Aligning Incentives for Bridged Sidechains

thefett
Jun 25, 2018

By Dr. Nicholas Blasco and Nicholas Fett

The Decentralized Derivatives Association (DDA) is working hard to scale the Ethereum network as well as our own independent products. After the initial Beta launch in January, DDA (along with the rest of the Ethereum community) quickly realized that scaling the network is the only way that a truly decentralized future can materialize. Like many others in the space, DDA’s proposal includes the implementation of fully public sidechains that are bridged to the main Ethereum network using a relay system.

DDA’s approach differs from other sidechain proposals in its drive towards true decentralization. Many scaling solutions require networks to utilize either Proof-of-Authority, Delegated Proof-of-Stake, or other centralized or semi-centralized consensus mechanisms. DDA is building a platform that is unstoppable. Aligned with the belief that the true value of distributed systems is in the unstoppable applications that can be built on top of them, DDA will create a fully decentralized implementation for the creation and exchange of derivative instruments.

Figure 1

Summary
This article lays the groundwork for analyzing the viability of bridged sidechains and the cryptoeconomic incentives that may differ from running just one network. Although the vulnerability analysis discussed in this article pertains specifically to DDA’s implementation, the math will hold for any two chains that are bridged and pass value back and forth.

Now let’s get to the math.

Assuming:

  • 2 public chains (e.g. Ethereum Mainnet and DDA-chain)
  • A relayer or relayer network
  • Rational, profit maximizing actors

Values:

  • Value of native dapp chain Ether (dEth)
  • Value of mainchain Ether locked on DDA chain (mEth)
  • Value of largest oncoming loss (LOL)

Costs:

  • Cost to 51 percent attack DDA chain (a51)
  • Cost to break relay network (BRN)

The goal of breaking the network is solely to steal the mainchain Ether. If you 51 percent attack a chain, you can assume the value of that chain will drop to zero. Since the value of dEth will then be zero, the only goal is to steal the mEth locked on the dapp chain. To achieve this, parties can either steal the mEth on the chain or disrupt the relay network to steal the mEth.

Therefore:

𝐶𝑜𝑠𝑡 𝑜𝑓 𝑠𝑡𝑒𝑎𝑙𝑖𝑛𝑔 𝑚𝐸𝑡ℎ = 𝑚𝑖𝑛(𝑎51, 𝐵𝑅𝑁)

𝑎51 = 𝑓(𝑑𝐸𝑡ℎ) + 𝑓(𝑚𝑖𝑛𝑖𝑛𝑔 𝑝𝑟𝑜𝑓𝑖𝑡𝑎𝑏𝑖𝑙𝑖𝑡𝑦 𝑟𝑒𝑙𝑎𝑡𝑖𝑣𝑒 𝑡𝑜 𝑜𝑡ℎ𝑒𝑟 𝑐𝑜𝑖𝑛𝑠)

To simplify for our article, ‘a51’ will be used to measure the cost to steal all value on the dapp chain. The basic assumption we can make is that if 𝐿𝑂𝐿 + 𝑚𝐸𝑡ℎ > 𝑎51, the network is unsafe. Since we don’t want to limit usage of the platform (mEth / LOL), the only way to increase security on the network is to increase a51 (get more miners). There are a few ways to do this:

  • Pay miners with mEth
  • Peg dEth (or at least give it a minimum value)
  • Incentivize ownership of dEth (promise of dividends, expectation of increase in value, etc.)

To incentivize additional miners to participate in the chain, DDA (or another service running a dapp chain) can pay miners an additional reward in mEth, in addition to dEth. Unfortunately, the ideal reward DDA should set is highly dependent on LOL.

Where:

𝑀𝑅 = 𝑚𝑖𝑛𝑖𝑛𝑔 𝑟𝑒𝑤𝑎𝑟𝑑 𝑝𝑎𝑖𝑑 𝑏𝑦 𝐷𝐷𝐴 (𝑒.𝑔.𝑓𝑒𝑒𝑠 𝑜𝑛 𝑚𝐸𝑡ℎ 𝑡𝑟𝑎𝑛𝑠𝑓𝑒𝑟𝑠 𝑜𝑟 𝑝𝑒𝑟 𝑡𝑟𝑎𝑑𝑒 𝑓𝑒𝑒)

To maintain stability:

𝑀𝑅 + 𝑎51 > 𝑚𝐸𝑡ℎ + 𝐿𝑂𝐿

If we assume a stable state at the beginning, we need to maintain stability for all outcomes as the variables change. Since a51, although slightly correlated to mEth, is a relatively stable value in the short term (barring all miners shutting down their nodes at once), the following equation must hold to maintain stability:

𝑀𝑅′ > 𝑚𝐸𝑡ℎ′ + 𝐿𝑂𝐿′

This is a dangerous situation! Since LOL is the largest oncoming loss and Ethereum addresses are anonymous, we must assume:

𝐿𝑂𝐿 = ∑𝑛𝑒𝑡 𝑒𝑥𝑝𝑒𝑐𝑡𝑒𝑑 𝑙𝑜𝑠𝑠𝑒𝑠

This means that if all losing contracts on the network are owned by one party, all contracts use the full amount of collateral, and the amounts of collateral on the long and short sides are equal, then:

max(𝐿𝑂𝐿) = .5𝑚𝐸𝑡ℎ

If we assume this as a worst-case scenario (the case with current DDA contracts):

𝑀𝑅 + 𝑎51 > 1.5𝑚𝐸𝑡ℎ

This is good news actually…we now have a concrete number that we can target with our mining reward. The implementation of this is difficult. The assumption for this outcome is that the cost to 51 percent attack a network is stable in the short term (a semi-proven assumption given BTC and ETH). For longer time frames however, we can assume that a51 may change. Therefore, it is very beneficial to have a system that can levy fees for MR relatively quickly (e.g. not just when mEth transfers occur). For DDA’s creation and transfer of derivatives contracts, the fee for MR can be levied on initial transfers to the dapp as well as on a per-trade basis on any exchange on the dapp chain.

Attack Scenarios and Game Theoretic Solutions
To further elaborate on the implications of these findings, we’ll now portray the results using a different method: game theory. The state of the system can be modeled as a kind of stochastic game with the following example states being reason for concern:

  • 𝑚𝐸𝑡ℎ + 𝐿𝑂𝐿 > 𝑑𝐸𝑡ℎ
  • 𝑚𝐸𝑡ℎ + 𝐿𝑂𝐿 > 𝑎51
  • 𝑚𝐸𝑡ℎ + 𝐿𝑂𝐿 > 𝐵𝑅𝑁

In order to anticipate potential attacks in both secure and insecure states, we model the network as a game with varying states. While costs are anticipated to increase as both a function of mining and the value of dEth, the LOL and mEth values may increase dramatically over a short period of time. These cost and value changes determine the probability of attack. The initial state of the game presents vulnerability but low attack probability due to the low gains of any player in the game (not much mEth in system).

Each of these scenarios has 2 players. Regardless of the number of players however, the basic math is the same.

Figure 2: Cost Matrix with an impending high LOL for Player 2

In this scenario, Player 1 refers to DDA; however, Player 1 could represent any company using a sidechain-based dapp and relayers to connect to the main Ethereum blockchain. Player 2 can represent an individual, organization or competitor interested in avoiding a large oncoming loss on the DDA derivatives network.

Player 2 has two options: one is to attack (Act), and the other is to not attack (Don’t Act). If Player 2 Acts and Player 1 does not, Player 2 stands to gain 10 and Player 1 will lose 15. Player 1 also has two options. The first is to act by implementing security measures to defend against an attack (e.g. raise fees on the network). The second option is to take no action (Don’t Act), in which Player 1 decides to believe an attack will not occur because it is not in the best interest of Player 2. In the scenario where Player 1 does not act (right hand column), the cost of commencing an attack by Player 2 is much lower (Player 2 can choose between gaining or losing 10), so Player 2 would attack.

The Pareto optimal solution in the current game or scenario is when no action is taken by DDA or an attacker. While it is much more beneficial for the attacker to change strategies, it is not beneficial for DDA to change strategies unless a perfect information game is being played. Since both players know it is more beneficial for the attacker to change strategies, DDA must then also change strategies to avoid a massive loss.

Summarizing the first scenario: DDA or other dapp chain operator will implement a stability fee or additional miner reward rather than risk an attack.

Figure 3: Cost Matrix for BRN or a51 absent of a LOL

Figure 3 illustrates the cost matrix for a scenario in which the cost to break the relay network or the cost to attack 51 percent of the dapp chain are considered without the cost of a large oncoming loss as part of the game. This scenario is likely on a network that is not anonymous. Player 2 in this scenario is therefore an anonymous attacker, not currently partaking in DDA derivatives contracts (or other dapp chain activity). The payoff values in Figure 3 have changed; however, the values have not changed to an extent where the sequence of strategies will be different than Figure 2.

Figure 4: Competitor Game

For the final game, Player 2 has no LOL but has an interest in seeing Player 1 fail. Maybe Player 2 is interested in the mEth locked on the dapp or is possibly a competitor. The “competitor game” scenario in Figure 4 depicts a Pareto optimal solution as well as a socially optimal solution. Socially optimal solutions are the most beneficial but are often unstable (as demonstrated above). When determining optimal strategies, it must be considered that the search techniques for Player 1 and Player 2 may be different.

Analysis of Strategies
Although the examples appear simple, the costs and benefits present on a live chain are highly complex functions encompassing many variables included in this research as well as numerous additional considerations. By analyzing the cost matrix, it appears a Nash Equilibrium (and thus an ‘optimal value’ for defense) cannot be reached. A Nash Equilibrium can only be reached when both players cannot improve their outcome by changing strategy. Because the attacker would lose the money it would cost to unsuccessfully attack DDA as well as the LOL value, it would be more advantageous to incur the LOL by not acting. DDA cannot change strategies without the risk of massive loss and therefore must act by implementing additional security measures.

Competitor Sabotage and Other Value Caveats
Aside from our brief competitor analysis, the benefit to malicious actors in our game theory scenario has been solely focused on the monetary benefit parties could extract from the system. This is likely an exaggerated amount for several reasons:

  • The value of a theft must be discounted by the amount one would be able to realistically exit with
  • The value of a theft must be discounted by the risk of failure of the attack

𝐺𝑎𝑖𝑛 𝑓𝑟𝑜𝑚 𝑎𝑡𝑡𝑎𝑐𝑘 = 𝐸(𝑑𝑖𝑠𝑐𝑜𝑢𝑛𝑡𝑒𝑑 𝑣𝑎𝑙𝑢𝑒 𝑜𝑓 𝑠𝑜𝑙𝑑 𝐸𝑡ℎ𝑒𝑟) = 𝑓(𝑚𝐸𝑡ℎ, 𝑝𝑜𝑠𝑡 𝑎𝑡𝑡𝑎𝑐𝑘 𝐿𝑖𝑞𝑢𝑖𝑑𝑖𝑡𝑦 𝑜𝑓 𝑚𝐸𝑡ℎ, 𝑝𝑟𝑜𝑏𝑎𝑏𝑖𝑙𝑖𝑡𝑦 𝑜𝑓 𝑠𝑢𝑐𝑐𝑒𝑠𝑠)

On the other hand, the value of the attack should also be increased by non-mEth gains.

Let’s say for instance that DDA’s wildest dreams come true and we begin to completely revolutionize the OTC derivatives market to such a degree that traditional dealers are losing business and traditional exchanges are losing clients and liquidity. Unsurprisingly, dealers now have an incentive to shut down DDA that extends beyond the monetary value of the theft. Let’s say for example, the biggest loser in the advent of the new derivatives model is a theoretical bank, Gildmen Hachs Bank (GHB). The benefit to GHB to attack the network is as follows:

𝐺𝐻𝐵 𝑏𝑒𝑛𝑒𝑓𝑖𝑡 = 𝑓(𝑚𝐸𝑡ℎ, 𝑝𝑜𝑠𝑡 𝑎𝑡𝑡𝑎𝑐𝑘 𝐿𝑖𝑞𝑢𝑖𝑑𝑖𝑡𝑦 𝑜𝑓 𝑚𝐸𝑡ℎ, 𝑝𝑟𝑜𝑏𝑎𝑏𝑖𝑙𝑖𝑡𝑦 𝑜𝑓 𝑠𝑢𝑐𝑐𝑒𝑠𝑠) + ∑𝑑𝑖𝑠𝑐𝑜𝑢𝑛𝑡𝑒𝑑 𝑓𝑢𝑡𝑢𝑟𝑒 𝑒𝑥𝑝𝑒𝑐𝑡𝑒𝑑 𝑝𝑟𝑜𝑓𝑖𝑡𝑠 𝑔𝑖𝑣𝑒𝑛 𝑛𝑜 𝐷𝐷𝐴 𝑐ℎ𝑎𝑖𝑛

Whereas the previous state of balance was:
𝑀𝑅 + 𝑎51 > 1.5𝑚𝐸𝑡ℎ

The new formula for a given competitor (COMP) is:
𝑀𝑅 + 𝑎51 > 1.5𝑚𝐸𝑡ℎ + 𝐶𝑂𝑀𝑃 𝑏𝑒𝑛𝑒𝑓𝑖𝑡

Now the state must be analyzed given these additional factors. The good news for DDA (and other dapp chains) is that competitors are not yet engaging in 51 percent attacks on each other’s network. The benevolence of the gentlemen anarchist in the current system has thus prevailed; however, as the traditional finance sector comes into the space, the likelihood of socially optimal solutions decreases rapidly. This topic has been analyzed by many in the cryptocurrency space already (if the Federal Reserve truly saw Bitcoin as a threat, what would be the amount necessary to prevent an attack?), but for the case of DDA, we will aim to over-collateralize the network until the overall cost to attack is large enough to mitigate the competitor sabotage effects of malicious incumbents.
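The stability conditions above can be checked mechanically for a given network state. The following is an added example, not code from DDA or the original article: it evaluates the three "reason for concern" states and the 𝑀𝑅 + 𝑎51 > 𝑚𝐸𝑡ℎ + 𝐿𝑂𝐿 + 𝐶𝑂𝑀𝑃 𝑏𝑒𝑛𝑒𝑓𝑖𝑡 inequality, using 𝑚𝑖𝑛(𝑎51, 𝐵𝑅𝑁) as the binding attack cost. The class, function and field names and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ChainState:
    m_eth: float                 # mEth: mainchain Ether locked on the dapp chain
    d_eth: float                 # dEth: value of native dapp-chain Ether
    a51: float                   # cost to 51 percent attack the dapp chain
    brn: float                   # cost to break the relay network
    mr: float                    # MR: mining reward paid by the operator
    lol: Optional[float] = None  # LOL if known; None means assume the worst case
    comp_benefit: float = 0.0    # non-mEth gain to a competitor (COMP benefit)

def assess(s: ChainState) -> dict:
    # Anonymous addresses: without better data, assume max(LOL) = .5 mEth.
    lol = 0.5 * s.m_eth if s.lol is None else s.lol
    at_risk = s.m_eth + lol
    # The three "reason for concern" states listed in the article.
    concerns = [name for name, bound in
                (("dEth", s.d_eth), ("a51", s.a51), ("BRN", s.brn))
                if at_risk > bound]
    # Cost of stealing mEth = min(a51, BRN): the cheaper path is the binding one.
    attack_cost = min(s.a51, s.brn)
    required = at_risk + s.comp_benefit
    return {
        "lol": lol,
        "concerns": concerns,
        "stable": s.mr + attack_cost > required,
        # MR must strictly exceed this floor for the inequality to hold.
        "mr_floor": max(0.0, required - attack_cost),
    }

# Constructed sample states (arbitrary common value unit, not real data).
SAMPLES = {
    "launch": ChainState(m_eth=100, d_eth=500, a51=400, brn=600, mr=0),
    "growth": ChainState(m_eth=1000, d_eth=500, a51=400, brn=600, mr=50),
    "competitor": ChainState(m_eth=200, d_eth=500, a51=400, brn=350, mr=0,
                             comp_benefit=100),
}

if __name__ == "__main__":
    for name, state in SAMPLES.items():
        print(name, assess(state))
```

The constructed "competitor" state raises none of the three concern flags yet still fails the inequality, because the relay network is cheaper to break than the chain and the competitor benefit adds to what an attack is worth.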

Caveats and Other methods
I know what you’re all thinking at this point… well this is why other methods are better (Plasma, counterfactual state channels, etc.) and why would anyone ever want to use this system if you don’t address chain survivability and make verified withdrawals?

To explain briefly for those not thinking that, Plasma and some other methods require you to prove what the other chain did with a token if you want to unlock it. So, if Alice locks Ether on a sidechain, transfers it to Bob, who transfers it to Charlie, Charlie would need to have proof of those signed transactions if he wants to unlock the Ether on the mainchain. This method is very promising and many other research teams have dedicated themselves to building it.

The only real issue is that these methods are not production ready and might not be ready for some time. You can bet on the fact that DDA is going to weigh the pros and cons of every method and use the best one out there. At the moment, it remains to be seen if a full smart-contract based plasma chain can be confirmed on the main chain. I’m hopeful, but gas costs on the mainchain need to be considered when building validation methods. This is why, at DDA, we’re building a scalability solution that can be implemented in mere months, not quarters or years.

Dapps seeking to scale can abstract away most of the risks described in this article by simply staying private (e.g. POA chain with permissioned relayers). This is an option in the short term, but if the ultimate goal is a POA chain, one should probably have a long reflection on whether the underlying activity needs to be on a blockchain in the first place.

Conclusion
This article was written as an introduction to the additional economic and security concerns of bridged chains. Sidechains are a viable solution to scaling in the near term for Ethereum, and DDA intends to implement a fully public sidechain for the execution of OTC derivatives contracts for members of DDA. For more information on DDA, please visit our website and subscribe for updates.

www.ddacoop.org

Thanks to Alexandra Fett, John Chaney, Lucian Stroie, Brenda Loya and Jacob Matthews for their thoughts and comments on the article.
