README.md

CIP	Title	Author	Comments-URI	Status	Type	Created
0045?	Pledge-Based Saturation Limit Under a Closed System	Jay Pseudonym Cappucino <jycappucino@gmail.com>	https://forum.cardano.org/t/cip-stake-decentralization-using-pledge-as-a-bidding-parameter-to-determine-saturation-limit/95936	Draft	Process	2022-02-28

Abstract

This proposal attempts to solve the ongoing stake centralization by allocating pool saturation limit in proportion to pool pledge while at the same time guaranteeing that the total saturation limit is always equal to the circulating supply regardless of the number of pools and pledge status, i.e., whether the ecosystem is under-pledged, fully-pledged, or over-pledged. The specification under this proposal is governed in a very dynamic manner using a set of well-defined equations which allows the staking mechanism to operate without the need for frequent network consensus.

Motivation

With the current saturation limit set at 68 M per pool and with 3119 pools (epoch 321), the current staking mechanism can accommodate a total stake of 212.1 B ADA (68M*3119). This amount of ADA is 543% in excess of the current circulating supply of 33B. Because of this substantial saturation limit, one can set up a few pools and offer lucrative rewards to capture a sizeable amount of stake (e.g., Binance APY is 17.7%). This leads to centralization and weakening of the ecosystem against Sybil attack. Staying true to the nature of Ouroboros, we describe a mechanism that uses pledge as a stake-bidding parameter under a closed system, i.e., the ecosystem total saturation limit is always equal to the total ADA in circulation. The proposed mechanism ensures that no single entity can get away with excessive stake without putting up a hefty pledge and expending for computing and related infrastructure. This expense, likewise, confers the ecosystem a very high resistance against Sybil attack. For epoch 321, the cost to conduct a Sybil attack under this CIP is millions in pledge and at least 1108 adversarial pools. We dare say that the cost to conduct a Sybil attack under the current protocol is 0 pledge in ADA and at least 177 adversarial pools only. This number of adversarial pools needed to attack the ecosystem under the current protocol does not change even if the total number of pools increases, unless the saturation limit (68 M) is decreased. These pools can be readily saturated using lucrative ISPOs and had been demonstrated during the Sundaeswap ISPO which involved 98 pools that were at or near saturation. We, therefore, posit that this CIP is not only fair to all but also enhances decentralization and better security than the current protocol.

Specification

Nonmathematical Description

Under this CIP, there is no barrier to entry to set up a pool, but there exists an optimal pledge which is used as a yardstick to determine pool saturation limit in proportion to pledge.

• The ecosystem total saturation limit is always equal to total ADA in circulation.
• The optimal pool saturation limit is equal to the total ADA in circulation divided by the total number of pools.
• Individual pool saturation limit is optimal when pool pledge = optimal pledge
• Individual pool saturation limit decreases exponentially when pool pledge < optimal pledge.
• Individual pool saturation limit increases only incrementally past the optimal saturation limit when pool pledge > optimal pledge.
• The ecosystem is under-pledged when the ecosystem total saturation limit < circulating supply. The saturation limit unclaimed by under-pledged pools is equal to the circulating supply minus the ecosystem total saturation limit.
  • Under this condition, pools can over-pledge to “borrow” additional saturation limit unclaimed by the under-pledged pools.
  • If there is still unclaimed saturation limit even after some pools have over-pledged, the unclaimed saturation limit will be distributed in accordance with Equation 1.
  • However, the distributed unclaimed saturation limit can still be claimed by any pool by continuing to pledge.
• The ecosystem is in equilibrium when the total saturation limit = circulating supply. Under this condition, only the under-pledged pools can continue to pledge to take back the borrowed saturation limit that was supposed to be allocated for them. The over-pledge pools’ excess saturation limit, on the otherhand, will continue to decrease as under-pledge pools continue to pledge until all excess had been returned. This and the proposition from the previous bullet point ensures that:
  • a closed system is maintained, which means that the ecosystem total saturation limit is always equal to the total ADA in circulation regardless of the pledge status of the ecosystem, i.e., under-pledged, fully-pledged, or over-pledged. TRULY OUROBOROS.
  • no single pool has a saturation limit that dwarfs other pools’ limits, encouraging decentralization.
  • since the ecosystem total saturation limit is always equal to ADA in circulation, the ADA delegation per pool will be more or less even.
• Optimal pledge decreases down to a minimum as the total number of pools increases but increases exponentially as the total number of pools decreases. This mechanism addresses Sybil attack:
  • optimal pledge becomes expensive when the total number of pools decreases, thereby increasing the expense to conduct a Sybil attack.
  • expense to conduct Sybil attack also increases as the total number of pools increases because although the optimal pledge decreases, optimal saturation limit decreases as well. Therefore, the attacker needs to setup a very large number of pools in order to obtain 51% of the total delegated ADA.

Mathematical Description

Calculating Optimal Pledge

where p_opt is the optimal pledge, φ is the amount of ADA in circulation (currently 33B), k is the total number of pools, and n is a variable that is determined via consensus to warrant an economically viable optimal pledge (p_opt). Therefore, it appears that n is a variable that the community can vote for adjustment to increase or decrease p_opt. In effect, it can be used to control the total number of pools (k) so that at some value n, the ecosystem gradually settles to some value k which the community thinks is the optimal value. It is very important that k is tightly controlled by n, and k should only increase according to some parameters, for example, with increasing user demand. So that even if k is large, all pools are still minting blocks because of high user demand.

If we set n =15,

scenario 1 (very small number of pools):

• k = 500,
• p_opt = ~ 774,763 ADA per pool

scenario 2 (current number of pools):

• k = 3119 (epoch 321)
• p_opt = 47,205 ADA per pool

scenario 3 (very large number of pools):

• k = infinity
• p_opt = 27,440 ADA per pool

Conclusion: p_opt becomes cheaper as the total number of pools (k) increases, but more expensive as the total number of pools decreases. Setting n = 15 is only for illustration purposes. The Cardano scientists and engineers may want to place a more restrictive value of this parameter. For example, at n = 14 and k = 3119, p_opt = 124k ADA.

Calculating Saturation Limit (α)

case 1: p_a ≤ p_opt

where:
φ/k is the optimal saturation limit
p_a = actual pool pledge
p_opt = optimal pledge
α_unc = saturation limit left unclaimed even after some pools have over-pledged. This variable is defined in Equation 7.
T_a = pool accumulated time of operation (in days) counting from day 1 of operation (read explanation below).
T_tot= total accumulated time of operation (in days) of all nonover-pledging pools only (read explanation below).

The first term of Equation 2 allocates saturation limit based on pledge, and ensures that saturation limit increases or decreases exponentially with pledge.

It is ideal that α_unc = 0, but if α_unc > 0, the second term of Equation 2 ensures its distribution. The distributed α_unc, however, can still be claimed by any pool by increasing its pledge.

Distribution of α_unc based, yet again, on pledge will further disadvantage those who are under-pledged. Therefore, we use accumulated time of operation,T_a, as a parameter for the distribution of α_unc. This mechanism ensures that the unclaimed saturation limit is distributed into pools that had been securing the ecosystem for the longest time. This manner of distribution prevents any would-be attacker, likely someone who had just registered a pool (or pools), from getting a significant portion of α_unc. This mechanism is very important when the number of pools (k) suddenly decreases to a very low number, making p_opt very expensive and leading to significant under-pledging. Under this condition, pools that are under-pledged but had been in operation for a significant amount of time will be rewarded with a significant portion of α_unc.

Example 1

• k = 3119 (epoch 321)
• p_opt = 47,205 ADA (at n = 15, see calculation in the previous section)
• p_a = 47,205 ADA
• α_unc = 0 (we will deal with nonzero values later)
• φ = 33B (current ADA in circulation)

α = $\frac{33B}{3119}$ $e^{1 - 47,205/47,205}$ = $\frac{33B}{3119}$ = 10.6M

Conclusion: Epoch 321 saturation limit for pools with at least 47,205 ADA in pledge is 10.6M (at n = 15). Setting the saturation limit to 10.6M would make some large pools to become oversaturated which will encourage delegators of these pools to move their stakes to small pools. It is very important that the number of pools (k) is properly controlled by the parameter n so that k remains optimal - i.e., even if k is large but optimal, no pool will be devoid of blocks.

Example 2 (same variable values as in example 1 but lower p_a).

• k = 3119 (epoch 321)
• p_opt = 47,205 ADA
• p_a = 30,000 ADA (for example)
• α_unc = 0 (we will deal with nonzero values later)
• φ = 33B (current ADA in circulation)

α = $\frac{33B}{3119}$ $e^{1 - 47,205/30000}$ = 6.0 M

Conclusion: Saturation limit decreases exponentially when p_a<p_opt which should encourage pools to achieve p_opt. In an under-pledged ecosystem, pools can over-pledge to borrow saturation limit unclaimed by the under-pledged pools (see next case).

case 2: p_a>p_opt (the equation is quite complex so please bear with me).

where:

• n = (p_a\p_opt) is an integer division (example: 4\3 = 1).
• $\frac{(x-|x|)}{2}$ returns 0 when x is positive, otherwise it returns the value of x.
• The first term in equation 3 (blue text) is the guaranteed saturation limit since the pool exceeded p_opt.
• The second term in equation 3 (red + green text) calculates saturation limit in excess of the guaranteed limit.
• The second factor of the second term in equation 3 (green text), is the penalty factor that is accounted when the ecosystem is over-pledged. This factor decreases (eventually going to zero) as under-pledge pools continue to increase their pledges. The decrease in the penalty factor, in turn, leads to the decrease in the excess saturation limit (red text) of all over-pledged pools. Therefore, the penalty factor ensures that over-pledged pools "return" the borrowed saturation limit even without further intervention.

Example 1: ecosystem is not over-pledged.

• p_a = 110,000 ADA
• p_opt = 47,205 ADA (n = 15)
• Δ = 1 (Please accept this for now. Proof is provided later.)
• current circulation supply (φ) = 33B ADA
• current total number of pools (k, epoch 321) = 3119

Because the system is not over-pledged, Equation 3 is reduced to:

Plugging in the values,

Conclusion: Since p_a/p_opt = $\frac{110000}{47205}$ = 2.33, the pool is guaranteed a saturation limit that is twice of $\frac{33B}{3119}$. The other additional limit $\frac{33B}{3119}$ $e^{-2.028}$ comes from the 0.33 fractional excess and is penalized exponentially.

Example 2: ecosystem is over-pledged.
Here, we will provide the derivation for the penalty factor (Δ) and we will prove that it leads to a closed system, i.e., the total saturation limit is always equal to the circulation supply no matter how under-pledged or over-pledged the ecosystem is. The penalty factor (Δ) has the following characteristics:

• Δ = 1, when the ecosystem is either under-pledged or at equilibrium. Under this condition, the excess saturation limit of over-pledged pools are unaffected. In essence, they are not yet "returning" any of the borrowed excess.
• Δ ⟶ 0, when the ecosystem is over-pledged and under-pledged pools keep pledging. Under this condition, the excess saturation limit of over-pledged pools decreases and approaches zero. In essence, they are "returning" the borrowed excess.

Using Equation 2, we first calculate the total saturation limit (α_total) excluding:

• saturation limit from over-pledges.
• unclaimed saturation limit (α_unc).

where p_ai is the actual pledge of pool i. Since the total saturation limit (α_total) can never exceed circulating supply (φ), the unclaimed saturation limit (α_unc) is then calculated as follows:

Realistically, some pools will be over-pledged and their total excess saturation limit (α_ovp) may be deducted from the circulating supply (φ) as follows:

Solving for α_ovp we have,

Now, we have to remember that the second term in Equation 3 calculates the excess saturation limit of an over-pledged pool. Therefore, the total excess saturation limit (α_ovp) can also be expressed as the sum of the second term in Equation 3 of all over-pledged pools and is given as follows:

where j is any over-pledging pool. Plugging in Equation 9 into Equation 8, we have:

Dividing both sides of Equation 10 by the left-hand side and simplifying, we have:

Now, we will prove that Equation 11 guarantees a closed system, i.e.,

Δ = 1, when the ecosystem is either under-pledged or at equilibrium.
Δ ⟶ 0, when the ecosystem is over-pledged, and under-pledged pools continue to pledge.

Case 1: Ecosystem is under-pledged and over-pledged pools keep over-pledging to borrow additional saturation limit: the total excess saturation limit is going to increase (red arrow) while unclaimed saturation limit is going to decrease (blue arrow). Therefore the numerator is going to increase (because the third term is negative) by the same magnitude as the denominator.

Case 2: Ecosystem is under-pledged and under-pledged pools keep pledging to claim the remaining saturation limit allocated for them: the second term in the numerator is going to increase (red arrow) while the third term is going to decrease by the same magnitude (blue arrow):

Case 3: Ecosystem is over-pledged (α_unc = 0) and under-pledged pools keep pledging to take back the saturation limit borrowed by the over-pledged pools: the total saturation limit of under-pledged pools increases (red arrow) which causes a decrease in the numerator (blue arrow) and, therefore, a decrease in the penalty factor. The decrease in the penalty factor, in turn, causes a decrease in an over-pledged pool’s excess saturation limit (see Equation 3). In this scenario, an over-pledged pool is simply returning the “borrowed” excess.

Case 4: Ecosystem is over-pledged (α_unc = 0) and fully-pledged and over-pledged pools keep over-pledging even when there’s no longer any saturation limit left for them to borrow: the denominator increases which causes the penalty factor to decrease. This, in turn, decreases the excess saturation limit of over-pledged pools but leave the saturation limit of all non-overpledging pools unaffected. This situation will cause the total saturation limit to go below the circulation supply (α_total < φ) even if the ecosystem is over-pledged. This decrease should be sufficient to prevent fully-pledged and over-pledged pools from continuing to pledge when α_unc = 0. However, such weakness may possiby be exploited. Hence, when α_unc = 0, continuing pledge from fully-pledged and over-pledged pools should be rejected.

Sybil Attack

We can calculate the total pledge to conduct a Sybil attack using the following equation:

We consider a scenario where some pools turn adversarial (k_adversarial), and we can give the best scenario for the attackers by assuming that their pools are fully saturated. We can then plot the total pledge to conduct a Sybil attack as well as k_adversarial vs the number of pools (k).

It is not surprising that the number of pools needed to attack the ecosystem (k_adversarial) increases linearly with the number of pools (left figure). This observation is in line with the expectation that an ecosystem's security should become more robust as the number of pools increases. Unfortunately, this expectation is not true for the protocol currently implemented in Cardano. Notice the existence of a minimum in the plot (right figure) at around 1600 pools. The total pledge to conduct a Sybil attack at this minimum is 45 M ADA in pledge (when n = 15) and at least 600 pools turning adversarial. The total pledge to conduct a Sybil attack increases as the number of pools either decreases or increases from this minimum. For epoch 321 at n = 15, the total pledge to conduct a Sybil attack is 52 M ADA in pledge and at least 1108 adversarial pools. We dare say that the total pledge to conduct a Sybil attack under the current protocol is 0 ADA in pledge and only 177 adversarial pools. This number of adversarial pools needed to attack the ecosystem under the current protocol does not change even if the total number of pools increases, unless the saturation limit (68 M) is decreased. These pools can easily get saturated by implementing lucrative (and maybe fake) ISPOs. This mechanism of stake centralization had already been demonstrated during the Sundaeswap ISPO which involved 98 pools that were at or near saturation.

New Reward Structure

This CIP describes a protocol that attempts to enhance decentralization but is vastly different from the current protocol that uses a reward structure which is a function of stake, pledge, and saturation limit. The current reward structure has known issues (described below) that is actually antagonistic to decentralization. While the current protocol is formulated based on game theory, the would-be protocol from this CIP is not. The reason is because there are only two decisions that a pool need to choose: to pledge or not to pledge, and these decisions are not influenced by the decision of any other pool. Here, we propose a simple reward structure (in general terms) that is fair to all.

Currently, pool operators are paid a fixed cost of 340 ADA plus a margin per epoch. As long as a pool is minting even just a block in an epoch, the pool gets the fixed cost plus the margin of which both are subtracted from the total reward before the rest is distributed to the pool delegators. This mechanism appears to be not sustainable for small pools because the pool reward erodes the already meager delegators reward - i.e., a fixed cost of 340 ADA plus a margin is going to take a significant portion from the delegators reward since small pools mint fewer blocks.

Because we no longer need the current reward structure and it is expected that pools would have more or less the same delegation under this CIP, we propose that pool operators are paid for each block they minted. First, the reward per block is calculated by dividing the reward pot (reserve + fees) by the number of blocks in an epoch. Then, the reward for the pool operator for any block he mints is a FEW PERCENT of the reward per block multiplied by the "fullness" of the minted block - i.e., if the minted block is only 80% filled, then the operator reward for that block is multiplied by 0.8. This multiplier has an effect of decreasing the operator reward if the pool fails to completely fill the block to maximum capacity. In this manner, pools are encouraged to fill each block up to maximum capacity. Then, after deducting the total pool reward from the reward pot, 20% of the reward pot is then allocated to the treasury and the rest are allocated to the delegators with the delegator reward fixed at 0.0616% per epoch (or 4.5% annually) regardless of which pool a delegator is staked, except if he is in an oversaturated pool. If there remains an undistributed reward, this must be redirected to the treasury or reserve. The 4.5% reward declines exponentially for delegators in an oversaturated pool according to the following equation:

where

• r_d is the delegator reward
• δ is the pool delegation
• α is the pool saturation limit
• the factor 10 in the exponent ensures that the reward drops by ~60% when pool delegation exceeds by 10% of the saturation limit.

The mechanism described above further enhance decentralization. In the current protocol, delegators are biased towards nearly saturated pools because these pools generate better rewards just because of how the reward mechanism is structured in the current protocol. This bias causes centralization of stake towards pools that are at near saturation. In this CIP, such bias is eliminated because it no longer matter which pool a delegator is staked - all delegators are getting the same reward of 4.5% unless they are staked in an oversaturated pool. Finally, the delegator reward may be increased as Cardano adoption increases, making delegation more attractive and allowing better security for the ecosystem.

Rationale

The steady centralization of stake concentrated to only a few MPOs primarily arises from the substantial saturation limit (68M) allocated for each pool. This large allocation allows moneyed MPOs to gain substantial delegation simply by setting up multiple pools and offering lucrative rewards. If left unchanged, the current state of affairs deters would-be SPOs from setting up pools and discourages current SPOs from continuing to operate because, for a significant number of them, the cost/reward is economically disadvantageous. This only leads to further centralization.

To mitigate the problem outlined above, we recognized that saturation limit needs to get decreased to some minimum that allow fair distribution of stake but avoids the potential risk of oversaturation by guaranteeing that the total saturation limit is always equal to the circulating supply. We may do this by allocating saturation limit based on pledge. This idea was first explored by Casey Gibson in his CIP which you may find here. We found that there may be potential weaknesses to his ideas, but the same weaknesses are addressed in our proposal. These weaknesses are:

• The Gibson proposal appears to be less effective at solving stake centralization.
  To illustrate this argument, let's detemine how the Gibson proposal would affect a current MPO that has 60 pools and controls 2.8B ADA. First, we take note that this MPO has total control of the stakes delegated to it. The Gibson proposal, in its current form, allocates 100% of K (65M in stake) for every 500,000 ADA in pledge. Therefore, each pool from this MPO requires 65.5M (65 M in stake plus 0.5 M pledge) to setup and get fully saturated. The number of pools that this MPO needs to retain all 2.8B stake is just 43 pools ($\frac{2.8B}{65.5M}$), which is lower than the MPOs current number of pools (60 pools). The total pledge would amount to 21.5M (43*500,000) but this pledge is irrelevant for this MPO because it has total control of the stake delegated to it.

  The numbers from our proposal would be 282 pools and 12.8M in pledge to retain all 2.8B in stake at n = 15 and k = 3119 (epoch 321). The calculation is as follows

  p_opt = 33B*e^(1-15*(1+erf(-100/(3119-60+pools))))
  α = $\frac{33B}{3119-60+pools}$
  pools = 2.8B/(α+p_opt)

  We have three equations and three unknowns which resolves to pools = 282 and total pledge to 12.8M (282 pools * 45.5K in pledge). These numbers will increase as the number of pools increases.

• The Gibson proposal may disenfranchise a significant portion of ADA in circulation from getting staked at low pool number.
  Because the Gibson proposal does not gurantee that the total saturation limit of all pools is equal to the amount of ADA in circulation, there exists a significant risk of disenfranchising some portion of ADA in circulation. For example, if the number of pools abruptly drops to 500, all pools need to pledge at maximum (500,000 ADA to get 65M saturation limit) so that the ecosystem can achieve a total saturation limit that is approximately equal to the total ADA in circulation. However, all pools pledging at maximum is a very unlikely scenario, leaving some ADA disenfranchised. Risk of disenfranchisement exists even at the current number of pools. In contrast, the total saturation limit under our proposal is always equal to ADA in circulation regardless of the pledge status in the ecosystem.

• The Gibson proposal may be less effective in dealing with abrupt changes in the staking parameters.
  Since the Gibson proposal rely on parameters that can only be changed when there is network consensus, such design is less robust against abrupt changes in the ecosystem, e.g., when there is a need for the number of validators to scale up with demand or when the number of pools declines abruptly due to extreme events. Our proposal scales up and down without further intervention because the protocol is governed by equations.

Finally, this CIP effectively increases the k_effective parameter.
The k_effective is a parameter that attempts to measure decentralization, and is defined by the equation shown as follows:
The parameter k_effective should increase as decentralization increases. However, recently it had plateaued between the values 40 to 43. The strategy described in this CIP effectively increases this parameter as the number of pools increases. This is due to the fact that as the number of pools increases, the saturation limit (α) decreases. This decrease in the saturation limit, in turn, should decrease the ratio of group stake to total stake in Equation 14, which then leads to the increase of k_effective.

Copyright

This CIP is licensed under CC-BY-4.0