Bonding vs (Delegated) Staking in Nym
Node operators as well as any ordinary user holding NYM tokens can stake in Nym, but they serve slightly different functions in the system…
Node operators as well as any ordinary user holding NYM tokens can stake in Nym, but they serve slightly different functions in the system. This can cause some confusion when it comes to the terminology, so in this blogpost we first give a brief overview of the difference between bonding stake (for node operators) and delegating stake (for ordinary users), before delving into the more complex reasons behind this design.
So, firstly:
- Node operators bond their stake (in the form of NYM tokens) in order to join the network. Node operators include Nym blockchain Validators and the non-blockchain Mixnodes and Gateways, and all have to put up a stake in order to join the network topology and begin routing traffic, interacting with clients, and all of the activities that ensure network-level privacy for users.
- Users who hold NYM tokens, on the other hand, delegate their stake (in the form of NYM tokens) to Mixnodes and Gateways that they believe provide a good Quality of Service (QoS). This helps in the selection of node operators, as these get selected to serve the network on the basis of their total stake (bond+delegated stake). Delegated staking thereby provides soft governance by allowing NYM token holders to participate in the selection of nodes for the network — and they passively earn a share of the node operators NYM rewards in doing so.
With that out of the way, let’s get into the weeds!
What is staking?
Staking is the provision of collateral — a bond — for being able to engage in some activity, acting as a form of skin in the game, publicly showing your commitment to the activity you’re engaging in.
Permutations of staking are currently utilised by many decentralised systems. Broadly speaking, however, across all staking systems, node operators provide stake to join the network, and this stake operates as an assurance that they behave properly. Although many systems do also slash stake if nodes do not behave as expected, Nym importantly does not do this, instead relying on probabilistic inclusion into the active set of the network based on stake (more on this in the sections below).
Why staking for node operators?
As well as an economically-incentivised assurance of good behaviour, staking is used in the network as defence against Sybil attacks. Sybil attacks are a major potential issue for open and decentralised/distributed systems that rely on shared consensus, in that anyone who can run the software for a node can join the network. As such, if there is not an imposed cost to meaningfully contribute to the network as a node, individual actors can set up multiple nodes and gain control of a disproportionate amount of the network’s nodes. Depending on the usecase of the network itself, this could allow an attacker to affect message broadcasting (i.e blocking some users from effectively using a network or giving priority to others),[1] engage in traffic analysis or fingerprinting by being able to view a disproportionate amount of the total network activity; or skew the outcome of any application level uses of the network, such as e-voting.[2]
There is unfortunately no one-size-fits-all approach to mitigating Sybil attacks. The strategy that different networks must take to defend against Sybil attacks is reliant on what counts as a meaningful contribution to the network for the nodes in that network. Let’s look at how each type of Nym node does this in practice.
Our Cosmos Validators operate essentially as the consensus backbone of the Nym network by maintaining the Nym blockchain. The blockchain provides a public history of all NYM token transactions, the network topology at any given time, certificate creation and protects against double-spending. Furthermore, Cosmos allows for the network to be extended with CosmWasm smart contracts (one of which is the current core of our mixnet). The Validators operate the network according to the Ouroboros Proof of Stake consensus model, wherein block production relies on a series of nodes within the network passing the buck of producing blocks between themselves, with the likelihood of each node being selected based on the amount of stake they bond into the network as an assurance that they won’t (e.g.) produce fake transactions for their friends or have excessive downtime.
Defending against Sybil attacks in a Proof of Stake system relies on two things:
- maintaining a distribution of stake across the nodes such that one node does not control more than 66+1% of the total amount staked by all validators, and
- ensuring that it is economically unwise for several validators that collectively control 66+1% stake to collude to attack the network by skewing consensus their way.
In our move towards Mainnet, we’re mirroring the economic distribution of our key investors. As such, even though in theory it could be possible to socially coordinate enough validators to be in ‘control’ of 66+1% of the total stake (the floor for consensus) it wouldn’t economically make sense for these validators to be involved as it would undermine the significant investments they have put into Nym.
Mixnodes and Gateways must similarly provide stake in order to be included in the network topology, with this stake acting as an economic disincentive from running a disproportionate number of nodes. Although it may seem counter-intuitive to require Node Operators to provide some ‘skin in the game’ stake in order to take part in the network, Gateways and Mixnodes make up the entrances to and communication backbone of the mixnet respectively. If Gateways and Mixnodes had a view of more of the network than their immediate neighbours, they could possibly work to collude on Fingerprinting and/or traffic deanonymisation attacks![3] This sets Nym apart from ‘free-to-play’ networks such as Tor, which is vulnerable to Sybil attacks in the form of individuals running significant chunks of the overall network’s nodes.[4]
Aside from acting as a defence against Sybil attacks, the amount that users delegate to Gateways and Mixnodes is utilised by the network as a form of soft governance, with the amount of rewards a node gets being based on its Quality of Service (i.e. its uptime and proper configuration). As such, users who wish to delegate their stake to Mixnodes and Gateways will (in theory) gravitate towards those nodes with the best QoS, ensuring that the network is operating as efficiently as possible. As the network scales with demand,[5] in much the same way as with the Validators, Mixnodes and Gateways with the highest stake bonded to them (from both their node operators and user delegation) have a higher chance of being selected to be part of the active set (i.e. those nodes actually mixing traffic), and thus gain further rewards![6]
—
To summarise, staking, in the form of bonding a stake (node operators), and delegating a stake (users), provides important information security, governance and economic features to the Nym system.
—
[1] The line between legitimate and illegitimate uses of this has arguably become blurred, for example with MEV becoming a ‘feature’ rather than a bug of Ethereum’s priority system in its mempool.
[2] For more reading on Sybil attacks, see this introduction to Sybil attacks, as well as an outline of the attempted Sybil attack on a previous Nym testnet from our CTO Dave Hrycyszyn .
[3] See this article from our head of research Ania Piotrowska for a more detailed breakdown of what these attacks are, and how Nym is able to defend against them.
[5] See section 3 of the whitepaper for more on this, and expect a blog post soon!
[6] This will be covered in far more detail in a future blogpost, so don’t worry about not fully understanding it from just this explanation.
