EigenLayer: The Cryptoeconomics of Slashing
Original Title: 《The cryptoeconomics of slashing》
Original Authors: Sreeram Kannan & Soubhik Deb (EigenLayer), a16z
Compiled by: Overnight Porridge, The Way of DeFi
Among the mechanisms designed for proof-of-stake (PoS) protocols, none is as controversial as slashing. Slashing provides a way to economically punish, in a targeted manner, any specific node that fails to act in accordance with the protocol. It achieves this by taking away part or all of the validator's staked assets, without imposing externalities on other nodes that act according to the protocol.
Slashing is unique to proof-of-stake (PoS) protocols because it requires the blockchain to be able to enforce penalties. Such enforcement is clearly infeasible in proof-of-work (PoW) systems, where it would be akin to burning the mining hardware of misbehaving nodes. The ability to apply punitive incentives opens up a new design space in blockchain mechanism design, making it worthy of careful consideration.
Despite its clear benefits in the form of "karma," the main objection to slashing is that nodes may be excessively penalized due to unintentional mistakes, such as running outdated software. As a result, many protocols avoid adopting slashing and instead rely on what is known as token toxicity (i.e., if the protocol is successfully attacked, the underlying token will lose value). Many believe that stakers will view this toxicity as a threat that deters them from undermining the security of the protocol. In our assessment, token toxicity is insufficient to deter adversarial attacks in certain typical scenarios. In fact, in such cases, the cost incurred by adversaries to attack and undermine the protocol (referred to as bribery costs) is essentially zero.
In this paper, we will demonstrate how to incorporate slashing into the mechanism design of PoS protocols, thereby significantly increasing the bribery costs that any adversary may incur. In the presence of bribery, slashing guarantees high and measurable bribery costs for decentralized protocols as well as for protocols that do not meet the token toxicity assumption (whether centralized or decentralized).
Situations that may lead to bribery and a lack of token toxicity are ubiquitous. Many PoS protocols avoid falling into either of these categories by having a closely-knit community, which is only feasible at smaller scales, or (1) by relying on strong leadership to guide them in the right direction and delegating validation to a small number of well-known and legally regulated node operators, or (2) by relying on concentrated staking of tokens within a small group. None of these solutions satisfactorily develops a large and decentralized community of validating nodes. If a PoS protocol is characterized by having only a few validators (or, in extreme cases, only one validator), then it is preferable to have a method to penalize these large validators in case they engage in hostile behavior.
In the remainder of this paper, we will:
- Propose a model to analyze complex bribery attacks;
- Show that PoS protocols without slashing mechanisms are vulnerable to bribery attacks;
- Demonstrate that PoS protocols with slashing mechanisms have quantifiable security against bribery attacks;
- Discuss some drawbacks of slashing and propose mitigations.
I. Model
Before introducing the slashing case, we first need a model under which we will conduct our analysis. The two most popular models currently used to analyze PoS protocols (the Byzantine model and the game-theoretic equilibrium model) fail to capture some of the most destructive real-world attacks, while slashing serves as a powerful deterrent against these attacks. In this section, we will discuss these existing models to understand their shortcomings and propose a third model (which we call the bribery analysis model). Although the bribery analysis model can simulate a wide range of attacks, it has not yet been used to analyze many protocols.
Existing Models
In this section, we will briefly describe the Byzantine and game-theoretic equilibrium models and their shortcomings.
Byzantine Model
The Byzantine model stipulates that at most a certain proportion (?) of nodes can deviate from the actions prescribed by the protocol and execute any actions of their choice, while the remaining nodes still adhere to the protocol. Proving that a specific PoS protocol can withstand Byzantine actions that hostile nodes may take is a very important issue.
For example, consider a PoS consensus protocol based on the longest chain, where liveness is prioritized over security. Early studies on the security of longest chain consensus focused on demonstrating security against a specific attack (i.e., the private double-spending attack, where all Byzantine nodes collude privately to construct an alternative chain and only reveal it when it becomes longer than the longest chain). However, the nothing-at-stake phenomenon provides an opportunity to propose many blocks using the same staked assets and to use independent randomness to increase the likelihood of constructing a longer private chain. It was not until much later that extensive research was conducted to show that certain structures of longest chain PoS consensus protocols can withstand all attacks for certain ? values.
(For more details, see 《Everything is a Race and Nakamoto Always Wins》 and 《PoSAT: Proof-of-Work Availability and Unpredictability, Without the Work》)
The entire category of Byzantine fault-tolerant (BFT) consensus protocols prioritizes security over liveness. They also require the assumption of a Byzantine model to prove that these protocols are deterministically secure against any attack for a given upper limit on ? (For more details, see 《HotStuff: BFT Consensus in the Lens of Blockchain》, 《STREAMLET》, 《Tendermint》.)
While the Byzantine model is useful, it does not take into account any economic incentives. From a behavioral perspective, the ? portion of these nodes is essentially fully adversarial, while the (1-?) portion of nodes fully complies with the protocol specifications. In contrast, a significant portion of nodes in PoS protocols may be driven by economic gains and run modified versions of the protocol that benefit their own interests, rather than simply adhering to the complete protocol specifications. A prominent example is the case of the Ethereum PoS protocol, where today most nodes do not run the default PoS protocol but instead run the MEV-Boost modified protocol, as participating in the MEV auction market generates additional rewards, whereas running the exact normative protocol does not provide this extra reward.
Game-Theoretic Equilibrium Model
The game-theoretic equilibrium model attempts to address the shortcomings of the Byzantine model by using concepts such as Nash equilibrium to investigate whether rational nodes have economic incentives to follow a given strategy when all other nodes also follow the same strategy. More specifically, assuming everyone is rational, the model investigates two questions:
- If all other nodes follow the protocol-specified strategy, will executing the same protocol-specified strategy yield the maximum economic benefit for me?
- If every other node is executing the same protocol-deviating strategy, will it still be most incentivizing for me to follow the protocol-specified strategy?
Ideally, the design of the protocol should ensure that the answers to both questions are "yes."
An inherent drawback of the game-theoretic equilibrium model is that it excludes scenarios where external agents may influence node behavior. For example, external agents can set up bribes to incentivize rational nodes to act according to their specified strategies. Another limitation is that it assumes each node has independent agency to decide which strategy to adopt based on its ideology or economic incentives. However, this does not cover scenarios where a group of nodes colludes to form a cartel or where economies of scale encourage the creation of a centralized entity that essentially controls all staked nodes.
Separating Bribery Costs from Bribery Profits
Some researchers have proposed a bribery analysis model to analyze the security of any PoS protocol, although no one has used it for more in-depth analysis. This model first poses two questions: (1) What is the minimum cost required for any adversary to successfully execute a security or liveness attack on the protocol? (2) What is the maximum profit that an adversary can gain from successfully executing a security or liveness attack on the protocol?
The adversary in the questions may be:
- A node that unilaterally deviates from the protocol-specified strategy;
- A group of nodes that actively cooperate to undermine the protocol; or
- An external adversary attempting to influence the decisions of many nodes through external actions such as bribery.
Calculating the costs involved requires considering any costs incurred by bribery, any economic penalties arising from executing Byzantine strategies, etc. Similarly, calculating profits is all-encompassing, including rewards obtained within the protocol from successfully attacking it, any value obtained from DApps built on top of the PoS protocol, holding derivatives related to the protocol in secondary markets, and profiting from the volatility caused by the attack, etc.
Comparing the lower bound of the minimum cost for any adversary to initiate an attack (bribery cost) with the upper bound of the maximum profit that the adversary can extract (bribery profit) indicates whether attacking the protocol is economically profitable (Note: this model has been used to analyze Augur and Kleros), giving us a simple equation:
Bribery Profit - Bribery Cost = Total Profit
If the total profit is positive, then the adversary has the motivation to launch an attack. In the next section, we will consider how to increase bribery costs through slashing, thereby reducing or eliminating total profit. (Note that a simple example of the upper limit of bribery profit is the total value of assets protected by the PoS protocol. More complex boundaries can be established that take into account circuit breakers limiting asset transfers over a period of time. A detailed study of methods to reduce and limit bribery profits is beyond the scope of this paper.)
II. Slashing
Slashing is a way for PoS protocols to economically penalize a node or a group of nodes for executing a provably different strategy from the given protocol specifications. Typically, to implement any form of slashing, each node must commit a certain amount of stake in advance as collateral. Before delving into slashing, we will first examine PoS systems with endogenous tokens that rely on token toxicity as an alternative to slashing.
We primarily focus on the study of slashing mechanisms for security violations rather than liveness violations. We impose this limitation for two reasons: (1) security violations are fully attributable in some BFT-based PoS protocols, while liveness violations are not attributable in any protocol, and (2) security violations are generally more severe than liveness violations, leading to the loss of user funds rather than users being unable to publish transactions.
What Problems Arise Without Slashing?
Consider a PoS protocol composed of N rational nodes (with no Byzantine or altruistic nodes). Let us assume, for simplicity in calculations, that each node deposits an equal amount of staked assets. We first explore how token toxicity fails to guarantee significant bribery costs. To maintain consistency throughout the document, we also assume that the PoS protocol used is a BFT protocol with a ⅓ adversary threshold.
Token Toxicity is Insufficient
A common viewpoint is that token toxicity can protect staking protocols from any attacks on their security. Token toxicity implies that if the protocol is successfully attacked, the underlying tokens used for staking will lose value, thereby deterring participating nodes from attacking the protocol. Consider the scenario where 1/3 of stakers collude: these nodes can cooperate to undermine the security of the protocol. But the question is whether they can do so without facing penalties?
If the total valuation of the staked tokens strictly depends on the security of the protocol, then any attack on the protocol's security could potentially reduce its total valuation to zero. Of course, in practice, it will not drop directly to zero, but rather to some smaller value. However, to illustrate the most powerful possible case for token toxicity, we will assume here that token toxicity works perfectly. The bribery cost for any attack on the protocol is then the value of the tokens held by the rational nodes attacking the system, which they must be willing to lose entirely.
We now analyze the motivations for collusion and bribery in a PoS system with token toxicity in the absence of slashing. Assume the external adversary sets up bribery conditions as follows:
- If a node executes the strategy indicated by the adversary but the attack on the protocol is unsuccessful, the node receives a reward B1 from the adversary.
- If a node executes the strategy indicated by the adversary and the attack on the protocol is successful, the node receives a reward B2 from the adversary.
For a node that has staked S, we can derive the following payoff matrix, where R is the reward for participating in the PoS protocol:
Assume the adversary sets the bribery rewards such that B1 > R and B2 > 0. In this case, regardless of the strategy taken by other nodes, the return from accepting bribes from the adversary is higher than from any other strategy that the node can adopt (that is, accepting is a dominant strategy). If 1/3 of the other nodes ultimately accept bribes, they can attack the security of the protocol (this is because we assume we are using a BFT protocol with an adversary threshold of ⅓). Now, even if the current node does not accept bribes, the tokens will lose their value regardless due to token toxicity (the cell in the upper right corner of the matrix).
Thus, accepting the B2 bribe is incentive-compatible for the node. If only a small number of nodes accept bribes, the tokens will not lose value, but the nodes can benefit from giving up the reward R in exchange for receiving B1 (the left column of the matrix). If 1/3 of the nodes agree to accept bribes and the attack is successful, the total cost of bribery paid by the adversary is at least N/3 × B2, which is the cost of bribery. However, the only condition for B2 is that it must be greater than zero, so B2 can be set close to zero, meaning the bribery cost can be negligible. This type of attack is referred to as a "P+ε" attack.
One way to summarize this impact is that token toxicity is insufficient because the effects of misbehavior are socialized: token toxicity completely devalues the tokens, affecting both good and bad nodes equally. On the other hand, the benefits of bribery are privatized and limited to those rational nodes that actually accept bribes. For those who accept bribes, there are no one-to-one consequences, meaning that this system lacks an effective version of "karma."
Is Token Toxicity Always Effective?
Another misleading claim popular in the ecosystem is that every PoS protocol can achieve a certain degree of protection through token toxicity. However, in reality, the exogenous incentives of token toxicity cannot extend to certain categories of protocols, where the valuation of the tokens used as stake does not depend on the secure operation of the protocol. One such example is re-staking protocols like EigenLayer, where ETH used in the Ethereum protocol is reused to guarantee the economic security of other protocols.
Consider re-staking 10% of ETH using EigenLayer to perform validation for a new sidechain. Even if all stakers in EigenLayer collude by attacking the security of the sidechain, the price of ETH is unlikely to drop. Therefore, token toxicity cannot be transferred to re-staking services, meaning that the bribery cost is zero.
What Help Does Slashing Provide?
In this section, we will explain how slashing can significantly increase bribery costs in two scenarios:
- Decentralized protocols under bribery;
- PoS protocols where token toxicity is non-transferable.
Preventing Bribery
Protocols can use slashing to greatly increase the corruption costs for external adversaries attempting bribery attacks. To better illustrate this, we consider an example of a BFT-based PoS chain that requires staking of the chain's native tokens, where an adversary must corrupt at least ⅓ of the total stake to successfully attack its security (in the form of double-signing). Assume the external adversary is able to bribe at least ⅓ of the total staked assets to execute double-signing. Evidence of double-signing can be submitted to a normative fork, which will slash the nodes that accepted bribes from the adversary and double-signed. Assuming each node stakes S tokens and all slashed tokens are destroyed, we obtain the following payoff matrix:
With slashing, if a node agrees to accept a bribe and the attack is unsuccessful, its staked assets S are slashed in the normative fork (the cell in the lower left corner of the matrix), contrasting with the bribery scenario without a slashing mechanism. On the other hand, even if the attack is successful, the node will not lose its staked assets S in the normative fork (the cell in the upper right corner of the matrix). If ⅓ of the total stake needs to be bribed to make the attack successful, then the bribery cost must be at least N/3 × S, which is significantly higher than the bribery cost without a slashing mechanism.
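The comparison between the token-toxicity case and the slashing case can be checked numerically. The following is an added example, not code from the original article: the payoff matrices are not reproduced on this page, so the cell values in `payoff` are assumptions inferred from the prose (in particular, that an honest node earns no R when the attack succeeds), and the sample numbers are constructed.

```python
from dataclasses import dataclass
from fractions import Fraction

HONEST, BRIBED = "honest", "bribed"
FAILS, SUCCEEDS = "attack_fails", "attack_succeeds"


@dataclass(frozen=True)
class Protocol:
    n: int                                 # N: equal-stake rational nodes
    stake: Fraction                        # S: stake per node
    reward: Fraction                       # R: reward for honest participation
    slashing: bool                         # True: double-signers lose S
    threshold: Fraction = Fraction(1, 3)   # BFT adversary threshold


def payoff(p, action, outcome, b1=Fraction(0), b2=Fraction(0)):
    """Payoff of one node. Cell values are assumptions inferred from the prose."""
    if action == HONEST:
        if outcome == FAILS:
            return p.stake + p.reward
        # Attack succeeds: with slashing the honest node keeps S on the
        # normative fork; without it, perfect token toxicity leaves nothing.
        return p.stake if p.slashing else Fraction(0)
    if outcome == FAILS:
        # Bribed but the attack fails: S survives only if there is no slashing.
        return (Fraction(0) if p.slashing else p.stake) + b1
    # Bribed and the attack succeeds: S is slashed or worthless, only B2 remains.
    return b2


def bribe_floors(p):
    """(B1, B2) values a bribe must strictly exceed to dominate honesty."""
    return (payoff(p, HONEST, FAILS) - payoff(p, BRIBED, FAILS),
            payoff(p, HONEST, SUCCEEDS) - payoff(p, BRIBED, SUCCEEDS))


def is_bribe_dominant(p, b1, b2):
    """True if taking the bribe beats honesty whatever the other nodes do."""
    return all(payoff(p, BRIBED, o, b1, b2) > payoff(p, HONEST, o)
               for o in (FAILS, SUCCEEDS))


def bribery_cost_floor(p):
    """Lower bound on the adversary's payout for a successful attack."""
    return p.n * p.threshold * bribe_floors(p)[1]


def total_profit(p, bribery_profit):
    """The page's equation: Bribery Profit - Bribery Cost = Total Profit."""
    return bribery_profit - bribery_cost_floor(p)


if __name__ == "__main__":
    # Constructed sample values, not figures from the article.
    for slashing in (False, True):
        p = Protocol(n=300, stake=Fraction(32), reward=Fraction(1),
                     slashing=slashing)
        print(slashing, bribe_floors(p), bribery_cost_floor(p),
              total_profit(p, 1000))
```

With these constructed values the bribery cost floor moves from 0 (token toxicity only) to N/3 × S = 3200 (slashing), which turns a positive total profit into a negative one for the same bribery profit.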
Protection Against Non-Transferable Token Toxicity Situations
In some PoS protocols where the valuation of tokens is not affected by the security of the protocol, token toxicity is non-transferable. In many such systems, the PoS protocol is built on top of another underlying protocol. The PoS protocol then deploys a dispute resolution mechanism on the underlying protocol and grants the underlying protocol the authority to provably slash nodes of the PoS protocol, so that the underlying protocol's security is shared with the PoS protocol.
For example, if Byzantine actions in the PoS protocol can be objectively attributed to hostile nodes in the underlying protocol, then their stake in the PoS protocol will be slashed in the underlying protocol. One example of such a PoS protocol is EigenLayer, characterized by re-staking, which allows different validation tasks to gain security from the Ethereum underlying protocol. If in a validation task on EigenLayer, a node re-stakes and adopts a Byzantine strategy, where the Byzantine behavior can be objectively attributed, then it can be proven that the node is hostile on Ethereum, and its staked assets will be slashed (regardless of how large the stake is).
Assuming each node re-stakes S, all slashed tokens are destroyed, and rewards R are obtained from participation, we construct the following payoff matrix:
Since we are considering validation tasks where any Byzantine behavior can be objectively attributed, even if the node behaves honestly but the attack is successful, the node will not be slashed on Ethereum (the cell in the upper right corner of the matrix). On the other hand, a node that agrees to accept a bribe and exhibits hostile behavior will be objectively slashed on Ethereum (the bottom row of the matrix). If ⅓ of the total stake needs to be bribed to make the attack successful, then the bribery cost is at least N/3 × S.
We also consider the extreme case where all staked assets of the PoS protocol are concentrated in one node. This is an important scenario as it foreshadows the eventual centralization of stakes. Given our assumption that there is no token toxicity for re-staked tokens, if there is no slashing, the centralized node can operate in a Byzantine manner without facing penalties. However, with slashing, this Byzantine centralized node can be penalized in the underlying protocol.
Slashing for Attributable Attacks vs. Non-Attributable Attacks
There is an important subtlety between slashing for attributable attacks and slashing for non-attributable attacks. Consider the case of security failures arising in Byzantine fault-tolerant protocols. Typically, these stem from double-signing Byzantine behavior aimed at undermining the security of the blockchain—this is an example of an attributable attack, as we can identify which nodes attacked the security of the system. On the other hand, Byzantine behavior that involves censoring transactions to undermine the liveness of the blockchain is an example of a non-attributable attack. In the former case, slashing can be algorithmically implemented by providing evidence of double-signing to the state machine of the blockchain.
In contrast, since it is not possible to algorithmically prove whether nodes are actively censoring, slashing for censoring transactions cannot be algorithmically completed. In this case, the protocol may have to rely on social consensus to enforce slashing. A certain proportion of nodes can execute a hard fork to specify slashing for those accused of participating in censorship. This hard fork will only be considered a normative fork when social consensus emerges.
We define bribery costs as the minimum cost to execute a security attack. However, we need an attribute of PoS protocols called accountability, which means that if the protocol loses security, there should be a way to attribute responsibility to a small number of nodes (⅓ of nodes in BFT protocols). It turns out that analyzing which protocols are accountable is subtle (see the paper on BFT protocol accountability here). Furthermore, it has been shown that dynamically available longest chain protocols (e.g., PoSAT) are unaccountable (for a discussion on the trade-offs between dynamic availability and accountability, as well as some methods to address these fundamental trade-offs, see this paper).
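The difference between attributable and non-attributable faults can be seen in what a state machine is able to check. The following is an added example, not code from the original article or from any client: the vote tuple layout, validator names and stakes are hypothetical, the votes are constructed sample data, and signature verification is assumed to have happened before a vote reaches these functions.

```python
from fractions import Fraction

# Constructed sample votes: (validator, height, round, block_hash).
VOTES = [
    ("val-a", 10, 0, "0xaa"),
    ("val-b", 10, 0, "0xaa"),
    ("val-c", 10, 0, "0xaa"),
    ("val-a", 10, 0, "0xbb"),   # conflicts with val-a's earlier vote
    ("val-b", 10, 0, "0xaa"),   # exact duplicate: a resend, not a double-sign
    ("val-c", 11, 0, "0xcc"),   # different height: not a conflict
    ("val-d", 10, 1, "0xbb"),   # val-d never voted in round 0 (an omission)
]
STAKES = {"val-a": 32, "val-b": 32, "val-c": 32, "val-d": 32}


def find_double_signs(votes):
    """Return {validator: (first_vote, conflicting_vote)} evidence pairs.

    Evidence exists only when one validator signed two different block
    hashes for the same (height, round). A missing vote, as with censorship
    or downtime, leaves nothing that can be submitted as proof.
    """
    seen = {}
    evidence = {}
    for vote in votes:
        validator, height, rnd, block_hash = vote
        first = seen.setdefault((validator, height, rnd), vote)
        if first[3] != block_hash and validator not in evidence:
            evidence[validator] = (first, vote)
    return evidence


def apply_slashing(stakes, evidence):
    """Destroy the whole stake of every validator named in the evidence."""
    after = dict(stakes)
    burned = 0
    for validator in evidence:
        burned += after.get(validator, 0)
        after[validator] = 0
    return after, burned


def slashed_fraction(stakes, burned):
    """Share of the total stake that the evidence made attributable."""
    return Fraction(burned, sum(stakes.values()))


if __name__ == "__main__":
    ev = find_double_signs(VOTES)
    after, burned = apply_slashing(STAKES, ev)
    print(ev, after, slashed_fraction(STAKES, burned))
```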
III. Traps of Slashing and Mitigations
Like any technology, slashing can also bring its own risks if not implemented carefully:
Client Misconfiguration/Key Loss. One of the traps of slashing is that innocent nodes may suffer disproportionate penalties due to unintentional errors (such as misconfigured keys or lost keys). To address concerns about excessively slashing honest nodes due to negligent errors, protocols can adopt certain slashing curves that impose lighter penalties when only a small amount of staked assets is inconsistent with the protocol, but impose severe penalties when the stake that follows a strategy conflicting with the protocol exceeds a threshold proportion. For example, Ethereum 2.0 adopts this approach.
Credible Slashing Threats as a Lightweight Alternative. If a PoS protocol does not implement algorithmic slashing, it can instead rely on social slashing threats, meaning that in the case of a security failure, nodes will agree to point to a hard fork where misbehaving nodes will lose their funds. While this does require significant social coordination compared to algorithmic slashing, as long as the threat of social slashing is credible, the game-theoretic analysis proposed above continues to apply to protocols that rely on commitments rather than algorithmic slashing.
Social Slashing for Liveness Failures is Fragile. Social slashing is necessary to punish non-attributable attacks, such as liveness failures like censorship. While social slashing can theoretically be implemented for non-attributable failures, it is difficult for newly joined nodes to verify whether such social slashing is for the right reasons (censorship) or because the node was falsely accused. When social slashing is used for attributable failures, there is no such ambiguity even without an algorithmic slashing implementation. Newly joined nodes can continue to verify that this slashing is legitimate because they can check their double-signatures, even if only manually.
IV. What Happens to Slashed Funds?
There are two possible methods to handle slashed funds: destruction and insurance.
Destruction: The direct method of handling slashed funds is simply to destroy them. Assuming the total value of the tokens does not change due to the attack, the value of each token will increase proportionally and will be more valuable than before. Destruction does not identify the parties harmed by the security failure and compensate them; instead, it indiscriminately benefits all non-attacking token holders.
Insurance: A more complex slashing fund distribution mechanism that has not yet been studied involves insurance bonds issued against slashing. Customers trading on the blockchain may obtain these insurance bonds in advance on the blockchain to protect themselves from potential security attacks, providing insurance for their digital assets. When an attack jeopardizing security occurs, algorithmic slashing of stakers generates a fund that can then be distributed to insurers in proportion to the bonds.
V. Current State of Slashing in the Ecosystem
To our knowledge, Vitalik first explored the benefits of slashing in this article in 2014. The Cosmos ecosystem built the first effective slashing implementation in its BFT consensus protocol, which enforces slashing when validators fail to participate in proposing blocks or double-sign ambiguous blocks.
Ethereum 2.0 has also incorporated a slashing mechanism into its PoS protocol, where validators may be penalized for making ambiguous proofs or proposing ambiguous blocks. Slashing misbehaving validators is a way to achieve economic finality in Ethereum 2.0. Validators may also face relatively mild penalties for lacking proofs or if they fail to propose blocks when they should.
***
PoS protocols without slashing mechanisms are highly vulnerable to bribery attacks. We use a new model (the bribery analysis model) to analyze complex bribery attacks and then use it to illustrate that PoS protocols with slashing mechanisms have quantifiable anti-bribery security. While there are drawbacks to incorporating slashing into PoS protocols, we propose several possible methods to mitigate these drawbacks. We hope that PoS protocols will use this analysis to evaluate the benefits of slashing in certain cases—potentially enhancing the security of the entire ecosystem.