The hacker claims a share of the funds at risk rather than the whistleblower reward (blackmailing) and can ask others to pay to learn if they have been hacked (“blackmailing in the dark”). That’s interesting even with a single hacked validator.
Now, with the current way we slash people, the attacker is incentivized to batch his blackmailing, but also to spread as much FUD as possible so that people overestimate how many validators are actually hacked, and so agree to pay more.
If I have the penalties calculated right, we have today, with 10m staked, a hacker taking 20% of the slashable funds (so not that much), and no “blackmailing in the dark”:
| # of validators slashed | 1 | 1% | 2% | 4% | 8% | 16% | 32% |
|---|---|---|---|---|---|---|---|
| Individual penalty (ETH) | 1.00 | 1.93 | 2.86 | 4.72 | 8.44 | 15.88 | 30.76 |
| Hacker’s reward (ETH) | 0.20 | 0.39 | 0.57 | 0.94 | 1.69 | 3.18 | 6.15 |
| Total hacker’s reward (ETH) | 0.202 | 1206 | 3575 | 11800 | 42200 | 158800 | 615200 |
| Total hacker’s reward ($, 1 ETH = $250) | $50 | $301,563 | $893,750 | $3 million | $11 million | $40 million | $154 million |
| Ratio vs. simple whistleblower reward | x4 | x7 | x10 | x17 | x31 | x58 | x112 |
The hacker can also target staking pools of course (but users have to trust staking pools now: Trustless Staking Pools).
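
The percentage columns of the table above can be rebuilt with a short model, which makes it easy to see how the blackmail payout scales if the total stake or the hacker's share changes. This is an added example, not part of the original post: the 32 ETH balance, the 1 ETH minimum penalty, the 3x correlation factor and the whistleblower reward of 32/512 ETH less a 1/8 proposer cut are assumptions chosen because they match the posted figures.

```python
# Added example: rebuilds the percentage columns of the table above.
STAKED_ETH = 10_000_000   # from the post: "10m staked"
HACKER_SHARE = 0.20       # from the post: hacker takes 20% of the slashable funds
ETH_USD = 250             # from the post: 1 ETH = $250

# Assumptions, not stated in the post; chosen because they reproduce its figures.
VALIDATOR_BALANCE = 32.0        # ETH per validator
MIN_PENALTY = 1.0               # flat penalty applied to every slashed validator
CORRELATION_MULTIPLIER = 3      # rest of the balance is lost in proportion to 3x the slashed fraction
WHISTLEBLOWER_REWARD = VALIDATOR_BALANCE / 512 * 7 / 8   # after a 1/8 proposer cut


def individual_penalty(fraction_slashed):
    """ETH lost by one validator when `fraction_slashed` of all stake is slashed together."""
    at_risk = VALIDATOR_BALANCE - MIN_PENALTY
    # The correlated part is capped: a validator cannot lose more than its balance.
    return MIN_PENALTY + at_risk * min(1.0, CORRELATION_MULTIPLIER * fraction_slashed)


def table_column(fraction_slashed):
    """One column of the table for a given fraction of validators slashed."""
    validators = STAKED_ETH / VALIDATOR_BALANCE * fraction_slashed
    penalty = individual_penalty(fraction_slashed)
    reward = HACKER_SHARE * penalty
    return {
        "penalty_eth": penalty,
        "reward_eth": reward,
        "total_eth": validators * reward,
        "total_usd": validators * reward * ETH_USD,
        "ratio": reward / WHISTLEBLOWER_REWARD,
    }


if __name__ == "__main__":
    for pct in (1, 2, 4, 8, 16, 32):
        col = table_column(pct / 100)
        print(f"{pct:>3}%  penalty={col['penalty_eth']:6.2f}  "
              f"reward={col['reward_eth']:5.2f}  "
              f"total={col['total_eth']:>9.0f} ETH  "
              f"${col['total_usd']:>13,.0f}  x{col['ratio']:.0f}")
```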