The Future of Staking is Going into Hyperdrive: Introducing Interchain Security

Cosmos & Cross-Chain Staking in a post-IBC World

Intro

We are quickly approaching the conclusion of the three-phase launch of the Cosmos Hub mainnet, what with the primary building blocks of the Cosmos ecosystem — Tendermint Core, Cosmos SDK, and IBC — being brought to completion. With the close of this chapter comes the ringing in of the next one.

We’re now witnessing the Cosmos universe expand — and, like the universe, do so at an ever-increasing rate. Following the Gaia (aka Cosmos Hub) mainnet launch, or what I like to call, the Cosmic Big Bang, hundreds of new chains have exploded into existence, becoming their own clusters of gravitational forces.

But despite more and more chains adopting the Cosmos SDK — and eventually IBC — a void remains. Because IBC is, by design, built as a permissionless standard that allows any two chains that support the protocol to speak the same language, there’s no reason for them not to directly connect to each other. Which leads you to ask: If IBC allows any two chains to talk to each other, why then, are hubs even necessary?

Cosmos is, by design, a multi-hub ecosystem. However, as stakeholders of Gaia, we need to gain clarity about what it means to be a hub in the first place and what distinct value proposition a hub such as Gaia presents to its users.

We attempt to answer this question in this post by exploring various models that can and should each be explored in controlled experimental settings that the great petri dish we call the Cosmos Network should permit.

The focus of this post will be on the primary ways Gaia can be leveraged to provide various forms of cross-chain staking and fault recovery to new zones that enter the Internet of Blockchains.

Understanding Replicated Security

We’ll first cover the simplest model for implementing cross-chain staking. A distinction needs to be made here about what Polkadot calls “shared security”. Because Cosmos architecture is so fundamentally different from that of Polkadot’s, the term “Replicated Security” is a distinct technical departure from the Polkadot shared security model.

Replicated Security is a simple duplication of the validator set of any existing blockchain. If we’re to consider Gaia as the anchor that new zones need for security bootstrapping, then with Replicated Security, the new zone would simply copy over the existing set of Cosmos Hub validators to instantiate that zone.

This model is how Cosmos architecture allows for near-infinite scaling through horizontal scalability. A sample use case where this could be used is on Ethermint. In the past, claims were made about Cosmos offering “unlimited horizontal scalability”. Replicated Security, which is simply duplicating a whole validator set from the Cosmos Hub, would be that glue that makes this claim possible.

The work lies ahead for us to actually get this implemented. But for now, we’ll continue exploring more sophisticated models of cross-chain staking.

Understanding Interchain Staking

There are two ways of implementing Interchain Staking:

1. Sunny Aggarwal’s “Leased Security” model. A fraction of the Cosmos Hub validator set can discover and elect to validate for new zones of their choosing. Key distinction: zones will use the same ATOMs that are bonded on the Hub in order to “merge mine” their zone.
2. Jae Kwon’s “Interchain Staking” model. The entire validator set of the Cosmos Hub at any given time provides validation-as-a-service to new zones that elect to be Interchain Staked. Key distinction: zones use a secondary token — let’s call it PHOTONs for now — to bootstrap security on their zone. PHOTONs would be issued from the Hub and have a fixed inflation schedule, similar to Ethereum’s.

Method 1) Leased Security

Borrowing from an analogy made by Ryan S. Adams on “Investing in DeFi Paradigms”, blockchain security is kind of like a country’s military defense. To measure how much is enough security, one must ask: If the US wants to defend against an attack, does it spend 1% of its GDP, 5%, or some other amount? And how much more equipped is the US to defend against attacks with every incremental increase in dollars spent? Trouble is, you won’t know the answer until you are attacked.

In the PoS case, the question we have to ask ourselves is: How much ATOM, as a percentage of its market cap, is sufficient to defend against Byzantine actors as the number of zones that lease security from the Hub grows? And how much are zones willing to pay Cosmos Hub validators in order to lease “shares” of its overall security?

There are many application developers who might want to build applications using the Cosmos SDK, but not necessarily build their own validator set and/or economic security from scratch. In this case, they should be able to leverage the validator set of Gaia to operate their chain, borrowing a portion of the security from Gaia.

Sunny often makes the analogy between empires and nation-states — Ethereum being an empire with a military, where all applications must be built under its dominion, whereas Cosmos spawns sovereign nation-states, where zones have complete sovereignty but trade off the convenience of having readily-available military defense. In this context, the Leased Security model can be seen as similar to NATO, where the Gaia chain is the “United States”, lending its security to others in its “sphere of influence”, but still allowing other chains to maintain their own sovereignty.

At first, this sounds like the sharding that Polkadot and Ethereum 2.0 are building. While it is similar, Sunny’s model proposes adding a bit more Cosmos-flavored flair. In sharded execution environments, each of the shards or parachains get equal security using random sortition; the root chain will have, say, 1000 validators, and validators get assigned randomly to validate shards.

In the Gaia Leased Security model, if a chain wants to lease security from Gaia, it can register itself on the Gaia chain, with a description, along with binaries/code for the chain. Each validator can then individually decide whether they want to co-validate the chain, based on their personal expected benefit. They’d calculate the expected value of any newly registered zone, assessing each use case, the expectation of fee earnings, block rewards, direct payments, etc. When a validator pulls the trigger and co-validates, they would then put their ATOMs on Gaia at risk for slashing penalties they incur on the co-validated chain in addition to ones they might incur on Gaia.

Because this feature allows each validator to individually decide whether they want to co-validate a specific chain or not, there will be some chains that have nearly all validators co-validating and some chains that have only a few validators co-validating.

Because CryptoKitties does not need the same level of security as MakerDAO, this more Hayek-ian approach to leased security allows for more allocative efficiency. If all decentralized apps (dApps) received the same security, they’re paying into a universal ticket auction, making users of less critical dApps overpay for security and subsidize users of other, more critical dApps.

From a scalability perspective, this allows validators — hobbyist or professional-grade — to operate as many chains as they have the capacity for.

From a delegator’s perspective, it gives them more optionality to earn rewards in many different tokens while staking only one: ATOM. For instance, they may very well be staked to several validators co-validating many different chains. To illustrate, if Alice is delegated to Validator A on Cosmos Hub but she wants to use ATOM to cross-stake on Foochain and earn Foochain provisions, but Validator A is not co-validating, Alice can delegate her same ATOMs to Validator B, who is co-validating Foochain, while continuing to remain staked to Validator A on the Hub. Her voting power would be slashable both for penalties incurred by Validator A on Cosmos Hub and penalties incurred by Validator B on Foochain.

The Leased Security Lowdown:

• Consensus Entry: Entry into the set of any zone’s consensus signers is done by validator opt-in. Delegators would follow specific validators who co-validate on the zones that they want to stake on and earn provisions in.
• Staking token denomination: ATOM acts as the security premium for zones to “lease” security as if being protected under NATO. Staking is done with the same ATOMs — which are effectively virtualized ASICs — as this simulates merge mining between Proof-of-Work blockchains that have the same hashing algorithms.
• Slashing penalties: Enforced by the zone’s consensus protocol but slashing penalties will slash ATOMs that are staked on the Hub instead of on the zone.
• Governance: Cosmos Hub will act as a Supreme Court to perform dispute resolution and evidence handling when faults are observed on a zone.

While Leased Security makes economic sense, it does come with second-order effects like greater centralization of voting power. If the Internet of Blockchains evolves around this model over the course of years, then it stands to reason that many new zones would opt for Leased Security, therefore concentrating the defense needs of many billions of dollars under management across many zones on the few hundreds of validators that are operating the Cosmos Hub. While Leased Security is enticing for ATOM delegators from a yield earnings perspective, it also has the potential to come with a suboptimal outcome for the decentralization and sovereignty narratives.

Jae Kwon’s version of cross-chain staking internalizes that externality and proposes a model that is more optimized toward decentralization while still providing validation-as-a-service coming from the Cosmos Hub.

Method 2) Interchain Staking

Jae Kwon’s Interchain Staking model leverages a secondary token — let’s call it the PHOTON for now. A key feature of PHOTON is that it hard-spoons the ATOM distribution at a given snapshot and airdrops those new PHOTONs to ATOM holders. After all of its initial supply has been distributed by the protocol, new PHOTONs would be able to be minted at a fixed rate every block. Like the ETHER supply schedule that subsidizes miners a fixed block reward per block mined, the PHOTON supply would be minted in the same manner.

PHOTONs would be issued as a secondary token on the Cosmos Hub. Continuous provisions of PHOTONs would go toward staked ATOM holders, who could then utilize those PHOTONs to Interchain Stake to new zones of their choosing. Every new zone that is IBC registered to the Cosmos Hub, by default, would be able to have Interchain Staking with PHOTONs.

If a fault is discovered on an Interchain Staked zone, call it Foochain, whatever has been put up for stake will be slashed pro-rata to the amount of each token that has been staked. For example, if 50% of Foochain’s stake-weight voting power is in PHOTON and the other 50% is in FOO, then the validator and its delegators will each be slashed 50/50 on each token. The key distinction here, though, is that FOO would be slashed on the zone itself and PHOTON would be slashed on the Cosmos Hub, where it was originally issued.

In terms of earning staking rewards, the same model holds. If you are staking 50% PHOTON and 50% FOO, then your block provisions pay out pro-rata to the percentage of overall voting power you’re providing to the Interchain Staked zone, Foochain.

An edge case in the Interchain Staking model needs to be considered, however. If 1/3 of the voting power is Byzantine on Foochain, then any evidence that is submitted by that chain to the Cosmos Hub can’t be relied upon anyway. In order for a proper consensus trial to happen with untampered evidence that goes to the Supreme Court of the Cosmos Hub, the mitigation tactic against this is to allow anyone who is monitoring any zone to be able to submit evidence of wrongdoing, not just the validators of the zones. This provides a kind of checks and balances scheme similar to Polkadot’s fishermen. Except here, there are no direct protocol rewards for doing so.

Interchain Staking done with the PHOTON instead of the ATOM has several benefits:

• It opens the door to having much more validators in the ecosystem in aggregate than does Leased Security with ATOM because doing so with ATOM limits the maximum number of validators who can perform cross-chain staking to the 125 validator slots allowed to operate the Cosmos Hub
• It is more secure and mitigates the introduction of perverse incentives such as the incentive to create many faux zones in order to get ATOM Leased Security, earn block rewards in ATOM, receive ATOM provisions rent-free of paying the tax that ATOM stakers pay to the Hub tax pool, and circumvent having any meaningful participation in Cosmos Hub governance

On the topic of governance, because ATOM is the access point for anybody to participate in important decisions that govern the fate of the Cosmos Hub, it should be reserved for those who really care about the Cosmos Hub. Thus, a secondary staking token whose supply schedule is not inflationary, like the ATOM’s, and rather, deflationary — or constant — would take the place of ATOM while not overexposing Cosmos Hub governance to stakeholders who may not care about the future of the Cosmos Hub, and who rather just need a way to quickly bootstrap the security for their sovereign zone.

Regardless of whether or not a zone cares about the Cosmos Hub, this model still allows for Cosmos Hub governance to provide Supreme Court services to the zone, like acting as the “designated recoverer” that Jae Kwon talks about in his Shape of Cosmos paper.

The Interchain Staking Lowdown:

• Consensus Entry: Entry into the set of a zone’s consensus signers is enforced by the zone itself. Any zone that is IBC registered to the Hub by default has the option to have Interchain Staking with PHOTONs
• Staking token denomination: PHOTON as the security premium for zones to interchain stake. Staking is not done with ATOMs, as that reduces overall security
• Slashing penalties: Faults that are detected on the zone will slash the zone’s native token and whatever PHOTONs that are staked on the Hub in proportion to the zone’s total voting power. PHOTONs are slashed on the Hub, not the zone. Anyone who detects a fault who has been monitoring the zone can submit evidence to the Hub for slashing penalties if a zone ever gets corrupted
• Governance: Cosmos Hub acts as the “designated recoverer” by which Hub governance process takes over upon failures incurred on any zone that opts into Interchain Staking

That’s all for now where we cover the hottest topics of consideration in the cross-chain staking world for Proof-of-Stake-based protocols. Be sure to watch out for future write-ups about hub token issuance, staking derivatives, and other research topics breaking out of staking research.

Disclaimer: The models discussed in this post are in their proposal stages, meaning it’s a WIP and no decision has been made to finalize any particular model. This post is meant to spur constructive discussion about where the future of cross-chain staking should land for the Cosmos Network and is meant for purely educational purposes for providing contextual guidance.

Acknowledgements: Thanks to Sunny Aggarwal for sharing the initial Gaia 2.0 model, Jae Kwon for coming up with the Replicated Security and Interchain Staking concepts, and dogemos for helping out with an early draft and being there for the early conversations.