Author Topic: Leveraging trusted delegates of a high market cap DAC to secure smaller DACs  (Read 1582 times)


Offline gamey

  • Hero Member
  • Posts: 2253

The irony is I've seen some fairly bright people talk themselves into believing that security that has no extra cost removes/lowers the effectiveness of security.  If I understand right, they would argue that nothing-at-stake invalidates this whole model, because the BTSX owners have nothing to lose by screwing with the lesser chain.

I pointed out merged mining, like Namecoin.  They thought for a second then decided it hadn't actually been decided that merge mining aids in security.  lol.  Fun stuff to think about if such stuff is your inclination. 
« Last Edit: August 10, 2014, 06:04:41 am by gamey »
I speak for myself and only myself.

Offline sfinder

  • Hero Member
  • Posts: 1205
  • 4 Cores CPU+100GB SSD+anti-DDoS Pro
It will be a problem. Merge forging with the BTSX chain may be a way to go.
Weibo: 星在飘我在找 | BTS X delegate ID: baidu
Cooperating with China Education Bookstore and will donate 20% of delegate income to poor students in mountain areas.

Offline arhag

  • Hero Member
  • Posts: 1214
  • BitShares: arhag
  • GitHub: arhag
After writing the post at https://bitsharestalk.org/index.php?topic=5033.msg90117#msg90117, I started thinking more about DACs that have the property where the shares in the DAC do not have a lot of value (meaning low market cap for the DAC), but there are assets on the blockchain that do have a lot of value. It first seemed somewhat counterintuitive to me that the blockchain can contain a total amount of value that is more than the market cap of the DAC, but after thinking about it a little, it seems totally obvious now. A fully owned domain on the BitShares DNS DAC has a lot of value that belongs to that domain owner, but not to the shareholders. Someone can do cross-chain trading to trade BTSX for the domain, and the DAC doesn't capture any of that value (well, other than a tiny transaction fee). But at least BitShares DNS extracts a lot of value from the domain auctions. The problem is much worse for user-issued assets on a standalone BitShares Me DAC, or loans on a Lending DAC, and many other DAC examples people can think of. So, in the case of BitShares Me, there can be a lot of very highly valued user-issued assets (based on the trust in the user backing them) that can be traded back and forth, but because the only income source of the DAC is low transaction fees, the market cap of the DAC (which should be related to its net income) is also low. Whenever there is high value trade occurring, there could be an opportunity to make money off double-spend attacks.

So, I think DACs that have this structure are vulnerable to 51% stake attacks. As far as I can see, there could be a rational financial reason for an evil actor to pull off a double-spend attack by buying up 51% of the stake in a very low market cap DAC, since pulling off double-spend (or other blockchain manipulation) attacks on even just a few particular high value transfers could make it all worth it. For example, if a user wanted to do an atomic cross-chain trade of some amount of BitUSD for a user-issued asset on a separate BitShares Me DAC, and the attacker doing the trade on the BitShares Me DAC actually owned 51% of the stake on the DAC (and thus all of the delegates), the user would be very vulnerable. After the attacker claims the BitUSD and thus reveals the secret to allow the user to claim the asset, he could selectively block the user's transaction that claims the asset for long enough until he could take the asset back as a refund after the timeout (a timeout is necessary in atomic cross-chain trades so that traders don't lose their money if the other party disappears in the middle of a trade). Eventually, the complaints would reach the other 49% of shareholders so they could fork and purge, but by then the attacker may have done this multiple times with many victims (perhaps concurrently) to have made more BitUSD than the cost of buying 51% of the stake in the BitShares Me DAC. A possible answer to this is to not do high value transfers on low market cap DACs, but I think that may be too limiting sometimes.

What if instead, the BitShares Me DAC, recognizing that its low market cap made it insecure, decided to give up its sovereignty to another, larger market cap DAC? To use the corporation analogy for DACs, what if the shareholders of the DAC agreed to not select its board of directors by shareholder vote, but rather by whoever was on the board of a more successful company? A small DAC could decide to follow the blockchain/network of BitShares X in addition to its own blockchain/network. This would not be a bidirectional relationship (meaning the BitShares X blockchain wouldn't need to know about the small DAC's existence) since otherwise this wouldn't scale. By following the BTSX blockchain, everyone using this small DAC would know the approval rating of all registered delegates on the BTSX blockchain (as determined by BTSX holders). The DAC would have its own ability for accounts to register as interested in acting as delegates. The difference between this and the one on BitShares X, however, is that the fee would be very small, the accounts could take themselves on or off as they would like, and only accounts that were also registered as delegates on the BTSX blockchain would be allowed to do this (as determined by having the same Owner Key). Of the subset of BitShares X registered delegates who were also registered as interested in acting as a delegate for the small DAC, the approval rating from the BTSX blockchain would be used to rank them and choose the top 101 as the active delegates of the small DAC.

The shareholders of the small DAC would not be able to vote out/in the active delegates. Only the shareholders of BitShares X could do that. The delegates' performance and behavior on this DAC could still influence users' decisions on how to vote on BitShares X. If the users (not necessarily just shareholders) of this small DAC collectively have a considerable percentage of the stake of BTSX, then the delegates misbehaving on this DAC would hurt their approval rating on the BTSX blockchain. But, if users of the small DAC only have a tiny percentage of BTSX, their influence is too small to significantly change delegate approval rating, and so the only way they could get rid of misbehaving delegates on their DAC would be by convincing other BTSX stakeholders that the delegate they voted for is not a trustworthy individual. And technically, the shareholders of the small DAC could always hard fork away from the BitShares X chain if they thought conditions absolutely called for it.

This is the tradeoff that a DAC makes by linking its delegates to a larger parent DAC. It gains protection from attackers buying 51% of their stake with the intention of harming their network; this is done by the shareholders putting their trust in the BTSX shareholders rather than themselves, since they worry that they are small enough to be compromised by an attacker. However, the shareholders also lose control of directly dealing with misbehaving delegates themselves. The tradeoff is worth it if the shareholders of the DAC believe that enough of the users (not necessarily just shareholders) of the DAC will also collectively be major BTSX holders and if they can convince the top active delegates on BitShares X to also act as delegates on their small DAC (with appropriate compensation, of course).

The shareholders of the DAC would still have some control. In the case of an emergency or hard fork, it is always their stake that matters, not the stake of the greater BTSX community. Also, during regular operation, I propose that the shareholders be able to use their stake to vote on matters specific to the DAC (within the constraints of the hard-coded rules of the DAC). For example, they could vote on the delegate pay rate that every active delegate on that DAC would get paid (which is in some ways more flexible than letting the delegates decide the pay rate as part of their campaign promise, because it would allow the rate to be adjusted down and up over time as needed). I would also want to allow shareholders to vote yes/no on proposals created by the delegates which could make other changes in the operation of the DAC. One of them could be hiring "workers" (to use Agent86's term) who get their own specified salary (which could even be high enough to cause net inflation if the shareholders wanted). These workers would be hired to do all the interesting jobs related to the DAC, like funding development, marketing, and more. None of these proposals could compromise the security of the DAC, since that responsibility is only assigned to the active delegates, which are determined by BTSX shareholders. The only job of the delegates would be to just keep the network operating and continuing to build on the blockchain in a way consistent with the rules. For this job, they would be compensated, but there would be no need to pay them too much more than the typical computing expenses of running a DPOS delegate node.

In conclusion, shareholders of a low market cap DAC can rely on the trustworthiness of other DAC stakeholders to choose the delegates to run the machinery of the DAC, while they still maintain control of all the important decisions of the DAC. The delegates' job is very simple and is one that they have already proven to be reliable at in other DACs. If the DAC's shareholders can rely on BTSX holders to be concerned with the reliable operation of the DAC (say, if they are users of the DAC) and if they can attract the top BTSX delegates with sufficient pay to run their DAC, then they can link their DAC to BTSX to take advantage of the great security benefits that come from the high market cap of BTSX (namely that a 51% attack doesn't provide any financial benefit for an attacker). This provides a lot of flexibility in the design of DACs. DACs that provide users the ability to hold and transfer significant value do not need to overcharge the users for security reasons. They can just take the low but respectable transaction fees as a sustainable source of income. Also, by only linking the DAC to BTSX rather than directly bloating up the BitShares X blockchain/network with lots of different business rules and transaction types, users can safely experiment with different DACs and, most importantly, properly scale out by not cramming everything onto one chain. BitAssets and atomic cross-chain trading still provide the means of communicating the value transferred from one DAC to another DAC without needing the blockchains of each DAC to explicitly communicate with one another.

What are people's thoughts on this idea? Am I overly concerned about the risk of 51% stake attack on low market cap DACs? Am I overstating the utility of low market cap DACs in the first place? And would BTSX shareholders be likely to even care if their chosen delegates are slacking off in DACs other than the ones they have a financial stake in? I think they absolutely would care if the delegates were proven to be malicious (double signing blocks, somehow known to be filtering), but what if they were just lazy and missing a lot of blocks?
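As an added illustration of the delegate-linking rule arhag lays out above (example code written for this page, not code from the thread or from the BitShares code base): a small "child" DAC follows the parent (BTSX) chain's delegate approval ratings and only lets accounts act as block producers if they are both registered delegates on the parent, matched by Owner Key, and opted in on the child. Child-chain stake never influences who produces blocks, so an account that holds child stake but has no parent registration stays out regardless of how much it owns, while child stake still decides child-specific matters such as the delegate pay rate. The `approval_from_parent_votes` and `child_pay_rate` rules, and every name, key, stake and approval figure, are constructed for the example and are not how BitShares computes them.

```python
"""Model of a child DAC whose active delegates are chosen by the parent chain.

Added example, not BitShares code. All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

ACTIVE_SLOTS = 101  # the post proposes the top 101 eligible delegates


@dataclass(frozen=True)
class ParentDelegate:
    name: str
    owner_key: str  # the same Owner Key identifies the account on the child chain


def approval_from_parent_votes(votes):
    """Net approval per delegate on the parent chain (hypothetical simplification).

    votes: iterable of (delegate_name, voter_stake, approve), approve=True for a
    vote for and False for a vote against.
    """
    approval = defaultdict(int)
    for name, stake, approve in votes:
        approval[name] += stake if approve else -stake
    return dict(approval)


class ChildDac:
    def __init__(self, slots=ACTIVE_SLOTS):
        self.slots = slots
        self.opted_in = set()  # owner keys that asked to produce blocks here

    def opt_in(self, owner_key):
        self.opted_in.add(owner_key)

    def opt_out(self, owner_key):
        self.opted_in.discard(owner_key)

    def active_delegates(self, parent_delegates, approval):
        """Rank opted-in accounts that are also parent delegates by parent
        approval and keep the top `slots`. Keys unknown to the parent chain are
        ignored no matter how much child stake backs them."""
        by_key = {d.owner_key: d for d in parent_delegates}
        eligible = [by_key[k] for k in self.opted_in if k in by_key]
        # Highest approval first; the name breaks ties so every node agrees.
        eligible.sort(key=lambda d: (-approval.get(d.name, 0), d.name))
        return [d.name for d in eligible[: self.slots]]

    def block_producer_allowed(self, producer, parent_delegates, approval):
        """The check a child node would run on each incoming block's signer."""
        return producer in self.active_delegates(parent_delegates, approval)


def child_pay_rate(stake_votes):
    """Stake-weighted median of pay-rate proposals from child shareholders.

    stake_votes: iterable of (child_stake, proposed_rate). A constructed rule
    for the kind of decision the post leaves to child stake.
    """
    ranked = sorted(stake_votes, key=lambda sv: sv[1])
    if not ranked:
        return None
    total = sum(stake for stake, _ in ranked)
    running = 0
    for stake, rate in ranked:
        running += stake
        if running * 2 >= total:
            return rate
    return ranked[-1][1]


# --- constructed sample data -------------------------------------------------
PARENT_DELEGATES = [
    ParentDelegate("alice", "KEY_A"),
    ParentDelegate("bob", "KEY_B"),
    ParentDelegate("carol", "KEY_C"),
    ParentDelegate("dave", "KEY_D"),
]
PARENT_VOTES = [
    ("alice", 900, True), ("bob", 700, True), ("carol", 500, True),
    ("dave", 800, True), ("dave", 600, False),  # dave nets 200
]
PARENT_APPROVAL = approval_from_parent_votes(PARENT_VOTES)


def demo():
    """Returns the active set before and after alice opts out."""
    dac = ChildDac(slots=3)
    for key in ("KEY_A", "KEY_B", "KEY_C", "KEY_D"):
        dac.opt_in(key)
    dac.opt_in("KEY_M")  # registered only on the child chain: never eligible
    before = dac.active_delegates(PARENT_DELEGATES, PARENT_APPROVAL)
    dac.opt_out("KEY_A")  # alice withdraws; dave moves up into the top 3
    after = dac.active_delegates(PARENT_DELEGATES, PARENT_APPROVAL)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The two levers are deliberately separate: `active_delegates` consults only parent approval and the opt-in set, while `child_pay_rate` consults only child stake, which is the split the post describes between who runs the chain and what the chain's own shareholders get to decide.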