Risk Assessment for Validators and "Stake Flip Attack"


Exciting to see the fast progress of the validator community! I have been working on a risk assessment for validators, inclusive of everything it should take to run a validator. Please check it out: https://bubowerks.io/blog/2018/08/03/risk-assessment-of-cosmos-tendermint-validators/
I would appreciate any feedback before the next step: figuring out the best means of dealing with each of the threats presented.

In the process of looking at the risks, I came up with something I’m dubbing the Stake Flip Attack: https://bubowerks.io/blog/2018/08/08/stake-flip-attack/
Basically the idea is that an attacker could delegate some of their stake to a legitimate validator(s) and then pull it out when they want to elevate their validator. It doesn’t decrease the amount of stake an attacker would need to take over the network, but would be a rather unexpected way to promote a validator, so it is worth thinking about. Probably the more general question is: how does Cosmos Hub intend to prevent a very resourceful attacker (think nation state) from buying enough stake to get over two-thirds voting stake in the network, especially if they do so through many separate entities?

Thoughts on both the risks in general and the stake flip attack appreciated!



Supply and demand should handle this quite effectively. The markets increased desire for atoms, and validators wanting to use their current atoms should cause the atom price to rise. Thus the cost to get 2/3rds will be greater than 2/3rds of the market cap.


Oh sure – think of it as a hostile takeover in the stock market. In that case, other investors see the one investor buying up all the stock, trying to get to 51% and they either oppose selling at all costs, or try to maximize the price they’ll sell for. The price paid per share to get that last 1% is way more than when they started buying up stock.

Now since this isn’t a regulated market, it’s much easier for an entity to be buying atoms through multiple fronts, pretending to be multiple independent validators. That activity will still drive the price up, but not as sharply because no one else knows what’s going on. The other consideration is do we know who all bought Atoms in the ICO, in a Know Your Customer (KYC) type manner?

We should keep in mind here that unlike something like bitcoin, the value here to the attacker isn’t the native coin itself, but rather control of the transactions, which may allow them to steal far more in other cryptocurrencies than the atoms are worth. It’s like breaking into Intercontinental Exchange – sure, their $78B in assets is nice, but most of it is illiquid, and far more appealing is the $43B flowing through there every day. Note that the NYSE has specific controls to prevent such attacks, such as the money flowing through different channels – something that would not be true if you’re directly trading Etherium for Bitcoin.

Hope I’m not sounding too much like a Negative Nancy – I raise the issue because I think it is a promising system… and unfortunately that means some bad folks are probably thinking the same.