Abstract
This economic security audit by Argo and Tokensight has been written to explain how the Omni operator network will work and to explore potential corruption scenarios in which an operator disrupts the network. This research is meant to serve as the first of many more audits to educate the community on AVS crypto-economic security as operator networks begin to launch in the next few months.
I. Introducing Omni
Omni is an interoperability chain, designed to enable Ethereum rollups to communicate in a secure, performant, and globally compatible manner. Omni establishes a new precedent for secure interoperability by deriving its crypto-economic security from a dual token model: restaked $ETH (via Eigenlayer) and $OMNI, its native token.
II. Understanding Omni's Operator Network
The job of Omni’s Operator Network is to participate within Omni’s CometBFT consensus mechanism as Validators. CometBFT is a Byzantine Fault Tolerant (BFT) consensus engine that powers Proof-of-Stake blockchains. It allows a set of nodes to securely come to consensus on the state of a blockchain, even if up to 1/3 of the nodes are malicious or fail in arbitrary ways. Projects like Osmosis, Juno, dYdX, Axelar, and more trust CometBFT for consensus.
To ensure that operators do not behave maliciously, Omni employs a Proof-of-Stake (PoS) system in which operators participating as validators in CometBFT consensus must stake capital. If misbehavior is detected, an operator’s collateral will be slashed. Omni will employ a dual staking system, such that operators can utilize restaked Ether via Eigenlayer or $OMNI, the native network token.
Optional: A quick primer on CometBFT Consensus
CometBFT is a consensus mechanism that allows a set of mutually distrusting validators to work together to continuously update the state of a blockchain. Each validator's voting power is proportional to its bonded stake, so network security is tied to the stake held by honest validators rather than merely their number, which incentivizes validators to bond more stake.
Here's a high-level overview of how CometBFT works:
Proposer Selection: Each round, a proposer is chosen based on a deterministic round-robin algorithm considering each validator's voting power.
Proposal: The proposer broadcasts a block proposal containing a batch of transactions to all validators.
Prevote: Validators broadcast a prevote for the proposed block if valid, or nil if no valid proposal is received within a set time.
Precommit: If a validator receives >2/3 prevotes for the same block, it broadcasts a precommit for that block. If >2/3 prevotes are nil, it precommits nil.
Commit: If a validator receives >2/3 precommits for the same block, it commits the block to its local blockchain, finalizing the block. If >2/3 precommits are nil, it moves to the next round.
Round Progression: If a proposer fails to get sufficient prevotes or precommits, the protocol progresses to the next round with a new proposer until a block is committed.
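The two thresholds above (>2/3 of voting power to commit, and therefore any coalition that leaves the rest with at most 2/3 able to block commits) are what the later corruption scenarios rest on. The following is an added illustration written for this audit, not code from Omni or CometBFT; the validator set and its stake weights are constructed, and the vote tally is a simplified model of one precommit step.

```python
from fractions import Fraction

# Constructed validator set for illustration (name -> bonded stake as voting power);
# these are not Omni's real operators.
VALIDATORS = {"A": 40, "B": 25, "C": 20, "D": 15}
SUPERMAJORITY = Fraction(2, 3)   # CometBFT commits only with strictly more than 2/3

def total_power(validators):
    return sum(validators.values())

def power_for(votes, validators, target):
    """Voting power of validators whose (pre)vote is `target`."""
    return sum(validators[v] for v, choice in votes.items() if choice == target)

def has_supermajority(votes, validators, target):
    """True when the power behind `target` is strictly greater than 2/3 of the total."""
    share = Fraction(power_for(votes, validators, target), total_power(validators))
    return share > SUPERMAJORITY

def round_outcome(votes, validators):
    """Simplified precommit/commit step: return the block that gathered >2/3 power,
    or None when no block did (the round yields no decision and a new round starts).
    `votes` maps validator name -> block id; None stands for a nil or withheld vote."""
    for block in {c for c in votes.values() if c is not None}:
        if has_supermajority(votes, validators, block):
            return block
    return None

def coalition_share(coalition, validators):
    return Fraction(sum(validators[v] for v in coalition), total_power(validators))

def can_block_commits(coalition, validators):
    """A coalition that withholds its votes prevents every commit once the remaining
    honest power can no longer exceed 2/3 of the total (the report's >1/3 scenario)."""
    return 1 - coalition_share(coalition, validators) <= SUPERMAJORITY

def can_commit_alone(coalition, validators):
    """A coalition can finalize blocks without anyone else when its own power
    exceeds 2/3 (the report's >=2/3 double-spend scenario)."""
    return coalition_share(coalition, validators) > SUPERMAJORITY

if __name__ == "__main__":
    honest = {"A": "blk1", "B": "blk1", "C": "blk1", "D": None}
    print(round_outcome(honest, VALIDATORS))               # blk1 (85% > 2/3)
    withheld = {"A": None, "B": "blk1", "C": "blk1", "D": "blk1"}
    print(round_outcome(withheld, VALIDATORS))             # None (60% is not > 2/3)
    print(can_block_commits(["A"], VALIDATORS))            # True: A alone holds 40%
    print(can_commit_alone(["A", "B", "C"], VALIDATORS))   # True: 85% together
```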
What is the cost to corrupt Omni?
We define cost of corruption as the amount of financial resources and social capital an attacker or group of colluding attackers would need to expend in order to successfully compromise the integrity and security of the Omni Network.
The two main corruption scenarios in the Omni Network are:
Greater than 1/3 Stake: A validator or set of colluding validators amass more than 1/3 of the Omni network's stake and can engage in the following activities: transaction censorship or stalling.
Greater than or equal to 2/3 Stake: A validator or set of colluding validators amass more than 2/3 of the Omni network's stake and can engage in the following activity: double spend.
Cost of Acquiring >1/3 Stake
Solo Restaked TVL Scenario (No $OMNI Staking): Assuming a total value locked (TVL) of $1.5B in the Omni AVS contract on Eigenlayer, a validator or set of validators would need to acquire $500M worth of restaked TVL to control 1/3 of the network stake.
Dual Staking Scenario (Restaking and $OMNI Staking): With $1.5B of restaked Ether in the Omni AVS contract on Eigenlayer and an additional $1.5B of $OMNI staked, an attacker or group of attackers would need to acquire $500M worth of restaked Ether and $500M of staked $OMNI, totaling $1B in required capital. The dual staking mechanism effectively doubles the cost of corruption compared to the solo restaked TVL scenario.
Cost of Acquiring ≥2/3 Stake
Solo Restaked TVL Scenario: With an assumed $1.5B of TVL in the Omni AVS contract on Eigenlayer, a validator or set of colluding validators would need to acquire $1B worth of restaked TVL to control 2/3 of the network stake.
Dual Staking Scenario: With $1.5B of restaked Ether in the Omni AVS contract on Eigenlayer and an additional $1.5B of $OMNI staked, an attacker or group of attackers would need to acquire $1B worth of restaked Ether and an additional $1B of staked $OMNI, totaling $2B in required capital.
Additional factors to consider when measuring cost of corruption
Principal-agent problem: Validators may act in their own self-interest rather than in the best interest of the restakers who delegate capital to them. In theory, if a validator stakes only delegated capital, the validator's own financial cost of misbehaving is $0, since the slashed capital belongs to the delegators.
Social capital and legal consequences: Existing validators that are public entities must not only expend significant financial resources but also risk their social reputation and face potential legal consequences for engaging in malicious activities.
What is the potential profit from corrupting Omni?
Potential Profit from a >1/3 Stake Attack
An attacker controlling more than 1/3 of the stake in the Omni Network could potentially disrupt the network by censoring transactions or stalling the network.
Transaction Censorship: One potential attack scenario is transaction censorship, where the attacker refuses to include certain transactions in the blocks they propose. They could potentially profit by accepting bribes to include or exclude specific transactions. However, the profit from such attacks is highly unclear given the nascency of Omni.
Stalling: Another scenario is a "stalling" attack, where the attacker deliberately delays block confirmation by withholding their votes or voting for invalid blocks. This could be used as a form of extortion, where the attacker demands a ransom to resume normal operation.
Potential Profit from a ≥2/3 Stake Attack
Attackers controlling a supermajority (>66%) of stake in the Omni Network could potentially execute profitable attacks, most probably a double-spend. In a double-spend attack, the attacker sends a transaction, waits for it to be accepted, and then creates a conflicting transaction sending the same funds back to themselves, effectively spending the same funds twice.
The potential profit from a double-spend attack can be calculated as:
Profit = Value of double-spent transactions - Cost of acquiring the necessary stake - Cost of executing the attack
For example, if an attacker double-spends $500 million and the cost of acquiring a 2/3 stake is $2 billion, the profit would be approximately -$1.5 billion. Moreover, this example assumes the attacker can successfully cash out the double-spent funds and that their stake retains its value after the attack.
The profitability of a 2/3 stake attack depends on several factors:
Cost of acquiring the necessary stake
Value of double-spent transactions or bribes received for censorship
Ability to successfully cash out double-spent funds
Market value of the attacker's stake after the attack is discovered
Legal and reputational consequences
A Basic Example
To illustrate a simple example, let’s assume the total stake in Omni equals $300 million and the Gross Value Extracted is estimated to be the same in both attack types ($150 million).
As presented in the calculated scenarios above, and as a recommendation for auditing purposes, Omni as an AVS would benefit from placing greater weight in its slashing conditions on transaction censorship and stalling attacks (>1/3 Stake Attack) than on double-spend attacks (≥2/3 Stake Attack), since an adversary would profit from the former and incur a loss from the latter.
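The cost-of-corruption figures, the profit formula, and the basic example above follow the same arithmetic, which the following added model reproduces. This is illustration code written for this audit, not Omni's or Argo's own tooling; the dollar figures are constructed to match the report's assumptions (in USD millions), and the model generalizes the dual staking case to pools of unequal size by adding the attacker's share of each pool.

```python
from fractions import Fraction

# Constructed figures mirroring the report's assumptions, in USD millions.
RESTAKED_TVL = 1500    # restaked ETH in the Omni AVS contract on Eigenlayer
OMNI_STAKED = 1500     # $OMNI staked alongside it in the dual staking scenario
THIRD, TWO_THIRDS = Fraction(1, 3), Fraction(2, 3)

def cost_to_corrupt(threshold, restaked_tvl, omni_staked=0):
    """Capital an attacker must acquire to hold `threshold` of the network stake.
    Following the report's arithmetic, under dual staking the attacker must hold the
    fraction of both pools, so the two costs add (the pools need not be equal)."""
    return threshold * (restaked_tvl + omni_staked)

def attack_profit(value_extracted, stake_cost, execution_cost=0):
    """Profit = value extracted (double spend or censorship bribes)
             - cost of acquiring the stake - cost of executing the attack."""
    return value_extracted - stake_cost - execution_cost

def attack_outlook(total_stake, gross_value_extracted):
    """Profit of each attack class at a given total stake, as in the basic example.
    A positive entry marks the class whose slashing conditions deserve more weight."""
    return {
        ">1/3 (censorship/stalling)": attack_profit(
            gross_value_extracted, cost_to_corrupt(THIRD, total_stake)),
        ">=2/3 (double spend)": attack_profit(
            gross_value_extracted, cost_to_corrupt(TWO_THIRDS, total_stake)),
    }

if __name__ == "__main__":
    print(cost_to_corrupt(THIRD, RESTAKED_TVL))                    # 500   solo restaking, >1/3
    print(cost_to_corrupt(THIRD, RESTAKED_TVL, OMNI_STAKED))       # 1000  dual staking, >1/3
    print(cost_to_corrupt(TWO_THIRDS, RESTAKED_TVL, OMNI_STAKED))  # 2000  dual staking, >=2/3
    print(attack_profit(500, 2000))                                # -1500 the report's example
    print(attack_outlook(300, 150))                                # 50 and -50, the basic example
```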
Discussion & Conclusion
Over the next few months, as several AVSs go live, the team will closely monitor the rollout of the operator networks. When Omni goes live, we aim to answer the following questions:
Will Omni’s initial operator set be whitelisted?
How centralized and entrenched on other AVSs will Omni’s operator set be?
How many operators will there be and how concentrated will stake be among top operators? How reputable will they be?
How much TVL will the Omni network have?
Are there more profitable attack approaches than double spend for Omni?
How complex will their code be as an AVS? High code complexity may lead to an increased likelihood of bugs.
We will be conducting economic audits for more AVSs as they roll out. If you are interested in following along with our research, please follow the Argo Twitter and Tokensight Twitter.