PIP 14 — Divergent Oracle Prices
Proposal for adding more sources of oracle price records
Summary of Proposal
This proposal was put forward by an anonymous white hat developer. I’ve updated it below to reflect what is possible in the current PegNet software.
1. Add more diversity to the OPR generating parties (meaning who can submit OPRs) 50% weight to miners— 50% weight to Stakers.
2. Then run the grading algorithm on these. Set the deviation for each asset. If deviation between OPRs is too high (say 0.5%), pause conversions on that pAsset that block.
Advantages Of This Approach
The first big advantage of this approach is PegNet can detect attacks without slowing down the conversions over many blocks. For example in the case of a fast market change, such as the dropping price of oil recently, PegNet users can still follow the price change and take advantage of it with their conversions. As this approach compares different price records between Miners / Stakers in the same block, rather than comparing previous block prices to current block prices.
A potential attacker needs to control both a majority of the mining power and a majority of the staked pAssets / PEG. If they only control 1 group, the cost to maintain the attack is higher than what he earns.
Example:
Scenario 1: attacker wants to push the price of gold down to zero and buy it cheaply.normal (no attack):
- Miners of say GOLD: 1000
- Stakers say GOLD: 1003
______
deviation: 1.5attacker controls 1 group:
- Miners say GOLD: 1
- Stakers say GOLD: 1000
_____
deviation: 499.5
as you can see. There’s big difference and easy to detect automatically.
Scenario 2: attacker is trickier, he pushes the price down a little (say 1%) to buy it cheaper. It's undetected by human. This is the hardest situation. 1.01^72 is still x2 their asset per day.
1.005^72 is +40% their asset per day.Solution: Tight deviation.
Example:
last block (no attack):
- miners of current block say GOLD: 1000
- peg holders say GOLD: 1003
______
deviation: 1.5Scenario 2A: attacker changes 1% price
this block, attacker controls 1 group:
- Miners say GOLD: 990
- Stakers say GOLD: 1000
_____
deviation: 5.0Scenario 2B: attacker changes 0.5% price
this block, attacker controls 1 group:
- Miners say GOLD: 995
- Stakers say GOLD: 1000
_____
deviation: 2.5
The deviation of attacked block is almost doubled of last block. So it still can be detected by code. Going lower is not worth to do an attack and unpredictable, since asset prices can change 0.5% in 10 minutes in reality.
Future Iteration With Past + Current Miners
When Digital IDs (DIDs) are Fully Deployed on Factom than the approach can be improved to involve Miners from past blocks and the current block.
25% by miners of the current block
25% by miners of last 100 blocks (weighted by percent of total hashrate)
25% by miners of last 1,000 blocks (also weighted)
25% by Stakers
Then run the grading algorithm on all of these. Set the deviation for each asset. A potential attacker needs to control all 4 to alter prices. If he only controls 3 groups, the cost to maintain the attack is higher than what he earns.
Example:
Scenario 1: attacker wants to push the price of gold down to zero and buys it cheaply.
normal (no hack):
- miners of current block say GOLD: 1000
- miners of last 100 blocks say GOLD: 1001
- miners of last 1000 blocks say GOLD: 998
- peg holders say GOLD: 1003
______
deviation: 1.802775637732attacker controls 3 groups:
- miners of current block say GOLD: 1
- miners of last 100 blocks say GOLD: 1
- miners of last 1000 blocks say GOLD: 1
- peg holders say GOLD: 1050
_____
deviation: 454.23032428494attacker controls 2 groups:
- miners of current block say GOLD: 1
- miners of last 100 blocks say GOLD: 1
- miners of last 1000 blocks say GOLD: 1000
- peg holders say GOLD: 1001
_____
deviation: 499.75012506252attacker controls 1 group:
- miners of current block say GOLD: 1
- miners of last 100 blocks say GOLD: 999
- miners of last 1000 blocks say GOLD: 1000
- peg holders say GOLD: 1001
_____
deviation: 432.58026711814
In this example if someone decides to attack PegNet, he must have 9,900% higher hashrate of current network, has to mine PegNet for 7 days to have 74% voting power. In the meantime, the devs can figure it and do something to counter the attack. That’s such a huge barrier for any attacker. Even if he manages to do so, 25% voting power is held by PegNet Stakers who still report honest prices.
Conclusion
Having multiple groups of parties submit oracle price records vastly increases the cost to an attacker and by implementing tight controls on the prices deviation the benefit of the attack is reduced.
