Bond Adjustment Proposal

Overview

The bond requirement for ICON validators was introduced on mainnet nearly 4 years ago. The intention of the bond was to align incentives between validators and the success of the ICON Network through enforcing “skin in the game”.

However, years later we have observed some unintended consequences of the bond requirement. It has placed a significant burden through capital inefficiency on those that are still validating, it is (potentially) responsible for the decline in validator numbers on the ICON Network, and the bond requirement is a large barrier to entry for new validators looking to participate.

Details

At this stage, we believe the bond requirement should be lowered for the following key reasons:

  • Capital inefficiency - the bond can’t be used in DeFi, therefore a significant portion of a validator’s capital is not available for leverage and returns a maximum of only ~20% annually in ICX terms.
  • Barrier to entry - potential new-entrants to ICON are deterred by the bond requirement. In order for a new validator to join the ecosystem, they must make a direct investment in ICX in addition to server costs, which is impractical in many situations.

Capital inefficiency can be quite impactful for larger validators. As an example from Lydia Labs, we have 1.8M ICX bonded (~380k at time of writing). This 1.8M ICX could be deposited into Balanced and leveraged for over ~$200k of additional working capital to pay expenses and make other investments while remaining invested in ICX. It could also be used to provide liquidity and generate more revenue for both ICON and Balanced.

As for examples of barrier-to-entry, just recently an outside hackathon provider became interested in running a “public good” validator on ICON. Their validator would use all profits to conduct ICON-focused hackathons, distributing ICX to the winners. However, it’s simply not practical to expect a company like this to use working capital to invest in a speculative cryptocurrency like ICX. The workaround would be for a large ICX holder to supply the bond, but this is added friction to onboarding new validators and not an ideal solution.

Looking at other ecosystems for inspiration, you can see that most do not have something like the bond requirement, and we believe the aforementioned reasons may play a factor. For example, no Cosmos SDK chain that we are aware of has a bond requirement, and Cosmos has a much larger validator ecosystem.

With all of that said, Lydia Labs proposes to lower the bond requirement to 1%. We do not propose a lower number because of the potential for edge case issues, however, are open to doing so. It’s worth noting that even with a lowered bond requirement, the minimum requirement of a 10,000 ICX bond to receive minimum wage will still be in effect.

Slashing, as it’s currently designed, will only apply to the 10,000 ICX bond. In an ideal situation, we would apply slashing as Cosmos does, to the delegators. However, this would take more work on goloop, of which we do not have the intention to pursue. The opportunity cost of being jailed should be enough of a deterrent, at least in ICON’s current state.

We look forward to feedback on this proposal.

I am concerned about how easily the network could be attacked if the bond is reduced without addressing the security and decentralization tradeoffs through some other simultaneous change.

As I understand it, the bond exists to defend against sybil attacks, spread votes from top validators, and deter malicious behavior. Reducing the bond would eliminate all of these benefits solely to lower the cost of capital to validate the network.

We’ve had a number of new validators come in since the new economic policy changes from a couple months ago, so I don’t think drastic changes are needed to incentivize validating the network.

I consider this a drastic change because it reduces the barrier to attack the network by 80%. If we reduce the bond, an attacker could potentially create numerous validators with just a fraction of the ICX that would have been required under the current bond requirements. This would potentially make sybil attacks possible for many of the current top validators to do. However, I think it is an open question what exactly the potential risks are of a significantly lowered bond requirement.

I think in your case you could probably just reduce the amount you currently have bonded and lose out on the associated power, still be a top validator, and nothing would really change for you except that you re-allocated some of that money towards something with higher return and/or lower risk.

Is bonding the best way to secure the network? I don’t think so because of the reasons you mentioned. The burden should be shared among voters.

All this is to say that slashing the delegates as you mentioned is in my opinion the best path forward by far. While it does add work to goloop, I think it’s necessary and would address both cost of capital and security.

3 Likes

For this concern, I think you should step through the scenario analysis a bit more to see that there is no meaningful difference on any of these attack vectors.

Sybil Attacks - how exactly can somebody sybil the network more easily without the bond? I don’t see how that would work.

In the current system, you need to burn 2k ICX to register a node. But besides that, you can set up as many nodes as you want. You won’t get any rewards or power without any delegation and without any bond. So you need to buy or know somebody with ICX. If there is no bond requirement, you still need ICX for delegation. Whether the ICX is used for delegation or for bond doesn’t make much of a difference. To get a node started and for it to have power, in both scenarios, you need ICX or know somebody with ICX. You can’t assume an attacker can launch many nodes and suddenly get delegation to all of them without any investment of their own. If you assume that receiving delegation comes at no cost, then I think there are no DPoS networks that are Sybil Resistant.

Spreading Votes from top validators - I don’t see how this works either. Is the bond requirement helping spread votes away from Lydia Labs? I don’t see any evidence of that. What it does is spread votes away from underbonded validators, for example, somebody like Dorahacks if they were to register and try to accrue votes without the capital to invest like Lydia Labs does. If anything, it concentrates votes to whales and companies that can afford or have the freedom to have large investments in ICX.

Deter Malicious Behavior - I agree, it’s a deterrent to validators. But as I said in my original proposal, I don’t believe this deterrent is worth the costs. Ideally, like we’ve both mentioned, the delegators would take on the slashing risk, but would take considerably more work. Open to hearing what it would take though if you want to chat with Parameta about it.

I’m pretty sure this is incorrect. The cost to take over 1/3 of the top validator slots and halt the network would remain similar with and without a bond. Let’s say the combined power of the lower 1/3 of the validator set is 10M. With the bond requirement, they spread 500k of ICX across their nodes as the bond, then delegate to their own nodes with the rest of the 10M. Total cost is 10M + 500k. Without the bond requirement it would be 10M to attack. Difference in cost of attack is less than 5%, not 80%.

This isn’t an attack and doesn’t impact security. The network doesn’t care if there’s a bunch of small validators with litto to no power. At most, they could get 3 of the top 25 validator slots during rotations. If they were large validators, as I mentioned above, the bond requirement makes a pretty negligible impact on cost of attack.

Potential Alternative Solution
While I disagree with the points you’ve made for the aforementioned reasons, I’m open to alternative solutions.

@CyrusVorwald can you explore a potential, somewhat “hacky” solution with the parameta team where we would set the bond requirement to 100%, remove the bond-address whitelisting feature, and direct all UX’s/apps to instead of delegating user’s ICX, the ICX is bonded to the validator. Maybe this can achieve a similar goal. SCOREs must also be able to bond for validators in order to not break sICX. I am not sure how the I-Score calculation would work with a bond of 100,000 and delegation of 0, so maybe explore this with them and see what they think. This might be a quick way to achieve a Cosmos-like system, where all delegators are bonders with their bond at risk, and all rewards mechanisms can remain untouched (hopefully).

Hello,

As a member of a validator team I can confirm that the bond requirement poses a significant barrier.

I have been a member of the community for a long time and proposed to my team that we should run a Validator on Icon last year. We strongly considered hosting one but decided it was not worth the upfront cost of accumulating a bond.

1 Like

Are you sure? From docs, I thought slashing could be as high as total bond (100% slashing) in some cases?

Yes, how can we ensure decentralization? so that voting %age is not dominated by top 3-4% of validators? Otherwise let only “one validator” to run the whole ICON Network alone… & the rest can take rest…

We also think bond is heavy for us to manage too… But how to make sure your suggestion ensures decentralization so that voting power is not 90%+ concentrated only to couple of big top delegated validators?

I was thinking that if validators only have a nominal amount staked, and the vast majority of stake comes from delegators who don’t bear slashing risks, then the economic security model starts to break down.

Validators who have little of their own capital at risk may be more inclined to engage in selfish or reckless behavior, knowing that they face minimal consequences if caught. If validators are not adequately invested in the network’s success, the network users and token holders may lose confidence in the security of the chain.

If there’s 80% less validator “stake at stake,” it would be 80% easier to bribe them. Bribers don’t need to run their own nodes or get delegates, they just have to send enough money to validators that there is no longer an honest majority. But I didn’t consider that there may be legal consequences to accepting such bribes and because it’s a DPoS network, they cannot do so anonymously in our network. So there may be enough deterrents and safety measures that it is not an issue to reduce the bond.

I do think that the total stake at stake should be maximized because that directly measures security of the chain, but you make good points about why the bond could potentially be removed without simultaneously transferring that stake to delegates or somewhere else.

Lowering the bond makes the network easier to validate, that’s all fine if nodes would just validate blocks.

But validators do more than that. Voting power needs to be well considered, specially with NOL.

3 extreme scenarios:

  1. A validator like Binance might decide to just leave 1M bond and 5% commission. If voters do their homework they should vote for them. Then with a 1% bond Binance could host 100 million delegation. I don’t doubt Binance is a good actor, but it’s also true ICON network is not their priority.

  2. A malicious validator could try to gain a lot of traction with even a 0% commission, with just 3 million ICX the node could support 300 million delegations. If NOL is significant (which already is) would that be a problem?

  3. As @iconsweden says, this could also lead to disproportionate delegations concentration. Bigger nodes can afford smaller commissions, rinse and repeat.

So I think this proposal could have very good short term results, then I’m unsure of long term outlook here.

If voting power would be capped at protocol level maybe that could change my position.

Not sure how much insight I can provide here, but here are a few thoughts reading through this.

I think the proposal is good and I don’t see any obvious issues in regards to the approach and analysis. I would be in favor of this, even considering some of the additional discussion, however I feel like I should qualify that with some additional thoughts.

The bond has been a prohibitive barrier for my node (Inanis Invictus) and we have relied on the bonding capability of others for the past year. Without them, this node would have been turned off because the amount of capital to keep it running at a break even is not feasible, much less for the way we are using our node (to help fund development of Inanis Invictus). Honestly i’ve never liked bonding and felt like it was, in many ways, punative to small node operators, but I also recognize that the goal was (maybe still is?) to attract “enterprise” validators anyway.

While I get many validators aren’t doing anything but running their nodes for profit, I think some specifics about our situation will help provide a bit of context to how changes like this impact operators like us.

Our operating cost is between 5-700 USD a month. I get that this is probably a bit higher than a standard, bare minimum node, however we have additional resources included in this cost (application servers, databases and backup resources). Regardless, our break even point, at current prices is about 1.8 million delegations, which requires a bond of 90,000 ICX (which is a capital investment of ~19,500 USD just to break even, and obviously more to see a “return” of any measurable amount.

From my perspective it doesn’t even make sense to start a node on ICON, even if the cost to operate is half of what it is, unless you can guarantee a bond of at least 50,000 ICX (which is at risk due to slashing, btw) and at least 20x that in delegations which, in all likelyhood (without the grant program, especially), you will need to supply yourself because a huge portion of votes are stagnant.

I understand this isn’t all entirely specific to the proposal, but it feels important to the discussion about the potential impacts of changing the bonding for validators in similar positions.

1 Like

Thanks @Brandon_FBM for sharing your perspective.

@CyrusVorwald @RooK5677 just to cut directly to the point here, you guys have not provided mathematical examples of how lowering the bond requirement significantly lowers security. I went through the effort to share with you that the objective cost of attack changes by a negligible amount, as seen here:

If you have some math to show me how the network is significantly less secure with a lower bond, please share it, as that’s obviously important to me as a major stakeholder. However, keep in mind that your math, and all of your points for that matter, should apply specifically to comparison of 5% bond vs lower than 5% bond. Much of what you have mentioned applies to all existing DPoS networks.

To share what’s happening in practice and just how unsustainable/insecure the current model is in practice, please see this screenshot. This is a bonder that I know, and I know they are much more interested in utilizing this ~2M ICX in DeFi and elsewhere rather than supplying a bond for validators.

So, without any complex math, take some time to consider the change in cost of attack on the network if this person removes their bond from all these validators at once. Will it become cheaper or more expensive to attack the network? It’s pretty straight forward, it will indeed become cheaper to attack the network. If Power in the main validator set goes down, it becomes objectively cheaper to attack the network, not debatable, but happy to help you understand offline if this isn’t clicking. And again, we are sticking to the point of discussion of 5% bond vs lower than 5% bond.

Now, if there were no bond requirement, and this individual were to remove their bond, it would have near 0 impact on the cost of attack. Power of the validators in the screenshot would drop only by the amount of delegation removed, rather than 20x the delegation. Therefore cost of attack would remain virtually unchanged. This highlights that network security is HEAVILY tied to the individuals providing bonds, rather than those delegating to nodes. Delegators have far less impact on decentralization and block production in the current network structure, as their delegation means nothing without a bonder.

Don’t get me wrong, I was a big fan of the bond requirement. It was originally something I supported strongly. But that was with the long-term goal to head more toward a PoS network, and less DPoS. At this point in ICON’s lifecycle, this no longer makes sense. We’re not going to change consensus to include hundreds of nodes with small bonds and small delegation. Our network is secured via DPoS, and with a bond requirement, it can only ever be as secure as those willing to bond, rather than those willing to delegate. That’s not a good, sustainable plan. Delegators should have the power in the a DPoS network, not just a subset known as bonders.

Think about it this way, take the Lydia Labs node for example. If we remove all of our bond (and so does this person), all those delegations to our node become meaningless. It takes away the power of the delegator and gives it all to the bonder.

I like the plan of lowering the bond requirement as much as possible then transitioning to Cosmos style delegation/slashing. Hope this elaboration helps you guys understand that network security isn’t going to be meaningfully lowered by lowering the bond requirement.

1 Like

This clicked, but at the same time is in line with my concerns:

Voters would have a lot more power and they can be incentivized with a low or no commission.

As said before, if one combines 2 million ICX (0.2% of the supply) with ~0% commission, an individual could (in theory) gather 200M votes (20% of the voting power). Maybe not enough to make material damage, but enough to have a big say on things.

Voters will go where the yield is higher, so the power is not really on them but on validators that can afford low to none commissions. If there was no commission this argument would be meaningless.

In other words, I agree that power is on bonders now, but I don’t agree that power will go to voters. It will mostly depend to the commission that the validator sets. Power is on the validator operator.

Right now most validators care for the network and are known positive actors, also only 2 validators significantly under 100% bond: Citadel and Staky.

The other ~50 are managing their ratio (not saying it is easy).

Finally bonding can be inclusive because it creates synergies between validators and community bonders.

Having said all that, there’s no denying that a 5% bond is an entry barrier. What if the bond is not a fixed amount? What if new/small validators can enjoy a 1% bond, and then the bond requirement gradually increases up to x% as more power is accrued?

Basically: If you want to validate blocks ICON welcomes you. If you want to earn $100k a year on emissions and have a big say, ICON asks commitment.

Greetings!

Thanks for this proposal. Everstake stands behind the initiative to reduce the bond requirement to 1%. This adjustment would serve as a pivotal measure in facilitating the onboarding of new validators, crucial contributors to the development of the ecosystem. We also agree that bond could be further optimized for increased utility, it can enhance liquidity provision and bolster revenue generation.

1 Like