Measuring RSK Security

A complex system’s security cannot be measured by a single metric. Security is the result of the combined strength of a series of components and their interactions. Security is generally pictured as a chain, because it takes only a weak or faulty link to break it. To measure RSK security, different points of view must be used, and many system components must be reviewed. The broader categories that must be analyzed are design, implementation and operation, the last including the improvement proposal review process and the development lifecycle. The RSK components where security is critical are the peg and the consensus protocols (the selection of the best chain), but there were also critical decisions with long-lasting security implications in the design of RSK VM, node discovery, wire messages and peer scoring components.

There is no single measure of security in the blockchain ecosystem. An expert can argue that RSK is more secure than Ethereum by a metric X, while another expert argues Ethereum is more secure by a metric Y, different from X, and both of them can be right. In this article we tackle the problem of measuring RSK security by analyzing the different components in RSK and by doing so from the different angles presented.

General Security

Design. RSK design excels on security. It is robust against the most common attacks known by 2018, and it also anticipated, and can now resist, many attacks that were discovered years later. First, RSK is based on merge-mining, which is a consensus protocol that is widely known and conceptually simple. Simplicity makes it more secure. The security assumptions of merge-mining are well studied. RSK implements a variant of Nakamoto Consensus called DECOR, which is especially strong against selfish mining. The REMASC contract, which distributes fees according to DECOR, is strong against fee sniping. Armadillo, a subsystem of RSK consensus paired with a decentralized component that monitors the blockchain for forks, provides strong protection against 51% mining attacks. DECOR also provides protection against bribing attacks and uncle mining. The minimum gas price specified in blocks protects the RSK network against fee side-channels, and against network denial-of-service attacks. The RVM, RSK’s flavor of the EVM, is simple and has been widely reviewed. While RSK opcode gas costs currently match resource requirements, they may be inadequate for the future. A series of upcoming changes, including storage rent and parallel transaction processing, will improve these costs to become future-proof and withstand the load required to serve millions of active users. Finally, while the Solidity compiler is not strictly part of RSK, it is the main language used by developers to code RSK’s smart contracts. After several years of being battle-tested and improved, it has matured to become the standard smart-contract compiler.

Implementation. RSK client code “RSKj” is maintained mainly by RSK core devs and a number of external contributors, including IOV researchers and developers in the community. While we wish to see more code reviews from the community, the core developers have created a strong development process. The RSK core team is a dedicated team, and this makes RSK development more reliable than many other blockchains’, especially Ethereum clones. Other blockchains based on geth clones inherit most of the changes, features and errors from the geth team, as they blindly copy code. The new code may be incompatible with the cloned blockchain or may put it in danger, and incompatibilities can go undetected by their teams. On the contrary, RSK core developers understand the full RSKj codebase. While RSK code was based originally on a fork of an Ethereum client, most of the code has been rewritten from scratch since then, so there is no technical debt inherited from pre-RSK times.

Another element that contributes to RSK’s security is that the RSK node is written in Java, and not in Golang, as geth is. Java has a much wider development base, and security auditors are more used to reviewing Java code than Golang code, increasing the capability of peer review and security audits to uncover potential bugs.

Development. Every single change to the RSK code is peer reviewed internally, and anything that can affect security is also internally audited by the IOV Labs security team and externally audited by Coinspect. In addition, a separate QA team tests every RSKj release before it can be distributed to the community. Very few blockchains’ core development teams have code auditing and a dedicated QA team as an integral part of the development cycle. Deterministic builds and signed releases are the cherry on top of the cake.

Uptime. Since the launch of RSK in 2018, no security vulnerability has been discovered in the wild or exploited to steal the funds in RSK’s peg, or to break the security of RSK smart contracts. The outstanding track record of RSK is evidence of the community focus on security.

Bug Bounty Program. IOV Labs has created a bug bounty program to reward security researchers that dedicate time and effort to improve the RSK blockchain. The bug bounty program is run by HackerOne and has promptly awarded bounties to individuals who have contributed to making RSK more secure.

To summarize, RSK simplicity is one of its main security strengths. Complex systems tend to later reveal hidden incentive problems, and also more code bugs. For example, Ethereum 2.0 design is highly complex and many vulnerabilities have been found, including two papers published in the last 6 months highlighting security problems. Even Ethereum 1.0 consensus design had several vulnerabilities reported, even some that haven’t been fixed yet. RSK consensus has no outstanding vulnerability.

Consensus Security

Security budget. One of the metrics that is commonly used to evaluate blockchain security is the “security budget”. This is how much money (in USD) is paid to the miners per unit of time (i.e. USD/hour). This metric assumes that the miners will re-invest most of the revenue in hashrate securing the network because tough competition gradually reduces the profitability margins (the Efficient Market Hypothesis). Under the EMH assumption, this metric indicates how much money will be invested in securing the chain. This metric is good for standalone blockchains, but does not apply well to merge-mined chains, especially where there are aligned incentives between the main chain and the sidechain. Considering the RSK plus Bitcoin’s security budget, RSK is more secure than Ethereum. According to crypto51.app, Bitcoin and Ethereum have almost the same security budget. Considered alone, RSK is far behind, but Armadillo, a key component of RSK, gracefully fills this gap, as explained below.

Attack Deterrence. One particular method to achieve higher practical security without increasing the defenses from an attack is to reduce the potential profit. If a successful attack is unprofitable, then the attack is disincentivized, as the attacker incurs many costs, such as capital and operational costs, and potential legal liabilities if discovered. RSK deters reorgs using its Armadillo subsystem. The slow-to-settle nature of Nakamoto consensus gives merge-mined chains the capability of detecting attacks before they can actually cause harm. A reorg attack on RSK must be visible on Bitcoin’s blocks, unless the attacker is willing to forego the Bitcoin rewards. Armadillo monitors the Bitcoin blockchain and alerts of any reorg attempt. Recently Armadillo was strengthened with RSKIP179 (time-stamp linking) and additional improvements are waiting to be reviewed. While no attack on RSK consensus has ever occurred to test Armadillo’s effectiveness, the monitoring system is online 24/7. The practical effect of Armadillo is similar to an increase of RSK security budget to match Bitcoin’s.

Thermodynamic security. Another metric to measure security is the cost of blockchain reversal measured in energy (sometimes called thermodynamic security). By this metric, and based on the figures indicated by digiconomist.net (BTC, ETH), Bitcoin doubles Ethereum’s energy consumption. Assuming low orphan block rate, this means that RSK, having 50% of Bitcoin hashrate, has approximately the same thermodynamic security as Ethereum. However, the RSKIP178 proposal (External Hashrate confirmation), which is being considered for a future network upgrade, allows the expansion of RSK’s thermodynamic security to match Bitcoin’s security even with lower merge-mining engagement, making RSK more secure than Ethereum.

Nakamoto coefficient. The Nakamoto coefficient measures the minimum number of participants that can disrupt a protocol (outsiders are not considered). This metric can be applied to a blockchain consensus. How many malicious miners are needed to attack a blockchain? Both Ethereum and RSK have mining pools which concentrate temporary decision making into few participants. Four Bitcoin mining pools control more than 51% of the hashrate and three mining pools control more than 51% of Ethereum’s hashrate. Based on the Nakamoto coefficient, Bitcoin is more secure than Ethereum, but RSK has 50% of Bitcoin hashrate, so RSK is approximately as secure as Ethereum. However, in case of Nakamoto consensus, the Nakamoto coefficient is only an indicator of short term security because the disruption that a mining pool can cause is temporary as honest miners would quickly disengage with a mining pool that acts maliciously, and either mine solo or switch to an honest pool. With a few exceptions, most of the largest mining farms in Bitcoin have less than 2% of the total hashrate. That’s why the real Nakamoto coefficient of RSK consensus is probably higher than 25.

Hashrate for Rent. Still another metric that can be used to measure security is the amount of hashrate that can be rented. Rented hashrate can be used to attack the blockchain, sometimes anonymously, without any initial hardware investment. According to crypto51.app there is no Bitcoin hashrate to rent, while 6% of Ethereum hashrate can be rented. As RSK uses Bitcoin’s hashing function, RSK is better protected against the “nicehash attack” than Ethereum.

State-sponsored 51% attack. A last metric we can use to measure security is the cost of mining hardware that an attacker would need to buy (or manufacture) to 51%-attack the blockchain. Since these costs are huge, it is supposed to be only possible by a state. To perform a 51% attack, the attacker must buy or build enough hardware to surpass 100% of the existent honest hashrate. Approximate calculations of the total Bitcoin and Ethereum hardware cost based on state-of-the-art ASICs show both costs are very close (15.6B against 12.84B, respectively). These estimations seem credible as both networks are currently mainly mined by ASICs. This means that Ethereum is more secure than RSK if the government decided to invest billions in attacking the blockchains.

Powpeg Security

The RSK Powpeg is a bridge to Bitcoin that allows BTCs to flow from Bitcoin to RSK and vice versa. The Powpeg has matured from its inception in 2018 as a federation to now include many decentralized qualities.

Defense-in-depth. RSK Powpeg is based on a layered security model, a practice we call “defense-in-depth”. Every new proposal that has been merged into the RSK codebase to strengthen RSK security adds a new layer on top of the existing layers. The established philosophy is that well-functioning security components should not be replaced.

Trust-less. Pegnatories are the organizations or individuals participating in the RSK PowPeg. Pegnatories keep specialized hardware called PowHSMs active and connected to special types of RSK full nodes (the “Powpeg Node”). Because Bitcoin private keys are stored and secured inside the HSMs, pegnatories cannot sign arbitrary transactions to falsify peg-outs.

Simplicity. Most other bridges rely on a single all-encompassing cryptographic protocol that solves a multi-party custody problem in an intricate way. These complex cryptographic protocols are delicate and very few entities can audit them thoroughly. Often these types of protocols become compromised, resulting in a sudden loss of security for users. RSK protocol is simple, yet it provides advanced features, such as dynamic reconfiguration of pegnatories (a process called “migration”).

Capital Efficiency. Recent 2-way peg designs focus on crypto-economic incentives that take advantage of high collateralization in a new token. However, using a different token for the core sidechain functionality is not aligned with Bitcoin values and, even worse, these protocols are highly inefficient regarding capital allocation. RSK peg does not require collateral, and while some view this as a drawback, the absence of locked capital makes the Powpeg predictably secure and long-term sustainable.

Incentivized. The RSK Powpeg members are incentivized to participate by receiving a small portion of RSK transaction fees that is automatically channeled to them. While the protocol does not reward liveness, pegnatories and the community monitor the blockchain and can detect anomalies resulting from pegnatories going offline, or emitting erroneous messages.

Secured by Specialized Hardware. A PowHSM is an external tamper-proof device that creates and protects one of the private keys required for the Bitcoin multi-signature protocol, only signing transactions proven valid by enough cumulative work. The Powpeg node is designed to have maximal connectivity and to communicate information about the RSK blockchain, specifically cumulative work, to the PowHSM.

HSM Follows RSK SPV-Consensus. The latest version of the PowHSM validates RSK consensus in SPV mode. Therefore the devices follow the miner’s majority hashrate, preventing arbitrary signing. While some pegnatories have not yet upgraded to this version, the majority of pegnatories has.

Time-delayed Lock. Under the assumption that most existent Bitcoin ASICs are online, proof of work is actually proof of time elapsed. Not only do PowHSMs validate consensus; the cumulative work required by the PowHSM also works as a forced time delay for any attack, the same as in most secure banking vaults.

Nakamoto coefficient. The Nakamoto coefficient can also be applied to the number of PowHSM devices that an attacker would need to hack to perform an unauthorized peg-out. Currently 7 PowHSMs need to be compromised, because each PowHSM stores a unique key and no pegnatory holds more than one device. This provides greater security than WBTC, where only 2 keys are required to mint or burn tokens, and both keys belong to a single custodian. While BitGo is a renowned company and it has very high operational security, two factors make RBTC more secure than WBTC. First, BitGo is a single entity in a single jurisdiction, so BitGo obeys a single government authority. Confiscation and censorship are potential risks. RSK pegnatories are located in different jurisdictions, so no single authoritarian government can try to seize the bitcoins. Second, the PowHSM security is highly independent of the pegnatory security: even if the pegnatory is hacked, the key in the PowHSM will be secured.

Transparent Coordination and Auditability. The whole peg-in, peg-out and migration processes are transparent and use the RSK blockchain for broadcasting, leaving a clear audit trail. No message is secretly communicated between pegnatories. This puts the RSK community at the same level as pegnatories and miners, preventing any insider information regarding the correct functioning of the peg from being used for profit.

Guarded 24/7. The peg is guarded 24/7 by the Armadillo fork-monitoring tool, mentioned earlier. The tool, which is periodically enhanced, can be downloaded and run by anyone in the community. In case of any blockchain reorg attempt, pegnatories are notified and the peg can be momentarily paused, with objective evidence of an ongoing attack, and not by rumors.

Censorship-resistance. RSK uses SPV (Simple Payment Verification) mode to check peg-ins. Any user can notify a peg-in transaction, and therefore the Powpeg is not needed for peg-ins. In the case of peg-outs, the Powpeg provides high selective censorship prevention, which means that pegnatories cannot censor individual transactions.

HSM Firmware attestation. The PowHSM devices support attestation. An attestation is a message signed by the device that proves the firmware running on the device corresponds to a specific binary. The device signs messages with a private key generated during manufacturing, and the associated device public key is signed by the manufacturer’s root key, creating a certificate. The attestation, together with the manufacturer’s root public key, the certificate and the source code that can be deterministically compiled into the signed binary code, provides the elements to verify the correctness of the firmware running on the device. Currently PowHSMs produce attestations on first-time key generation during installation, so that the remaining pegnatories are assured the emitted public key was created (and is protected by) the correct firmware. Soon, the device will also support periodic attestations published in the blockchain, so that anyone can perform the same verification procedure.
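
The verification procedure described above, as an added Go example (not PowHSM or RSK project code). Ed25519 and SHA-256 stand in for the device's actual signature and hash schemes, which the page does not specify; the `Attestation` layout, the function names and the sample data are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Attestation is an assumed bundle layout; the page names the parts, not the encoding.
type Attestation struct {
	DevicePub    ed25519.PublicKey // device key generated during manufacturing
	CertSig      []byte            // certificate: root signature over DevicePub
	FirmwareHash [32]byte          // firmware hash reported by the device
	PegPub       []byte            // public key emitted at first-time key generation
	DeviceSig    []byte            // device signature over FirmwareHash || PegPub
}

// VerifyAttestation walks the chain: root key -> device key -> attestation -> rebuilt binary.
func VerifyAttestation(root ed25519.PublicKey, a Attestation, rebuilt []byte) error {
	// ed25519.Verify panics on wrong-sized keys, so reject them first.
	if len(root) != ed25519.PublicKeySize || len(a.DevicePub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if !ed25519.Verify(root, a.DevicePub, a.CertSig) {
		return errors.New("certificate: device key not signed by manufacturer root")
	}
	msg := append(append([]byte{}, a.FirmwareHash[:]...), a.PegPub...)
	if !ed25519.Verify(a.DevicePub, msg, a.DeviceSig) {
		return errors.New("attestation: not signed by the certified device key")
	}
	// The verifier compiles the published source deterministically and hashes the result.
	if sha256.Sum256(rebuilt) != a.FirmwareHash {
		return errors.New("firmware: attested hash differs from the reproducible build")
	}
	return nil
}

// SampleAttestation builds constructed test data from fixed seeds (not real device output).
func SampleAttestation(firmware []byte) (ed25519.PublicKey, Attestation) {
	rootKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
	devKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, ed25519.SeedSize))
	devPub := devKey.Public().(ed25519.PublicKey)
	a := Attestation{
		DevicePub:    devPub,
		CertSig:      ed25519.Sign(rootKey, devPub),
		FirmwareHash: sha256.Sum256(firmware),
		PegPub:       []byte("constructed-peg-public-key"),
	}
	a.DeviceSig = ed25519.Sign(devKey, append(append([]byte{}, a.FirmwareHash[:]...), a.PegPub...))
	return rootKey.Public().(ed25519.PublicKey), a
}

func main() {
	fw := []byte("constructed firmware image")
	root, att := SampleAttestation(fw)
	fmt.Println("genuine build: ", VerifyAttestation(root, att, fw))
	fmt.Println("modified build:", VerifyAttestation(root, att, append(fw, 0x00)))
}
```

Binding the emitted public key into the signed message is what lets the other pegnatories conclude that this specific key was produced under the attested firmware; a signature over the firmware hash alone would not tie the two together.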

“Slow” by Default. RSK peg-ins require 100 Bitcoin confirmations, and peg-outs require approximately 200 Bitcoin confirmations (4000 RSK confirmations). This ensures that the attacker will not be motivated to revert Bitcoin or RSK to double-spend funds of the peg. While 100 Bitcoin confirmations may look excessive, these figures are in fact required for the highest security today and for the future where Bitcoin subsidy is lowered. Other bridges that accept only a few confirmations are risky and have not performed the correct risk assessment to support millions of dollars in transfers. Even if there is no documented attack on a bridge based on a blockchain reorg, we think this could happen any time. To provide fast peg-ins and peg-outs while remaining secure, the Powpeg provides alternate transfer methods, atomic swaps and a repayment protocol called Flyover.

Decentralized Onchain Oracle. As a byproduct of having an SPV node in consensus, the Bridge serves as a Bitcoin blockchain oracle. It exposes the Bitcoin blockchain to RSK smart-contracts. While the oracle is not directly related to Powpeg security, it enhances the security of swaps, and therefore faster peg-ins and peg-outs can be accomplished.

Trustless Repayments. The Flyover functionality in RSK bridge allows fast peg-ins and fast peg-outs based on trustless third party liquidity providers. Flyover peg-in addresses can be associated with individual EOAs or contracts in RSK, but are still controlled by the Powpeg. This provides a secure peg-in shortcut to avoid waiting 100 confirmations.

Summary

Blockchain security cannot be measured by a single number such as hashrate or staked coins. Security emerges from the way blockchain components are designed and combined, and also from the many processes involved in blockchain development. RSK stands out for showing a high security standard for guarding bitcoins, in which many other blockchains and bridges have obstreperously failed. Security is not black and white, and every protocol can potentially fail (the reader is encouraged to perform his own research!), but failure probability is highly uneven over the blockchains in the crypto ecosystem. We believe RSK is currently one of the most secure DeFi platforms for holding bitcoins. The RSK community keeps working nonstop to improve RSK security, so it is one day regarded as the Fort Knox of Bitcoin.

--

Sergio Demian Lerner
RootstockLabs: Research & Technology

Cryptocurrency Security Consultant. Head of Innovation at IOV Labs. Designer of the RSK sidechain (https://rsk.co)