Resilient Alerting Protocols for Blockchains
Marwa Moullem, Lorenz Breidenbach, Ittay Eyal, Ari Juels
TL;DR
This paper tackles the resilience of blockchain alerting systems to bribery-based suppression by formalizing the alerting problem as a cryptoeconomic game between a bribing adversary and $n$ rational nodes. It proves a fundamental upper bound of $\Theta(n^2)$ on bribery resistance and introduces a simultaneous alerting game that asymptotically achieves this bound. It then presents three practical instantiations—Lockstep (strict synchrony), Hardware-Based with TEEs and Proof of Publication, and Sequential alerting—each offering different latency and on-chain storage tradeoffs while preserving asymptotically optimal bribery resistance. The results delineate a rich design space for robust off-chain alerting, with implications for the security and economic guarantees of high-stakes blockchain protocols.
Abstract
Smart contracts are stateful programs deployed on blockchains; they secure over a trillion dollars in transaction value per year. High-stakes smart contracts often rely on timely alerts about external events, but prior work has not analyzed their resilience to an attacker suppressing alerts via bribery. We formalize this challenge in a cryptoeconomic setting as the alerting problem, giving rise to a game between a bribing adversary and $n$ rational participants, who pay a penalty if they are caught deviating from the protocol. We establish a quadratic, i.e., $O(n^2)$, upper bound, whereas a straightforward alerting protocol only achieves $O(n)$ bribery cost. We present a simultaneous game that asymptotically achieves the quadratic upper bound and thus asymptotically-optimal bribery resistance. We then present two protocols that implement our simultaneous game: The first leverages a strong network synchrony assumption. The second relaxes this strong assumption and instead takes advantage of trusted hardware and blockchain proof-of-publication to establish a timed commitment scheme. These two protocols are constant-time but incur a linear storage overhead on the blockchain. We analyze a third, sequential alerting protocol that optimistically incurs no on-chain storage overhead, at the expense of $O(n)$ worst-case execution time. All three protocols achieve asymptotically-optimal bribery costs, but with different resource and performance tradeoffs. Together, they illuminate a rich design space for practical solutions to the alerting problem.
