Staking pools and some issues that perhaps should be considered

So the teams behind Cardano has gone to great lenght to mathematically prove the security of the Proof of Stake model. (https://iohk.io/research/papers/#9BKRHCSI) However many would argue all security is no stronger than the weakest link in any security system. In light of such a framework I am wondering how the distribution of Proof of stake pools could affect the security of the whole system itself. Keep in mind I have a basic understanding of the underlying model behind this so I am simply trying to ask critical questions and hopefully there are some more wiser people out there who can answer how this has already been tackled. Also appologize in advance that english is not my first language but hopefully my meaning come across.

#Geographical distribution
Staking pools are likely to be skewed geographically to where there is currently a lot of Cardano in circulation. I would argue for this to be the case since most investors tend to want to put the currency they invest into in use in a country that the laws they understand (among other reasons.) Now in itself this is not a problem but lets say a country puts regulations in place that causes dramatic changes quickly. For example the outlawing of staking pools causing a large portion of systems to quickly be shut down. As far as my understanding of the paper goes this would not shut down or corrupt any transfers but I am wondering if this could cause transaction times to come to a grinding halt until new pools with available hardware where up and running. This could have dire consequences in the case of time critical transactions and thus a security risk. I believe ideally staking pools should be geographically spread out to such a degree that no single country has a majority of the transaction computational power. There are many ways one can get to good geopgrahic distribution - one could get this by good governence, incentives or by rules of the system itself.

#Risks to the staking pools
As far as my basic understanding goes a user can at any point in time change what staking pool they let stake for them. If the computational method used by Cardano is costly in hardware, and I am going to assume this is the case if one ideally wants around 100-150 pools with a majority of transactions, then these pools runs financial risks whenever they expand hardware and if rational actors they would limit growth to anything with a quick return of interest on hardware expenditure. In theory if Cardano has a high growht rate it could be slowed down by staking pools willingness to invest large enough sums to get hardware quickly enough. Again this could cause slow downs in transactions speeds and if any such transactions where time critical that could cause problems. If not tackled properly it could also cause less incentive for quality taking pools to be formed that are long term stable. If staking pools are themselves free to set the fee one might argue this would be self correcting in a market economy where fees would increase if needed for investment or actors with deeper pockets would leveragte the advantage to burn more money up front for a larger market share. However it would still cause periods of boom and bust that are part of any market economy and could thus cause slowdowns during periods of bust. One example of how to solve this would be for the treasury/governance system to incentives investment in infastructure across pools in cases where growth is limited by economic constraints on hardware.

#Staking pool fee as the single most important factor for user selection of pool
One problem that could in theory happen is that pools that invest the least in security measures are more competitive in fee prices and become the most popular pools. This could cause these pools to be more easily hacked or influenced and could become a weakness in the system. To avoid this either the treasury/governance should incentivize security measures by staking pools or for example some form of security standard certificate could be developed by security professionals and paid/managed through the treasury system. Other examples would be to reward pools with no security incidents over time. In any case one should atleast consider the fact that if there are no incentives for security in the pools and all incentives lies in having the lowest fee cost this could cause pools to have less of a security standard than what would be ideal.

#Paralyzing honest staking pools in a coordinated effort
I do not know if this is far out there but let me just post it for consideredation: The lesser distributed pools are and the lesser security measures are implemented the easier it would be for coordinated attack on any such system. For example if say 80-90% of all staking pools where located in Korea , Japan and US and these countries came in a war situation where they decided to wage economical warfare on other countries all by law required the public state pools to be shut down and at same time replaced them with staking pools that did not give a honest view of transactions (for example excluding or funneling founds from other countries) they could more easily overcome the 50%+1 requirement than if said staking pools with hardware where more geopgrahically diversed. If security was too relaxed this could also be done by hacking attacks so incentivizing staking pools to have security seems to be important for this semi distributed system to work.

#Reputation / PR / Legal
To gain a competitive edge or by ethical reasons or to build buisness relationships staking pools could use fees to help spread ADA popularity across the world by setting up hardware / infastructure in locations that need it most. Google / Facebook is already doing this with network infastructure across places that do not have such infastrucutre. I see no reason why fees could not be used to educate and build infastructure to expand ADA across the world. After all it would be in the interest of staking pools to increase growth, and some might even be motivated by more lofty goals as wanting to make the world a better place (and gain a competitive edge at the same time in being more likely selected as a pool.) All of this is very fine but problem could be caused over how this is implemented. Picture if someone is motivated by pure business motives and invest in infrasctructure only if people in that place claim to the pool of the actor that is investing. “Africapool” invest heavily in several countires in africa with government deals that allows users only to give staking claims to africapool. I am not saying this is going to happen but it could happen if incentives are too large for the staking pools. And it could then cause individual staking pools to have a too large dominance in one geographical location thus again creating security problems and or legal problems like say first gaining the exclusive right of a country to allow its citizen to stake in ada and then cranking up the fees of the pool. Again to avoid such behaviour one would need to look how staking pools are allowed to use fees and guidance/governance given to staking pools.

Okay that was all I could think of for now in my 45 minutes typing this but perhaps others can join in on this discussion and add other theoretical concerns as well. I have high hopes for Cardano in general and most of my concerns are theoretical in nature so I am not so bothered by them but I hope it is usefull to discuss them in any case.

Hi Eystein!
You’ve raised lots of valid points, some of which I’ve also been pondering to some degree.

I think there are some points already mitigated, and other’s well just have to wait and see how the pool incentives and staking rolls out. I imagine IOHK has put in plenty of time thinking about these very same issues…

Here’s a couple quick inputs from my own thinking on it:

1 - Geographical risk - Certainly that is a larger concern. I wasn’t thinking about war per se, but mostly the fact that 97% of all internet traffic goes through a concentrated set of underwater cables between continents.

Sometimes these get disrupted by mundane things like fishing trawlers hooking them etc. and while there’s usually enough backup, the speed can take a big hit in the short term.

That’s why for https://AdaPools.io, we have setup four server nodes across the globe - Singapore/Chicago/Amsterdam/Frankfurt. The idea is that in the event of a localized disruption we could mitigate the bulk of it with multiple nodes geographically dispersed.

However, that of course ties into your next point:

This is definitely going to be an issue. Obviously I could run AdaPools from my laptop and have way lower cost than running a network of geographically distributed nodes…yet for the purpose of the Ada network overall, it’s far better to have that dispersed setup for robustness and network throughput.

One item that may help is they are going to list “network quality” and that may reflect the difference between a pool on a laptop that isn’t as fast to respond vs. a high end server sitting at a backbone crossroad. But I doubt it would account for geo-dispersed setup.

Related to that, this network quality measurement could end up causing centralization. Imagine for example that the core cluster of IOHK servers live in HK, and therefore our Singapore server by default has ‘faster’ response by virtue of being physically closer than the Frankfurt Germany node.
That would result in us being incentivized for moving all servers closer to HK physically to get better ‘network quality’ even though it reduces geographic dispersion if that was the ‘be all’ factor for pool listing.

security - this is another item where pool fees as the selection criterion might negatively skew it. We run Dome9 security on all our nodes and it’s expensive…but it’s the absolute tightest security we’ve found (and hence all their awards). IOHK may have to run penetration testing on pools to verify security or similar as a way to enforce some minimum standard, otherwise again, the laptop pool wins out at least until that pool collapses due to hacking.

One idea that might help offset the drive for lowest fee/lowest quality would be monitoring ‘blocks missed’ by pools…that may be part of the network quality but could be another way to offset the drive for cheapest setup at the expense of network quality.

Someone on here was saying they were going to run a pool for 0% b/c they felt no one should have a pool fee and they wanted to ‘drive out’ anyone who charged.

My counter to that was that doing that would ensure we would all end up piled into their spare desktop computer (b/c I would spend the monthly expenses of running a set of top tier geo servers and put that same money into buying more ada and stake with them…) and when it crashed…then the whole network would be at risk since there were no other professional nodes on the network…except his spare computer + IOHK core servers. Then the value of Ada crashes b/c it’s clear there is no decentralized network supporting it unlike say bitcoin where miners are very, very well compensated securing the network (arguably too well compensated and that’s another discussion b/c you have 4 pools running the bulk of the hashing power and with their economy of scale, dips in price simply let them end up with even more % as it drives out smaller miners)…

I think a lot of these issues will all ultimately be addressed in one form or another as Charles indicated they will have a month+ of pools running on a test network, and I imagine most of these issues will be brought up and worked through.

Anyway all good points you make and I just skimmed into some of the ones I’ve already been thinking about!

Thank you for joining in on the discussion MegaWind. I can see you have taken these issues into consideration. I guess for the time beeing the infastructure of the internet itself is not something that can be done so much about. But I am optimistic for the future of this problem as more and more infastructure is built. What can be done for now is as you suggest to spread out the location of the pool. When it comes to the security then yes some form of minimum standard seems like a way forward given that security issues are none issues until they actually matter it seems important to stress test these in advance of any actual security issues. I also agree with you 0% fee is not the way to go and too much compensation does tend to create almost monopoly like situations due to economy of scale. I am not sure what is a sweet spot regarding reward structure. Perhaps it needs to be layered somewhat to incentivize new pools if any pools tend to have a too large portion of the overall staking.