Jump to content

Limiting the total amount delegated into pools

Guest Queen Galadriel

Recommended Posts

Guest Queen Galadriel

After some discussions, we propose that there should be a maximum healthy delegation cap for pools at the protocol level. For example, this could be 5% of the total amount staked (exact numbers to be decided together). At 10m staked, a single pool could have maximum 500k eGLD at once.
Unlimited cap barely brings any benefits, but opens us up for more trouble. We do understand that you could simply by-pass this by making a second pool, but why make it easier than it needs to be to begin with?
This would be very beneficial for decentralization and would prevent situations similar to Ghash.io reaching 51% in 2013 (which they did with solo miners, in our case that would be solo delegators).

Different proposals were given:

  • Flexible % limit of total stake, for example 5%.
  • Hard absolute number of units, for example 600k delegated.
  • Limit per contract vs. limit per contract owner.

Featured and Partner pools would be required to not intentionally bypass these restrictions as they can be bypassed. In the worst case, this benefits nobody but it does not cause any damage either and can be implemented easily (choice 2).

Link to post
Share on other sites

I agree a limit is needed. Not at all urgent in phase 3 because node scarcity has mostly set the landscape until phase 4. But it will become increasingly important in the future.

My suggestion after phase 3 is a combination of Galadriel's points 2 and 3: an agency would be able to receive delegations up to n times their own direct stake in their pool (e.g., n=20 with the minimum 1250 EGLD needed for creating a pool gives a 25000 EGLD delegation cap) AND no more than a fixed set max. amount like 500k EGLD.

The absolute max and the n multiplier have no impact on new and small agencies until they reach n * 1250, and they can keep raising their max cap over time by staking to their own pool some of their fees. Partner agencies who are earning decent fees in phase 3 and have been involved since genesis should have no problems staking the required amount on top of the min. 1250 EGLD if they wish to keep their delegation cap at the absolute max.

Sure, a cap can be bypassed with several pools but at least the 1250 EGLD + growing direct stake for larger pools makes it more expensive and brings back a tiny bit of the skin in the game argument.. Few solutions are ever perfect.

To answer some of the points raised on Telegram:

- the scenario is not that a normal, profitable SP one day decides to go rogue. But anyone can be hacked or coerced by a sufficiently determined adversary: 0-days, stolen ssh keys, insider jobs at the agency or its hosting providers, rubber-hose cryptanalysis, ... This is paranoid thinking today, but in a billion people economy? Agencies of any size, especially long-established and transparent ones, have the added vulnerability of being more visible and having no plausible-deniability to the general public, not just to their accountant, bank clerk, tax man and hosting company.

- cryptography and the sound design of the protocol can only guarantee that control over a given fraction of stake, or actually control over the corresponding node keys, is required to attack the network. If other ways exists to gain such control that are cheaper than buying/borrowing that many tokens, the weakest links are the operators, the infrastructure, and the behavior of the delegators, see next point, so it's wise to consider the case of one or a few of the largest being compromised.

- for a concrete scenario that does not even require compromising any existing agency: with little (1250 EGLD + server and marketing budget) compared to potential delegations, a determined attacker can start and keep undercutting all honest agencies for years (our hardware is cheap) and inflate the returns offered by his agency through 0 fees, ESDT airdrops and all sorts of marketing. Many delegators will inevitably move to it sooner or later - afterall the guy will have been delivering for a while...

Looking at how these things are addressed or not in other projects and whether similar attacks have ever occurred is beside the point as long as some mitigation if not a complete solution can be implemented. Let Elrond break new ground here too! What exactly one does after gaining control of a shard, and whether the resulting loss and collateral damage make it unrealistic, are also beside the point. Can we really assume the time will never come when simply taking down a successful blockchain may be a goal for someone with enough resources to try?

Edited by Flying Stone
Link to post
Share on other sites
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...