Rewrite slashing rates to mitigate a profitable attack involving 2 colluding validators
Summary
If a validator's self-owned stake is less than the stake delegated to them, then a profitable attack involving two colluding validators can take place. Thus, the slashing penalty calculation should be revisited.
Current Design
The slashing percentage is computed as the sum of the voting-power percentages of all keys reported as double-signing in the same accusation, with a minimum value of 2%. Slashing is applied proportionately to every party that had delegated to the offending validator V during the epoch in which the double-signing occurred.
The logic above can be observed in staking/slash/double-sign.go. The exact slashing rate is calculated in the Rate() function according to the voting power of the delegators and applied in the Apply() function, in lines 531 and 477 respectively. The slashing procedure is triggered in lines 334-340 of internal/chain/engine.go.
Problems
Consider a validator V who manages s units of stake split into two parts: sv (units owned by V) and sd (external stake delegated to V), so that s = sv + sd.
At some point, V performs a double-signing, which incurs a slashing percentage x. Therefore, x·s of V's stake is slashed, of which x·sv is owned by V and x·sd is owned by V's delegators.
Let V′ be the reporting party that publishes the proof of V's double-signing. V′ receives, as reporting reward, R = (x·s)/2 of the slashed stake.
Now, consider the case where V and V′ are colluding, so that the reporting reward R effectively accrues to V. If R is higher than V's own penalty x·sv, then V is incentivized to double-sign (as long as it is V′ who reports it and gets the reward). Since R = x·(sv + sd)/2, V is incentivized to perform the attack if the following holds: sd > sv.
Therefore, the attack is viable if the validator's self-owned stake is less than the stake delegated to them. As a result, via this attack, V incurs a loss of x·sd stake on their delegators and obtains a profit of x·(sv − sd/2).
The attack explained above is possible due to 2 main reasons:
- Slashing is applied both on the offending validator’s self-owned stake and the stake delegated to them, at exactly equal proportions.
- The reporter’s reward is exactly equal to 1/2 of the total slashed stake.
As of October 2021, all of Harmony's active validators satisfy the above inequality, i.e., no validator owns more stake than their aggregate delegated stake. Thus, in order to mitigate the attack described above, the end goal should be to make sure that the reward will never be larger than the slashing percentage x multiplied by the stake owned by V. In other words, the approach should make sure that the inequality R > x·sv never holds.
Proposal
- First, the reporting reward remains equal to 1/2 of the total slashed stake, while the other half is burnt.
- The amount of the validator's self-owned stake that should be slashed is 50% of the stake they owned during the epoch which pertains to the double-signing. In case the validator has undelegated a large part of their stake by the epoch of reporting and their stake is not enough to cover the amount that should be slashed, then 100% (of their stake at the reporting epoch) is slashed.
- The aggregate slashed stake of the delegators (during the epoch which pertains to the double-signing) is at most 80% of the leader's self-owned slashed stake. Note that the 80% rate is not applied on the nominal amount of the leader's slashed stake (that is, 50% of their stake during the double-signing epoch), but on the eventually slashed stake amount (which, due to undelegation after the double-signing, may be less than the nominal amount). Therefore, the leader can never gain from launching a colluding attack (i.e., penalizing their own delegators later).
To make the mechanism clear, here's an example:
A validator V owns 100 coins. Parties A, B, C delegate 100, 70, 30 coins respectively to V. We have the following scenarios, for a double-signing made by V regarding a slot in epoch e:
- The proof is published in epoch e; the slashed stake is as follows:
  - V: 50 coins
  - A: 20 coins
  - B: 14 coins
  - C: 6 coins
  This is because 80% of 50 coins is 40 coins = 20 + 14 + 6 coins, split among A, B, C in proportion to their delegations of 100:70:30.
- The proof is published in epoch e′ ≫ e, during which V controls 30 coins, A controls 100 coins, B, C control 6 coins. The slashed stake is as follows:
  - V: 30 coins
  - A: 12 coins
  - B: 6 coins
  - C: 3 coins
  In this case, V does not own 50 coins, hence the maximum slashing amount is 30 coins. As in the previous case, the delegators are slashed proportionally to an amount that sums to 80% of 30 coins, which is 24 coins.
Adopting the approach described above, the leader can never gain from launching a colluding attack (i.e., penalizing their own delegators later).
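The proposed rule and the collusion check from the Problems section, carried through on the two scenarios above, as an added example in Go (not Harmony's own slashing code). Assumptions: the delegators' 80% pool is split in proportion to their delegations at the double-signing epoch, and the names Delegation, Slash, CurrentNet and ProposedNet are illustrative.

```go
package main

import "fmt"

// Delegation is one delegator's stake with V at the double-signing epoch.
type Delegation struct {
	Name   string
	Amount float64
}
// Slash applies the proposed rule: V loses 50% of selfAtOffense, capped at
// selfAtReport; delegators together lose 80% of what V actually loses,
// split in proportion to their delegations (assumption, see lead-in).
func Slash(selfAtOffense, selfAtReport float64, dels []Delegation) (float64, map[string]float64) {
	validator := selfAtOffense / 2
	if validator > selfAtReport {
		validator = selfAtReport
	}
	pool := validator * 4 / 5 // 80% of the eventually slashed amount
	var total float64
	for _, d := range dels {
		total += d.Amount
	}
	out := make(map[string]float64, len(dels))
	for _, d := range dels {
		if total > 0 {
			out[d.Name] = pool * d.Amount / total
		}
	}
	return validator, out
}

// CurrentNet: joint gain of V and colluding V' today, R = x*(sv+sd)/2 minus x*sv; > 0 iff sd > sv.
func CurrentNet(x, sv, sd float64) float64 {
	return x*(sv+sd)/2 - x*sv
}

// ProposedNet: same joint gain under the proposal; R is half of all slashed stake, so always < 0.
func ProposedNet(validator float64, dels map[string]float64) float64 {
	total := validator
	for _, v := range dels {
		total += v
	}
	return total/2 - validator
}

func main() {
	dels := []Delegation{{"A", 100}, {"B", 70}, {"C", 30}}
	v, d := Slash(100, 100, dels) // proof published in epoch e
	fmt.Println(v, d, CurrentNet(0.02, 100, 200), ProposedNet(v, d))
}
```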