The P + ε Attack

Much appreciation to Andrew Miller for devising this attack, and to Zack Hess, Vlad Zamfir, and Paul Sztorc for discussing and replying.

Andrew Miller proposed an attack on SchellingCoin this month. It was already known that SchellingCoin and similar systems could be exploited. Truthcoin consensus relies on trusting the unknown. A new and unproven cryptoeconomic security assumption states that one can trust those who act honestly in a game that involves simultaneous consensus because they anticipate that everyone else will. The known issues are minor, such as the attacker’s capability to gradually increase their influence on the output by continuous effort. Miller’s attack, however, points to a much more fundamental problem.

The scenario is as follows. Suppose there is a game in which users vote on whether something is true (1) or false (0). In our example, it is false. Each user can choose to vote 1 or 0. A user who votes the same as the majority receives a reward of P; a user who votes differently gets 0. Therefore, the payoff matrix is:


                 You vote 0    You vote 1
Others vote 0    P             0
Others vote 1    0             P


The theory is that everyone will vote truthfully if they assume others will do the same. This is why some may not vote truthfully. It can be a self-reinforcing Nash equilibrium.

Now for the attack. Suppose an attacker credibly agrees (e.g. via an Ethereum contract, putting their reputation at stake, or leveraging the reputation of a dependable escrow provider) to pay X to voters who voted 1 when the game ends, where X = P + ε if the majority votes 0, and X = 0 if the majority votes 1. Now the payoff matrix is:


                 You vote 0    You vote 1
Others vote 0    P             P + ε
Others vote 1    0             P


Therefore, voting 1 is the dominant strategy, regardless of the majority opinion. Assuming that there are not many altruists in the system, the majority will vote 1, so the attacker will not have to pay. This mechanism was captured by the attack. Note that this is the opposite of Nicolas Houy’s argument about zero-cost 51% attacks on proof of stake (extended to ASIC-based proof of work). There is no such thing as an epistemic takeover. It is essential to trust that the attacker will succeed. However, everyone still has an incentive to vote in favor of the attacker, even though they risk being unsuccessful.
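
The two payoff matrices above can be checked mechanically. The following is an added example, not code from the original article: it rebuilds both matrices, tests for a dominant vote, and compares what the attacker actually pays with the sum they must be able to cover for the promise to be credible. P = 100, ε = 1, the function names and the rule that a tie counts as majority 0 are assumptions made for illustration.

```python
# Added example: the binary Schelling vote and the P + epsilon bribe from the text.
# P = 100 and eps = 1 are constructed sample values.

def payoff(my_vote, majority, P, eps=None):
    """One voter's payoff. eps=None is the base game; otherwise the attacker
    pays X to voters of 1: X = P + eps if the majority voted 0, X = 0 if 1."""
    reward = P if my_vote == majority else 0
    if eps is not None and my_vote == 1 and majority == 0:
        reward += P + eps
    return reward

def payoff_matrix(P, eps=None):
    """Map (others' majority vote, your vote) to your payoff."""
    return {(others, mine): payoff(mine, others, P, eps)
            for others in (0, 1) for mine in (0, 1)}

def dominant_vote(P, eps=None):
    """Vote that is never worse and sometimes better than the other, else None."""
    m = payoff_matrix(P, eps)
    for v in (0, 1):
        gains = [m[(others, v)] - m[(others, 1 - v)] for others in (0, 1)]
        if min(gains) >= 0 and max(gains) > 0:
            return v
    return None

def attacker_outlay(votes, P, eps):
    """Bribe actually paid once the round ends (a tie counts as majority 0,
    an assumption of this sketch)."""
    ones = sum(votes)
    majority = 1 if 2 * ones > len(votes) else 0
    return (P + eps) * ones if majority == 0 else 0

def worst_case_outlay(n_voters, P, eps):
    """Largest sum the attacker must be able to cover to be credible:
    the most 1-votes that still leave the majority at 0."""
    return (P + eps) * (n_voters // 2)

if __name__ == "__main__":
    P, eps = 100, 1
    print("base game:", payoff_matrix(P), "dominant:", dominant_vote(P))
    print("with bribe:", payoff_matrix(P, eps), "dominant:", dominant_vote(P, eps))
    print("paid if all 5 vote 1:", attacker_outlay([1] * 5, P, eps))
    print("paid if only 2 of 5 vote 1:", attacker_outlay([1, 1, 0, 0, 0], P, eps))
    print("budget to lock for 5 voters:", worst_case_outlay(5, P, eps))
```

The base game has no dominant vote (two equilibria), while the bribed game makes 1 dominant and the realised outlay at that outcome is zero.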

Schelling Mechanism Rescue

There are several options to save the Schelling mechanism. Instead of using round N as the basis, Schelling Consensus can be based on criteria, who gets rewarded “majority is

Achievement of a 51% majority is a difficult task, as it requires one side to have a majority of the votes. This is usually done by coordinating with other participants, but this can be difficult when the group is large. Another approach is counter-coordination; this involves coordinating with other participants to vote for the truth, with a probability of 0.6 for one side and 0.4 for the other. This works especially well when there is a fixed reward for each voter who reaches the majority. Instead of paying out a fixed amount to everyone, the system can be adjusted to provide individual payouts to achieve the goal. This can be seen as a matter of collective reasoning. Even if a sufficient bribe is offered, a defector can still defect. The main issue here is that when you have a probabilistic mix of strategies A and B, their performance changes linearly according to the probability parameter, so if you vote with a probability of 0.49 to 0.51, it is more practical than voting with probability 1 for A.

It is known that these complex schemes exist and are close to being solved, but it is also possible that there will not be a more complicated counter-coordination plan in the future. There are many crypto-economic tools available, and they are important in virtually all financial transactions. Any attempt to link the crypto-world with the real world could be under attack, but this is not a common practice. SchellingCoin may seem strange at first, but it has many similarities in terms of strengths and weaknesses.

One example is proof of work, which is a multi-equilibrium game version of Schelling’s scheme. If there are two forks A and B, you can mine the winning one to get 25 BTC. However, if the fork is lost, you will not receive anything. Now imagine an attacker launching a double-spend attack against multiple parties at once – this prevents one party from having a strong incentive against the attacker. Alternatively, double-spending could be used to try and crash the price by attacking with 10x leverage. If B loses, the attacker will gain 25.01 BTC.

The problem with this approach is that deposits are not accepted for proof of work, so the required bribe level is equal to the mining rewards multiplied by the length of the fork, not the capital costs of 51%. To increase security, it is possible to add security deposits or to double the voting penalties on mining. However, proof of work may still be valid for a long time despite its flaws, and some schemes can be effective in practice. This article will focus on the concept of “subjective” security, and how it could theoretically solve specific problems.
