Alternative fix for proposer withholding attack

Sharding
3

Here is one way to design the incentives (sorry for not making this explicit!) so that incentives align:

  • The validator can only include a single proposal (collation header signed by a proposer) in the VMC.
  • A proposer loses the proposal fee F iff his proposal is included in the VMC by the validator.
  • The validator gains F iff the selected proposal “wins”, i.e. gets included in the highest scoring proposal chain.
  • The proposer is awarded T, the total transaction fees without collation subsidy, iff his proposal wins.
  • The validator is awarded the collation subsidy S iff the selected proposal wins.

The scheme has the following phases:

  1. Proposing: Proposers share proposals to the eligible validator without the collation bodies being published.
  2. Commitment: The eligible validator commits to all the proposals he has seen, and broadcasts the commitment to all proposers.
  3. Reveal: After seeing the commitment, some subset of proposers reveal their collation bodies. Proposers are incentivised to reveal collation bodies for two reasons:
    • The commitment guarantees the validator cannot steal the fees.
    • The validator has a preference for proposals for which he has seen the corresponding collation body. (See selection algorithm below.)
  4. Selection: After the reveal phase the validator decides which proposal to include in the VMC. (See selection algorithm below.)

Selection algorithm

An honest and rational validator calculates the expected value for each proposal, and then selects the proposal with the highest expected value. Let’s assume the probability of the proposal winning after inclusion in the VMC is 0.99 if the collation body is properly made available.

For proposals for which the validator has the collation body the expected value for him is 0.99 * (F + S). The reason is that the validator will publish the collation body himself to guarantee availability.

For proposals for which he does not have the collation body the expected value is R * 0.99 * (F + S) where R is the probability that the corresponding proposer reveals the collation body.

In an adversarial context where withholding attacks are common with untrusted proposers, the validator will set a low value of R for untrusted proposers, i.e. R \ll 1. In the extreme case the validator will estimate R = 0 for proposals for which he does not have access to the collation body, thereby only selecting proposals for which he has access to the collation body.