Tellor Security 201
The Tellor oracle is a decentralized network of miners dedicated to providing data to the Ethereum network. Having been live for over a year now, with several upgrades, Tellor has become quite the robust system, consistently driving towards decentralization and security. This article should give you a good understanding of the current crypto-economic guarantees underlying the system and even the best ways to attack it and how much it will cost.
A Primer On Blockchain Security
Among the best projects in the cryptosphere, security isn’t defined by a single feature or one line of code, but by an aggregate of several attributes that prevent any potential misuse of the network and any tangential attack vectors. Before we jump into Tellor’s system, we’re going to clarify some pieces about blockchain security in general, notably the Ethereum network we’re built on, so we can clearly differentiate between attacks on Tellor vs attacks on Ethereum, both of which would shut down Tellor.
Lack of Finality
Ethereum isn’t fast. It’s faster than Bitcoin, but the time the network needs to reach consensus on its state is not the same thing as the blocktime. According to the Ethereum white paper, 7 confirmations should be enough to confirm a transaction (about 2 minutes), but exchanges and others who want to be really sure often wait for over 30 confirmations! This means that if you have an application that needs to run in real time on Ethereum and make updates according to changes in state, you’re opening yourself up to more attack vectors and in the long run will probably have a bad time. It’s just a piece of reality that we need to acknowledge more, especially in DeFi. Things just take time, and if you want to work on a distributed consensus network, you will have to be patient.
This is important for oracles because speed is always a concern. People want the price of X and they want it very quickly. The problem is that even a centralized oracle’s value won’t be “finalized” to the off-chain viewer until well after real time. As we’ll see with Tellor and with Ethereum, security and time cannot be separated. There hasn’t been a solution to the “scalability trilemma”, and making a secure and decentralized system means sacrificing speed.
The dreaded 51% attack
As a quick review, a 51% attack occurs when a miner or group of miners controlling more than 50% of the network’s mining hash rate abuses the network by:
1. Preventing new transactions
2. Reversing old transactions
3. Adding new transactions that aren’t valid (e.g. printing Ether)
Basically, the cost of a 51% attack is the cost to mine every block for a certain period of time; this is why it is measured in dollars/time, or cost to break for 1h, 1 day, etc. This is critical for oracles (or any smart contract on Ethereum), because mining every block on Ethereum doesn’t always lead to reversions or forks. The more nefarious attack for a system is simply not allowing certain transactions to go through, namely price updates or calls to our oracle contract. The reason it’s so dangerous is that Ethereum as a whole would still function; your app would just be inaccessible and stale. This means that no matter how secure your on-chain oracle is, if someone mines every block on Ethereum, they can prevent you from updating your oracle.
If you had to guess how much it would cost to successfully perform a 51% attack on Bitcoin today, you’re probably thinking some ridiculous amount. This is, however, not the case at all. In fact, relatively speaking, it’s quite cheap to perform a 51% attack on Bitcoin. For most protocols that are built on top of layer 1 protocols, such as Bitcoin or Ethereum, you can actually come up with an estimated cost to successfully attack that protocol based on several factors, including market cap, hash rate, miner costs, block time, etc. For example, the cost to successfully conduct a 51% attack on Bitcoin’s network for one hour (or 6 blocks) in August of 2020 is about $700,000. This is with a market cap of $213 Billion, making the cost 0.253% of the market cap to break Bitcoin. If you want to look at the estimated cost to break other protocols, you can visit Crypto51’s website for more information. To save you the trip, the cost to break ETH is $270,000, and the cost to break BSV for an hour is a mere $7,000 (don’t tell Craig Wright). So if you have a smart contract on Ethereum that needs a price update within 5 minutes, it only costs someone $22k to guarantee that you don’t get an update.
There are three ways to break Tellor:
- Break Ethereum or prevent contract calls to Tellor
- Vote an incorrect disputed value as correct
- Stall the Tellor system so it becomes unusable for customer needs (by disputing all values or by mining bad values)
The first avenue has been explored thoroughly, but the second and third paths to successfully attack and break the Tellor oracle are determined by several factors:
- P = Price of Tellor TRB tokens (assume USD)
- MC = Market Cap of Tellor
- Average time in between blocks in the Tellor system.
- SA = Staking amount for mining (currently 500 TRB)
- VS = Voting Share of honest tokens
- CTB = Cost-to-Break
Cost to Break a Tellor Vote
For the vote, it is simple to calculate the CTB of a single vote:
CTB = VS * MC
This means that if you buy up enough votes to 51% attack the voting system, you can successfully break Tellor. This is why community is everything for Tellor. It’s very important for the system to have a high percentage of its community voting in order to stave off parties trying to vote bad values through. Unfortunately for an attacker, though, even breaking a simple vote doesn’t break Tellor; Tellor has the caveat of multiple dispute rounds. This means that if a vote goes the way of an attacker, any participant can pay to dispute the vote. This process goes on ad infinitum, as the system will need to repeatedly vote and hopefully get more and more votes to beat the attacker. In this way, the only way that a party will be able to actually break Tellor is if they gain 51% of the tokens in the Tellor system.
CTB = 51% * MC
With Tellor’s current MC of around $40M, it becomes obvious that mining every block on Ethereum to prevent calls to the Tellor contract is by far the cheaper option.
Cost to Stall Tellor — Mining Bad Values
Stalling the Tellor system therefore becomes the most viable attack vector. Similar to breaking BTC or ETH, the cost to break Tellor is measured in time, so CTB/hr or CTB/day. If a user requires a query every 10 minutes, a party will just need to break (or stall) Tellor for 10 minutes and then they succeed in the attack. Education of users on waiting for several confirmations is key to preventing a stalling attack. Just as building things that should be realtime on Ethereum is a bad idea, it’s also a bad idea on Tellor, so making sure that projects build the right kind of projects for utilizing Tellor (and Ethereum) is the first and probably most important security measure we can take.
Here’s how we calculate the cost to break Tellor for one block. The POW value is minimal; it’s the staking (and the value of the TRB token) that gives the Tellor Oracle network its real security. The formula is simple.
CTB/ TRB Block = Cost of POW + Cost of staking
Cost of POW = The costs of electricity, ASIC miner operation, Ethereum gas prices, etc. It’s minimal compared to staking costs (which is why staking is such an important security feature).
Since you will need to stake the miners, and putting a bad value on chain will get you disputed, any cost to stall Tellor here is determined mainly by the cost to stake 3 times per block (you need 3 of the 5 miners to get a recorded value in the block).
Cost of Staking /block = Staking Requirement x 3 x P
An important concept to note is that faster blocktimes on Tellor actually mean increased security. Currently Tellor is at 5 minute blocks, down from 10 minutes a few months ago, and we plan to go faster in the future. Similar to block times on Layer 1 chains, faster blocktimes come with tradeoffs. Less inflationary reward per block means that pushing on-chain (which costs gas) needs to be covered by more tips (i.e. it is more expensive for users). Longer blocktimes also lead to fewer miner race conditions and promote better use of the Tellor oracle in general, considering the chain we’re built on. Scarcity in the slots also adds necessary pieces for the token of Tellor to really work and creates a smaller sample of data points which miners must track and validate.
Cost to Stall Tellor — Disputing All Values
The other option to stall Tellor is to simply dispute every block. The current cost to dispute is determined by the number of miners in Tellor (the fee increases if there are fewer miners, as we don’t want people disputing all of them to shut down the system):
MT = Miner Target (target number of miners) is currently set to 200
SM = staked miners
Dispute fee = max((MT - min(200, SM)) / MT * SA, 15)
So in plain English, the cost to dispute is the stake amount, but it goes down with each new staked miner (down by 2.5 TRB) until it costs only 15 TRB. Currently, with ~50 staked miners (SM), it is around 75% of the SA.
Each dispute is only 15 TRB, but the cost to dispute is more for the median value (it is equal to the stake amount). In addition, it is multiplied by the number of open disputes for that requestID.
This means that the cost to dispute the main ID is:
Dispute Cost = SA * number of blocks disputed for this request ID
So over time, it’s:
CTB = SA * Price * n(n+1)/2
Where n = number of blocks disputed for this request ID
Now that we have our formulas, let’s look at the results with a $20 price:
- Break Ethereum or prevent contract calls to Tellor
Cost to 51% attack - rewards (you are censoring, nothing that would require a fork) = $517,000 / hr (https://www.crypto51.app/) - $290,000 / hr (https://bitinfocharts.com/ethereum/) = $227,000 / hr
- Dispute a value and properly vote it as correct
51% * Market Cap = 51% * $30,000,000 = $15,000,000
- Stall the Tellor system — by disputing all values
SA * number of blocks disputed for this request ID = 500 * $20 * (12(12+1)/2) = $780,000 / hr
- Stall the Tellor system — by mining bad values
SA x 3 x P x blocks in an hour = 500 * 3 * $20 * 12 = $360,000 / hr
So it costs a lot to break Tellor. If you’re actually talking about getting bad values on chain, it’s going to cost you in the tens of millions of dollars to break the voting and will cost you $360,000 / hr to mine bad values to put on chain. The cheapest way to hurt the system would be to just mine every block on Ethereum and prevent calls to Tellor, a nefarious attack, but one which Tellor and any other smart contract is unfortunately subject to. The Tellor network is secure for participants who use the lack of finality in the system properly, and who allow for disputes to settle and for proper wait time (or confirmations) between reports if the system comes under attack. The best way to protect your protocol is by acknowledging its vulnerabilities and adding processes to mitigate risks. A good design and transparent, measurable security of its own and third party components are only a few of the key items to consider.
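The formulas above can be put into a small model that a data consumer can use to size its wait time. This is an added example, not Tellor contract code: the function names and the `blocks_to_wait` helper are hypothetical, the constants are the article's figures, and the dispute fee follows the plain-English description (2.5 TRB less per staked miner, with a 15 TRB floor).

```python
# Added illustration of the article's cost formulas; not Tellor contract code.
SA = 500                       # staking amount, TRB (article)
MT = 200                       # miner target (article)
MIN_FEE = 15                   # dispute fee floor, TRB (article)
BLOCKS_PER_HOUR = 12           # 5-minute Tellor blocks (article)
ETH_CENSOR_PER_HOUR = 227_000  # USD/hr, the article's net 51% figure

def dispute_fee_trb(staked_miners):
    """Fee drops SA/MT (2.5 TRB) per staked miner until the 15 TRB floor."""
    return max((MT - min(MT, staked_miners)) / MT * SA, MIN_FEE)

def cost_dispute_all(price, n):
    """USD to dispute n blocks of one request ID: SA * P * n(n+1)/2."""
    return SA * price * n * (n + 1) / 2

def cost_mine_bad(price, n):
    """USD staked to put bad values in n blocks: SA * 3 * P * n."""
    return SA * 3 * price * n

def cost_censor_ethereum(n):
    """USD to keep Tellor calls out of Ethereum for n Tellor blocks."""
    return ETH_CENSOR_PER_HOUR * n / BLOCKS_PER_HOUR

def cheapest_stall(price, n):
    """Return (path, usd) for the cheapest way to stall n Tellor blocks."""
    paths = {
        "dispute all values": cost_dispute_all(price, n),
        "mine bad values": cost_mine_bad(price, n),
        "censor Ethereum": cost_censor_ethereum(n),
    }
    path = min(paths, key=paths.get)
    return path, paths[path]

def blocks_to_wait(price, value_at_risk):
    """Hypothetical sizing helper: smallest n where stalling n blocks
    costs at least value_at_risk USD."""
    n = 1
    while cheapest_stall(price, n)[1] < value_at_risk:
        n += 1
    return n

if __name__ == "__main__":
    for n in (1, 3, 12):
        print(n, cheapest_stall(20, n))
    print("blocks to wait for $100k at risk:", blocks_to_wait(20, 100_000))
```

At a $20 price the model shows that disputing is the cheapest stall for windows of one or two blocks, after which censoring Ethereum is cheaper, so a consumer's tolerated staleness window should be sized against the cheapest path rather than any single formula.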
If you need data in your smart contracts and you’re thinking about using Tellor, reach out and we’d be happy to discuss the pros and cons as well as the necessary steps to building a robust data feed for your system.