ChainLinkGod Podcast - Cryptoeconomic Security in the Chainlink Network with Crypto___Oracle

Primer: ChainLinkGod and Crypto Oracle discusses the cryptoeconomic security in the Chainlink Network from the perspectives of rewards and penalties. Node operators are rewarded for their honest service with a subsidy and service fees from users. In addition, explicit and implicit staking are used to deter malicious behaviour and serve as another layer of defence.

Background

  • In a previous podcast, ChainLinkGod and Crypto Oracle covered cryptoeconomic security for:

    • Bitcoin

    • Ethereum

  • This episode is a continuation of that episode

  • Focus of the current episode is on Chainlink cryptoeconomic security

Difference Between Chainlink And A Blockchain

  • A blockchain operates as a single unified network, providing the same standard service to everyone on that network

"You can think about it like each one of these Oracle networks is a standalone service for smart contracts. Whereas blockchain is kind of a one size fits all approach." - Crypto Oracle

  • Chainlink is a heterogeneous network. Millions of independent Oracle networks can run in parallel. Each of these networks have their own cryptoeconomic security customized to whatever those users of that network want

  • Chainlink provides consensus about the external state of the world, which is much more subjective and unpredictable

  • Chainlink Oracle networks are highly customizable:

    • Different data types

    • Some have a couple of sources vs others which have a lot of sources

    • Some may be paid APIs while others are publicly available

  • Makes financial sense for Chainlink nodes to specialize in a specific service instead of trying to do everything

  • As Chainlink scales, we are going to see plenty of different customized designs

Cryptoeconomic Security For Chainlink

  • Cryptoeconomic security could be approached from multiple angles

  • From the perspective of rewards

    • Subsidy

    • Service fees

  • From the perspective of penalties

    • Explicit Staking

    • Implicit Staking

Rewards: Subsidy

  • Nodes are incentivized to provide a service because they receive a subsidy

  • The subsidy is used to bootstrap Oracle networks into existence

  • Oracle networks will start to snowball until it becomes a self-sustainable network

  • The subsidy provides certainty to node operators with regards to future income. This is a form of cryptoeconomic security

  • If nodes misbehave, they will lose the subsidy and be cut off from the network

Governance Mechanism

  • Chainlink uses a multisig approach comprising a team, the nodes, and users. These stakeholders can sign the multisig to remove malicious nodes

  • The rationale for the multisig approach is to have some sort of administrator that coordinates the activity of adding/removing nodes and data sources

  • In the long-term, each Oracle network is going to have its own governance scheme that is driven entirely by its users. Users would pool their fees and collectively vote and determine how those fees are to be used (e.g. number of nodes, how much will each node be paid, etc.)

Economies Of Scale

  • Oracle networks are dynamic. If demand for a particular Oracle network falls, that particular network can be scaled down by having the multisig adjust the parameters

  • As the revenue stream grows larger and more users are onboarded, less subsidy is needed. This creates a path to self-sustainability

  • The subsidy going to node operators are denominated in LINK. As node operators are continuously staking, they will end up having greater amounts of LINK token to stake in the future (as opposed to tokens going directly to retail). Their long-term mindset strengthens the cryptoeconomic security of Chainlink

"One of the key points with this subsidy is like, it's providing like guaranteed income to these Oracle nodes where the transaction fees can be very unpredictable. But if a node operator knows they're going to continue earning revenue from this pseudo block reward subsidy, then they'll have a stronger incentive to continue providing their services because there's guaranteed income in the future." - ChainLinkGod

Dynamic Reward VS Standardized Reward

  • Blockchains provide service on a standardized timeframe (e.g. every 10 minutes for Bitcoin)

  • For Oracles, there are a lot of different services which are offered at different frequencies

  • Bringing data that no one needs is a waste of capital. Similarly, some data are only needed at certain frequencies

  • Chainlink is blockchain agnostic. How can block rewards be issued across multiple chains running at the same time?

  • For Chainlink, a dynamic block reward system is appropriate for them. It can respond to user demand, which can change a lot in Oracle networks. This maximizes the value of the network

  • Key point of this subsidy is that it ensures Chainlink nodes remain profitable when they deliver data on-chain, even during times of extreme blockchain network congestion. Most often, these subsidies are used during times of market volatility, when updates are the most important

Rewards: Service Fees

  • Every smart contract application that's using Chainlink has to pay LINK to access Oracle services

  • Health of Chainlink is key to the nodes' business model and the revenue they bring in

  • data.chain.link shows the different price feeds that Chainlink is providing as well as the different networks they are running on

  • There are different sponsors for each price feed. All users share the same Oracle feed and collectively fund it. Each new user that comes in lowers the cost for all existing users. What users get is the highest quality data for the lowest cost

  • Economies of scale are gained through this arrangement

  • By aggregating capital, this increases the security budget for each price feed

  • If multiple oracle projects are used, funding would be split across projects and networks, leading to the fractionalizing of security across these networks

  • Once these Oracle networks grow and service fees increase, this negate the need for subsidies for those networks. The subsidy capital can then be reallocated to go launch new Oracle networks

  • Cycle keeps continuing until the network has some capital that it provides a large amount of income for nodes and yet at a low price per user cost that, realistically, no other networks could compete with

  • Lots of abstraction layers: people can pay in whatever cryptocurrency they want, but node operators get paid in LINK tokens in the background

Why Can't I Pay The Oracles In Any Token?

  • Payment in LINK is what gives the subsidy value

  • Security of the network as a whole is going to depend on the value of that token

Penalties: Explicit Staking

  • In the Chainlink 2.0 whitepaper, it is stated that LINK tokens will be staked and locked up as collateral to provide insurance on Oracle services

  • This introduces skin in the game where LINK can be slashed for bad performance

A Two-Tier Oracle Network

  • The Chainlink 2.0 model is broken down into two-tier Oracle networks:

    • First tier: Network of independent Oracle nodes continuously generating oracle reports (e.g. ETH/USD price feed, weather in Argentina)

    • Second tier: A backstop tier which is only used for dispute resolution

  • Each node in the first tier locks up a specific amount of LINK tokens, which gives them the right to participate in the network/contribute their data

  • There is a possibility where the majority of Oracle nodes may collude and try to deliver manipulated data. To prevent this, any node in the first tier can act as a watchdog and raise an alert if they think the majority of the nodes are dishonest

  • When an Oracle network report is created, each node in the first tier gets a random priority number that determines the order the watchdog alerts are processed

  • Once an alert is raised, it goes to the second tier to be voted on

  • If the watchdog is correct and the second tier confirmed that the report was manipulated, then all the slashed stake from the malicious nodes would get concentrated to the highest priority watchdog

  • If the watchdog report is wrong, whoever that raised the false alert will get slashed

  • Every node is incentivized to raise an alert if the majority is malicious, even if they themselves are malicious, because they have an opportunity to potentially win this concentrated reward, even if they do not have the highest priority number

  • To corrupt the network, the attacker has to bribe each node by that concentrated reward amount, which increases quadratically. This is known as the super-linear staking impact

Super-linear staking impact: a mechanism where malicious actors are required to have a budget significantly larger than the combined deposits of all nodes within an Oracle Network, creating increasingly greater security guarantees for high-value smart contract applications in a cost-efficient manner.

Example

  • 100 Chainlink nodes, with each node staking $1 million

  • Total budget of that network: $100 million

  • Super-linear staking design: Each node needs to be bribed by the concentrated amount/half of the stake = each node needs to be bribed $50 million

  • Attacker needs a budget of $50 million x 100 = $5 billion

  • As the number of nodes increases, the cost of attack skyrockets

  • This model ensures a very hard security budget for a lot less stake. More capital efficient than other existing models

Enhancing Cryptoeconomic Security

  • This model only requires just a single node to be honest for the model to work. As more nodes are dishonest, the concentrated reward amount for raising an honest alert grows exponentially, incentivizing nodes to be honest

  • Other Oracle projects have a design where anybody can raise an alert. This has a tradeoff where people can spam disputes and make the system run slower

  • From a reputational perspective, nodes that correctly flag alerts will improve their reputation as they have shown that they will flag dishonest reports. Users would want such nodes in their Oracle network

  • Second tier would very rarely be called to perform arbitration as the threat of arbitration is strong enough to deter malicious nodes/malicious majority

  • The most reputable, the highest income-generating, and the most public Chainlink nodes will be in the second tier. If they falsely arbitrate a dispute, they can affect the value of the LINK token adversely

  • Another model proposed by Sergey at the CoinDesk 2021 Conference involves the second tier consisting of Chainlink users (e.g. Aave, Synthetix, dYdX) to arbitrate what the data point should be in the case of a dispute. This could be the dev team or the DAO, which has skin in the game

  • Unlikely for the users of those Oracle reports (e.g. Aave, Synthetix, dYdX, etc.) to collude and sabotage their own users because doing so would destroy the value of their own token

  • Votes are recorded publicly on the blockchain. At any point in time, protocol users can check whether the protocol voted against its users

"So effectively, the cryptoeconomic security of these networks with the users as the second tier would be the aggregate market cap of both the Chainlink token and all of the governance tokens, all these users in the second tier. So that effectively allows the Chainlink network to scale its cryptoeconomic security beyond its market cap." - ChainLinkGod

  • Growth in the Chainlink market cap improves the cryptoeconomic security of the first tier. For the second tier, it piggybacks off the cryptoeconomic security of the market cap value of these user tokens. Hence, increasing the cost of attack for attackers

  • Users have the freedom to design their second tier

Penalties: Implicit Staking

  • Chainlink nodes get paid in LINK tokens whose value is derived from the health of the network

  • If the network gets corrupted and people lose faith in it, the market valuation of the token would collapse

  • This provides a strong incentive for Chainlink nodes to provide honest services because they do not want to devalue the token that they are financially exposed to

  • Chainlink node operators can also lock their LINK into a timelock contract to prove their exposure to LINK. This shows users that if anything happens to the Chainlink network, they will be financially harmed

  • Some Chainlink community members are running nodes not because of the financial rewards, but to help the network grow

  • LINK can be staked in the future. In valuing LINK, one has to take into account the opportunity cost of not only the current value of the LINK token itself, but also the future revenue that LINK is able to generate for you

  • Chainlink nodes are reviewed and are known entities. There will be both legal and social ramifications if they are malicious

"They [Chainlink node operators] are known entities, you can go figure out who these people are fairly easily. And there's legal ramifications, not to mention social ramifications from people screwed over from all that money. It's not like a DeFi hack where you just disappear into the ether and no one knows who you are." - Crypto Oracle

Answering Criticisms Of Chainlink

What If You Short LINK To Attack The Network?

  • Number of stopping points that prevent such an attack

  • Attackers need liquidity on a non-KYC exchange and a non-Chainlinked application, which is very rare/doesn't exist

  • It is also not capital efficient and requires an extreme amount of social coordination to short LINK

  • Attacker needs to overcome both the explicit and implicit incentives of Chainlink

  • Attacker will lose all future upside of the LINK token. Realistically, the value of the token can drop 100%, but has a theoretical upside of infinity

  • It's more profitable to be honest and continue serving the network

Cost Of Being An Oracle Node

  • Need to have API subscriptions to high quality data sources

  • Need to run full nodes or have a connection to a full node

  • Need to run multiple full nodes if you are running on multiple blockchains

  • Need to have some sort of infrastructure (e.g. bare metal server or in the cloud)

  • Depending on the service agreement, there could even be specialized infrastructure

  • The Chainlink economy is a free market economy. Node operators need to market themselves and have some business development operations to convince users to include their node into the network

Reputation

  • Users select the nodes that they want in their Oracle network

  • Users would want nodes with a high reputation

  • In Chainlink, historical performance of each node is tracked on-chain

  • Many facets of reputation (e.g. uptime, how much LINK is at stake, how long they have been running, the actual entity, etc). Depending on what users want out from an Oracle Network, some facet of reputation will be prioritized over others

  • Nodes are financially incentivized to build their reputation as that will allow them to continue earning revenue and be eligible to earn from future jobs

  • Trying to bootstrap a new reputation is difficult. Have to start from zero

  • Cryptoeconomic incentives to build reputation can have cross-network effects (e.g. poor performance on Chainlink can harm your reputation and future revenue on other networks that you operate on)

  • The effects of reputation can be felt within Chainlink network itself. If someone is malicious in one specific Chainlink network for one type of data, users may not trust that node operator for the other different networks they are in

  • Deutsche Telekom's subsidiary T-Systems is running a Chainlink node. Large enterprises that run Chainlink nodes are leveraging their existing reputation to bootstrap their nodes because they are already a trusted entity

Conclusion

  • Cryptoeconomic security of the Chainlink is dynamic

  • There will be new data sources, security models, and trusted hardware cryptography

  • Chainlink is not a blockchain. Each Oracle network can be deployed and used in parallel, enabling horizontal scalability

"It's [Chainlink] not like a chain, but it's more like an onion, where each layer is like another layer of security on top. So realistically, you just need one form of security to work properly, for the value of the data to be secure. But because you're layering on redundant security, effectively, you have this defense in-depth where you're protected against multiple different types of attack vectors." - ChainLinkGod

  • Chainlink provides this in-depth defense approach. You can layer on multiple forms of cryptoeconomic security to get a total amount of cryptoeconomic security (e.g. adding more stake, adding nodes with a certain reputation, etc.)

  • In the future, most of our applications and agreements will be executed on these cryptoeconomically secured decentralized networks and Chainlink is going to play a significant role as the data layer, privacy layer, and everything that blockchains don't do

All information presented above is for educational purposes only and should not be taken as investment advice. Summaries are prepared by The Reading Ape. While reasonable efforts are made to provide accurate content, any errors in interpreting and summarizing the source material are ours alone. We disclaim any liability associated with the use of our content.