Author [EN] [ZH] [ES] [PT] [IT] [DE] [FR] [NL] [TR] [SR] [AR] [RU] [EN] [ZH] [ES] [PT] [IT] [DE] [FR] [NL] [TR] [SR] [AR] [RU] [EN] [ZH] [ES] [PT] [IT] [DE] [FR] [NL] [TR] [SR] [AR] [RU] Topic: Attack scenario  (Read 2259 times)

0 Members and 1 Guest are viewing this topic.

Offline emski

  • Hero Member
  • *****
  • Posts: 1283
    • View Profile
    • http://lnkd.in/nPbhxG
Attack scenario
« on: June 19, 2014, 07:28:02 PM »

I was wondering what would happen if we had the following situation:

Imagine an evil user (EVIL) exists with 34% of the total stake.
Imagine we have 34% of the users (LAZIES) who let the software autovote.
Imagine EVIL votes for misbehaving delegates with all of his stake (34% of the total).
This should cause the LAZIES to (auto)vote against the same misbehaving delegates with ~ 34% of the total stake. So that the misbehaving delegates have <0 total votes.
As the total stake is 100% the remaining 32% controlled by honest users (HONEST) elect the remaining/acting delegates.

Then EVIL registers 51 delegates and (instantly?) votes for them with his stake (34% of the total). EVIL will surely elect all of them as we have 34% LAZIES who voted against the initial misbehaving delegates.

1.How long will it take for the LAZIES to autovote again?
2.What if EVIL arranges his votes in such way, that autovoting of LAZIES gives upvotes for his delegates, freeing some of his stake to elect other delegates?
3.Is controlling 51 of the delegates a problem?
4.Can EVIL attempt the same with less than 34% of the stake? (what is the minimum stake he needs?)

5.Is this situation impossible?

PS: Sorry if the question is lame, I'm still collecting pieces of the puzzle and I might've missed some information.

Offline tonyk

  • Hero Member
  • *****
  • Posts: 3309
    • View Profile
Re: Attack scenario
« Reply #1 on: June 19, 2014, 08:37:39 PM »
Why is the EVIL evil? Opportunistic maybe?
Lack of arbitrage is the problem, isn't it. And this 'should' solves it.

Offline bytemaster

Re: Attack scenario
« Reply #2 on: June 19, 2014, 08:45:49 PM »
Why is the EVIL evil? Opportunistic maybe?

Lazy votes will likely be those with cold storage and thus 'unchanging'. 

I think that it isn't really a problem for an attacker to have 51% unless they want to use their 51% to ignore blocks from the 49... at which point it becomes very clear that a hard fork that removes all balances voting for the attacker should be performed. 
For the latest updates checkout my blog: http://bytemaster.bitshares.org
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else.   These are merely my opinions and I reserve the right to change them at any time.

Offline emski

  • Hero Member
  • *****
  • Posts: 1283
    • View Profile
    • http://lnkd.in/nPbhxG
Re: Attack scenario
« Reply #3 on: June 19, 2014, 08:49:23 PM »

Lazy votes will likely be those with cold storage and thus 'unchanging'. 


Isnt it possible to have 30% stake in lazy active shareholders that don't bother setting delegates?
« Last Edit: June 19, 2014, 08:52:46 PM by emski »

Offline bytemaster

Re: Attack scenario
« Reply #4 on: June 20, 2014, 01:18:08 PM »

Lazy votes will likely be those with cold storage and thus 'unchanging'. 


Isnt it possible to have 30% stake in lazy active shareholders that don't bother setting delegates?

It is.

However, I am sure if something went wrong in a major way that couldn't be resolved by the active 70% that these inactive shareholders have financial incentive to take action.
For the latest updates checkout my blog: http://bytemaster.bitshares.org
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else.   These are merely my opinions and I reserve the right to change them at any time.

Offline emski

  • Hero Member
  • *****
  • Posts: 1283
    • View Profile
    • http://lnkd.in/nPbhxG
Re: Attack scenario
« Reply #5 on: June 20, 2014, 02:39:56 PM »
And what if an attacker decides to use the LAZIES to make them vote for his delegates.
Imagine the following:
EVIL has 2% stake.
EVIL votes for misbehaving delegate.
LAZIES votedown that misbehaving delegate.
EVIL switches his votes to his own delegate placing it in such a way that LAZIES autovote for it.
Each block EVIL reduces his vote for that delegate making all LAZIES' transactions autovote for that particular delegate.

This shouldn't cause much trouble initially but if EVIL carefully places his votes he could control most of the LAZIES.

I understand that there are more "imminent" and important tasks at hand and this might not be even possible.

However my point is that LAZIES could be exploited and it might be a good idea to think about updating the autovoting algorithm to the point that it is not that predictable.

Offline bytemaster

Re: Attack scenario
« Reply #6 on: June 20, 2014, 03:00:58 PM »
Quote
EVIL switches his votes to his own delegate placing it in such a way that LAZIES autovote for it.

Big leap here... how do you place it in such a way that LAZIES auto vote for it? 
For the latest updates checkout my blog: http://bytemaster.bitshares.org
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else.   These are merely my opinions and I reserve the right to change them at any time.

Offline emski

  • Hero Member
  • *****
  • Posts: 1283
    • View Profile
    • http://lnkd.in/nPbhxG
Re: Attack scenario
« Reply #7 on: June 20, 2014, 03:14:53 PM »
Quote
EVIL switches his votes to his own delegate placing it in such a way that LAZIES autovote for it.

Big leap here... how do you place it in such a way that LAZIES auto vote for it?
I used as reference https://github.com/BitShares/bitshares_toolkit/blob/master/docs/dpos.dox - @section dpos_voting_algorithm  Voting Algorithm

Assuming the new delegate has high score. Evil places it at rank 101 with some of his %2 stake (that delegate has less than 1% of votes). The misbehaving delegate now has -2% votes (all from LAZIES and none from EVIL) and is at rank > 200. With LAZIES' next transactions they should autovote again (am i right?). And LAZIES' vote should be according to the following rule
# If there are no trusted_delegates in then vote for the observed_delegate with the highest score and less than 1%
         of the vote
EVIL can easily place votes for his (high scored) delegate so that he falls in this rule. And adjust his votes each block so that he is still in that rule.

So he can free most of his stake to repeat this (assuming EVIL controls several high performing delegates). And he might "trap" all the LAZIES' votes into delegates he controls... AND THEN....
« Last Edit: June 20, 2014, 03:17:48 PM by emski »

Offline Agent86

  • Sr. Member
  • ****
  • Posts: 471
  • BTSX: agent86
    • View Profile
Re: Attack scenario
« Reply #8 on: June 20, 2014, 04:26:25 PM »
emski,
Can you think of any attacks against "approval voting"?  It's quite simple; no down votes and every share can vote for (approve) of as many delegates as they like.  Delegates with the most approval win.  I think it's a perfect system for what we want and can't think of any reasonable attack.

More detailed discussion in the DPOS thread:
https://bitsharestalk.org/index.php?topic=4009.msg66308#msg66308

Offline tonyk

  • Hero Member
  • *****
  • Posts: 3309
    • View Profile
Re: Attack scenario
« Reply #9 on: June 20, 2014, 04:31:26 PM »
emski,
Can you think of any attacks against "approval voting"?  It's quite simple; no down votes and every share can vote for (approve) of as many delegates as they like.  Delegates with the most approval win.  I think it's a perfect system for what we want and can't think of any reasonable attack.

More detailed discussion in the DPOS thread:
https://bitsharestalk.org/index.php?topic=4009.msg66308#msg66308

Only concerns I have are:
-Is it really far more demanding/taxing on the blockchain?
-Is it as easy to vote out bad delegates?
Lack of arbitrage is the problem, isn't it. And this 'should' solves it.

Offline Agent86

  • Sr. Member
  • ****
  • Posts: 471
  • BTSX: agent86
    • View Profile
Re: Attack scenario
« Reply #10 on: June 20, 2014, 04:49:31 PM »
emski,
Can you think of any attacks against "approval voting"?  It's quite simple; no down votes and every share can vote for (approve) of as many delegates as they like.  Delegates with the most approval win.  I think it's a perfect system for what we want and can't think of any reasonable attack.

More detailed discussion in the DPOS thread:
https://bitsharestalk.org/index.php?topic=4009.msg66308#msg66308

Only concerns I have are:
-Is it really far more demanding/taxing on the blockchain?
-Is it as easy to vote out bad delegates?
I don't think it really adds much to the blockchain as you only need to specify changes in delegate selections, people probably won't be changing their selections as often.  There is some idea that a constructed database of votes would be bigger.

My thoughts:  Whatever the costs, it is almost certainly worth it.  It is just sooo much better than current voting method.

"-Is it as easy to vote out bad delegates?"
Yes. In fact it's much easier to vote out bad delegates than in the current system and much less likely that bad delegates get voted in in the first place.  In the current system if someone has enough stake to vote themselves in as a delegate (less than 1% required) it will be next to impossible to get rid of them as a delegate if they want to vote for themselves.

Offline emski

  • Hero Member
  • *****
  • Posts: 1283
    • View Profile
    • http://lnkd.in/nPbhxG
Re: Attack scenario
« Reply #11 on: June 21, 2014, 12:45:29 AM »
emski,
Can you think of any attacks against "approval voting"?  It's quite simple; no down votes and every share can vote for (approve) of as many delegates as they like.  Delegates with the most approval win.  I think it's a perfect system for what we want and can't think of any reasonable attack.

More detailed discussion in the DPOS thread:
https://bitsharestalk.org/index.php?topic=4009.msg66308#msg66308

Its not that much about the voting system as it is about the predictable autovoting algorithm for LAZIES. I believe this could be exploited relatively easy and could be an issue.

As for the "approval voting" I'm not convinced in the advantages it has over current system (although I don't think current negative votes are good for the system but this is entirely different topic). In general "fair" voting system for our case is extremely complex and controversial topic that might require much more research.

Offline toast

Re: Attack scenario
« Reply #12 on: June 21, 2014, 12:53:59 AM »
Its not that much about the voting system as it is about the predictable autovoting algorithm for LAZIES. I believe this could be exploited relatively easy and could be an issue.

I talked with Dan today about this. The voting algorithm could obviously use more thought, for more than just the reason you gave.
I don't think it will be hard to come up with a voting algorithm which makes it hard to manipulate LAZIES.

Also, I think 34% is not sufficient - the LAZIES will not need to push EVIL's delegates to 0, just out of top 101. They do not need to use all 33% of their LAZY votes to accomplish this.
Do not use this post as information for making any important decisions. The only agreements I ever make are informal and non-binding. Take the same precautions as when dealing with a compromised account, scammer, sockpuppet, etc.

Offline Agent86

  • Sr. Member
  • ****
  • Posts: 471
  • BTSX: agent86
    • View Profile
Re: Attack scenario
« Reply #13 on: June 21, 2014, 03:39:05 AM »
Its not that much about the voting system as it is about the predictable autovoting algorithm for LAZIES. I believe this could be exploited relatively easy and could be an issue.
I share your concern about the autovoting algorithm but I also think it's the symptom of the bigger problem.  This type of algorithm is not really needed for approval voting;  you can just vote for some delegates that you trust and leave it at that.  The client can give you warnings if one of your delegates is messing up or give you some network statistics, but the constant vote balancing/autovoting isn't needed. (there's also more to voting and selecting candidates than network statistics)
As for the "approval voting" I'm not convinced in the advantages it has over current system (although I don't think current negative votes are good for the system but this is entirely different topic).
Negative votes is not an "entirely different topic" I proposed a voting scheme that doesn't rely on negative votes but you've said you're not convinced.

Do you think we can just get rid of negative votes from the current voting system and otherwise leave it as is?

Do you think it's fine if anyone (or group) with 1% can elect a delegate with no way for everyone else to get rid of that delegate?

In general "fair" voting system for our case is extremely complex and controversial topic that might require much more research.
OK, so you think it's complex. but I've given a place to start and proposed a system to solve the problem.  Are there specific reasons you suspect it doesn't or other specific reservations or you just haven't had time to think about it?

Offline emski

  • Hero Member
  • *****
  • Posts: 1283
    • View Profile
    • http://lnkd.in/nPbhxG
Re: Attack scenario
« Reply #14 on: June 21, 2014, 08:09:44 AM »
Negative votes is not an "entirely different topic" I proposed a voting scheme that doesn't rely on negative votes but you've said you're not convinced.
Difference comes from the topic I intended - LAZIES vote manipulation. What problem will your proposed voting scheme solve ?

Do you think we can just get rid of negative votes from the current voting system and otherwise leave it as is?
Do you think it's fine if anyone (or group) with 1% can elect a delegate with no way for everyone else to get rid of that delegate?

I think negative voting shouldn't exclude positive vote. But I'm too lazy to research extensively on this so I stay quiet.

OK, so you think it's complex. but I've given a place to start and proposed a system to solve the problem.  Are there specific reasons you suspect it doesn't or other specific reservations or you just haven't had time to think about it?
What problem will your proposed voting scheme solve ? And as I already said I didn't research this extensively I cant say which is better.

 

Google+