threefoldtecharchive / threefold_hub


How to ensure the gravity bridge integrity? #64

Open OmarElawady opened 2 years ago

OmarElawady commented 2 years ago

PoS networks such as the ones based on Cosmos have the well-known threat of takeovers if someone with enough money manages to stake 2/3 of the overall staked tokens. That's why the network users are incentivized to stake until a certain percentage (staked/overall) is reached. The way this is done in Cosmos Hub is increasing the rewards for the validators to make the staked/overall percentage 2/3. This ensures enough liquidity so that the network is being used for something useful, while at the same time ensuring that it's relatively hard for someone to take over the network if he has enough money.

Our network is different in that the money it has is originating from Binance, so the 2/3 money proportion used in cosmos hub network is not practically usable here(?) because the money exists on multiple chains.

In normal networks, when it's breached by a malicious party, a hard fork can be created before the malicious action is taken and the validators can start working against the forked chain ~after social consensus. This can't be done here as we are attached to Binance. If the malicious action taken is to fake a transfer from the bridge to move all the money to some account, the action is automatically performed, and it can't be reverted (from cosmos side only).

Some thoughts about how this can be addressed:

xmonader commented 2 years ago

cc @robvanmieghem

robvanmieghem commented 2 years ago

Before we get into solutions, let's first write down the consequences of a "takeover". You cannot simply accept a false transaction, since that would fork the honest validators, leaving the attacker in its own fork. Force validators into new rules by using the government modules? Maybe, but it does not matter because the effect would be the same as the easiest attack, being the following: rewrite history and double spend, or simply sign a transaction on BSC to send the vaulted TF's somewhere. This effectively sends all the TFT's present on TF hub to someone's BSC address. A side effect is that TFT's value would be killed.

In order to do so, one would require > 2/3 of all TFT staked, and in this process destroys the value of the TFT's that one had before the attack. An attacker is as such not able to gain any value by attacking the network. As long as the value of staked TFT is high enough, someone having a lot of TFT has too much at stake to think about attacking the network.

robvanmieghem commented 2 years ago

But you are right, an incentive to stake TFT's is currently not built-in. The incentive is a 5% interest for staked tokens that will be awarded after 1 year.

robvanmieghem commented 2 years ago

I'm going to add this to the docs
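
The opening comment's point about Cosmos Hub raising validator rewards to pull the staked/overall ratio toward 2/3, as an added example (not code from this thread or from threefold_hub): a float-based sketch of the Cosmos SDK `x/mint` inflation rule. The type and function names are hypothetical, the parameter values are assumed to be the SDK defaults, and the bonded ratios and starting inflation are constructed.

```go
package main

import "fmt"

// Params mirrors the Cosmos SDK x/mint parameters. The values below are assumed
// to be the SDK defaults; they are not ThreeFold Hub settings.
type Params struct {
	RateChange, Max, Min, GoalBonded float64
	BlocksPerYear                    float64
}

var DefaultParams = Params{RateChange: 0.13, Max: 0.20, Min: 0.07, GoalBonded: 0.67, BlocksPerYear: 6311520}

// NextInflation applies one block of the rule: inflation drifts up while the
// bonded ratio is below the goal and down while above it, clamped to [Min, Max].
func NextInflation(p Params, inflation, bondedRatio float64) float64 {
	perYear := (1 - bondedRatio/p.GoalBonded) * p.RateChange
	inflation += perYear / p.BlocksPerYear
	if inflation > p.Max {
		return p.Max
	}
	if inflation < p.Min {
		return p.Min
	}
	return inflation
}

// StakerYield approximates the annual return on bonded tokens: minted tokens go
// to stakers only, so yield = inflation / bondedRatio (community tax and
// validator commission are ignored).
func StakerYield(inflation, bondedRatio float64) float64 {
	return inflation / bondedRatio
}

// Simulate holds the bonded ratio fixed for n blocks and returns the final inflation.
func Simulate(p Params, inflation, bondedRatio float64, blocks int) float64 {
	for i := 0; i < blocks; i++ {
		inflation = NextInflation(p, inflation, bondedRatio)
	}
	return inflation
}

func main() {
	p := DefaultParams
	for _, ratio := range []float64{0.30, 0.67, 0.90} { // constructed bonded ratios
		infl := Simulate(p, 0.10, ratio, int(p.BlocksPerYear))
		fmt.Printf("bonded=%.2f inflation after 1y=%.4f staker yield=%.4f\n", ratio, infl, StakerYield(infl, ratio))
	}
}
```

The lower the bonded ratio, the higher the yield paid to those who do stake, which is the incentive the thread notes is missing from a fixed-interest scheme.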