How rational is Cardano's stake? How secure is Ouroboros?

Many people have different definitions of rational delegation. This is not to argue their points, but to compare Cardano’s design assumptions with the real world. Cardano’s design defines rational delegation as trying to maximize rewards. So long as >50% of delegates are trying to maximize their rewards Cardano can be ‘proven secure’.

A rational delegate will evaluate all pools and order them with the highest reward potential at position 1. They would delegate to the highest rewarding pool that has room for their stake as to not oversaturate it. As pools fill up, new stakers have to choose pools lower on the list. The list would fill from top to bottom.

So, how rational is Cardano’s stake?

For this evaluation we will consider any stake within the top 500 pools to be rational

First, we find all private pools that are fully pledged. Subtract that number from 500. This is how many rational public pool choices there are. Now we add up the stake within all of these highest reward potential pools, including the stake pledged to private pools. This is the amount of rational stake within the system.

I calculated only 14% of the total stake is acting rationally. This is a far cry from the >50% required for Oroborous to be secure.

There is some ambiguity that can cause errors in this calculation, like underperforming pools put in the top 500. I do not suspect any errors to be in the range of 36%.

This evaluation method is overly conservative as it’s irrational to choose the 500th highest rewarding pool when there is room in the 10th. I believe this would be more accurate if we just ordered the pools from highest to lowest and then found how many down from 1 saturation stops. That is the amount of truly rational stake. That’s only like 2 public pools down the list.

There’s quite a bit of discussion about stake distribution going on now in these two threads:

Discord > CIP Editors Meetings > PR242/CIP-0050

1 Like

Similar to our previous discussions, you take a very narrow definition of “rational”, here.

Even the “official” recommendations by IOG people “allow” to consider other things like: “Do I want to support the operator or their cause?”

Considering all people delegating to pools not in the top yield field as irrational seems a bit bold.

1 Like

You’re putting a lot of weight on a single line in a blog post by a single person that’s unrelated to the ouroboros proof.

Cardano is not ‘provably secure’ if marketing is used to make delegation choices.

As I said in the OP, a lot of people have their own definitions. The proofs are crystal clear about what rational delegation is.

Can you point to the proof that you mean?

I tried to find rational delegation assumptions in the Ouroboros as well as the Ouroboros Praos paper. Only section speaking about delegation in some detail is Section 9 of the Ouroboros paper. And it does not contain any definitions or proofs (and also describes a delegation system that is only roughly similar to the one we have in Cardano now).

The complex, multifactor, and dynamic, delegation decisions of millions of individuals, all thinking separately, is a feature not a bug. The fact that delegation in Cardano is so readily changeable, and who to stake with so open to diverse opinion, is a strength.

The result is a more seemingly random and diverse distribution of stake that is less predictable and less controllable. This makes Ouroboros resiliant.

Hello @Tom_Stafford

That is not how it works.

What is meant by provably secure is that it can be modeled and tested in a way that can show required levels of security in a realistic model.

When ever you create a model for testing you make assumptions (and hopefully declare what assumptions you are making). One of the assumptions that Ouroboros research made was that there will always be more then 50% of “honest” delegators. This doesn’t translate to rational delegators, just not adversarial ones.

The reason to have such assumption is obvious. If at any point of time most of delegators (50%+) turn adversarial, then no security is needed.

This doesn’t follow, since delegation would come first before any pools are in top 500.
Also, this is just saying that rational choice of a pool is the one that has been chosen more often then others. There is nothing here that would prevent top pool (or pools) from being adversarial in nature. Top 100 pools maybe be attempting to start a Sybil attack, yet your model would suggest that we should delegate to such pools.

Every model has limits to help it focus on testing chosen variables or outcomes. There is no complete model that can ever account for real world impact. For example: incentive of ISPOs seemed to have greater effect to incentivize delegation then pool rewards (since some ISPOs had 100% fees).

This is why everyone suggests to do research about pool operators and use that info to choose where to delegate. There is real world info that you are not going to be able to model and trying to tell ADA holders that we have a perfect formula on how to keep perfect security is dishonest.

Ouroboros research so far has guarded us from many know technical attacks such as block withholding attack and numerous fork-type attacks. However, security will always depend on network participants willingness to keep the network secure.

As for myself, I always delegate to multiple pools (cause we can all be wrong, I too was part of MELD ISPO with out even thinking about it). Now I choose pools on performance, mission and community presence. The only rational decision for me is that I should never delegate more then 1/3 of my ADA to single pool (so if I’m wrong at least 2/3 of my ADA is still securing the network). As well as to choose pools that have found a way to self incentivize, such as charity pools.

So, in my view, better questions to ask are:
How can we as delegators improve the security of Cardano network? What is the next security model that can be researched and built on top of Ourobors to further improve security?


On the one hand: It’s not a single line and not in a single blog post.

Both, the Kiayias blogpost that we were both using as reference in previous discussions and the IOHK support answer on stake pool selection mention a whole lot of different things to consider, off-chain charateristics that you might consider “marketing” as well as on-chain metrics that are not so easy to all put in the same Top 500 rating.

On the other hand: I did not find any of the scientific papers in the library giving the background for the whole stake pool and delegation design including the pledge, fixed fee, and margin mechanisms.

How pledging will keep Cardano healthy - IOHK Blog from two years ago says something about debating, assessing, and iterating, but a detailed analysis, let alone formal proofs are nowhere to be found.

1 Like