Plasma Evil Miner Vulnerability?

Consider a future case where there is a global Plasma operator managing hundreds of millions of users (e.g a decentralized Ebay or micropayments processor).

Then if the Plasma operator misbehaves and all users exit, then major ETH miners are set to make billions USD in gas fees.

So it seems that in this scenario, there is a huge incentive for major ETH miners to hack the operator and intentionally make it do a bad thing (such as post a corrupt Merkle root to the Plasma smart contract)

To mitigate this, one way could be to provide some type of a mechanism for the plasma operator to self-correct a problem - essentially admit guilt in return for a fixed size penalty …

Hopefully this hypothetical plasma smart contract would be written in such a way that users can somehow challenge the corrupt merkle root and revert/replace it with a correct one.

My hope is that no multi-billion dollar chain will be managed by a single operator, as I’d consider that an incentive failure.

There is a potential attack vector in the case that X% of validators (stakers, miners, whatever) are more incentivized to cause the chain to fail than to maintain the chain. Note that this is mitigated somewhat in MVP with mass exits (less gas/exit) and is basically non-problematic in Cash because no time restraint on exits exists. I would probably consider the case where X% of validators are hacked as outside of my threat model, but maybe we need to consider more Ethereum-style PoS systems to account for this.