Forced Bribes

Bringing penetration testing to decentralized dispute resolution systems.

This is part of a series of posts about our dispute resolution research, the previous post can be found here. The important takeaway being that we aim to be able to blacklist malicious domains and aim to be able to arbitrate this process.

As part of the ENS dispute resolution research, one thing that is of importance is how we can identify malicious arbitrators and eliminate them from our system as soon as possible. The ENS dispute resolution system is initially planned as a secondary layer. When building a dispute resolution system responsible for governing a decentralized protocol, we must assume that most, if not all, of our arbitrators are malicious or may have malicious intentions. There are aspects of dispute resolution which depend on the honesty of arbitrators and therefore cannot be 100% verifiably trustless, therefore creating a bullet proof dispute resolution system is seemingly almost impossible if we do not actively attempt to break the resolution system ourselves. For that reason we need to build in various safety guards to ensure that we can find and remove the bad actors.

One of the interesting concepts I have been thinking about recently in relation to this issue is forced bribes. Forced bribes, for the lack of a better name, are when a dispute resolution protocol has a built in system to bribe arbitrators. The assumption here is that arbitrators are required to report attempts of bribes making it simple to find bad actors when we ourselves are the bribers.

The concept of this system itself is rather simple, however the fine tuning of various “parameters” and execution of bribes is where the complexity really lies. The problem here is how do we bribe arbitrators in a way that they cannot determine it was us? And how many disputes do we run forced bribes on? As mentioned by Nick Johnson, this can probably be quantified based on assumptions about the proportion of trustworthy arbitrators, the amount of resources dedicated to tests and the desired success rate for untrustworthy arbitrators.

One method would be to run bribes only on low stake disputes, the rationale being that we do not want to potentially corrupt high stake cases. This to me however does not seem very productive as it limits the coverage of our arbitration testing, additionally we need to consider which factors categorize a dispute as one of lower stakes. We also need to consider that this may not be an optimal method due to the fact that if a dispute is deemed as lower stake real malicious actors would probably not then attempt to bribe the arbitrators on it. There needs to be a certain balance between which disputes we try to “break” and which we do not, additionally we need to be able to keep this metric hidden so arbitrators cannot behave honestly on the disputes they know we are bribing.

The bribes need to be masked well enough so that an arbitrator cannot determine if our bribes are real or not, if that were to be the case the system would be essentially broken. Therefore bribes should be naturally created, not through some smart contract or automated process unless we can verify that the automated process is indistinguishable from a real person. Ideally bribes would be created there where disputes are discussed by arbitrators or on various forums such as reddit. Another issue needed to be tackled is how we can do all of this verifiably and decentralized, if only one party can issue fake bribes there is a centralized entity penetration testing the system, which should be avoided. Anyone should be able to verify that a bribe was fake at some point in time, of course not during the time at which it is being attempted.

When bribing, we need to determine if this is limited to a single arbitrator or a group that is handling the same dispute. In either way we should be able to punish all arbitrators that knew about a bribe but failed to report it, here we run into the issue however of having to prove that an arbitrator, who was not directly targeted, knew about the bribe. Failing to report a bribe should directly result in a form of punishment, self-policing should be the norm of our system. Arbitrators that fail to do so, cannot be trusted and therefore should be removed.

One thing we need to consider is the fact that if the forced bribes system is over designed and processes are automated, it may be easy to distinguish on what is and what isn’t a fake bribe. Therefore the system should remain primitive, identifiable patterns must be avoided at all costs as this would lower the security of the system.