
Why Harvard Research on a Low-Profit Tezos Attack Matters for Proof-of-Stake

The study reveals some of the understudied aspects of proof-of-stake cryptocurrencies.

Updated Sep 13, 2021, 12:06 p.m. Published Jan 8, 2020, 9:00 a.m.
Baking image via Shutterstock

A recent academic study finds that Tezos is exposed to a form of "selfish mining," and the attack model it develops applies to other live and forthcoming proof-of-stake (PoS) cryptocurrencies as well.


That’s the finding from Selfish Behavior in the Tezos Proof-of-Stake Protocol, published last November by then-Harvard researcher and current Google engineering intern Michael Neuder.

The paper from Neuder and other Harvard researchers shows that “selfish endorsing” attacks in Tezos, a variant of selfish mining adapted to the network’s endorsement mechanism, are profitable, albeit only marginally.

Luckily for Tezos, the selfish mining concern can easily be patched through the network’s flexible on-chain governance model, which conducts periodic votes for protocol changes in lieu of hard or soft forks.

“It was a great research paper and we’d love to see more focus on economic and complex-system-interactions in cryptocurrency systems in academic and industrial research,” Tezos Foundation Chief Security Officer Ryan Lackey told CoinDesk in an email. “Thanks to our governance model, it’s pretty easy to get [the fix] adopted.”

However, the ability to push protocol changes through quickly raises questions about the trade-offs involved in on-chain governance, how voting works and the possible consequences of staking centralization.

Key findings

As the researchers describe and model, a Tezos baker (the network’s term for a block producer, the counterpart of a “miner”) can be rationally incentivized to bake its own blocks and collect endorsements for them off the main chain, producing a competing fork that the network may then accept in place of the honest one.

Through the attack, the baker collects both the block reward and the endorsement rewards for the blocks on its fork, and can repeat the attack until it is detected. If exposed, the baker’s stake (its security deposit) can be "slashed," punishing the baker for dishonest baking.

In Tezos, stakers earn a fraction of a block reward for endorsing a newly baked block, which packages network transactions. Selfish mining is a concern in Nakamoto-style consensus protocols, Tezos included, that follow a longest-chain rule: participants treat the longest chain (in proof-of-work, the chain with the most accumulated work) as the canonical one. In Tezos the analogous measure is the chain’s fitness, which endorsements raise, so endorsements, not hash power, are what a fork competes on.
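As an added illustration (not code from the article or from the Neuder paper), the following Python simulates the original selfish-mining strategy of Eyal and Sirer against a longest-chain rule and compares the result with their closed-form revenue formula. It models proof-of-work selfish mining, not the Tezos selfish-endorsing variant the paper analyzes, whose state space and rewards differ. The hash-power share `alpha` and the tie-breaking parameter `gamma` (the fraction of honest miners that build on the attacker's block during a tie) are the standard parameters of that model; the round count and RNG seed are arbitrary choices made here.

```python
"""Selfish mining under a longest-chain rule: Monte Carlo simulation of the
Eyal-Sirer strategy plus their closed-form revenue formula for comparison.
Added example; the parameters below are illustrative, not from the Tezos paper."""
import random


def selfish_mining_revenue(alpha: float, gamma: float) -> float:
    """Closed-form share of block rewards earned by a selfish miner with hash
    share alpha when a fraction gamma of honest miners builds on the selfish
    block during a tie (Eyal & Sirer, 2014)."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den


def simulate_selfish_mining(alpha: float, gamma: float,
                            rounds: int = 200_000, seed: int = 1) -> float:
    """Simulate `rounds` block discoveries and return the attacker's share of
    the rewards on the canonical chain.

    State: `lead` is the attacker's private-branch length minus the public
    branch length; `tie` marks the special state where two branches of equal
    length are racing after the attacker revealed a withheld block."""
    rng = random.Random(seed)          # seeded so the run is reproducible
    lead = 0
    tie = False
    attacker = honest = 0
    for _ in range(rounds):
        attacker_found = rng.random() < alpha
        if tie:
            if attacker_found:
                attacker += 2          # attacker extends own branch; both blocks win
            elif rng.random() < gamma:
                attacker += 1          # an honest miner built on the attacker's block
                honest += 1
            else:
                honest += 2            # honest branch wins the race
            tie, lead = False, 0
        elif lead == 0:
            if attacker_found:
                lead = 1               # withhold the block
            else:
                honest += 1            # attacker adopts the honest block
        elif lead == 1:
            if attacker_found:
                lead = 2
            else:
                tie, lead = True, 0    # reveal the withheld block: a tie
        elif lead == 2:
            if attacker_found:
                lead = 3
            else:
                attacker += 2          # reveal both blocks; attacker's branch wins
                lead = 0
        else:
            if attacker_found:
                lead += 1
            else:
                attacker += 1          # reveal one block, keep the lead
                lead -= 1
    return attacker / (attacker + honest)


def selfish_mining_pays(alpha: float, gamma: float) -> bool:
    """True if the strategy earns more than the honest share alpha."""
    return selfish_mining_revenue(alpha, gamma) > alpha


if __name__ == "__main__":
    for a in (0.2, 1 / 3, 0.4):
        print(f"alpha={a:.3f} gamma=0: formula={selfish_mining_revenue(a, 0.0):.4f} "
              f"simulated={simulate_selfish_mining(a, 0.0):.4f} "
              f"pays={selfish_mining_pays(a, 0.0)}")
```

With alpha = 0.4 and gamma = 0 the strategy yields roughly 48 percent of the rewards, well above the 40 percent an honest miner would earn; at alpha = 1/3 the formula gives exactly 1/3, the classic break-even point, and below it the strategy loses revenue. That is the same qualitative picture the Tezos paper reports in its own model: the attack pays only for large stakes, and the margin is small.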

The attack is far from lucrative, however, for two reasons.

The net payout of an attack is insignificant: a mere 255 XTZ ($336 at today’s prices) over one year for an attacker staking 40 percent of the network’s outstanding supply. It is also highly costly if detected, since validators can have their stake taken away when dishonesty is uncovered. Still, according to Messari research analyst Wilson Withiam, the study exposes understudied aspects of PoS.

“It goes to show how little we know about PoS mechanisms, let alone one in a working environment,” Withiam told CoinDesk. “As the less understood consensus mechanism next to Proof-of-Work, most PoS attack vectors may remain unknown, and code changes like those implemented via [Tezos governance update] Babylon could continue to unveil new vulnerabilities on live networks.”

Withiam said that with more PoS networks launching in the near future, such as Eth 2.0 and Libra, understanding selfish-mining attacks remains “vital.”

Tezos’ take

The attack may be unlikely given its low payoff and the cost of being caught, but Tezos is still taking the issue seriously. An ongoing election is expected to pass a network upgrade altering endorsement incentives, according to Adrian Brink of Tezos blockchain research firm Cryptium Labs.

“It’s important to understand that most of these attacks (like selfish baking) are not short-term dangers but rather long-term dangers, since they are obvious if executed and only start to have a serious impact if executed over months to years,” Brink said via email.

The episode highlights Tezos’ on-chain governance, a feature few current blockchain protocols share.

For selfish mining, Brink said changing incentives to decrease the likelihood of attacks is the goal.

“[The update] hardens the security model in order to make more likely attacks (such as the selfish baking attack) unprofitable for attackers unless they acquire a very large percentage of the stake,” said Brink.

Even with careful protocol engineering, building a system that is secure as a whole remains difficult, Brink said.

“Generally it’s impossible to build a security model which is secure against everything,” he said. “Bitcoin’s mining model has many weaknesses and there have been countless papers written about it. So the trick with designing these systems is to make the right trade-offs.”

On-chain governance and staking centralization

Network attack vectors such as selfish mining highlight Tezos’ on-chain governance and the ability to address headaches before they become migraines.

Yet, compared to other chains, Tezos has taken a largely untested path for a large-cap coin that needs both censorship resistance and stability.

For Tezos, the mounting centralization of staking on exchanges could have many unknown consequences.

As data firm Coinmetrics pointed out, the number of addresses staking 0.1 XTZ or more on Coinbase jumped 30 percent in one month following the exchange’s “free staking” announcement. What are the possible outcomes for mass staking on publicly identifiable – and therefore censorship prone – exchanges?

“Staking with coins held on an exchange is simpler than delegating or staking directly,” said Castle Island Ventures partner Nic Carter. “It's not surprising to me. Exchanges are kind of neo-banks serving the crypto community.” (Carter holds investments in XTZ.)

Carter said voting-based systems such as PoS require “a robust civil society.” In other words, information and participation are worth their weight in gold for these protocols.

“I think Tezos has done well in that respect,” Carter said. “They have high participation and generally an eagerness on the part of token holders to participate. Whether this impairs the censor resistance of the protocol – that's an interesting question we will grapple with soon, I believe.”
