No, I donāt think itās a requirement. Itās just a design choice to handle a special case.
If you feel fit, you can even disable mass withdrawal altogether and this case will never happen.
All of these things need to be defined mathematically and analyzed - every change to the protocol tends to have lots of potential repercussions imho
Yes, I agree. But it is specific for your application/implementation. Plasma in the general sense is a pattern, not a specification. Thatās why there are several Plasma styles already .
Also, I believe that in the original plasma paper, the solution for this case has already been discussed. It was mass-exit with bitmap of UTXOs which requires a bond to be placed. Any fraud proof can cancel the whole withdrawal.
In our implementation, there is a minimum bond when exiting that is forfeited to the challenger if successful. This is to ensure that it always economically makes sense to challenge, discourages a user to submit multiple exits for funds ( your scenario above ), and encourages people to play the role of bounty hunters of a side chain. Revenue for just watching and ensuring the integrity of the plasma chain.
3 Likes
In this scenario, if Eve attempts to withdraw her original $10 output, then someone can just submit a single fraud proof showing that that $10 output was spent. The bond placed with the withdrawal is deliberately large enough that it covers the cost of challenging. Iām not sure I see the issue here.
1 Like
Can you explain this more?
Each time Eve spends 1 cent she generates a new intermediate UTXO, If one exits all these intermediate UTXOs at once - how can a single fraud proof be used for all of them ?
Ah youāre saying exit all intermediate UTXOs. The value of the UTXO doesnāt matter, just that the minimum bond must be large enough to cover the cost of challenge. So thereās some small UTXO value at which itās no longer worth it to exit.
Letās say cost to exit < 1c, so Alice will try to exit from the UTXOs. Alice puts up a bond = cost to challenge, which may be larger than 1c. Someone is therefore incentivized to challenge, even if the UTXO values are small.
Lets say, Eve puts $10,000 dollars, and then creates 1,000,000 intemediate UTXOs
If Eve exits all of these UTXOs unchallenged, then her potential gain is $5B
Lets say exit transaction gas fee is $1, then Eve needs to have $1M to pay for the gas fees.
Now the challengers will need to pay (altruistically) $1M to submit fraud proofs to challenge Eve.
if they successfully challenge Eve, then Eve loses $1M and challengers lose $1M.
Eve can then make another attempts. Lets say after 100 attempts she exhausts the money that challengers are altruistically willing to pay. At that point both Eve and challengers kist $100M each.
Since challengers dont have any more money (or are not willing to fight any more), Eve makes $1B and wins.
So crypto economically it seems that challengers need to be compensated ? Would you agree? Otherwise it seems to be hard to rely on altruistic behavior ā¦
In addition to the $1M Eve has to pay for the gas costs of each exit, she has to put up a bond on each individual exit. This is so that the challenge never loses money by successfully challenging. Hence, it will cost Eve at least $2M to exit the 1M intermediate UTXOs she has created.
We never want to make users doing anything altruistic. Every exit has a bond attached that will pay the challengerās gas cost and more. So the challenger pays X in gas cost (and some other costs) but receives X+N in return for a successful challenge.
Ok - good 
Now I understand ) I think this can be a way to address the issue.
1 Like
Couldnāt this be gamed? I know one of the biggest assumptions in Plasma is root blockchain availability, but in the example discussed here Eve might be able to cheaply pull off a successful attack.
- Eve makes 1,000,000 intermediate UTXOs
- Eve tries to exit all these UTXOs and attaches a bond to each one of them, the gas cost + some bounty
- Immediately afterwards, Eve pulls off a spamming attack which lasts at least as long as the challenge period. This attack neednāt bloat the network, but just make gas costs higher than the bond in each UTXO so thereās a disincentive to challenge her fraudulent behaviour.
I guess this can be prevented by making the challenge period reasonably high, thus forcing Eve to pay a lot to keep the spam on-going, and efficiently calculating the bond costs. Iām not sure how the latter could be achieved though.
Point 3 could also be improved if Eve load balances her spam by cleverly waiting for the market to organically slow down the network. Running a Plasma chain after CryptoKitties launched wouldāve been rather problematic.
2 Likes
Good point! Looks like bonds are not going to secure things.
@PaulRBerg I think you might be on the right track to a valid attack model here.
But the longer the period, the worse the UX for the honest users gets. IMHO, even the current 7 days challenge period could turn out to be a big problem. How many people used to e.g. centralized trading platforms/exchanges will accept to wait 7 days to withdraw their funds?
I believe bond requirements would have to be calculated dynamically, and I would surely love to see that mathematical model. I donāt like to be negative, but I think that is close to impossible to design. Also, even if we assume that we have such a model, if it calculates that (some of) the exits should require 10ETH bonds (we assume that that calculation is correct from the security point of view), that will also completely ruin the UX for the honest usersā¦
3 Likes
Actually exiting 1,000,000 UTXOs is hard (and costly) but I agree that this is problematic and we need better models around bond prices. Mainly we should be looking at exactly how high these bonds need to be to prevent this sort of behavior. Assuming a bond is fixed at X ETH and a challenge costs Y gas, itās simple to determine when the explicit reward of challenge will be negative. How much would it cost to drive gas prices up that much for the entire challenge period?
Generally I donāt think static bonds cut it, but Iām also not aware of any efficient method for determining the current gas price. In reality there are probably some external incentives (companies want to keep user funds safe) we can take advantage of, but Iād rather capture these in the protocol.
This problem also exists in Plasma Cash (I think), although itās probably logistically harder to set up. Youād also have to target one person in particular.
1 Like
Isnāt it trivial to determine the current gas price by simply looking at the Txs in the last block (number of blocks)? Maybe Iām missing something obviousā¦ 
Even if Iām right and you can easily determine the gas price at a certain moment X and calculate the bond according to that (I assume we have a good, working model for this), the problem is that the attacker can start spamming and pumping the gas price e.g. 48 hours after that moment X. The (only) two solutions for this:
- Ask everyone to top up their bonds when the attack starts (UX nightmare)
- Introduce some buffer multiplier from the beginning, e.g. if the model calculates the bond size of 0.05 ETH, we ask for 5x0.05 ETH instead (less scary UX nightmare )
This is very much true, setting up the attack initially described by @kladkogex is a logistical ordeal, but I think we always should assume that the worst scenario can happen and will happen if we let it.
Many factors at play here, but the attacker could act cleverly and corroborate on random, organic bloats of the main chain.
@kfichter was saying that, despite the latest gas price in the most recent block, thereās still absolutely no guarantee that the next block wonāt contain a list of transactions with attached fees worth ć1 each if someone is willing to spend that amount of money. Presuming normal conditions though, indeed, the last block might be a good proxy for estimating the gas prices, but this thread has been presuming horror conditions, not trivial or rational ones.
Method 1 is indeed a UX nightmare and method 2 might be a scary model from an economic standpoint. If I know thereās always the threat of paying double or triple or more to get my funds back to Ethereum, I wouldnāt even deposit on Plasma in the first place.
Perhaps the optimal solution is to have a model where the operator is able to top up the bonds of every undercapitalised exit. He can afford to periodically scan the Plasma contract for any spooky exits and the main chain for sudden gas cost increases. The presumption here is that the operator has a strong incentive to keep the Plasma chain running, because the cost of a successful attack would be higher than the summed topped up bonds. Afterwards, they could impose slightly higher fees on Plasma to amortise these expenses. Now, there is an elastic limit of how much the bond top-ups can be, but thereās a relatively similar limit to the main chainās attack size, hence I intuitively feel that these two vectors eventually cancel out.
1 Like
Oh, then we were speaking about the same thing. Thanks.
This is an interesting idea but, as you said, we have to assume that the operator is incentivized to keep the Plasma chain running (correctly). This is a dangerous assumption IMO, since the operator might be the attacker, so her interest very well might be not to top up undercapitalised exit, or to top up only some of them.
@PaulRBerg @kladkogex what do you think about banning Eve temporarily or indefinitely after trying to pull certain number of successfully challenged invalid withdrawal attempts?
Individual users with whom Eve was creating micropayment transactions may not have good enough incentive to challenge her but general incentives for anyone could be calculated in cheap and efficient manner. And it would make impossible to perform this kind of attack.
Not sure how youād do this if Eve makes a different address for each exit.