Security Analysis of Filecoin's Expected Consensus in the Byzantine vs Honest Model

TL;DR

This paper provides the first formal security analysis of Filecoin's Expected Consensus protocol, identifying its security threshold and proposing improvements to enhance its resilience against adversaries controlling up to roughly 20% of total storage.

Contribution

It formally analyzes the security of Filecoin's Expected Consensus, introduces the n-split attack, and proposes two improvements to increase security thresholds.

Findings

EC is secure against adversaries with less than ~20% storage control.

The n-split attack successfully compromises EC at the threshold.

Two proposed fixes can increase EC's security threshold.

Abstract

Filecoin is the largest storage-based open-source blockchain, both by storage capacity (>11EiB) and market capitalization. This paper provides the first formal security analysis of Filecoin's consensus (ordering) protocol, Expected Consensus (EC). Specifically, we show that EC is secure against an arbitrary adversary that controls a fraction $\beta$ of the total storage for $\beta m< 1- e^{-(1-\beta)m}$, where $m$ is a parameter that corresponds to the expected number of blocks per round, currently $m=5$ in Filecoin. We then present an attack, the $n$-split attack, where an adversary splits the honest miners between multiple chains, and show that it is successful for $\beta m \ge 1- e^{-(1-\beta)m}$, thus proving that $\beta m= 1- e^{-(1-\beta)m}$ is the tight security threshold of EC. This corresponds roughly to an adversary with $20\%$ of the total storage pledged to the chain. Finally, we propose two improvements to EC security that would increase this threshold. One of these two fixes is being implemented as a Filecoin Improvement Proposal (FIP).