I see, so over 2/3rds of validators need to be “good” in order to ensure both safety and liveness (forward progress of epochs).
This means that an attacker would have to get control of 1/3rd of validators, which leads to the question of how much CELO would be required to get control of 1/3rd of validators…
Naive Approach
If we assume that an attacker can control 1/3rd of validators with 1/3rd of locked Celo, then at 60% of outstanding Celo locked, an attacker could stall the network with 20% of outstanding Celo (which is currently about $160M based on a market cap of $800M).
Empirical Approach
Just looking at https://celo.org/validators/explore it seems possible to get validators elected for about 0.3-0.6% of locked Celo. So, it seems - to first order - that an attacker could get control of 1/3rd of nodes by building up ownership of about maybe 37*0.6 = 22.2% of locked Celo.
Encouraging more Celo to be locked increases the cost to the attacker of an attack, so I suppose that setting locked Celo rewards to maintain a certain percentage of locked Celo makes some sense. Looking at CELO ownership, there are only two current owners above 2.5% (18% is the reserve, who is the 55% - the foundation?):
I don’t have a good way to pick a number, but setting a target of 60% locked, which means probably somewhere around 20% CELO ownership for an attacker to stall the network, is ok.
@thezviad , @tim , @asa , how do you think the amount of locked CELO should be set (either directly or indirectly)?
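The naive and empirical cost estimates above, worked through as an added Python example (not code from the original post); the 110-seat validator set is an assumption chosen so that one third is the 37 seats used above:

```python
import math

# Constructed inputs reproducing the figures in the post above: $800M market
# cap, 60% of outstanding CELO locked, and roughly 0.3-0.6% of locked CELO per
# elected validator. VALIDATOR_SEATS = 110 is an assumption so that one third
# rounds up to the 37 seats the post uses.
MARKET_CAP_USD = 800_000_000
VALIDATOR_SEATS = 110
STALL_SHARE = 1 / 3  # controlling one third of validators blocks liveness

def naive_stall_cost(market_cap_usd, locked_fraction, validator_share=STALL_SHARE):
    """Naive model: validator share equals share of locked CELO, so the attacker
    needs validator_share * locked_fraction of the outstanding supply."""
    supply_share = validator_share * locked_fraction
    return {"supply_share": supply_share, "usd": supply_share * market_cap_usd}

def empirical_stall_cost(market_cap_usd, locked_fraction,
                         seats=VALIDATOR_SEATS, locked_share_per_seat=0.006,
                         validator_share=STALL_SHARE):
    """Empirical model: each elected seat costs a fixed share of locked CELO
    (the post's upper bound of 0.6%); seats are whole, so round up."""
    needed = math.ceil(seats * validator_share)
    locked_share = needed * locked_share_per_seat
    supply_share = locked_share * locked_fraction
    return {"seats": needed, "locked_share": locked_share,
            "supply_share": supply_share, "usd": supply_share * market_cap_usd}

def cost_by_locked_fraction(market_cap_usd, fractions):
    """Sweep the locked-CELO target and report both models' USD cost, which
    shows how raising the locked target raises the price of stalling the chain."""
    return [(f, naive_stall_cost(market_cap_usd, f)["usd"],
             empirical_stall_cost(market_cap_usd, f)["usd"])
            for f in fractions]

if __name__ == "__main__":
    for f, naive, emp in cost_by_locked_fraction(MARKET_CAP_USD, (0.3, 0.5, 0.6, 0.7)):
        print(f"locked {f:.0%}: naive ${naive/1e6:,.1f}M, empirical ${emp/1e6:,.1f}M")
```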
I wouldn’t fixate too much on specific value of CELO for malicious network takeover. When I think of network security/takeover from a single entity, I look at two options:
#1: malicious takeover for short term profits
#2: long term takeover to steer direction of the network in a specific direction
When we talk about controlling 1/3 of validators or more (probably more like 2/3 of validators to actually generate fake blocks to somehow profit quickly), that is more in category #1. The reality here is that, if there is an attempt at a malicious short term takeover, there is always the last line of defense of hard forking the network too. The Celo network doesn’t operate in a vacuum. Important participants (like validators, exchanges, etc) can coordinate a hard fork in case of a large scale malicious takeover attempt. If you read some of the original ETH2 discussions, that option is always mentioned in there too. So while the amount of CELO for doing such a takeover shouldn’t be too low, it doesn’t really have to have some astronomic cost, because it is extremely unlikely for an attacker to manage to get their profits out before other participants of the network manage to take back control.
Now the more interesting discussion is around option #2, which is slowly taking over the network by steering it in a specific direction. For this option, there is no need to do anything with the validators. And it wouldn’t really be malicious either. The network is already governable and changeable through governance. If you own something like 25-50 million CELO, you can propose and potentially pass a lot of proposals. Especially as the Celo Foundation divests its holdings, it will become more of a possibility for large single holders to shape the network through governance. So if an entity owns that much CELO, they don’t really need to take over the network through validators; they can start pushing the network towards their preferred setup through regular governance.
It’s a bit more of an art than a science but I think anywhere between 50-70% of non-reserve CELO being staked is a good target. I do agree with @thezviad that there are off-chain ways to mitigate a takeover for now but as chains become more and more interoperable that will likely become less true, as these sorts of attacks may wind up impacting other chains which are unlikely to hard fork to “fix” the attack.
@Pinotio.com the 55% address you see has to be the LockedGold contract.
However, I would love to hear from these folks how else we should reduce CELO emissions right now given that we are overspending.
@nambrot this presumes that there is a desired level of issuance which I argued against in a previous post on this thread and will continue to argue against.