How rational is Cardano's stake? How secure is Ouroboros?

Tom_Stafford · 9 July 2022 17:57

Many people have different definitions of rational delegation. This is not to argue their points, but to compare Cardano’s design assumptions with the real world. Cardano’s design defines rational delegation as trying to maximize rewards. So long as >50% of delegates are trying to maximize their rewards Cardano can be ‘proven secure’.

A rational delegate will evaluate all pools and order them with the highest reward potential at position 1. They would delegate to the highest rewarding pool that has room for their stake as to not oversaturate it. As pools fill up, new stakers have to choose pools lower on the list. The list would fill from top to bottom.

So, how rational is Cardano’s stake?

For this evaluation we will consider any stake within the top 500 pools to be rational

First, we find all private pools that are fully pledged. Subtract that number from 500. This is how many rational public pool choices there are. Now we add up the stake within all of these highest reward potential pools, including the stake pledged to private pools. This is the amount of rational stake within the system.

I calculated only 14% of the total stake is acting rationally. This is a far cry from the >50% required for Oroborous to be secure.

There is some ambiguity that can cause errors in this calculation, like underperforming pools put in the top 500. I do not suspect any errors to be in the range of 36%.

This evaluation method is overly conservative as it’s irrational to choose the 500th highest rewarding pool when there is room in the 10th. I believe this would be more accurate if we just ordered the pools from highest to lowest and then found how many down from 1 saturation stops. That is the amount of truly rational stake. That’s only like 2 public pools down the list.

COSDpool · 9 July 2022 18:20

There’s quite a bit of discussion about stake distribution going on now in these two threads:

github.com/cardano-foundation/CIPs

CIP-0050? | Shelleys Voltaire decentralization update

cardano-foundation:master ← michael-liesenfelt:CIP-Liesenfelt-Shelleys_Voltaire_decentralization_update

opened 03:59AM - 05 Apr 22 UTC

michael-liesenfelt

+677 -0

**Full Document:** **[English](https://github.com/michael-liesenfelt/CIPs/blob/C…IP-Liesenfelt-Shelleys_Voltaire_decentralization_update/CIP-Liesenfelt-Shelleys_Voltaire_decentralization_update/README.md)**, **[Español](https://github.com/michael-liesenfelt/CIPs/blob/CIP-Liesenfelt-Shelleys_Voltaire_decentralization_update/CIP-Liesenfelt-Shelleys_Voltaire_decentralization_update/README.Spanish.md)**, **官话 Chinese** Improving decentralization is absolutely necessary for the long term health and growth of the Cardano ecosystem. The current reward formula has resulted in a stable but stagnant level of decentralization. With the benefit of hindsight over the last year the intent of (a0, k) has not resulted in the desired decentralization outcome. This CIP provides the justification, methods, metrics, and implementation for an improvement program to increase decentralization of the Cardano network. The proposed reward equation retains the function of k for diminishing rewards based on stake and enforces diminishing rewards based on pledge leverage, L. The proposed equation enforces a set of principles to ensure stakeholders of dramatically different size can all achieve the same maximum yield. The yield ceiling feature prevents the formation of two classes of stakeholders and removes some of the benefits of centralization. The economic motivations of the largest stakeholders will be aligned with decentralization, reward diversification, fault tolerance, and ensuring the Sybil protection of the entire community. [**Current list of Support and Opposition**](https://github.com/michael-liesenfelt/CIPs/wiki/Support-or-opposition-to-CIP-50) [Cardano Foundation CIP-Editors Discord : CIP-50 Topic Thread](https://discord.gg/Q3WuMPMk9A) **Current Status:** 2022 06 29 - Hivemind stakeholder review in progress here! IOG will review after the Vasil hardfork. **Additional Resources:** [Cardano Live #54 | Cardano Network Parameters with Dr. Michael Liesenfelt](https://youtu.be/eAs_L68RO-c) [Spicy Dumpling Show | May 6 2022 | CIP 50: Pledge factor and pool rewards](https://youtu.be/1UpD2s_vegQ)

Discord > CIP Editors Meetings > PR242/CIP-0050

HeptaSean · 9 July 2022 19:36

Similar to our previous discussions, you take a very narrow definition of “rational”, here.

Even the “official” recommendations by IOG people “allow” to consider other things like: “Do I want to support the operator or their cause?”

Considering all people delegating to pools not in the top yield field as irrational seems a bit bold.

Tom_Stafford · 9 July 2022 20:30

You’re putting a lot of weight on a single line in a blog post by a single person that’s unrelated to the ouroboros proof.

Cardano is not ‘provably secure’ if marketing is used to make delegation choices.

As I said in the OP, a lot of people have their own definitions. The proofs are crystal clear about what rational delegation is.

HeptaSean · 9 July 2022 21:54

Can you point to the proof that you mean?

I tried to find rational delegation assumptions in the Ouroboros as well as the Ouroboros Praos paper. Only section speaking about delegation in some detail is Section 9 of the Ouroboros paper. And it does not contain any definitions or proofs (and also describes a delegation system that is only roughly similar to the one we have in Cardano now).

7.4d4 · 10 July 2022 00:00

The complex, multifactor, and dynamic, delegation decisions of millions of individuals, all thinking separately, is a feature not a bug. The fact that delegation in Cardano is so readily changeable, and who to stake with so open to diverse opinion, is a strength.

The result is a more seemingly random and diverse distribution of stake that is less predictable and less controllable. This makes Ouroboros resiliant.

Neo_Spank · 10 July 2022 10:00

Hello @Tom_Stafford

That is not how it works.

What is meant by provably secure is that it can be modeled and tested in a way that can show required levels of security in a realistic model.

When ever you create a model for testing you make assumptions (and hopefully declare what assumptions you are making). One of the assumptions that Ouroboros research made was that there will always be more then 50% of “honest” delegators. This doesn’t translate to rational delegators, just not adversarial ones.

The reason to have such assumption is obvious. If at any point of time most of delegators (50%+) turn adversarial, then no security is needed.

This doesn’t follow, since delegation would come first before any pools are in top 500.
Also, this is just saying that rational choice of a pool is the one that has been chosen more often then others. There is nothing here that would prevent top pool (or pools) from being adversarial in nature. Top 100 pools maybe be attempting to start a Sybil attack, yet your model would suggest that we should delegate to such pools.

Every model has limits to help it focus on testing chosen variables or outcomes. There is no complete model that can ever account for real world impact. For example: incentive of ISPOs seemed to have greater effect to incentivize delegation then pool rewards (since some ISPOs had 100% fees).

This is why everyone suggests to do research about pool operators and use that info to choose where to delegate. There is real world info that you are not going to be able to model and trying to tell ADA holders that we have a perfect formula on how to keep perfect security is dishonest.

Ouroboros research so far has guarded us from many know technical attacks such as block withholding attack and numerous fork-type attacks. However, security will always depend on network participants willingness to keep the network secure.

As for myself, I always delegate to multiple pools (cause we can all be wrong, I too was part of MELD ISPO with out even thinking about it). Now I choose pools on performance, mission and community presence. The only rational decision for me is that I should never delegate more then 1/3 of my ADA to single pool (so if I’m wrong at least 2/3 of my ADA is still securing the network). As well as to choose pools that have found a way to self incentivize, such as charity pools.

So, in my view, better questions to ask are:
How can we as delegators improve the security of Cardano network? What is the next security model that can be researched and built on top of Ourobors to further improve security?

HeptaSean · 10 July 2022 19:58

On the one hand: It’s not a single line and not in a single blog post.

Both, the Kiayias blogpost that we were both using as reference in previous discussions and the IOHK support answer on stake pool selection mention a whole lot of different things to consider, off-chain charateristics that you might consider “marketing” as well as on-chain metrics that are not so easy to all put in the same Top 500 rating.

On the other hand: I did not find any of the scientific papers in the library giving the background for the whole stake pool and delegation design including the pledge, fixed fee, and margin mechanisms.

How pledging will keep Cardano healthy - IOHK Blog from two years ago says something about debating, assessing, and iterating, but a detailed analysis, let alone formal proofs are nowhere to be found.