Subnet Management - General Discussion

it’s started making me wonder how easy it could be for a node provider to own multipe nodes under different identities/entities, with the intention of eventually having full control over a subnet (controlling > 2/3 of the nodes), i.e. a sybil attack.

Yes, this is a concern. The Node Provider Technical Working Group is working on various ideas on ways to audit or check node providers, to make it harder for someone to accomplish this.

Technically, this risk is why every subnet cannot have more than one node with a single node provider. Each subnet being spread across nodes around the entire world also works against this risk, as it would be signficantly harder for a node provider to set up legal entities in many countries and form DC contracts in many countries. We encourage the community’s engagement with this topic!

The biggest requirements to become a node provider are both the funds to buy the servers (which can easily run $10k per server) and have the technical ability to manage nodes. Many people have one but not the other. The biggest issue with requiring a large staking amount is that it would raise the cost to become a node provider even higher than it already is, since any funds that are staked could not be used to purchase servers. (But one could argue that spending $100k on servers that are highly specialized for the use of the Internet Computer—and signing data center contracts which typically run for a few years—provides a similar type of “sign of dedication to the IC” as staking. The only realistic way to gain that money back through rewards is if the IC continues to grow. I do not think we currently have any way to slash someone else’s staked ICP, though someone else can correct me if I’m wrong.)

2 Likes

Thanks @katiep

I think this would still be achievable if the motivation, means, and incentive is there. Maybe not too concerning at this point, but in the future, when there are many more subnets and NPs, I think there really needs to be a protocol-level mechanism that can do a better job of disincentivising bad actors.

Maybe stake slashing isn’t necessary, but a significant ICP neuron that’s max staked, owned by each NP (or perhapse special NPs, for which there need to be a certain proportion per subnet) seems like an absolute must.

I actually think every NP should have a known neuron. This is a neuron that they could use to demonstrate alignment with a proposal that affects them (to get around the potential for impersonation on forums that aren’t on-chain).

1 Like

I agree with your first point.

The problem with the second is this… to a NP who is already putting up $500k in cash to buy servers, what amount of ICP to stake would be significant compared to that? If they’re willing to “waste” $500k, then it stands to reason that the staking should be even more… but would it be good for the ecosystem if a NP had to stake another $500k in ICP? That’s $1 million! How many legitiment, honest NPs have that?

1 Like

I don’t really understand the need for these two concepts. It doesn’t seem like we need node providers to provide a stake that gets slashed or a large neuron. I also don’t see how this would solve any problems. If we are just worried about the same node provider creating multiple identities, then why not strengthen the KYC requirements, sign legal compliance agreements, and/or conduct detailed compliance audits? Non-compliance violations could have the consequence of the individual node provider remuneration getting slashed (partially or fully). Is this not what is already planned or in progress?

I personally think this is comparing apples and oranges. The servers are expensive not because they can be used as IC nodes, but because they’re sophisticated hardware capable or generally useful compute. If the IC network crashes, is attacked, or otherwise damaged, those servers would continue to remain expensive pieces of hardware. The same can’t be said for staked ICP (that’s the point of proof-of-stake).

I’m thinking that if the IC is to be a world computer, there shoudn’t need to be a dependency on off-chain systems and structures. If all of those things you mentioned are handled on-chain, then they then become exposed to the attack that they’d be intended to prevent.

A world computer needs a protocol-level solution to these sorts of challenges, for the sake of dependencies and scalability. Proof-of-stake is a highly effective protocol-level incentive alignment mechanism.

Those are valid points. I support the principals myself, if only we could find a way to make the barrier to entry for NPs easier for very real, very honest, technically capable people who want to be NPs. There are a lot more honest people who want to support the IC who do NOT have a million dollars then there are poeple who do. I don’t think hosting IC nodes should belong only to the wealthy, because let’s be serious… does wealth guarantee that a person is honest? No, it doesn’t.

1 Like

Proof-of-stake, and decentralised systems in general, aren’t about guaranteeing the behaviour of individual entities.

I agree that the barriers to entry shouldn’t be too high for NPs (or it would hurt scalability). But scalability shouldn’t be prioritised over robustness. I think you could have both by having two tiers of NPs. As longs as more than 1/3 of the nodes in a subnet are backed by a large proof-of-stake, then you have a significantly more robust subnet than one where the nodes are not backed by a large proof-of-stake.

New subnet management proposals have been submitted. Links to reviews should appear under this post shortly :slightly_smiling_face: