Consensus on the list of delegates

[sschechter]

This looks like a viable attack to me. A disruptive hard fork might be needed to overcome it.

The post-attack scenario is more like a company unable to hire anyone new, with a group of employees that are impossible to fire. Worse, these employees do not have to act in the best interest of the company, but they still receive pay (BTS) no matter their behavior, which they can constantly dump on the market for "real money". Not good, and not anything like today's "centralized" companies.

Not acting in the best interest of employees is one thing, it happens all the time in the real world.  But if it doesn't act in the best interest of its customers, its customers will no longer use its services and the shareholders will dump their shares.  The result is that the hostile employees will destroy their own source of food.  This is not any more likely to occur in BitShares than it would any other brick and mortar company.  At the end of the day, a hostile entity with enough resources can damage any company they feel like.  Should someone want to damage the airline industry, they can fly planes into buildings.  Extraordinary circumstances in which you cannot prepare for require resolution, not over engineered solutions to prevent it from ever happening.  Otherwise, you'd spend all your time coming up with solutions to edge cases without ever building any products.

[Ander]

I believe (with only moderate confidence, I could easily be convinced otherwise by good evidence) that the network if you get 51% of delegates into a hostile state, then this requires the userbase of Bitshares to hard fork to fix the situation.  A hostile delegate includes one that is accepting bribes in order to collaborate with the other hostile delegates.


Ultimately, a blockchain derives value from the size of its network.  Such an attack would split the network into the two forks, and users would be forced to choose between them.  It should be fairly clear what has occurred, and almost all of the users should choose the chain without the hostile delegates.  If people do not support one chain unanimously, then the value of the network will be split into the two forks depending on the number of users who support each one.



Obtaining a delegate spot is relatively difficult, and requires one to build a reputation.  Maintaining a delegate position is also difficult and requires creating value for bitshares, so if the attack is not executed very quickly, there are ongoing costs. 

https://bitsharestalk.org/index.php?topic=13864.msg180306#msg180306


If many delegates are replaced in a short period of time, this is a massive warning flag to everyone to be extra aware of the possibility of attack.

The cost to a delegate who engages in hostile activity (either directly or taking bribes to collaborate), is to potentially lose their delegate position.  Either the attack fails, and those who tried are voted out.  Or the attack succeeds, the userbase is upset at the results, and hardforks back to a good state and removes the offending delegates. 



From a game theory perspective, the major thing working in our favor is that bad actions result in loss of reputation, and it is difficult (expensive) to build reputation.

[Chronos]

Come-From-Beyond has been explaining for 6 pages, haha. I'll summarize:

• 51 of 101 delegates decide they never want to be fired (via bribery, for example).
• These delegates ignore all blocks from the other 50 delegates. Their chain is longest, so it is accepted. The 50 are powerless.
• The 51 delegates ignore all transactions that vote them out, but they still produce blocks without these transactions.
• In the end, the accepted longest chain never votes them out. They can sell all BTS and maintain control of the chain.

Do I understand correctly?

[Troglodactyl]

This looks like a viable attack to me. A disruptive hard fork might be needed to overcome it.

The post-attack scenario is more like a company unable to hire anyone new, with a group of employees that are impossible to fire. Worse, these employees do not have to act in the best interest of the company, but they still receive pay (BTS) no matter their behavior, which they can constantly dump on the market for "real money". Not good, and not anything like today's "centralized" companies.

Can you explain how this is viable?

[Chronos]

This looks like a viable attack to me. A disruptive hard fork might be needed to overcome it.

The post-attack scenario is more like a company unable to hire anyone new, with a group of employees that are impossible to fire. Worse, these employees do not have to act in the best interest of the company, but they still receive pay (BTS) no matter their behavior, which they can constantly dump on the market for "real money". Not good, and not anything like today's "centralized" companies.

[cube]

Welcome ComeFromBeyond, and thanks for your ideas! 
I think it is important that we all analyze to try and find realistic attack scenarios.  If we know about them, then we could make any necessary changes to prevent or disincentivize them.


I would love to see DevShares used as a testing ground for this.  There should be people trying to attack DevShares, empirically testing these attack ideas so that we can analyze the results: how much did it cost, and what hard was done?

Yes, we should take in critical analyses that helps to harden bitshares defence.  Come_From_Beyond can only help as much as the information given to him.

[Ander]

Welcome ComeFromBeyond, and thanks for your ideas! 
I think it is important that we all analyze to try and find realistic attack scenarios.  If we know about them, then we could make any necessary changes to prevent or disincentivize them.


I would love to see DevShares used as a testing ground for this.  There should be people trying to attack DevShares, empirically testing these attack ideas so that we can analyze the results: how much did it cost, and what hard was done?

[Troglodactyl]

In the BitShares network, as long as there are some delegates who continue building on the longest valid chain, and including valid transactions, that group will have an advantage over any group that ignores valid blocks. Even if they start out outnumbered, they can replace delegates by including votes, while hostile groups can only ignore honest delegates.

We assume that majority is bribed. Hence even if honest delegates build one chain and dishonest ones build another, the latter will be longer.

OK, what you're missing is that while the dishonest delegates are forced to ignore the honest ones, the honest delegates do not suffer the same disadvantage. The honest delegates can continue dropping honest leaf blocks on the hostile chain for as long as the hostile chain is longest. Eventually one of those leaves will give them the majority they need to permanently banish the hostiles.

[sschechter]

In the BitShares world, delegates are not government representatives, they are employees of a company. If your scenario happens, what is the actual harm done?

You call them employees but this doesn't change the fact that they can exclude those employees who try to publish orders leading to their firing.

The harm is this - the employees will be employed forever and here we come to a work-around - noone should be a delegate indefinitely. Isn't it why the USA president can't be elected more than twice?

No, this has nothing to do with term limits and presidents.  In your scenario, shareholders can no longer fire employees, only the other employees can.  This is the way Google or any other company works.  In order to get hired, you need approval from Google's employers - no outside opinions matter. No matter how much this forum may like me (if at all ), they can't vote me into a paid position with Google. Delegates have simple job. The only power they have is to keep their own job if they collude, in your extraordinarily, unlikely, hypothetical scenario.

At the end of the day, when all else fails, human intervention will fix this problem. Whether or not you think this solution meets an arbitrary definition of what you think is 'good' is irrelevant.

[Come-from-Beyond]

If I'm an honest delegate, and I see that the longest chain is the hostile chain, I just have to sign my honest vote including block on the end of that formerly hostile chain, and at that point my honest chain is now the longest chain.

Then hostile delegates ignore your block and extend their chain with 2 blocks making shareholders to pick theirs.

[Come-from-Beyond]

In the BitShares network, as long as there are some delegates who continue building on the longest valid chain, and including valid transactions, that group will have an advantage over any group that ignores valid blocks. Even if they start out outnumbered, they can replace delegates by including votes, while hostile groups can only ignore honest delegates.

We assume that majority is bribed. Hence even if honest delegates build one chain and dishonest ones build another, the latter will be longer.

[Troglodactyl]

Sure, they'll be excluded from confirmation in the hostile chain, but they'll still be the leaf blocks in that chain after every honest delegate turn.  Each such honest leaf block can include votes that replace the hostile delegates and heal the chain.

...and heal a shorter chain. I don't get why someone would adopt a shorter chain. What lines of the code will make them do so?

If I'm an honest delegate, and I see that the longest chain is the hostile chain, I just have to sign my honest vote including block on the end of that formerly hostile chain, and at that point my honest chain is now the longest chain.

[Come-from-Beyond]

In the BitShares world, delegates are not government representatives, they are employees of a company. If your scenario happens, what is the actual harm done?

You call them employees but this doesn't change the fact that they can exclude those employees who try to publish orders leading to their firing.

The harm is this - the employees will be employed forever and here we come to a work-around - noone should be a delegate indefinitely. Isn't it why the USA president can't be elected more than twice?

[Come-from-Beyond]

Sure, they'll be excluded from confirmation in the hostile chain, but they'll still be the leaf blocks in that chain after every honest delegate turn.  Each such honest leaf block can include votes that replace the hostile delegates and heal the chain.

...and heal a shorter chain. I don't get why someone would adopt a shorter chain. What lines of the code will make them do so?

[Troglodactyl]

If we come to the problem from another side...

Let's assume that 20 honest delegate is indeed enough to outweigh the other 81 ones. Then we should agree that in situation when 61 delegates vote for no change, 20 delegates vote for scenario A and 20 delegates vote for scenario B we will be completely confused what branch to follow - A or B. Hence this can be used to fragment the network. It's so obvious that I can't even provide a formal proof (trivial things are very hard to prove).

The only flexibility the delegates have is to ignore valid transactions or to ignore valid blocks and make their own fork.

If all the block signers in any blockchain network decide to ignore all other signers' blocks, then sure, they'll create lots of equally illegitimate forks and make a mess of things.

In the BitShares network, as long as there are some delegates who continue building on the longest valid chain, and including valid transactions, that group will have an advantage over any group that ignores valid blocks. Even if they start out outnumbered, they can replace delegates by including votes, while hostile groups can only ignore honest delegates.