# Risk Sharing in Proof of Stake A Proof of Stake system encapsulates an market where validators participate in block proposal and voting, in order to receive rewards. Just like a regular marketplace, the protocol needs to be designed in such a way that validators are incentivized to behave honestly, as much as possible. A concept central to such a design is *risk sharing*: > **ALL (LITERALLY) IN THE SAME BOAT** > Greek is a language of precision; it has a word describing the opposite of risk transfer: risk sharing. *Synkyndineo* means “taking risks together,” which was a requirement in maritime transactions. > > The *Acts of the Apostles* describes a voyage of St. Paul on a cargo ship from Sidon to Crete to Malta. As they hit a storm: > > >“When they had eaten what they wanted they lightened the ship by throwing the corn overboard into the sea.” > > Now while they jettisoned *particular* goods, all owners were to be proportioned the costs of the lost merchandise, not just the specific owners of the lost merchandise. For it turned out that they were following a practice that dates to at least 800 B.C., codified in Lex Rhodia, Rhodian Law, after the mercantile Aegean island of Rhodes; the code is no longer extant but has been cited since antiquity. It stipulates that the risks and costs for contingencies are to be incurred equally, with no concern for responsibility. Justinian’s code summarizes it: > > > It is provided by the Rhodian Law that where merchandise is thrown overboard for the purpose of lightening a ship, what has been lost for the benefit of all must be made up by the contribution of all. > > And the same mechanism for risk-sharing took place with caravans along desert routes. If merchandise was stolen or lost, all merchants had to split the costs, not just its owner. > > *Skin in the Game, Nassim Taleb* This redistribution of wealth is expected to be a common theme in Proof of Stake systems for a simple reason: *non-attributability of faults*. [The Two Generals' Problem](https://en.wikipedia.org/wiki/Two_Generals%27_Problem) dictates that a failure of communication over an unreliable link cannot be attributed exactly to either the link or the counterparty. In our context, it means that it is not possible to know whether an observed lack of participation of a validator is due to their own inaction, or to them being censored by a majority. Vitalik defines and explores the feasibility of such behavior in his paper [Discouragement Attacks](https://github.com/ethereum/research/blob/master/papers/discouragement/discouragement.pdf), and comes up with a scheme that is similar to Rhodian Law. Since Vitalik already presents it in the blockchain context, I'll demonstrate the similarity by creating an analogous model of Rhodian law: Let there be $N$ merchants, each in possession of a single divisible asset identical in value. Then $N$ is also the total number of assets. Then a subset of $L$ merchants incur a loss of their assets. An ideal redistribution scheme would not try to compensate the victims 100% of their losses, but preserve the original uniform distribution of wealth, because it would otherwise be gameable. Thus, the rest of the merchants compensate the victims $(N-L)L/N$ assets, while the net loss of each merchant becomes $L/N$. Each merchant loses the same amount, and the original wealth distribution is preserved. This is essentially what Vitalik proposed in *Discouragement Attacks* and has been baked into the [Beacon Chain Spec](https://github.com/ethereum/eth2.0-specs/blob/6ef79ac2a8b8da876bfb9aac6078de0995266dd3/specs/core/0_beacon-chain.md#rewards-and-penalties), with a little caveat: victims still lose their share of the total reward. The following section summarizes his model. ## Asymmetric Rewards Assume that we have a round based protocol with $N$ validators, where each validator is supposed to send a message in each round for which they receive $R/N$ tokens as reward. A majority of validators could choose to censor a minority, which would result in the minority's messages not being included, depriving them of their reward. When applied consistently, this sort of attack would cause them to leave, leaving a higher share of the reward for the attacker. To disincentivize such behavior, Vitalik proposes to make rewards a function of the degree of participation. Say that there are $a$ attackers and $v$ victims with $a+v\leq N$. Victims lose their reward, and the rewards of the rest are scaled linearly with the number of validators observed to have participated, $(N-v)/N$. This yields the following table | Group | Total reward without attack | Total reward with attack | Losses | |-|-|-|-| |Victim| $vR/N$ | 0 | $vR/N$ | |Attacker| $aR/N$ | $aR(N-v)/N^2$ | $avR/N^2$ | |Rest| $(N-a-v)R/N$ | $(N-a-v)R(N-v)/N^2$ | $(N-a-v)vR/N^2$ | Vitalik defines the griefing factor as the ratio of the *losses to everyone except the attackers* to *losses to the attackers*. This analytically becomes $$ \begin{aligned} F &= \frac{vR/N+(N-a-v)vR/N^2}{avR/N^2} \\ &= \frac{2N-a-v}{a} \end{aligned} $$ The most critical cases involve 51% attacks, which are assumed to be possible with $a=N/2$ attackers. Then we have the griefing factors for the limiting cases of the smallest possible minority as $F(a=N/2, v=0) = 3$, and the largest possible minority as $F(a=v=N/2) = 2$. This means that for every \$1 a majority sacrificed, others would lose $2-3, depending on the targeted minority. Despite the scaling workaround, the attack vector remains there, because attacker payout is positive with or without an attack, and there remains a chance that certain market conditions would allow censoring to be profitable, as demonstrated by Vitalik. ## Symmetric rewards Let's see what would happen if we made it more similar to Rhodian Law, and also rewarded the validators that are observed not to have sent any messages. Payouts are still scaled with participating stake, and only the victim's row is changed: | Group | Total reward without attack | Total reward with attack | Losses | |-|-|-|-| |Victim| $vR/N$ | $vR(N-v)/N^2$ | $v^2R/N^2$ | |Attacker| $aR/N$ | $aR(N-v)/N^2$ | $avR/N^2$ | |Rest| $(N-a-v)R/N$ | $(N-a-v)R(N-v)/N^2$ | $(N-a-v)vR/N^2$ | Then the new griefing factor becomes equal to $$ F' = \frac{N-a}{a} $$ which looks like this: ![](https://i.imgur.com/Dwvzkzk.png) The immediate result is $F'(a>N/2)<1$. In other words, if a majority wanted to censor a minority, for each \$1 they sacrificed, others would lose less than 1\$, neutralizing the discouragement attack vector. Assuming that a 51% attack can't be conducted with $a\ll N/2$, we should consider $a\geq N/2$ for censoring others' messages. Since it's not possible to discourage minorities by griefing, the dominant strategy of a majority would be to not censor, *assuming sending/including messages didn't have a cost*. ### Griefing by being lazy On the other hand, losses are very asymmetric for small nonzero values of $a$. Minorities cannot censor others, but they can still carry out griefing attacks by not sending any messages intentionally. For example, a minority of size $N/10$ could decide to be lazy, and cause 9$ in losses to others for each 1$ they sacrificed. Nevertheless, it's harder for such an attack to discourage a majority, because the amount a minority can sacrifice is limited due to their small size. A majority by definition operates at a higher financial order of magnitude than a minority, and the losses from a minority attack would likely be negligible. Every validator would lose the same amount $aR/N^2$, which gets smaller with the size of the attacker. It might be alarming that $\lim_{a\to 0^+} F'=\infty$, but that is irrelevant, since $F'$ is a ratio over losses to the attacker, and doesn't make sense when no attacker exists. ## Taking costs into account Risk sharing has a caveat, regardless of the symmetry of rewards. We have previously mentioned that symmetric rewards solve the problem of discouragement attacks by majorities, assuming sending/including messages didn't have a cost. But participation in the protocol does have a cost in real life, which should be accounted for in this model. To make a cost analysis, we need to make the toy model more contextually relevant by introducing stakes. Let's assume that each validator has staked some number of tokens, which determines how much reward they will receive. Let $s_i$ be the stake of validator $i$ and $w_i=s_i/\sum_j s_j$ be the weight of validator $i$. If the validators all had equal weight, then we would have $w_i=1/N$ for $i=1,\dots,N$, equivalent to previous cases. Each validator is still supposed to send exactly one message. Let's assume that we don't scale down rewards with the degree of participation. Then $i$ receives $w_iR$ upon sending a message. Let $C_f$ and $C_v$ be the fixed and variable (with respect to weight) costs of sending a message respectively. Then a validator $i$ is incentivized to send a message as long as $w_iR > C_f + w_i C_v$. Validators with weight smaller than $C_f/(R-C_v)$ would not send a message, because that would result in a negative payoff. A more complicated case is scaling rewards with participating weight. Let $x=(x_1,\dots,x_N)$ be the tuple of boolean variables that hold whether a validator has sent a message. A validator $i$ decides to send a message if their payout $\pi_i$ is greater than zero: $$ x_i = \begin{cases} 1 & \text{if}\quad \pi_i(x) > 0 \\ 0 & \text{otherwise} \end{cases} $$ The participating weight is calculated as $$ W_p(x) = \sum_{i\in V}x_iw_i $$ Each validator $i$ receives $w_iW_pR$, and their payout is finally defined as $$ \pi_i(x) = w_i(W_p(x)R-C_v)-C_f $$ We have an implicit system of equations, which needs to be solved for $x$ in order to calculate the actual percentage of participation. The solution highly depends on the distribution of stakes across validators. Let's concentrate on the edge case of $x_i=0$ for all $i\in V$. For this **not** to be a Nash equilibrium, there needs to be at least one validator with a weight $w$ that satisfies $$ w^2R - wC_v -C_f > 0 $$ This is because $W_p=w$ when only the said validator participates. The condition yields $$ w > \frac{\sqrt{C_v^2+4RC_f}+C_v}{2R} $$ considering $R,C_f,C_v>0$. If no such validator exists, then there won't be an incentive for any validator to send a message. The actual problem at hand is to define a minimum reward such that the system won't suffer such a critical lack of incentive. Given certain values of $C_f$ and $C_v$, the reward should be at least $$ R > \frac{C_f}{\max(w)^2} + \frac{C_v}{\max(w)} $$ If we assume a uniform distribution of weights, we obtain a simple rule of thumb to use when setting the reward $$ \boxed{ R > N^2 C_f + NC_v } $$ The ideal parameters should also ensure a participation of all validators. Thus, the validator with the smallest weight should be able to have a positive payout for $W_p=1$. We then get another formula for the minimum reward $$ \boxed{ R > \frac{C_f}{\min(w)} + C_v } $$ If we again assume a uniform distribution, we obtain $R > C_fN + C_v$, a condition seemingly weaker than the one above. However, the inequality above may become useful when the weight distribution is very uneven. In that case, it might yield a stronger condition.
Last changed by  
Onur
724

Read more

[ICortex](https://github.com/textcortex/icortex): Giving Programming Superpowers to Non-Programmers

Introducing ICortex, our new Jupyter kernel that allows you to generate Python code from natural language prompts: {%youtube AtVCBNq48oc %} ICortex is a drop-in replacement for the IPython kernel that powers Jupyter Notebooks. It is open source, fully extensible, and can connect to multiple code generation services, including TextCortex API, OpenAI Codex API, locally-running HuggingFace models, and so on. Whether you are ...

10/13/2022
AutoPrice

Background Control Mechanisms for Trustless Self-Governing Protocols It is a feature of public blockchains, where a protocol parameter needs to adapt to certain conditions, but should not be controlled by a specific participant. The solution is to implement a mechanism where it auto-adjusts, according to quantifiable and objective conditions. The primary example is Bitcoin’s difficulty adjustment. There, variations in average block time are used to dynamically adjust Bitcoin’s block difficulty, every 2016 blocks. Owing to difficulty adjustment, Bitcoin blocks are mined every 10 minutes on average without any external control. Shifts in block time feed back into the difficulty parameter, which then dampens said shifts, creating a negative feedback loop. Here, Bitcoin's designer made use of elementary control theory, setting mean block time as a process variable and difficulty adjustment as the control action: Gas Price Volatility Blockchains have a limited supply, and a vertical supply curve. For that reason, blockchain resources are subjected to very high price volatilities, once user demand surpasses platform capacity. Let's consider Ethereum. Demand for gas isn’t distributed equally around the globe. Ethereum users exist in every inhabited continent, with the highest demand seen in East Asia, primarily China. Europe+Africa and the Americas seem to be on par in terms of demand. This results in predictable patterns that follow the peaks and troughs of human activity in each continent. The correlation between gas usage and price is immediately noticeable, demonstrated by a 5 day period from March 2019. The grid marks the beginnings of the days in UTC, and the points in the graph correspond to hourly averages, calculated as:

6/29/2020
Lazy Strategies

In Proof of Work We investigate the strategy where miners mine empty blocks to reduce the uncertainty of mining a block which is invalid because it contains a transaction that is already included by another block. In this case, the miner is aware of the new block, already has its hash and/or header, but has not downloaded the rest of the block which contains the transactions. Constant reward per mined block: $R$ Time required to mine an empty block: $T_e$ Time required to mine a full block: $T_f$ Gas price: $P$ Gas in a block: $G$ Block gas limit: $G_\max$ Average tx fee collected from a block: $F(G) = PG$

5/18/2020
Compensation Fees in Transaction Fee Distribution

Users need to specify a fee when submitting their transactions. When it is a validator’s turn to propose a block, the validator collects transactions from the transaction pool, executes them in a certain order, and publishes them in a new block. Fees in a block are distributed to all validators pro rata. This is to weaken the incentive to steal transactions from other blocks, in case the block proposer receives the whole fee. The protocol has the following parameters: $P$: Average gas price of the previous era. This value is updated at the end of each era, calculated by dividing total collected fees by total consumed gas. $G$: Gas in a block. $G_{\text{max}}$: Block gas limit. $G \leq G_{\text{max}}$ for every block. $F$: Total fee collected from transactions in a block. $N$ is the current number of validators, $w_i$ is the normalized weight of validator $i$.

5/15/2020
Read more from Onur
Published on HackMD