Cerberus Proposal #9
Exploring governance-based chain attacks on small crypto ecosystems.
June 29, 2022
Moultrie Audits has historically opposed governance proposals that expand immature validator sets. We voted "No" on proposal #14 because most validators in the inactive set were likely unprepared to activate and had essentially no stake, and we doubted that the change would decentralize the voting power distribution among the validator set. Add to this that increasing the validator set decreases efficiency, and it made little sense to us to bump the validator set at Akash's level of maturity. If you extend the logic of those who wish to expand validator sets on Cosmos SDK chains when the inactive validators who would activate hold no stake, then the set could be expanded to the size of the entire inactive set, say 175. Since the prevote wouldn't change, and jailing is essentially meaningless in the short term, we don't see why the pro-increase argument fundamentally changes at these higher levels.
We documented the effects of proposal #14 on the Akash Network in this blog post and updated it again 5 months later. Our suspicions were borne out: many validators were immediately jailed and ultimately exited the chain. This was a good demonstration of the resiliency of Tendermint consensus, as the chain was entirely unaffected. We also found that the voting power distribution did not change after two weeks, or after 5 months, relative to the period tested before the proposal took effect.
However, in spite of this data, I am reconsidering this position after observing Cerberus's Proposal #9. I think this was a fair proposal; validators feel rightful obligations to their delegators to not abandon projects, but if the community came together and decided to call it, I think it is a good way to end the project as opposed to a slow withdrawal where resources dwindle away. It did make me reconsider attack vectors on smaller PoS chains though.
In PoS, market cap is commonly compared to PoW's hashrate. What protects against 51% attacks is the large financial outlay it would take to purchase half the market cap of a project (~70 billion for Ethereum), and the upward price pressure from such buying would continuously raise the market cap along the way. Sidenote: this is an underappreciated benefit of staking; there is a smaller liquid supply to purchase, which could raise the price faster in periods of intense buy pressure and limits the ability to purchase over 50% of the supply. Besides the obviously low market caps of many SDK projects, what Cerberus elucidates is the threat of buying off validators. To be clear, I am NOT saying this is what happened with Cerberus. The situation merely prompted me to consider this attack vector.
Since validator commission is relatively small (0-10%), and the commission is paid largely out of inflation, the average validator is probably not reaping massive profits on any single chain, especially in bear markets. In other words, there is an asymmetry between validators' voting power (the total amount of crypto staked to them) and their own economic investment, which is a fraction of that voting power. This is self-evident, but it means that validators could be bribed to vote "Yes" on a proposal to shut down a chain, like Proposal #9, and doing so could easily be in their best economic interest. Governments intent on destroying a Cosmos SDK chain wouldn't have to buy half the supply; they'd merely need to pay validators enough to make them vote "Yes".
The bribe amount will obviously differ depending on the moral compass of the validator. Many people will say that such an action would kill the reputation of the validator and ruin them across chains. I agree, but the reality of anonymous validators should be recognized, as well as the ease of simply changing one's name on chain and restarting the validating infrastructure. Once again, we support the ability for anyone to become a validator (permissionless entry), though the risks must be mentioned.
What expanding the validator set could do is increase the coordination needed to shut down a chain. The counterargument to the counterargument of our argument is our argument, which is a fun way to say that since the Akash prevote and the top 5%, 25%, and 50% power distribution levels didn't change as a result of increasing the validator set, there actually wouldn't be more coordination needed to reach the threshold for a successful shutdown through a governance proposal. Alternatively, it might be easier to bribe newer, less well-known, and less financially secure validators.
Take Akash Network as an example. Currently ~74% of the supply is bonded and the top 10 validators (out of 100) control over 50% of the stake. The combined self-bonded value of these top 10 validators is 4,627,241 $AKT, or $1,091,593. This means that someone would need only about $1.1 million to offer a bribe that would benefit these validators economically in the short term. Trust is essentially the main barrier preventing this, but that is a poor thing to rely on. There are historical examples of validators exploiting bugs in a chain, and during bear markets, when companies might go under while holding sinking bags, ethics may slip.
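The arithmetic in the paragraph above, together with the earlier point that a validator's own economic stake is only a fraction of its voting power, can be turned into a reusable exposure metric that a chain community can recompute as the validator set changes. The following is an added example and is not code from the original post or from Moultrie Audits. The validator set and the token price are constructed assumptions (the price is chosen so that it roughly matches the post's $AKT figures), and the governance threshold is modelled, as the post does, as a share of total bonded voting power. The second function goes beyond the post's top-10 view: it searches for the threshold-crossing coalition with the least operator-owned value at risk, which is the concern raised in the previous paragraph about lower-ranked, less financially secure validators.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional


@dataclass(frozen=True)
class Validator:
    name: str
    voting_power: int  # tokens bonded to this validator (delegations plus self-bond)
    self_bond: int     # tokens the operator itself has at stake


# Constructed sample set, not real Akash validators. Voting power is concentrated
# at the top and self-bond is a small slice of it; a few operators (val-04, val-06,
# val-08, val-10, val-12) have almost nothing of their own at risk despite holding
# sizeable delegated power.
SAMPLE_SET: List[Validator] = [
    Validator("val-01", 1_000_000, 100_000),
    Validator("val-02", 900_000, 90_000),
    Validator("val-03", 800_000, 80_000),
    Validator("val-04", 700_000, 5_000),
    Validator("val-05", 600_000, 60_000),
    Validator("val-06", 500_000, 2_000),
    Validator("val-07", 400_000, 40_000),
    Validator("val-08", 300_000, 1_000),
    Validator("val-09", 260_000, 26_000),
    Validator("val-10", 200_000, 500),
    Validator("val-11", 150_000, 15_000),
    Validator("val-12", 100_000, 100),
]

# Assumed token price in USD; the post's 4,627,241 AKT = $1,091,593 implies ~0.236.
PRICE_USD = 0.2359


def total_power(validators: List[Validator]) -> int:
    return sum(v.voting_power for v in validators)


def coalition_cost(coalition) -> int:
    """Combined self-bond of a coalition: the operator-owned value that voting
    against the chain's interest would put at risk."""
    return sum(v.self_bond for v in coalition)


def fewest_validators(validators: List[Validator], threshold: float = 0.5) -> Optional[List[Validator]]:
    """Largest-first greedy: the smallest number of validators whose combined
    voting power strictly exceeds `threshold` of total bonded power. This is the
    'top N control over half the stake' view used in the post."""
    needed = total_power(validators) * threshold
    chosen, acc = [], 0
    for v in sorted(validators, key=lambda v: v.voting_power, reverse=True):
        chosen.append(v)
        acc += v.voting_power
        if acc > needed:
            return chosen
    return None  # threshold unreachable (cannot happen for threshold < 1)


def cheapest_coalition(validators: List[Validator], threshold: float = 0.5) -> Optional[List[Validator]]:
    """Exhaustive subset search (fine for a dozen validators): the coalition that
    crosses the threshold while exposing the least combined self-bond. A larger
    set would need a knapsack-style DP instead of enumerating 2^n subsets."""
    needed = total_power(validators) * threshold
    best = None
    for r in range(1, len(validators) + 1):
        for combo in combinations(validators, r):
            if sum(v.voting_power for v in combo) > needed:
                if best is None or coalition_cost(combo) < coalition_cost(best):
                    best = combo
    return list(best) if best is not None else None


def exposure_usd(coalition, price: float = PRICE_USD) -> float:
    """Dollar value of the self-bond a coalition would be putting at risk."""
    return round(coalition_cost(coalition) * price, 2)


if __name__ == "__main__":
    top = fewest_validators(SAMPLE_SET)
    cheap = cheapest_coalition(SAMPLE_SET)
    print("largest-first:", [v.name for v in top], coalition_cost(top), "tokens")
    print("cheapest:     ", [v.name for v in cheap], coalition_cost(cheap), "tokens",
          f"(~${exposure_usd(cheap):,.2f})")
```

On the constructed set the largest-first coalition is the top four validators with 275,000 tokens of self-bond at risk, while the cheapest threshold-crossing coalition exposes only 124,600 tokens (about $29,393 at the assumed price) and consists mostly of lower-ranked operators with thin self-bonds. Real inputs would come from the chain's staking module (bonded tokens and self-delegation per validator); the gap between the two numbers is the figure worth tracking when a community debates whether enlarging the validator set raises or lowers the coordination cost of a hostile proposal.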
This was a stream of thought that I found potentially valuable as a discussion point about the risks of chain attacks from wealthy actors (cough *governments*) via governance proposals, and whether expanding validator sets would abate or increase that risk.