referrerpolicy=no-referrer-when-downgrade

pallet_staking_async/pallet/
mod.rs

1// This file is part of Substrate.
2
3// Copyright (C) Parity Technologies (UK) Ltd.
4// SPDX-License-Identifier: Apache-2.0
5
6// Licensed under the Apache License, Version 2.0 (the "License");
7// you may not use this file except in compliance with the License.
8// You may obtain a copy of the License at
9//
10// 	http://www.apache.org/licenses/LICENSE-2.0
11//
12// Unless required by applicable law or agreed to in writing, software
13// distributed under the License is distributed on an "AS IS" BASIS,
14// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15// See the License for the specific language governing permissions and
16// limitations under the License.
17
18//! `pallet-staking-async`'s main `pallet` module.
19
20use crate::{
21	asset, session_rotation::EraElectionPlanner, slashing, weights::WeightInfo, AccountIdLookupOf,
22	ActiveEraInfo, BalanceOf, EraPayout, EraRewardPoints, ExposurePage, Forcing,
23	LedgerIntegrityState, MaxNominationsOf, NegativeImbalanceOf, Nominations, NominationsQuota,
24	PositiveImbalanceOf, RewardDestination, StakingLedger, UnappliedSlash, UnlockChunk,
25	ValidatorPrefs,
26};
27use alloc::{format, vec::Vec};
28use codec::Codec;
29use frame_election_provider_support::{ElectionProvider, SortedListProvider, VoteWeight};
30use frame_support::{
31	assert_ok,
32	pallet_prelude::*,
33	traits::{
34		fungible::{
35			hold::{Balanced as FunHoldBalanced, Mutate as FunHoldMutate},
36			Mutate, Mutate as FunMutate,
37		},
38		Contains, Defensive, DefensiveSaturating, EnsureOrigin, Get, InspectLockableCurrency,
39		Nothing, OnUnbalanced,
40	},
41	weights::Weight,
42	BoundedBTreeSet, BoundedVec,
43};
44use frame_system::{ensure_root, ensure_signed, pallet_prelude::*};
45pub use impls::*;
46use rand::seq::SliceRandom;
47use rand_chacha::{
48	rand_core::{RngCore, SeedableRng},
49	ChaChaRng,
50};
51use sp_core::{sr25519::Pair as SrPair, Pair};
52use sp_runtime::{
53	traits::{StaticLookup, Zero},
54	ArithmeticError, Perbill, Percent,
55};
56use sp_staking::{
57	EraIndex, Page, SessionIndex,
58	StakingAccount::{self, Controller, Stash},
59	StakingInterface,
60};
61
62mod impls;
63
64#[frame_support::pallet]
65pub mod pallet {
66	use core::ops::Deref;
67
68	use super::*;
69	use crate::{
70		session_rotation::{self, Eras, Rotator},
71		IsValidatorInactive, PagedExposureMetadata, SnapshotStatus,
72	};
73	use codec::HasCompact;
74	use frame_election_provider_support::{ElectionDataProvider, PageIndex};
75	use frame_support::{traits::ConstBool, weights::WeightMeter, DefaultNoBound, PalletError};
76
77	/// Dimensionless weight from the validator self-stake incentive curve. Same underlying type as
78	/// `BalanceOf<T>` for arithmetic compatibility, but represents the output of the sqrt weight
79	/// function.
80	pub(crate) type IncentiveWeight<T> = BalanceOf<T>;
81
82	/// Represents the current step in the era pruning process
83	#[derive(Encode, Decode, Clone, Copy, PartialEq, Eq, Debug, TypeInfo, MaxEncodedLen)]
84	pub enum PruningStep {
85		/// Pruning ErasStakersPaged storage
86		ErasStakersPaged,
87		/// Pruning ErasStakersOverview storage
88		ErasStakersOverview,
89		/// Pruning ErasValidatorPrefs storage
90		ErasValidatorPrefs,
91		/// Pruning ClaimedRewards storage
92		ClaimedRewards,
93		/// Pruning ErasValidatorReward storage
94		ErasValidatorReward,
95		/// Pruning ErasRewardPoints storage
96		ErasRewardPoints,
97		/// Pruning single-entry storages
98		SingleEntryCleanups,
99		/// Pruning ValidatorSlashInEra storage
100		ValidatorSlashInEra,
101		/// Pruning ErasValidatorIncentiveWeight storage
102		ErasValidatorIncentiveWeight,
103	}
104
105	/// The in-code storage version.
106	const STORAGE_VERSION: StorageVersion = StorageVersion::new(18);
107
108	#[pallet::pallet]
109	#[pallet::storage_version(STORAGE_VERSION)]
110	pub struct Pallet<T>(_);
111
112	/// Possible operations on the configuration values of this pallet.
113	#[derive(TypeInfo, Debug, Clone, Encode, Decode, DecodeWithMemTracking, PartialEq)]
114	pub enum ConfigOp<T: Default + Codec> {
115		/// Don't change.
116		Noop,
117		/// Set the given value.
118		Set(T),
119		/// Remove from storage.
120		Remove,
121	}
122
123	#[pallet::config(with_default)]
124	pub trait Config: frame_system::Config {
125		/// The old trait for staking balance. Deprecated and only used for migrating old ledgers.
126		#[pallet::no_default]
127		type OldCurrency: InspectLockableCurrency<
128			Self::AccountId,
129			Moment = BlockNumberFor<Self>,
130			Balance = Self::CurrencyBalance,
131		>;
132
133		/// The staking balance.
134		#[pallet::no_default]
135		type Currency: FunHoldMutate<
136				Self::AccountId,
137				Reason = Self::RuntimeHoldReason,
138				Balance = Self::CurrencyBalance,
139			> + FunMutate<Self::AccountId, Balance = Self::CurrencyBalance>
140			+ FunHoldBalanced<Self::AccountId, Balance = Self::CurrencyBalance>;
141
142		/// Overarching hold reason.
143		#[pallet::no_default_bounds]
144		type RuntimeHoldReason: From<HoldReason>;
145
146		/// Just the `Currency::Balance` type; we have this item to allow us to constrain it to
147		/// `From<u64>`.
148		type CurrencyBalance: sp_runtime::traits::AtLeast32BitUnsigned
149			+ codec::FullCodec
150			+ DecodeWithMemTracking
151			+ HasCompact<Type: DecodeWithMemTracking>
152			+ Copy
153			+ MaybeSerializeDeserialize
154			+ core::fmt::Debug
155			+ Default
156			+ From<u64>
157			+ TypeInfo
158			+ Send
159			+ Sync
160			+ MaxEncodedLen;
161
162		/// Convert a balance into a number used for election calculation. This must fit into a
163		/// `u64` but is allowed to be sensibly lossy. The `u64` is used to communicate with the
164		/// [`frame_election_provider_support`] crate which accepts u64 numbers and does operations
165		/// in 128.
166		/// Consequently, the backward convert is used convert the u128s from sp-elections back to a
167		/// [`BalanceOf`].
168		#[pallet::no_default_bounds]
169		type CurrencyToVote: sp_staking::currency_to_vote::CurrencyToVote<BalanceOf<Self>>;
170
171		/// Something that provides the election functionality.
172		#[pallet::no_default]
173		type ElectionProvider: ElectionProvider<
174			AccountId = Self::AccountId,
175			BlockNumber = BlockNumberFor<Self>,
176			// we only accept an election provider that has staking as data provider.
177			DataProvider = Pallet<Self>,
178		>;
179
180		/// Something that defines the maximum number of nominations per nominator.
181		#[pallet::no_default_bounds]
182		type NominationsQuota: NominationsQuota<BalanceOf<Self>>;
183
184		/// Number of eras to keep in history.
185		///
186		/// Following information is kept for eras in `[current_era -
187		/// HistoryDepth, current_era]`: `ErasValidatorPrefs`, `ErasValidatorReward`,
188		/// `ErasRewardPoints`, `ErasTotalStake`, `ClaimedRewards`,
189		/// `ErasStakersPaged`, `ErasStakersOverview`.
190		///
191		/// Must be more than the number of eras delayed by session.
192		/// I.e. active era must always be in history. I.e. `active_era >
193		/// current_era - history_depth` must be guaranteed.
194		///
195		/// If migrating an existing pallet from storage value to config value,
196		/// this should be set to same value or greater as in storage.
197		#[pallet::constant]
198		type HistoryDepth: Get<u32>;
199
200		/// Tokens have been minted and are unused for validator-reward.
201		///
202		/// Only used in legacy minting mode (`DisableMinting = false`).
203		#[pallet::no_default_bounds]
204		type RewardRemainder: OnUnbalanced<NegativeImbalanceOf<Self>>;
205
206		/// Handler for the unbalanced reduction when slashing a staker.
207		#[pallet::no_default_bounds]
208		type Slash: OnUnbalanced<NegativeImbalanceOf<Self>>;
209
210		/// Handler for the unbalanced increment when rewarding a staker.
211		/// NOTE: in most cases, the implementation of `OnUnbalanced` should modify the total
212		/// issuance.
213		///
214		/// Only used in legacy minting mode (`DisableMinting = false`).
215		#[pallet::no_default_bounds]
216		type Reward: OnUnbalanced<PositiveImbalanceOf<Self>>;
217
218		/// Number of sessions per era, as per the preferences of the **relay chain**.
219		#[pallet::constant]
220		type SessionsPerEra: Get<SessionIndex>;
221
222		/// Number of sessions before the end of an era when the election for the next era will
223		/// start.
224		///
225		/// - This determines how many sessions **before** the last session of the era the staking
226		///   election process should begin.
227		/// - The value is bounded between **1** (election starts at the beginning of the last
228		///   session) and `SessionsPerEra` (election starts at the beginning of the first session
229		///   of the era).
230		///
231		/// ### Example:
232		/// - If `SessionsPerEra = 6` and `PlanningEraOffset = 1`, the election starts at the
233		///   beginning of session `6 - 1 = 5`.
234		/// - If `PlanningEraOffset = 6`, the election starts at the beginning of session `6 - 6 =
235		///   0`, meaning it starts at the very beginning of the era.
236		#[pallet::constant]
237		type PlanningEraOffset: Get<SessionIndex>;
238
239		/// Number of eras that staked funds must remain bonded for.
240		///
241		/// This is the bonding duration for validators. Nominators may have a shorter bonding
242		/// duration when [`AreNominatorsSlashable`] is set to `false` (see
243		/// [`StakingInterface::nominator_bonding_duration`]).
244		#[pallet::constant]
245		type BondingDuration: Get<EraIndex>;
246
247		/// Number of eras nominators must wait to unbond when they are not slashable.
248		///
249		/// This duration is used for nominators when [`AreNominatorsSlashable`] is `false`.
250		/// When nominators are slashable, they use the full [`Config::BondingDuration`] to ensure
251		/// slashes can be applied during the unbonding period.
252		///
253		/// Setting this to a lower value (e.g., 1 era) allows for faster withdrawals when
254		/// nominators are not subject to slashing risk.
255		#[pallet::constant]
256		type NominatorFastUnbondDuration: Get<EraIndex>;
257
258		/// Number of eras that slashes are deferred by, after computation.
259		///
260		/// This should be less than the bonding duration. Set to 0 if slashes
261		/// should be applied immediately, without opportunity for intervention.
262		#[pallet::constant]
263		type SlashDeferDuration: Get<EraIndex>;
264
265		/// The origin which can manage less critical staking parameters that does not require root.
266		///
267		/// Supported actions: (1) cancel deferred slash, (2) set minimum commission.
268		#[pallet::no_default]
269		type AdminOrigin: EnsureOrigin<Self::RuntimeOrigin>;
270
271		/// The payout for validators and the system for the current era.
272		/// See [Era payout](./index.html#era-payout).
273		///
274		/// Only used in legacy minting mode (`DisableMinting = false`).
275		/// Should be set to () in non-minting mode.
276		#[pallet::no_default]
277		type EraPayout: EraPayout<BalanceOf<Self>>;
278
279		/// When `true`, staking does not mint. It expects an external source to fund
280		/// the general reward pot. At era boundary, rewards are snapshotted from
281		/// the pot. `EraPayout` is not called.
282		///
283		/// When `false`, staking uses the legacy path: `EraPayout` computes inflation,
284		/// tokens are minted on-the-fly during payout.
285		///
286		/// **Irreversible**: once set to `true`, must never be switched back. Eras
287		/// created in non-minting mode have funded reward pots — switching to legacy
288		/// would orphan those pots and cause double-minting.
289		#[pallet::constant]
290		type DisableMinting: Get<bool>;
291
292		/// Handler for unclaimed era rewards (non-minting mode only).
293		///
294		/// When era pots are cleaned up past `HistoryDepth`, remaining funds are
295		/// withdrawn and passed to this handler.
296		#[pallet::no_default_bounds]
297		type UnclaimedRewardHandler: OnUnbalanced<NegativeImbalanceOf<Self>>;
298
299		/// Provider for generating reward pot account IDs (non-minting mode only).
300		///
301		/// Provides both general pots (funded by an external source like pallet-dap)
302		/// and era-specific pots (snapshotted at era boundaries).
303		#[pallet::no_default]
304		type RewardPots: crate::PotAccountProvider<Self::AccountId>;
305
306		/// Calculator for staker rewards.
307		///
308		/// Determines how staking rewards are distributed between validators and nominators.
309		#[pallet::no_default_bounds]
310		type StakerRewardCalculator: sp_staking::StakerRewardCalculator<BalanceOf<Self>>;
311
312		/// The maximum size of each `T::ExposurePage`.
313		///
314		/// An `ExposurePage` is weakly bounded to a maximum of `MaxExposurePageSize`
315		/// nominators.
316		///
317		/// For older non-paged exposure, a reward payout was restricted to the top
318		/// `MaxExposurePageSize` nominators. This is to limit the i/o cost for the
319		/// nominator payout.
320		///
321		/// Note: `MaxExposurePageSize` is used to bound `ClaimedRewards` and is unsafe to
322		/// reduce without handling it in a migration.
323		#[pallet::constant]
324		type MaxExposurePageSize: Get<u32>;
325
326		/// The absolute maximum of winner validators this pallet should return.
327		///
328		/// As this pallet supports multi-block election, the set of winner validators *per
329		/// election* is bounded by this type.
330		#[pallet::constant]
331		type MaxValidatorSet: Get<u32>;
332
333		/// Something that provides a best-effort sorted list of voters aka electing nominators,
334		/// used for NPoS election.
335		///
336		/// The changes to nominators are reported to this. Moreover, each validator's self-vote is
337		/// also reported as one independent vote.
338		///
339		/// To keep the load off the chain as much as possible, changes made to the staked amount
340		/// via rewards and slashes are not reported and thus need to be manually fixed by the
341		/// staker. In case of `bags-list`, this always means using `rebag` and `putInFrontOf`.
342		///
343		/// Invariant: what comes out of this list will always be a nominator.
344		#[pallet::no_default]
345		type VoterList: SortedListProvider<Self::AccountId, Score = VoteWeight>;
346
347		/// WIP: This is a noop as of now, the actual business logic that's described below is going
348		/// to be introduced in a follow-up PR.
349		///
350		/// Something that provides a best-effort sorted list of targets aka electable validators,
351		/// used for NPoS election.
352		///
353		/// The changes to the approval stake of each validator are reported to this. This means any
354		/// change to:
355		/// 1. The stake of any validator or nominator.
356		/// 2. The targets of any nominator
357		/// 3. The role of any staker (e.g. validator -> chilled, nominator -> validator, etc)
358		///
359		/// Unlike `VoterList`, the values in this list are always kept up to date with reward and
360		/// slash as well, and thus represent the accurate approval stake of all account being
361		/// nominated by nominators.
362		///
363		/// Note that while at the time of nomination, all targets are checked to be real
364		/// validators, they can chill at any point, and their approval stakes will still be
365		/// recorded. This implies that what comes out of iterating this list MIGHT NOT BE AN ACTIVE
366		/// VALIDATOR.
367		#[pallet::no_default]
368		type TargetList: SortedListProvider<Self::AccountId, Score = BalanceOf<Self>>;
369
370		/// The maximum number of `unlocking` chunks a [`StakingLedger`] can
371		/// have. Effectively determines how many unique eras a staker may be
372		/// unbonding in.
373		///
374		/// Note: `MaxUnlockingChunks` is used as the upper bound for the
375		/// `BoundedVec` item `StakingLedger.unlocking`. Setting this value
376		/// lower than the existing value can lead to inconsistencies in the
377		/// `StakingLedger` and will need to be handled properly in a runtime
378		/// migration. The test `reducing_max_unlocking_chunks_abrupt` shows
379		/// this effect.
380		#[pallet::constant]
381		type MaxUnlockingChunks: Get<u32>;
382
383		/// The maximum amount of controller accounts that can be deprecated in one call.
384		type MaxControllersInDeprecationBatch: Get<u32>;
385
386		/// Something that listens to staking updates and performs actions based on the data it
387		/// receives.
388		///
389		/// WARNING: this only reports slashing and withdraw events for the time being.
390		#[pallet::no_default_bounds]
391		type EventListeners: sp_staking::OnStakingUpdate<Self::AccountId, BalanceOf<Self>>;
392
393		/// Maximum allowed era duration in milliseconds.
394		///
395		/// This provides a defensive upper bound to cap the effective era duration, preventing
396		/// excessively long eras from causing runaway inflation (e.g., due to bugs). If the actual
397		/// era duration exceeds this value, it will be clamped to this maximum.
398		///
399		/// Example: For an ideal era duration of 24 hours (86,400,000 ms),
400		/// this can be set to 604,800,000 ms (7 days).
401		///
402		/// Only used in legacy minting mode (`DisableMinting = false`).
403		#[pallet::constant]
404		type MaxEraDuration: Get<u64>;
405
406		/// Maximum number of storage items that can be pruned in a single call.
407		///
408		/// This controls how many storage items can be deleted in each call to `prune_era_step`.
409		/// This should be set to a conservative value (e.g., 100-500 items) to ensure pruning
410		/// doesn't consume too much block space. The actual weight is determined by benchmarks.
411		#[pallet::constant]
412		type MaxPruningItems: Get<u32>;
413
414		/// Interface to talk to the RC-Client pallet, possibly sending election results to the
415		/// relay chain.
416		#[pallet::no_default]
417		type RcClientInterface: pallet_staking_async_rc_client::RcClientInterface<
418			AccountId = Self::AccountId,
419		>;
420
421		#[pallet::no_default_bounds]
422		/// Filter some accounts from participating in staking.
423		///
424		/// This is useful for example to blacklist an account that is participating in staking in
425		/// another way (such as pools).
426		type Filter: Contains<Self::AccountId>;
427
428		/// Weight information for extrinsics in this pallet.
429		type WeightInfo: WeightInfo;
430
431		/// Check if validator was inactive at some era.
432		///
433		/// This check is used by `chill_inactive` extrinsic to check which
434		/// validators can be chilled.
435		type IsValidatorInactive: IsValidatorInactive<Self::AccountId>;
436	}
437
438	/// A reason for placing a hold on funds.
439	#[pallet::composite_enum]
440	pub enum HoldReason {
441		/// Funds on stake by a nominator or a validator.
442		#[codec(index = 0)]
443		Staking,
444	}
445
446	/// Default implementations of [`DefaultConfig`], which can be used to implement [`Config`].
447	pub mod config_preludes {
448		use super::*;
449		use frame_support::{derive_impl, parameter_types, traits::ConstU32};
450		pub struct TestDefaultConfig;
451
452		#[derive_impl(frame_system::config_preludes::TestDefaultConfig, no_aggregated_types)]
453		impl frame_system::DefaultConfig for TestDefaultConfig {}
454
455		parameter_types! {
456			pub const SessionsPerEra: SessionIndex = 3;
457			pub const BondingDuration: EraIndex = 3;
458			pub const NominatorFastUnbondDuration: EraIndex = 2;
459			pub const MaxPruningItems: u32 = 100;
460		}
461
462		#[frame_support::register_default_impl(TestDefaultConfig)]
463		impl DefaultConfig for TestDefaultConfig {
464			#[inject_runtime_type]
465			type RuntimeHoldReason = ();
466			type CurrencyBalance = u128;
467			type CurrencyToVote = ();
468			type NominationsQuota = crate::FixedNominationsQuota<16>;
469			type HistoryDepth = ConstU32<84>;
470			type RewardRemainder = ();
471			type Slash = ();
472			type Reward = ();
473			type UnclaimedRewardHandler = ();
474			type StakerRewardCalculator = ();
475			type DisableMinting = ConstBool<false>;
476			type SessionsPerEra = SessionsPerEra;
477			type BondingDuration = BondingDuration;
478			type NominatorFastUnbondDuration = NominatorFastUnbondDuration;
479			type PlanningEraOffset = ConstU32<1>;
480			type SlashDeferDuration = ();
481			type MaxExposurePageSize = ConstU32<64>;
482			type MaxUnlockingChunks = ConstU32<32>;
483			type MaxValidatorSet = ConstU32<100>;
484			type MaxControllersInDeprecationBatch = ConstU32<100>;
485			type MaxEraDuration = ();
486			type MaxPruningItems = MaxPruningItems;
487			type EventListeners = ();
488			type Filter = Nothing;
489			type WeightInfo = ();
490			type IsValidatorInactive = ();
491		}
492	}
493
494	/// The ideal number of active validators.
495	#[pallet::storage]
496	pub type ValidatorCount<T> = StorageValue<_, u32, ValueQuery>;
497
498	/// Map from all locked "stash" accounts to the controller account.
499	///
500	/// TWOX-NOTE: SAFE since `AccountId` is a secure hash.
501	#[pallet::storage]
502	pub type Bonded<T: Config> = StorageMap<_, Twox64Concat, T::AccountId, T::AccountId>;
503
504	/// The minimum active bond to become and maintain the role of a nominator.
505	#[pallet::storage]
506	pub type MinNominatorBond<T: Config> = StorageValue<_, BalanceOf<T>, ValueQuery>;
507
508	/// The minimum active bond to become and maintain the role of a validator.
509	#[pallet::storage]
510	pub type MinValidatorBond<T: Config> = StorageValue<_, BalanceOf<T>, ValueQuery>;
511
512	/// The minimum active nominator stake of the last successful election.
513	#[pallet::storage]
514	pub type MinimumActiveStake<T> = StorageValue<_, BalanceOf<T>, ValueQuery>;
515
516	/// The minimum amount of commission that validators can set.
517	///
518	/// If set to `0`, no limit exists.
519	#[pallet::storage]
520	pub type MinCommission<T: Config> = StorageValue<_, Perbill, ValueQuery>;
521
522	/// The maximum commission that validators can set.
523	///
524	/// If not set, defaults to `Perbill::one()` (100%), i.e. no upper limit.
525	#[pallet::storage]
526	pub type MaxCommission<T: Config> = StorageValue<_, Perbill, ValueQuery, MaxCommissionDefault>;
527
528	/// Default for MaxCommission: 100% (no restriction).
529	pub struct MaxCommissionDefault;
530	impl Get<Perbill> for MaxCommissionDefault {
531		fn get() -> Perbill {
532			Perbill::one()
533		}
534	}
535
536	/// Safety guard: the era from which legacy minting is permanently disabled on the
537	/// payout side. **Irreversible** — once set, should never be cleared.
538	///
539	/// Separate from [`Config::DisableMinting`] which controls the `end_era` path.
540	/// This storage guards against minting during payout for eras that were created
541	/// in DAP mode. Set automatically by `end_era_dap` on first successful pot snapshot.
542	/// In legacy mode (Kusama), this is never set and the guard is inactive.
543	#[pallet::storage]
544	pub type DisableMintingGuard<T: Config> = StorageValue<_, EraIndex>;
545
546	/// Optimum self-stake threshold for validators.
547	///
548	/// Below this threshold, the incentive weight grows as `sqrt(self_stake)`.
549	/// Above it, growth is dampened by [`SelfStakeSlopeFactor`].
550	#[pallet::storage]
551	pub type OptimumSelfStake<T: Config> = StorageValue<_, BalanceOf<T>, ValueQuery>;
552
553	/// Hard cap on effective validator self-stake.
554	///
555	/// Self-stake above this value receives no additional reward benefit (plateau).
556	#[pallet::storage]
557	pub type HardCapSelfStake<T: Config> = StorageValue<_, BalanceOf<T>, ValueQuery>;
558
559	/// Slope factor controlling the discouragement rate for self-stake between optimum and cap.
560	///
561	/// Value between 0 and 1: k=1 means no discouragement, k=0 means immediate plateau.
562	#[pallet::storage]
563	pub type SelfStakeSlopeFactor<T: Config> = StorageValue<_, Perbill, ValueQuery>;
564
565	/// The total validator incentive budget for the given era, snapshotted at era end.
566	///
567	/// This is the similar to [`ErasValidatorReward`] but for the self-stake incentive pot.
568	#[pallet::storage]
569	pub type ErasValidatorIncentiveBudget<T: Config> =
570		StorageMap<_, Twox64Concat, EraIndex, BalanceOf<T>, ValueQuery>;
571
572	/// Sum of all validators' incentive weights for the era.
573	///
574	/// Directly linked to [`ErasValidatorIncentiveWeight`].
575	#[pallet::storage]
576	pub type ErasSumValidatorIncentiveWeight<T: Config> =
577		StorageMap<_, Twox64Concat, EraIndex, IncentiveWeight<T>, ValueQuery>;
578
579	/// Individual validator incentive weight per era.
580	/// Each validator's share of the incentive pot = `their_weight / sum_weight`.
581	#[pallet::storage]
582	pub type ErasValidatorIncentiveWeight<T: Config> = StorageDoubleMap<
583		_,
584		Twox64Concat,
585		EraIndex,
586		Twox64Concat,
587		T::AccountId,
588		IncentiveWeight<T>,
589		OptionQuery,
590	>;
591
592	/// Running sum of `validator_incentive_weight × era_points` across all validators
593	/// with non-zero era points for the era.
594	///
595	/// Maintained incrementally inside [`session_rotation::Eras::reward_active_era`] every
596	/// time validator points are credited. Used as the denominator of the weighted-points
597	/// share that determines each validator's slice of [`ErasValidatorIncentiveBudget`].
598	#[pallet::storage]
599	pub type ErasSumWeightedPoints<T: Config> =
600		StorageMap<_, Twox64Concat, EraIndex, IncentiveWeight<T>, ValueQuery>;
601
602	/// Cutoff era from which the validator self-stake incentive switches to the
603	/// weighted-points formula.
604	///
605	/// `None` is the pre-migration state for chains whose storage predates this item. Until the
606	/// migration records a cutoff, [`session_rotation::Eras::uses_weighted_points`] treats all
607	/// eras as weighted-points eras. Chains initialized with this storage item set the cutoff to
608	/// `0` in `genesis_build`, and the upgrade migration leaves any existing value untouched.
609	///
610	/// See [`session_rotation::Eras::uses_weighted_points`] for the exact semantics and
611	/// the rationale for the cutoff.
612	///
613	/// TODO(staking-async): remove this storage item, the legacy stake-only branch in
614	/// [`crate::Pallet::calculate_validator_incentive_for_page`], the
615	/// [`session_rotation::Eras::uses_weighted_points`] cutoff helper, and the
616	/// [`crate::migrations::SetWeightedPointsFormulaStartEra`] migration once
617	/// [`Config::HistoryDepth`] eras have elapsed since the upgrade — i.e. once the cutoff
618	/// satisfies `cutoff <= active_era - HistoryDepth`, at which point no pre-cutoff era
619	/// remains claimable and every live era uses the weighted-points formula.
620	#[pallet::storage]
621	pub type WeightedPointsFormulaStartEra<T: Config> = StorageValue<_, EraIndex, OptionQuery>;
622
623	/// Whether nominators are slashable or not.
624	///
625	/// - When set to `true` (default), nominators are slashed along with validators and must wait
626	///   the full [`Config::BondingDuration`] before withdrawing unbonded funds.
627	/// - When set to `false`, nominators are not slashed, and can unbond in
628	///   [`Config::NominatorFastUnbondDuration`] eras instead of the full
629	///   [`Config::BondingDuration`] (see [`StakingInterface::nominator_bonding_duration`]).
630	#[pallet::storage]
631	pub type AreNominatorsSlashable<T: Config> = StorageValue<_, bool, ValueQuery, ConstBool<true>>;
632
633	/// Per-era snapshot of whether nominators are slashable.
634	///
635	/// This is copied from [`AreNominatorsSlashable`] at the start of each era. When processing
636	/// offences, we use the value from this storage for the offence era to ensure that the
637	/// slashing rules at the time of the offence are applied, not the current rules.
638	///
639	/// If an entry does not exist for an era, nominators are assumed to be slashable (default).
640	#[pallet::storage]
641	pub type ErasNominatorsSlashable<T: Config> =
642		StorageMap<_, Twox64Concat, EraIndex, bool, OptionQuery>;
643
644	/// Map from all (unlocked) "controller" accounts to the info regarding the staking.
645	///
646	/// Note: All the reads and mutations to this storage *MUST* be done through the methods exposed
647	/// by [`StakingLedger`] to ensure data and lock consistency.
648	#[pallet::storage]
649	pub type Ledger<T: Config> = StorageMap<_, Blake2_128Concat, T::AccountId, StakingLedger<T>>;
650
651	/// Where the reward payment should be made. Keyed by stash.
652	///
653	/// TWOX-NOTE: SAFE since `AccountId` is a secure hash.
654	#[pallet::storage]
655	pub type Payee<T: Config> =
656		StorageMap<_, Twox64Concat, T::AccountId, RewardDestination<T::AccountId>, OptionQuery>;
657
658	/// The map from (wannabe) validator stash key to the preferences of that validator.
659	///
660	/// TWOX-NOTE: SAFE since `AccountId` is a secure hash.
661	#[pallet::storage]
662	pub type Validators<T: Config> =
663		CountedStorageMap<_, Twox64Concat, T::AccountId, ValidatorPrefs, ValueQuery>;
664
665	/// The maximum validator count before we stop allowing new validators to join.
666	///
667	/// When this value is not set, no limits are enforced.
668	#[pallet::storage]
669	pub type MaxValidatorsCount<T> = StorageValue<_, u32, OptionQuery>;
670
671	/// Tracks the last era in which an account was active as a validator (included in the era's
672	/// exposure/snapshot).
673	///
674	/// This is used to enforce that accounts who were recently validators must wait the full
675	/// [`Config::BondingDuration`] before their funds can be withdrawn, even if they switch to
676	/// nominator role. This prevents validators from:
677	/// 1. Committing a slashable offence in era N
678	/// 2. Switching to nominator role
679	/// 3. Using the shorter nominator unbonding duration to withdraw funds before being slashed
680	///
681	/// Updated when era snapshots are created (in `ErasStakersPaged`/`ErasStakersOverview`).
682	/// Cleaned up when the stash is killed (fully withdrawn/reaped).
683	#[pallet::storage]
684	pub type LastValidatorEra<T: Config> = StorageMap<_, Twox64Concat, T::AccountId, EraIndex>;
685
686	/// The map from nominator stash key to their nomination preferences, namely the validators that
687	/// they wish to support.
688	///
689	/// Note that the keys of this storage map might become non-decodable in case the
690	/// account's [`NominationsQuota::MaxNominations`] configuration is decreased.
691	/// In this rare case, these nominators
692	/// are still existent in storage, their key is correct and retrievable (i.e. `contains_key`
693	/// indicates that they exist), but their value cannot be decoded. Therefore, the non-decodable
694	/// nominators will effectively not-exist, until they re-submit their preferences such that it
695	/// is within the bounds of the newly set `Config::MaxNominations`.
696	///
697	/// This implies that `::iter_keys().count()` and `::iter().count()` might return different
698	/// values for this map. Moreover, the main `::count()` is aligned with the former, namely the
699	/// number of keys that exist.
700	///
701	/// Lastly, if any of the nominators become non-decodable, they can be chilled immediately via
702	/// [`Call::chill_other`] dispatchable by anyone.
703	///
704	/// TWOX-NOTE: SAFE since `AccountId` is a secure hash.
705	#[pallet::storage]
706	pub type Nominators<T: Config> =
707		CountedStorageMap<_, Twox64Concat, T::AccountId, Nominations<T>>;
708
709	/// Stakers whose funds are managed by other pallets.
710	///
711	/// This pallet does not apply any locks on them, therefore they are only virtually bonded. They
712	/// are expected to be keyless accounts and hence should not be allowed to mutate their ledger
713	/// directly via this pallet. Instead, these accounts are managed by other pallets and accessed
714	/// via low level apis. We keep track of them to do minimal integrity checks.
715	#[pallet::storage]
716	pub type VirtualStakers<T: Config> = CountedStorageMap<_, Twox64Concat, T::AccountId, ()>;
717
718	/// The maximum nominator count before we stop allowing new validators to join.
719	///
720	/// When this value is not set, no limits are enforced.
721	#[pallet::storage]
722	pub type MaxNominatorsCount<T> = StorageValue<_, u32, OptionQuery>;
723
724	// --- AUDIT NOTE: the following storage items should only be controlled by `Rotator`
725
726	/// The current planned era index.
727	///
728	/// This is the latest planned era, depending on how the Session pallet queues the validator
729	/// set, it might be active or not.
730	#[pallet::storage]
731	pub type CurrentEra<T> = StorageValue<_, EraIndex>;
732
733	/// The active era information, it holds index and start.
734	///
735	/// The active era is the era being currently rewarded. Validator set of this era must be
736	/// equal to what is RC's session pallet.
737	#[pallet::storage]
738	pub type ActiveEra<T> = StorageValue<_, ActiveEraInfo>;
739
740	/// Custom bound for [`BondedEras`] which is equal to [`Config::BondingDuration`] + 1.
741	pub struct BondedErasBound<T>(core::marker::PhantomData<T>);
742	impl<T: Config> Get<u32> for BondedErasBound<T> {
743		fn get() -> u32 {
744			T::BondingDuration::get().saturating_add(1)
745		}
746	}
747
748	const OFFENCE_QUEUE_ERAS_BOUND: u32 = 10;
749	/// Custom bound for [`OffenceQueueEras`] which is equal to `Config::BondingDuration +
750	/// OFFENCE_QUEUE_ERAS_BOUND`.
751	pub struct OffenceQueueErasBound<T>(core::marker::PhantomData<T>);
752	impl<T: Config> Get<u32> for OffenceQueueErasBound<T> {
753		fn get() -> u32 {
754			let bonding_duration = T::BondingDuration::get();
755			bonding_duration.saturating_add(OFFENCE_QUEUE_ERAS_BOUND) // adding OFFENCE_QUEUE_ERAS_BOUND eras
756			                                                 // to add headroom to
757			                                                 // the bound for runtime upgrades that
758			                                                 // lower BondingDuration so we avoid
759			                                                 // the try_into trap.
760		}
761	}
762
763	/// A mapping from still-bonded eras to the first session index of that era.
764	///
765	/// Must contains information for eras for the range:
766	/// `[active_era - bounding_duration; active_era]`
767	#[pallet::storage]
768	pub type BondedEras<T: Config> =
769		StorageValue<_, BoundedVec<(EraIndex, SessionIndex), BondedErasBound<T>>, ValueQuery>;
770
771	// --- AUDIT Note: end of storage items controlled by `Rotator`.
772
773	/// Summary of validator exposure at a given era.
774	///
775	/// This contains the total stake in support of the validator and their own stake. In addition,
776	/// it can also be used to get the number of nominators backing this validator and the number of
777	/// exposure pages they are divided into. The page count is useful to determine the number of
778	/// pages of rewards that needs to be claimed.
779	///
780	/// This is keyed first by the era index to allow bulk deletion and then the stash account.
781	/// Should only be accessed through `Eras`.
782	///
783	/// Is it removed after [`Config::HistoryDepth`] eras.
784	/// If stakers hasn't been set or has been removed then empty overview is returned.
785	#[pallet::storage]
786	pub type ErasStakersOverview<T: Config> = StorageDoubleMap<
787		_,
788		Twox64Concat,
789		EraIndex,
790		Twox64Concat,
791		T::AccountId,
792		PagedExposureMetadata<BalanceOf<T>>,
793		OptionQuery,
794	>;
795
796	/// A bounded wrapper for [`sp_staking::ExposurePage`].
797	///
798	/// It has `Deref` and `DerefMut` impls that map it back [`sp_staking::ExposurePage`] for all
799	/// purposes. This is done in such a way because we prefer to keep the types in [`sp_staking`]
800	/// pure, and not polluted by pallet-specific bounding logic.
801	///
802	/// It encoded and decodes exactly the same as [`sp_staking::ExposurePage`], and provides a
803	/// manual `MaxEncodedLen` implementation, to be used in benchmarking
804	#[derive(PartialEqNoBound, Encode, Decode, DebugNoBound, TypeInfo, DefaultNoBound)]
805	#[scale_info(skip_type_params(T))]
806	pub struct BoundedExposurePage<T: Config>(pub ExposurePage<T::AccountId, BalanceOf<T>>);
807	impl<T: Config> Deref for BoundedExposurePage<T> {
808		type Target = ExposurePage<T::AccountId, BalanceOf<T>>;
809
810		fn deref(&self) -> &Self::Target {
811			&self.0
812		}
813	}
814
815	impl<T: Config> core::ops::DerefMut for BoundedExposurePage<T> {
816		fn deref_mut(&mut self) -> &mut Self::Target {
817			&mut self.0
818		}
819	}
820
821	impl<T: Config> codec::MaxEncodedLen for BoundedExposurePage<T> {
822		fn max_encoded_len() -> usize {
823			let max_exposure_page_size = T::MaxExposurePageSize::get() as usize;
824			let individual_size =
825				T::AccountId::max_encoded_len() + BalanceOf::<T>::max_encoded_len();
826
827			// 1 balance for `total`
828			BalanceOf::<T>::max_encoded_len() +
829			// individual_size multiplied by page size
830				max_exposure_page_size.saturating_mul(individual_size)
831		}
832	}
833
834	impl<T: Config> From<ExposurePage<T::AccountId, BalanceOf<T>>> for BoundedExposurePage<T> {
835		fn from(value: ExposurePage<T::AccountId, BalanceOf<T>>) -> Self {
836			Self(value)
837		}
838	}
839
840	impl<T: Config> From<BoundedExposurePage<T>> for ExposurePage<T::AccountId, BalanceOf<T>> {
841		fn from(value: BoundedExposurePage<T>) -> Self {
842			value.0
843		}
844	}
845
846	impl<T: Config> codec::EncodeLike<BoundedExposurePage<T>>
847		for ExposurePage<T::AccountId, BalanceOf<T>>
848	{
849	}
850
851	/// Paginated exposure of a validator at given era.
852	///
853	/// This is keyed first by the era index to allow bulk deletion, then stash account and finally
854	/// the page. Should only be accessed through `Eras`.
855	///
856	/// This is cleared after [`Config::HistoryDepth`] eras.
857	#[pallet::storage]
858	pub type ErasStakersPaged<T: Config> = StorageNMap<
859		_,
860		(
861			NMapKey<Twox64Concat, EraIndex>,
862			NMapKey<Twox64Concat, T::AccountId>,
863			NMapKey<Twox64Concat, Page>,
864		),
865		BoundedExposurePage<T>,
866		OptionQuery,
867	>;
868
869	pub struct ClaimedRewardsBound<T>(core::marker::PhantomData<T>);
870	impl<T: Config> Get<u32> for ClaimedRewardsBound<T> {
871		fn get() -> u32 {
872			let max_total_nominators_per_validator =
873				<T::ElectionProvider as ElectionProvider>::MaxBackersPerWinnerFinal::get();
874			let exposure_page_size = T::MaxExposurePageSize::get();
875			max_total_nominators_per_validator
876				.saturating_div(exposure_page_size)
877				.saturating_add(1)
878		}
879	}
880
881	/// History of claimed paged rewards by era and validator.
882	///
883	/// This is keyed by era and validator stash which maps to the set of page indexes which have
884	/// been claimed.
885	///
886	/// It is removed after [`Config::HistoryDepth`] eras.
887	#[pallet::storage]
888	pub type ClaimedRewards<T: Config> = StorageDoubleMap<
889		_,
890		Twox64Concat,
891		EraIndex,
892		Twox64Concat,
893		T::AccountId,
894		WeakBoundedVec<Page, ClaimedRewardsBound<T>>,
895		ValueQuery,
896	>;
897
898	/// Exposure of validator at era with the preferences of validators.
899	///
900	/// This is keyed first by the era index to allow bulk deletion and then the stash account.
901	///
902	/// Is it removed after [`Config::HistoryDepth`] eras.
903	// If prefs hasn't been set or has been removed then 0 commission is returned.
904	#[pallet::storage]
905	pub type ErasValidatorPrefs<T: Config> = StorageDoubleMap<
906		_,
907		Twox64Concat,
908		EraIndex,
909		Twox64Concat,
910		T::AccountId,
911		ValidatorPrefs,
912		ValueQuery,
913	>;
914
915	/// The total staker reward budget for each era within [`Config::HistoryDepth`].
916	///
917	/// Set at era finalization:
918	/// - in non-minting mode this is the snapshot of the era pot balance before any payouts.
919	/// - in legacy mode it comes from `EraPayout`, with rewards minted on the fly.
920	#[pallet::storage]
921	pub type ErasValidatorReward<T: Config> = StorageMap<_, Twox64Concat, EraIndex, BalanceOf<T>>;
922
923	/// Rewards for the last [`Config::HistoryDepth`] eras.
924	/// If reward hasn't been set or has been removed then 0 reward is returned.
925	#[pallet::storage]
926	pub type ErasRewardPoints<T: Config> =
927		StorageMap<_, Twox64Concat, EraIndex, EraRewardPoints<T>, ValueQuery>;
928
929	/// The total amount staked for the last [`Config::HistoryDepth`] eras.
930	/// If total hasn't been set or has been removed then 0 stake is returned.
931	#[pallet::storage]
932	pub type ErasTotalStake<T: Config> =
933		StorageMap<_, Twox64Concat, EraIndex, BalanceOf<T>, ValueQuery>;
934
935	/// Mode of era forcing.
936	#[pallet::storage]
937	pub type ForceEra<T> = StorageValue<_, Forcing, ValueQuery>;
938
939	/// Maximum staked rewards, i.e. the percentage of the era inflation that
940	/// is used for stake rewards.
941	///
942	/// Only used in legacy minting mode (`DisableMinting = false`).
943	#[pallet::storage]
944	pub type MaxStakedRewards<T> = StorageValue<_, Percent, OptionQuery>;
945
946	/// The percentage of the slash that is distributed to reporters.
947	///
948	/// The rest of the slashed value is handled by the `Slash`.
949	#[pallet::storage]
950	pub type SlashRewardFraction<T> = StorageValue<_, Perbill, ValueQuery>;
951
952	/// The amount of currency given to reporters of a slash event which was
953	/// canceled by extraordinary circumstances (e.g. governance).
954	#[pallet::storage]
955	pub type CanceledSlashPayout<T: Config> = StorageValue<_, BalanceOf<T>, ValueQuery>;
956
957	/// Stores reported offences in a queue until they are processed in subsequent blocks.
958	///
959	/// Each offence is recorded under the corresponding era index and the offending validator's
960	/// account. If an offence spans multiple pages, only one page is processed at a time. Offences
961	/// are handled sequentially, with their associated slashes computed and stored in
962	/// `UnappliedSlashes`. These slashes are then applied in a future era as determined by
963	/// `SlashDeferDuration`.
964	///
965	/// Any offences tied to an era older than `BondingDuration` are automatically dropped.
966	/// Processing always prioritizes the oldest era first.
967	#[pallet::storage]
968	pub type OffenceQueue<T: Config> = StorageDoubleMap<
969		_,
970		Twox64Concat,
971		EraIndex,
972		Twox64Concat,
973		T::AccountId,
974		slashing::OffenceRecord<T::AccountId>,
975	>;
976
977	/// Tracks the eras that contain offences in `OffenceQueue`, sorted from **earliest to latest**.
978	///
979	/// - This ensures efficient retrieval of the oldest offence without iterating through
980	/// `OffenceQueue`.
981	/// - When a new offence is added to `OffenceQueue`, its era is **inserted in sorted order**
982	/// if not already present.
983	/// - When all offences for an era are processed, it is **removed** from this list.
984	/// - The maximum length of this vector is bounded by `BondingDuration +
985	///   OFFENCE_QUEUE_ERAS_BOUND`.
986	///
987	/// This eliminates the need for expensive iteration and sorting when fetching the next offence
988	/// to process.
989	#[pallet::storage]
990	pub type OffenceQueueEras<T: Config> =
991		StorageValue<_, WeakBoundedVec<u32, OffenceQueueErasBound<T>>>;
992
993	/// Tracks the currently processed offence record from the `OffenceQueue`.
994	///
995	/// - When processing offences, an offence record is **popped** from the oldest era in
996	///   `OffenceQueue` and stored here.
997	/// - The function `process_offence` reads from this storage, processing one page of exposure at
998	///   a time.
999	/// - After processing a page, the `exposure_page` count is **decremented** until it reaches
1000	///   zero.
1001	/// - Once fully processed, the offence record is removed from this storage.
1002	///
1003	/// This ensures that offences are processed incrementally, preventing excessive computation
1004	/// in a single block while maintaining correct slashing behavior.
1005	#[pallet::storage]
1006	pub type ProcessingOffence<T: Config> =
1007		StorageValue<_, (EraIndex, T::AccountId, slashing::OffenceRecord<T::AccountId>)>;
1008
1009	/// All unapplied slashes that are queued for later.
1010	#[pallet::storage]
1011	pub type UnappliedSlashes<T: Config> = StorageDoubleMap<
1012		_,
1013		Twox64Concat,
1014		EraIndex,
1015		Twox64Concat,
1016		// Unique key for unapplied slashes: (validator, slash fraction, page index).
1017		(T::AccountId, Perbill, u32),
1018		UnappliedSlash<T>,
1019		OptionQuery,
1020	>;
1021
1022	/// Cancelled slashes by era and validator with maximum slash fraction to be cancelled.
1023	///
1024	/// When slashes are cancelled by governance, this stores the era and the validators
1025	/// whose slashes should be cancelled, along with the maximum slash fraction that should
1026	/// be cancelled for each validator.
1027	#[pallet::storage]
1028	pub type CancelledSlashes<T: Config> = StorageMap<
1029		_,
1030		Twox64Concat,
1031		EraIndex,
1032		BoundedVec<(T::AccountId, Perbill), T::MaxValidatorSet>,
1033		ValueQuery,
1034	>;
1035
1036	/// All slashing events on validators, mapped by era to the highest slash proportion
1037	/// and slash value of the era.
1038	#[pallet::storage]
1039	pub type ValidatorSlashInEra<T: Config> = StorageDoubleMap<
1040		_,
1041		Twox64Concat,
1042		EraIndex,
1043		Twox64Concat,
1044		T::AccountId,
1045		(Perbill, BalanceOf<T>),
1046	>;
1047
1048	/// The threshold for when users can start calling `chill_other` for other validators /
1049	/// nominators. The threshold is compared to the actual number of validators / nominators
1050	/// (`CountFor*`) in the system compared to the configured max (`Max*Count`).
1051	#[pallet::storage]
1052	pub type ChillThreshold<T: Config> = StorageValue<_, Percent, OptionQuery>;
1053
1054	/// Voter snapshot progress status.
1055	///
1056	/// If the status is `Ongoing`, it keeps a cursor of the last voter retrieved to proceed when
1057	/// creating the next snapshot page.
1058	#[pallet::storage]
1059	pub type VoterSnapshotStatus<T: Config> =
1060		StorageValue<_, SnapshotStatus<T::AccountId>, ValueQuery>;
1061
1062	/// Keeps track of an ongoing multi-page election solution request.
1063	///
1064	/// If `Some(_)``, it is the next page that we intend to elect. If `None`, we are not in the
1065	/// election process.
1066	///
1067	/// This is only set in multi-block elections. Should always be `None` otherwise.
1068	#[pallet::storage]
1069	pub type NextElectionPage<T: Config> = StorageValue<_, PageIndex, OptionQuery>;
1070
1071	/// A bounded list of the "electable" stashes that resulted from a successful election.
1072	#[pallet::storage]
1073	pub type ElectableStashes<T: Config> =
1074		StorageValue<_, BoundedBTreeSet<T::AccountId, T::MaxValidatorSet>, ValueQuery>;
1075
1076	/// Tracks the current step of era pruning process for each era being lazily pruned.
1077	#[pallet::storage]
1078	pub type EraPruningState<T: Config> = StorageMap<_, Twox64Concat, EraIndex, PruningStep>;
1079
1080	/// The number of eras a validator can remain inactive during the last
1081	/// [`Config::HistoryDepth`] before being subject to chilling because of inactivity.
1082	///
1083	/// This must be less than or equal [`Config::HistoryDepth`] and bigger than 1.
1084	#[pallet::storage]
1085	pub type ChillInactiveThreshold<T: Config> = StorageValue<_, u32, ValueQuery, T::HistoryDepth>;
1086
1087	#[pallet::genesis_config]
1088	#[derive(frame_support::DefaultNoBound, frame_support::DebugNoBound)]
1089	pub struct GenesisConfig<T: Config> {
1090		pub validator_count: u32,
1091		pub force_era: Forcing,
1092		pub slash_reward_fraction: Perbill,
1093		pub canceled_payout: BalanceOf<T>,
1094		pub stakers: Vec<(T::AccountId, BalanceOf<T>, crate::StakerStatus<T::AccountId>)>,
1095		pub min_nominator_bond: BalanceOf<T>,
1096		pub min_validator_bond: BalanceOf<T>,
1097		pub max_validator_count: Option<u32>,
1098		pub max_nominator_count: Option<u32>,
1099		/// Create the given number of validators and nominators.
1100		///
1101		/// These account need not be in the endowment list of balances, and are auto-topped up
1102		/// here.
1103		///
1104		/// Useful for testing genesis config.
1105		pub dev_stakers: Option<(u32, u32)>,
1106		/// initial active era, corresponding session index and start timestamp.
1107		pub active_era: (u32, u32, u64),
1108	}
1109
1110	impl<T: Config> GenesisConfig<T> {
1111		fn generate_endowed_bonded_account(derivation: &str, rng: &mut ChaChaRng) -> T::AccountId {
1112			let pair: SrPair = Pair::from_string(&derivation, None)
1113				.expect(&format!("Failed to parse derivation string: {derivation}"));
1114			let who = T::AccountId::decode(&mut &pair.public().encode()[..])
1115				.expect(&format!("Failed to decode public key from pair: {:?}", pair.public()));
1116
1117			let (min, max) = T::VoterList::range();
1118			let stake = BalanceOf::<T>::from(rng.next_u64().min(max).max(min));
1119			let two: BalanceOf<T> = 2u32.into();
1120
1121			assert_ok!(T::Currency::mint_into(&who, stake * two));
1122			assert_ok!(<Pallet<T>>::bond(
1123				T::RuntimeOrigin::from(Some(who.clone()).into()),
1124				stake,
1125				RewardDestination::Staked,
1126			));
1127			who
1128		}
1129	}
1130
1131	#[pallet::genesis_build]
1132	impl<T: Config> BuildGenesisConfig for GenesisConfig<T> {
1133		fn build(&self) {
1134			crate::log!(trace, "initializing with {:?}", self);
1135			assert!(
1136				self.validator_count <=
1137					<T::ElectionProvider as ElectionProvider>::MaxWinnersPerPage::get() *
1138						<T::ElectionProvider as ElectionProvider>::Pages::get(),
1139				"validator count is too high, `ElectionProvider` can never fulfill this"
1140			);
1141			ValidatorCount::<T>::put(self.validator_count);
1142
1143			ForceEra::<T>::put(self.force_era);
1144			CanceledSlashPayout::<T>::put(self.canceled_payout);
1145			SlashRewardFraction::<T>::put(self.slash_reward_fraction);
1146			MinNominatorBond::<T>::put(self.min_nominator_bond);
1147			MinValidatorBond::<T>::put(self.min_validator_bond);
1148			if let Some(x) = self.max_validator_count {
1149				MaxValidatorsCount::<T>::put(x);
1150			}
1151			if let Some(x) = self.max_nominator_count {
1152				MaxNominatorsCount::<T>::put(x);
1153			}
1154
1155			// First pass: set up all validators and idle stakers
1156			for &(ref stash, balance, ref status) in &self.stakers {
1157				match status {
1158					crate::StakerStatus::Validator => {
1159						crate::log!(
1160							trace,
1161							"inserting genesis validator: {:?} => {:?} => {:?}",
1162							stash,
1163							balance,
1164							status
1165						);
1166						assert!(
1167							asset::free_to_stake::<T>(stash) >= balance,
1168							"Stash does not have enough balance to bond."
1169						);
1170						assert_ok!(<Pallet<T>>::bond(
1171							T::RuntimeOrigin::from(Some(stash.clone()).into()),
1172							balance,
1173							RewardDestination::Staked,
1174						));
1175						assert_ok!(<Pallet<T>>::validate(
1176							T::RuntimeOrigin::from(Some(stash.clone()).into()),
1177							Default::default(),
1178						));
1179					},
1180					crate::StakerStatus::Idle => {
1181						crate::log!(
1182							trace,
1183							"inserting genesis idle staker: {:?} => {:?} => {:?}",
1184							stash,
1185							balance,
1186							status
1187						);
1188						assert!(
1189							asset::free_to_stake::<T>(stash) >= balance,
1190							"Stash does not have enough balance to bond."
1191						);
1192						assert_ok!(<Pallet<T>>::bond(
1193							T::RuntimeOrigin::from(Some(stash.clone()).into()),
1194							balance,
1195							RewardDestination::Staked,
1196						));
1197					},
1198					_ => {},
1199				}
1200			}
1201
1202			// Second pass: set up all nominators (now that validators exist)
1203			for &(ref stash, balance, ref status) in &self.stakers {
1204				match status {
1205					crate::StakerStatus::Nominator(votes) => {
1206						crate::log!(
1207							trace,
1208							"inserting genesis nominator: {:?} => {:?} => {:?}",
1209							stash,
1210							balance,
1211							status
1212						);
1213						assert!(
1214							asset::free_to_stake::<T>(stash) >= balance,
1215							"Stash does not have enough balance to bond."
1216						);
1217						assert_ok!(<Pallet<T>>::bond(
1218							T::RuntimeOrigin::from(Some(stash.clone()).into()),
1219							balance,
1220							RewardDestination::Staked,
1221						));
1222						assert_ok!(<Pallet<T>>::nominate(
1223							T::RuntimeOrigin::from(Some(stash.clone()).into()),
1224							votes.iter().map(|l| T::Lookup::unlookup(l.clone())).collect(),
1225						));
1226					},
1227					_ => {},
1228				}
1229			}
1230
1231			// all voters are reported to the `VoterList`.
1232			assert_eq!(
1233				T::VoterList::count(),
1234				Nominators::<T>::count() + Validators::<T>::count(),
1235				"not all genesis stakers were inserted into sorted list provider, something is wrong."
1236			);
1237
1238			// now generate the dev stakers, after all else is setup
1239			if let Some((validators, nominators)) = self.dev_stakers {
1240				crate::log!(
1241					debug,
1242					"generating dev stakers: validators: {}, nominators: {}",
1243					validators,
1244					nominators
1245				);
1246				let base_derivation = "//staker//{}";
1247
1248				// it is okay for the randomness to be the same on every call. If we want different,
1249				// we can make `base_derivation` configurable.
1250				let mut rng = ChaChaRng::from_seed(
1251					base_derivation.using_encoded(sp_crypto_hashing::blake2_256),
1252				);
1253
1254				(0..validators).for_each(|index| {
1255					let derivation = base_derivation.replace("{}", &format!("validator{}", index));
1256					let who = Self::generate_endowed_bonded_account(&derivation, &mut rng);
1257					assert_ok!(<Pallet<T>>::validate(
1258						T::RuntimeOrigin::from(Some(who.clone()).into()),
1259						Default::default(),
1260					));
1261				});
1262
1263				// This allows us to work with configs like `dev_stakers: (0, 10)`. Don't create new
1264				// validators, just add a bunch of nominators. Useful for slashing tests.
1265				let all_validators = Validators::<T>::iter_keys().collect::<Vec<_>>();
1266
1267				(0..nominators).for_each(|index| {
1268					let derivation = base_derivation.replace("{}", &format!("nominator{}", index));
1269					let who = Self::generate_endowed_bonded_account(&derivation, &mut rng);
1270
1271					let random_nominations = all_validators
1272						.choose_multiple(&mut rng, MaxNominationsOf::<T>::get() as usize)
1273						.map(|v| v.clone())
1274						.collect::<Vec<_>>();
1275
1276					assert_ok!(<Pallet<T>>::nominate(
1277						T::RuntimeOrigin::from(Some(who.clone()).into()),
1278						random_nominations.iter().map(|l| T::Lookup::unlookup(l.clone())).collect(),
1279					));
1280				})
1281			}
1282
1283			// Chains initialized with this storage item maintain `ErasSumWeightedPoints` from
1284			// era 0. Pin the cutoff to the first era so every era uses the weighted-points formula
1285			// and the idempotent migration only acts on chains whose storage predates this item.
1286			WeightedPointsFormulaStartEra::<T>::put(0);
1287
1288			let (active_era, session_index, timestamp) = self.active_era;
1289			ActiveEra::<T>::put(ActiveEraInfo { index: active_era, start: Some(timestamp) });
1290			// at genesis, we do not have any new planned era.
1291			CurrentEra::<T>::put(active_era);
1292			// set the bonded genesis era
1293			BondedEras::<T>::put(
1294				BoundedVec::<_, BondedErasBound<T>>::try_from(
1295					alloc::vec![(active_era, session_index)]
1296				)
1297				.expect("bound for BondedEras is BondingDuration + 1; can contain at least one element; qed")
1298			);
1299		}
1300	}
1301
1302	#[pallet::event]
1303	#[pallet::generate_deposit(pub fn deposit_event)]
1304	pub enum Event<T: Config> {
1305		/// The era payout has been set.
1306		///
1307		/// In non-minting mode, `validator_payout` is the staker reward budget
1308		/// snapshotted from the general pot, and `remainder` is always zero.
1309		/// In legacy minting mode, both fields reflect the `EraPayout` computation.
1310		EraPaid {
1311			era_index: EraIndex,
1312			validator_payout: BalanceOf<T>,
1313			remainder: BalanceOf<T>,
1314		},
1315		/// The nominator has been rewarded by this amount to this destination.
1316		Rewarded {
1317			stash: T::AccountId,
1318			dest: RewardDestination<T::AccountId>,
1319			amount: BalanceOf<T>,
1320		},
1321		/// A staker (validator or nominator) has been slashed by the given amount.
1322		Slashed {
1323			staker: T::AccountId,
1324			amount: BalanceOf<T>,
1325		},
1326		/// An old slashing report from a prior era was discarded because it could
1327		/// not be processed.
1328		OldSlashingReportDiscarded {
1329			session_index: SessionIndex,
1330		},
1331		/// An account has bonded this amount. \[stash, amount\]
1332		///
1333		/// NOTE: This event is only emitted when funds are bonded via a dispatchable. Notably,
1334		/// it will not be emitted for staking rewards when they are added to stake.
1335		Bonded {
1336			stash: T::AccountId,
1337			amount: BalanceOf<T>,
1338		},
1339		/// An account has unbonded this amount.
1340		Unbonded {
1341			stash: T::AccountId,
1342			amount: BalanceOf<T>,
1343		},
1344		/// An account has called `withdraw_unbonded` and removed unbonding chunks worth `Balance`
1345		/// from the unlocking queue.
1346		Withdrawn {
1347			stash: T::AccountId,
1348			amount: BalanceOf<T>,
1349		},
1350		/// A subsequent event of `Withdrawn`, indicating that `stash` was fully removed from the
1351		/// system.
1352		StakerRemoved {
1353			stash: T::AccountId,
1354		},
1355		/// A nominator has been kicked from a validator.
1356		Kicked {
1357			nominator: T::AccountId,
1358			stash: T::AccountId,
1359		},
1360		/// An account has stopped participating as either a validator or nominator.
1361		Chilled {
1362			stash: T::AccountId,
1363		},
1364		/// A Page of stakers rewards are getting paid. `next` is `None` if all pages are claimed.
1365		PayoutStarted {
1366			era_index: EraIndex,
1367			validator_stash: T::AccountId,
1368			page: Page,
1369			next: Option<Page>,
1370		},
1371		/// A validator has set their preferences.
1372		ValidatorPrefsSet {
1373			stash: T::AccountId,
1374			prefs: ValidatorPrefs,
1375		},
1376		/// Voters size limit reached.
1377		SnapshotVotersSizeExceeded {
1378			size: u32,
1379		},
1380		/// Targets size limit reached.
1381		SnapshotTargetsSizeExceeded {
1382			size: u32,
1383		},
1384		ForceEra {
1385			mode: Forcing,
1386		},
1387		/// Report of a controller batch deprecation.
1388		ControllerBatchDeprecated {
1389			failures: u32,
1390		},
1391		/// Staking balance migrated from locks to holds, with any balance that could not be held
1392		/// is force withdrawn.
1393		CurrencyMigrated {
1394			stash: T::AccountId,
1395			force_withdraw: BalanceOf<T>,
1396		},
1397		/// A page from a multi-page election was fetched. A number of these are followed by
1398		/// `StakersElected`.
1399		///
1400		/// `Ok(count)` indicates the give number of stashes were added.
1401		/// `Err(index)` indicates that the stashes after index were dropped.
1402		/// `Err(0)` indicates that an error happened but no stashes were dropped nor added.
1403		///
1404		/// The error indicates that a number of validators were dropped due to excess size, but
1405		/// the overall election will continue.
1406		PagedElectionProceeded {
1407			page: PageIndex,
1408			result: Result<u32, u32>,
1409		},
1410		/// An offence for the given validator, for the given percentage of their stake, at the
1411		/// given era as been reported.
1412		OffenceReported {
1413			offence_era: EraIndex,
1414			validator: T::AccountId,
1415			fraction: Perbill,
1416		},
1417		/// An offence has been processed and the corresponding slash has been computed.
1418		SlashComputed {
1419			offence_era: EraIndex,
1420			slash_era: EraIndex,
1421			offender: T::AccountId,
1422			page: u32,
1423		},
1424		/// An unapplied slash has been cancelled.
1425		SlashCancelled {
1426			slash_era: EraIndex,
1427			validator: T::AccountId,
1428		},
1429		/// Session change has been triggered.
1430		///
1431		/// If planned_era is one era ahead of active_era, it implies new era is being planned and
1432		/// election is ongoing.
1433		SessionRotated {
1434			starting_session: SessionIndex,
1435			active_era: EraIndex,
1436			planned_era: EraIndex,
1437		},
1438		/// Something occurred that should never happen under normal operation.
1439		/// Logged as an event for fail-safe observability.
1440		Unexpected(UnexpectedKind<T>),
1441		/// An offence was reported that was too old to be processed, and thus was dropped.
1442		OffenceTooOld {
1443			offence_era: EraIndex,
1444			validator: T::AccountId,
1445			fraction: Perbill,
1446		},
1447		/// An old era with the given index was pruned.
1448		EraPruned {
1449			index: EraIndex,
1450		},
1451		/// The validator has been paid their self-stake incentive bonus.
1452		ValidatorIncentivePaid {
1453			era: EraIndex,
1454			validator_stash: T::AccountId,
1455			dest: RewardDestination<T::AccountId>,
1456			amount: BalanceOf<T>,
1457		},
1458		/// Validator self-stake incentive configuration has been updated.
1459		ValidatorIncentiveConfigSet {
1460			optimum_self_stake: BalanceOf<T>,
1461			hard_cap_self_stake: BalanceOf<T>,
1462			slope_factor: Perbill,
1463		},
1464	}
1465
1466	/// Represents unexpected or invariant-breaking conditions encountered during execution.
1467	///
1468	/// These variants are emitted as [`Event::Unexpected`] and indicate a defensive check has
1469	/// failed. While these should never occur under normal operation, they are useful for
1470	/// diagnosing issues in production or test environments.
1471	#[derive(Clone, Encode, Decode, DecodeWithMemTracking, PartialEq, TypeInfo, DebugNoBound)]
1472	#[codec(mel_bound())]
1473	#[scale_info(skip_type_params(T))]
1474	pub enum UnexpectedKind<T: Config> {
1475		/// Emitted when calculated era duration exceeds the configured maximum.
1476		EraDurationBoundExceeded,
1477		/// Received a validator activation event that is not recognized.
1478		UnknownValidatorActivation,
1479		/// Failed to proceed paged election due to weight limits
1480		PagedElectionOutOfWeight { page: PageIndex, required: Weight, had: Weight },
1481		/// Payee not set for a staker when paying rewards.
1482		MissingPayee { era: EraIndex, stash: T::AccountId },
1483		/// Total validator weight is zero but incentive allocation exists.
1484		ValidatorIncentiveWeightMismatch { era: EraIndex },
1485		/// Validator incentive transfer from era pot failed.
1486		ValidatorIncentiveTransferFailed { era: EraIndex },
1487	}
1488
1489	#[pallet::error]
1490	#[derive(PartialEq)]
1491	pub enum Error<T> {
1492		/// Not a controller account.
1493		NotController,
1494		/// Not a stash account.
1495		NotStash,
1496		/// Stash is already bonded.
1497		AlreadyBonded,
1498		/// Controller is already paired.
1499		AlreadyPaired,
1500		/// Targets cannot be empty.
1501		EmptyTargets,
1502		/// Duplicate index.
1503		DuplicateIndex,
1504		/// Slash record not found.
1505		InvalidSlashRecord,
1506		/// Cannot bond, nominate or validate with value less than the minimum defined by
1507		/// governance (see `MinValidatorBond` and `MinNominatorBond`). If unbonding is the
1508		/// intention, `chill` first to remove one's role as validator/nominator.
1509		InsufficientBond,
1510		/// Can not schedule more unlock chunks.
1511		NoMoreChunks,
1512		/// Can not rebond without unlocking chunks.
1513		NoUnlockChunk,
1514		/// Attempting to target a stash that still has funds.
1515		FundedTarget,
1516		/// Invalid era to reward.
1517		InvalidEraToReward,
1518		/// Invalid number of nominations.
1519		InvalidNumberOfNominations,
1520		/// Rewards for this era have already been claimed for this validator.
1521		AlreadyClaimed,
1522		/// No nominators exist on this page.
1523		InvalidPage,
1524		/// Incorrect previous history depth input provided.
1525		IncorrectHistoryDepth,
1526		/// Internal state has become somehow corrupted and the operation cannot continue.
1527		BadState,
1528		/// Too many nomination targets supplied.
1529		TooManyTargets,
1530		/// A nomination target was supplied that was blocked or otherwise not a validator.
1531		BadTarget,
1532		/// The user has enough bond and thus cannot be chilled forcefully by an external person.
1533		CannotChillOther,
1534		/// There are too many nominators in the system. Governance needs to adjust the staking
1535		/// settings to keep things safe for the runtime.
1536		TooManyNominators,
1537		/// There are too many validator candidates in the system. Governance needs to adjust the
1538		/// staking settings to keep things safe for the runtime.
1539		TooManyValidators,
1540		/// Commission is too low. Must be at least `MinCommission`.
1541		CommissionTooLow,
1542		/// Some bound is not met.
1543		BoundNotMet,
1544		/// Used when attempting to use deprecated controller account logic.
1545		ControllerDeprecated,
1546		/// Cannot reset a ledger.
1547		CannotRestoreLedger,
1548		/// Provided reward destination is not allowed.
1549		RewardDestinationRestricted,
1550		/// Not enough funds available to withdraw.
1551		NotEnoughFunds,
1552		/// Operation not allowed for virtual stakers.
1553		VirtualStakerNotAllowed,
1554		/// Stash could not be reaped as other pallet might depend on it.
1555		CannotReapStash,
1556		/// The stake of this account is already migrated to `Fungible` holds.
1557		AlreadyMigrated,
1558		/// Era not yet started.
1559		EraNotStarted,
1560		/// Account is restricted from participation in staking. This may happen if the account is
1561		/// staking in another way already, such as via pool.
1562		Restricted,
1563		/// Unapplied slashes in the recently concluded era is blocking this operation.
1564		/// See `Call::apply_slash` to apply them.
1565		UnappliedSlashesInPreviousEra,
1566		/// The era is not eligible for pruning.
1567		EraNotPrunable,
1568		/// The slash has been cancelled and cannot be applied.
1569		CancelledSlash,
1570		/// Commission is higher than the allowed maximum `MaxCommission`.
1571		CommissionTooHigh,
1572		/// Optimum self-stake cannot be greater than hard cap.
1573		OptimumGreaterThanCap,
1574		/// Validator inactivity proof is invalid.
1575		InvalidInactivityProof(InvalidInactivityProofError),
1576		/// Cannot set [`ChillInactiveThreshold`] to the provided value.
1577		InvalidChillInactiveThreshold,
1578	}
1579
1580	#[derive(Encode, Decode, DecodeWithMemTracking, PartialEq, Eq, TypeInfo, PalletError)]
1581	pub enum InvalidInactivityProofError {
1582		/// Invalid proof length.
1583		InvalidLen,
1584		/// Eras in proof are not sorted.
1585		NotSorted,
1586		/// Validator wasn't expected to validate at some era.
1587		ValidatorNotExposed,
1588		/// Validator wasn't inactive at some era.
1589		ValidatorActive,
1590		/// An invalid era was provided in the proof.
1591		InvalidEra,
1592	}
1593
1594	impl<T: Config> Pallet<T> {
1595		/// Apply previously-unapplied slashes on the beginning of a new era, after a delay.
1596		pub fn apply_unapplied_slashes(active_era: EraIndex) -> Weight {
1597			let mut slashes = UnappliedSlashes::<T>::iter_prefix(&active_era).take(1);
1598			if let Some((key, slash)) = slashes.next() {
1599				crate::log!(
1600					debug,
1601					"🦹 found slash {:?} scheduled to be executed in era {:?}",
1602					slash,
1603					active_era,
1604				);
1605
1606				let nominators_slashed = slash.others.len() as u32;
1607
1608				// Check if this slash has been cancelled
1609				if Self::check_slash_cancelled(active_era, &key.0, key.1) {
1610					crate::log!(
1611						debug,
1612						"🦹 slash for {:?} in era {:?} was cancelled, skipping",
1613						key.0,
1614						active_era,
1615					);
1616				} else {
1617					slashing::apply_slash::<T>(slash, Self::offence_era_of(active_era));
1618				}
1619
1620				// Always remove the slash from UnappliedSlashes
1621				UnappliedSlashes::<T>::remove(&active_era, &key);
1622
1623				// Check if there are more slashes for this era
1624				if UnappliedSlashes::<T>::iter_prefix(&active_era).next().is_none() {
1625					// No more slashes for this era, clear CancelledSlashes
1626					CancelledSlashes::<T>::remove(&active_era);
1627				}
1628
1629				T::WeightInfo::apply_slash(nominators_slashed)
1630			} else {
1631				// No slashes found for this era
1632				T::DbWeight::get().reads(1)
1633			}
1634		}
1635
1636		/// Execute one step of era pruning and get actual weight used
1637		fn do_prune_era_step(era: EraIndex) -> Result<Weight, DispatchError> {
1638			// Get current pruning state. If EraPruningState doesn't exist, it means:
1639			// - Era was never marked for pruning, OR
1640			// - Era was already fully pruned (pruning state was removed on final step)
1641			// In either case, this is an error - user should not call prune on non-prunable eras
1642			let current_step = EraPruningState::<T>::get(era).ok_or(Error::<T>::EraNotPrunable)?;
1643
1644			// Limit items to prevent deleting more than we can safely account for in weight
1645			// calculations
1646			let items_limit = T::MaxPruningItems::get().min(T::MaxValidatorSet::get());
1647
1648			let actual_weight = match current_step {
1649				PruningStep::ErasStakersPaged => {
1650					let result = ErasStakersPaged::<T>::clear_prefix((era,), items_limit, None);
1651					let items_deleted = result.backend as u32;
1652					result.maybe_cursor.is_none().then(|| {
1653						EraPruningState::<T>::insert(era, PruningStep::ErasStakersOverview)
1654					});
1655					T::WeightInfo::prune_era_stakers_paged(items_deleted)
1656				},
1657				PruningStep::ErasStakersOverview => {
1658					let result = ErasStakersOverview::<T>::clear_prefix(era, items_limit, None);
1659					let items_deleted = result.backend as u32;
1660					result.maybe_cursor.is_none().then(|| {
1661						EraPruningState::<T>::insert(era, PruningStep::ErasValidatorPrefs)
1662					});
1663					T::WeightInfo::prune_era_stakers_overview(items_deleted)
1664				},
1665				PruningStep::ErasValidatorPrefs => {
1666					let result = ErasValidatorPrefs::<T>::clear_prefix(era, items_limit, None);
1667					let items_deleted = result.backend as u32;
1668					result
1669						.maybe_cursor
1670						.is_none()
1671						.then(|| EraPruningState::<T>::insert(era, PruningStep::ClaimedRewards));
1672					T::WeightInfo::prune_era_validator_prefs(items_deleted)
1673				},
1674				PruningStep::ClaimedRewards => {
1675					let result = ClaimedRewards::<T>::clear_prefix(era, items_limit, None);
1676					let items_deleted = result.backend as u32;
1677					result.maybe_cursor.is_none().then(|| {
1678						EraPruningState::<T>::insert(era, PruningStep::ErasValidatorReward)
1679					});
1680					T::WeightInfo::prune_era_claimed_rewards(items_deleted)
1681				},
1682				PruningStep::ErasValidatorReward => {
1683					ErasValidatorReward::<T>::remove(era);
1684					EraPruningState::<T>::insert(era, PruningStep::ErasRewardPoints);
1685					T::WeightInfo::prune_era_validator_reward()
1686				},
1687				PruningStep::ErasRewardPoints => {
1688					ErasRewardPoints::<T>::remove(era);
1689					EraPruningState::<T>::insert(era, PruningStep::SingleEntryCleanups);
1690					T::WeightInfo::prune_era_reward_points()
1691				},
1692				PruningStep::SingleEntryCleanups => {
1693					ErasTotalStake::<T>::remove(era);
1694					ErasNominatorsSlashable::<T>::remove(era);
1695					ErasValidatorIncentiveBudget::<T>::remove(era);
1696					ErasSumValidatorIncentiveWeight::<T>::remove(era);
1697					ErasSumWeightedPoints::<T>::remove(era);
1698					EraPruningState::<T>::insert(era, PruningStep::ValidatorSlashInEra);
1699					T::WeightInfo::prune_era_single_entry_cleanups()
1700				},
1701				PruningStep::ValidatorSlashInEra => {
1702					let result = ValidatorSlashInEra::<T>::clear_prefix(era, items_limit, None);
1703					let items_deleted = result.backend as u32;
1704
1705					if result.maybe_cursor.is_none() {
1706						EraPruningState::<T>::insert(
1707							era,
1708							PruningStep::ErasValidatorIncentiveWeight,
1709						);
1710					}
1711
1712					T::WeightInfo::prune_era_validator_slash_in_era(items_deleted)
1713				},
1714				PruningStep::ErasValidatorIncentiveWeight => {
1715					let result =
1716						ErasValidatorIncentiveWeight::<T>::clear_prefix(era, items_limit, None);
1717					if result.maybe_cursor.is_none() {
1718						// Final step — remove pruning state.
1719						EraPruningState::<T>::remove(era);
1720					}
1721					T::WeightInfo::prune_era_validator_incentive_weight(result.backend as u32)
1722				},
1723			};
1724
1725			// Check if era is fully pruned (pruning state removed) and emit event
1726			if EraPruningState::<T>::get(era).is_none() {
1727				Self::deposit_event(Event::<T>::EraPruned { index: era });
1728			}
1729
1730			Ok(actual_weight)
1731		}
1732	}
1733
1734	#[pallet::hooks]
1735	impl<T: Config> Hooks<BlockNumberFor<T>> for Pallet<T> {
1736		fn on_poll(_now: BlockNumberFor<T>, weight_meter: &mut WeightMeter) {
1737			let (weight, exec) = EraElectionPlanner::<T>::maybe_fetch_election_results();
1738			crate::log!(
1739				trace,
1740				"weight of fetching next election page is {:?}, have {:?}",
1741				weight,
1742				weight_meter.remaining()
1743			);
1744
1745			if weight_meter.can_consume(weight) {
1746				exec(weight_meter);
1747			} else {
1748				Self::deposit_event(Event::<T>::Unexpected(
1749					UnexpectedKind::PagedElectionOutOfWeight {
1750						page: NextElectionPage::<T>::get().unwrap_or(
1751							EraElectionPlanner::<T>::election_pages().defensive_saturating_sub(1),
1752						),
1753						required: weight,
1754						had: weight_meter.remaining(),
1755					},
1756				));
1757			}
1758		}
1759
1760		fn on_initialize(_now: BlockNumberFor<T>) -> Weight {
1761			// Process our queue, using the era-specific nominators slashable setting.
1762			let mut consumed_weight = slashing::process_offence_for_era::<T>();
1763
1764			// apply any pending slashes after `SlashDeferDuration`.
1765			consumed_weight.saturating_accrue(T::DbWeight::get().reads(1));
1766			if let Some(active_era) = ActiveEra::<T>::get() {
1767				let slash_weight = Self::apply_unapplied_slashes(active_era.index);
1768				consumed_weight.saturating_accrue(slash_weight);
1769			}
1770
1771			consumed_weight
1772		}
1773
1774		fn integrity_test() {
1775			// ensure that we funnel the correct value to the `DataProvider::MaxVotesPerVoter`;
1776			assert_eq!(
1777				MaxNominationsOf::<T>::get(),
1778				<Self as ElectionDataProvider>::MaxVotesPerVoter::get()
1779			);
1780
1781			// and that MaxNominations is always greater than 1, since we count on this.
1782			assert!(!MaxNominationsOf::<T>::get().is_zero());
1783
1784			assert!(
1785				T::SlashDeferDuration::get() < T::BondingDuration::get() || T::BondingDuration::get() == 0,
1786				"As per documentation, slash defer duration ({}) should be less than bonding duration ({}).",
1787				T::SlashDeferDuration::get(),
1788				T::BondingDuration::get(),
1789			);
1790
1791			// Ensure NominatorFastUnbondDuration is not greater than BondingDuration
1792			assert!(
1793				T::NominatorFastUnbondDuration::get() <= T::BondingDuration::get(),
1794				"NominatorFastUnbondDuration ({}) must not exceed BondingDuration ({}).",
1795				T::NominatorFastUnbondDuration::get(),
1796				T::BondingDuration::get(),
1797			);
1798			// Ensure MaxPruningItems is reasonable (minimum 100 for efficiency)
1799			assert!(
1800				T::MaxPruningItems::get() >= 100,
1801				"MaxPruningItems must be at least 100 for efficient pruning, got: {}",
1802				T::MaxPruningItems::get()
1803			);
1804
1805			assert!(
1806				crate::POT_POOL_SIZE > T::HistoryDepth::get(),
1807				"POT_POOL_SIZE ({}) must be strictly greater than HistoryDepth ({}) \
1808				 to avoid reusing a pot slot whose era is still in the active history.",
1809				crate::POT_POOL_SIZE,
1810				T::HistoryDepth::get(),
1811			);
1812
1813			// If minting is disabled, EraPayout must be a noop to prevent double-minting.
1814			if T::DisableMinting::get() {
1815				let (v, r) = T::EraPayout::era_payout(
1816					BalanceOf::<T>::from(1u64),
1817					BalanceOf::<T>::from(1u64),
1818					1000u64,
1819				);
1820				assert!(
1821					v.is_zero() && r.is_zero(),
1822					"DisableMinting is true but EraPayout returns non-zero. \
1823					 Set EraPayout = () when DisableMinting = true."
1824				);
1825			}
1826		}
1827
1828		#[cfg(feature = "try-runtime")]
1829		fn try_state(n: BlockNumberFor<T>) -> Result<(), sp_runtime::TryRuntimeError> {
1830			Self::do_try_state(n)
1831		}
1832	}
1833
1834	#[pallet::call]
1835	impl<T: Config> Pallet<T> {
1836		/// Take the origin account as a stash and lock up `value` of its balance. `controller` will
1837		/// be the account that controls it.
1838		///
1839		/// `value` must be more than the `minimum_balance` specified by `T::Currency`.
1840		///
1841		/// The dispatch origin for this call must be _Signed_ by the stash account.
1842		///
1843		/// Emits `Bonded`.
1844		///
1845		/// NOTE: Two of the storage writes (`Self::bonded`, `Self::payee`) are _never_ cleaned
1846		/// unless the `origin` falls below _existential deposit_ (or equal to 0) and gets removed
1847		/// as dust.
1848		#[pallet::call_index(0)]
1849		#[pallet::weight(T::WeightInfo::bond())]
1850		pub fn bond(
1851			origin: OriginFor<T>,
1852			#[pallet::compact] value: BalanceOf<T>,
1853			payee: RewardDestination<T::AccountId>,
1854		) -> DispatchResult {
1855			let stash = ensure_signed(origin)?;
1856
1857			ensure!(!T::Filter::contains(&stash), Error::<T>::Restricted);
1858
1859			if StakingLedger::<T>::is_bonded(StakingAccount::Stash(stash.clone())) {
1860				return Err(Error::<T>::AlreadyBonded.into());
1861			}
1862
1863			// An existing controller cannot become a stash.
1864			if StakingLedger::<T>::is_bonded(StakingAccount::Controller(stash.clone())) {
1865				return Err(Error::<T>::AlreadyPaired.into());
1866			}
1867
1868			// Reject a bond which is lower than the minimum bond.
1869			if value < Self::min_chilled_bond() {
1870				return Err(Error::<T>::InsufficientBond.into());
1871			}
1872
1873			let stash_balance = asset::free_to_stake::<T>(&stash);
1874			let value = value.min(stash_balance);
1875			Self::deposit_event(Event::<T>::Bonded { stash: stash.clone(), amount: value });
1876			let ledger = StakingLedger::<T>::new(stash.clone(), value);
1877
1878			// You're auto-bonded forever, here. We might improve this by only bonding when
1879			// you actually validate/nominate and remove once you unbond __everything__.
1880			ledger.bond(payee)?;
1881
1882			Ok(())
1883		}
1884
1885		/// Add some extra amount that have appeared in the stash `free_balance` into the balance up
1886		/// for staking.
1887		///
1888		/// The dispatch origin for this call must be _Signed_ by the stash, not the controller.
1889		///
1890		/// Use this if there are additional funds in your stash account that you wish to bond.
1891		/// Unlike [`bond`](Self::bond) or [`unbond`](Self::unbond) this function does not impose
1892		/// any limitation on the amount that can be added.
1893		///
1894		/// Emits `Bonded`.
1895		#[pallet::call_index(1)]
1896		#[pallet::weight(T::WeightInfo::bond_extra())]
1897		pub fn bond_extra(
1898			origin: OriginFor<T>,
1899			#[pallet::compact] max_additional: BalanceOf<T>,
1900		) -> DispatchResult {
1901			let stash = ensure_signed(origin)?;
1902			ensure!(!T::Filter::contains(&stash), Error::<T>::Restricted);
1903			Self::do_bond_extra(&stash, max_additional)
1904		}
1905
1906		/// Schedule a portion of the stash to be unlocked ready for transfer out after the bond
1907		/// period ends. If this leaves an amount actively bonded less than
1908		/// [`asset::existential_deposit`], then it is increased to the full amount.
1909		///
1910		/// The dispatch origin for this call must be _Signed_ by the controller, not the stash.
1911		///
1912		/// Once the unlock period is done, you can call `withdraw_unbonded` to actually move
1913		/// the funds out of management ready for transfer.
1914		///
1915		/// No more than a limited number of unlocking chunks (see `MaxUnlockingChunks`)
1916		/// can co-exists at the same time. If there are no unlocking chunks slots available
1917		/// [`Call::withdraw_unbonded`] is called to remove some of the chunks (if possible).
1918		///
1919		/// If a user encounters the `InsufficientBond` error when calling this extrinsic,
1920		/// they should call `chill` first in order to free up their bonded funds.
1921		///
1922		/// Emits `Unbonded`.
1923		///
1924		/// See also [`Call::withdraw_unbonded`].
1925		#[pallet::call_index(2)]
1926		#[pallet::weight(
1927            T::WeightInfo::withdraw_unbonded_kill().saturating_add(T::WeightInfo::unbond()))
1928        ]
1929		pub fn unbond(
1930			origin: OriginFor<T>,
1931			#[pallet::compact] value: BalanceOf<T>,
1932		) -> DispatchResultWithPostInfo {
1933			let controller = ensure_signed(origin)?;
1934			let unlocking =
1935				Self::ledger(Controller(controller.clone())).map(|l| l.unlocking.len())?;
1936
1937			// if there are no unlocking chunks available, try to remove any chunks by withdrawing
1938			// funds that have fully unbonded.
1939			let maybe_withdraw_weight = {
1940				if unlocking == T::MaxUnlockingChunks::get() as usize {
1941					Some(Self::do_withdraw_unbonded(&controller)?)
1942				} else {
1943					None
1944				}
1945			};
1946
1947			// we need to fetch the ledger again because it may have been mutated in the call
1948			// to `Self::do_withdraw_unbonded` above.
1949			let mut ledger = Self::ledger(Controller(controller))?;
1950			let mut value = value.min(ledger.active);
1951			let stash = ledger.stash.clone();
1952
1953			// If unbonding all active stake, chill the stash first to avoid `InsufficientBond`
1954			// errors. This matches the behavior of pallet-staking.
1955			let chill_weight = if value >= ledger.active {
1956				Self::chill_stash(&stash);
1957				T::WeightInfo::chill()
1958			} else {
1959				Weight::zero()
1960			};
1961
1962			ensure!(
1963				ledger.unlocking.len() < T::MaxUnlockingChunks::get() as usize,
1964				Error::<T>::NoMoreChunks,
1965			);
1966
1967			if !value.is_zero() {
1968				ledger.active -= value;
1969
1970				// Avoid there being a dust balance left in the staking system.
1971				if ledger.active < asset::existential_deposit::<T>() {
1972					value += ledger.active;
1973					ledger.active = Zero::zero();
1974				}
1975
1976				let is_nominator = Nominators::<T>::contains_key(&stash);
1977
1978				let min_active_bond = if is_nominator {
1979					Self::min_nominator_bond()
1980				} else if Validators::<T>::contains_key(&stash) {
1981					Self::min_validator_bond()
1982				} else {
1983					// staker is chilled, no min bond.
1984					Zero::zero()
1985				};
1986
1987				// Make sure that the user maintains enough active bond for their role.
1988				// If a user runs into this error, they should chill first.
1989				ensure!(ledger.active >= min_active_bond, Error::<T>::InsufficientBond);
1990
1991				// Determine unbonding duration based on validator history.
1992				// If the account was a validator in recent eras (within BondingDuration), they must
1993				// wait the full BondingDuration even if they've switched to nominator role.
1994				// This prevents validators from avoiding slashing by switching roles and using the
1995				// shorter nominator unbonding period.
1996				let active_era = session_rotation::Rotator::<T>::active_era();
1997				let was_recent_validator = LastValidatorEra::<T>::get(&stash)
1998					.map(|last_era| active_era.saturating_sub(last_era) < T::BondingDuration::get())
1999					.unwrap_or(false);
2000
2001				let unbond_duration = if was_recent_validator {
2002					// Use full bonding duration for recent validators
2003					T::BondingDuration::get()
2004				} else {
2005					// Use nominator bonding duration for pure nominators
2006					<Self as sp_staking::StakingInterface>::nominator_bonding_duration()
2007				};
2008
2009				let era =
2010					session_rotation::Rotator::<T>::active_era().saturating_add(unbond_duration);
2011				if let Some(chunk) = ledger.unlocking.last_mut().filter(|chunk| chunk.era == era) {
2012					// To keep the chunk count down, we only keep one chunk per era. Since
2013					// `unlocking` is a FiFo queue, if a chunk exists for `era` we know that it will
2014					// be the last one.
2015					chunk.value = chunk.value.defensive_saturating_add(value)
2016				} else {
2017					ledger
2018						.unlocking
2019						.try_push(UnlockChunk { value, era })
2020						.map_err(|_| Error::<T>::NoMoreChunks)?;
2021				};
2022				// NOTE: ledger must be updated prior to calling `Self::weight_of`.
2023				ledger.update()?;
2024
2025				// update this staker in the sorted list, if they exist in it.
2026				if T::VoterList::contains(&stash) {
2027					let _ = T::VoterList::on_update(&stash, Self::weight_of(&stash));
2028				}
2029
2030				Self::deposit_event(Event::<T>::Unbonded { stash, amount: value });
2031			}
2032
2033			let actual_weight = if let Some(withdraw_weight) = maybe_withdraw_weight {
2034				Some(
2035					T::WeightInfo::unbond()
2036						.saturating_add(withdraw_weight)
2037						.saturating_add(chill_weight),
2038				)
2039			} else {
2040				Some(T::WeightInfo::unbond().saturating_add(chill_weight))
2041			};
2042
2043			Ok(actual_weight.into())
2044		}
2045
2046		/// Remove any stake that has been fully unbonded and is ready for withdrawal.
2047		///
2048		/// Stake is considered fully unbonded once [`Config::BondingDuration`] has elapsed since
2049		/// the unbonding was initiated. In rare cases—such as when offences for the unbonded era
2050		/// have been reported but not yet processed—withdrawal is restricted to eras for which
2051		/// all offences have been processed.
2052		///
2053		/// The unlocked stake will be returned as free balance in the stash account.
2054		///
2055		/// The dispatch origin for this call must be _Signed_ by the controller.
2056		///
2057		/// Emits `Withdrawn`.
2058		///
2059		/// See also [`Call::unbond`].
2060		///
2061		/// ## Parameters
2062		///
2063		/// - `num_slashing_spans`: **Deprecated**. Retained only for backward compatibility; this
2064		///   parameter has no effect.
2065		#[pallet::call_index(3)]
2066		#[pallet::weight(T::WeightInfo::withdraw_unbonded_kill())]
2067		pub fn withdraw_unbonded(
2068			origin: OriginFor<T>,
2069			_num_slashing_spans: u32,
2070		) -> DispatchResultWithPostInfo {
2071			let controller = ensure_signed(origin)?;
2072
2073			let actual_weight = Self::do_withdraw_unbonded(&controller)?;
2074			Ok(Some(actual_weight).into())
2075		}
2076
2077		/// Declare the desire to validate for the origin controller.
2078		///
2079		/// Effects will be felt at the beginning of the next era.
2080		///
2081		/// The dispatch origin for this call must be _Signed_ by the controller, not the stash.
2082		#[pallet::call_index(4)]
2083		#[pallet::weight(T::WeightInfo::validate())]
2084		pub fn validate(origin: OriginFor<T>, prefs: ValidatorPrefs) -> DispatchResult {
2085			let controller = ensure_signed(origin)?;
2086
2087			let ledger = Self::ledger(Controller(controller))?;
2088
2089			ensure!(ledger.active >= Self::min_validator_bond(), Error::<T>::InsufficientBond);
2090			let stash = &ledger.stash;
2091
2092			// ensure their commission is correct.
2093			ensure!(prefs.commission >= MinCommission::<T>::get(), Error::<T>::CommissionTooLow);
2094			ensure!(prefs.commission <= MaxCommission::<T>::get(), Error::<T>::CommissionTooHigh);
2095
2096			// Only check limits if they are not already a validator.
2097			if !Validators::<T>::contains_key(stash) {
2098				// If this error is reached, we need to adjust the `MinValidatorBond` and start
2099				// calling `chill_other`. Until then, we explicitly block new validators to protect
2100				// the runtime.
2101				if let Some(max_validators) = MaxValidatorsCount::<T>::get() {
2102					ensure!(
2103						Validators::<T>::count() < max_validators,
2104						Error::<T>::TooManyValidators
2105					);
2106				}
2107			}
2108
2109			Self::do_remove_nominator(stash);
2110			Self::do_add_validator(stash, prefs.clone());
2111			Self::deposit_event(Event::<T>::ValidatorPrefsSet { stash: ledger.stash, prefs });
2112
2113			Ok(())
2114		}
2115
2116		/// Declare the desire to nominate `targets` for the origin controller.
2117		///
2118		/// Effects will be felt at the beginning of the next era.
2119		///
2120		/// The dispatch origin for this call must be _Signed_ by the controller, not the stash.
2121		#[pallet::call_index(5)]
2122		#[pallet::weight(T::WeightInfo::nominate(targets.len() as u32))]
2123		pub fn nominate(
2124			origin: OriginFor<T>,
2125			targets: Vec<AccountIdLookupOf<T>>,
2126		) -> DispatchResult {
2127			let controller = ensure_signed(origin)?;
2128
2129			let ledger = Self::ledger(StakingAccount::Controller(controller.clone()))?;
2130
2131			ensure!(ledger.active >= Self::min_nominator_bond(), Error::<T>::InsufficientBond);
2132			let stash = &ledger.stash;
2133
2134			// Only check limits if they are not already a nominator.
2135			if !Nominators::<T>::contains_key(stash) {
2136				// If this error is reached, we need to adjust the `MinNominatorBond` and start
2137				// calling `chill_other`. Until then, we explicitly block new nominators to protect
2138				// the runtime.
2139				if let Some(max_nominators) = MaxNominatorsCount::<T>::get() {
2140					ensure!(
2141						Nominators::<T>::count() < max_nominators,
2142						Error::<T>::TooManyNominators
2143					);
2144				}
2145			}
2146
2147			// dedup targets
2148			let mut targets = targets
2149				.into_iter()
2150				.map(|t| T::Lookup::lookup(t).map_err(DispatchError::from))
2151				.collect::<Result<Vec<_>, _>>()?;
2152			targets.sort();
2153			targets.dedup();
2154
2155			ensure!(!targets.is_empty(), Error::<T>::EmptyTargets);
2156			ensure!(
2157				targets.len() <= T::NominationsQuota::get_quota(ledger.active) as usize,
2158				Error::<T>::TooManyTargets
2159			);
2160
2161			let old = Nominators::<T>::get(stash).map_or_else(Vec::new, |x| x.targets.into_inner());
2162
2163			let targets: BoundedVec<_, _> = targets
2164				.into_iter()
2165				.map(|n| {
2166					if old.contains(&n) ||
2167						(Validators::<T>::contains_key(&n) && !Validators::<T>::get(&n).blocked)
2168					{
2169						Ok(n)
2170					} else {
2171						Err(Error::<T>::BadTarget.into())
2172					}
2173				})
2174				.collect::<Result<Vec<_>, DispatchError>>()?
2175				.try_into()
2176				.map_err(|_| Error::<T>::TooManyNominators)?;
2177
2178			let nominations = Nominations {
2179				targets,
2180				// Initial nominations are considered submitted at era 0. See `Nominations` doc.
2181				submitted_in: CurrentEra::<T>::get().unwrap_or(0),
2182				suppressed: false,
2183			};
2184
2185			Self::do_remove_validator(stash);
2186			Self::do_add_nominator(stash, nominations);
2187			Ok(())
2188		}
2189
2190		/// Declare no desire to either validate or nominate.
2191		///
2192		/// Effects will be felt at the beginning of the next era.
2193		///
2194		/// The dispatch origin for this call must be _Signed_ by the controller, not the stash.
2195		///
2196		/// ## Complexity
2197		/// - Independent of the arguments. Insignificant complexity.
2198		/// - Contains one read.
2199		/// - Writes are limited to the `origin` account key.
2200		#[pallet::call_index(6)]
2201		#[pallet::weight(T::WeightInfo::chill())]
2202		pub fn chill(origin: OriginFor<T>) -> DispatchResult {
2203			let controller = ensure_signed(origin)?;
2204
2205			let ledger = Self::ledger(StakingAccount::Controller(controller))?;
2206
2207			Self::chill_stash(&ledger.stash);
2208			Ok(())
2209		}
2210
2211		/// (Re-)set the payment target for a controller.
2212		///
2213		/// Effects will be felt instantly (as soon as this function is completed successfully).
2214		///
2215		/// The dispatch origin for this call must be _Signed_ by the controller, not the stash.
2216		#[pallet::call_index(7)]
2217		#[pallet::weight(T::WeightInfo::set_payee())]
2218		pub fn set_payee(
2219			origin: OriginFor<T>,
2220			payee: RewardDestination<T::AccountId>,
2221		) -> DispatchResult {
2222			let controller = ensure_signed(origin)?;
2223			let ledger = Self::ledger(Controller(controller.clone()))?;
2224
2225			ensure!(
2226				(payee != {
2227					#[allow(deprecated)]
2228					RewardDestination::Controller
2229				}),
2230				Error::<T>::ControllerDeprecated
2231			);
2232
2233			let _ = ledger
2234				.set_payee(payee)
2235				.defensive_proof("ledger was retrieved from storage, thus it's bonded; qed.")?;
2236
2237			Ok(())
2238		}
2239
2240		/// (Re-)sets the controller of a stash to the stash itself. This function previously
2241		/// accepted a `controller` argument to set the controller to an account other than the
2242		/// stash itself. This functionality has now been removed, now only setting the controller
2243		/// to the stash, if it is not already.
2244		///
2245		/// Effects will be felt instantly (as soon as this function is completed successfully).
2246		///
2247		/// The dispatch origin for this call must be _Signed_ by the stash, not the controller.
2248		#[pallet::call_index(8)]
2249		#[pallet::weight(T::WeightInfo::set_controller())]
2250		pub fn set_controller(origin: OriginFor<T>) -> DispatchResult {
2251			let stash = ensure_signed(origin)?;
2252
2253			Self::ledger(StakingAccount::Stash(stash.clone())).map(|ledger| {
2254				let controller = ledger.controller()
2255                    .defensive_proof("Ledger's controller field didn't exist. The controller should have been fetched using StakingLedger.")
2256                    .ok_or(Error::<T>::NotController)?;
2257
2258				if controller == stash {
2259					// Stash is already its own controller.
2260					return Err(Error::<T>::AlreadyPaired.into())
2261				}
2262
2263				let _ = ledger.set_controller_to_stash()?;
2264				Ok(())
2265			})?
2266		}
2267
2268		/// Sets the ideal number of validators.
2269		///
2270		/// The dispatch origin must be Root.
2271		#[pallet::call_index(9)]
2272		#[pallet::weight(T::WeightInfo::set_validator_count())]
2273		pub fn set_validator_count(
2274			origin: OriginFor<T>,
2275			#[pallet::compact] new: u32,
2276		) -> DispatchResult {
2277			ensure_root(origin)?;
2278
2279			ensure!(new <= T::MaxValidatorSet::get(), Error::<T>::TooManyValidators);
2280
2281			ValidatorCount::<T>::put(new);
2282			Ok(())
2283		}
2284
2285		/// Increments the ideal number of validators up to maximum of
2286		/// `T::MaxValidatorSet`.
2287		///
2288		/// The dispatch origin must be Root.
2289		#[pallet::call_index(10)]
2290		#[pallet::weight(T::WeightInfo::set_validator_count())]
2291		pub fn increase_validator_count(
2292			origin: OriginFor<T>,
2293			#[pallet::compact] additional: u32,
2294		) -> DispatchResult {
2295			ensure_root(origin)?;
2296			let old = ValidatorCount::<T>::get();
2297			let new = old.checked_add(additional).ok_or(ArithmeticError::Overflow)?;
2298
2299			ensure!(new <= T::MaxValidatorSet::get(), Error::<T>::TooManyValidators);
2300
2301			ValidatorCount::<T>::put(new);
2302			Ok(())
2303		}
2304
2305		/// Scale up the ideal number of validators by a factor up to maximum of
2306		/// `T::MaxValidatorSet`.
2307		///
2308		/// The dispatch origin must be Root.
2309		#[pallet::call_index(11)]
2310		#[pallet::weight(T::WeightInfo::set_validator_count())]
2311		pub fn scale_validator_count(origin: OriginFor<T>, factor: Percent) -> DispatchResult {
2312			ensure_root(origin)?;
2313			let old = ValidatorCount::<T>::get();
2314			let new = old.checked_add(factor.mul_floor(old)).ok_or(ArithmeticError::Overflow)?;
2315
2316			ensure!(new <= T::MaxValidatorSet::get(), Error::<T>::TooManyValidators);
2317
2318			ValidatorCount::<T>::put(new);
2319			Ok(())
2320		}
2321
2322		/// Force there to be no new eras indefinitely.
2323		///
2324		/// The dispatch origin must be Root.
2325		///
2326		/// # Warning
2327		///
2328		/// The election process starts multiple blocks before the end of the era.
2329		/// Thus the election process may be ongoing when this is called. In this case the
2330		/// election will continue until the next era is triggered.
2331		#[pallet::call_index(12)]
2332		#[pallet::weight(T::WeightInfo::force_no_eras())]
2333		pub fn force_no_eras(origin: OriginFor<T>) -> DispatchResult {
2334			ensure_root(origin)?;
2335			Self::set_force_era(Forcing::ForceNone);
2336			Ok(())
2337		}
2338
2339		/// Force there to be a new era at the end of the next session. After this, it will be
2340		/// reset to normal (non-forced) behaviour.
2341		///
2342		/// The dispatch origin must be Root.
2343		///
2344		/// # Warning
2345		///
2346		/// The election process starts multiple blocks before the end of the era.
2347		/// If this is called just before a new era is triggered, the election process may not
2348		/// have enough blocks to get a result.
2349		#[pallet::call_index(13)]
2350		#[pallet::weight(T::WeightInfo::force_new_era())]
2351		pub fn force_new_era(origin: OriginFor<T>) -> DispatchResult {
2352			ensure_root(origin)?;
2353			Self::set_force_era(Forcing::ForceNew);
2354			Ok(())
2355		}
2356
2357		/// Force a current staker to become completely unstaked, immediately.
2358		///
2359		/// The dispatch origin must be Root.
2360		/// ## Parameters
2361		///
2362		/// - `stash`: The stash account to be unstaked.
2363		/// - `num_slashing_spans`: **Deprecated**. This parameter is retained for backward
2364		/// compatibility. It no longer has any effect.
2365		#[pallet::call_index(15)]
2366		#[pallet::weight(T::WeightInfo::force_unstake())]
2367		pub fn force_unstake(
2368			origin: OriginFor<T>,
2369			stash: T::AccountId,
2370			_num_slashing_spans: u32,
2371		) -> DispatchResult {
2372			ensure_root(origin)?;
2373
2374			// Remove all staking-related information and lock.
2375			Self::kill_stash(&stash)?;
2376
2377			Ok(())
2378		}
2379
2380		/// Force there to be a new era at the end of sessions indefinitely.
2381		///
2382		/// The dispatch origin must be Root.
2383		///
2384		/// # Warning
2385		///
2386		/// The election process starts multiple blocks before the end of the era.
2387		/// If this is called just before a new era is triggered, the election process may not
2388		/// have enough blocks to get a result.
2389		#[pallet::call_index(16)]
2390		#[pallet::weight(T::WeightInfo::force_new_era_always())]
2391		pub fn force_new_era_always(origin: OriginFor<T>) -> DispatchResult {
2392			ensure_root(origin)?;
2393			Self::set_force_era(Forcing::ForceAlways);
2394			Ok(())
2395		}
2396
2397		/// Cancels scheduled slashes for a given era before they are applied.
2398		///
2399		/// This function allows `T::AdminOrigin` to cancel pending slashes for specified validators
2400		/// in a given era. The cancelled slashes are stored and will be checked when applying
2401		/// slashes.
2402		///
2403		/// ## Parameters
2404		/// - `era`: The staking era for which slashes should be cancelled. This is the era where
2405		///   the slash would be applied, not the era in which the offence was committed.
2406		/// - `validator_slashes`: A list of validator stash accounts and their slash fractions to
2407		///   be cancelled.
2408		#[pallet::call_index(17)]
2409		#[pallet::weight(T::WeightInfo::cancel_deferred_slash(validator_slashes.len() as u32))]
2410		pub fn cancel_deferred_slash(
2411			origin: OriginFor<T>,
2412			era: EraIndex,
2413			validator_slashes: Vec<(T::AccountId, Perbill)>,
2414		) -> DispatchResult {
2415			T::AdminOrigin::ensure_origin(origin)?;
2416			ensure!(!validator_slashes.is_empty(), Error::<T>::EmptyTargets);
2417
2418			// Get current cancelled slashes for this era
2419			let mut cancelled_slashes = CancelledSlashes::<T>::get(&era);
2420
2421			// Process each validator slash
2422			for (validator, slash_fraction) in validator_slashes {
2423				// Since this is gated by admin origin, we don't need to check if they are really
2424				// validators and trust governance to correctly set the parameters.
2425
2426				// Remove any existing entry for this validator
2427				cancelled_slashes.retain(|(v, _)| v != &validator);
2428
2429				// Add the validator with the specified slash fraction
2430				cancelled_slashes
2431					.try_push((validator.clone(), slash_fraction))
2432					.map_err(|_| Error::<T>::BoundNotMet)
2433					.defensive_proof("cancelled_slashes should have capacity for all validators")?;
2434
2435				Self::deposit_event(Event::<T>::SlashCancelled { slash_era: era, validator });
2436			}
2437
2438			// Update storage
2439			CancelledSlashes::<T>::insert(&era, cancelled_slashes);
2440
2441			Ok(())
2442		}
2443
2444		/// Pay out next page of the stakers behind a validator for the given era.
2445		///
2446		/// - `validator_stash` is the stash account of the validator.
2447		/// - `era` may be any era between `[current_era - history_depth; current_era]`.
2448		///
2449		/// The origin of this call must be _Signed_. Any account can call this function, even if
2450		/// it is not one of the stakers.
2451		///
2452		/// The reward payout could be paged in case there are too many nominators backing the
2453		/// `validator_stash`. This call will payout unpaid pages in an ascending order. To claim a
2454		/// specific page, use `payout_stakers_by_page`.`
2455		///
2456		/// If all pages are claimed, it returns an error `InvalidPage`.
2457		#[pallet::call_index(18)]
2458		#[pallet::weight(T::WeightInfo::payout_stakers_alive_staked(T::MaxExposurePageSize::get()))]
2459		pub fn payout_stakers(
2460			origin: OriginFor<T>,
2461			validator_stash: T::AccountId,
2462			era: EraIndex,
2463		) -> DispatchResultWithPostInfo {
2464			ensure_signed(origin)?;
2465
2466			Self::do_payout_stakers(validator_stash, era)
2467		}
2468
2469		/// Rebond a portion of the stash scheduled to be unlocked.
2470		///
2471		/// The dispatch origin must be signed by the controller.
2472		#[pallet::call_index(19)]
2473		#[pallet::weight(T::WeightInfo::rebond(T::MaxUnlockingChunks::get() as u32))]
2474		pub fn rebond(
2475			origin: OriginFor<T>,
2476			#[pallet::compact] value: BalanceOf<T>,
2477		) -> DispatchResultWithPostInfo {
2478			let controller = ensure_signed(origin)?;
2479			let ledger = Self::ledger(Controller(controller))?;
2480
2481			ensure!(!T::Filter::contains(&ledger.stash), Error::<T>::Restricted);
2482			ensure!(!ledger.unlocking.is_empty(), Error::<T>::NoUnlockChunk);
2483
2484			let initial_unlocking = ledger.unlocking.len() as u32;
2485			let (ledger, rebonded_value) = ledger.rebond(value);
2486			// Last check: the new active amount of ledger must be more than min bond.
2487			ensure!(ledger.active >= Self::min_chilled_bond(), Error::<T>::InsufficientBond);
2488
2489			Self::deposit_event(Event::<T>::Bonded {
2490				stash: ledger.stash.clone(),
2491				amount: rebonded_value,
2492			});
2493
2494			let stash = ledger.stash.clone();
2495			let final_unlocking = ledger.unlocking.len();
2496
2497			// NOTE: ledger must be updated prior to calling `Self::weight_of`.
2498			ledger.update()?;
2499			if T::VoterList::contains(&stash) {
2500				let _ = T::VoterList::on_update(&stash, Self::weight_of(&stash));
2501			}
2502
2503			let removed_chunks = 1u32 // for the case where the last iterated chunk is not removed
2504				.saturating_add(initial_unlocking)
2505				.saturating_sub(final_unlocking as u32);
2506			Ok(Some(T::WeightInfo::rebond(removed_chunks)).into())
2507		}
2508
2509		/// Remove all data structures concerning a staker/stash once it is at a state where it can
2510		/// be considered `dust` in the staking system. The requirements are:
2511		///
2512		/// 1. the `total_balance` of the stash is below the existential deposit.
2513		/// 2. or, the `ledger.total` of the stash is below the existential deposit.
2514		///
2515		/// The former can happen in cases like a slash; the latter when a fully unbonded account
2516		/// is still receiving staking rewards in `RewardDestination::Staked`.
2517		///
2518		/// The gate is intentionally the existential deposit and *not* `min_chilled_bond`: a
2519		/// governance change to `MinValidatorBond` / `MinNominatorBond` must not turn previously
2520		/// safe stashes into permissionlessly reapable ones. Accounts that fall below the new
2521		/// minimums after such a change should be `chill_other`-ed (which has a density gate and
2522		/// does not destroy the ledger), not reaped.
2523		///
2524		/// It can be called by anyone, as long as `stash` meets the above requirements.
2525		///
2526		/// Refunds the transaction fees upon successful execution.
2527		///
2528		/// ## Parameters
2529		///
2530		/// - `stash`: The stash account to be reaped.
2531		/// - `num_slashing_spans`: **Deprecated**. This parameter is retained for backward
2532		/// compatibility. It no longer has any effect.
2533		#[pallet::call_index(20)]
2534		#[pallet::weight(T::WeightInfo::reap_stash())]
2535		pub fn reap_stash(
2536			origin: OriginFor<T>,
2537			stash: T::AccountId,
2538			_num_slashing_spans: u32,
2539		) -> DispatchResultWithPostInfo {
2540			let _ = ensure_signed(origin)?;
2541
2542			// virtual stakers should not be allowed to be reaped.
2543			ensure!(!Self::is_virtual_staker(&stash), Error::<T>::VirtualStakerNotAllowed);
2544
2545			let ed = asset::existential_deposit::<T>();
2546			let origin_balance = asset::total_balance::<T>(&stash);
2547			let ledger_total =
2548				Self::ledger(Stash(stash.clone())).map(|l| l.total).unwrap_or_default();
2549			let reapable = origin_balance < ed ||
2550				origin_balance.is_zero() ||
2551				ledger_total < ed ||
2552				ledger_total.is_zero();
2553			ensure!(reapable, Error::<T>::FundedTarget);
2554
2555			// Remove all staking-related information and lock.
2556			Self::kill_stash(&stash)?;
2557
2558			Ok(Pays::No.into())
2559		}
2560
2561		/// Remove the given nominations from the calling validator.
2562		///
2563		/// Effects will be felt at the beginning of the next era.
2564		///
2565		/// The dispatch origin for this call must be _Signed_ by the controller, not the stash.
2566		///
2567		/// - `who`: A list of nominator stash accounts who are nominating this validator which
2568		///   should no longer be nominating this validator.
2569		///
2570		/// Note: Making this call only makes sense if you first set the validator preferences to
2571		/// block any further nominations.
2572		#[pallet::call_index(21)]
2573		#[pallet::weight(T::WeightInfo::kick(who.len() as u32))]
2574		pub fn kick(origin: OriginFor<T>, who: Vec<AccountIdLookupOf<T>>) -> DispatchResult {
2575			let controller = ensure_signed(origin)?;
2576			let ledger = Self::ledger(Controller(controller))?;
2577			let stash = &ledger.stash;
2578
2579			for nom_stash in who
2580				.into_iter()
2581				.map(T::Lookup::lookup)
2582				.collect::<Result<Vec<T::AccountId>, _>>()?
2583				.into_iter()
2584			{
2585				Nominators::<T>::mutate(&nom_stash, |maybe_nom| {
2586					if let Some(ref mut nom) = maybe_nom {
2587						if let Some(pos) = nom.targets.iter().position(|v| v == stash) {
2588							nom.targets.swap_remove(pos);
2589							Self::deposit_event(Event::<T>::Kicked {
2590								nominator: nom_stash.clone(),
2591								stash: stash.clone(),
2592							});
2593						}
2594					}
2595				});
2596			}
2597
2598			Ok(())
2599		}
2600
2601		/// Update the various staking configurations .
2602		///
2603		/// * `min_nominator_bond`: The minimum active bond needed to be a nominator.
2604		/// * `min_validator_bond`: The minimum active bond needed to be a validator.
2605		/// * `max_nominator_count`: The max number of users who can be a nominator at once. When
2606		///   set to `None`, no limit is enforced.
2607		/// * `max_validator_count`: The max number of users who can be a validator at once. When
2608		///   set to `None`, no limit is enforced.
2609		/// * `chill_threshold`: The ratio of `max_nominator_count` or `max_validator_count` which
2610		///   should be filled in order for the `chill_other` transaction to work.
2611		/// * `min_commission`: The minimum amount of commission that each validators must maintain.
2612		///   This is checked only upon calling `validate`. Existing validators are not affected.
2613		/// * `chill_inactive_threshold`: The number of eras a validator can remain inactive during
2614		///   the last [`Config::HistoryDepth`] eras before being subject to chilling becuase of
2615		///   inactivity.
2616		///
2617		/// RuntimeOrigin must be Root to call this function.
2618		///
2619		/// NOTE: Existing nominators and validators will not be affected by this update.
2620		/// to kick people under the new limits, `chill_other` should be called.
2621		// We assume the worst case for this call is either: all items are set or all items are
2622		// removed.
2623		#[pallet::call_index(22)]
2624		#[pallet::weight(
2625			T::WeightInfo::set_staking_configs_all_set()
2626				.max(T::WeightInfo::set_staking_configs_all_remove())
2627		)]
2628		pub fn set_staking_configs(
2629			origin: OriginFor<T>,
2630			min_nominator_bond: ConfigOp<BalanceOf<T>>,
2631			min_validator_bond: ConfigOp<BalanceOf<T>>,
2632			max_nominator_count: ConfigOp<u32>,
2633			max_validator_count: ConfigOp<u32>,
2634			chill_threshold: ConfigOp<Percent>,
2635			min_commission: ConfigOp<Perbill>,
2636			max_staked_rewards: ConfigOp<Percent>,
2637			are_nominators_slashable: ConfigOp<bool>,
2638			chill_inactive_threshold: ConfigOp<u32>,
2639		) -> DispatchResult {
2640			ensure_root(origin)?;
2641
2642			if let ConfigOp::Set(threshold) = chill_inactive_threshold {
2643				ensure!(
2644					threshold > 1 && threshold <= T::HistoryDepth::get(),
2645					Error::<T>::InvalidChillInactiveThreshold
2646				);
2647			}
2648
2649			macro_rules! config_op_exp {
2650				($storage:ty, $op:ident) => {
2651					match $op {
2652						ConfigOp::Noop => (),
2653						ConfigOp::Set(v) => <$storage>::put(v),
2654						ConfigOp::Remove => <$storage>::kill(),
2655					}
2656				};
2657			}
2658
2659			config_op_exp!(MinNominatorBond<T>, min_nominator_bond);
2660			config_op_exp!(MinValidatorBond<T>, min_validator_bond);
2661			config_op_exp!(MaxNominatorsCount<T>, max_nominator_count);
2662			config_op_exp!(MaxValidatorsCount<T>, max_validator_count);
2663			config_op_exp!(ChillThreshold<T>, chill_threshold);
2664			config_op_exp!(MinCommission<T>, min_commission);
2665			config_op_exp!(MaxStakedRewards<T>, max_staked_rewards);
2666			config_op_exp!(AreNominatorsSlashable<T>, are_nominators_slashable);
2667			config_op_exp!(ChillInactiveThreshold<T>, chill_inactive_threshold);
2668
2669			Ok(())
2670		}
2671		/// Declare a `controller` to stop participating as either a validator or nominator.
2672		///
2673		/// Effects will be felt at the beginning of the next era.
2674		///
2675		/// The dispatch origin for this call must be _Signed_, but can be called by anyone.
2676		///
2677		/// If the caller is the same as the controller being targeted, then no further checks are
2678		/// enforced, and this function behaves just like `chill`.
2679		///
2680		/// If the caller is different than the controller being targeted, the following conditions
2681		/// must be met:
2682		///
2683		/// * `controller` must belong to a nominator who has become non-decodable,
2684		///
2685		/// Or:
2686		///
2687		/// * A `ChillThreshold` must be set and checked which defines how close to the max
2688		///   nominators or validators we must reach before users can start chilling one-another.
2689		/// * A `MaxNominatorCount` and `MaxValidatorCount` must be set which is used to determine
2690		///   how close we are to the threshold.
2691		/// * A `MinNominatorBond` and `MinValidatorBond` must be set and checked, which determines
2692		///   if this is a person that should be chilled because they have not met the threshold
2693		///   bond required.
2694		///
2695		/// This can be helpful if bond requirements are updated, and we need to remove old users
2696		/// who do not satisfy these requirements.
2697		#[pallet::call_index(23)]
2698		#[pallet::weight(T::WeightInfo::chill_other())]
2699		pub fn chill_other(origin: OriginFor<T>, stash: T::AccountId) -> DispatchResult {
2700			// Anyone can call this function.
2701			let caller = ensure_signed(origin)?;
2702			let ledger = Self::ledger(Stash(stash.clone()))?;
2703			let controller = ledger
2704				.controller()
2705				.defensive_proof(
2706					"Ledger's controller field didn't exist. The controller should have been fetched using StakingLedger.",
2707				)
2708				.ok_or(Error::<T>::NotController)?;
2709
2710			// In order for one user to chill another user, the following conditions must be met:
2711			//
2712			// * `controller` belongs to a nominator who has become non-decodable,
2713			//
2714			// Or
2715			//
2716			// * A `ChillThreshold` is set which defines how close to the max nominators or
2717			//   validators we must reach before users can start chilling one-another.
2718			// * A `MaxNominatorCount` and `MaxValidatorCount` which is used to determine how close
2719			//   we are to the threshold.
2720			// * A `MinNominatorBond` and `MinValidatorBond` which is the final condition checked to
2721			//   determine this is a person that should be chilled because they have not met the
2722			//   threshold bond required.
2723			//
2724			// Otherwise, if caller is the same as the controller, this is just like `chill`.
2725
2726			if Nominators::<T>::contains_key(&stash) && Nominators::<T>::get(&stash).is_none() {
2727				Self::chill_stash(&stash);
2728				return Ok(());
2729			}
2730
2731			if caller != controller {
2732				let threshold = ChillThreshold::<T>::get().ok_or(Error::<T>::CannotChillOther)?;
2733				let min_active_bond = if Nominators::<T>::contains_key(&stash) {
2734					let max_nominator_count =
2735						MaxNominatorsCount::<T>::get().ok_or(Error::<T>::CannotChillOther)?;
2736					let current_nominator_count = Nominators::<T>::count();
2737					ensure!(
2738						threshold * max_nominator_count < current_nominator_count,
2739						Error::<T>::CannotChillOther
2740					);
2741					Self::min_nominator_bond()
2742				} else if Validators::<T>::contains_key(&stash) {
2743					let max_validator_count =
2744						MaxValidatorsCount::<T>::get().ok_or(Error::<T>::CannotChillOther)?;
2745					let current_validator_count = Validators::<T>::count();
2746					ensure!(
2747						threshold * max_validator_count < current_validator_count,
2748						Error::<T>::CannotChillOther
2749					);
2750					Self::min_validator_bond()
2751				} else {
2752					Zero::zero()
2753				};
2754
2755				ensure!(ledger.active < min_active_bond, Error::<T>::CannotChillOther);
2756			}
2757
2758			Self::chill_stash(&stash);
2759			Ok(())
2760		}
2761
2762		/// Clamps a validator's commission to the `[MinCommission, MaxCommission]` range.
2763		///
2764		/// Named `force_apply_min_commission` for legacy reasons — it also enforces the
2765		/// maximum. Any account can call this.
2766		#[pallet::call_index(24)]
2767		#[pallet::weight(T::WeightInfo::force_apply_min_commission())]
2768		pub fn force_apply_min_commission(
2769			origin: OriginFor<T>,
2770			validator_stash: T::AccountId,
2771		) -> DispatchResult {
2772			ensure_signed(origin)?;
2773			let min_commission = MinCommission::<T>::get();
2774			let max_commission = MaxCommission::<T>::get();
2775			Validators::<T>::try_mutate_exists(validator_stash, |maybe_prefs| {
2776				maybe_prefs
2777					.as_mut()
2778					.map(|prefs| {
2779						if prefs.commission < min_commission {
2780							prefs.commission = min_commission;
2781						}
2782						if prefs.commission > max_commission {
2783							prefs.commission = max_commission;
2784						}
2785					})
2786					.ok_or(Error::<T>::NotStash)
2787			})?;
2788			Ok(())
2789		}
2790
2791		/// Sets the minimum amount of commission that each validators must maintain.
2792		///
2793		/// This call has lower privilege requirements than `set_staking_config` and can be called
2794		/// by the `T::AdminOrigin`. Root can always call this.
2795		#[pallet::call_index(25)]
2796		#[pallet::weight(T::WeightInfo::set_min_commission())]
2797		pub fn set_min_commission(origin: OriginFor<T>, new: Perbill) -> DispatchResult {
2798			T::AdminOrigin::ensure_origin(origin)?;
2799			ensure!(new <= MaxCommission::<T>::get(), Error::<T>::CommissionTooHigh);
2800			MinCommission::<T>::put(new);
2801			Ok(())
2802		}
2803
2804		/// Pay out a page of the stakers behind a validator for the given era and page.
2805		///
2806		/// - `validator_stash` is the stash account of the validator.
2807		/// - `era` may be any era between `[current_era - history_depth; current_era]`.
2808		/// - `page` is the page index of nominators to pay out with value between 0 and
2809		///   `num_nominators / T::MaxExposurePageSize`.
2810		///
2811		/// The origin of this call must be _Signed_. Any account can call this function, even if
2812		/// it is not one of the stakers.
2813		///
2814		/// If a validator has more than [`Config::MaxExposurePageSize`] nominators backing
2815		/// them, then the list of nominators is paged, with each page being capped at
2816		/// [`Config::MaxExposurePageSize`]. If a validator has more than one page of nominators,
2817		/// the call needs to be made for each page separately in order for all the nominators
2818		/// backing a validator to receive the reward. The nominators are not sorted across pages
2819		/// and so it should not be assumed the highest staker would be on the topmost page and vice
2820		/// versa. If rewards are not claimed in [`Config::HistoryDepth`] eras, they are lost.
2821		///
2822		/// The validator's own reward (commission + own-stake share) is prorated across pages
2823		/// proportional to each page's stake. The full validator reward is the sum across all
2824		/// pages.
2825		#[pallet::call_index(26)]
2826		#[pallet::weight(T::WeightInfo::payout_stakers_alive_staked(T::MaxExposurePageSize::get()))]
2827		pub fn payout_stakers_by_page(
2828			origin: OriginFor<T>,
2829			validator_stash: T::AccountId,
2830			era: EraIndex,
2831			page: Page,
2832		) -> DispatchResultWithPostInfo {
2833			ensure_signed(origin)?;
2834			Self::do_payout_stakers_by_page(validator_stash, era, page)
2835		}
2836
2837		/// Migrates an account's `RewardDestination::Controller` to
2838		/// `RewardDestination::Account(controller)`.
2839		///
2840		/// Effects will be felt instantly (as soon as this function is completed successfully).
2841		///
2842		/// This will waive the transaction fee if the `payee` is successfully migrated.
2843		#[pallet::call_index(27)]
2844		#[pallet::weight(T::WeightInfo::update_payee())]
2845		pub fn update_payee(
2846			origin: OriginFor<T>,
2847			controller: T::AccountId,
2848		) -> DispatchResultWithPostInfo {
2849			let _ = ensure_signed(origin)?;
2850			let ledger = Self::ledger(StakingAccount::Controller(controller.clone()))?;
2851
2852			ensure!(
2853				(Payee::<T>::get(&ledger.stash) == {
2854					#[allow(deprecated)]
2855					Some(RewardDestination::Controller)
2856				}),
2857				Error::<T>::NotController
2858			);
2859
2860			let _ = ledger
2861				.set_payee(RewardDestination::Account(controller))
2862				.defensive_proof("ledger should have been previously retrieved from storage.")?;
2863
2864			Ok(Pays::No.into())
2865		}
2866
2867		/// Updates a batch of controller accounts to their corresponding stash account if they are
2868		/// not the same. Ignores any controller accounts that do not exist, and does not operate if
2869		/// the stash and controller are already the same.
2870		///
2871		/// Effects will be felt instantly (as soon as this function is completed successfully).
2872		///
2873		/// The dispatch origin must be `T::AdminOrigin`.
2874		#[pallet::call_index(28)]
2875		#[pallet::weight(T::WeightInfo::deprecate_controller_batch(controllers.len() as u32))]
2876		pub fn deprecate_controller_batch(
2877			origin: OriginFor<T>,
2878			controllers: BoundedVec<T::AccountId, T::MaxControllersInDeprecationBatch>,
2879		) -> DispatchResultWithPostInfo {
2880			T::AdminOrigin::ensure_origin(origin)?;
2881
2882			// Ignore controllers that do not exist or are already the same as stash.
2883			let filtered_batch_with_ledger: Vec<_> = controllers
2884				.iter()
2885				.filter_map(|controller| {
2886					let ledger = Self::ledger(StakingAccount::Controller(controller.clone()));
2887					ledger.ok().map_or(None, |ledger| {
2888						// If the controller `RewardDestination` is still the deprecated
2889						// `Controller` variant, skip deprecating this account.
2890						let payee_deprecated = Payee::<T>::get(&ledger.stash) == {
2891							#[allow(deprecated)]
2892							Some(RewardDestination::Controller)
2893						};
2894
2895						if ledger.stash != *controller && !payee_deprecated {
2896							Some(ledger)
2897						} else {
2898							None
2899						}
2900					})
2901				})
2902				.collect();
2903
2904			// Update unique pairs.
2905			let mut failures = 0;
2906			for ledger in filtered_batch_with_ledger {
2907				let _ = ledger.clone().set_controller_to_stash().map_err(|_| failures += 1);
2908			}
2909			Self::deposit_event(Event::<T>::ControllerBatchDeprecated { failures });
2910
2911			Ok(Some(T::WeightInfo::deprecate_controller_batch(controllers.len() as u32)).into())
2912		}
2913
2914		/// Restores the state of a ledger which is in an inconsistent state.
2915		///
2916		/// The requirements to restore a ledger are the following:
2917		/// * The stash is bonded; or
2918		/// * The stash is not bonded but it has a staking lock left behind; or
2919		/// * If the stash has an associated ledger and its state is inconsistent; or
2920		/// * If the ledger is not corrupted *but* its staking lock is out of sync.
2921		///
2922		/// The `maybe_*` input parameters will overwrite the corresponding data and metadata of the
2923		/// ledger associated with the stash. If the input parameters are not set, the ledger will
2924		/// be reset values from on-chain state.
2925		#[pallet::call_index(29)]
2926		#[pallet::weight(T::WeightInfo::restore_ledger())]
2927		pub fn restore_ledger(
2928			origin: OriginFor<T>,
2929			stash: T::AccountId,
2930			maybe_controller: Option<T::AccountId>,
2931			maybe_total: Option<BalanceOf<T>>,
2932			maybe_unlocking: Option<BoundedVec<UnlockChunk<BalanceOf<T>>, T::MaxUnlockingChunks>>,
2933		) -> DispatchResult {
2934			T::AdminOrigin::ensure_origin(origin)?;
2935
2936			// cannot restore ledger for virtual stakers.
2937			ensure!(!Self::is_virtual_staker(&stash), Error::<T>::VirtualStakerNotAllowed);
2938
2939			let current_lock = asset::staked::<T>(&stash);
2940			let stash_balance = asset::stakeable_balance::<T>(&stash);
2941
2942			let (new_controller, new_total) = match Self::inspect_bond_state(&stash) {
2943				Ok(LedgerIntegrityState::Corrupted) => {
2944					let new_controller = maybe_controller.unwrap_or(stash.clone());
2945
2946					let new_total = if let Some(total) = maybe_total {
2947						let new_total = total.min(stash_balance);
2948						// enforce hold == ledger.amount.
2949						asset::update_stake::<T>(&stash, new_total)?;
2950						new_total
2951					} else {
2952						current_lock
2953					};
2954
2955					Ok((new_controller, new_total))
2956				},
2957				Ok(LedgerIntegrityState::CorruptedKilled) => {
2958					if current_lock == Zero::zero() {
2959						// this case needs to restore both lock and ledger, so the new total needs
2960						// to be given by the called since there's no way to restore the total
2961						// on-chain.
2962						ensure!(maybe_total.is_some(), Error::<T>::CannotRestoreLedger);
2963						Ok((
2964							stash.clone(),
2965							maybe_total.expect("total exists as per the check above; qed."),
2966						))
2967					} else {
2968						Ok((stash.clone(), current_lock))
2969					}
2970				},
2971				Ok(LedgerIntegrityState::LockCorrupted) => {
2972					// ledger is not corrupted but its locks are out of sync. In this case, we need
2973					// to enforce a new ledger.total and staking lock for this stash.
2974					let new_total =
2975						maybe_total.ok_or(Error::<T>::CannotRestoreLedger)?.min(stash_balance);
2976					asset::update_stake::<T>(&stash, new_total)?;
2977
2978					Ok((stash.clone(), new_total))
2979				},
2980				Err(Error::<T>::BadState) => {
2981					// the stash and ledger do not exist but lock is lingering.
2982					asset::kill_stake::<T>(&stash)?;
2983					ensure!(
2984						Self::inspect_bond_state(&stash) == Err(Error::<T>::NotStash),
2985						Error::<T>::BadState
2986					);
2987
2988					return Ok(());
2989				},
2990				Ok(LedgerIntegrityState::Ok) | Err(_) => Err(Error::<T>::CannotRestoreLedger),
2991			}?;
2992
2993			// re-bond stash and controller tuple.
2994			Bonded::<T>::insert(&stash, &new_controller);
2995
2996			// resoter ledger state.
2997			let mut ledger = StakingLedger::<T>::new(stash.clone(), new_total);
2998			ledger.controller = Some(new_controller);
2999			ledger.unlocking = maybe_unlocking.unwrap_or_default();
3000			ledger.update()?;
3001
3002			ensure!(
3003				Self::inspect_bond_state(&stash) == Ok(LedgerIntegrityState::Ok),
3004				Error::<T>::BadState
3005			);
3006			Ok(())
3007		}
3008
3009		/// Migrates permissionlessly a stash from locks to holds.
3010		///
3011		/// This removes the old lock on the stake and creates a hold on it atomically. If all
3012		/// stake cannot be held, the best effort is made to hold as much as possible. The remaining
3013		/// stake is removed from the ledger.
3014		///
3015		/// The fee is waived if the migration is successful.
3016		#[pallet::call_index(30)]
3017		#[pallet::weight(T::WeightInfo::migrate_currency())]
3018		pub fn migrate_currency(
3019			origin: OriginFor<T>,
3020			stash: T::AccountId,
3021		) -> DispatchResultWithPostInfo {
3022			let _ = ensure_signed(origin)?;
3023			Self::do_migrate_currency(&stash)?;
3024
3025			// Refund the transaction fee if successful.
3026			Ok(Pays::No.into())
3027		}
3028
3029		/// Manually and permissionlessly applies a deferred slash for a given era.
3030		///
3031		/// Normally, slashes are automatically applied shortly after the start of the `slash_era`.
3032		/// The automatic application of slashes is handled by the pallet's internal logic, and it
3033		/// tries to apply one slash page per block of the era.
3034		/// If for some reason, one era is not enough for applying all slash pages, the remaining
3035		/// slashes need to be manually (permissionlessly) applied.
3036		///
3037		/// For a given era x, if at era x+1, slashes are still unapplied, all withdrawals get
3038		/// blocked, and these need to be manually applied by calling this function.
3039		/// This function exists as a **fallback mechanism** for this extreme situation, but we
3040		/// never expect to encounter this in normal scenarios.
3041		///
3042		/// The parameters for this call can be queried by looking at the `UnappliedSlashes` storage
3043		/// for eras older than the active era.
3044		///
3045		/// ## Parameters
3046		/// - `slash_era`: The application era (`offence_era + SlashDeferDuration`), i.e. the key
3047		///   into [`UnappliedSlashes`].
3048		/// - `slash_key`: A unique identifier for the slash, represented as a tuple:
3049		///   - `stash`: The stash account of the validator being slashed.
3050		///   - `slash_fraction`: The fraction of the stake that was slashed.
3051		///   - `page_index`: The index of the exposure page being processed.
3052		///
3053		/// ## Behavior
3054		/// - The function is **permissionless**—anyone can call it.
3055		/// - The `slash_era` **must be the current era or a past era**.
3056		/// If it is in the future, the
3057		///   call fails with `EraNotStarted`.
3058		/// - The fee is waived if the slash is successfully applied.
3059		///
3060		/// ## Future Improvement
3061		/// - Implement an **off-chain worker (OCW) task** to automatically apply slashes when there
3062		///   is unused block space, improving efficiency.
3063		#[pallet::call_index(31)]
3064		#[pallet::weight(T::WeightInfo::apply_slash(T::MaxExposurePageSize::get()))]
3065		pub fn apply_slash(
3066			origin: OriginFor<T>,
3067			slash_era: EraIndex,
3068			slash_key: (T::AccountId, Perbill, u32),
3069		) -> DispatchResultWithPostInfo {
3070			let _ = ensure_signed(origin)?;
3071			let active_era = ActiveEra::<T>::get().map(|a| a.index).unwrap_or_default();
3072			ensure!(slash_era <= active_era, Error::<T>::EraNotStarted);
3073
3074			// Check if this slash has been cancelled
3075			ensure!(
3076				!Self::check_slash_cancelled(slash_era, &slash_key.0, slash_key.1),
3077				Error::<T>::CancelledSlash
3078			);
3079
3080			let unapplied_slash = UnappliedSlashes::<T>::take(&slash_era, &slash_key)
3081				.ok_or(Error::<T>::InvalidSlashRecord)?;
3082			slashing::apply_slash::<T>(unapplied_slash, Self::offence_era_of(slash_era));
3083
3084			Ok(Pays::No.into())
3085		}
3086
3087		/// Perform one step of era pruning to prevent PoV size exhaustion from unbounded deletions.
3088		///
3089		/// This extrinsic enables permissionless lazy pruning of era data by performing
3090		/// incremental deletion of storage items. Each call processes a limited number
3091		/// of items based on available block weight to avoid exceeding block limits.
3092		///
3093		/// Returns `Pays::No` when work is performed to incentivize regular maintenance.
3094		/// Anyone can call this to help maintain the chain's storage health.
3095		///
3096		/// The era must be eligible for pruning (older than HistoryDepth + 1).
3097		/// Check `EraPruningState` storage to see if an era needs pruning before calling.
3098		#[pallet::call_index(32)]
3099		// NOTE: as pre-dispatch weight, use the maximum of all possible pruning step weights
3100		#[pallet::weight({
3101			let v = T::MaxValidatorSet::get();
3102			T::WeightInfo::prune_era_stakers_paged(v)
3103				.max(T::WeightInfo::prune_era_stakers_overview(v))
3104				.max(T::WeightInfo::prune_era_validator_prefs(v))
3105				.max(T::WeightInfo::prune_era_claimed_rewards(v))
3106				.max(T::WeightInfo::prune_era_validator_reward())
3107				.max(T::WeightInfo::prune_era_reward_points())
3108				.max(T::WeightInfo::prune_era_single_entry_cleanups())
3109				.max(T::WeightInfo::prune_era_validator_slash_in_era(v))
3110				.max(T::WeightInfo::prune_era_validator_incentive_weight(v))
3111		})]
3112		pub fn prune_era_step(origin: OriginFor<T>, era: EraIndex) -> DispatchResultWithPostInfo {
3113			let _ = ensure_signed(origin)?;
3114
3115			// Verify era is eligible for pruning: era <= active_era - history_depth - 1
3116			let active_era = crate::session_rotation::Rotator::<T>::active_era();
3117			let history_depth = T::HistoryDepth::get();
3118			let earliest_prunable_era = active_era.saturating_sub(history_depth).saturating_sub(1);
3119			ensure!(era <= earliest_prunable_era, Error::<T>::EraNotPrunable);
3120
3121			let actual_weight = Self::do_prune_era_step(era)?;
3122
3123			Ok(frame_support::dispatch::PostDispatchInfo {
3124				actual_weight: Some(actual_weight),
3125				pays_fee: frame_support::dispatch::Pays::No,
3126			})
3127		}
3128
3129		/// Sets the maximum commission that validators can set.
3130		///
3131		/// The dispatch origin must be `T::AdminOrigin`.
3132		#[pallet::call_index(33)]
3133		#[pallet::weight(T::WeightInfo::set_max_commission())]
3134		pub fn set_max_commission(origin: OriginFor<T>, new: Perbill) -> DispatchResult {
3135			T::AdminOrigin::ensure_origin(origin)?;
3136			ensure!(new >= MinCommission::<T>::get(), Error::<T>::CommissionTooLow);
3137			MaxCommission::<T>::put(new);
3138			Ok(())
3139		}
3140
3141		/// Configure the validator self-stake incentive parameters.
3142		///
3143		/// The dispatch origin must be `T::AdminOrigin`.
3144		///
3145		/// Changes take effect in the next era when rewards are calculated.
3146		#[pallet::call_index(34)]
3147		#[pallet::weight(T::WeightInfo::set_validator_self_stake_incentive_config())]
3148		pub fn set_validator_self_stake_incentive_config(
3149			origin: OriginFor<T>,
3150			optimum_self_stake: ConfigOp<BalanceOf<T>>,
3151			hard_cap_self_stake: ConfigOp<BalanceOf<T>>,
3152			self_stake_slope_factor: ConfigOp<Perbill>,
3153		) -> DispatchResult {
3154			T::AdminOrigin::ensure_origin(origin)?;
3155
3156			let new_optimum = match optimum_self_stake {
3157				ConfigOp::Noop => OptimumSelfStake::<T>::get(),
3158				ConfigOp::Set(v) => v,
3159				ConfigOp::Remove => BalanceOf::<T>::zero(),
3160			};
3161
3162			let new_cap = match hard_cap_self_stake {
3163				ConfigOp::Noop => HardCapSelfStake::<T>::get(),
3164				ConfigOp::Set(v) => v,
3165				ConfigOp::Remove => BalanceOf::<T>::zero(),
3166			};
3167
3168			ensure!(new_optimum <= new_cap, Error::<T>::OptimumGreaterThanCap);
3169
3170			let has_changes = !matches!(
3171				(&optimum_self_stake, &hard_cap_self_stake, &self_stake_slope_factor),
3172				(ConfigOp::Noop, ConfigOp::Noop, ConfigOp::Noop)
3173			);
3174
3175			macro_rules! config_op_exp {
3176				($storage:ty, $op:ident) => {
3177					match $op {
3178						ConfigOp::Noop => (),
3179						ConfigOp::Set(v) => <$storage>::put(v),
3180						ConfigOp::Remove => <$storage>::kill(),
3181					}
3182				};
3183			}
3184
3185			config_op_exp!(OptimumSelfStake<T>, optimum_self_stake);
3186			config_op_exp!(HardCapSelfStake<T>, hard_cap_self_stake);
3187			config_op_exp!(SelfStakeSlopeFactor<T>, self_stake_slope_factor);
3188
3189			if has_changes {
3190				Self::deposit_event(Event::<T>::ValidatorIncentiveConfigSet {
3191					optimum_self_stake: OptimumSelfStake::<T>::get(),
3192					hard_cap_self_stake: HardCapSelfStake::<T>::get(),
3193					slope_factor: SelfStakeSlopeFactor::<T>::get(),
3194				});
3195			}
3196
3197			Ok(())
3198		}
3199
3200		/// Chill an inactive validator.
3201		///
3202		/// This extrinsic can be called by anyone, given that the valid inactivity proof is
3203		/// provided. Inactivity proof is a vector of eras where the given validator was inactive.
3204		///
3205		/// Requirements for the inactivity proof:
3206		/// - The length must be equal to [`ChillInactiveThreshold`].
3207		/// - It must be sorted in ascending order.
3208		/// - It must not contain duplicate entries.
3209		/// - For every era the `stash` account must be exposed.
3210		/// - Every item must pass the check provided by [`Config::IsValidatorInactive`].
3211		/// - Every era must be less than the active era.
3212		///
3213		/// On a successfull execution, caller doesn't pay fees.
3214		#[pallet::call_index(35)]
3215		#[pallet::weight(T::WeightInfo::chill_inactive(proof.len() as _))]
3216		pub fn chill_inactive(
3217			origin: OriginFor<T>,
3218			stash: T::AccountId,
3219			proof: BoundedVec<EraIndex, T::HistoryDepth>,
3220		) -> DispatchResultWithPostInfo {
3221			ensure_signed(origin)?;
3222
3223			let threshold = ChillInactiveThreshold::<T>::get();
3224			ensure!(
3225				proof.len() as EraIndex == threshold,
3226				Error::<T>::InvalidInactivityProof(InvalidInactivityProofError::InvalidLen)
3227			);
3228			ensure!(
3229				proof.is_sorted_by(|a, b| a < b),
3230				Error::<T>::InvalidInactivityProof(InvalidInactivityProofError::NotSorted)
3231			);
3232
3233			// All proof eras must fall in the retained window `[active_era - HistoryDepth,
3234			// active_era)`.
3235			let active_era = Rotator::<T>::active_era();
3236			let oldest_allowed_era = active_era.saturating_sub(T::HistoryDepth::get());
3237			let oldest_proof_era = proof.first().copied().unwrap_or(EraIndex::MAX);
3238			let most_recent_proof_era = proof.last().copied().unwrap_or(EraIndex::MAX);
3239			ensure!(
3240				oldest_proof_era >= oldest_allowed_era && most_recent_proof_era < active_era,
3241				Error::<T>::InvalidInactivityProof(InvalidInactivityProofError::InvalidEra)
3242			);
3243
3244			for era in proof {
3245				ensure!(
3246					Eras::<T>::was_validator_exposed(era, &stash),
3247					Error::<T>::InvalidInactivityProof(
3248						InvalidInactivityProofError::ValidatorNotExposed
3249					)
3250				);
3251
3252				let points = Eras::<T>::get_reward_points_for_validator(era, &stash);
3253
3254				ensure!(
3255					T::IsValidatorInactive::is_inactive(era, &stash, points),
3256					Error::<T>::InvalidInactivityProof(
3257						InvalidInactivityProofError::ValidatorActive
3258					)
3259				);
3260			}
3261
3262			if Self::do_remove_validator(&stash) {
3263				Self::deposit_event(Event::<T>::Chilled { stash });
3264
3265				Ok(Pays::No.into())
3266			} else {
3267				Err(Error::<T>::BadTarget.into())
3268			}
3269		}
3270	}
3271
3272	#[pallet::view_functions]
3273	impl<T: Config> Pallet<T> {
3274		/// Resolve the account ID for a given reward pot.
3275		pub fn pot_account(pot: crate::RewardPot) -> T::AccountId {
3276			<T::RewardPots as crate::PotAccountProvider<T::AccountId>>::pot_account(pot)
3277		}
3278
3279		/// Current balance held in a given reward pot.
3280		pub fn pot_balance(pot: crate::RewardPot) -> BalanceOf<T> {
3281			let account =
3282				<T::RewardPots as crate::PotAccountProvider<T::AccountId>>::pot_account(pot);
3283			<T::Currency as frame_support::traits::fungible::Inspect<T::AccountId>>::balance(
3284				&account,
3285			)
3286		}
3287
3288		/// Per-era reward allocation (staker rewards + validator incentive budget).
3289		///
3290		/// Both fields are zero for eras created in legacy minting mode.
3291		pub fn era_reward_allocation(
3292			era: EraIndex,
3293		) -> crate::reward::EraRewardAllocation<BalanceOf<T>> {
3294			crate::reward::EraRewardAllocation {
3295				staker_rewards: ErasValidatorReward::<T>::get(era).unwrap_or_else(Zero::zero),
3296				validator_incentive: ErasValidatorIncentiveBudget::<T>::get(era),
3297			}
3298		}
3299	}
3300}