- This research discussed the vulnerability of Schelling game security models in Chainlink systems.
- Chainlink provides DeFi protocol with off-chain data on price feeds and incentivizes participants through a coordination game. However, it has been discovered that the coordination game can be misaligned when the expected profit of dishonest behavior outweighs the expected profit of honest behavior which is usually induced by an external adversary.
- The research proposed two models to mitigate this occurrence. The first is to decrease the expected profits of dishonest behavior. The second is to make incentives transparent by allowing the majority of the LINK token holders to fork the network and burn the token in possession of dishonest behavior. This research is important because Chainlink is probably the most used decentralized oracle solution in DeFi protocols for pricing feeds.
Core Research Question
How can game-theoretic security vulnerabilities in Chainlink be mitigated?
Dekker, H., Ersoy, O., and Erkin, Z. (2021). Mitigating game theoretic vulnerabilities in Chainlink. Retrieved from Mitigating game theoretic vulnerabilities in Chainlink | TU Delft Repositories
- Oracles: These are mechanisms that provide blockchain networks with data that only exists outside of the networks, such as asset prices.
- Chainlink: A decentralized oracle network that provides real-world data to smart contracts on the blockchain.
- DeFi: Financial services that operate on distributed networks with no central intermediaries.
- DeFi oracles: Third-party service enabling blockchain smart contracts to access external, real-world data.
- Hard fork: A radical change to a network’s protocol that makes previously invalid blocks and transactions valid, or vice-versa.
- Schelling point: This is a coordination game where people respond based on what they think the other person’s response will be.
- Short selling: A trading strategy that speculates on the decline in a security’s price.
- LINK tokens: This is an ERC677 token that inherits functionality from the ERC20 token standard and allows token transfers to contain a data payload.
- Misaligned incentives: In this paper is when the expected profit of dishonest behavior outweighs the expected profit of honest behavior, which can happen through manipulation of the incentives by an external adversary.
- p+ε attack: This is a collusion strategy in a schelling game where an attacker essentially bribes voters with more payoff to choose a specific option.
- Strictly dominant Strategy: A strategy is strictly dominant if that strategy always yields a player the largest expected profit compared to other strategies, regardless of the strategy chosen by the other players.
- DeFi protocols often require off-chain data to compute and determine pricing feeds and thus rely on oracles to supply them with this off-chain information. DeFi protocols usually rely on centralized oracles which may be unreliable since there is a possibility of the operators of the Oracle gaining more from dishonest behavior.
- Chainlink was established to offer decentralized oracle infrastructure and thus mitigate the security risk created by centralized oracle. In the chainlink protocol, nodes are induced to provide correct answers by using a scheming game-based system.
- The Chainlink protocol rewards nodes for providing honest answers and punishes dishonest nodes. In addition to these security measures, the Chainlink whitepaper proposed a super-linear staking mechanism that divided the protocol into Tier 1 and Tier 2. Tier 1 stakes a security deposit to vote honestly and which will be lost if Tier 2 is alerted of a manipulation of Tier 1 outcome. If Tier 2 majority nodes decide that the majority votes of Tier 1 are manipulated, the aggregated security deposits will be rewarded to the single node that alerted Tier 2.
- However, where Tier 2 is completely dishonest itself, dishonest behavior will dominate the strategy of Tier 1 and thus produce dishonest results. In the Chainlink Schelling game, the Tier 2 nodes are incentivized by future revenue which makes it difficult for users to verify whether Tier 1 has been incentivized to produce honest behavior. This situation as agreed by the researchers presents a security vulnerability that can be manipulated in favor of dishonest voters.
- To mitigate this lack of transparency and allow users to verify whether honest behavior is a strictly dominant strategy for Tier 1 nodes, the researchers proposed two models that can mitigate these vulnerabilities and introduce transparency in Chainlink.
- The first is a proposal requiring chainlink Tier 2 nodes to hold LINK tokens on the assumption that the market value of the LINK tokens will substantially decrease when it is found out that the system has been compromised. However, a dishonest majority may bypass this mitigation by short selling through a protocol for loanable Funds or DeFi derivative markets.
- The second mitigation proposed builds on the first mitigation by enabling a majority of LINK token holders to fork the network and burn the tokens held by malicious Tier 2 nodes.
- The researchers deployed mathematical and logical proof to explain how the model proposed can mitigate the game theoretic vulnerabilities in Chainlink.
- To show the security vulnerability of chainlink, the researchers used a hypothesis to show that where Tier 2 node is completely reliable, providing correct data will strictly dominate providing incorrect in Tier 1 node, unless the profit by corruption exceeds a certain lower bound. However, where Tier 2 is dishonest completely, dishonest behavior becomes the dominant strategy for Tier 1.
- To improve Tier 2 incentives, the researchers proposed a mechanism that requires Tier 2 nodes to lock certain LINK tokens in a smart contract for a certain amount of time under the assumption that the market value of LINK tokens will substantially decrease when the market finds out the system has not functioned correctly.
The researchers discovered that while some game theoretic analyses of blockchain-based systems exist, no formal study has been done on the incentives securing the Chainlink system.
The research discovered that Tier 2 node incentives in Chainlink lack transparency which creates game-theoretic vulnerability.
Current Tier 2 Incentives
As we have shown, what strategy is strictly dominant for Tier 1 nodes depends on an honest Tier 2. In Table 4 we show the incentives of Tier 2 node N2 as proposed, while the variables are defined in Table 3.
Since the value of 𝐹 is not known by users, and depends on multiple ambiguous factors such as the desire of nodes to keep participating in the Chainlink system in the future, users can not verify whether or not 𝐹 + Δ𝐹 > 𝑀 + 𝐵 + 𝑆 and thus whether Tier 2 (and consequently Tier 1) is well incentivized to act honestly. It is not clear either how to estimate the value of Δ𝐹. This value may be positive on grounds of a share of future Chainlink data requests going from dishonest to honest nodes, but the value may also be negative if this dishonest consensus of Tier 2 would lead to a decrease in future Chainlink usage.
The study proposes mitigation which enables users to assess the agent incentives of Chainlink nodes such that they can verify whether honest behavior is a strictly dominant strategy for all participants.
Discussion and Key Takeaways
- Schelling game vulnerability: The researchers explained that lack of transparency in Tier 2 nodes in schelling game orchestrates game theoretic vulnerability in chainlink because users will not be able to determine whether Tier 1 nodes have been incentivized to produce honest votes.
- Chainlink security model: They discovered that the current security model in the Chainlink whitepaper lacks transparency making it vulnerable to malicious Tier 2 nodes
Mitigations: The researchers proposed two mitigation models for this vulnerability.
- The first mitigation is to lock up a certain amount of LINK tokens in a smart contract for a certain period on the assumption that the market value of the token will be decreased when the market finds out that the system was dishonest.
- The second mitigation builds on the first mitigation by allowing the majority of LINK token holders to fork the network and burn the token held by malicious Tier 2 nodes to make Tier 2 nodes transparent because users can verify whether or not Tier 1 has been incentivized by Tier 2 nodes to produce honest votes.
Implications and Follow-ups
- This paper sets the tone for discussion on the vulnerability of incentive mechanisms of Chainlink and schelling game theory.
- The research will be useful to Decentralized Oracle Network (DON) developers in crafting new DON.
- The research will help protocols like DeFi that use Chainlink for off-chain data to understand the network’s flaws and how to work around them.
- The research explains the risk vulnerability of schelling game used in Chainlink and how it can be resolved, therefore, it promotes a better understanding of web3 generally.