Stake-To-Farm (STF) protecting the network

Reaching consensus on SAFE is now solved with PARSEC. The problem of course is… How do you prevent some attacker from launching thousands of nodes to take over groups?

Problem:

  • Think of a starting SAFE Network with 100.000 Vaults up and running a week after launch.
  • Groups will have several Elders reaching consensus on everything from splits and merges to allowing new nodes to be elders as well.
  • An attacker (say some corrupt government) could attack this network by launching 50.000 nodes and hope that the growth of the network isn’t so fast that their attack will fail. They could even join with a lot of nodes from the start.
  • If the attacker owns 31% of some group it can cause great harm to the network.

Solution:

  • Request Recourse Proof (currently implemented) where nodes need to do a bunch of calculations making it harder to just start random Vaults and become an elder.
  • Use Nodeage… (currently implemented/planned) where Vaults are “hopped” randomly from one group to the other to grow in age and only (after reaching a certain age) become Elder.

Although these will probably work (and can be made more tough if needed) they might still not protect the network during a start-up.

Stake-To-Farm (STF)
This idea is actually quite simple… Next to the protection above the network could ask any new Vault to stake some Safecoin on the network. Let’s sat it costs 0.44 Safecoin at a certain time to create a SAFE account. Groups could ask any new Vault to stake 10X that amount of Safecoin if they want to become an Elder. And only when they reach the level of Elder they get it back.

Now back to the 100.000 Vaults network. Imagine you want to start 50.000 Vaults to attack the network. That would cost you 220.000 USD in stake just to try attacking the network. Next to the costs you already have hiring nodes in a datacenter somewhere.

Attacking a bigger network (say 1 million Vaults) would cost even way more than that.

Pros:

  • The network becomes more secure

Cons:

  • It cost any new Vault some Safecoin to use for stake.

Just an idea, let me know what you think.

15 Likes

At first glance this sounds like a reasonable proposal, and the potential to attack the network via these vectors is worrying until it is a truly global one. Imagine the NSA, google or other similar actor capable of writing malignant node code, and with certainly enough spare capacity to launch many vaults…

I imagine that this proposal would have some side effects that might take time to think through. Off the top of my head, it will deter the initial growth phase… going from 0 barrier to join to some barrier is significant. It also would make it so that the cost to join will increase as the network requires more resources…

Otherwise, great idea! Interested also to hear what others think.

6 Likes

This idea would prevent honest farmers from entering the network, since they would not possess the necessary safecoin to enter, and, in the end, it could help the attacker.

In my opinion, it is necessary that, in the first months, there are reference farmers that control a significant percentage of Vaults and that serve to prevent a possible attack. (It would also help the network grow in an orderly manner and generate the necessary publicity).

For months, I’m thinking that, when the release date approaches, we should consider the creation of a support club that invests a considerable amount to control, for enough time, a significant percentage of the network.
I know that this idea goes against the spirit of the network but it would be temporary. In a way it would be like babysitting when the network is a baby.
By the way, this investment could give more than remarkable returns.

12 Likes

When the network is large and have a billion vaults, you simply cannot hope to do this. There might only be 2 billion coins total and many people will only be able to get their first coin through farming.

So this now makes farming an elitist role and the peoples of the world can no long be part of the dream that is the original SAFE.

And this is before you get into all the issues with POS

It is simple to solve this, AGEING. Ageing has the purpose to make NODES prove themselves WITHOUT staking coins that they potentially cannot get. So why have this extra process. Its unnecessary and while seemingly a good idea is going to have its own issues.

  • How does this help the billion people in poor countries who want to run a farm on their mobile equipment and do not have access to even buy a coin. Cannot be lending coin to this number.
  • It is going to be a long time before there is even 1 billion coins out there and at this time 450 million are owned by a relatively few people
  • Many of the current owners of MAID would love to prove they can take over sections to steal more coins and POS makes it easier because they will be trusted quicker. And yes at least one person had 30 million coins and probably has not sold all of them. Many have millions (a number of vaults have a million or more coins in them.

We need a method that does not make the wealthy favoured above the poorer. And this method does this

Get the idea I think this is really a bad idea :wink:

I think you think it will be relatively easy to take over sections and bypass the protections that resist this. Like node Ageing and limiting new nodes to one or 2 nodes at a time. The attacker has to take a long time attacking and this will cost a lot. If using cloud then the cost of servers for weeks and if botnet then that will be very costly. Even a 48 hour attack botnets cost a lot. And this is the reason DDOS usually lasts for less than 24-48 hours and rarely continuously for much longer.

15 Likes

I like the thinking…

Clearly the start up phase has specific risks which decrease over time and with scale.

I worry about the cost aspect though.

Costs are not an issue to a determined adversary. Yet would be to genuine people.

To spread we need as few barriers as possible.

So I wonder…could the system build a trap that decreases over time?

Maybe for example a high percentage of nodes at the start are ‘placebo’ nodes.

They think they are doing something and are rewarded but in reality they are not. But they don’t know this.

The trap would work like this…

If they could be set up in such a way to purely gauge if they were being honest or not, and you could in turn link them to other ‘live’ nodes that also try to be dishonest at the same time, then you’d have an inbuilt way of identifying future attackers.

The mere presence of a trap might deter them in the first place?

I could be talking shite here. I don’t know if that even makes sense (though in my head it does). But the under the radar advantage bitcoin had to scale is clearly not going to apply to a working SAFE network so crucial to think about…

And I’m sure the developers have a far better a solution up there sleeves :relaxed:

3 Likes

Agreed and I know Maidsafe will be providing a lot of vaults during this phase and I’ve suggested that this can be done. It should be more than possible with the help of the community. And you are right that the betas will give us the opportunity to grow the network with the opportunity to restart if it was not enough.

6 Likes

I’m interested in being part of this support network - perhaps we can help each other with building droplets to run nodes. I can easily afford a fair number of d.o. droplets or similar to host some start-up farms.

1 Like

Our society has tried this for many years and it doesn’t work (I now doubt if it doesn’t work actually on purpose). E.g. some years ago I was sitting in a bar in Italy right at the beginning of a beautiful pedestrian street, then a person came with an extremely expensive car and parked in the pedestrian street (where it was obviously not allowed), he got off the car and started walking and enjoying the beautiful place. After a few minutes, what was happening made a lot of sense to me, i.e. if you had enough money then the rules are not really for you but for those who cannot afford a fine (we can have a separate discussion about moral/ethics/respect, etc.), but technically this is the way things work in real societies now, I believe.

12 Likes

Many here have dedicated countless hours to this community for little to no reward. @neo @mav @fergish @polpolrene @whiteoutmashups @happybeing @JPL and the list goes on. I believe they should instantly be allowed elder status from the begining. They have an intrinsic desire to help the network survive. I at least feel comfortable knowing they are guarding the baby so to speak. Call them “Guardians of the SAFE” if you will. :grinning: Those who have clearly shown passion for SAFE should be recruited.

If they have enough financial and hardware resources they could easily work together with @maidsafe to spawn several hundred thousand vaults. The network might be a little slower at first since their bandwith and hard drives will be strained but its a small price to pay for its survival. Restarting too many times might be demoralizing to newcomers who upload swaths of data just to have to do it over and over again until stability is reached.

EDIT: The more of them the better less chance of gaming the system if they ever go rougue.

2 Likes

If you think about it the first lot of nodes will become elders very quickly and I’d say they will be the ones Maidsafe start up before announcing the network.

Maybe we could have them startup the network then an invite for many active members to join and get the baby network past the 20000 node stage.

14 Likes

+1 against privileged status of anybody… A headstart should be well enough…
(privileged user accounts open new attack vectors… oh - and i don’t trust that @neo guy :face_with_raised_eyebrow: :wink:)

5 Likes

Now now I have a long memory, some of them nigh on 60 years :sunglasses:

3 Likes

@neo I like the idea you propose above. Though if there is even a small chance a large entity is planning a takeover then we wont know when the network is finally SAFE to use. That could make people uneasy for a long time.

The “Guardian” approach has clear evidence that this community is not to be messed with when it comes to the survival and safety of this network. Any concerned soul seeking to use the network has only to take a glimpse at the forum to see the passion here and the likelyhood that destructive collusion by the “Guardians” during the early network is null. :v: :smirk:

… Everybody has a price… (not necessarily monetary)…

Although as the network will be started during the release candidate stage (late beta) it will not be real safecoin but still testsafecoin and if teh worse happened then the network could be restarted.

Then leave this network run till it is too large for a serious attack. Then when its proven it then become live network and coin exchange from MAID to safecoin can start.

Exactly. And we’ve seen some hop ship already.

5 Likes

They responsibility of the guardian role is spread out among so many people that no single individual will likely have enough voting power to mint safecoin if that is your concern. But hey, shit happens…

2 Likes

Yes that is a key point in my suggestions above (which I assume would be obvious, but maybe not). And the other is that before leaving beta we can restart and ensure network is too large for successful attacks.

I still think if we strike a balance it can be done and give users peace of mind very early on.

1 Like

The whole guardians idea smells of privilege just as much if not more than requiring staking. In the least any SAFE rewards would need to be disabled for the guardians until the network is ‘opened up’, otherwise it would just be a pre-mine scam (and still kind of would be since they’d be the only elders who can farm to start with)

2 Likes

Yes not guardians but maybe for the first (short) while as the network is run up just a limited number to add nodes then open it up further. During this time it is just testsafecoin and not much data that can be farmed anyhow so very few testsafecoin rewards anyhow

1 Like