Changes Needed for Mission 70 - Avoid Impending Sybil Risk

Note, this is something that came up after expanding upon an idea that was spawned from another thread. So that there is opportunity for constructive criticism and open discussion focused solely on one concept I have created this post.

These changes attempted to address two of the core issues identified in Mission 70:

  • Inflation from legacy node rewards
  • Underutilized capacity

It does reveal one major challenge though, which is why I thought the community may be able to help suggest sequencing or safeguards that could overcome these. Or suggest a better alternative.

The Idea - Offboard all Gen-1 nodes

Basically a stronger stance than is already included in Mission 70. As there is no clear upgrade path from Gen-1 to Gen-2 it seems inevitable anyway. This is not a huge change from what is suggested. It is just more finite. Give say 6 months to remove all Gen-1.

Pros

  • Immediately eliminate the least efficient and most inflationary reward stream.
  • Simplify reward system (no Gen-1 vs Gen-2 complexity)
  • Accelerate the node-reward reduction
  • Remove the most underused nodes

Cons

  • Node ownership becomes more concentrated until demand requires additional providers
  • Potentially fewer geographies (I have not drilled down into current Gen-2 v Gen-1 distribution)

Mitigation Options

  • Phased offboarding region by region
  • Force known groups to sell their nodes to a Gen-1 provider
  • Give temporary incentives for Gen-2 providers to move to underrepresented regions

So what could this look like?

There are currently 1,030 Gen-1 machines and 391 Gen-2.

Would that leave enough computation power?
Mission 70 already includes provisions to make better use of the SEV SNP-enabled Gen-2 machines. Dom states there are already 442 SEV-capable nodes (not sure if he is counting some Dfinity-owned Gen-2 that aren't switched on yet to get to this figure). By reducing subnet size, my understanding from the whitepaper is we would end up with more power than we currently have.

What locations would be removed?
There would no longer be nodes in Isle of Man, France, Sweden, Belgium, Slovenia, Japan, Germany or Romania.

What about Decentralisation?
This is where the suggestion breaks down. Even with what is suggested in Mission 70 the sybil pattern is real:

  • Gen1 currently masks the problem
  • If/when Gen1 sunsets, 94% of subnets become vulnerable

To explain even more simply, the issue is that currently 42% of the Gen-2 nodes are controlled by 4 groups (or specifically it can reliably be assumed that at least one member of each of the 4 groups has access to all the nodes within that group).

In order to avoid the obvious security issues that would leave the IC exposed to, something would need to change. One option would be to have departing Gen-1 providers take over ownership, costs etc. for some of the Gen-2 nodes owned by these groups. Perhaps the Foundation have a bunch of Gen-2 ready to switch on to replace their 69 Gen-1 machines that would be sunsetted? @Leadership now is not the time to be coy. Is there a contingency plan?

This is a governance/decentralization issue that NNS should address before mission 70 is adopted in any form.

With scale there will be more node providers so the threat will be reduced as long as there can be assurances that any future node providers are truly newcomers.

There are other potential solutions such as the cICP owned nodes which are part of Neutrinite Dao’s goal? @infu

Anyway there you have it, this is a problem that is coming for us whether we like it or not. Gen-1 will naturally be removed over time. How can we guarantee network integrity without stifling growth?

15 Likes
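The concentration concern raised in the opening post can be checked mechanically. The sketch below is an added example, not part of the original post and not IC tooling: it assumes the standard Byzantine fault tolerance bound (a subnet of n nodes tolerates f faulty nodes where n >= 3f + 1), and every node, provider and group name in it is constructed sample data.

```python
from collections import Counter

# Constructed sample data, not real IC topology: node id -> (provider, generation).
NODES = {f"g1-{i}": (f"prov-old-{i}", "gen1") for i in range(7)}
NODES.update({
    "g2-0": ("prov-a", "gen2"), "g2-1": ("prov-b", "gen2"),
    "g2-2": ("prov-c", "gen2"), "g2-3": ("prov-d", "gen2"),
    "g2-4": ("prov-e", "gen2"), "g2-5": ("prov-f", "gen2"),
})
# Hypothetical affiliation map: providers assumed to be controlled by one group.
GROUPS = {"prov-a": "group-1", "prov-b": "group-1", "prov-c": "group-1"}
SUBNET = list(NODES)  # one 13-node subnet mixing Gen-1 and Gen-2 nodes


def fault_tolerance(n):
    """Largest number of faulty nodes f a subnet of n nodes tolerates (n >= 3f + 1)."""
    return (n - 1) // 3


def largest_cluster(subnet, by_group):
    """Return (controller, node_count) for the biggest single controller in a subnet.

    by_group=False counts nominal providers; by_group=True merges providers
    that the affiliation map assigns to the same group.
    """
    counts = Counter()
    for node in subnet:
        provider, _generation = NODES[node]
        counts[GROUPS.get(provider, provider) if by_group else provider] += 1
    return counts.most_common(1)[0]


def at_risk(subnet, by_group=True):
    """True when one controller holds more nodes than the subnet can tolerate as faulty."""
    if not subnet:
        return False
    _controller, size = largest_cluster(subnet, by_group)
    return size > fault_tolerance(len(subnet))


def without_gen1(subnet):
    """The same subnet after every Gen-1 node has been sunset and not replaced."""
    return [node for node in subnet if NODES[node][1] != "gen1"]
```

With the sample data, the 13-node subnet passes both the per-provider and the per-group check, while the 6-node subnet left after removing Gen-1 still passes per provider but fails per group, which is the masking effect the post describes.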

Actually thinking further here. Maybe the Sybil risk can be managed by incorporating the cloud computing element.

I think there are two parts to this

1. Manage Old Nodes

  • Announce a fixed sunset date for all Gen-1 nodes (e.g. 6–12 months)
  • No indefinite reward tapering
  • No Gen-1.1 extension beyond that date

Rationale

  • Gen-1 hardware is fully amortized, less secure and often idle
  • Providers have already captured outsized returns
  • Ongoing rewards are pure inflation with diminishing network value

This gives a clear runway with no surprise exits. It really is only a slight tweak to the current Mission 70. Existing Gen-1 could always pivot to cloud engine services.

The next is what to do with Gen-2. We have people who want to provide a decentralized stable governance layer and people who are in it just for the profits. Why not put the profit seekers to work?

| Layer | Purpose | Economics |
|---|---|---|
| Protocol rewards | Security & decentralization | Low, fixed |
| Cloud engines | Compute & services | Market-driven |

2. Define Gen-2 Protocol Rewards

Protocol rewards should pay only for baseline security and decentralization, not profitability.

  • Covers:
    • Operating costs
    • Modest margin
  • Not designed to be the primary profit center
  • Significantly lower than today’s Gen-2 rewards

Proposal

Each Gen-2 node must be backed by locked ICP neurons.

Example structure:

  • X ICP locked per node
  • Minimum dissolve delay (e.g. 1–2 years)
  • Slashing or penalty mechanisms for misbehavior or prolonged downtime

Why this matters

  • Aligns node providers with long-term ICP health and governance outcomes
  • Prevents purely extractive operators
  • Raises professionalism without requiring permissioned access

This could be an excellent use case for Neutrinite or other DAOs to possibly enter the business. As long as the UBO issues can be dealt with, this would ensure complete protection from sybil attacks.

3. Cloud Engines Become the Profit Layer

For those node providers who no longer find the second option appealing (or Gen-1 node providers) they can put their hardware to work. The proposal in Mission 70 is as follows:

Cloud Engine Revenue Split

  • ~80% → node providers
  • ~20% → automatic ICP buy & burn (as Mission 70 proposes)

It is not specified but I would assume it is on the node provider to create the website and promotional materials, set the costs and really try to drive people to host on the IC.

Key shift

  • Node providers make real money only if they create real usage
  • Profit comes from selling cloud capacity, vertical solutions, enterprise contracts and AI / self-writing workloads

In other words in order to make the big bucks, they need to increase the burn.

So what do we do about the known groups?

Gen-2 providers that are in known groups split so their potential impact is reduced.

In a very simplified form, use half the nodes for subnets and offer the provider options for the remaining half:

  1. Sell their nodes to a sunsetting Gen-1 provider or new node provider so they can be relocated and used for subnets. This may not work for all as it depends if the data center contracts can be broken amongst other things.

  2. Commit those nodes to provide cloud hosting.

If the node provider opts to offer cloud hosting, there is no reason why multiple node providers couldn’t join together to form a business. They can set the fee structure for their services. The responsibility is then on the node provider to maximise their profits.

Why it works

The incentives are aligned. There is so much untapped potential and this provides a simple way for people who have existing hardware to monetise that. Basically if you like money, increase the burn!

7 Likes

We can work through the technical issues here. There are a few ways this could be approached. One option is for Neutrinite DAO to act as an intermediary between node providers (NPs) and NNS rewards through an on-chain protocol. In this setup, the DAO would select its NPs after they’ve been approved by the NNS, and apply different terms and reward schedules.

The idea of cloud engines is especially interesting. Right now, NPs don’t seem to have much incentive to do more than just run nodes—things like building custom software for their infrastructure or actively promoting their services. This may already be happening in some cases, but it’s not clearly defined or encouraged by the protocol itself.

Cloud engines would change that. Developers, NPs, DAOs, and users would all need to work together. More people would have a real stake in making something succeed, and rewards could be built directly into the protocol. In the end, everyone either benefits from getting real work done, or no one does.

That said, making cloud engines successful will likely be much harder than running gen-2 NNS nodes. We probably need more R&D and networking to reach services and features that people outside of crypto actually care about. Because of that, it may be better not to invest heavily in hardware, especially if the expectation is that large, already well-funded organizations will immediately find a use for it.

2 Likes

I don't really see a problem with the whitepaper proposal. Gen-1 rewards down by 40%. This level would still allow most node providers to cover their costs and, in most cases, earn a positive margin.

Extra option: As an alternative to a plain reduction of Gen-1 rewards, one could consider lowering rewards for unassigned nodes. Nodes can rotate from time to time, but yes, eventually all Gen-1 need to be replaced.

For some time now I have been thinking that Dfinity should stake like 50mil ICP just to get rewards for node providers, not just mint them out of thin air. Fixed USD amount until a floor is reached, then get less in USD value.

To attract institutions, staking rewards still need to be taken down.

If the NNS allows the ‘node providing’ for a subnet to be delegated to a protocol/DAO, it becomes much more flexible than that, the 80% can be split in different ways. Some cloud engines may only rely on sales teams, others may want to put some services inside the subnet to attract new devs to them. For these it may be best to have a DAO.

The issue is the Gen-1 nodes are not SEV-capable so they cannot be used in the smaller subnets. Also they are older specs. They could be fine to use as cloud storage machines, which is why there is the option to move to Cloud Providing.

Mission 70 in that respect only needs to add a deadline for when all Gen-1 need to be repurposed or turned off as they are no longer up to the requirements for cutting edge technology.

It still doesn’t address the sybil issue, which you can’t ignore.

1 Like

You're blowing it too big. Yes, there are groups; if someone wants to do some harm, they could just communicate with each other no matter if they know each other or not. Most important subnets have 34 and 40 nodes and are well diversified. They do have contracts and if some wrongdoing happens, they can be sued.

Yes, we need to keep an eye on that; already here providers can't add more nodes or even be a provider (new company or rent nodes). Gen 1 go and, if needed, new providers with Gen 2 come in.

This is why Sybil risk, in my opinion, currently is not a problem, and Dfinity seems to agree.

Good work here, didn’t mean to be harsh in earlier comments.

We all want to see the network succeed

Keep it up

Donna, I really wouldn’t worry about a Sybil Risk. All the node providers are well vetted.

It would be very dumb of them to screw with the nodes and go to prison. We all know who they are.

1 Like

It is not just whether they would screw with anything. It is more that it reduces the security of the whole IC. Why would anyone want to host their data when it is possible that it could be accessed by other people?

Certainly no enterprise contracts would take that risk. If part of the strategy of Mission 70 is to increase burn by becoming a true force for cloud hosting, this needs to be rectified.

1 Like