Three tiers of participation:
1. Validator seats — capped at N (configurable; default 100), gated by
a transferable NFT. Only seat holders sign blocks and participate in
Quasar finality.
2. Delegators — open, anyone can delegate LUX to a validator to earn
a share of rewards minus commission. Delegations back validator stake
for consensus weight and slashing.
3. Read-only replicas — open, anyone can run a full node that syncs
state, verifies Quasar certs, serves RPC, and distributes light-client
proofs. No seat needed.
This gives bounded consensus cost (always N validators) with unbounded
economic participation (delegation) and unbounded service capacity
(replicas).
Fully permissionless validator sets (Ethereum-style) have two problems:
1. Unbounded consensus cost — more validators means more signatures,
more gossip, more state to track.
2. Validator quality drift — low barrier to entry attracts unreliable
operators.
Fully permissioned sets (old Diem, early Cosmos Hub) solve those but lose:
1. Economic openness — ordinary users can't contribute capital.
2. Service scaling — only the N validators can serve data, limiting
RPC/archival throughput.
The three-tier design captures the bounded-consensus benefit while
preserving open economic participation and horizontal service scaling.
No ERC-721 contract. The seat is a native X-Chain asset defined at genesis:
Genesis asset: SEAT
Name: LuxValidatorSeat
Symbol: LVS
Denomination: 0 (indivisible, NFT-like)
FixedCap: true
InitialSupply: N (default 100)
Mint: disabled after genesis (fixed supply)
OutputType: NFTTransferOutput (each unit has a unique token ID)
Each of the N seats is a distinct UTXO holding 1 × SEAT with a unique
token ID (0 to N-1). Transfers are standard X-Chain BaseTx consuming and
producing NFTTransferOutputs. No EVM, no contract.
Seats are:
lock (NFT is locked while its holder is an active validator + unbonding
period of 21 days).
can expand N via supermajority vote (P-Chain governance tx mints
additional SEAT NFTs).
be forfeited by governance vote (NFT burned and reissued).
Validators register on P-Chain by atomically importing their SEAT from
X-Chain and posting a self-bond:
AddPermissionedValidatorTx {
NodeID ids.NodeID
SeatImport *atomic.Input // X-Chain UTXO containing 1 × SEAT
SelfBond []*lux.TransferableInput // ≥ min_bond × LUX
CommissionBps uint16
MLDSAPubKey []byte
BLSPubKey []byte // both keys for PQ upgrade path
VRFKey []byte
Endpoints []Endpoint
Duration uint64 // seconds; max 1 year per registration
}
P-Chain verifies:
1. The imported UTXO contains exactly 1 × SEAT with a token ID not currently
bound to an active validator.
2. Self-bond is at least min_bond LUX.
3. Public keys are well-formed.
4. The signer controls both the imported UTXO and the self-bond inputs.
On success, the SEAT + self-bond are locked in a stake output on P-Chain
until the registration expires. At expiry (or via StopValidatorTx), the
SEAT is exported back to X-Chain and the LUX self-bond (minus any slashing)
is returned.
Delegators send LUX only — no SEAT required:
AddDelegatorTx {
NodeID ids.NodeID // which validator to back
LuxStake []*lux.TransferableInput // ≥ 10 LUX minimum
Duration uint64
}
The delegated stake is locked for the delegation duration + unbonding
period. Delegators share the validator's block and signing rewards minus
the validator's published commission rate.
Seats can be revoked for:
A revoked seat returns to the NFT pool for re-issuance.
Anyone holding LUX can delegate to any active validator:
Delegation {
Delegator common.Address
ValidatorSeat uint256
Amount uint64
StartTime uint64
}
Delegated LUX is locked for the duration of the delegation plus the
unbonding period. Delegators receive:
delegator_reward = (1 - commissionBps/10000) * share_of_validator_reward
validator_reward = commissionBps/10000 * delegator_reward + self_bond_share
When a validator is slashed, the slash hits:
1. Self-bond first (up to 100% of offense penalty)
2. Delegated stake proportionally (if self-bond insufficient)
This ensures validators eat their own risk first, then delegators share
residual penalty.
Delegators can initiate unbonding at any time. Funds become liquid after
the unbonding period (default 21 days) during which they remain slashable
for offenses committed during the bond period.
A read-only replica:
What it does NOT do:
The 100 validator nodes handle a fixed consensus workload. An unlimited
number of replicas can fan out the service workload:
The consensus cost (cert verification per block) is amortized across all
replicas, but signing cost stays with the 100 validators.
Replicas can earn revenue by:
1. Service fees — charge clients for RPC, archival queries, or
light-client proofs (set their own rate).
2. Data marketplace — sell archival indexes or custom data products.
3. Cross-chain relay — forward messages across chains (R-Chain pays).
4. Bridge attestation — watch for external chain events (B-Chain pays).
None of this is mandatory. Replicas that run purely for personal use pay
no fees but also earn none.
The seat count N is a P-Chain governance parameter, changeable via:
Requires 2/3 supermajority.
minted until N drops below target.
known, vetted operators.
Annual protocol rewards: 100M LUX distributed across C1-C4 work classes
(LP-047).
Per-seat share (assuming uniform stake):
Total seat revenue: ~540k LUX / year before commission.
At 500 bps (5%) commission:
For a delegator who stakes 100k LUX (0.01% of network):
Pure cost center unless the replica opts into service monetization.
With N=100 validators and k=32 committee per block:
The permissioned set size N=100 is small enough that light-client verify
time is dominated by the committee cost k=32, not N.
Fee distribution (LP-047) routes rewards to specific work classes. Under
permissioned validators:
the service
This keeps LP-047 unchanged; LP-048 just restricts who can hold C1-C5
work classes (seat NFT required).
A permissioned validator set changes the consensus threat model substantially.
When all 100 signers are vetted, bonded, identifiable institutions, the
attack surface is dominated by institutional security (legal, operational,
custody) rather than cryptographic security (can the primitive be broken).
This means the per-block consensus signature does not need to be PQ in the
same way a permissionless chain's does:
BLS12-381 aggregate signature is the pragmatic choice:
per-block cert = BLS_aggregate({sig_i | i in committee})
cert size = 96 bytes
verify time = ~1 ms (single pairing check)
Over ML-DSA at k=32 (~650 µs verify, 77 kB cert), BLS wins on both size
and operational simplicity. The PQ-safe alternative costs 100× in bytes
and 50% more in verify time for security that only matters after a
quantum adversary materialises AND subverts the institutional layer.
The protocol retains an upgrade capability so consensus can switch
to ML-DSA + Pulsar (per LP-045) if quantum materialises:
contract ConsensusPrimitive {
enum Scheme { BLS, MLDSA, Hybrid }
Scheme public current = Scheme.BLS;
// Activated by governance supermajority
function upgrade(Scheme newScheme) external onlyGovernance {
require(newScheme > current, "can only strengthen");
current = newScheme;
emit ConsensusUpgraded(newScheme);
}
}
Each seat NFT holder registers BOTH a BLS and ML-DSA key at seat
activation so the upgrade is a flag-flip, not a hard fork requiring
new registrations.
Regardless of active consensus primitive, era archival proofs are always
Groth16/PLONK over the era's block certs. This keeps long-term state
commitments PQ-safe even if consensus is BLS today.
or be freely transferable subject to unbonding? Lean toward free transfer
with economic bond.
avoids favoritism but may concentrate seats among well-capitalized
operators.
their revenue with replicas that serve their RPC? Not in the initial
design; replicas earn separately if they choose.
high friction (2/3 supermajority + 90-day notice) to preserve stability.