At the core of Dusk’s security model lies a clear assumption: the safety of the network depends not just on cryptography, but on how stake is distributed and behaves over time. Unlike simplistic proof-of-stake designs that assume all validators are either honest or malicious in the abstract, Dusk’s provisioner system explicitly models different categories of stake and uses those assumptions to reason about consensus safety.
Dusk separates stake into conceptual groups to understand how the network behaves under adversarial conditions. In the theoretical model, total active stake represents all DUSK that is currently eligible to participate in block generation and validation. Within this active set, stake is further divided into honest stake and Byzantine stake. Honest stake belongs to provisioners that follow the protocol rules, while Byzantine stake represents provisioners that may behave maliciously, collude, or attempt to disrupt consensus.
This distinction is critical because consensus security is not about eliminating malicious actors, but about ensuring they can never gain enough influence to break safety or liveness. Dusk’s assumptions are designed so that as long as honest stake outweighs Byzantine stake beyond a defined threshold, the protocol can guarantee correct block agreement and finality. The system does not need to know who is honest or dishonest in practice. It only needs the economic reality that controlling a majority of stake is prohibitively expensive.
Importantly, these stake categories exist only in the theoretical security model. On the actual network, there is no function that labels a provisioner as honest or Byzantine. The protocol treats all provisioners the same and relies on cryptographic proofs, randomized committee selection, and economic incentives to ensure correct behavior. This separation between theory and implementation is intentional. It allows formal reasoning about security without introducing trust assumptions or identity-based judgments into the live system.
Eligibility windows also play a major role in Dusk’s assumptions. Stake is not permanently active. Provisioners must commit stake for defined periods, after which eligibility expires. This limits long-term attack strategies and prevents adversaries from accumulating dormant influence. By enforcing clear entry and exit conditions for active stake, Dusk ensures that security assumptions remain valid across time rather than degrading silently.
Another key aspect is committee-based participation. Even if an attacker controls a portion of total stake, they must also be selected into the right committees at the right time to cause harm. Because committee selection is randomized and private, Byzantine stake cannot reliably position itself where it would be most effective. This turns stake-based attacks into probabilistic gambles rather than deterministic strategies, dramatically increasing their cost and uncertainty.
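
To put numbers on the committee argument above, the following added example (not code from Dusk or its specification) computes the chance that Byzantine stake fills a quorum of seats in one randomly drawn committee, and in at least one of many committees. It assumes a simplified model in which each seat is an independent stake-weighted draw; the committee size of 64 and the two-thirds quorum rule are illustrative values chosen here, not protocol parameters taken from this page.

```python
from fractions import Fraction
from math import comb, expm1, log1p

def min_quorum(committee_size, ratio=Fraction(2, 3)):
    """Smallest number of seats strictly greater than `ratio` of the committee."""
    return int(committee_size * ratio) + 1

def capture_probability(byz_share, committee_size, quorum):
    """P[Byzantine seats >= quorum] for one committee, as an exact Fraction.

    Simplified model (assumption): every seat is an independent draw that
    lands on Byzantine stake with probability `byz_share`.
    """
    p = Fraction(byz_share)
    return sum(
        comb(committee_size, k) * p**k * (1 - p) ** (committee_size - k)
        for k in range(quorum, committee_size + 1)
    )

def any_capture(per_committee, committees):
    """P[at least one of `committees` independent committees is captured].

    Uses log1p/expm1 so that very small per-committee probabilities
    are not rounded away to zero.
    """
    return -expm1(committees * log1p(-float(per_committee)))

if __name__ == "__main__":
    SIZE = 64                   # assumed committee size, for illustration only
    QUORUM = min_quorum(SIZE)   # 43 seats under the assumed two-thirds rule
    shares = (Fraction(1, 10), Fraction(1, 5), Fraction(1, 3), Fraction(2, 5))
    for share in shares:
        once = capture_probability(share, SIZE, QUORUM)
        many = any_capture(once, 1_000_000)
        print(f"byzantine share {float(share):.2f}: "
              f"one committee {float(once):.3e}, "
              f"any of 1e6 committees {many:.3e}")
```

The output shows how quickly the capture probability falls as the Byzantine share drops below the quorum ratio, and how much of that margin is used up when an adversary gets many committee draws over time.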
From a system design perspective, these assumptions allow Dusk to deliver fast, irreversible finality without exposing validators or relying on centralized oversight. The protocol does not attempt to detect malicious intent directly. Instead, it assumes rational economic behavior and structures incentives so that honest participation is consistently more profitable than attacking the network.
Stake-based security in Dusk is not built on trust in participants, but on measurable economic limits and statistical guarantees. By modeling honest and Byzantine stake at the theoretical level and enforcing neutrality at the protocol level, the Dusk network achieves a consensus system that is both robust against attacks and practical for real-world financial use.
