ChainLinkGod Podcast - Cryptoeconomic Security in the Chainlink Network with Crypto___Oracle
Primer: ChainLinkGod and Crypto Oracle discusses the cryptoeconomic security in the Chainlink Network from the perspectives of rewards and penalties. Node operators are rewarded for their honest service with a subsidy and service fees from users. In addition, explicit and implicit staking are used to deter malicious behaviour and serve as another layer of defence.
Background
In a previous podcast, ChainLinkGod and Crypto Oracle covered cryptoeconomic security for:
Bitcoin
Ethereum
This episode is a continuation of that episode
Focus of the current episode is on Chainlink cryptoeconomic security
Difference Between Chainlink And A Blockchain
A blockchain operates as a single unified network, providing the same standard service to everyone on that network
"You can think about it like each one of these Oracle networks is a standalone service for smart contracts. Whereas blockchain is kind of a one size fits all approach." - Crypto Oracle
Chainlink is a heterogeneous network. Millions of independent Oracle networks can run in parallel. Each of these networks have their own cryptoeconomic security customized to whatever those users of that network want
Chainlink provides consensus about the external state of the world, which is much more subjective and unpredictable
Chainlink Oracle networks are highly customizable:
Different data types
Some have a couple of sources vs others which have a lot of sources
Some may be paid APIs while others are publicly available
Makes financial sense for Chainlink nodes to specialize in a specific service instead of trying to do everything
As Chainlink scales, we are going to see plenty of different customized designs
Cryptoeconomic Security For Chainlink
Cryptoeconomic security could be approached from multiple angles
From the perspective of rewards
Subsidy
Service fees
From the perspective of penalties
Explicit Staking
Implicit Staking
Rewards: Subsidy
Nodes are incentivized to provide a service because they receive a subsidy
The subsidy is used to bootstrap Oracle networks into existence
Oracle networks will start to snowball until it becomes a self-sustainable network
The subsidy provides certainty to node operators with regards to future income. This is a form of cryptoeconomic security
If nodes misbehave, they will lose the subsidy and be cut off from the network
Governance Mechanism
Chainlink uses a multisig approach comprising a team, the nodes, and users. These stakeholders can sign the multisig to remove malicious nodes
The rationale for the multisig approach is to have some sort of administrator that coordinates the activity of adding/removing nodes and data sources
In the long-term, each Oracle network is going to have its own governance scheme that is driven entirely by its users. Users would pool their fees and collectively vote and determine how those fees are to be used (e.g. number of nodes, how much will each node be paid, etc.)
Economies Of Scale
Oracle networks are dynamic. If demand for a particular Oracle network falls, that particular network can be scaled down by having the multisig adjust the parameters
As the revenue stream grows larger and more users are onboarded, less subsidy is needed. This creates a path to self-sustainability
The subsidy going to node operators are denominated in LINK. As node operators are continuously staking, they will end up having greater amounts of LINK token to stake in the future (as opposed to tokens going directly to retail). Their long-term mindset strengthens the cryptoeconomic security of Chainlink
"One of the key points with this subsidy is like, it's providing like guaranteed income to these Oracle nodes where the transaction fees can be very unpredictable. But if a node operator knows they're going to continue earning revenue from this pseudo block reward subsidy, then they'll have a stronger incentive to continue providing their services because there's guaranteed income in the future." - ChainLinkGod
Dynamic Reward VS Standardized Reward
Blockchains provide service on a standardized timeframe (e.g. every 10 minutes for Bitcoin)
For Oracles, there are a lot of different services which are offered at different frequencies
Bringing data that no one needs is a waste of capital. Similarly, some data are only needed at certain frequencies
Chainlink is blockchain agnostic. How can block rewards be issued across multiple chains running at the same time?
For Chainlink, a dynamic block reward system is appropriate for them. It can respond to user demand, which can change a lot in Oracle networks. This maximizes the value of the network
Key point of this subsidy is that it ensures Chainlink nodes remain profitable when they deliver data on-chain, even during times of extreme blockchain network congestion. Most often, these subsidies are used during times of market volatility, when updates are the most important
Rewards: Service Fees
Every smart contract application that's using Chainlink has to pay LINK to access Oracle services
Health of Chainlink is key to the nodes' business model and the revenue they bring in
data.chain.link shows the different price feeds that Chainlink is providing as well as the different networks they are running on
There are different sponsors for each price feed. All users share the same Oracle feed and collectively fund it. Each new user that comes in lowers the cost for all existing users. What users get is the highest quality data for the lowest cost
Economies of scale are gained through this arrangement
By aggregating capital, this increases the security budget for each price feed
If multiple oracle projects are used, funding would be split across projects and networks, leading to the fractionalizing of security across these networks
Once these Oracle networks grow and service fees increase, this negate the need for subsidies for those networks. The subsidy capital can then be reallocated to go launch new Oracle networks
Cycle keeps continuing until the network has some capital that it provides a large amount of income for nodes and yet at a low price per user cost that, realistically, no other networks could compete with
Lots of abstraction layers: people can pay in whatever cryptocurrency they want, but node operators get paid in LINK tokens in the background
Why Can't I Pay The Oracles In Any Token?
Payment in LINK is what gives the subsidy value
Security of the network as a whole is going to depend on the value of that token
Penalties: Explicit Staking
In the Chainlink 2.0 whitepaper, it is stated that LINK tokens will be staked and locked up as collateral to provide insurance on Oracle services
This introduces skin in the game where LINK can be slashed for bad performance
A Two-Tier Oracle Network
The Chainlink 2.0 model is broken down into two-tier Oracle networks:
First tier: Network of independent Oracle nodes continuously generating oracle reports (e.g. ETH/USD price feed, weather in Argentina)
Second tier: A backstop tier which is only used for dispute resolution
Each node in the first tier locks up a specific amount of LINK tokens, which gives them the right to participate in the network/contribute their data
There is a possibility where the majority of Oracle nodes may collude and try to deliver manipulated data. To prevent this, any node in the first tier can act as a watchdog and raise an alert if they think the majority of the nodes are dishonest
When an Oracle network report is created, each node in the first tier gets a random priority number that determines the order the watchdog alerts are processed
Once an alert is raised, it goes to the second tier to be voted on
If the watchdog is correct and the second tier confirmed that the report was manipulated, then all the slashed stake from the malicious nodes would get concentrated to the highest priority watchdog
If the watchdog report is wrong, whoever that raised the false alert will get slashed
Every node is incentivized to raise an alert if the majority is malicious, even if they themselves are malicious, because they have an opportunity to potentially win this concentrated reward, even if they do not have the highest priority number
To corrupt the network, the attacker has to bribe each node by that concentrated reward amount, which increases quadratically. This is known as the super-linear staking impact
Super-linear staking impact: a mechanism where malicious actors are required to have a budget significantly larger than the combined deposits of all nodes within an Oracle Network, creating increasingly greater security guarantees for high-value smart contract applications in a cost-efficient manner.
Example
100 Chainlink nodes, with each node staking $1 million
Total budget of that network: $100 million
Super-linear staking design: Each node needs to be bribed by the concentrated amount/half of the stake = each node needs to be bribed $50 million
Attacker needs a budget of $50 million x 100 = $5 billion
As the number of nodes increases, the cost of attack skyrockets
This model ensures a very hard security budget for a lot less stake. More capital efficient than other existing models
Enhancing Cryptoeconomic Security
This model only requires just a single node to be honest for the model to work. As more nodes are dishonest, the concentrated reward amount for raising an honest alert grows exponentially, incentivizing nodes to be honest
Other Oracle projects have a design where anybody can raise an alert. This has a tradeoff where people can spam disputes and make the system run slower
From a reputational perspective, nodes that correctly flag alerts will improve their reputation as they have shown that they will flag dishonest reports. Users would want such nodes in their Oracle network
Second tier would very rarely be called to perform arbitration as the threat of arbitration is strong enough to deter malicious nodes/malicious majority
The most reputable, the highest income-generating, and the most public Chainlink nodes will be in the second tier. If they falsely arbitrate a dispute, they can affect the value of the LINK token adversely
Another model proposed by Sergey at the CoinDesk 2021 Conference involves the second tier consisting of Chainlink users (e.g. Aave, Synthetix, dYdX) to arbitrate what the data point should be in the case of a dispute. This could be the dev team or the DAO, which has skin in the game
Unlikely for the users of those Oracle reports (e.g. Aave, Synthetix, dYdX, etc.) to collude and sabotage their own users because doing so would destroy the value of their own token
Votes are recorded publicly on the blockchain. At any point in time, protocol users can check whether the protocol voted against its users
"So effectively, the cryptoeconomic security of these networks with the users as the second tier would be the aggregate market cap of both the Chainlink token and all of the governance tokens, all these users in the second tier. So that effectively allows the Chainlink network to scale its cryptoeconomic security beyond its market cap." - ChainLinkGod
Growth in the Chainlink market cap improves the cryptoeconomic security of the first tier. For the second tier, it piggybacks off the cryptoeconomic security of the market cap value of these user tokens. Hence, increasing the cost of attack for attackers
Users have the freedom to design their second tier
Penalties: Implicit Staking
Chainlink nodes get paid in LINK tokens whose value is derived from the health of the network
If the network gets corrupted and people lose faith in it, the market valuation of the token would collapse
This provides a strong incentive for Chainlink nodes to provide honest services because they do not want to devalue the token that they are financially exposed to
Chainlink node operators can also lock their LINK into a timelock contract to prove their exposure to LINK. This shows users that if anything happens to the Chainlink network, they will be financially harmed
Some Chainlink community members are running nodes not because of the financial rewards, but to help the network grow
LINK can be staked in the future. In valuing LINK, one has to take into account the opportunity cost of not only the current value of the LINK token itself, but also the future revenue that LINK is able to generate for you
Chainlink nodes are reviewed and are known entities. There will be both legal and social ramifications if they are malicious
"They [Chainlink node operators] are known entities, you can go figure out who these people are fairly easily. And there's legal ramifications, not to mention social ramifications from people screwed over from all that money. It's not like a DeFi hack where you just disappear into the ether and no one knows who you are." - Crypto Oracle
Answering Criticisms Of Chainlink
What If You Short LINK To Attack The Network?
Number of stopping points that prevent such an attack
Attackers need liquidity on a non-KYC exchange and a non-Chainlinked application, which is very rare/doesn't exist
It is also not capital efficient and requires an extreme amount of social coordination to short LINK
Attacker needs to overcome both the explicit and implicit incentives of Chainlink
Attacker will lose all future upside of the LINK token. Realistically, the value of the token can drop 100%, but has a theoretical upside of infinity
It's more profitable to be honest and continue serving the network
Cost Of Being An Oracle Node
Need to have API subscriptions to high quality data sources
Need to run full nodes or have a connection to a full node
Need to run multiple full nodes if you are running on multiple blockchains
Need to have some sort of infrastructure (e.g. bare metal server or in the cloud)
Depending on the service agreement, there could even be specialized infrastructure
The Chainlink economy is a free market economy. Node operators need to market themselves and have some business development operations to convince users to include their node into the network
Reputation
Users select the nodes that they want in their Oracle network
Users would want nodes with a high reputation
In Chainlink, historical performance of each node is tracked on-chain
Many facets of reputation (e.g. uptime, how much LINK is at stake, how long they have been running, the actual entity, etc). Depending on what users want out from an Oracle Network, some facet of reputation will be prioritized over others
Nodes are financially incentivized to build their reputation as that will allow them to continue earning revenue and be eligible to earn from future jobs
Trying to bootstrap a new reputation is difficult. Have to start from zero
Cryptoeconomic incentives to build reputation can have cross-network effects (e.g. poor performance on Chainlink can harm your reputation and future revenue on other networks that you operate on)
The effects of reputation can be felt within Chainlink network itself. If someone is malicious in one specific Chainlink network for one type of data, users may not trust that node operator for the other different networks they are in
Deutsche Telekom's subsidiary T-Systems is running a Chainlink node. Large enterprises that run Chainlink nodes are leveraging their existing reputation to bootstrap their nodes because they are already a trusted entity
Conclusion
Cryptoeconomic security of the Chainlink is dynamic
There will be new data sources, security models, and trusted hardware cryptography
Chainlink is not a blockchain. Each Oracle network can be deployed and used in parallel, enabling horizontal scalability
"It's [Chainlink] not like a chain, but it's more like an onion, where each layer is like another layer of security on top. So realistically, you just need one form of security to work properly, for the value of the data to be secure. But because you're layering on redundant security, effectively, you have this defense in-depth where you're protected against multiple different types of attack vectors." - ChainLinkGod
Chainlink provides this in-depth defense approach. You can layer on multiple forms of cryptoeconomic security to get a total amount of cryptoeconomic security (e.g. adding more stake, adding nodes with a certain reputation, etc.)
In the future, most of our applications and agreements will be executed on these cryptoeconomically secured decentralized networks and Chainlink is going to play a significant role as the data layer, privacy layer, and everything that blockchains don't do
All information presented above is for educational purposes only and should not be taken as investment advice. Summaries are prepared by The Reading Ape. While reasonable efforts are made to provide accurate content, any errors in interpreting and summarizing the source material are ours alone. We disclaim any liability associated with the use of our content.