Minimum worker periods, worker history, and network effects

[tuxxy]

With the separation of Workers and Stakers (#949), an awesome feature is suddenly created. The ability for a staker to specifiy a worker is great domain separation and provides some awesome control mechanisms.

However, this also opens up some "undefined behaviors" that are rather disturbing to me. @vzotova tells me this can be resolved via a "worker history", but it also adds some downsides mostly related to contract storage.

Even if the attack surface is very minimal, this seems like the perfect vector to execute a network attack -- during a period of unpredictability. This raises the question, "What kinds of attacks can be performed during this unpredictable period?" I do not know the answer to this question (this is what disturbs me).

Even if this period is small, it's leaves a giant gap of unpredictability that deeply concerns me with the things we are not thinking about.

Ideally, I'd like to see this resolved. Whether or not the worker history is the best solution, I don't know yet, but this gap of unpredictability is exceptionally concerning to me.

[michwill]

The worst I can imagine is that an attacker who's got the worker key (if) can slash the worker who's still there.

If there is something else you are thinking of: can you elaborate, what sort of unpredictability discomforts you so greatly?