Incentivized attacks: Why the Game of Stakes method is the archetype for network viability
How do rational actors with incentives to exploit the system behave in an open source, open entry environment? That is a rather tricky challenge to overcome when developing blockchains and Zaki Manian has some handy advice.
When it comes to the development of blockchains, one explicit challenge that consistently emerges is understanding how rational actors with incentives to exploit the system will behave in an open source, open entry environment. For some time, Tendermint Inc. has been dedicated to moving classical BFT algorithm design from academic research to production environments to provide an alternative to Proof-of-Work based Nakamoto Consensus.
The challenge here is greater still, given that no prior classical BFT system has ever been operated under this type of environment. With this in mind, and prior to the launch of the Cosmos Network, we recently designed and ran the Game of Stakes, a novel participatory experiment to see what expected and unexpected problems might arise in operating a BFT system under purely selfish rational motivations.
The need for provable security
Fully aware of how critical security and resilience are to a network’s success, blockchain developers are now seeking a new approach when it comes to testing the viability of their platforms. Instead of unexpectedly discovering flaws or glitches as they happen post-launch, blockchain developers are starting to turn towards pre-emptively detecting potential flaws pre-launch by actively encouraging users to poke holes in the system and uncover any potential vulnerabilities.
Seeking an innovative way to test the viability of a blockchain project in advance of the launch of the Cosmos Network, Tendermint Inc., the lead developer behind the project, designed the Game of Stakes. An experiment intended specifically to test network integrity, the Game of Stakes encouraged participating developers to do their best to kick others out of the network. Providing invaluable data on how collusion and deception interact with the incentive layer of a Byzantine Fault-Tolerant (BFT) Proof of Stake system, this trial by fire incentivized developers to find vulnerable systems and take users offline. While we know that testnets help to form the validator community of a network, incentivized attack initiatives such as Game of Stakes go one step further by helping to solidify the community into a group of operators who can dynamically adapt to network conditions.
Trial by fire
The structure of these “trials by fire” may differ based on a network’s needs but fundamentally rely on financial incentivization for players to attack the specific network being tested. When each attack occurs, the team can then analyze the behaviors of the players and the mechanisms at play, which will, in turn, provide a deep understanding of how the network might perform once launched. By using a game structure to incite a battlefield on top of a network, mechanisms looking to test their security and scalability can demonstrate the existence and enthusiasm of a community of people who profoundly understand the software and, most importantly, are capable of operating it.
This is an exercise that more blockchains should be implementing before they go live, in order to ensure the network’s legitimacy, viability, and quality. In this way, the Game of Stakes model, and the trial by fire it initiates, is likely to become the archetype for blockchain industry network launches.
State of play
Motivated by real crypto-economic rewards, the Game of Stakes participatory research experiment model entices developers to beta test networks by:
- Modifying their software and colluding with other players to censor players’ abilities to participate in consensus and accumulate stake.
- Searching for misconfigured validator setups and attempting to exploit them and block other players from accumulating stake.
- Targeting other players’ nodes with false or deceptive traffic.
The precise structure of these incentivized attack initiatives will depend on the network implementing them, but as with Game of Stakes, the aim will be to increase participation on the testnet by putting up bounties. Walking away with a bounty, winners of the game would typically be those who demonstrate the highest uptime in the face of a highly adversarial environment. The goal of the testnet game in advance of a network launch is to simulate a mainnet environment to stress-test all the features. This stress-testing is vital for any network to ensure that it is stable, in preparation for mainnet.
Incentivized attacks as a defense mechanism
A gamified incentivized attack allows a team to test the boundaries of a network. Knowing that hundreds, if not thousands, of validators will be looking to contribute to a project after mainnet, it’s crucial that the network is able to scale and accommodate high transaction volumes if it is to remain viable.
It is also an opportunity to impose an adversarial environment in which we can predict various attack scenarios, measure the boundaries of worst-case outcomes, and estimate the cost of executing similar attacks on mainnet. Exposing a network’s validators to cartel-forming scenarios means that if they detect this activity pattern on mainnet, they are already trained to circumvent these familiar attacks.
Key learnings from Game of Stakes and mainnet launch
- Firstly, in comparison to Game of Stakes, mainnet has actually been very peaceful to date. Game of Stakes was a pathological worst-case environment that would be difficult to replicate on mainnet, but a very worthwhile experiment in terms of preparing for all eventualities.
- While 2018 saw the launch of multiple Cosmos testnets which contributed to the formation of the validator community, Game of Stakes solidified this community into a group of operators who can dynamically adapt to network conditions. The inherent value of this to the future development of the Cosmos Network cannot be overstated. At the conclusion of the game, I recommended an ATOM allocation to 50 winners who demonstrated skill at adapting to the adversarial network conditions and, in doing so, contributed to helping to prepare the mainnet. We’re very grateful to all of those who took part.
- Our biggest concern ahead of Game of Stakes was that there would be no attacks, that the experiment would be boring, and that nothing would happen. Game of Stakes was designed as a learning experiment and a test of the network, and peace and quiet would have been entirely useless for our purposes. The fact that we saw Sybil attacks, pre-commit censorship and Denial of Service (DoS) can be chalked up as a positive, providing, as it did, the opportunity to observe and understand how the network would fare when confronted with this type of activity from malicious actors. All of this network activity took place 24 hours a day, which is the reality of decentralized global networks, and it was particularly valuable to have the chance to observe it prior to the mainnet launch of the largest ever distributed global BFT network.
A design for the future
The incentivized attack initiative is an archetype that we can and should be witnessing with every network that is under development and seeking to launch in a smooth, stable and secure manner. In creating such methods for testing a network, we’re able to return to the crux of blockchain technology: decentralized, community-driven exploration and implementation of a technology with the potential to change the way we interact with every aspect of society.