Step-by-step: the road to Fleming, 2: Sybil resilience

The reason I pointed out that comparison is that it can easily be misinterpreted by people who aren’t familiar with the safenetwork…
That kind of statements are easily misconstrued.


Its unfortunate though.

But even knowing the little I do about SAFE, the comparison with POS still leaves an overall negative impression. Even though I realise what is being said and agree. To me its more like the Elders in a traditional tribe. They been through the rigours of life and are wise. Even if occasionally you get one that shouldn’t be.


in fact, in the general sense, there is only PoS. Why?


  • in PoW you stake machines bought with cash
  • in PoS you stake directly cash
  • in Node ageing you stake computer time = internet + power + computer, which all are cash

So, in the general sense there all are PoS, but the stake is only seemingly different…


Thanks @tobbetj :slight_smile:


Well personally I think this needs to be viewed in the context of wanting to balance the lowest possible rejection rate for normal users (“honest nodes”) with rejecting as many malicious ones as possible

Yep these simulations add valuable data and crucial pieces to the puzzle :slight_smile:
In general I’m a big fan of all the simulations done by the community!


I mentioned the issue of network partition in another post (How good is SAFE Network really for anonymity?) and people kindly replied to me on how Safe could address it (was glad to see people welcoming new questions!). Unfortunately I was not completely convinced at the time (need more reading); and now seeing some relevant discussion here it has come back to my mind that network partition combined with some other techniques could still stand a fair chance to subvert the network.

First of all partitioning-based attack has been explored in the past for bitcoin (, and I haven’t seen convincing proposals on solutions. One possibility might be to sacrifice liveness in case of partition to avoid further damage (which indeed was suggested in my other post); however someone raised a good point on this topic that ability to stall or refuse local chain is only viable if partition is not complete. That is to say a lot of what we try to rely on for security in a decentralized setting is having knowledge of the decentralized topology, and that knowledge itself is not localizable - in the sense that it requires exchange of information with the wider network where ‘the wider network’ needs to have a defined and consistent meaning across.

Say the attacker realizes it’s too expensive to control sections - what he can do instead is to build a walled garden with potential users inside such that he’ll have a partitioned network where he always has the main share, regardless of the resistance we build into the network by decentralization. He can do that by for example, using middleman rogue servers in front of the bootstrap servers controlling a few bootstrap servers and blocking others - so a new user by default is likely to enter his network, and of course he can also tweak his own network by making it corrupt as well. Only nodes which manage to exchange information with those outside the partition in the past can escape the fate of being walled - for new nodes any attempt of knowing the ‘true picture’ could be prevented by complete partitioning.

1 Like

The whole point of my post was precisely to point out was that those kind of abstractions “in general sense” really doesn’t help, and we are getting too meta already.

Another example could be, humans are also animals “in general sense”, but you wouldn’t go to a veterinarian for a health check, would you?

To go from “PoW shares the same problems with PoS” to “PoW is basically PoS” to your extreme statement of “Everything is PoS, essentially”. This deformation is precisely what I fear to happen when others read this, each level of abstraction makes it more and more inaccurate to the point of becoming ridiculous and meaningless.

Another example of abstraction is that the SafeNetwork is an open systems that maintain homeostasis, are composed of cells, can grow, adapt to their environment, respond to stimuli, reproduce and evolve… therefore, in a sense, the SafeNetwork is a new lifeform.
Which is a valid deduction based on the premise but not really true, is it?
Does this kind of statements really help to move the technical discussions forward? Does that mean that the Maidsafe team need to hire an exobiologist now?

I hope to have made my point across now…


Any info about how the queue to join will be managed? Could the queue could also be subject to sybil attacks? If the queue can be controlled that could be quite valuable in itself. (Seemed like this would be part of RFC Node Ageing but I couldn’t find any details on disallow rules other than the section Starting A Node which says only one node age 0 allowed).

A bit of a philosophical point on this: the network can control the supply very well (knowing how much spare storage there is, then slowing supply via disallow rules or increasing supply via farm rate). But the network can not control the demand very well (demand ‘just happens’, both read and write demand, although write demand can be slightly controlled by PUT price). So how does this supply demand asymmetry affect the design of the disallow rules? I think if demand is unavoidably chaotic then supply should very minimally constrained or effectively not constrained at all. Open to being convinced otherwise!

Is this relocation verifiably random? Any more info on this mechanism? The latest I can find is from 2015 RFC Address Relocation which uses a hash of current member names.

Looking forward to seeing some economic modelling of this. I’ve tried it myself but seeing it from elsewhere will be really cool.

This is an interesting idea (but not one that I know of any plans to implement).

There’s a good list of malic detection for malicious peers. I wonder what malice could be detected at the section level and what action could be taken.

Is detecting malicious peers good enough?

I have to admit I got a bit of a chuckle out of the name Proof-of-Importance. All this proof-of-this and proof-of-that, what even is proof?! The term is definitely becoming diluted and imo SAFE should stay away from proof-of-x naming.

In general I agree. More inclusion is usually a better result (my politics speaking). But the cost can be quite high, especially for performance. So to my mind there needs to be some conscious deliberate balancing going on (not necessarily hardcoded, but the joining rules should be made with a degree of predictable intention). Not easy!

But what’s the benefit? Why would an attacker do this? I’m not sure I understand the motivation for partitioning the network.

To take this slightly out of context, I agree and think proof-of-x also does not help the technical discussion and should be dropped completely at all levels from beginners to wizards. The SAFE network has consensus and it has event ordering, they work together to secure the network. There’s no proof of anything. Just consensus and event ordering.

But ‘telling people how to talk’ is pretty ugly so I’ll leave it at that!


A couple of hopefully helpful points.

Not yet, but we will for sure have an RFC for this and I expect a lot of really informed debate here, I think we all have ideas and feelings, so great to get to hard facts on this one.

Now we can use the hash of a PARSEC Block that causes the relocation, so “random” or perhaps better to say non deterministic, or difficult to know this value beforehand. Still needs checked for edge cases, just to be certain.

Agree, this part is very intresting and can couple a lot of the network functions, it is an area where the feeling can certainly be simpler will be better, even though it seems lacking at first. So potentially not limiting too much (already it is a single Infant per section) or none at all (allow an attacker to flood the network with new nodes) are great to consider from an attack perspective. Or we have the full limit where the network calculates if it needs new nodes/workers and only then accepts them. As you say we cannot control Gets so much, we have some control over Put and Add etc. and can throttle Gets so there is decent scope here to figure out the most appropriate mechanism. So we can make the network go read-only then “stalled” (basically reduce or stop Get requests for a period), so using these options and thinking about swarm / botnet attacks and balanced with join in, do work, get paid easily is a great place for thought experiments.


I meant any node that passes the initial PoR test shouldn’t be rejected just because there is enough free space. I agree that the network should reject nodes that are not capable enough, otherwise the network might under-perform. I will edit my post accordingly.


Made me think of this


Well there is a practical difference. With the SAFE network you can invest even a small amount of computer resources over time. This means those who do not have cash and can only buy tech on occasion can still participte in the network. Some people just don’t have a disposable income to spend on PoS or even more on PoW which requires extreme computing power these days. SAFE is essentially more flexible and therefore allows for those in poverty to enter.


I think you guys have it, we have a stake as such, but mostly time. This is something we all have varying degrees of. I would hope the time and dedication of farmers is what pays off as opposed to a single huge cash influx being able to affect the picture. This time is great here as the poorer folks with some time and small compute devices can be rewarded.

So shift from wealth buying immediate influence to also requiring time means anyone with that time, stands an equal chance, per computer of course. the wealthy may have millions of computers and millions more chance, but the time will be fair across all devices. I am certain we can do more, but lets see, step 1 seems the right direction.


I’m also not a big fan of all these proof of… But I can’t help myself: I hear farmers and I hear proof of stake…
With proof of steak it certainly takes time and effort: raise the cattle on the farm etc…

1 Like


I get me steak from the butchers. Doesn’t all meat come from the meat shops? Whats a cattle?

The shop assistant has plenty of proof its steak

Yes I lived rural and know

1 Like

The comparison has its problems, but are other “proof of”-comparisons that much better?

1 Like

As a vegetarian I’m strictly against proof of steak. But proof of tofu burger isn’t more appealing. How about proof of organically grown salad? (POOGS)

O no, if you combine this (tofu under salad), you get POTUS.


If you’re not an ovo-lacto vegetarian, maybe proof of cake? You can’t have and eat it too anyways :wink:

I don’t know who said it, but “time is money”.

I am not quite understanding why older nodes should be more trustworthy… What happens if an attacker is setting up lots of vaults right when the network goes live? I mean there doesn’t seem to be a mechanism to make sure these “king nodes” are really good people, they are just the ones that got there first. It sounds to me like once you had the king nodes you could even use them to reject all new vaults that aren’t yours and actually gain even more influence over time.