Slashing is the most controversial of all the mechanisms for Proof of Stake (PoS), protocols. Slashing allows you to financially penalize a specific node for not following the protocol-consistent guidelines in a targeted way. It removes some or all the validator stake, but does not impose externalities on other nodes that behave in accordance to the protocol. Because PoS protocols are able to enforce penalties, slashing is unique because it requires the blockchain. This type of enforcement is not possible in a Proof-of-Work system (PoW), which is similar to burning mining hardware used by bad nodes. This new design space opens up for blockchain mechanism design and merits careful consideration. Many protocols avoid slashing and instead rely upon token toxicity (i.e. if the protocol is attacked successfully, the token loses its value). Many believe that stakers will see this toxicity as a threat to the security of the protocol. Our evaluation shows that token toxicity is not sufficient for preventing adversarial attacks in certain scenarios. In this instance, the cost for an adversary to attack and break the protocol (called a bribe cost), is almost zero. This greatly increases the risk of adversarial attacks. In the presence of bribery, slashing guarantees high and measurable bribery costs for decentralized protocols as well as for protocols that do not satisfy token toxicity assumptions (centralized or decentralized).Circumstances that could lead to bribery and lack of token toxicity are ubiquitous. Many PoS protocols avoid falling in either of these two categories. They have a tight-knit community that can only be achieved when they are small. (1) By relying upon strong leadership to guide them in the right direction and delegating validation a small number of legally regulated node operators. (2) Or by relying centralized staking tokens within a small group. These solutions are not ideal for building large, decentralized validator communities. If the PoS protocol is only characterized by a few validators (or in extreme cases only one validator), then it would make sense to have a way of penalizing these large validators for engaging with adversarial behavior.
It is shown that PoS protocols that lack a slashing mechanism can be vulnerable to bribery attacks.
Demonstrate that the PoS protocol with slashing mechanism offers quantifiable security from bribery attacks
We will also discuss the negative effects of slashing, and suggest mitigations.
ModelBefore we can introduce the forfeiture case, we need a model that will allow us to conduct our analysis. The two most popular models for PoS protocols analysis (Byzantine models or game-theoretic equilibrium model) fail to capture the most serious real-world attacks. Slashing acts as an effective deterrent. We will discuss the shortcomings of these models and present a third model, which we call the “bribery analysis model”. Although the bribing analysis model is capable of simulating a large number of attacks, it has not been used to analyze many protocols.Existing modelIn this section, we briefly describe Byzantine and game-theoretic equilibrium models and their shortcomings.Byzantine modelThe Byzantine model dictates that, at most, a certain percentage () of nodes can deviate from the action prescribed by the protocol and perform any action they choose, while the rest of the nodes still abide by the protocol. It is not easy to prove that a PoS protocol is resistant against Byzantine actions that adversarial Nodes can take. For example, the longest-chain PoS consensus protocol, where safety is more important than liveness. The security of the longest-chain consensus was first studied to demonstrate security against a specific attack. This attack was a private double-spend attack in which all Byzantine Nodes conspire to create an alternate chain and then make it public. The nothing-at-stake phenomenon allows you to propose multiple blocks with the same stake and use independent randomness to increase your chances of building longer private chains. It was only much later that extensive research was done to prove that certain structures of the longest-chain PoS protocol are immune to all attacks for certain values. A whole class of Byzantine Fault Tolerant consensus protocols (BFT), that prioritize safety over life, was also not done. They must also assume a Byzantine Model to prove that these protocols are deterministically safe against any attack for an upper bound on. The behavioral perspective shows that the part of these nodes are fully adversarial, while the (1-1) part of the nodes conforms to protocol specification. A large number of PoS protocol nodes may be motivated by economic gain, and may run a modified version that serves its own interests, rather than adhering to the full protocol specifications. Consider the Ethereum PoS protocol as an example. Most nodes today do not run the default PoS protocol, but instead run the modified MEV-Boost protocol. Participating in the MEV auction marketplace will generate additional rewards. The reason this is the case is that most nodes do not run the default PoS protocol. Instead, they use the modified MEV-Boost protocol. Game-theoretic equilibrium modelsGame-theoretic equilibrium models attempt the Byzantine model’s flaws by using solution concepts like the Nash equilibrium to examine whether rational nodes have an economic incentive follow a strategy when all the other nodes follow the same strategy. The model, which assumes everyone is rational, asks two questions: If all nodes follow the protocol mandated policy, is it in my economic best interest to enforce that policy?
Is it incentivizing me to follow the protocol if every other node enforces the same policy of deviating?
The protocol should be designed in a way that both questions are answered “yes”. However, the game-theoretic equilibrium model does not account for situations where exogenous agents could affect the behavior of nodes. External agents, for example, can offer bribes in order to encourage rational nodes to follow their policies. It assumes that each node is able to decide which strategy it will adopt based on its ideology and economic incentives. However, it doesn’t address situations where a group nodes conspires to form a cartel. Or where economies of scale encourage the creation a central entity that controls all staking nodes. The model starts with two questions: (1) What cost is required by an adversary to successfully execute a security or liveness breach on the protocol? (2) What is the maximum profit an antagonist can make from successfully executing protocol security or lifeness attacks? And the opponent might be: Nodes that unilaterally violate the agreement’s policy.
A group of nodes actively cooperating to break the protocol
External adversaries attempt to influence the decisions at many nodes by external actions, such as bribery.
When calculating the cost involved, you must take into account all costs associated with bribery and any financial penalties for enforcing Byzantine strategies. Calculating profit also includes in-protocol rewards for successful attacks on the protocol and any value captured by DApps sitting on top.
PoS protocols, holding on secondary markets protocol-related derivatives, profit from incoming volatilities, and so forth.
The lower bound on the cost for an adversary to launch a attack (bribe cost), and the upper bound on how much the adversary can extract (bribe profits) show that the attacking protocol is economically profitable. (note: This model was used to analyze Augur & Kleros). We get a simple equation: Bribe Profit – Bribe cost = Total Profit. If the total profit is positive, the adversary is motivated to attack. We will now examine how cutting costs can increase the cost for bribes as well as reduce or eliminate total profits. (Note: A PoS protocol can be used to limit the value of assets. This is a simple example of a cap for bribing profits. Circuit breakers, which limit asset transfers over time, can help to establish more complex bounds. This article does not cover the details of how to reduce and cap bribery profits research. SlashingSlashing allows a PoS protocol or group of PoS protocols to economically punish a node for implementing a strategy that is not consistent with a protocol specification. Each node must have previously pledged a certain amount as collateral to be able to implement any form slashing. We will be examining native token-based PoS systems that rely on token toxicity as an alternative to slashing. This limitation is proposed for two reasons: (1) security breaches are entirely attributable some BFT-based PoS protocol, but liveness violates are not attributable any protocol; and (2) security violations can be more severe than liveness violation, which results in a loss in user funds, not in the inability to post transactions. Consider a PoS protocol that consists of N rational nodes (no Byzantine nor altruistic nodes). For computational simplicity, let us assume that each node deposits the same amount of stake. First, we will examine how token toxicity doesn’t justify high bribery fees. To maintain consistency throughout the document, we assume that the PoS protocol used has a 1/3 adversary threshold. Token toxicity is not sufficient. It is commonly believed that token toxicity protects staking protocol security from any attack. Token toxicity refers to the fact that tokens used for stake in the protocol can lose value if it is attacked successfully. This will prevent participating nodes from attacking it. Imagine 1/3 of stakers joining forces to attack the protocol. These nodes can work together to compromise the protocol’s security. The question is, can it be done with impunity? If the total value of staked tokens depends on its security, then any attack on that protocol could result in its total valuation dropping to zero. In practice, it doesn’t drop to zero directly, but to a lesser value. To show the strongest case of token toxicity, we will assume that token toxicity works perfectly. We will now examine the incentives for collusion or bribery in token toxic PoS systems. Let’s say that an external opponent sets the bribery conditions. If the node follows the opponent’s strategy, but the attack against the protocol fails, the node gets a reward B1.
If the opponent’s strategy is followed and the attack on protocol succeeds, the node will receive a reward B2 from him.
The income matrix for the nodes that deposit the stake S is as follows: Let’s say the adversary sets the payoff for bribery at B1>R and. B2>0. B2>0. If 1/3 of other nodes accept the bribe, they have the ability to attack the protocol’s security (this is because we assume that we are using a BFT protocol with an adversary threshold 1/3). Even if the current node doesn’t accept the bribe the token loses value due to token toxicity (top right cell of the matrix). It is therefore incentive compatible for nodes accept B2 bribes. The token doesn’t lose its value if only a small number of nodes accept the offer. However, nodes get B1 instead of the reward R (left column in matrix). If 1/3 of the nodes accept the bribe, and the attack succeeds, the adversary’s total cost to pay the bribe will be at least. N/3 x B2, the cost of the bribe. The only condition for B2 being greater than zero is that it be higher. This means that B2 can be set to close to zero, meaning that the cost of bribing will be negligible. This attack is known as a “P+e attack”. However, the benefits of taking money are privatized and only those rational nodes who actually accept bribes will reap the benefits. Token toxicity does not have a one-to-one effect on those who take bribes. Another misleading claim in the ecosystem is that all PoS protocols have some protection. The exogenous incentives of token toxicity do not apply to certain classes or protocols, where the valuation of tokens used for pledged face value is not dependent on the protocol’s safe operation. EigenLayer is a restaking protocol that uses the Ethereum protocol to reuse ETH in order to protect the economy of other protocols. To validate the new sidechain, consider retaking 10% of your ETH using EigenLayer. Even if all the EigenLayer stakers are complicit in attacking the security of the sidechain’s sidechain, it is unlikely that ETH’s price will drop. Token toxicity cannot be transferred to re-staking service, which means that bribery risks are not zero. Pitfalls and mitigations of Slashing. Like any technology, slashing has its own risks if it isn’t implemented carefully. The client configuration is incorrect or the key is lost. Unintentional errors, such as misconfigurations or lost keys, can lead to innocent nodes being unfairly punished in slashing. To address concerns about inadvertent errors that could lead to excessive slashing of honest users, the protocol could adopt certain slashing curvatures that penalize less when pledged equity exceeds a threshold ratio. Severe penalties may be imposed if pledged equity executed on the platform exceeds this ratio. This is the approach taken by Ethereum 2.0.
The credible threat that slashing will be used as a lighter alternative. A PoS protocol that does not implement algorithmic cutting can rely on social slashing. In other words, in the event there is a security breach, nodes will point to a hard fork and the funds of the misbehaving nodes will be lost. Although this requires more social coordination than algorithmic slashing does, as long as the threat is credible, the game theory analysis presented above still applies to protocols that do not use algorithmic slashing. Instead, it relies on social cutting of commitments.
Social slashing to punish liveness failures is fragile. Social slashing can be used to punish non-attributable acts, such as censorship and liveness failures. Although it is theoretically possible for social slashing to be imposed for non-attributable failings, it is difficult to verify for newly joined nodes whether the social slashing is being done for the right reasons (censorship), or because the node was wrongly charged. This ambiguity is not present when social slashing is used for attributable failings. Because they can verify their double signatures manually, new nodes can continue to verify the legitimacy of this slashing.
What about the confiscated funds?There are two possible ways to deal with forfeited funds: destruction and insurance.Destruction: The straightforward way to deal with confiscated funds is to simply destroy them. Assuming that tokens’ total value has not been affected by the attack, each token will gain in value and be more valuable than ever before. Instead of compensating only the security breach victims, the burn would benefit all token holders.
Insurance: Insurance bonds issued against forfeitures are a more complicated way to fund forfeiture funding that has yet to be studied. These insurance bonds can be obtained by customers who transact on the blockchain to insure their digital assets and protect themselves against potential security attacks. In the event of a security-compromising attack, algorithmic slashing of stakers generates a fund that can then be distributed to insurers in proportion to the bond.
The status quo of ecology confiscation Cosmos ecosystem implemented slashing in its BFT consensus protocol. This ensures that validators are not allowed to propose blocks or double-sign ambiguous ones. Validators in Ethereum 2.0 could be punished for making ambiguous statements or proposing ambiguous block proposals. The way Ethereum 2.0 achieves financial finality is by slashing bad behavior validators. A validator can be penalized for missing proofs or failing to propose blocks when they should. This is how Ethereum 2.0 achieves economic finality. To analyze complex bribery attacks, we use a new model (bribery analytics model) and then use it for proving that PoS protocols with slashing mechanism have quantifiable anti bribery security. Although there are some flaws to incorporating slashing in PoS protocols, we offer some possible solutions. We hope that PoS protocols will use this analysis to assess the benefits of slashing in certain situations – potentially improving the security of the entire ecosystem.DISCLAIMER: The Information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.Join us to keep track of news: https://linktr.ee/coincuHaroldCoincu NewsTags: BFTByzantine Fault TolerantEigenLayerEthereum 2.0PoSSlashing