Defending Against Malicious Reorgs in Tezos Proof-of-Stake

TL;DR

This paper analyzes the vulnerability of the Tezos Proof-of-Stake blockchain to malicious chain reorganizations, quantifies attack probabilities, and proposes protocol adjustments and monitoring methods to mitigate deep reorg risks.

Contribution

It provides a detailed analysis of reorg attack rates in Tezos, suggests protocol parameter adjustments for enhanced security, and introduces a blockchain health monitoring method.

Findings

A 40% attacker can perform a 20-block reorg once per day on average.

Protocol adjustments can reduce deep reorg attack opportunities by two orders of magnitude.

There is a trade-off between robustness to deep reorgs and selfish mining vulnerabilities.

Abstract

Blockchains are intended to be immutable, so an attacker who is able to delete transactions through a chain reorganization (a malicious reorg) can perform a profitable double-spend attack. We study the rate at which an attacker can execute reorgs in the Tezos Proof-of-Stake protocol. As an example, an attacker with 40% of the staking power is able to execute a 20-block malicious reorg at an average rate of once per day, and the attack probability increases super-linearly as the staking power grows beyond 40%. Moreover, an attacker of the Tezos protocol knows in advance when an attack opportunity will arise, and can use this knowledge to arrange transactions to double-spend. We show that in particular cases, the Tezos protocol can be adjusted to protect against deep reorgs. For instance, we demonstrate protocol parameters that reduce the rate of length-20 reorg opportunities for a 40% attacker by two orders of magnitude. We also observe a trade-off between optimizing for robustness to deep reorgs (costly deviations that may be net profitable because they enable double-spends) and robustness to selfish mining (mining deviations that result in typically short reorgs that are profitable even without double-spends). That is, the parameters that optimally protect against one make the other attack easy. Finally, we develop a method that monitors the Tezos blockchain health with respect to malicious reorgs using only publicly available information.