Polkadot is based on the GRANDPA finality gadget. In the formal paper GRANDPA is proven to be safe (no conflict blocks can be finalized) regardless of network conditions (you do need some assumptions for liveness). My question is - GRADPA is used within a committee (formed by the NPoS algorithm), so the safety proof is valid as long as you keep the same committee (the same set of players that are running GRANDPA). How can you prove that the system is still safe after you switch a committee? What prevents the new committee from finalizing blocks that conflicts with the finalization of the previous committee? For example, due to some network issues the new committee is not aware to the last decision of the old committee… Does the safety relies on some hidden assumption, such as that the new committee is composed mainly from old committee members, or that it is aware to all decisions by old committee once it starts working?
The new committee have to be signed by the old committee. So for example the new committee cannot finalize a block without an ancestor block that signed by old committee to approve the new committee.
Thanks for the reply. It makes more sense now. So the committee switch must be asynchronous I assume? A validator of the new committee must wait to see a supermajority of the old committee approvals (of the new committee) before it can start performing.
I don’t know all the details and I didn’t actually check code/spec so very likely I am wrong on this.
But I think the new validators will be announced beforehand and then enactment so everyone knows the upcoming committee.