On Discouragement Attacks
Vitalik Buterin just wrote an important paper. It matters because it addresses the fundamental economic nature of attacks on blockchains, and specifically that the cheapest way to attack a POW or POS blockchain is to undermine its incentive structure. Attackers can do this without losing a cent simply by investing to drive the expected mining or staking rewards to zero, discouraging profit-oriented miners and stakers from participating in securing the network. Vitalik calls this the “discouragement attack”.
The attack is serious because there is no defense against it. And why should there be? From a technical perspective “discouragement attacks” aren’t attacks at all: proof-of-stake networks cannot differentiate between someone who is spending money to attack the network and someone who is spending money to defend it. Perhaps someone willing to stake at low reward is simply an efficient provider of network security? And how can a consensus algorithm make decisions about the motives of stakers when that falls outside the scope of an algorithm?
This inability to discriminate between attackers and honest peers in POS and POW prevents the deployment of the solution: market-driven defences. Once it is possible for a blockchain to discriminate between honest and dishonest behaviour, networks can be secured against these attacks through normal market mechanisms that increase the cost of attacks as they happen. In a proof-of-stake network this could be done by forcing attackers to stake an ever-increasing pool of money in order to get the same return (i.e. increasing the cost of the attack) or by allocating more profit to honest nodes to keep them from abandoning the chain. Effectively implemented, market-driven mechanisms could bankrupt even a state-level actor before they ‘win’. So why it is impossible to deploy them in classic proof-of-work and proof-of-stake?
Examined closely, the major issue is the inability of POW and POS mechanisms to differentiate between “valuable” and “hostile” work. The reason for this is that staking and mining systems have no social constraints on investing funds in supporting the network. This makes the costs of mining or staking fixed.
How can we avoid this problem? Saito’s solution is to ensure the cost of producing a block fluctuates depending on the degree of support a node receives from the rest of the network. In other networks this would require introducing heuristics that would open attacks on the payment mechanism. In the case of Saito this mechanism is safe as the work measured by Saito is a derivative of the volume of transaction fees gathered from other nodes. This decentralises the security mechanism by providing a method for the players in the network who can discriminate between honest nodes and attackers (i.e. the other participants in the network) to respond organically to attacks. In Saito this is done through two critical mechanisms that do not exist in first-generation blockchains. (How this is done is covered in detail in the Saito Whitepaper, here we proceed taking Saito’s consensus mechanism as given.)
The first mechanism is the routing network, which is incentivized to weaponize itself against attackers but not honest nodes. One aspect of the Saito network that many newcomers miss is that the decision of a node to pass transactions to another node constitutes a vote of confidence that rewards the receiving node with a fraction of additional income. When the network comes under any attack that threatens to disrupt normal operations and imperil the profitability of running the network, the sensible strategy for routing nodes is to stop routing transactions to attackers. By cutting off the flow of “measured work” to hostile peers, Saito denies attackers the resources needed to produce blocks. At the same time, cutting off attackers from the lifeblood of the network lowers the cost of block production for honest nodes as the same “work” attackers could previously use is now available for honest nodes elsewhere. This mechanism can be theoretically used with other forms of distributed work (such as delegated POW (i.e. “hashcash“) although those systems have some critical limitations that Saito fixes. The important point is that in this system “discouragement attacks” stop being dangerous, as attackers are now forced to outspend the entire rest of the network to sustain an attack on it. This provides a far greater level of security than simply requiring attackers to commandeer a 51% share of hashing or staking.
The second mechanism that Saito uses to eliminate “discouragement attacks” is enabled by Saito’s use of cryptographic signatures to assign “work” only to the specific nodes that have done it. This is a critical step forward for network security, as it allows honest nodes to move “work” from orphaned blocks back onto the main chain. The fact that “work” (transactions) is not locked into orphaned blocks means that attackers who wish to overwhelm the network and censor their peers must keep up an unending stream of blocks (and pay the deadweight loss Saito imposes on them as the cost of each block produced) simply in order to keep their peers from accepting their blocks and moving all censored transactions to the end of their chain. In practice, this means they must increase the amount they are spending with each block to continuously out-balance the growing mass of “work” (i.e. honest transactions) generated by the honest nodes who are threatening to simply move censored transactions to the end of their chain. Not matter how fast attackers run in Saito, they must always run faster than the rest of the network and are guaranteed to eventually die of exhaustion.
Advanced blockchain developers who study the mechanisms Saito introduces will come to recognize a multitude of other market-driven mechanisms that build on these dynamics and provide even more defenses that are simply not possible in POW and POS networks. One of the more interesting dynamics is the way the manipulation of paysplit by participants in a threatened chain (typically by increasing the payout to miners, but sometimes by reducing it) can not only increase the deadweight loss that attackers face when producing blocks, but also speed up block production by increasing the amount of fees that honest network participants are willing to pay for transactions on their preferred chain. By choosing to sacrifice their own long-term revenue for a short-term boost in mining support, full-nodes that vote to increase paysplit can increase the pace of block production in real time. The interplay Saito’s pricing mechanisms enable between routing nodes and miners allows a more dynamic pricing of risk and provides security in ways that can never be done by a POW or POS algorithm.
We recommend anyone interested in serious technical solutions to these underlying economic problems familiarize themselves with Saito’s security mechanism. Either way, it is important to read Vitalik’s piece. By admitting to the existence of these sorts of Achilles Heels on first generation blockchains, Vitalik is doing the entire blockchain community a service by opening a space for a discussion on how to solve these problems. We hope that our own work can help people realize that there are solutions available that can help blockchains like Ethereum and Bitcoin solve scaling problems by increasing rather than decreasing market forces within security mechanisms.