Author Topic: Attack scenario  (Read 14498 times)

0 Members and 1 Guest are viewing this topic.

Offline Agent86

  • Sr. Member
  • ****
  • Posts: 471
  • BTSX: agent86
    • View Profile
Emski, some comments where we may have disagreed:
*Autovoting algorithms that can be gamed
Autovoting algorithm exploitation depends on the predictability of the voting algorithm not on the voting system. One can still exploit it even in approval voting.
Approval voting (AV) is a different animal.  You don't need a computer algo to help you vote, just select some delegates you like and trust or seem to be doing good things for the community.  You can adjust it if others come along you like better or if someone you voted for can't get their act together.  Network statistics will be readily available and will inform your decision but we shouldn't encourage autovote algorithms imo.  I'm not voting for any delegate just because of network stats; I need to know what forum member or who is claiming to run the delegate.  Otherwise no dice for "mystery delegates" sockpuppets? with favorable network stats.  I'm sure we'll find plenty of good candidates so we don't have to get desperate.

Edit: if there is no autovoting for, but only automatically removing support for someone you've voted for that does something wrong, I think this should be fine.

*Large shareholders profit from voting themselves to be delegate or negotiating kickbacks.
The idea in DPOS is - shareholders elect delegates. If there is a large shareholder he will elect his own delegate(s).
As the votes are public negotiating will be always possible. Imagine the deal: You vote for me, I vote for you, none of us vote for anyone else.
Assuming approval voting is in use, If I see someone negotiating a deal on the forums saying "you vote for me, I vote for you, we don't vote for others."  There is no way I'm voting for this person, not to mention blasting them so no one else does.  They are not going to get elected using only the votes of themselves and some friends they've made deals with.  To be competitive in AV you need LOTS of support, maybe upwards of 50% of stake voting for you, not some stupid backdoor deal you negotiated.

*Small shareholders most likely don't get these benefits or can't negotiate kickbacks
This is correct in both systems. Negotiating efforts should produce value - you dont negotiate for 10 units but you will do it for 10 mil.
In "AV" there is no need for these negotiations and if they are discovered you have probably just blown your chance to ever be a delegate.  You need BROAD support to win, if you try to negotiate "you scratch my back I scratch yours" with individuals, the broad community whose back you are not scratching will reject your candidacy.  Delegates must act in the best interests of the DAC to appeal to the most people rather than just trying to appeal to those who voted for them.  The small guy will benefit just as much because delegates are looking out for the whole DAC and also courting small voters.

*No incentive for delegates to reinvest profits to help the DAC
Votes are always incentive. Most people will elect delegate that helps the system. These just for profit might not stay unless backed by large shareholders.
This is based on my contention that selfish voting would predominate (self voting, kickbacks etc.)  It's hard to convince someone to vote for you because of all you do for the community when they get a direct kickback elsewhere.

*Attacking entity can buy 50+ delegate positions through kickbacks
Where is that explained?
Basically, if you can encourage support with kickbacks people will look for delegates that offer the best kickbacks… take it from there, it's a slippery slope.
« Last Edit: June 22, 2014, 10:24:00 am by Agent86 »

Offline xeroc

  • Board Moderator
  • Hero Member
  • *****
  • Posts: 12922
  • ChainSquad GmbH
    • View Profile
    • ChainSquad GmbH
  • BitShares: xeroc
  • GitHub: xeroc
+5% for the simplicity

Will I be able to remove my + 1 vote later on

Are we going to have a weighted approval internally for the wallet .. so that I can tell him .. A is better then B but i support both?

Offline Agent86

  • Sr. Member
  • ****
  • Posts: 471
  • BTSX: agent86
    • View Profile
we are probably going to go with approval voting.

Some things to discuss: Should you still be able to downvote delegates with your stake? We are leaning towards yes but have not thought through it very carefully.
+5% +5% +5% +5%
That's great!  I think this is a very good decision.  Downvoting is not at all needed and will only cause problems.  I think if you think about it you will come to same conclusion.

Offline emski

  • Hero Member
  • *****
  • Posts: 1282
    • View Profile
    • http://lnkd.in/nPbhxG
*Autovoting algorithms that can be gamed
Autovoting algorithm exploitation depends on the predictability of the voting algorithm not on the voting system. One can still exploit it even in approval voting.

*Cat and mouse of trying to vote down delegates
Yes. Having exclusive voting system (able to vote for only one entity) and ability to switch vote, enables a lot of vote-switching scenarios.

*Downvoting has too much opportunity cost
As I said I don't like exclusive vote - if you downvote you should still be able to upvote. However this particular moment needs more research.

*Large shareholders profit from voting themselves to be delegate or negotiating kickbacks.
The idea in DPOS is - shareholders elect delegates. If there is a large shareholder he will elect his own delegate(s).
As the votes are public negotiating will be always possible. Imagine the deal: You vote for me, I vote for you, none of us vote for anyone else.

*Small shareholders most likely don't get these benefits or can't negotiate kickbacks
This is correct in both systems. Negotiating efforts should produce value - you dont negotiate for 10 units but you will do it for 10 mil.

*No incentive for delegates to reinvest profits to help the DAC
Votes are always incentive. Most people will elect delegate that helps the system. These just for profit might not stay unless backed by large shareholders.

*Attacking entity can buy 50+ delegate positions through kickbacks
Where is that explained?

*Shareholders can't vote for all delegates they trust (must pick 1 at time)
Yes! This could be an issue. (although you can spread your stake by % )

*Person with 3-4% has lots of power (can basically vote in or out a handful of delegates at will)
Correct! And even such person could manipulate the autovote easily as I stated initially.

*Delegates don't need/have broad community support
Yes, but they must not irritate a lot of people because they could downvote them. Which is costly (unless upvoting/downvoting is not exclusive)

*Pulls community and shareholders apart instead of bringing them together.
*Is confusing and not intuitive
*Ruins our one chance to make a great 1st impression on 1st time users.
... cant comment on this.

It looks like approval voting is better. Although there are still things to consider.
« Last Edit: June 22, 2014, 07:02:47 am by emski »

Offline liondani

  • Hero Member
  • *****
  • Posts: 3737
  • Inch by inch, play by play
    • View Profile
    • My detailed info
  • BitShares: liondani
  • GitHub: liondani
Facebook uses only up voting too (likes) for a reason... we talk about different things but maybe their approach can help us too...  marketing wise I mean... the idea is that :  "our network has only good delegates we are not full of scammers or bad actors or low quality delegates  ... " hope you understand what I mean... the feeling the community will have about "our" delegates... so for marketing only reasons I am against down voting... for security reasons you guys know better  ;)

Sent from my ALCATEL ONE TOUCH 997D using Tapatalk
« Last Edit: June 22, 2014, 03:36:03 am by liondani »

Offline toast

  • Hero Member
  • *****
  • Posts: 4001
    • View Profile
  • BitShares: nikolai
Dan and I talked some more over dinner today and I think we have won him over.

Once he was convinced that there is unlikely to be a large honest stakeholder who does nothing but downvote bad delegates at huge opportunity cost then cat&mouse becomes unsolvable and that is the core issue behind all the reasons Agent86 listed. After thinking through some possible transaction compression techniques and realizing that it only makes the transaction about 3x as large, I am happy to announce that we are probably going to go with approval voting.

Some things to discuss: Should you still be able to downvote delegates with your stake? We are leaning towards yes but have not thought through it very carefully.
Do not use this post as information for making any important decisions. The only agreements I ever make are informal and non-binding. Take the same precautions as when dealing with a compromised account, scammer, sockpuppet, etc.

Offline Agent86

  • Sr. Member
  • ****
  • Posts: 471
  • BTSX: agent86
    • View Profile
I agree the existing algo is probably sufficient if we don't dilute to pay delegates.  I also know a lot of things I listed are different ways of looking at the same issue.  I'm not trying to be difficult, I just believe approval voting is a real improvement and feel a certain obligation to advocate for it.

I just want us to hold ourselves to a higher standard.  I'm anxious for us to be able to leverage the power of reinvestment through dilution.  I think this is a big opportunity and the quicker we get there the better.  I don't want us to spend a ton of energy tweaking something to make it sufficient if there is a better option.  If there's something more future proof and better than sufficient that's what I want!

Offline bytemaster

When the only thing at stake is whether or not blocks get produced the existing algorithm is probably sufficient. 

When we make the role of delegate profitable via dilution then the game changes dramatically.  Some of your concerns are not valid:

1) Cat & Mouse is costly (delegate registration fee)
2) Buying votes would likely result in down votes and thus not get you anywhere.
3) Voting yourself to be delegate is just another way of stating #1....
4) Lots of incentive... assuming people vote against bad delegates.
5) Down voting does not have opportunity cost... it is effectively a vote *for* anyone "but" the bad guy.  This is generally a more powerful way to express your opinion.
6) Kickbacks is just another form of #2

You have a very large list... but 99% is just rephrasing the same thing a different way.   

I think it comes down to this:
1) can someone with a couple of percent play the 'cat and mouse' game to effectively earn a profit while doing nothing?

I think the answer is no because it only takes one honest person of equal weight to vote against them every time they move *AND* large players have more to gain by having the network be a success.   
For the latest updates checkout my blog: http://bytemaster.bitshares.org
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else.   These are merely my opinions and I reserve the right to change them at any time.

Offline Agent86

  • Sr. Member
  • ****
  • Posts: 471
  • BTSX: agent86
    • View Profile
What problem will your proposed voting scheme solve ?
All of them :) including the ones you've already brought up and more:

*Autovoting algorithms that can be gamed
*Cat and mouse of trying to vote down delegates
*Delegates buying votes
*Downvoting has too much opportunity cost
*Large shareholders profit from voting themselves to be delegate or negotiating kickbacks.
*Small shareholders most likely don't get these benefits or can't negotiate kickbacks
*No incentive for delegates to reinvest profits to help the DAC
*Attacking entity can buy 50+ delegate positions through kickbacks
*Delegates don't need/have broad community support
*Shareholders can't vote for all delegates they trust (must pick 1 at time)
*Person with 3-4% has lots of power (can basically vote in or out a handful of delegates at will)
*Pulls community and shareholders apart instead of bringing them together.
*Is confusing and not intuitive
*Ruins our one chance to make a great 1st impression on 1st time users.

I'm sure there's more but that's some of them.  When something's broken there tends to be a lot of ways of seeing how it's broken.
« Last Edit: June 21, 2014, 10:42:37 pm by Agent86 »

Offline emski

  • Hero Member
  • *****
  • Posts: 1282
    • View Profile
    • http://lnkd.in/nPbhxG
And as bytemaster proposed hardfork with removal of balances voting for misbehaving entity => this might affect LAZIES which are presumably normal lazy users who let the software autovote for them. Hardforking without their stake might be something even more evil than EVIL's initial plan.

Offline emski

  • Hero Member
  • *****
  • Posts: 1282
    • View Profile
    • http://lnkd.in/nPbhxG
Also, I think 34% is not sufficient - the LAZIES will not need to push EVIL's delegates to 0, just out of top 101. They do not need to use all 33% of their LAZY votes to accomplish this.
Well 34% was just a number. Under very probable circumstances EVIL could manipulate LAZIES with just 3% or 4%. Pushing a delegate out of top101 requires 2%- X% , where X is the NET VOTE for 101th delegate. And even in the test network this diff is close to 1%. I believe that in the real network a lot of the top delegates will have NET VOTE of 2%, leaving 101th (X) with much lower NET VOTE.

If EVIL has 4% stake and acts like this:
1 EVIL votes up misbehaving delegate with 4% stake. (this may take some time while LAZIES downvote it, so EVIL can use up all his stake)
2 LAZIES vote it down with 3% (which may still be in top101 as the missbehaving delegate has 1% but this is the worst case).
3 EVIL moves his 4% upvotes away and places 1 well performing delegate into suitable position so that LAZIES' autovote for that delegate. (using his stake)
4 LAZIES abandon the misbehaving delegate and vote for EVIL's delegate from 3.
5 EVIL carefully removes his stake so that ALL LAZIES' votes are cast on his delegate from 3. (This might require following each block's vote changes and making sure the delegate remains on autovoting position)
6 if delegatesEVILControls < 51 repeat else ShowWhyEVILisEvil();

Using the above mentioned "algorithm" an entity with small stake could "redirect" much of the LAZIES autovote.
« Last Edit: June 21, 2014, 06:09:14 pm by emski »

Offline emski

  • Hero Member
  • *****
  • Posts: 1282
    • View Profile
    • http://lnkd.in/nPbhxG
Negative votes is not an "entirely different topic" I proposed a voting scheme that doesn't rely on negative votes but you've said you're not convinced.
Difference comes from the topic I intended - LAZIES vote manipulation. What problem will your proposed voting scheme solve ?

Do you think we can just get rid of negative votes from the current voting system and otherwise leave it as is?
Do you think it's fine if anyone (or group) with 1% can elect a delegate with no way for everyone else to get rid of that delegate?

I think negative voting shouldn't exclude positive vote. But I'm too lazy to research extensively on this so I stay quiet.

OK, so you think it's complex. but I've given a place to start and proposed a system to solve the problem.  Are there specific reasons you suspect it doesn't or other specific reservations or you just haven't had time to think about it?
What problem will your proposed voting scheme solve ? And as I already said I didn't research this extensively I cant say which is better.

Offline Agent86

  • Sr. Member
  • ****
  • Posts: 471
  • BTSX: agent86
    • View Profile
Its not that much about the voting system as it is about the predictable autovoting algorithm for LAZIES. I believe this could be exploited relatively easy and could be an issue.
I share your concern about the autovoting algorithm but I also think it's the symptom of the bigger problem.  This type of algorithm is not really needed for approval voting;  you can just vote for some delegates that you trust and leave it at that.  The client can give you warnings if one of your delegates is messing up or give you some network statistics, but the constant vote balancing/autovoting isn't needed. (there's also more to voting and selecting candidates than network statistics)
As for the "approval voting" I'm not convinced in the advantages it has over current system (although I don't think current negative votes are good for the system but this is entirely different topic).
Negative votes is not an "entirely different topic" I proposed a voting scheme that doesn't rely on negative votes but you've said you're not convinced.

Do you think we can just get rid of negative votes from the current voting system and otherwise leave it as is?

Do you think it's fine if anyone (or group) with 1% can elect a delegate with no way for everyone else to get rid of that delegate?

In general "fair" voting system for our case is extremely complex and controversial topic that might require much more research.
OK, so you think it's complex. but I've given a place to start and proposed a system to solve the problem.  Are there specific reasons you suspect it doesn't or other specific reservations or you just haven't had time to think about it?

Offline toast

  • Hero Member
  • *****
  • Posts: 4001
    • View Profile
  • BitShares: nikolai
Its not that much about the voting system as it is about the predictable autovoting algorithm for LAZIES. I believe this could be exploited relatively easy and could be an issue.

I talked with Dan today about this. The voting algorithm could obviously use more thought, for more than just the reason you gave.
I don't think it will be hard to come up with a voting algorithm which makes it hard to manipulate LAZIES.

Also, I think 34% is not sufficient - the LAZIES will not need to push EVIL's delegates to 0, just out of top 101. They do not need to use all 33% of their LAZY votes to accomplish this.
Do not use this post as information for making any important decisions. The only agreements I ever make are informal and non-binding. Take the same precautions as when dealing with a compromised account, scammer, sockpuppet, etc.

Offline emski

  • Hero Member
  • *****
  • Posts: 1282
    • View Profile
    • http://lnkd.in/nPbhxG
emski,
Can you think of any attacks against "approval voting"?  It's quite simple; no down votes and every share can vote for (approve) of as many delegates as they like.  Delegates with the most approval win.  I think it's a perfect system for what we want and can't think of any reasonable attack.

More detailed discussion in the DPOS thread:
https://bitsharestalk.org/index.php?topic=4009.msg66308#msg66308

Its not that much about the voting system as it is about the predictable autovoting algorithm for LAZIES. I believe this could be exploited relatively easy and could be an issue.

As for the "approval voting" I'm not convinced in the advantages it has over current system (although I don't think current negative votes are good for the system but this is entirely different topic). In general "fair" voting system for our case is extremely complex and controversial topic that might require much more research.