30% sharding attack

Attack

Let’s assume that an attacker controls some proportion a of validator deposits in the VMC, and some proportion b of mining power in the main chain. Because the current getEligibleProposer method is subject to blockhash grinding, the attacker can make himself the eligible proposer on a shard (actually, several shards, depending on how fast the attacker can grind) with proportion a + (1 - a)*b.

If we set a = b (i.e. the attacker controls the same proportion of validator deposits and mining power) and solve for a + (1 - a)*a = 0.5 (i.e. solve for the attacker having controlling power) we get a = 0.292. That is, an attacker controlling just 30% of the network can do 51% attacks on shards.

Defenses

One defense strategy is to use a “perfectly fair” validator sampling mechanism with no repetitions, e.g. see here. Another strategy is to improve the random number generator to something like RANDAO or Dfinity-style BLS random beacons.

4 Likes

I think I was being stupid 🤦. The blockhash wraps over the nonce so blockhash grinding is limited by PoW. Maybe there’s a 30% sharding attack with full PoS, but the situation is not nearly as bad with PoW.

1 Like
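The arithmetic from the opening post and the "limited by PoW" correction above, as an added example that is not part of the thread. It generalizes the post's formula with a hypothetical parameter k, the number of candidate blockhashes the attacker can evaluate per block he mines (k=None is the post's unlimited-grinding case, k=1 is no grinding); the function names are also assumptions.

```python
import random

def attacker_share(a, b, k=None):
    """Expected fraction of periods in which the attacker is eligible proposer.

    a: attacker's proportion of validator deposits
    b: attacker's proportion of main-chain mining power
    k: candidate blockhashes per attacker-mined block (modelling assumption);
       None means unlimited grinding, which gives the post's a + (1 - a)*b
    """
    grind_win = 1.0 if k is None else 1.0 - (1.0 - a) ** k
    return b * grind_win + (1.0 - b) * a

def threshold(k=None, target=0.5, tol=1e-9):
    """Smallest a = b at which the attacker's share reaches target (bisection)."""
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if attacker_share(mid, mid, k) < target:
            lo = mid
        else:
            hi = mid
    return hi

def simulate(a, b, k=None, periods=200_000, seed=1):
    """Monte Carlo check of attacker_share under the same model."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(periods):
        if rng.random() < b:
            # Attacker mined the block: he keeps a blockhash that selects him
            # if any of his k candidates does (always, when k is None).
            won = k is None or any(rng.random() < a for _ in range(k))
        else:
            # Honest miner: proposer is sampled in proportion to deposits.
            won = rng.random() < a
        wins += won
    return wins / periods

if __name__ == "__main__":
    for k in (1, 2, 8, None):
        print(f"k={k}: a = b threshold for a 50% share is {threshold(k):.4f}")
```

With k=1 the threshold is back at 0.5, so how many blockhash candidates an attacker can afford is what decides how far below 50% the threshold falls.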

And it seems harder to simultaneously control so much stake and hashing power. Don’t know how to measure this kind of hybrid condition. 🤔

I am inclined to say don’t bother initially for this exact reason. In the longer term, there are better random beacons that we can introduce, and will have to introduce anyway for full PoS.

1 Like