Uptime slashing allows a 1/3+ instance to fully take over the network

[hendrikhofstadt]

Credit also goes to @adrianbrink who initially described the attack and with whom I discussed this attack.

Let's imagine a network where a byzantine actor A controls 1/3+ (34%) of the voting weight and all other groups of validators B (32%), C (17%), D (17%) act according to the default logic of Cosmos and Tendermint.

Normally this would allow A to halt the network but not cause any further damage (except for faking lower uptimes by conducting a censorship attack).

Now since we have uptime slashing and subsequently jailing the following can happen:

• A can censor any other block proposals of B,C,D so he is the only proposer that can actually create blocks (reach a 2/3+ majority/polka).
• In the blocks of A all precommits of B and C are included, D is censored (17+34+17 = 68 > 66.6)
• This is done for n_blocks > MinSignedPerWindow
• Subsequently D is slashed and jailed making A,B,C the only validators in the active set
• The new power distribution is A (50%), B (25%), C (25%)
• A can censor any other block proposals of B and C so he is the only proposer that can actually create blocks. In these blocks all unjail transactions are censored/excluded
• In the blocks of A all precommits of B are included, C is censored (50+25 = 75 > 66.6)
• This is done for n_blocks > MinSignedPerWindow
• Subsequently C is slashed and jailed making A,B the only validators in the active set
• Due to inflation and the proposer bonus A will have gained slightly more rewards than the others (in a full scale network censorship could be more fine grained [censoring only single validators out of the group B] and would allow reaching 2/3+ without inflation bonuses).
• The new power distribution is A (67%), B (33%)

=> A has a 2/3+ majority and can censor B out of the set to be the only validator.
=> Network takeover

Without action taken by the other validators within these 2*SigningWindow the 2f+1 assumption is broken (even though not the stated f < N/3).

The only way to prevent this is for the others to actively monitor the network and censor A at the point they detect the byzantine behaviour.

In a live network this would mean that 1/3+ would have to detect this and patch in censorship within the said window. WIth a SigningWindow of 5000 blocks and a block time of 5s the first set of validators would have ~7h to patch this and the 2nd batch another ~7h.

We should therefore think about countermeasures or set a more forgiving SigningWindow

@adrianbrink Pointed out that even without slashing the 1/3+ instance can gain a 2/3+ majority by inflating them away and censoring their delegation TXs, however this would take substantially longer.

CC @adrianbrink @leoluk

---

For Admin Use

• Not duplicate issue
• Appropriate labels applied
• Appropriate contributors tagged
• Contributor assigned/self-assigned

[adrianbrink]

Nice write-up Hendrik of our discussion.

On the last point, I would add that it may not take substantially longer depending on how well an attacker understands the PoS implementation.

[zmanian]

My basic point of view on this is it's exactly the kind of attack I would love to see in Game of Stakes.

You potentially can do things about this class of attack by incorporating changes at the consensus layer. But I am excited about seeing attribution and social consensus driving a response.

[Hyung-bharvest]

But, I think denying specific group of validators by another specific group of validators is a clear evidence of censorship. Why Cosmos(or tendermint) does not have a slashing mechanism on these acts?

If we set enough long time window and enough statistical hurdle, we might can monitor and prevent the censorship attack in advance.

Is there any side-effect of this slashing idea? So, down-time slashing can be defined by not just missing, but statistically enough missing of a sufficiently large group of proposers

[zmanian]

Why no automated slashing mechanism? Because it's not possible to differentiate between a network level censorship attack and cartel censorship attack at the protocol level.

[Hyung-bharvest]

Oh, so, a validator missing certain blocks proposed by certain group of validators can be forced by a detailed timing network level attack?(disrupt signing on certain proposer's blocks) That can lead to a "Falsification" of slashing. I understand now. Thanks.

[cwgoes]

@SLAMPER I believe this is a duplicate of #2522.

Is there anything different here that you think is more concerning?

(this is definitely a problem regardless)

[hendrikhofstadt]

Have not seen that. Fine to close in favor of it.