Most existing blockchains rely on a key security assumption: if the validators (or miners) were to corrupt the system enough to steal a lot of money, the money they stole would become worthless, since trust in the system would be destroyed. For example, if a 2/3rds majority of token holders on the Cosmos Hub gave themselves all the Atoms of the other 1/3rd, Atoms would soon become worthless since everyone would know that the system was not to be trusted.
This assumption breaks down when we consider a chain which has more money locked in a bridge than its staking tokens are worth. For example:
The bridge
The Hotdog Zone is used to buy and sell hot dogs. It has a staking token, HotDogCoin which serves the same purpose that Atoms do on the Cosmos Hub. But hot dog customers do not want to use some kind of weird hot dog coin. They want to use a stablecoin which has an equivalent value to the dollar. Luckily, there’s another zone, the Dai Zone, which has such a stablecoin. So the Hot Dog Zone can use a bridge (IBC) to bring Dai stablecoin over into the Hot Dog Zone where people can spend it on hot dogs.
This bridge consists a module on the Dai Zone which locks up Dai. When you send the this code some Dai, it gets locked up, and a token representing Dai gets minted on the Hot Dog Zone. We’ll call it Hot Dog Dai. You can send someone some Hot Dog Dai on the Hot Dog Zone to buy a hot dog from them. When they want to move the Dai back over to the Dai Zone, they send it to a module on the Hot Dog Zone which destroys the Hot Dog Dai, while releasing some of the Dai on the Dai Zone.
The attack
This is all well and good, but what happens if an attacker gets more than 2/3rds of the HotDogCoin staking token? They can now upgrade the protocol to add a transaction that transfers all of the Hot Dog Dai to themselves (a totally valid state transition by the way!), and use this to take all the Dai in the bridge module on the Dai Zone.
When this happens, HotDogCoin will become worthless since the chain is compromised, but if there is more Dai in the bridge than the attacker spent to buy enough HotDogCoin to carry out the attack, this is worth it.
The situation that a zone secures more value than it staking token’s market cap will be very common in a mature, realistic market. Many businesses handle much more money than their market cap. This is especially true for marketplaces, payment processors, and other types of industries that are well suited to the use of a blockchain.
The mitigation
The key to mitigating this attack is to create a situation where the theft of the asset in the bridge will make that asset worthless, to bring back the time-tested security assumption mentioned at the beginning of this post. One easy way to do this is to make sure that both zones share the same validator set.
In the example above, Hot Dog Zone could only accept validators that are also validating on Dai Zone. Now, if an attacker buys up enough HotDogCoin tokens to try to rob the bridge, they will need get their changes past the Dai Zone validators. If the Dai Zone validators allow this attack to proceed, the Dai Zone stablecoin will become worthless since its validators are unquestionably compromised.
@zaki any thoughts?