? is that intentional? the fact that you're saying it is equivalent to delete and then add suggests that it is intentional, but given our current thin margins is this safe (we might have too few players available for the next dkg)
Contributor
There was a problem hiding this comment.
nevermind now i understand. it might be worth explaining to validators that rotation involves a one epoch worth of deactivation (if it wasn't explained somewhere that i missed) but i think no change needed here.
Contributor
There was a problem hiding this comment.
maybe worth a test case?
Contributor
Author
There was a problem hiding this comment.
It is briefly explained in the doc, but I agree - we should make this part of the docs so people understand.
But you pointing this out raises a point about how this spec wants to make deactivation immediate while leaving 1 epoch to warmup the new validator:
- in epoch
E: callrotateValidator($old, $new) - in epoch
E+1:$oldleaves the set of players (it is still a validator + dealer in this epoch);$newis not a player, merely registered as a peer and receives votes and certificates allowing it to sync up - in epoch
E+2:$olddropped out of the committee;$newis a player and will receives shares from the other dealers to acknowledge - in epoch
E+3:$newis in the committee.
This means there is a forced downtime of 1 epoch.
malleshpai
reviewed
Feb 7, 2026
| 14. **Address update**: `transferValidatorOwnership` updates the address of an existing | ||
| validator without changing any other fields. This is useful for updating | ||
| addresses post-migration or correcting address assignments. | ||
|
|
Contributor
There was a problem hiding this comment.
this clashes with invariant 2?
Contributor
Author
There was a problem hiding this comment.
Good catch! I updated invariant 2 and moved 14 into position 3 to clarify this point: validatorAddress is only mutable by the contract owner to address post-migration fixes. It cannot be changed by the owner of the entry.
malleshpai
approved these changes
Feb 8, 2026
| function deactivateValidator(address validatorAddress) external; | ||
|
|
||
| /// @notice Rotate a validator to a new identity (owner or validator only) | ||
| /// @dev Atomically deletes the specified validator entry and adds a new one. This is equivalent |
Contributor
There was a problem hiding this comment.
maybe worth a test case?
| 8. **Historical consistency**: For any height H, the active validator set | ||
| consists of validators where `addedAtHeight <= H && (deactivatedAtHeight == 0 || | ||
| deactivatedAtHeight > H)`. Validators with `addedAtHeight == deactivatedAtHeight` are | ||
| never considered active. |
Contributor
There was a problem hiding this comment.
should add !=0 here right? otherwise you rule out migrated vals...
Contributor
Author
There was a problem hiding this comment.
Thank you once more. This, too, was incorrect. addedAtHeight = block.height always: f80ecc4
| )) | ||
| ``` | ||
|
|
||
| The old validator is identified by `msg.sender`, which must be an existing active validator. |
Contributor
There was a problem hiding this comment.
i think this contradicts invariant 11?
Contributor
Author
There was a problem hiding this comment.
Removed that comment - unnecessary and confusing: d57544c
|
|
||
| --- | ||
|
|
||
| # Invariants |
Contributor
There was a problem hiding this comment.
Amp suggested this: "For validators added via addValidator, addedAtHeight > 0. addedAtHeight == 0 is reserved for validators migrated from V1
Contributor
Author
There was a problem hiding this comment.
I changed this in f80ecc4: addedAtHeight is now always set to block.height. While this might be confusing for historical backlook, this is fine from CL's point of view because we only care about looking forward.
…n/deletion of validators
SuperFluffy
commented
Feb 9, 2026
| **Validator Addition and Deactivation**: When validators are added or deleted (this also applies to rotation), | ||
| there is no warmup period: deactivated validators are immediately removed from the set of players on the next epoch, | ||
| while activated validators are immediately added on the next epoch. This means that compared to validator config V1, | ||
| there is no cooldown and no warmup period. |
Contributor
Author
There was a problem hiding this comment.
@Zygimantass for confirmation: there is no cooldown and warmup period anymore.
github-merge-queue
Bot
removed this pull request from the merge queue due to failed status checks
github-merge-queue
Bot
removed this pull request from the merge queue due to failed status checks
This was referenced Feb 11, 2026
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Feb 12, 2026
Prepares peer management for the changes in #2181 (TIP 1017) by moving it to a self standing actor: after the hardfork, it will check every finalized block for changes to IP addresses in the peer set and update its tracked peers accordingly. For now there are no other changes other than delegating messages to the peer manager to its wrapped p2p oracle.
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Feb 12, 2026
Prepares peer management for the changes in #2181 (TIP 1017) by moving it to a self standing actor: after the hardfork, it will check every finalized block for changes to IP addresses in the peer set and update its tracked peers accordingly. For now there are no other changes other than delegating messages to the peer manager to its wrapped p2p oracle.
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Feb 13, 2026
… state (#2638) Migrates the DKG actor's state from a continuous journal to a `Metadata` object. The journal had unnecessary extra complexity that was not needed. The `Metadata` object is simpler to reason about. This migration is non-breaking: the journal is migrated to metadata and deleted. If a metadata object is already present it is not overwritten. As part of the migration, the DKG actor no longer tracks the socket addresses of dealers and players. This information is available in the execution layer state and can be read from there. These changes are in preparation for the Validator Config V2 where address tracking will be moved out of the DKG actor. Related #2181, #2617
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
8 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Rendered TIP-1017