THORChain’s security depends on MPC and incentives. In this post I’m laying out my thoughts on the security of the THORChain network. I challenge the likelihood of an economically rational attack, with the end goal of rediscovering for myself the bonded/pooled safety threshold.
THORChain in a nutshell (doesn’t make sense but go for it)
THORChain is a decentralized liquidity network that pools together native external assets such as BTC, ETH, BNB etc. to allow trustless, secure, permissionless cross-chain swaps. Pooled external assets are simply funds that are sent to addresses on their native chains which are controlled by a supermajority (>2/3) of THORChain bonders, who are also nodes on the external connected chains. Rune is the currency of THORChain; it serves as the unit of account to settle transactions on THORChain and to secure the network. There are 2 different groups in THORChain: bonders and liquidity providers (LPs). All Non-Rune Assets (BTC, ETH, BNB etc.) are pooled together with Rune at a 1:1 value ratio by LPs, so the value of Pooled Rune equals the value of the Non-Rune Assets. Bonders are the block producers of the THORChain network, who produce blocks by 2/3 consensus. In order to secure the Non-Rune Assets, bonders bond in (lock up) Rune as security coverage for collectively managing the Non-Rune Assets. When the ratio Bonded Rune/Pooled Rune = 2, the network is considered to be in a safe and cost-efficient state.
The ratio is determined by the market
It’s important to realize that the Bonded/Pooled ratio is completely determined by free market forces. It’s up to the market participants to decide how much Rune to pool and how much Rune to bond. The protocol follows a simple formula (the incentive pendulum) which splits total income (liquidity fees + emissions) between the 2 groups according to the ratio of Bonded Rune/Pooled Rune. When Bonded Rune = 2 x Pooled Rune, bonders and LPs receive 67% and 33% of total income respectively. When the ratio is bigger than 2 (meaning the system is over-bonded, as it is right now) the incentive mechanism allots a bigger portion to LPs, and when it is below 2, vice versa. The goal is to encourage/discourage becoming a bonder/LP by use of incentives, to ensure the system always remains secure (and capital efficient).
Effectiveness of Incentive Pendulum
Note that all the incentive pendulum does is shift the allocation of income between the 2 groups. It doesn’t punish these groups. It only incentivizes one more than the other in an attempt to change their motivation. From a big-picture view this only encourages Rune to get locked up for productive use. That’s not to say that the productive groups (LPs and bonders) always gain more than speculators. It definitely makes a lot of sense to bond in Rune rather than sit on it, especially if you feel confident about avoiding significant slashes as a bonder. However, I find the hodl-or-pool decision to be rather complicated.
First off, LPs have to sell 50% of their Rune in exchange for the paired Non-Rune Asset. From a bullish-on-Rune perspective this will come across as an opportunity cost. Add to that the ambiguity of future impermanent loss, and all of a sudden you are trying to predict the relative price change of 2 different crypto assets (which, unlike in Uniswap, also run on two different chains) over a variable time frame into the future.
Here is what your thought process roughly looks like… If, while you are in the pool, Rune outcompetes the Non-Rune Asset by 3x, your total cost will be 42% (9% impermanent loss + 33% opportunity cost of holding the Non-Rune Asset). This is how much loss you will suffer by choosing to become an LP instead of simply hodling Rune. You then want (Fee + Emission) * AvgPoolShareWhileInPool / Pooled Amount to be greater than 42%. Emissions for the 1st year are known to be 30%. If we project the annual fees to amount to another 60%, we should aim to stay in the pool for a period of at least 6 months.
The math gets further complicated if you try to think in longer terms, not only because predicting future changes in relative prices becomes harder, but also because you need to consider changing volume/liquidity ratios and emission rates. Here is a valid risk analysis set forth by Delphi on this subject that needs careful mitigation for sustainable growth: “In the long term, … as pool sizes grow and transaction sizes relative to the pool shrink, that means individuals will be paying less and less in fees… The portion of total income that’s supported by issuance will mitigate this risk, but that reward also declines over time.”
The calculation I made earlier is a half-hearted one. The exact numbers shouldn’t matter. What’s important is the potential impact this relatively complex decision-making process has on the effectiveness of the incentive pendulum. My intuition says that the obscurity increases the inertia of the market and delays the network’s recoil from an over-bonded state back to the optimal state.
An interesting factor that counters this effect is the different barrier to entry of these 2 groups. To become a bonder (i) one’s bond must be bigger than the bond of the 36th-largest bonder and (ii) one must have the technical know-how. Surely, bonders have a much higher barrier to entry than LPs. While all bonders can choose to become LPs, probably only a very small subset of LPs could become bonders even if they wanted to. As a result, shifts from Bonded Rune to Pooled Rune will be far more common than the other way around.
What if funds exceed the coverage
Considering that the amount of bonded and pooled Rune is at the mercy of the market, eventually we may see the Non-Rune Assets become worth more than the security coverage (Bonded Rune), at which point the network goes through an unsafe state. This may occur as a result of market participants deliberately choosing not to react to the incentive pendulum for whatever reason, or of an unintentional lag in the desired reaction, etc. In an unsafe state it becomes economically rational for bonders to form a 2/3 collusion to steal all of the funds.
Now there are all sorts of things in place to prevent a 2/3 bonder collusion: bonding is permissionless, all bonders are anonymous, social signaling/delegation is avoided, bonders can’t communicate, and they get cycled every ~3 days. However, even with all these things we can’t naively pretend a collusion is impossible, or, better yet, that a deep-pocketed attacker can’t act as 24 different bonders.
As of now, Mimir is the only centralized aspect of the network (it will be dumped on mainnet). It’s the feature that allows admins to change certain constants in the chain such as churn speed, emission rate etc. For the context of this post, 2 constants captured my attention: (i) MinimumBondInRune, which forces a minimum bond size requirement to become an active bonder, and (ii) MaximumStakeRune, which limits the value of Non-Rune Assets to be secured. It is my understanding that these constants can be changed to recover from an unsafe state. Raising the minimum bond size is a change in regulation that will force Bonded Rune to rise, which, at least until mainnet, can be done by admins if needed. But what if for some reason the network gets under-bonded during mainnet?
It’s not clear to me whether the community would view this case as an emergency situation which needs to be handled immediately by Ragnarok (a process which refunds everyone and shuts down the network). Some community members may temporarily cease to be bonders or LPs, waiting for the network to shift back into a safe state. Others may be willing to take the risk, relying on the permissionless, anonymous, communicationless, high-churn nature of bonding to prevent a potential malicious collusion.
Playing the devil
THORChain has 3 security assumptions
- less than 1/3 of actors taking part are working to take down the network for non-financial reasons
- less than 2/3 of actors taking part are working together to steal assets
- RUNE is worthless if the network is attacked and assets are stolen
For the rest of this article I will pretend to be an attacker who is patiently waiting for the right time for a rug pull (challenging points 2 and 3). In doing so I will try to rediscover the Bonded/Pooled security threshold for myself.
First things first. In order to capture the network, I need to somehow acquire 24 of the 36 active bonder seats. Skipping many technicalities, if I get to do that I can basically activate God mode and do whatever I want. Nothing prevents me from doing that, since I can permissionlessly become a bonder (or several). I just need to make sure I have the necessary funds.
I said earlier that bonders are regularly churned in and out. Approximately every 3 days the network churns out 2 bonders from the active bonder set: one being the oldest, the other being the worst-behaving (most slashed). Churned-out bonders are replaced with the 2 standby bonders who have committed bigger bonds to the network than the rest of the standby bonders. Assuming I pull off the fantastic job of consecutively churning in 24 bonders while managing not to be any of the worst-behaving bonders, I get a window of approx. 18 days where I control 2/3 of the network every 54 days. That gives me a maximum of 33% uptime on my God mode. If I want to increase my uptime I will need some readily available extra standby bonds (working capital), which will in return unavoidably increase my capital requirement (maybe by 30%). However, it’s important to note that this will not necessarily increase the realized cost of my attack, as I will leave the network and sell that Rune on the market before the attack. So if I were controlling 27 active bonds, I would make 3 of my biggest active bonders leave the network prior to the rug pull.
It’s important to notice that if I’m long Rune, the cost of acting as 24+ honest bonders is essentially zero to me. In fact it’s a very lucrative business, since I get to receive 2/3+ of all bonder income (estimated at 30% APY for the first year), which can be viewed as a reduction in the total cost of my attack.
But doesn’t simultaneously being long Rune and planning a rug pull on the network create a logical contradiction? At the end of the day, if I pull the rug all my future income will be gone for good. That one is hard to argue against. The only way to make sense of it is imagining a situation where I have a strong conviction that the system will work perfectly until it won’t, in other words until it reaches an unsafe state where I start to think the network is unlikely to recover anytime soon and will be vulnerable to economically rational attacks for an extended period of time. At this point I’m thinking: what if someone else pulls the rug before I do? Now I can find myself in a weird situation where I view acting dishonestly during an unsafe state and acting honestly during a safe state as making great economic sense.
Time to pull the rug
At first glance, my cost seems to be 2/3 of the Total Active Bonded Rune and my gain seems to be the total Pooled Non-Rune Assets. There are some non-negligible factors that have both negative and positive effects on my net return (return minus cost). Let’s examine them one at a time. A positive factor will increase my return as an attacker.
1. Skewness of active bond set -> Positive
Looking at today’s active bond set I notice that the bonds required for seats are “skewed to the left”, with a long tail of low bonds pulling the mean down more than the median. Note that the minimumBond constant can be used by admins to prevent this, yet it seems like it doesn’t do much for now.
Average of bottom 2/3 = 86% x total average -> a 14% cost reduction over 24/36 of the Active Bonded Rune
2. Rune to be dumped on secondary markets -> Positive
I’m sure many of you have seen the chart above. This is simply a visualization of an order book on a centralized exchange. The point on the x axis where green and red meet indicates the last price Rune was traded at (spot price). The area underneath the green side is the sum of all buy orders that are already committed by market participants. In other words, this shows how much I would gain if I were to fill all those buy orders. So without further ado, the magic number is…
… $3,533,000. This is how much I would gain on CEXs if I dumped all the Rune I have after the rug pull. Considering the current total Pooled Rune of $16,610,672, this results in a 21% increase in return in USD terms.
It’s important to realize what impact macro bull/bear markets have on this ratio. A drop in Non-Rune Asset prices has no effect on Bonded/Pooled Rune in and of itself. Yet during such dumps, the market generally witnesses an inflow to CEXs. This may cause the primary market for Rune to shrink more than its secondary market, further increasing the return of a potential attacker. Considering that currently only 25% of Rune is locked for productive use, the risk of speculative Rune piling up on CEXs is not a negligible one.
*I didn’t count liquidity on VCC (due to its low trust score on CoinGecko) or on SushiSwap, as the bridge is temporary and, to the best of my knowledge, currently controlled by admins.
3. Yggdrasil -> Negative
50% of all assets on THORChain rest in a single Asgard vault while the other 50% is distributed across 36 Yggdrasil vaults. Asgard is collectively generated and owned by 2/3 of bonders (the TSS committee) and requires TSS signing, so no single bonder can steal funds. However, TSS signing takes about 15 seconds, so for swaps Yggdrasil funds are used instead to allow fast settlement. Yggdrasil vaults are like hot vaults wholly generated and owned by individual bonders, so funds in Yggdrasil can technically be stolen by individual bonders at any time, but they will suffer a 1.5x slash. To sum up, Yggdrasil allows fast settlement without a compromise in security. As a matter of fact, this ingenious solution strengthens security: since the private keys to Yggdrasil vaults are solely owned by individual bonders, 67% of the bonders can steal everything except for the funds in the other bonders’ Yggdrasil vaults. That means even when I pull the rug I won’t have access to the funds in the other bonders’ Yggdrasil vaults. 0.5 x 12/36 = 16.6%, a decrease in return over the Total Pooled Non-Rune Assets.
Let’s summarize the listed factors
- Skewness of bond set -> 14% reduction in cost
- Secondary markets -> 21% addition in return
- Yggdrasil -> 16.6% reduction in return
As a consequence, a rug pull starts to make economic sense when Pooled Rune * 1.21 * 0.834 > Bonded Rune * 24/36 * 0.86. In other words, the system can be viewed as secure as long as
Bonded Rune > Pooled Rune * 1.76
A buffer is always good to have, so I’d watch for Bonded Rune > Pooled Rune x 2, as indicated in the official documents.
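The attack economics above, from the naive 2/3-of-bonds cost through the three adjustment factors to the 1.76 threshold and the 2x buffer, as a small Python model. This is an added example, not code from the post or from THORChain; the AttackFactors fields and function names are my own, and the factors are parameters so they can be switched off to recover the naive 1.5 threshold or re-run with fresher numbers.

```python
"""Attacker-economics model for a 2/3 bonder collusion on THORChain.
Constructed illustration: names and defaults are my own; the three
adjustment factors are the ones derived in the post."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackFactors:
    seats_needed: int = 24          # 2/3 supermajority of the active set
    active_seats: int = 36
    bottom_avg_ratio: float = 0.86  # avg of cheapest 2/3 bonds / overall avg
    cex_bid_ratio: float = 0.21     # CEX buy-side depth / Pooled Rune value
    ygg_share: float = 0.5          # share of assets held in Yggdrasil vaults
    honest_seats: int = 12          # seats the attacker never controls


def cost_multiplier(f: AttackFactors) -> float:
    """Fraction of Total Active Bonded Rune the attacker must put up."""
    return f.seats_needed / f.active_seats * f.bottom_avg_ratio


def return_multiplier(f: AttackFactors) -> float:
    """Gain per unit of Pooled Rune: CEX bids add, honest Yggdrasil subtracts."""
    unreachable = f.ygg_share * f.honest_seats / f.active_seats
    return (1.0 + f.cex_bid_ratio) * (1.0 - unreachable)


def breakeven_bond_ratio(f: AttackFactors) -> float:
    """Bonded/Pooled ratio at which the rug pull stops being profitable."""
    return return_multiplier(f) / cost_multiplier(f)


def attack_net_return(bonded: float, pooled: float, f: AttackFactors) -> float:
    """Return minus cost of the attack, in the same unit as the inputs."""
    return pooled * return_multiplier(f) - bonded * cost_multiplier(f)


def security_status(bonded: float, pooled: float, f: AttackFactors,
                    buffer_ratio: float = 2.0) -> str:
    """'unsafe' below the derived threshold, 'buffered' at or above the 2x buffer."""
    ratio = bonded / pooled
    if ratio < breakeven_bond_ratio(f):
        return "unsafe"
    return "buffered" if ratio >= buffer_ratio else "safe"


if __name__ == "__main__":
    f = AttackFactors()
    print(f"breakeven Bonded/Pooled ratio: {breakeven_bond_ratio(f):.2f}")
    for ratio in (1.5, 1.9, 2.1):
        print(ratio, security_status(ratio * 1e6, 1e6, f))
```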
Fun fact: Rune pumped 30% since I started this article :)