Centurion Phase 1 Validator Topology Optimization Report¶
Recommendation¶
Recommended profile: recommended_safe. Optimal total validator count: 48. Risk-adjusted annual net value: 86.52 CTN. Protected-scenario minimum active validators: 32 with minimum protected margin 0 to the configured scenario threshold and 0 to theoretical 2/3 finality.
The selected topology uses AWS_A/AWS_B/AWS_C as combined_node core nodes, GCP_A/GCP_B as combined_node / combined_node, and HOME as validator_client_only with an intentionally small validator allocation. Home improves margin and decentralization, but the home-down scenarios remain protected, so normal finality does not depend on home availability.
Recommended topology¶
| Site | Role | Validators | Beacon endpoints used by VC |
|---|---|---|---|
| AWS_A | combined_node | 8 | AWS_A, AWS_B, AWS_C, GCP_A, GCP_B |
| AWS_B | combined_node | 8 | AWS_A, AWS_B, AWS_C, GCP_A, GCP_B |
| AWS_C | combined_node | 8 | AWS_A, AWS_B, AWS_C, GCP_A, GCP_B |
| GCP_A | combined_node | 8 | AWS_A, AWS_B, AWS_C, GCP_A, GCP_B |
| GCP_B | combined_node | 8 | AWS_A, AWS_B, AWS_C, GCP_A, GCP_B |
| HOME | validator_client_only | 8 | AWS_A, AWS_B, AWS_C, GCP_A, GCP_B |
Beacon dependency graph¶
Every VC group is configured to use every full/beacon endpoint that is healthy and reachable in the scenario model. This intentionally avoids making GCP or home VCs AWS-only beacon dependents and lets AWS VCs fail over to GCP/home beacons when AWS beacon endpoints are degraded but AWS VC hosts remain alive.
Economics¶
- Gross expected annual validator rewards: 184.32 CTN
- Annual infrastructure cost: $7200.00 / 28.80 CTN
- Monthly infrastructure cost: $600.00 / 2.40 CTN
- Annual capital opportunity cost: 46.08 CTN
- Principal/capital required: 1536.00 CTN
- Expected downtime penalty: 17.56 CTN
- Slashing risk penalty: 1.44 CTN
- Operational risk penalty: 0.96 CTN
- Provider concentration penalty: 1.12 CTN
- Failure-domain concentration penalty: 0.64 CTN
- Operational complexity penalty: 2.40 CTN
- Beacon diversity bonus: 1.20 CTN
- Risk-adjusted annual net value: 86.52 CTN
Protected scenario matrix¶
| Scenario | Family | Protected | Active | Threshold | Margin vs threshold | Margin vs 2/3 | Survives |
|---|---|---|---|---|---|---|---|
| baseline_no_failure | baseline | True | 48 | 35 | 13 | 16 | True |
| aws_a_down | single_failure | True | 40 | 35 | 5 | 8 | True |
| aws_b_down | single_failure | True | 40 | 35 | 5 | 8 | True |
| aws_c_down | single_failure | True | 40 | 35 | 5 | 8 | True |
| gcp_a_down | single_failure | True | 40 | 35 | 5 | 8 | True |
| gcp_b_down | single_failure | True | 40 | 35 | 5 | 8 | True |
| home_down | single_failure | True | 40 | 35 | 5 | 8 | True |
| home_internet_down | single_failure | True | 40 | 35 | 5 | 8 | True |
| home_power_down | single_failure | True | 40 | 35 | 5 | 8 | True |
| beacon_aws_a_unavailable | beacon_dependency | True | 48 | 35 | 13 | 16 | True |
| beacon_aws_b_unavailable | beacon_dependency | True | 48 | 35 | 13 | 16 | True |
| beacon_aws_c_unavailable | beacon_dependency | True | 48 | 35 | 13 | 16 | True |
| beacon_gcp_a_unavailable | beacon_dependency | True | 48 | 35 | 13 | 16 | True |
| beacon_gcp_b_unavailable | beacon_dependency | True | 48 | 35 | 13 | 16 | True |
| beacon_home_unavailable | beacon_dependency | True | 48 | 35 | 13 | 16 | True |
| vc_aws_a_unavailable | single_failure | True | 40 | 35 | 5 | 8 | True |
| vc_aws_b_unavailable | single_failure | True | 40 | 35 | 5 | 8 | True |
| vc_aws_c_unavailable | single_failure | True | 40 | 35 | 5 | 8 | True |
| vc_gcp_a_unavailable | single_failure | True | 40 | 35 | 5 | 8 | True |
| vc_gcp_b_unavailable | single_failure | True | 40 | 35 | 5 | 8 | True |
| vc_home_unavailable | single_failure | True | 40 | 35 | 5 | 8 | True |
| full_aws_a_unavailable | beacon_dependency | True | 48 | 35 | 13 | 16 | True |
| full_aws_b_unavailable | beacon_dependency | True | 48 | 35 | 13 | 16 | True |
| full_aws_c_unavailable | beacon_dependency | True | 48 | 35 | 13 | 16 | True |
| full_gcp_a_unavailable | beacon_dependency | True | 48 | 35 | 13 | 16 | True |
| full_gcp_b_unavailable | beacon_dependency | True | 48 | 35 | 13 | 16 | True |
| full_home_unavailable | beacon_dependency | True | 48 | 35 | 13 | 16 | True |
| aws_a_down_plus_home_unavailable | critical_double | True | 32 | 32 | 0 | 0 | True |
| aws_b_down_plus_home_unavailable | critical_double | True | 32 | 32 | 0 | 0 | True |
| aws_c_down_plus_home_unavailable | critical_double | True | 32 | 32 | 0 | 0 | True |
| aws_a_down_plus_gcp_a_unavailable | critical_double | True | 32 | 32 | 0 | 0 | True |
| aws_a_down_plus_gcp_b_unavailable | critical_double | True | 32 | 32 | 0 | 0 | True |
| aws_b_down_plus_gcp_a_unavailable | critical_double | True | 32 | 32 | 0 | 0 | True |
| aws_b_down_plus_gcp_b_unavailable | critical_double | True | 32 | 32 | 0 | 0 | True |
| aws_c_down_plus_gcp_a_unavailable | critical_double | True | 32 | 32 | 0 | 0 | True |
| aws_c_down_plus_gcp_b_unavailable | critical_double | True | 32 | 32 | 0 | 0 | True |
| aws_a_down_plus_beacon_aws_b_unavailable | critical_double | True | 40 | 32 | 8 | 8 | True |
| aws_b_down_plus_beacon_aws_c_unavailable | critical_double | True | 40 | 32 | 8 | 8 | True |
| aws_c_down_plus_beacon_aws_a_unavailable | critical_double | True | 40 | 32 | 8 | 8 | True |
| home_unavailable_plus_beacon_aws_a_unavailable | critical_double | True | 40 | 32 | 8 | 8 | True |
| two_aws_regions_down_ab | critical_double | True | 32 | 32 | 0 | 0 | True |
| two_aws_regions_down_ac | critical_double | True | 32 | 32 | 0 | 0 | True |
| two_aws_regions_down_bc | critical_double | True | 32 | 32 | 0 | 0 | True |
| aws_a_down_plus_remote_vc_partition_from_aws_beacons | critical_double | True | 40 | 32 | 8 | 8 | True |
| aws_b_down_plus_remote_vc_partition_from_aws_beacons | critical_double | True | 40 | 32 | 8 | 8 | True |
| aws_c_down_plus_remote_vc_partition_from_aws_beacons | critical_double | True | 40 | 32 | 8 | 8 | True |
| aws_a_down_plus_gcp_a_beacon_unavailable | critical_double | True | 40 | 32 | 8 | 8 | True |
| aws_b_down_plus_gcp_b_beacon_unavailable | critical_double | True | 40 | 32 | 8 | 8 | True |
| gcp_a_and_gcp_b_unavailable | critical_double | True | 32 | 32 | 0 | 0 | True |
| aws_network_degradation_remote_to_aws_beacons | correlated | True | 48 | 35 | 13 | 16 | True |
| gcp_provider_wide_failure | correlated | True | 32 | 32 | 0 | 0 | True |
| all_aws_beacon_endpoints_unavailable | correlated | True | 48 | 35 | 13 | 16 | True |
Evaluated but not fully survived residual/correlated risks¶
These are not claimed as protected by the recommended profile:
- aws_provider_wide_failure: active 24/48, threshold 32
- shared_cl_client_bug: active 0/48, threshold 32
- shared_el_client_bug: active 0/48, threshold 32
- bad_config_deployed_to_all_aws_core_nodes: active 24/48, threshold 32
- bad_config_deployed_to_all_nodes: active 0/48, threshold 32
Tradeoff table¶
| Candidate | Status | Validators | AWS_A | AWS_B | AWS_C | GCP_A | GCP_B | HOME | GCP roles | Protected failed | Net CTN/yr |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 3 AWS nodes with 15 validators each | fails_some_protected | 45 | 15 | 15 | 15 | 0 | 0 | 0 | off, off | 10 | 98.36 |
| optimized validator count on 3 AWS nodes only | fails_some_protected | 63 | 21 | 21 | 21 | 0 | 0 | 0 | off, off | 10 | 145.16 |
| 3 AWS nodes + home VC | fails_some_protected | 42 | 12 | 12 | 12 | 0 | 0 | 6 | off, off | 16 | 81.44 |
| 3 AWS nodes + 2 GCP VC-only nodes | fails_some_protected | 40 | 8 | 8 | 8 | 8 | 8 | 0 | validator_client_only, validator_client_only | 16 | 76.09 |
| 3 AWS nodes + 1 GCP full node + 1 GCP VC-only node | fails_some_protected | 40 | 8 | 8 | 8 | 8 | 8 | 0 | combined_node, validator_client_only | 11 | 77.13 |
| 3 AWS nodes + 2 GCP combined nodes | fails_some_protected | 40 | 8 | 8 | 8 | 8 | 8 | 0 | combined_node, combined_node | 11 | 77.46 |
| 3 AWS nodes + 2 GCP nodes + home VC | survives_protected | 48 | 8 | 8 | 8 | 8 | 8 | 8 | combined_node, combined_node | 0 | 86.52 |
| maximum safe reward topology under the configured budget | optimal | 48 | 8 | 8 | 8 | 8 | 8 | 8 | combined_node, combined_node | 0 | 86.52 |
| optimizer-discovered superior fixed-budget layout | optimal | 48 | 8 | 8 | 8 | 8 | 8 | 8 | combined_node, combined_node | 0 | 86.52 |
Profile conclusions¶
- Minimal viable: use only the 3 AWS combined nodes with a small, evenly split validator count when the sole goal is theoretical finality through one AWS host loss. This is cheaper but has no preferred operational margin and no provider-independent beacon path.
- Recommended Phase 1: use 3 AWS combined nodes + 2 GCP combined nodes + HOME as validator_client_only. This is the best modeled net-value topology under the protected scenario set.
- Maximum reward under current safety constraints: identical to, or no better than, the recommended robust allocation because critical double-failure constraints cap safe validator count before the configured capital limit is exhausted.
- Higher-resilience: shifts stake away from AWS to survive an AWS provider-wide outage at hard finality, but the reduced validator count lowers modeled net value and it still cannot honestly claim survival of every all-provider/all-client correlated fault.
- Not worth using: GCP VC-only expansion without a non-AWS beacon endpoint. It adds validators but preserves AWS beacon dependency and fails AWS-beacon-degradation scenarios.
Explicit hidden correlated-risk warnings¶
The model can evaluate but does not claim to solve all catastrophic correlated events. A bad deployment pushed to every node, a shared CL/EL client bug affecting all full nodes, duplicate-key operational mistakes outside the generated assignment plan, or a broad network partition can still break liveness/finality. The model assumes distinct validator keys per site allocation and all-to-all beacon failover configuration; implementation drift from those assumptions invalidates the recommendation.