Tari Protocol Discussion 27
On Monday, the Tari community gathered to assess tools needed to prevent bad actors from participating as validator nodes on the Tari network. Below is the TL;DR on Monday’s conversation (full transcript included below):
One way to discourage bad actors on the Tari network is to simply make it more expensive to try and game the system than to just do what is required to manage a particular digital asset.
Something like a strong BFT consensus could work here, where one only gets paid fees if there is evidence of participation and they voted with the BFT consensus group.
A few game theory concepts to consider implementing on the Tari network:
- VNs can only get paid their fees for ‘with BFT votes’ and not ‘against BFT votes’.
- No recourse for attempted bad acting other than loss of income.
- VNs guilty of bad acting can/should be banned from a committee.
- VNs guilty of bad acting will not be known for such outside of the committee where it occured.
Join us for our next discussion on Freenode in #tari-dev.
Discussion times proposed by the Tari community:
Mondays: 6pm CAT (11am EST)
Thursdays: 11am CAT (4am EST)
To keep up with the latest Tari developments, you can follow the project on Twitter.
Transcript of Monday’s discussion
10:33 AM <Hansie> Hi there, anyone? 10:35 AM <Hansie> Maybe it is wrong to assume that a VN registration Tx will include the registration fee as well as the collateral to manage an asset? 10:47 AM <Blackwolfsa> Yes I think we should split them 10:47 AM <Blackwolfsa> Asset collateral should be split so as to easy manage multiple ones 10:49 AM <Hansie> Do you propose a specific 'ring fenced' collateral for a specific digital asset? 10:51 AM <Blackwolfsa> I think so yes 10:52 AM <Hansie> Time-locked registration UTXO, mined in the base layer? 10:53 AM <Blackwolfsa> Both should be in the base layer. 10:53 AM <Blackwolfsa> Mined 10:54 AM <Blackwolfsa> This should make it sybil resistant and then registration is important for the vn id 10:55 AM <Hansie> Makes sense 10:56 AM <Hansie> So is the collateral UTXO into some sort of multisig, and the registration UTXO a payment to self? 10:57 AM <Blackwolfsa> Definitely an aggregated signed, multi signature is up for debate 10:57 AM <Blackwolfsa> If we can do snorr + shamir then it can be aggregated 10:59 AM <Hansie> Cool 11:00 AM <Hansie> Any recourse for attempted bad acting on the part of a VN? 11:01 AM <Blackwolfsa> I am a fan of designing a system to not need it. Any idea how we could? 11:02 AM <Xeagu> Meeting now? 11:02 AM <Hansie> <Xeagu> : Just packing up now on my part 11:06 AM <Hansie> Blackwolfsa: Maybe make it more expensive to try and game the system than to just do what is required to manage the asset. Something like a strong BFT consensus, only get paid fees if there are evidence of participation and voted with the BFT consensus group. ?? 11:10 AM <Blackwolfsa> Yes I think something along those lines 11:10 AM <Hansie> How does this sound? 11:10 AM <Hansie> `Assumptions - Game theory` 11:10 AM <Hansie> - VNs can only get paid their fees for 'with BFT votes' and not 'against BFT votes'. 11:10 AM <Hansie> - No recourse for attempted bad acting other than loss of income. 11:10 AM <Hansie> - VNs guilty of bad acting can/should be banned from a committee. 11:10 AM <Hansie> - VNs guilty of bad acting will not be known for such outside of the committee where it occured. 11:11 AM <Blackwolfsa> We could easily add a memory only known bad actors 11:11 AM <Blackwolfsa> And propagate those forward 11:11 AM <Hansie> Maybe that could be gamed easily? 11:12 AM <Hansie> Got to go, bye for now. 11:12 AM <Blackwolfsa> Well you could easily vote for you want with you in the committee 11:12 AM <Blackwolfsa> Do how do we control that? 11:13 AM <neonknight> VNs will be discourage from bad acting as they will be motivated to make fees. Running a VN costs money and resources. 11:14 AM <neonknight> Voting who you want part of a committee might not be great as the bad player can then promote his BAD friends to be part of his committee. 11:18 AM <Blackwolfsa> We need some way of voting off non performance 11:18 AM <Blackwolfsa> If we can get a nice way of controlling this then we can allow that 11:19 AM <oneiric_> does any kind of vetting or trust-then-verify system make sense in this context? 11:19 AM <simian_za> It's not really possible to vet a VN 11:20 AM <simian_za> You can only really judge them based on their performance in your committee 11:20 AM <neonknight> Also most VNs will be completely anonymous 11:21 AM <oneiric_> ok, so really only trust-then-verify, where bad performance is punished 11:21 AM <Blackwolfsa> We can't really punish as well, only punish by not paying fees out 11:22 AM <Blackwolfsa> What we need is to motivate VNs to vote bad performance out 11:22 AM <simian_za> exactly, there might be a possibility of a blacklist but when you start down that road you kind of create a way for bad actors to attack other actors 11:23 AM <neonknight> I think most punishment mechanisms can be gamed and could be used incorrectly 11:24 AM <Blackwolfsa> We need to be able to solve this: there is a commitee that has a mayorrity bad performance in it. They don't care that they don't handle all requests 11:24 AM <Blackwolfsa> They get their fees 11:24 AM <Blackwolfsa> We need to be able to remove them 11:25 AM <simian_za> So I guess in the same way that the Asset Issuer will control the process to convene the first committee they should have a mechanism to remove non performant members 11:26 AM <Blackwolfsa> We need the fees to be a factor of how much work you did vs how much work the commitee did 11:26 AM <simian_za> Is there any reason that giving the Asset Issuer absolute rights to kick members of the committee is a problem? 11:27 AM <oneiric_> why not majority, or super-majority, voting? with maybe some external check to ensure will of the masses doesn't unjustly punish individuals? 11:27 AM <simian_za> that is still an issue if you get a majority of low performers (only actually handle say 50% of the instructions coming in) and they are happy with that 11:28 AM <Blackwolfsa> I see no problem allowing the asser issuer to kick people 11:28 AM <Blackwolfsa> Well if you have someone handling less then you you should get less fess 11:28 AM <Blackwolfsa> That way it motivates you to get better VNs as buddies 11:29 AM <oneiric_> ^ if the issuer having kick privileges is the agreement going in, then yeah that makes sense 11:30 AM <simian_za> In the end its the Issuer who has the most incentive to make sure the asset is being serviced properly 11:30 AM <Blackwolfsa> Yes 11:31 AM <stanimal> The AI has ultimate control over the VNs used - in a network selected committee, could you not specify a bigger committee size should you require more capacity? 11:31 AM <Blackwolfsa> If we can make the fee formula so that the amount you get is max if every vn including you handle 100% of fees 11:31 AM <Blackwolfsa> Then it's incentives to have only good vns 11:32 AM <simian_za> stanimal: that is true you could though you would need to be willing to pay more fees 11:33 AM <stanimal> The issuer wallet could maintain the reputation stats of the VNs used, and make better decisions after the next checkpoint 11:34 AM <stanimal> i.e. choose not to include the offending VN next time 11:34 AM <stanimal> eventually finding trustworthy, reliable VNs 11:34 AM <oneiric_> any way for VN to regain lost reputation? 11:35 AM <oneiric_> let's say they were manipulated into bad action? 11:35 AM <simian_za> well they could register a new VN 11:36 AM <simian_za> they would need to front a new registration fee but the tainted VN registration fee will be released in the future 11:37 AM <neonknight> Stanimal: I think the issuer might know the distribution of payouts to each committee member at the end of each checkpoint, this should correlates with their service delivery but not necessarily bad acting. The issuer could drop worst performer for an alternate VN. 11:38 AM <simian_za> oneiric_: keeping track of a VNs "reputation", good or bad, between different committees is quite challenging. We have not been able to think of a good way to do it in a decentralized manner that cannot be gamed 11:39 AM <simian_za> even in the most rudimentary terms such as a one-strike your burned blacklist 11:40 AM <oneiric_> how do coins like steemit do it? 11:40 AM <stanimal> It would be centralized in the local asset issuer wallet - or would that not make sense? 11:41 AM <neonknight> It could be centralised, but I don't think the asset issuer will always be online. 11:41 AM <stanimal> Good point 11:42 AM <Blackwolfsa> It would be great if the asset issuer doesn't have to be 11:43 AM <Blackwolfsa> I think we could design it so that he doesn't have to be 11:44 AM → mikethetike joined ⇐ el00ruobuob quit 11:47 AM <simian_za> oneiric_: Not sure how steemit was set up but most the non-PoW coins use some sort of proof of stake mixed with including their own trusted nodes in the mix 11:47 AM <simian_za> both factors work because of the centralization 11:48 AM <stanimal> So the current deterrents we have are: loss of fees and the cost of mounting an attack on a committee (network selected would make it hard & expensive to become part of any particular committee) - for any high value assets, the safety net is to use permissioned nodes - is that right? 11:48 AM <oneiric_> damn, knew there was something about steemit that bugged me 11:49 AM <simian_za> I am not 100% versed in the actual story but there was a lot of shade being thrown at steem over the last year 11:50 AM <simian_za> stanimal: sounds about right 11:50 AM <stanimal> loss of fees = VN running costs + somehow not including them in the next committee - which I guess we don't completely have 11:52 AM <simian_za> well they also loose the potential fees they could be earning with their registration fee + collateral by not performing 11:52 AM <simian_za> so thats a lost opportunity cost 11:58 AM <Blackwolfsa> Yip only lost opportunity 11:58 AM <stanimal> Could committee members come to a consensus that a VN is being a douchebag (technical term for bad actor) - and not forward messages to them (losing the bad VN fees)- additionally, the asset issuer would also be able to see that committee state and potentially act on that 11:59 AM <Blackwolfsa> Could be as well 11:59 AM <Blackwolfsa> There could be some devious ways to "vote" a VN out 11:59 AM <neonknight> I think it could happen 12:01 PM <stanimal> But then you'd have a bad committee right? 12:01 PM <Blackwolfsa> No you are doing your job 12:01 PM <Blackwolfsa> Signing valid instructions 12:02 PM <Blackwolfsa> We need to motivate good behaviour 12:02 PM <neonknight> Agreed, the same thing will happen if 1 out of 5 VNs have bad latency and the other 4 always reach consensus without the slow VN. 12:04 PM <stanimal> Ye agreed, back to punishment models being gamed 12:04 PM <stanimal> or being unjust 12:07 PM <Blackwolfsa> If the economics is chosen in such a way it should self regulate 12:09 PM <stanimal> Definitely first prize - thanks all g2g