exempt-delegation.tex

\pdfbookmark[section]{Exempt Delegations}{Exempt Delegations}
\section{Exempt Delegations}

\ifccs
  \ifproceedings
  \else
    \import{./}{exempt-delegation-attack-diagram.tex}
  \fi
\fi

\ifccs
  \begin{figure*}[b]
    \centering
    \includegraphics[width=0.65\textwidth]{./figures/sequence-diagram.pdf}
    \caption{Sequence diagram of the attack with exempt delegations.}
    \label{fig:exempt-sequence}
  \end{figure*}
\fi

Exempt delegations (proposed in LSM~\cite{liquidity-staking-module})
are a mechanism to alleviate the Principal--Agent problem in liquid staking.
In this mechanism, an exempt delegation amount $c$ \asset is associated
with each validator. It is a measure of the validator's trustworthiness.
The liquid staking protocol is now redesigned to impose restrictions
on how much of the protocol's pooled moneys can be delegated to a particular
validator based on the validator's exempt delegation.
The restriction is
parameterized by a factor $\phi$ (in practice, $\phi > 1$)
and is given by the inequality $b \leq \phi c$: Only up to $\phi c$ \assets
are allowed to be delegated in aggregate by the liquid staking protocol
to a validator with a reserve of $c$ \asset in exempt delegations.

A new validator begins its lifecycle with $c = 0$. They can then
raise their own exempt delegation amount by locking aside a
chosen amount of \asset, and marking it as \emph{exempt}. Those
assets are delegated to the validator as usual. However,
the \emph{exempt}
marking means that those delegated assets cannot be part of the liquid
staking protocol pool, but must remain locked aside. Additionally,
these specially marked delegations are slashed\footnote{We abstract some
of the irrelevant implementation details here. See
\ifproceedings
  the full version of this paper~\cite{liquid-staking-eprint}
\else
  Appendix~\ref{sec:lsm}
\fi
for how the real protocol works in the context of Cosmos.}
at a potentially higher rate $q \geq p$. Exempt delegated assets cannot
be undelegated in a way that causes a violation of $b \leq \phi c$.

Principals, whether wise or unwise, are not expected to participate in exempt
delegations; instead, it is the validator who exempt delegates to
themselves (or someone who trusts the validator for extrinsic reasons).
This means that, in case of validator misbehavior, the exempt delegation
slashing $qc$ is a penalty that only affects the validator.

\iflncs
  \ifproceedings
  \else
    \import{./}{exempt-delegation-attack-diagram.tex}
  \fi
\fi

\ifproceedings
  \iflncs
    \begin{figure*}[htb]
      \centering
      \includegraphics[width=1\textwidth]{./figures/sequence-diagram.pdf}
      \caption{Sequence diagram of the attack with exempt delegations.}
      \label{fig:exempt-sequence}
    \end{figure*}
  \fi
\else
\fi

This raises
the cost of the attack described in the previous section. The
adversary must first, at time $t_1$ (where $t_0 < t_1 < t_2$), exempt delegate a sufficient amount
$c \geq \frac{b}{\phi}$ \asset to $\mathcal{V}$ before she can liquid stake $b$ \asset.
Whereas the \stassets
corresponding to those $b$ \assets can be, as before, sold at $t_3$ to
separate the agent from the principal, the $c$ amount remains with the
agent, holding her financially liable to misbehavior. After equivocation at $t_4$,
in addition to any other costs, the adversary loses $qc$ \asset. At the conclusion
of the attack, the adversary undelegates the unslashed $(1 - q)c$ \asset exempt delegation.
\ifproceedings
  The sequence diagram of the refined attack is illustrated in Figure~\ref{fig:exempt-sequence}.
\else
  The timeline of the refined attack is illustrated in Figure~\ref{fig:exempt-timeline}
  and the respective sequence diagram in Figure~\ref{fig:exempt-sequence}.
\fi

The attack may remain profitable despite exempt delegations.
To maximize her shorting leverage, the adversary wants to use all
of her initial capital $u$ \asset to obtain the $z$ \stasset loan.
Upon swapping $z$ for $b^*$ \asset, the adversary can then use part of it as $c$.
The rational adversary should not waste any unnecessary resources on
$c$; therefore, after choosing $b$ she can set $c = \frac{b}{\phi}$.
Since the maximum amount the adversary exempt delegates
cannot be more than her initial capital $u$ \asset,
it must always hold that $b \leq u\phi$.

The profit of the attack now becomes $\alpha = b^* - b' - qc$.
Solving for $\frac{d\alpha}{db} = 0$ yields the optimal $b = \sqrt{u p b_0 \frac{\phi}{q}} - b_0$,
which maximizes
the adversary's profit, subject to the constraint
$0 \leq b \leq u\phi$.

The intuition for why exempt delegations protect the system is that,
for the adversary to profit from the short, she must cause a significant
shift in the price. The shift in the price is determined by the factor
$p\frac{b}{b_0 + b}$, so the adversary aims for a large $b$. But because $b \leq \phi c$
must be respected, this incurs a large penalty $qc = \frac{q}{\phi}b$.


\ifproceedings
\else
  \iflncs
    \begin{figure*}[htb]
      \centering
      \includegraphics[width=1\textwidth]{./figures/sequence-diagram.pdf}
      \caption{Sequence diagram of the attack with exempt delegations.}
      \label{fig:exempt-sequence}
    \end{figure*}
  \fi
\fi


%Taking into consideration the flash loan cost as well, the final profit of the attack is now
%$\alpha = b^* - b' - qc - \betaasset b$.
%Solving for $\frac{d\alpha}{db} = 0$ gives the optimal $b = \sqrt{\frac{u f p b_0}{(\betaasset + \frac{q}{\phi})\gammastasset}} - b_0$,
%which maximizes
%the adversary's profit, subject to the constraints
%$0 \leq b \leq \frac{u}{(\frac{1}{\phi} + \betaasset) \gammastasset}$.
%In non-extreme market conditions, if the attack is profitable, the bound
%$b \leq \frac{u}{(\frac{1}{\phi} + \betaasset)\gammastasset}$ will not be reached,
%and the adversary will use the value
%$b = \sqrt{\frac{u f p b_0}{(\betaasset + \frac{q}{\phi})\gammastasset}} - b_0$.

To make the attack irrational, we select
the parameter $\frac{\phi}{q}$ such that $\alpha \leq 0$.
Plugging in the adversarially optimal value for $b$ in the inequality $\alpha \leq 0$ and solving
for $\frac{\phi}{q}$ yields

\begin{gather*}
  \frac{\phi}{q} \leq \frac{b_0}{p u}\,. \label{eq:phi-choice} \tag{$\ast$}
\end{gather*}

% (-b0*β*γ - 2*sqrt(f)*sqrt(p)*u*sqrt(f - 1) + f*p*u + f*u - u)/(b0*γ)
% (1/(b0*γ)) * (f*p*u + f*u - b0*β*γ - 2*u*sqrt(fp*(f-1)) - u)
%\begin{gather*}
%  \frac{\phi}{q} \leq \frac{b_0 \gammastasset}{f p u + f u - b_0 \betaasset \gammastasset - 2 u \sqrt{fp (f-1)} - u}\,. \label{eq:phi-choice} \tag{$\ast$}
%

Plugging the values we believe the protocol to operate under into
$p$, $b_0$ and $u$, we calculate a secure
$\frac{\phi}{q}$ for an assumed maximum adversarial market domination $\frac{u}{b_0}$.
In Figure~\ref{fig:contour-plotu}, we show the adversarial profit for
different values of $\frac{\phi}{q}$ and $\frac{u}{b_0}$.
For the figure, we used a slashing rate $p = 0.5$.


\begin{figure}[htb]
  \centering
  \iflncs
    \includegraphics[width=0.7\textwidth]{./figures/plotu.pdf}
  \fi
  \ifccs
    \includegraphics[width=0.4\textwidth]{./figures/plotu.pdf}
  \fi
  \caption{Adversarial profitability based on market domination
            $\frac{u}{b_0}$ and parameter $\frac{\phi}{q}$.
            The white area indicates secure parametrizations.}
  \label{fig:contour-plotu}
\end{figure}


A higher exempt delegation slashing rate $q$ makes the attack more expensive. This
is because a larger portion of the exempt delegation $c$, holding the adversary accountable,
is slashed. A lower exempt delegation factor $\phi$ also makes the attack more expensive
since a larger exempt delegation is required to liquid stake the same $b$ \asset.
Hence, a lower $\frac{\phi}{q}$ makes the protocol less vulnerable to the attack.
We recommend always setting $q = 1$ if possible, as this allows for
larger values of $\phi$, increasing liquidity, without any harm to anyone
besides the adversary.


\noindent
\textbf{Repeating the attack.} If the adversary finds herself in a situation
where the attack is profitable, the attack can be repeated in quick succession
to siphon off almost all of the money in the liquid staking protocol.
This corresponds to moving across the $x$ axis in Figure~\ref{fig:contour-plotu}.
As the attack repeats, $b_0$ decreases and $u$ increases as money moves from
the reserves of the staking protocol to the hands of the adversary.
We conclude that the protocol must be configured with enough margin
such that the conditions for the attack never emerge.




% This equation can be used in practice to calculate the appropriate value
% of $\frac{\phi}{q}$ that can withstand an adversary with a market presence of $\frac{u}{b_0}$
% (due to the very short duration of the attack, the cost of money borrowing does not alter
% the final result by much). Note that, even though the attack might be profitable for a
% large $p$, a lower value of $p$ may make the attack unprofitable.
% Additionally, protocols with more liquidity $b_0$ are less prone to attack,
% because a larger capital $u$ is required to achieve the required market domination
% $\frac{u}{b_0}$.
% For example, if the liquid staking protocol has $b_0 = 1000$ \asset in deposits,
% and the adversary can use a capital of $u = 100$ \asset to attack the protocol
% ($\frac{u}{b_0} = 10\%$ market domination),
% if $p = q = 100\%$ is the slashing rate, then $\phi \leq \frac{b_0}{u} = 10$
% is a safe protocol parametrization. Attack profitability for different adversarial
% market dominations $\frac{u}{b_0}$, assuming free money borrowing and $p = 50\%$,
% are illustrated in Figure~\ref{fig:contour-plotu}.
% The white area under the black line ($\alpha = 0$) consists of safe values
% of the parameter $\frac{\phi}{q}$.

\noindent
\textbf{Proportional representation VS fair punishment.}
Proportional representation and fair punishment, as indicated in
Section~\ref{sec:attack}, are conflicting properties in liquid
staking. Without exempt delegations ($\phi = \infty$),
the protocol has full proportional representation, as the principal can
signal delegation to any agent of their choice without restriction. There,
an adversary can always cause unfair punishment of principals.
However, with the introduction of exempt delegations, if we make
$\frac{\phi}{q}$ smaller, the pool of available agents to choose from is reduced to
only the wealthy amongst them, so proportional representation
becomes limited. For a sufficiently small $\frac{\phi}{q}$,
the protocol has fair punishment in the rational model.

\ifproceedings
\else
  This concludes the main contribution of our paper. The next
  sections make some of the financial arguments slightly more precise.
\fi


%\begin{align*}
%  &a = b^* - b' - qc - \betaasset b\\
%  &a = \frac{b_0}{s_0}z(1 - (1 - p\frac{b}{b_0 + b})((1 + \rstasset)^{\Delta_z} + \betastasset)) - \betaasset b - \frac{q}{\phi}b\\
%  &a = \frac{u}{\gammastasset}(1 - (1 - p\frac{b}{b_0 + b})((1 + \rstasset)^{\Delta_z} + \betastasset)) - \betaasset b - \frac{q}{\phi}b\\
%\end{align*}
%
%Let $f = (1 + \rstasset)^{\Delta_z} + \betastasset$:
%
%\begin{align*}
%  &a = \frac{u}{\gammastasset}(1 - (1 - p\frac{b}{b_0 + b})f) - \betaasset b - \frac{q}{\phi}b\\
%\end{align*}

%\begin{gather*}
%  \frac{da}{db} = 0\\
%  \frac{u f p}{\gammastasset} \frac{b_0}{(b_0 + b)^2} - \betaasset - \frac{q}{\phi} = 0\\
%  \frac{u f p b_0}{\gammastasset (b_0 + b)^2} = \betaasset + \frac{q}{\phi}\\
%  \frac{u f p b_0}{\gammastasset (\betaasset + \frac{q}{\phi})} = (b_0 + b)^2\\
%  (b_0 + b)^2 - \frac{u f p b_0}{\gammastasset (\betaasset + \frac{q}{\phi})} = 0\\
%  b^2 + 2b_0b + b_0^2 - \frac{u f p b_0}{\gammastasset (\betaasset + \frac{q}{\phi})} = 0\\
%\end{gather*}