BTC

$64042.96

3.04%

ETH

$3060.425

2.07%

BNB

$560.031

3.43%

XRP

$0.511

4.65%

Knowledge

Slashing In PoS: Severe Punishment For Bad Actors’ Fraud

January 31, 2023 - Around 16 mins mins to read
Of the mechanisms designed for Proof of Stake (PoS) protocols, none is as controversial as slashing. Slashing provides a way to financially penalize any specific node for not acting in a protocol-consistent manner in a targeted manner. It does this by taking away some or all of the validator stake without imposing externalities on other nodes behaving in accordance with the protocol.
Slashing In PoS: Severe Punishment For Bad Actors' Fraud

Slashing is unique to PoS protocols because it requires the blockchain to be able to enforce penalties. This kind of enforcement is obviously not feasible in a Proof-of-Work (PoW) system, which is similar to burning the mining hardware used by misbehaving nodes. This ability to apply punitive incentives opens up a new design space in blockchain mechanism design and thus deserves careful consideration.

While it confers clear benefits in the form of “karma,” the main objection to slashing is that node can be excessively slashed due to inadvertent mistakes such as running outdated software. As a result, many protocols avoid slashing and instead rely on so-called token toxicity (i.e., if the protocol is successfully attacked, the underlying token loses value).

Many believe that stakers will view this toxicity as a threat to compromising the security of the protocol. In our evaluation, token toxicity is not sufficient to prevent adversarial attacks in some typical scenarios. In fact, in this case, the cost incurred by the adversary to attack and break the protocol (called the bribe cost) is essentially zero.

In this article, we show how slashing can be incorporated into the mechanical design of PoS protocols, thereby greatly increasing the cost of bribery that any adversary can incur. In the presence of bribery, slashing guarantees high and measurable bribery costs for decentralized protocols as well as for protocols that do not satisfy token toxicity assumptions (centralized or decentralized).

Circumstances that could lead to bribery and lack of token toxicity are ubiquitous. Many PoS protocols avoid falling into either of these two categories by having a tight-knit community, which is only feasible when they are small: (1) by relying on strong leadership to steer them in the right direction, delegating validation to a small set of well-known and legally regulated node operators; (2) or by relying on centralized staking of tokens within a small group. None of these solutions are entirely satisfactory for growing large and decentralized validator communities. If the PoS protocol is characterized by only a few validators (or, in extreme cases, only one validator), then it would be nice to have a way to penalize these large validators for engaging in adversarial behavior.

In the remainder of this article, we:

  • Propose a model to analyze complex bribing attacks;
  • Shows that PoS protocols without a slashing mechanism are vulnerable to bribing attacks;
  • Show that the PoS protocol with slashing mechanism has quantifiable security against bribing attacks;
  • As well as discussing some of the disadvantages of slashing and suggesting mitigations.

Model

Before introducing the forfeiture case, we first need a model under which we will conduct our analysis. The two most popular models currently analyzing PoS protocols (Byzantine models and game-theoretic equilibrium models) fail to capture some of the most damaging real-world attacks for which slashing acts as a powerful deterrent. In this section, we discuss these existing models to understand their shortcomings and propose a third model (which we call the bribery analysis model). Although the bribing analysis model is capable of simulating a large number of attacks, it has not been used to analyze many protocols.

Existing model

In this section, we briefly describe Byzantine and game-theoretic equilibrium models and their shortcomings.

Byzantine model

The Byzantine model dictates that, at most, a certain percentage (????) of nodes can deviate from the action prescribed by the protocol and perform any action they choose, while the rest of the nodes still abide by the protocol. Proving that a particular PoS protocol is resistant to Byzantine actions that adversarial nodes can take is a non-trivial problem.

For example, consider the longest-chain PoS consensus protocol, where liveness takes precedence over safety. Early research on the security of longest-chain consensus focused on demonstrating security against a specific attack (i.e., a private double-spend attack, in which all Byzantine nodes secretly collude to build an alternate chain and then to make it public).

However, the nothing-at-stake phenomenon presents an opportunity to propose many blocks with the same stake, and use independent randomness to increase the likelihood of building longer private chains. Extensive research was not done until much later to show that certain structures of the longest-chain PoS consensus protocol are resistant to all attacks for certain values of ????.

An entire class of Byzantine Fault Tolerant (BFT) consensus protocols that prioritize safety over liveness. They also need to assume a Byzantine model to prove that, for an upper bound of ????, these protocols are deterministically secure against any attack.

As useful as the Byzantine model is, it does not take into account any economic incentives. From a behavioral perspective, the ???? part of these nodes is fully adversarial in nature, while the (1-????) part of the nodes fully conforms to the protocol specification.

In contrast, a large proportion of nodes in a PoS protocol may be motivated by economic gain and run a modified version of the protocol that benefits its own interests rather than simply adhering to the full protocol specification. To give a prominent example, consider the case of the Ethereum PoS protocol. Today, most nodes do not run the default PoS protocol but run the MEV-Boost modified protocol. This is because participating in the MEV auction market will generate additional rewards while running The exact canonical protocol does not have this additional bonus.

Game theoretic equilibrium model

Game-theoretic equilibrium models attempt to address the shortcomings of the Byzantine model by using solution concepts such as the Nash equilibrium to study whether rational nodes have an economic incentive to follow a given strategy when all other nodes also follow the same strategy. More specifically, assuming everyone is rational, the model investigates two questions:

  • If all other nodes follow the protocol-mandated policy, is it in my best economic interest to enforce the same protocol-mandated policy?
  • If every other node is enforcing the same policy of deviating from the protocol, is it most incentivized for me to still follow the policy?

Ideally, the protocol should be designed so that the answer to both questions is “yes.”

An inherent shortcoming of the game-theoretic equilibrium model is that it excludes scenarios where exogenous agents may affect the behavior of nodes. For example, external agents can set bribes to incentivize rational nodes to behave according to their stated policies. Another limitation is that it assumes that each node has an independent agency that can decide for itself which strategy to adopt based on its ideology or economic incentives. But that doesn’t cover scenarios where a group of nodes colludes to form a cartel or where economies of scale encourage the creation of a centralized entity that essentially controls all staking nodes.

Separating bribery costs from bribery profits

Some researchers have proposed a bribery analysis model to analyze the security of any PoS protocol, although no one has used it for a deeper analysis. The model begins by asking two questions: (1) What is the minimum cost required for any adversary to successfully perform a security or liveness attack on the protocol? (2) What is the maximum profit an adversary can gain from successfully executing a protocol security or liveness attack?

And the opponent in question might be:

  • Nodes that unilaterally deviate from the policy stipulated in the agreement;
  • A group of nodes actively cooperating with each other to break the protocol, or
  • External adversaries try to influence the decisions of many nodes through external actions such as bribery.
  • Calculating the costs involved takes into account any costs incurred for bribery, any financial penalties for enforcing a Byzantine strategy, etc. Likewise, calculating profit is all-encompassing, including in-protocol rewards from successful attacks on the protocol, any value captured from DApps sitting on top of
  • PoS protocols, holding protocol-related derivatives on secondary markets, profit from incoming volatility, and so on.

Comparing the lower bound on the minimum cost for any adversary to launch an attack (bribe cost) with the upper bound on the maximum profit the adversary can extract (bribe profit) shows that the attacking protocol is economically profitable (note: the model has been used to analyze Augur and Kleros), which gives us a simple equation:

Bribe Profit – Bribe Cost = Total Profit

If the total profit is positive, then the adversary has the incentive to attack. In the next section, we consider how slashing can increase the cost of bribes and reduce or eliminate total profits. (Note that a simple example of a cap on bribing profits is the total value of assets secured by a PoS protocol. More complex bounds can be established, taking into account circuit breakers that limit asset transfers over time. Details of methods for reducing and capping bribing profits research are beyond the scope of this article.)

Slashing

Slashing is a way for a PoS protocol to economically punish a node or group of nodes for implementing a strategy that is provably different from a given protocol specification. Typically, to implement any form of slashing, each node must have previously committed a certain amount of stake as collateral. Before diving into slashing, we will first look at PoS systems with native tokens that rely on token toxicity as an alternative to slashing.

We mainly focus on the study of slashing mechanisms for security violations, not liveness violations. We propose this limitation for two reasons: (1) security violations are entirely attributable to some BFT-based PoS protocols, but liveness violations are not attributable to any protocol, and (2) security violations are usually more severe than liveness violations, This results in a loss of user funds, not the user’s inability to post transactions.

Is there any problem if there is no penalty?

Consider a PoS protocol consisting of N rational nodes (no Byzantine or altruistic nodes). Let us assume, for computational simplicity, that each node deposits an equal amount of stake. We first explore how token toxicity does not warrant high bribery costs. For consistency throughout the document, we also assume that the PoS protocol used is a BFT protocol with a â…“ adversary threshold.

Token toxicity is not enough

A common view is that token toxicity protects staking protocols from any attack on their security. Token toxicity implies the fact that if the protocol is successfully attacked, the underlying tokens used to stake in the protocol will lose value, thereby inhibiting participating nodes from attacking the protocol. Consider the scenario of 1/3 of stakers teaming up: these nodes can cooperate to break the security of the protocol. But the question is whether it can be done with impunity?

If the total valuation of staked tokens is strictly dependent on the security of the protocol, then any attack on the security of the protocol could reduce its total valuation to zero. Of course, in practice, it doesn’t drop directly to zero but to some smaller value. But in order to show the strongest possible case of token toxicity, we will assume here that token toxicity works perfectly. The bribery cost of any attack on the protocol is the tokens held by rational nodes attacking the system, and they must be willing to lose all of this value.

We now analyze the incentives for collusion and bribery in token-toxic PoS systems without slashing. Assume that the external opponent sets the bribery conditions as follows:

  • If the node follows the strategy indicated by the opponent, but the attack on the protocol is unsuccessful, the node receives a reward B1 from the opponent.
  • If the node follows the strategy indicated by the opponent and the attack on the protocol is successful, the node receives a reward B2 from the opponent.

For the nodes depositing the stake S, we can get the following income matrix, and R is the reward for participating in the PoS protocol:

Slashing In PoS: Severe Punishment For Bad Actors' Fraud

Suppose the adversary sets the payoff of bribery as B1>R and. B2>0. In this case, no matter what strategy other nodes adopt (the dominant strategy), the rewards of accepting a bribe from an opponent are higher than any other strategy the node can adopt. If 1/3 of the other nodes end up accepting the bribe, they can attack the security of the protocol (this is because we assume we are using a BFT protocol with an adversary threshold of â…“). Now, even if the current node does not take the bribe, the token loses its value anyway due to token toxicity (top right cell in the matrix).

Therefore, it is incentive compatible for nodes to accept B2 bribes. If only a small percentage of nodes accept the bribe, the token does not lose value, but the nodes benefit from forgoing the reward R and gaining B1 instead (left column in the matrix). If 1/3 of the nodes agree to accept the bribe and the attack is successful, the total cost for the adversary to pay the bribe is at least. ????/3 × B2, which is the cost of the bribe. However, the only condition for B2 is that it must be greater than zero. Therefore, B2 can be set close to zero, which means that the cost of bribing is negligible. This attack is called a “P+ε” attack.

One way of summarizing this effect is that token toxicity is not enough because the impact of bad behavior is social: token toxicity completely devalues the value of the token, affecting both good and bad nodes equally. On the other hand, the benefits of taking bribes are privatized and limited to those rational nodes that actually take bribes. There are no one-to-one consequences for those who take bribes; that is, there is no working version of “karma” in this system.

Slashing In PoS: Severe Punishment For Bad Actors' Fraud

Does token toxicity always work?

Another misleading claim that is popular in the ecosystem is that every PoS protocol has some degree of protection through token toxicity. But in fact, the exogenous incentives of token toxicity do not extend to certain classes of protocols where the valuation of tokens used as pledged face value does not depend on the safe operation of the protocol.

One such example is a re-staking protocol like EigenLayer, where the ETH used by the Ethereum protocol is reused to secure the economy of other protocols. Consider retaking 10% of your ETH with EigenLayer to perform validation of the new sidechain. Even if all stakers in EigenLayer cooperate in misbehaving by attacking the security of the sidechain, the price of ETH is unlikely to drop. Therefore, token toxicity is not transferable to re-staking services, which means that bribery costs are zero.

Pitfalls and mitigations of slashing

Like any technology, slashing comes with its own risks if not implemented carefully:

  1. The client configuration is wrong / the key is lost. One of the pitfalls of slashing is that innocent nodes may be disproportionately punished for unintentional errors such as misconfigured or lost keys. To address concerns about the excessive slashing of honest nodes due to inadvertent mistakes, the protocol could adopt certain slashing curves that are less penalized when only a small amount of pledged Severe penalties will be imposed when the pledged equity executed on the platform exceeds the threshold ratio. For example, Ethereum 2.0 takes this approach.
  2. The credible threat of slashing as a lightweight alternative. If a PoS protocol does not implement algorithmic slashing, it can instead rely on the threat of social slashing, i.e., in the event of a security failure, nodes will agree to point to a hard fork where misbehaving nodes lose their funds. This does require significant social coordination compared to algorithmic slashing, but as long as the threat of social slashing is credible, the game-theoretic analysis presented above continues to apply to protocols without algorithmic slashing but instead relies on social slashing of commitments.
  3. Social slashing for liveness failures is fragile. Social slashing is necessary to punish non-attributable attacks, such as liveness failures like censorship. While it is theoretically possible to impose social slashing for non-attributable failures, it is difficult for newly joining nodes to verify whether this social slashing is happening for the right reasons (censorship) or because the node was wrongly accused. This ambiguity does not exist when using social slashing for attributable failures, even without a slashed software implementation. Newly joining nodes can continue to verify that this slashing is legitimate because they can check their double signatures, even if only manually.

What about the confiscated funds?

There are two possible ways to deal with forfeited funds: destruction and insurance.

  1. Destruction: The straightforward way to deal with confiscated funds is to simply destroy them. Assuming the total value of tokens has not changed due to the attack, each token will increase in value proportionally and will be more valuable than before. Instead of identifying and compensating only those parties harmed by a security failure, the burn would indiscriminately benefit all non-attacking token holders.
  2. Insurance: A more complex forfeiture funding allocation mechanism that has not been studied involves insurance bonds issued against forfeitures. Customers transacting on the blockchain may obtain these insurance bonds in the blockchain in advance to protect themselves from potential security attacks, insuring their digital assets. In the event of a security-compromising attack, algorithmic slashing of stakers generates a fund that can then be distributed to insurers in proportion to the bond.

The status quo of confiscation in the ecology

As far as we know, Vitalik first explored the benefits of slashing in this 2014 article. The Cosmos ecosystem built the first efficient implementation of slashing into its BFT consensus protocol, which enforces slashing when validators do not participate in proposing blocks or double-sign ambiguous blocks.

Ethereum 2.0 also includes a slashing mechanism in its PoS protocol, and validators in Ethereum 2.0 may be punished for making ambiguous proofs or proposing ambiguous blocks. Slashing misbehaving validators is the way Ethereum 2.0 achieves economic finality. A validator can also be penalized relatively mildly for missing proofs, or if it doesn’t propose blocks when it should.

PoS protocols without a slashing mechanism are extremely vulnerable to bribery attacks. We use a new model (bribery analysis model) to analyze complex bribery attacks and then use it to show that PoS protocols with slashing mechanisms have quantifiable anti-bribery security. While there are flaws in incorporating slashing into PoS protocols, we propose some possible ways to mitigate these flaws. We hope that PoS protocols will use this analysis to assess the benefits of slashing in certain situations – potentially improving the security of the entire ecosystem.

DISCLAIMER: The Information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.

Join us to keep track of news: https://linktr.ee/coincu

Harold

Coincu News

BFT

Byzantine Fault Tolerant

EigenLayer

Ethereum 2.0

PoS

Slashing

Avatar of Harold

Author

Harold

With a passion for untangling the complexities of the financial world, I've spent over four years in financial journalism, covering everything from traditional equities to the cutting edge of venture capital. "The financial markets are a fascinating puzzle," I often say, "and I love helping people make sense of them." That's what drives me to bring clear and insightful financial journalism to the readers of Coincu.
Knowledge

Slashing In PoS: Severe Punishment For Bad Actors’ Fraud

Of the mechanisms designed for Proof of Stake (PoS) protocols, none is as controversial as slashing. Slashing provides a way to financially penalize any specific node for not acting in a protocol-consistent manner in a targeted manner. It does this by taking away some or all of the validator stake without imposing externalities on other nodes behaving in accordance with the protocol.
Slashing In PoS: Severe Punishment For Bad Actors' Fraud

Slashing is unique to PoS protocols because it requires the blockchain to be able to enforce penalties. This kind of enforcement is obviously not feasible in a Proof-of-Work (PoW) system, which is similar to burning the mining hardware used by misbehaving nodes. This ability to apply punitive incentives opens up a new design space in blockchain mechanism design and thus deserves careful consideration.

While it confers clear benefits in the form of “karma,” the main objection to slashing is that node can be excessively slashed due to inadvertent mistakes such as running outdated software. As a result, many protocols avoid slashing and instead rely on so-called token toxicity (i.e., if the protocol is successfully attacked, the underlying token loses value).

Many believe that stakers will view this toxicity as a threat to compromising the security of the protocol. In our evaluation, token toxicity is not sufficient to prevent adversarial attacks in some typical scenarios. In fact, in this case, the cost incurred by the adversary to attack and break the protocol (called the bribe cost) is essentially zero.

In this article, we show how slashing can be incorporated into the mechanical design of PoS protocols, thereby greatly increasing the cost of bribery that any adversary can incur. In the presence of bribery, slashing guarantees high and measurable bribery costs for decentralized protocols as well as for protocols that do not satisfy token toxicity assumptions (centralized or decentralized).

Circumstances that could lead to bribery and lack of token toxicity are ubiquitous. Many PoS protocols avoid falling into either of these two categories by having a tight-knit community, which is only feasible when they are small: (1) by relying on strong leadership to steer them in the right direction, delegating validation to a small set of well-known and legally regulated node operators; (2) or by relying on centralized staking of tokens within a small group. None of these solutions are entirely satisfactory for growing large and decentralized validator communities. If the PoS protocol is characterized by only a few validators (or, in extreme cases, only one validator), then it would be nice to have a way to penalize these large validators for engaging in adversarial behavior.

In the remainder of this article, we:

  • Propose a model to analyze complex bribing attacks;
  • Shows that PoS protocols without a slashing mechanism are vulnerable to bribing attacks;
  • Show that the PoS protocol with slashing mechanism has quantifiable security against bribing attacks;
  • As well as discussing some of the disadvantages of slashing and suggesting mitigations.

Model

Before introducing the forfeiture case, we first need a model under which we will conduct our analysis. The two most popular models currently analyzing PoS protocols (Byzantine models and game-theoretic equilibrium models) fail to capture some of the most damaging real-world attacks for which slashing acts as a powerful deterrent. In this section, we discuss these existing models to understand their shortcomings and propose a third model (which we call the bribery analysis model). Although the bribing analysis model is capable of simulating a large number of attacks, it has not been used to analyze many protocols.

Existing model

In this section, we briefly describe Byzantine and game-theoretic equilibrium models and their shortcomings.

Byzantine model

The Byzantine model dictates that, at most, a certain percentage (????) of nodes can deviate from the action prescribed by the protocol and perform any action they choose, while the rest of the nodes still abide by the protocol. Proving that a particular PoS protocol is resistant to Byzantine actions that adversarial nodes can take is a non-trivial problem.

For example, consider the longest-chain PoS consensus protocol, where liveness takes precedence over safety. Early research on the security of longest-chain consensus focused on demonstrating security against a specific attack (i.e., a private double-spend attack, in which all Byzantine nodes secretly collude to build an alternate chain and then to make it public).

However, the nothing-at-stake phenomenon presents an opportunity to propose many blocks with the same stake, and use independent randomness to increase the likelihood of building longer private chains. Extensive research was not done until much later to show that certain structures of the longest-chain PoS consensus protocol are resistant to all attacks for certain values of ????.

An entire class of Byzantine Fault Tolerant (BFT) consensus protocols that prioritize safety over liveness. They also need to assume a Byzantine model to prove that, for an upper bound of ????, these protocols are deterministically secure against any attack.

As useful as the Byzantine model is, it does not take into account any economic incentives. From a behavioral perspective, the ???? part of these nodes is fully adversarial in nature, while the (1-????) part of the nodes fully conforms to the protocol specification.

In contrast, a large proportion of nodes in a PoS protocol may be motivated by economic gain and run a modified version of the protocol that benefits its own interests rather than simply adhering to the full protocol specification. To give a prominent example, consider the case of the Ethereum PoS protocol. Today, most nodes do not run the default PoS protocol but run the MEV-Boost modified protocol. This is because participating in the MEV auction market will generate additional rewards while running The exact canonical protocol does not have this additional bonus.

Game theoretic equilibrium model

Game-theoretic equilibrium models attempt to address the shortcomings of the Byzantine model by using solution concepts such as the Nash equilibrium to study whether rational nodes have an economic incentive to follow a given strategy when all other nodes also follow the same strategy. More specifically, assuming everyone is rational, the model investigates two questions:

  • If all other nodes follow the protocol-mandated policy, is it in my best economic interest to enforce the same protocol-mandated policy?
  • If every other node is enforcing the same policy of deviating from the protocol, is it most incentivized for me to still follow the policy?

Ideally, the protocol should be designed so that the answer to both questions is “yes.”

An inherent shortcoming of the game-theoretic equilibrium model is that it excludes scenarios where exogenous agents may affect the behavior of nodes. For example, external agents can set bribes to incentivize rational nodes to behave according to their stated policies. Another limitation is that it assumes that each node has an independent agency that can decide for itself which strategy to adopt based on its ideology or economic incentives. But that doesn’t cover scenarios where a group of nodes colludes to form a cartel or where economies of scale encourage the creation of a centralized entity that essentially controls all staking nodes.

Separating bribery costs from bribery profits

Some researchers have proposed a bribery analysis model to analyze the security of any PoS protocol, although no one has used it for a deeper analysis. The model begins by asking two questions: (1) What is the minimum cost required for any adversary to successfully perform a security or liveness attack on the protocol? (2) What is the maximum profit an adversary can gain from successfully executing a protocol security or liveness attack?

And the opponent in question might be:

  • Nodes that unilaterally deviate from the policy stipulated in the agreement;
  • A group of nodes actively cooperating with each other to break the protocol, or
  • External adversaries try to influence the decisions of many nodes through external actions such as bribery.
  • Calculating the costs involved takes into account any costs incurred for bribery, any financial penalties for enforcing a Byzantine strategy, etc. Likewise, calculating profit is all-encompassing, including in-protocol rewards from successful attacks on the protocol, any value captured from DApps sitting on top of
  • PoS protocols, holding protocol-related derivatives on secondary markets, profit from incoming volatility, and so on.

Comparing the lower bound on the minimum cost for any adversary to launch an attack (bribe cost) with the upper bound on the maximum profit the adversary can extract (bribe profit) shows that the attacking protocol is economically profitable (note: the model has been used to analyze Augur and Kleros), which gives us a simple equation:

Bribe Profit – Bribe Cost = Total Profit

If the total profit is positive, then the adversary has the incentive to attack. In the next section, we consider how slashing can increase the cost of bribes and reduce or eliminate total profits. (Note that a simple example of a cap on bribing profits is the total value of assets secured by a PoS protocol. More complex bounds can be established, taking into account circuit breakers that limit asset transfers over time. Details of methods for reducing and capping bribing profits research are beyond the scope of this article.)

Slashing

Slashing is a way for a PoS protocol to economically punish a node or group of nodes for implementing a strategy that is provably different from a given protocol specification. Typically, to implement any form of slashing, each node must have previously committed a certain amount of stake as collateral. Before diving into slashing, we will first look at PoS systems with native tokens that rely on token toxicity as an alternative to slashing.

We mainly focus on the study of slashing mechanisms for security violations, not liveness violations. We propose this limitation for two reasons: (1) security violations are entirely attributable to some BFT-based PoS protocols, but liveness violations are not attributable to any protocol, and (2) security violations are usually more severe than liveness violations, This results in a loss of user funds, not the user’s inability to post transactions.

Is there any problem if there is no penalty?

Consider a PoS protocol consisting of N rational nodes (no Byzantine or altruistic nodes). Let us assume, for computational simplicity, that each node deposits an equal amount of stake. We first explore how token toxicity does not warrant high bribery costs. For consistency throughout the document, we also assume that the PoS protocol used is a BFT protocol with a â…“ adversary threshold.

Token toxicity is not enough

A common view is that token toxicity protects staking protocols from any attack on their security. Token toxicity implies the fact that if the protocol is successfully attacked, the underlying tokens used to stake in the protocol will lose value, thereby inhibiting participating nodes from attacking the protocol. Consider the scenario of 1/3 of stakers teaming up: these nodes can cooperate to break the security of the protocol. But the question is whether it can be done with impunity?

If the total valuation of staked tokens is strictly dependent on the security of the protocol, then any attack on the security of the protocol could reduce its total valuation to zero. Of course, in practice, it doesn’t drop directly to zero but to some smaller value. But in order to show the strongest possible case of token toxicity, we will assume here that token toxicity works perfectly. The bribery cost of any attack on the protocol is the tokens held by rational nodes attacking the system, and they must be willing to lose all of this value.

We now analyze the incentives for collusion and bribery in token-toxic PoS systems without slashing. Assume that the external opponent sets the bribery conditions as follows:

  • If the node follows the strategy indicated by the opponent, but the attack on the protocol is unsuccessful, the node receives a reward B1 from the opponent.
  • If the node follows the strategy indicated by the opponent and the attack on the protocol is successful, the node receives a reward B2 from the opponent.

For the nodes depositing the stake S, we can get the following income matrix, and R is the reward for participating in the PoS protocol:

Slashing In PoS: Severe Punishment For Bad Actors' Fraud

Suppose the adversary sets the payoff of bribery as B1>R and. B2>0. In this case, no matter what strategy other nodes adopt (the dominant strategy), the rewards of accepting a bribe from an opponent are higher than any other strategy the node can adopt. If 1/3 of the other nodes end up accepting the bribe, they can attack the security of the protocol (this is because we assume we are using a BFT protocol with an adversary threshold of â…“). Now, even if the current node does not take the bribe, the token loses its value anyway due to token toxicity (top right cell in the matrix).

Therefore, it is incentive compatible for nodes to accept B2 bribes. If only a small percentage of nodes accept the bribe, the token does not lose value, but the nodes benefit from forgoing the reward R and gaining B1 instead (left column in the matrix). If 1/3 of the nodes agree to accept the bribe and the attack is successful, the total cost for the adversary to pay the bribe is at least. ????/3 × B2, which is the cost of the bribe. However, the only condition for B2 is that it must be greater than zero. Therefore, B2 can be set close to zero, which means that the cost of bribing is negligible. This attack is called a “P+ε” attack.

One way of summarizing this effect is that token toxicity is not enough because the impact of bad behavior is social: token toxicity completely devalues the value of the token, affecting both good and bad nodes equally. On the other hand, the benefits of taking bribes are privatized and limited to those rational nodes that actually take bribes. There are no one-to-one consequences for those who take bribes; that is, there is no working version of “karma” in this system.

Slashing In PoS: Severe Punishment For Bad Actors' Fraud

Does token toxicity always work?

Another misleading claim that is popular in the ecosystem is that every PoS protocol has some degree of protection through token toxicity. But in fact, the exogenous incentives of token toxicity do not extend to certain classes of protocols where the valuation of tokens used as pledged face value does not depend on the safe operation of the protocol.

One such example is a re-staking protocol like EigenLayer, where the ETH used by the Ethereum protocol is reused to secure the economy of other protocols. Consider retaking 10% of your ETH with EigenLayer to perform validation of the new sidechain. Even if all stakers in EigenLayer cooperate in misbehaving by attacking the security of the sidechain, the price of ETH is unlikely to drop. Therefore, token toxicity is not transferable to re-staking services, which means that bribery costs are zero.

Pitfalls and mitigations of slashing

Like any technology, slashing comes with its own risks if not implemented carefully:

  1. The client configuration is wrong / the key is lost. One of the pitfalls of slashing is that innocent nodes may be disproportionately punished for unintentional errors such as misconfigured or lost keys. To address concerns about the excessive slashing of honest nodes due to inadvertent mistakes, the protocol could adopt certain slashing curves that are less penalized when only a small amount of pledged Severe penalties will be imposed when the pledged equity executed on the platform exceeds the threshold ratio. For example, Ethereum 2.0 takes this approach.
  2. The credible threat of slashing as a lightweight alternative. If a PoS protocol does not implement algorithmic slashing, it can instead rely on the threat of social slashing, i.e., in the event of a security failure, nodes will agree to point to a hard fork where misbehaving nodes lose their funds. This does require significant social coordination compared to algorithmic slashing, but as long as the threat of social slashing is credible, the game-theoretic analysis presented above continues to apply to protocols without algorithmic slashing but instead relies on social slashing of commitments.
  3. Social slashing for liveness failures is fragile. Social slashing is necessary to punish non-attributable attacks, such as liveness failures like censorship. While it is theoretically possible to impose social slashing for non-attributable failures, it is difficult for newly joining nodes to verify whether this social slashing is happening for the right reasons (censorship) or because the node was wrongly accused. This ambiguity does not exist when using social slashing for attributable failures, even without a slashed software implementation. Newly joining nodes can continue to verify that this slashing is legitimate because they can check their double signatures, even if only manually.

What about the confiscated funds?

There are two possible ways to deal with forfeited funds: destruction and insurance.

  1. Destruction: The straightforward way to deal with confiscated funds is to simply destroy them. Assuming the total value of tokens has not changed due to the attack, each token will increase in value proportionally and will be more valuable than before. Instead of identifying and compensating only those parties harmed by a security failure, the burn would indiscriminately benefit all non-attacking token holders.
  2. Insurance: A more complex forfeiture funding allocation mechanism that has not been studied involves insurance bonds issued against forfeitures. Customers transacting on the blockchain may obtain these insurance bonds in the blockchain in advance to protect themselves from potential security attacks, insuring their digital assets. In the event of a security-compromising attack, algorithmic slashing of stakers generates a fund that can then be distributed to insurers in proportion to the bond.

The status quo of confiscation in the ecology

As far as we know, Vitalik first explored the benefits of slashing in this 2014 article. The Cosmos ecosystem built the first efficient implementation of slashing into its BFT consensus protocol, which enforces slashing when validators do not participate in proposing blocks or double-sign ambiguous blocks.

Ethereum 2.0 also includes a slashing mechanism in its PoS protocol, and validators in Ethereum 2.0 may be punished for making ambiguous proofs or proposing ambiguous blocks. Slashing misbehaving validators is the way Ethereum 2.0 achieves economic finality. A validator can also be penalized relatively mildly for missing proofs, or if it doesn’t propose blocks when it should.

PoS protocols without a slashing mechanism are extremely vulnerable to bribery attacks. We use a new model (bribery analysis model) to analyze complex bribery attacks and then use it to show that PoS protocols with slashing mechanisms have quantifiable anti-bribery security. While there are flaws in incorporating slashing into PoS protocols, we propose some possible ways to mitigate these flaws. We hope that PoS protocols will use this analysis to assess the benefits of slashing in certain situations – potentially improving the security of the entire ecosystem.

DISCLAIMER: The Information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.

Join us to keep track of news: https://linktr.ee/coincu

Harold

Coincu News

Visited 31 times, 1 visit(s) today