‡ Selfish Behavior in the Tezos Proof-of-Stake Protocol. [PDF]
Michael Neuder (University of Colorado, Boulder), Daniel J. Moroz (Harvard University), Rithvik Rao (Harvard University), David C. Parkes (Harvard University)
(‡ accepted for both conference and journal)
Paper summaries from the reviewers:
“The authors formalize and analyze an attack on incentives in a production Proof-of-Stake system. In this "selfish endorsing" attack a Tezos delegate manipulates protocol-specified time delays on block acceptance to increase their overall reward compared to honest participants. They achieve this by selectively withholding their endorsements on honest blocks and dishonestly producing a lower-priority block. The authors show that the attack is feasible and profitable, give a simple heuristic to mitigate the impact, and proceed to show that a parameter change could render the protocol immune to this class of attack (while significantly increasing average block times)."
“This paper describes a selfish-mining-like attack that could be performed profitably on the proof-of-stake consensus algorithm currently used in Tezos. It also presents a fix.”
Comments on the strength of the paper:
“The models build intuitively from Tezos's protocol parameters. The authors not only clearly explain how this attack works but also provide an intuitive explanation for why it is possible. Plus, the notation ergonomics are excellent.”
“The authors present existing work on incentive attacks in PoW and PoS systems. The paper establishes that the selfish endorsing attack is a practical instantiation of a previously-known theoretical attack on PoS systems ("Predictible Selfish Mining").”
“The attack probability and profitability are derived from simple protocol rules. The derivation is easy to follow, and no errors are apparent.”
“The paper makes a valuable contribution by formally describing a concrete attack on a proof-of-stake protocol that is currently used in production, and by proposing a fix. It is a good demonstration of how to formally model such an attack.”
Critiques & author responses:
Comment 1: Paper only analyzes the system from a single axis of attack.
Response: It is true that our work is only examining a single attack vector (namely length-2 selfish endorsing). We aren’t claiming that this is a full security analysis, but rather aim to show that this specific attack is feasible against this system, significant in its own right. Future work exploring how selfish behavior could be combined with network level attacks or other deviant strategies would certainly be worth exploring.
Comment 2: Second order effects of attack and proposed fix are not explored.
Response: Great point. We added some sentences describing how during this attack, block rate will slow down, so transaction throughput will as well. Additionally, the attack would be relatively easy to detect through the appearance of orphan blocks. We don’t dive too deeply into the effects of the fix because as we point out in the paper, the fix is only provably secure against length-2 selfish endorsing and in fact opens up the door for length-1 block stealing attacks. We add this context to our discussion. Additionally we point out the new reward system as proposed by the Carthage update, which was partially in response to our work.
Comment 3: Table 1 needs to be explored more, specifically why the reward of the attack is not monotone increasing in the stake of the system.
Response: This is a great point. The reason that attack rewards are not monotone with the percent of stake owned is because the endorsements for the slot before the stolen block will end up being penalized for ending up on a lower priority block. Thus this limits the profitability of attacks to situations where the attacker doesn’t have too many of the previous slot endorsement rights. We found the numerical maximum to be α= 0.351.
Comment 4: For future work think about multiple agents and attacks on the delegate selection system.
Response: This is indeed a great direction to explore in future work. Multiple selfish agents is still an area of active research in Proof-of-Work systems, so there is certainly room to grow for Proof-of-Stake systems. Attacks on the delegate selection system are difficult to imagine because the random seed is generated using information committed to the chain from the previous 4,096 blocks, but certainly this is another aspect worth exploring.
Comment 5: No discussion on asynchrony or message propagation delays.
Response: This is certainly an interesting additional layer on our model. We do take as an assumption that messages are instantly delivered, which was similarly assumed in much of the initial selfish mining literature. We add a statement describing this assumption, but we think that incorporating it into our model would add a large amount of complexity and is appropriate as future work.
Comment 6: Only considers a subset of possible attacks (length-1 and length-2).
Response: Indeed this is a limited set of attacks, and this is because generalizing this theory to length-n attacks is computationally intractable using this Brown-Cohen et. al.method. We add more to the future work section describing some of the difficulties.
Comment 7: Scope is limited (1 protocol).
Response: This is true but the reality of the PoS landscape is that each implementation is quite distinct. Therefore, it is hard to say much generally about attacks. Brown-Cohen et. al. describe a class of general attacks on PoS systems with certain properties, and our work can be seen as instance of the “Predictable Selfish Mine”. But this kind of attack was only relevant after Tezos completely switched their fork-choice rule from heaviest chain to longest chain, dramatically changing the modelling. In future work that applies more generally, we will explore how varied PoS implementations are.