Staking and Network Security

THORChain is a proof-of-stake network that relies on a number of validators bonding Rune collateral in order to become eligible to earn block rewards from the network. Since a BFT algorithm is used (Tendermint) that relies on synchronicity, the number of validators must be capped in order to reach finality in each round of block proposals.

Matching the Cosmos architecture, the network is expected to have 100 validators at launch, increasing over a number of years to a larger (but capped) number.

Tendermint requires full-nodes as Validators or block producers, and each Validator must have a weight on the network. The weight is determined by the stake they hold, so Tendermint can support Proof-of-Stake out of the box.

Staking

THORChain must not only achieve optimal network security (protection from byzantine actors) but it must also achieve ideal asset security to protect its cross-chain bridges that will be holding external assets.

By design, THORChain’s bridges are permissionless and opt-in for validators in order to protect the network from censorship.

The bridges are secured by validators that choose to maintain bridges to earn on exit fees. They form a compliant “quorum” of validators that are cycled through the multi-signatures protecting the bridge assets.

However, because of the opt-in nature of this responsibility, external bridges do not have the security of the entire network. Thus, the bridging protocol uses economic incentives to ensure that the assets held on bridges are always safe.

Safety, as it relates to this, is determined by enforcing a net economic loss on the attacking actor that far outweighs the potential reward. This is an example of asymmetric design, commonly used in computer architecture, to deter attacks before they happen.

Achieving ideal asset security is defined as ensuring that the value of stake bonded by the set of validators guarding a bridge is always twice as high as the value of the assets held on the bridge.

What are the incentives to do this?

The incentives to bond tokens with Validators are to earn block rewards that will be emitted as part of the token’s inflation schedule, as well as any transaction fees collected (including trading and exit fees).

THORChain proposes a design with a flat 2–5% emission to validators.

The incentives to stake Rune in liquidity pools are to earn on liquidity fees, which are proportional to volume across pools, transaction sizes and existing liquidity depth.

Staking is an inherent part of the protocol and provides liquidity to all assets. Due to the way that CLPs are created alongside the instantiation of digital assets on THORChain, there will always be some liquidity depth to assets. By adding incentivisation (liquidity fees), trading pairs will always be liquid, increasing the usefulness and value of the protocol.

When staking, a user can stake symmetrically or asymmetrically in the pool. Regardless of the method of staking, the user will always end up receiving assets on both sides of the pool.

The reasons for this are twofold:

First, by receiving assets on both sides of the pool the staker is hedged against any downside on one side, so any fees earned present a net gain in value to the staker.

Second, staking asymmetrically creates a price imbalance that is corrected by either arbitrage or market forces, and thus results in an accumulation of assets on the unbalanced side for the staker.

Relationship with Bridges

Since THORChain is a cross-chain protocol with bridges that hold assets, our network design is asymmetric towards asset security. We choose a safety threshold of 2 on all bridge assets; that is, the Rune securing a bridge must be worth twice the value of the asset held on it.

Since the incentives for staking arise from economic activity, we attempt to form a position on what would likely be the level of staking participation. We assume that any actor who can stake can also bond, so we can suppose that they will position their assets between staking and bonding depending on the potential ROI available.

From real world analysis of liquidity networks and decentralised exchanges we determine the following numbers:

Secure Network Design

For a byzantine attacker to attack the network, they would need to accumulate 25% of the supply of Rune, roughly 250m units.

To remove even 200m Rune from the pools, the attacker would need to put in 4 times the amount of paired assets. Since the pools are coupled mathematically, the price action on the asset would cause the value of Rune to increase by 25 times.

The bridges would increase in security by 25 times due to the rise in value of the stake holding the assets. The block rewards and transaction fees paid to validators would also increase in value 25 times.

This large multiple in incentives would attract further delegation from Rune holders, increasing the amount of Rune the attacker would need to acquire. This positive feedback loop would continue until the attacker cannot collect enough Rune from markets to conduct an attack.
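
The arithmetic behind the 4x and 25x figures and the safety threshold of 2, as an added example that is not part of the original article. It assumes a fee-free constant-product pool (x * y = k) and a pooled depth of 250m Rune, the depth at which removing 200m reproduces those figures; the function names and the bond and bridge values are constructed for illustration.

```python
from fractions import Fraction

SAFETY_THRESHOLD = 2  # from the article: bonded value must be 2x the bridge asset value


def drain_pool(rune_depth, asset_depth, rune_out):
    """Cost of removing `rune_out` Rune from a pool, ASSUMING x * y = k and no fees.

    Returns (paired assets to add, as a multiple of asset_depth,
             resulting Rune price multiple measured in the paired asset).
    """
    x, y, out = Fraction(rune_depth), Fraction(asset_depth), Fraction(rune_out)
    if not 0 <= out < x:
        raise ValueError("the Rune side of a constant-product pool cannot be emptied")
    k = x * y
    x_after = x - out
    y_after = k / x_after  # the invariant forces the asset side up
    asset_multiple = (y_after - y) / y
    price_multiple = (y_after / x_after) / (y / x)
    return asset_multiple, price_multiple


def safety_ratio(bonded_rune, rune_price, bridge_asset_value):
    """Value of bonded stake divided by value of assets held on the bridge."""
    return Fraction(bonded_rune) * Fraction(rune_price) / Fraction(bridge_asset_value)


def bridge_is_safe(bonded_rune, rune_price, bridge_asset_value):
    """The article's rule: the bond must be worth at least twice the bridge assets."""
    return safety_ratio(bonded_rune, rune_price, bridge_asset_value) >= SAFETY_THRESHOLD


if __name__ == "__main__":
    # Constructed inputs: 250m pooled Rune (assumed depth), 1m units of paired asset.
    assets_in, price_x = drain_pool(250_000_000, 1_000_000, 200_000_000)
    print(f"attacker adds {assets_in}x the paired assets; Rune price rises {price_x}x")

    # Constructed bridge: 100m Rune bonded at price 1 guarding assets worth 50m.
    before = safety_ratio(100_000_000, 1, 50_000_000)
    after = safety_ratio(100_000_000, price_x, 50_000_000)
    safe = bridge_is_safe(100_000_000, price_x, 50_000_000)
    print(f"safety ratio {before} -> {after}, safe: {safe}")
```

Under the same assumption, removing a fraction f of the pooled Rune multiplies the price by 1/(1-f)^2, so the cost to the attacker grows without bound as f approaches 1.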