Bribery attacks and Dharma
Every week the Mosaic research team will delve into important topics within the cryptoasset space.
Cryptoeconomics: Bribery Attacks for Token-Curated Registries — Lanre Ige
Currently, Token-Curated Registries (TCRs) are susceptible to bribery attacks and this analysis will show how attackers can carry out attacks at zero cost in theory. TCRs have arguably been the most talked about topic in cryptoeconomics over the last few months. TCRs are registries of listings generated by token holders. Applicants stake a portion of tokens to add a listing. Token holders can vote on whether to accept or reject the listing using their tokens. A majority wins the vote and the listing is accepted or rejected. Listings can be anything from website URLs to information about specific token sales.
It is outside of the scope of this article to describe exactly how TCRs work; however, Mike Goldin’s article offers the best explanation. Moreover, the adChain and Messari white papers give specific examples of proposed TCR implementations. TokenEngineering.net also provides a great deal of resources about TCRs.
One interesting attack vector for TCRs are bribery attacks. In order to outline how a bribery attack could work, it is helpful to distinguish between a TCR’s different actors. To quote Mike Goldin:
There are three user types in a token-curated registry and each has different interests, incentives, and interaction patterns towards the registry. Consumers desire high-quality lists. Candidates desire to be included in such lists. Token holders desire to increase the price of the tokens they hold.
At a high-level, a generic TCR works as follows (as described by Ainsley Sutherland):
- A candidate submits an entry to the TCR alongside a deposit
- A token-holder can challenge the applicant’s listing by staking an amount of tokens equal to the candidates deposit
- If the listing is challenged then token holders vote on whether said listing should remain on the registry
- Vote is typically a simple majority vote: ‘YES’ if the entry deserves to remain on the registry; ‘NO’ if the entry does not.
- If the Applicant wins then ‘YES’ voters split the challenger’s deposit
- If the Challenger wins then ‘NO’ voters split the applicant’s deposit
One potential problem for any TCR is that of bribery; listed or potentially listed projects may be incentivized to bribe token holders in order to: (1) keep competitors off of a given TCR; (2) guarantee that they themselves are added to a TCR; (3) undermine the quality of listings on a TCR. A bribery attack on a TCR is very similar to a P + epsilon attack — a theoretical bribery attack on a Schelling game vote — and can be analyzed in a similar way. Let’s assume that a user wants to submit a listing and therefore stakes Q amount of the TCR’s token. A challenger disputes the listing and commits a stake equal to Q to challenge it [1]. A majority vote is then held by all other token holders:
- If the challenger wins, the project is removed from the whitelist. The challenger’s stake is returned to them and they receive 50% of the lister’s stake. The remaining 50% is given to those that voted in proportion to the amount of tokens they used to vote.
- If the challenger loses, the project remains on the white list. 50% of the challenger’s stake is given to voters and 50% is given to the lister. (Alternatively, a challenger only stakes 50% of Q and all of their stake is given to voters)
The payoff for voters is exactly the same as the payoff for a SchellingCoin bribery attack as laid out by Vitalik Buterin. Let P be the payoff a generic voter would receive following a challenge; P would be 1/2Q multiplied by proportion of token votes the generic voter used in the particular listing challenge. The payoff is as follows:
The argument for SchellingCoin voting is that: if everyone expects everyone else to vote truthfully, then their incentive is to also vote truthfully in order to comply with the majority. With TCRs the situation is complicated by subjectivity, token holders aren’t voting on an objective truth like ‘the temperature in Alaska’, rather they are voting in accordance with the norms of the given TCR. For example, Messari will set out a certain standard they expect of listings which will act as the quasi-schelling point for voters. If the norms are well-defined enough, the argument follows that they’ll become common knowledge within the TCR and the dominant strategy will be to vote in accordance with them.
However, if a briber commits to pay out X to voters who vote ‘YES’ for a certain listing, where X = P + ε if the majority votes ‘NO’, and X = 0 if the majority votes ‘YES’, then the voter’s payoff looks like this:
It is a dominant strategy for everyone to vote ‘YES’ regardless of what one thinks the majority will do. Therefore, the majority will vote ‘YES’, assuming that the system does not contain a majority of voters with strong non-monetary motivations. In this example, the cost of a successful bribery attack is zero. Interestingly enough, ‘YES’ is still the dominant strategy even if a voter thinks that everyone else won’t take the attacker’s bribe.
Generally speaking, the feasibility of a bribery attack on a TCR depends on two factors:
- The cost to and the benefit of an attacker of carrying out the bribe
- Token holders’ ability to prove that they voted a certain way and an attacker’s ability to credibly commit to paying bribes to compliant voters
Economics of bribery attacks
While a successful attacker does not actually have to pay a bribe, there is the risk of the bribe attack failing to convince the majority of voters. In such a case, the attacker would have to pay out a large sum of money [(P¹+ε)+(P²+ε)+… +(P^(n)+ε)] where n is the number of bribed voters. One strategy (used by Paul Storcz in his Truthcoin white paper) to prevent bribery is to build a mechanism which increases the funds at stake based off how contentious the vote was during a challenge.
Under this model, voters have to put down deposits to vote also. During the majority vote, when slightly over 50% of votes are in favor of one outcome and slightly less than 50% in favor of the other, the entire deposit is taken away from minority voters. As the voting result becomes less contentious, less of the deposit is taken away from minority voters. While bribery attacks are still possible under this model, it becomes increasingly expensive for an attacker to credibly commit. In general, the larger the required deposits become for TCR listings, the harder it becomes for a bribery attack to make economic sense. While successful bribery attacks are zero-cost, there may be large amounts of capital required to credibly commit to the bribes. Given that the marginal benefit of a single bribe for a single listing isn’t likely to be massive, bribery attacks may not be feasible on larger, more valuable TCRs (network values in the billions of dollars). As such, TCRs may be especially vulnerable as they first go live so it’ll be interesting to see whether this attack vector is attempting on new projects such as adChain.
Provable voting and credible commitment
The bribery attack depends on the ability of voters to prove that they voted a certain way and on the ability of the attacker to credibly commit to paying the bribe upon certain conditions. Currently, most TCR implementations do not try to prevent voters from proving to others that they voted a certain way. Ainsley Sutherland from Engima suggested the concept of secret voting to make provable voting impossible on a TCR. To quote Ainsley:
Secret contracts are smart contracts executed by a decentralized network but that do not reveal input data to the nodes executing the code.
Hypothetically, a secret voting contract could hold votes where the results could be trusted by users on the TCR without individual votes being revealed. A example Enigma secret contracts would encrypt a users vote with the public key of a Trusted Execution Environment (TEE). Following the voting period, the encrypted votes would be counted and tallied within the TEE. The vote result would then be return, but the individual votes would not. Since under this scheme no one can prove how they voted, it would be impossible for a bribed user to prove their vote — making bribes impossible.
It is outside the scope of this article to analyze Enigma’s approach and there have been other proposals for secret voting which do not involve TEEs. The key point is that it is plausible that voting schemes will develop over the coming years which make secret voting possible, and therefore making TCR bribery attacks unfeasible. To this date however, there has been limited work done around implementing secret voting schemes into TCRs and it is likely that some that go live over the next year will be susceptible to bribery attacks.
This article has shown TCRs’ susceptibility to zero-cost bribery attacks. It remains to be seen if the payoff to a attacker — in terms of getting their preferred listing on registry or polluting a given TCR — justifies the bribe capital they will have to credibly commit. We cannot understate the ability for project developers to use other non-cryptoeconomic mechanisms (i.e. simple reputation systems) to help prevent bribing and vote memeing.
____
[1] It’s important to note that different TCRs implement the challenge mechanism differently. For example, Messari only requires the challenger to stake 50% of P and the lister does not receive any compensation for a failed challenge.
Product: Dharma Protocol — Onboarding the World of Fiat to the Decentralized World — Jason Yannos
There isn’t a week that goes by in the world of cryptocurrency where debate surrounding what will drive mass adoption takes place. Many market participants speculate around the Store of Value thesis where either Bitcoin or a handful of cryptocurrencies will drive mass adoption and act as an onramp while others are strong proponents of the security token thesis where traditional forms of equity ownership will be tokenized and easily accessible.
It is still early days for this emerging industry and almost impossible to determine which thesis will drive mass adoption. With that said, it is clear that the majority of narratives today surrounding what will drive mass adoption are centered around use cases of financial technology.
Last week marked the official Mainnet launch of the Dharma Protocol on Ethereum. The Dharma protocol is a permissionless protocol for the tokenization of debt — issuing, underwriting, and administering all financial instruments related to debt. In the few days since the protocol went live, over twenty thousand dollars of tokenized debt has been issued, a very impressive amount for a short period of time.
Originally founded in 2017 by Nadav Hollander, Dharma received approximately $120,000 in seed funding from some of the most prominent backers in the crypto world ranging from Polychain Capital, Y Combinator, and Garry Tan.
Why is the launch of the Dharma Protocol and the upcoming tokenization of debt instruments so significant?
By removing ourselves from the dialogue surrounding the narratives of mass adoption today and objectively looking at the potential use cases through the lenses of current market sizes and mass use cases, we discover that the tokenization of debt is by far the largest market size today standing at approximately 100 trillion dollars. Both the store of value and the security tokenization theses pale in comparison — respectively representing market sizes of 2.4 trillion dollars (total market size for gold today) and 69 trillion dollars (total market size of all major equity indexes) (3).
Dharma Protocol and similar protocols aiming to tokenize debt instruments are going after a clear and defined societal use case, one that has been around since the creation of money and will continue to exist through its evolution. It is a well-known fact that although the world is abundant with capital, many still lack the appropriate mediums to access capital. The Dharma Protocol embodies the true definition of programmable money allowing anyone in the world to either lend or borrow capital, helping to create a truly decentralized and open financial network.
Imagine for a moment if the annual interest rate on your credit card spiralled to a whopping annual rate of 476%. Most credit card borrowers in the western world offer rates between 10–20%; however, borrowers in emerging markets like Brazil are often faced with such atrocious rates making it almost impossible to climb out of debt. With the ability to tokenize debt on the Dharma Protocol, a borrower who is struggling financially could potentially pay back their debt obligations through tokenizing their debt with a pool of lenders willing to lend at a much lower rate. This is indeed very powerful to many in need.
Key Risks
While the Dharma Protocol is very promising, the protocol is still in its infancy. At this current point in time, awareness for the project is desperately lacking, evident through its tiny online presence of approximately 5,000 followers on Twitter and 1,200 members in its Telegram group. Arguably only those most plugged into the blockchain industry know of the project. In order for the project to achieve its ambitious plans to act as a key payment rail in the decentralized web, it will have to bootstrap its marketing efforts and put its foot on the gas pedal to create awareness and inevitably adoption.
Conclusion
By removing the gatekeepers who currently determine the eligibility, amount, and interest rates charged to borrowers, we will move one step closer to truly fair debt markets and witness a re-pricing of various forms of debt. We will bank the unbanked and help individuals & families around the world thrive. It is still early days for the tokenization of debt instruments but the launch of the Dharma Protocol marks a significant step forward for the blockchain industry as a whole and the future of finance.
End of weekly research report
We hope you have enjoyed reading the Mosaic researchers’ weekly report and stay tuned to the next article. Click here to visit our website
This article is intended for informational purposes only. The views expressed herein are not and should not be construed as legal or investment advice or recommendations. Recipients of this article should do their own due diligence, considering their specific financial circumstances, investment objectives, and risk tolerance before investing. The individuals contributing to this article have positions in some or all of the assets discussed. This article is neither an offer, nor the solicitation of an offer, to buy or sell any of the assets mentioned herein.
