Markets for Security
By Matt Liston
In light of recent attacks on theDAO, it seems to be a good time to discuss how prediction markets could be used to hedge against, mitigate, or prevent such a situation in the future.
Estimating Probabilities
In general, prediction markets are excellent at providing instruments to hedge against risk, or to form insurance contracts. In the case of a DAO, consider a market asking: “will a security hole in the DAO be used to drain greater than 1000 Ether before the end of 2016”. This market would be resolved on January 1, 2017 and settle in the YES direction if such an attack occurred, or the NO direction if it did not. Participants in this market would likely be security experts, potential attackers, and token holders or Ether holders wishing to hedge against DAO theft risk and resulting price movements. Security experts who do a code review could express their confidence in this market. In the example of theDAO, several people reviewed the code and did not find the real exploit but had a hunch that they were close to finding it. The market mechanism could make this “hunch” quantifiable and would turn it into valuable information for users. Thanks to our market scoring rule and the efficient market hypothesis, this market should aggregate accurate probabilities of this event occurring by properly incentivizing participants with unique knowledge to reveal their information through the market. Such a market would act as a warning flag for DAO participants. A mechanism could also be built into a DAO to place funds in secure lockdown if the probability of theft passes a certain threshold.
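A sketch of how trades become a probability and how the lockdown trigger could consume it. This is an added example, not code from the original post or from any DAO. It assumes the logarithmic market scoring rule (LMSR) as the scoring rule, which the post does not name; the liquidity parameter, the 0.30 threshold, the trader names and the trades are all constructed for illustration.

```python
import math

class LmsrMarket:
    """Binary YES/NO market priced with the LMSR (assumed scoring rule)."""
    def __init__(self, liquidity):
        self.b = liquidity                 # larger b: price moves less per share
        self.q = {"YES": 0.0, "NO": 0.0}   # outstanding shares per outcome

    def _cost(self, q):
        # C(q) = b * ln(exp(q_yes/b) + exp(q_no/b))
        return self.b * math.log(sum(math.exp(v / self.b) for v in q.values()))

    def probability(self, outcome="YES"):
        # Marginal share price, read as the market's implied probability.
        total = sum(math.exp(v / self.b) for v in self.q.values())
        return math.exp(self.q[outcome] / self.b) / total

    def buy(self, outcome, shares):
        # The trader pays the change in the cost function (in Ether).
        after = dict(self.q)
        after[outcome] += shares
        cost = self._cost(after) - self._cost(self.q)
        self.q = after
        return cost

class GuardedFund:
    """Hypothetical DAO vault that freezes when the market signals risk."""
    def __init__(self, market, threshold):
        self.market, self.threshold, self.locked = market, threshold, False

    def check(self):
        # Latching: a later price drop does not unlock the funds, so nobody
        # can reopen the vault just by buying NO shares.
        if self.market.probability("YES") >= self.threshold:
            self.locked = True
        return self.locked

def simulate():
    market = LmsrMarket(liquidity=100.0)
    fund = GuardedFund(market, threshold=0.30)
    # Constructed trades: (trader, outcome, shares)
    trades = [("token_holders", "NO", 220), ("reviewer_a", "YES", 60),
              ("reviewer_b", "YES", 90), ("late_trader", "NO", 100)]
    log = []
    for who, outcome, shares in trades:
        cost = market.buy(outcome, shares)
        log.append((who, cost, market.probability("YES"), fund.check()))
    return log
```

Each row returned by `simulate()` is (trader, cost paid, YES probability after the trade, locked). The YES probability starts near 0.1, crosses the threshold on the second reviewer's purchase, and the vault stays locked even after the price falls back.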
Hedging Against Risk
This same market could be used by participants to hedge against the possibility of such an attack (that is, to offset losses). In order to do this, participants would buy YES positions in the market. In the event of an attack, they would receive a payout inversely proportional to the probability at the time of share purchase. For example, if share pricing is 0.1 Ether for YES and 0.9 Ether for NO, then a participant purchasing YES shares would receive a 1000% profit in the case of an attack. If this participant is holding 1000 Ether and the price drops 50% following an attack, then a purchase of 50 YES shares at 0.1 Ether per share would completely offset their losses. However, a disclaimer should be added that it might have been difficult to hedge all 150M against risk, as this would require another 150M locked up in the prediction market.
Exploit Market
Prediction markets can also be used to incentivize white hat hackers to search for security exploits. This can be done by creating markets asking “is there x type of undiscovered bug in this code and if so, will it be safely revealed” and buying heavily in the NO direction. This effectively incentivizes a security researcher to search for an exploit. If they find an exploit, they would then buy shares in the YES direction, which would provide them with a payout. Additionally, an oracle could be specified to only settle the market in the YES direction if the researcher reveals the exploit in such a way that it is not used for direct attack and can be fixed internally before being publicized.
A combination of the above markets could be used to predict an attack and lock down funds before it happens, allow participants to hedge against various attack risks, and provide a dynamic crowdsourced bounty program for researchers to safely discover exploits. There may be variations of the above use cases as well as entirely separate mechanisms which could be useful in this context. I’m curious to see what others in the community can come up with! Hopefully we can implement markets such as these before other possible attacks on the DAO and DApp ecosystem.
Read more at: http://sirdarckcat.blogspot.com/2016/03/creating-decentralized-security-rewards.html by Eduardo Vela
Originally published at medium.com on September 2, 2016.