ethereumclassic / ECIPs

https://ecips.ethereumclassic.org

[Discussion] ECIP-TBD: Increase ETC security by slashing #495

Closed qizhou closed 11 months ago

qizhou commented 2 years ago

ecip: TBD
title: Increase ETC security by slashing
description: Increase ETC security by requiring security deposits for miners
author: Qi Zhou (@qizhou)
discussions-to: TBD
status: Draft
type: Standards Track
category: Core
created: 2022-09-05
requires:

Abstract

Increasing the cost of reverting a one-hour confirmed ETC transaction to that of a one-week confirmed transaction by requiring a relatively small amount of security deposits for miners.

Motivation

The motivation of the proposal is to increase the reverting cost of an ETC transaction that was confirmed by one-hour blocks to the cost of reverting one-week blocks, i.e., 168x increment for any ETC transaction confirmed by recent one-hour blocks.

The cost of reverting n blocks of a PoW chain can be roughly estimated as n * BLOCK_REWARD * TOKEN_PRICE. To increase the attack cost, the basic idea of the proposal is to introduce security deposits for miners besides the existing PoW algorithm, where the security deposit can be slashed if an attack is identified.

To achieve the security goal, the total amount of the security deposit for recent one-hour blocks should equal the number of ETCs produced in one week, which is about 2.48 (ETC per block) * 45818 (blocks in one week) = 113,628.64 ETCs. As a result, since ETC produces about 256 blocks per hour, the proposal will require a miner to deposit 113,628.64 / 256 ~ 443.87 ETC per block in any 256-block window.

Specification

Constant Value
FORK_BLKNUM TBD
SECURITY_DEPOSIT_CONTRACT TBD
BLOCK_REWARD 2.48
HASHRATE_ESTIMATE_WINDOW 256
SECURITY_BLOCKS 45818
SECURITY_DEPOSIT_WITHDRAW_WAIT_BLOCKS 91636

If block.number >= FORK_BLKNUM, to produce a block, a miner is required to prove the following amount of ETCs locked in the SECURITY_DEPOSIT_CONTRACT before performing the existing PoW difficulty check:

SECURITY_BLOCKS * BLOCK_REWARD * (n + 1)  // HASHRATE_ESTIMATE_WINDOW

where n is the number of blocks produced by the miner in recent HASHRATE_ESTIMATE_WINDOW - 1 blocks.

In addition, the miner is able to produce a special block that can perform an optional deposit operation before the security deposit and PoW difficulty checks.

To withdraw the locked ETCs in SECURITY_DEPOSIT_CONTRACT, the miner can submit a normal tx to transfer the ETCs from locked status to withdrawing status. After staying in withdrawing for SECURITY_DEPOSIT_WITHDRAW_WAIT_BLOCKS blocks, the miner can withdraw the ETCs immediately.

Rationale

To revert one-hour blocks of the ETC canonical chain, i.e., roughly HASHRATE_ESTIMATE_WINDOW blocks given 13.2s average block interval, the proposal requires the attacker to deposit and lock SECURITY_BLOCKS * BLOCK_REWARD = 113628.64 ETCs. This amount of ETCs can be slashable if the attack is identified, and thus the cost of reverting a one-hour post-upgraded ETC chain equals that of the original ETC without deposit for about 1 week.

The withdrawal waiting time, i.e., SECURITY_DEPOSIT_WITHDRAW_WAIT_BLOCKS * 13.2s average block interval is set to about 2 weeks to leave enough time for the ETC community to determine if an attack happened and to perform the corresponding slashing mechanism (e.g., via social consensus).

Note that this also requires a miner to provide at least

SECURITY_BLOCKS * BLOCK_REWARD // HASHRATE_ESTIMATE_WINDOW = 443.87 ETCs

to produce a block, and the amount required increases linearly with the proportional hash power of the miner vs that of all miners. E.g., a miner with 10% of hashpower of the network would generally require

SECURITY_BLOCKS * BLOCK_REWARD * 10% = 11362.864 ETCs

to mine efficiently.

Security Considerations

Needs discussion.

Copyright

Copyright and related rights waived via CC0.
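
The deposit rule and withdrawal delay from the Specification above, sketched in Python as an added example (not part of the original post or of any ETC client). Amounts are in wei so that the spec's integer division is exact; `DepositLedger` and all function names are hypothetical, and treating funds in withdrawing status as still held by the contract is a reading of the Rationale's two-week wait.

```python
from collections import defaultdict

# Constants from the Specification table. Amounts are in wei (1 ETC = 10**18 wei).
BLOCK_REWARD = 248 * 10**16                      # 2.48 ETC
HASHRATE_ESTIMATE_WINDOW = 256
SECURITY_BLOCKS = 45818
SECURITY_DEPOSIT_WITHDRAW_WAIT_BLOCKS = 91636


def required_deposit(miner, ancestor_coinbases):
    """Deposit `miner` must have locked to produce the next block.

    ancestor_coinbases: coinbase addresses of the parent chain, oldest first.
    n counts the miner's blocks among the most recent WINDOW - 1 ancestors.
    """
    recent = ancestor_coinbases[-(HASHRATE_ESTIMATE_WINDOW - 1):]
    n = recent.count(miner)
    return SECURITY_BLOCKS * BLOCK_REWARD * (n + 1) // HASHRATE_ESTIMATE_WINDOW


class DepositLedger:
    """Hypothetical in-memory stand-in for SECURITY_DEPOSIT_CONTRACT."""

    def __init__(self):
        self.locked = defaultdict(int)           # miner -> wei counted toward mining
        self.withdrawing = defaultdict(list)     # miner -> [(wei, request_block)]

    def deposit(self, miner, amount):
        self.locked[miner] += amount

    def request_withdraw(self, miner, amount, block_number):
        # Funds leave "locked" at once, so they stop counting toward the check,
        # but they stay in the contract for the whole wait period (assumption:
        # that is the period in which slashing can still reach them).
        if amount > self.locked[miner]:
            raise ValueError("amount exceeds locked deposit")
        self.locked[miner] -= amount
        self.withdrawing[miner].append((amount, block_number))

    def claimable(self, miner, block_number):
        """Wei whose wait period has elapsed and can be withdrawn."""
        return sum(amount for amount, start in self.withdrawing[miner]
                   if block_number - start >= SECURITY_DEPOSIT_WITHDRAW_WAIT_BLOCKS)

    def at_risk(self, miner, block_number):
        """Wei still held by the contract: locked plus unmatured withdrawals."""
        pending = sum(amount for amount, start in self.withdrawing[miner]
                      if block_number - start < SECURITY_DEPOSIT_WITHDRAW_WAIT_BLOCKS)
        return self.locked[miner] + pending


def passes_deposit_check(ledger, miner, ancestor_coinbases):
    """The check the spec places before the existing PoW difficulty check."""
    return ledger.locked[miner] >= required_deposit(miner, ancestor_coinbases)
```

A miner that produced every block in the window owes the full SECURITY_BLOCKS * BLOCK_REWARD, which is the amount the Rationale says an attacker reverting one hour of blocks must lock.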

qizhou commented 2 years ago

@atoulme @gitr0n1n @IstoraMandiri @meowsbits

Jamyye commented 2 years ago

While I appreciate the motivation of this discussion, I worry that this will lead to a higher cost to enter the mining scene and hurt decentralization.

Right now, a miner can solo mine to their own local node if they so choose. Does this proposal suggest that a miner locks up 443.87 ETC in order to do that?

From the perspective of a small pool owner, many would be forced to stop their operations if they weren't able to find a lump sum of ETC.

Currently, ETC's mining ecosystem is very decentralized having matured for many years and being interoperable with ETH has led to many open-source mining software and pools.

There are over 80 public pools for ETC. The small to medium size pools would have to lock, say 1%, which is 1136 ETC, over $42,000 as of now - and will most likely only increase in cost.

Even for large pools, top 5 pools, they would all of a sudden require to lock up nearly 11362-20000 ETC, over $420k-740k USD as of typing.

My worries are this will hurt decentralization of the mining ecosystem, forcing solo miners to "solo pools" run by large owners and forcing small pools out.

qizhou commented 2 years ago

> While I appreciate the motivation of this discussion, I worry that this will lead to a higher cost to enter the mining scene and hurt decentralization.
>
> Right now, a miner can solo mine to their own local node if they so choose. Does this proposal suggest that a miner locks up 443.87 ETC in order to do that?
>
> From the perspective of a small pool owner, many would be forced to stop their operations if they weren't able to find a lump sum of ETC.
>
> Currently, ETC's mining ecosystem is very decentralized having matured for many years and being interoperable with ETH has led to many open-source mining software and pools.
>
> There are over 80 public pools for ETC. The small to medium size pools would have to lock, say 1%, which is 1136 ETC, over $42,000 as of now - and will most likely only increase in cost.
>
> Even for large pools, top 5 pools, they would all of a sudden require to lock up nearly 11362-20000 ETC, over $420k-740k USD as of typing.
>
> My worries are this will hurt decentralization of the mining ecosystem, forcing solo miners to "solo pools" run by large owners and forcing small pools out.

Many thanks for raising the concern. Admittedly, this may increase the burden for solo miners to obtain at least 443.87 ETC as the "commitment" to being good miners. There are a couple of ways to solve the problem:

  1. We could increase HASHRATE_ESTIMATE_WINDOW to 2 hours or more (e.g., 1 day) so that 443.87 ETC can be reduced to 221.93 ETC (2-hour window) or 18.49 ETC (1-day window) at the cost of longer finality time, especially for the waiting time of depositing assets in exchanges. We could discuss the tradeoff to see what is the best for miners and users.

  2. Another way is to borrow ETC if the borrowing rate is favorable. E.g., suppose the PoW cost is about half of the mining revenue, the APR is about 5200% / 2 = 2600%, which is very high compared to my estimated borrowing rate for ETC (e.g., Compound offers 2.8% APY borrowing rate for ETH).

Note that compared to other pure PoS, which may lock ~10% total supply (e.g., ETH PoS is about 10%), the required staked tokens are about 113,628.64 / 136,664,275~0.083%, which is less than 0.1% of the total supply of ETC.

atoulme commented 2 years ago

Can you expand a bit on the motivation of this ECIP? What purpose does it serve and what does it achieve? That is unclear to me right now.

qizhou commented 2 years ago

> Can you expand a bit on the motivation of this ECIP? What purpose does it serve and what does it achieve? That is unclear to me right now.

Thanks for the question. The motivation is to enhance the security level of ETC transactions, which depends on the number of confirmation blocks.

To start, let us check https://www.crypto51.app/ for the attacking costs of all PoW chains, where I paste a screenshot here:

[image: screenshot from https://www.crypto51.app/]

One key parameter in the security is the "1h Attack Cost", which tells "how difficult to revert a block (and its txs) after 1-hour confirmation"? The higher the value, the harder the attack is, and thus the safer the chain is. For PoW chains, the equation is

n * BLOCK_REWARD * NUMBER_OF_BLOCKS_PER_HOUR

where n is the number of blocks produced in one hour.

For example, for ETH, the average block interval is 13.91s (from whattomine.com), and thus given $1638 USD/ETH, we have

3600 / 13.91 * 2 * 1638 = $847,850

or for ETC, we have block interval as 13.2s, and thus given $40.47 USD/ETH, we have

3600 / 13.2 * 2.48 * 40.47 = $27,372

which matches https://www.crypto51.app/ pretty well.

So suppose user A transfers $1M to user B, how long should user B wait until user B can safely assume the $1M fund will not be reverted by user A? A simple equation for ETC will be $1M / 27,372 ~ 36 hours, i.e., user B has to wait 36 hours so that the fund is safe, which is pretty long.

For the proposal, it requires the miners (including user A if the user wants to attack) to lock security deposits so that reverting the 1h blocks will be much more expensive. Given the parameters in the proposal, the attacker will spend 2.48 * 45818 * 40.47 = $4,598,551 to revert 1h blocks, which is even 5.4x higher than ETH! In other words, to assume $1M transfer is safe, we could only wait for 1M / 4,598,511 ~ 13 mins, which is much shorter than the previous 36 hours.

bobsummerwill commented 2 years ago

Have you seen this report by @meowsbits, by the way? Very relevant: https://github.com/meowsbits/51-percent-docs/

qizhou commented 2 years ago

> Have you seen this report by @meowsbits, by the way? Very relevant: https://github.com/meowsbits/51-percent-docs/

Many thanks for the report. I took a look at https://meowsbits.github.io/51-percent-docs/ and the data is very valuable (especially with MESS).

The proposal here can be combined with MESS with further security (or faster confirmation). For example, Coinbase now requires 3,000 block confirmations, which is about 11 hours, while Coinbase only requires 14 network confirmations for ETH (3.24 mins). The proposal here can further reduce the confirmation time of ETC, likely 14 network confirmations or even shorter based on previous analysis on reverting cost of 1-hour blocks. ($4.6M of proposed vs $0.847M of ETH)

Please let me know if you have further questions.

IstoraMandiri commented 2 years ago

Thanks for this interesting proposal @qizhou .

I have copied some initial comments from discord about potential side effects of this proposal, for your information, I hope they are useful.

Thanks for your contributions.

stevanlohja commented 2 years ago

I think the proposal is a good incentive for miners to "be honest" by requiring miners to pledge a stake in ETC, but I don't think this would be healthy for the decentralization of the network because:

  1. Ethereum Classic cannot handle all the miners from Ethereum (assuming the Merge is successful). This is going to further reduce the amount of small-medium sized miners on ETC. Miners already delegate their hardware and energy to win blocks and delegating a deposit is additional costs. We also have nuanced costs due to global energy insecurities which favors large miners that can establish operations in certain countries.
  2. MESS, while increasing security, favors the large miners politically and this proposal would favor them economically.

stevanlohja commented 1 year ago

> I think the proposal is a good incentive for miners to "be honest" by requiring miners to pledge a stake in ETC, but I don't think this would be healthy for the decentralization of the network because:
>
>   1. Ethereum Classic cannot handle all the miners from Ethereum (assuming the Merge is successful). This is going to further reduce the amount of small-medium sized miners on ETC. Miners already delegate their hardware and energy to win blocks and delegating a deposit is additional costs. We also have nuanced costs due to global energy insecurities which favors large miners that can establish operations in certain countries.
>   2. MESS, while increasing security, favors the large miners politically and this proposal would favor them economically.

Since we are in a post-ETH-merge era, my point on 1 and 2 is definitely solidified now.

qizhou commented 1 year ago

> Since we are in a post-ETH-merge era, my point on 1 is definitely a reality now.

I agree that ETC cannot handle all miners from ETH, especially ETH's hashpower was much greater. I also agree that miners put a lot of costs to delegate their hardware and energy to win a block. However, the cost of the delegation that converts to the security of ETC is amortized over time, while the upfront commitment cost is much higher (e.g., a GPU can generally run 4-years). My argument is that could we ask miners to pre-delegate a few weeks of mining costs (in terms of ETC token) so that we could increase the network (in recent one hour) to a few weeks based on the fact that the miners already commit a much higher upfront cost (measured in security level, generally a couple of years)?

OmniEdge commented 1 year ago

Istora's questions above are quite useful to answer and could help clarify things.

This ECIP only solves one thing but doesn't look at the whole. Increasing the reverting cost is a good objective in itself but is inversely correlated to decentralization and distribution of the mining infrastructure.

qizhou commented 1 year ago

> Thanks for this interesting proposal @qizhou .
>
> I have copied some initial comments from discord about potential side effects of this proposal, for your information, I hope they are useful.
>
> • Is it really necessary? Many seem confident that once ETC is the new Apex Predator, 51% attacks will be a thing of the past and even support removing other mitigation strategies like MESS

Thanks for the question. Even though ETC is now the blockchain with the dominant hashpower of Ethash, the cost of performing 51% attack is still relatively low given the data https://www.crypto51.app/.

> • Would it make ETC no longer permissionless? New participants would need someone's permission (buying ETC from someone) in order to mine it

I believe it is still permissionless given the assumption that the ETC market is fully decentralized - anyone can easily buy ETC from most exchanges and miners can hardly stop new buyers and prevent them from becoming new miners.

> • One problem is that acquiring this ETC to lock up means it's impossible to mine "fresh" coins that have no tx provenance, so it has privacy implications

This can be solved by allowing the mining of a new block together with an optional "deposit" transaction before PoSW check. This means that as long as the miner has a sufficient token balance, it could mine a new block by depositing the balance ahead of PoSW check.

> • It seems that it will shift power to large miners at the expense of small miners because it increases the barrier to entry / burden of getting started - what is the overall effect on centralization?

This depends on the minimal stake vs upfront commitment cost, especially since we assume that the miners (no matter the size they are) already commit a significant upfront cost of buying mining machines.

> • How does it affect the dynamic of chain splits in the case there is genuine community disagreement, does it discourage this?

The proposal does not change the fork-choice rule, and thus if there is a chain split, that means each chain has a sufficient deposit. However, the one with greater post-staking hashpower (or total difficulty) will win as the final canonical chain.

> Thanks for your contributions.

bobsummerwill commented 1 year ago

It is likely that ETC is now very ASIC-dominated and will become increasingly more so.

Those ASICs are the miners stake and commitment and they cannot be used for anything else (barring the tiny Ethash coins which cannot absorb any significant inflow).

I don't think there is a problem to be solved here.

ghost commented 1 year ago

GPU mining was a very necessary step in securing decentralised POW networks but evolution has led to increasing ASIC and FPGA participation, which are much more energy efficient. In bull markets we see that GPUs also become depleted at the expense of rendering farms and gamers, driving up the cost of their equipment. It will be great to see more manufacturers providing dedicated machines to ensure participation of less technical people securing the network. One day maybe a DIY kit to 3D print your own miner(s).

gitr0n1n commented 1 year ago

Some relevant ECIP-1000 copy:

"Additionally, many ideas have been brought forward for changing Ethereum Classic that have been rejected for various reasons."

"It also helps to make sure the idea is applicable to the entire community and not just the author. Just because an idea sounds good to the author does not mean it will work for most people in most areas where Ethereum Classic is used."

As discussed above, there are concerns this proposal would restrict access to participate in mining (pay to play with an arbitrary ETC value) which could have a negative effect on decentralization in the mining ecosystem via restricted participation. IMO, it's unlikely to get adoption from the greater mining community should such a change be proposed and a fork would implement.

"Vetting an idea publicly before going as far as writing a ECIP is meant to save both the potential author and the wider community time."

"Asking the Ethereum Classic community first if an idea is original helps prevent too much time being spent on something that is guaranteed to be rejected based on prior discussions (searching the internet does not always do the trick)."

"Once the champion has asked the Ethereum Classic community as to whether an idea has any chance of acceptance, a draft ECIP should be submitted to the ECIPs git repository as a pull request. This gives the author a chance to flesh out the draft ECIP to make it properly formatted, of high quality, and to address additional concerns about the proposal."

I think the collective feedback is that this proposal does not have a chance at acceptance in today's Ethereum Classic with its positioning as the largest PoW smart contract network in the whole blockchain space. This ECIP is likely wonderful for a network that is not as mature and secure as Ethereum Classic is today.

"An ECIP must meet certain minimum criteria. It must be a clear and complete description of the proposed enhancement. The enhancement must represent a net improvement."

As noted above, this enhancement appears to have negative externalities to its specific goal.

Motion to @qizhou (the proposal champion) & @ethereumclassic/ecip-editors (ECIP editors) to Close as not planned this discussion as the suggested draft proposal does not seem compatible with the Ethereum Classic network as the Apex network on Ethash. The ECIP has not been assigned a number yet, so it's unlikely there is a need to change the status to "withdraw" as it was never a formal ECIP, but rather in the ideation stage. Discussion generally noted the proposal did not seem compatible with the network's foundational principles of decentralization and censorship-resistance (open access) from the start of discussion 14 months ago. Additionally, 51% attack costs seem to not take into account MESS functionality.

Expense $/hour of attack vs revenue of attack $13.8k $/hour

I'll check back in 14 days to see if there is a need to leave this discussion open.

Side note: It should be noted that without MESS, the cost to attack is comparable to rewards. So an interesting fact for MESS deprecation discussions.

gitr0n1n commented 11 months ago

Closing due to the aforementioned comments above.