Closed sherlock-admin3 closed 1 week ago
I don't think this is introduced or escalated by ARC-41. The real problem is that there is no slashing nor rewards scaling. The game of theory should could result in some validators going offline to save money while collecting rewards but enough validators have to be online or else no one earns any rewards (and presumably, the token price falls).
The key difference between before & after for ARC-41 is that if enough validators were offline as to halt the chain for long enough, before the honest validators work fork the balance of the lazy validator to 0. Now, the honest validators have to fork the balance of the lazy validator and their delegators to 0. Similarly, a delegator won't delegate to a lazy validator if it increases the risk of the chain going down significantly.
Long story short, this is an existing issue with the BFT and I don't think the economics have changed with ARC-41. The introduction of commission was already planned by ARC-38 which most validators would deploy (delegation pool with commission program) and then not accept native delegation by closing off to delegators.
ghostant-1017
High
The introduction of ARC-41 in the current implementation of AleoBFT will make the network less secure compared to before.
Summary
I believe that the introduction of ARC-41 in the current implementation of AleoBFT will make the network less secure compared to before.
Vulnerability Detail
I base my analysis on the following three facts:
In the current implementation of AleoBFT, the profit obtained by a Validator node not participating in consensus is exactly the same as that of a Validator node participating in consensus (only proportional to the amount staked).
The introduction of ARC41 allows anyone who raises 10 million Aleo Credits to become a member of the consensus Committee and join the consensus network.
Funds staked by users to any Validator node are secure, and the only factor affecting earnings is the validator's commission rate.
Hazards brought by ARC41:
Impact
As above describes
Code Snippet
No
Tool used
Manual Review
Recommendation
Before this ARC can be introduced, slashing for malicious behavior needs to be implemented