Validators Create New Attack Vectors for Decentralized Systems
Pascal Thellman is CMO at Bounty0x, a simple service for earning crypto, and an advisor at PolyGrowth, a crypto PR firm.
As proof-of-stake (PoS) networks gear up in an effort to compete with proof-of-work (PoW) blockchains, significant attention has been placed on their validator mechanisms and incentive structures for maintaining valid consensus.
In particular, ethereum has been brewing the development milestones for its transition to PoS consensus as part of its ‘Serenity’ upgrade for several years.
Binance recently released the details of its upcoming ‘decentralized’ exchange which will rely upon 11 validator nodes – all controlled by Binance – for confirming transactions on the exchange. The company has since come under fire for even calling their exchange decentralized and has gone on the defensive.
Interchain projects like Cosmos and Polkadot are gaining traction among proponents of interoperability and fast-finality consensus blockchains using Tendermint BFT and DPoS consensus models, respectively. And Cosmos is preparing for the launch of its mainnet Cosmos Hub soon. While PoS cryptocurrency networks offer better energy efficiency and faster finality than PoW, they have yet to be proven at scale and come with myriad concerns, including various attack vectors and misaligned incentives.
Further, though most interchain blockchain projects focus on using validators for their network consensus, others have maintained the emphasis on using PoW via nuanced approaches. Block Collider uses an optimized version of Nakamoto Consensus for an interoperable chain of several blockchains without the need to change its security model to that of PoS or using validating nodes.
PoW is the battle-tested and sustainable consensus algorithm that bitcoin launched an entire industry with, so it is necessary to assess some of the potential quandaries with the rapid onset of PoS cryptocurrency networks.
The myriad forms of validating
Networks that deploy validator mechanisms in their consensus use a variety of names – from “hubs” to “masternodes.” However, they all employ similar design models where validators guarantee the valid state of the network by “validating” or “producing” blocks in frequencies that correlate to their stake of the native token in the network.
Validators replace the role of miners in a PoW blockchain network and are incentivized to act honestly within the system because their stake is locked into the network while they perform their task. They are rewarded in the native token of the network for authentic validating efforts, and their stakes are slashed if they act maliciously.
If you’re looking for a deep dive into the mechanics of PoS validating systems, Vitalik Buterin provides clarification on ethereum’s CBC Casper (PoS) mechanism and an initial design philosophy for PoS. Similarly, Cosmos provides some useful developer documentation for how their interchain validating works.
PoS mechanisms are exceptionally complex because they require advanced game-theoretic approaches and their immutability is subjectively interpreted. The validity of the blockchain ledger derives from validator assurances of its integrity rather than from energy expended via mining. In PoW, the cardinal attack vector is energy itself rather than human interpretation, an ideal social scalability construct for minimizing trust.
Additionally, many interchain frameworks require compatibility of blockchains that are plugging into the network. For instance, Cosmos requires subchains that use fast-finality consensus, precluding the ability of PoW blockchains to connect to the network.
Properly analyzing some of the pitfalls of validator networks requires focusing on two primary areas:
- Attack vectors
- Misaligned incentives
The leading concern of validator networks is their trade-off of scalability for security.
Cost savings via PoS networks and quicker finality that help the network scale come at an equal cost in long-term network integrity, which is one of the fundamental value propositions of blockchains.
The misaligned incentives of validator networks often directly correspond to attack vectors that require complicated engineering to avoid. Two of the long-standing issues with validator consensus are Long-Range Attacks and Sour Milk Attacks.
Long-Range Attacks (LRA)
In an LRA, a malicious party could purchase the private key of a sizeable token balance that was used in validating in the past. The party could then wield this balance to generate an alternative history of the blockchain from the point when the private key held the balance, effectively enabling them to award themselves increasing rewards based on the PoS validation.
The proposed solution to this problem is checkpointing, but checkpointing the state of the chain requires nodes to be continually online and has been criticized as a complex and centralized solution. Moreover, LRAs demonstrate that in the long run, PoS validator networks fail to guarantee the validity of the ledger – particularly in past states of the blockchain.
The result is that validator networks are not creating a permanent, immutable ledger with their consensus, but rather only a “temporary consensus” within a given context of time.
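The checkpointing defense described above, as an added example that is not from the article or from any specific network: a node that recorded a checkpoint while online refuses a longer alternative history that diverges before it, while a node with no checkpoint accepts the rewrite. The block format, validator names and the longest-chain rule (a stand-in for a stake-weighted fork choice) are assumptions.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Block:
    height: int
    parent: str   # digest of the previous block
    signer: str   # validator that produced the block (hypothetical names)

    @property
    def digest(self) -> str:
        data = f"{self.height}|{self.parent}|{self.signer}".encode()
        return hashlib.sha256(data).hexdigest()

def build(start, signers):
    """Extend a copy of `start` with one block per entry in `signers`."""
    chain = list(start)
    for s in signers:
        parent = chain[-1].digest if chain else "genesis"
        chain.append(Block(len(chain), parent, s))
    return chain

def is_linked(chain):
    """Every block must follow its predecessor by height and parent digest."""
    return all(b.height == a.height + 1 and b.parent == a.digest
               for a, b in zip(chain, chain[1:]))

def choose(current, candidate, checkpoint=None):
    """Prefer the longer linked chain, but never one that rewrites a checkpoint.

    `checkpoint` is a (height, digest) pair the node recorded while online.
    """
    if not is_linked(candidate):
        return current
    if checkpoint is not None:
        height, digest = checkpoint
        if len(candidate) <= height or candidate[height].digest != digest:
            return current  # candidate diverges at or before the checkpoint
    return candidate if len(candidate) > len(current) else current

# Constructed scenario: an honest chain of 8 blocks, and an alternative
# history that forks after height 2 using an old validator key and is longer.
honest = build([], ["v1", "v2", "v3", "v1", "v2", "v3", "v1", "v2"])
rewrite = build(honest[:3], ["old_key"] * 9)
checkpoint = (5, honest[5].digest)

if __name__ == "__main__":
    print("checkpointed node keeps honest chain:",
          choose(honest, rewrite, checkpoint) is honest)
    print("node without checkpoint accepts rewrite:",
          choose(honest, rewrite) is rewrite)
```

The second result is the weakness the article points to: the protection exists only for nodes that were online to record the checkpoint or that obtain it from a source they trust.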
Sour Milk Attacks
A sour milk attack is where base validators push their peers to doubt honest peers by publishing genuine and fraudulent blocks to peers concurrently. At the same time, these base nodes coordinate with other malicious peers to do the same, muddling the ability of honest peers to discern between valid and invalid blocks.
The requirements for conducting these attacks are concerningly low, as only a fraction of the network validators can effectively freeze the network, create forks and lock the consensus.
Other attack vectors
Some other prominent attack vectors for PoS validating networks include the “Fake Stake attack,” stake grinding and DDoS attacks against validators that are required to remain online, forcing them to lose money.
In particular, the fake stake attack reveals that PoS validating is not as efficient at scaling as perceived, due to the higher costs of checking PoS blockchains compared to PoW blockchains. The attack vector was recently disclosed and would enable attackers with minimal stakes to crash nodes running the network’s software.
One of the main concerns with validator networks is their potential for supplementing the wealth of the “crypto 1 percent” where only validators with significant stakes will reap the rewards of staking. With the wealthiest stakeholders able to control a sizeable portion of the overall supply, the incentive for average stakeholders to participate in validating is diminished.
Reduced incentives are inextricably linked to one of the most cited and high-profile pitfalls of validator networks — the low participation in staking by users. The downstream effects of low participation are network centralization, front-running trades with price cartels, and many more adverse consequences.
The game theory complexity of validator networks is also often criticized. To the hammers — engineers in game theory and incentive structures — everything in PoS consensus design looks like a nail. As such, the model becomes exceptionally convoluted and akin to engineering new solutions to problems that old solutions collaterally produced.
Further, misaligned incentives draw from the sheer complexity of such systems. In particular, the “Nothing at Stake Problem” is one of the foremost concerns of PoS validator networks. The Nothing at Stake problem is a well-documented issue in validator PoS networks where PoS consensus cannot adequately solve the problem of two blocks being produced at similar times.
PoW solves this via a randomized mechanism involving the most worked chain of energy expenditure. However, PoS passes this burden onto the validators, leading to one block potentially having more stake than the other. The problem materializes when validators realize that staking on two competing chains is advantageous to them. By using their stake on both chains, it becomes challenging to discern which chain is the valid chain.
Criticisms of proposed solutions to the Nothing at Stake problem again highlight the layers of abstraction needed to obfuscate the fundamental issue of staking without actually addressing the problem itself – leading to even more design convolution.
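Both the Sour Milk scenario and staking on two competing chains come down to one validator backing conflicting blocks at the same height. The added example below (not from the article or any specific network) shows how honest peers that pool the votes they received can detect this and apply the stake slashing mentioned earlier. The vote format, stake table and penalty are assumptions, and signature verification is assumed to have already passed.

```python
from collections import defaultdict

# Constructed sample: (validator, height, block_hash) votes as received by
# two honest peers. Each peer's own view is internally consistent.
PEER_A = [("val1", 10, "aa11"), ("val2", 10, "aa11"), ("val3", 10, "aa11")]
PEER_B = [("val1", 10, "aa11"), ("val2", 10, "bb22"), ("val3", 10, "bb22"),
          ("val1", 11, "cc33")]

STAKES = {"val1": 500, "val2": 300, "val3": 200}  # hypothetical bonded stake
SLASH_BPS = 500                                   # hypothetical penalty: 5%

def find_equivocations(*vote_sets):
    """Return {(validator, height): sorted block hashes} for conflicting votes."""
    seen = defaultdict(set)
    for votes in vote_sets:
        for validator, height, block_hash in votes:
            seen[(validator, height)].add(block_hash)
    return {key: sorted(hashes) for key, hashes in seen.items() if len(hashes) > 1}

def apply_slashing(stakes, evidence, bps=SLASH_BPS):
    """Return a new stake table, penalising each offence (validator, height) once."""
    updated = dict(stakes)
    for validator, _height in sorted(evidence):
        updated[validator] -= updated[validator] * bps // 10_000
    return updated

def equivocating_stake_share(stakes, evidence):
    """Fraction of total stake held by validators caught equivocating."""
    offenders = {validator for validator, _height in evidence}
    return sum(stakes[v] for v in offenders) / sum(stakes.values())

if __name__ == "__main__":
    evidence = find_equivocations(PEER_A, PEER_B)
    print("conflicts seen by peer A alone:", find_equivocations(PEER_A))
    print("conflicts after pooling votes:", evidence)
    print("stakes after slashing:", apply_slashing(STAKES, evidence))
    print("stake share equivocating:", equivocating_stake_share(STAKES, evidence))
```

Neither peer sees a conflict in its own view; the evidence only appears once the two views are compared, which is why such detection depends on honest peers exchanging what they were sent.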
As networks that rely upon validators continue to garner support among next-generation blockchain platforms, it is prudent to place the new consensus designs into the context of practicality. PoW is the only proven distributed consensus for blockchain networks. Only time will tell if PoS validators prove sustainable models for scalable blockchains, and being aware of their shortcomings is the optimal approach in a sea of blockchain innovation.