>As far as I can tell there is no opportunity cost to casting a malicious vote, no repercussions, and no collective action barrier that needs to be overcome.

There is another interesting analysis on BMM and drivechains from /u/almkglor on reddit. I'm going to share here for visibility. 

The problem with drivechains and blind merged mining is the disconnect between voting and "blind" merge mining. With BMM, a miner can do:

  1. Not accept BMM, not vote.
  2. Not accept BMM, operate their own sidechain node, mine sidecoin, and vote correctly.
  3. Not accept BMM, always upvote (i.e. allow theft).
  4. Not accept BMM, always downvote (i.e. strangle).
  5. Accept BMM, not vote.
  6. Accept BMM, operate their own sidechain node, and vote correctly. (not mine sidecoin directly: they get paid in maincoin by sidecoin-only miners).
  7. Accept BMM, always upvote (i.e. allow theft).
  8. Accept BMM, always downvote (i.e. strangle).

3 and 7 will mean that non-verifying miners will be (inadvertently) complicit in theft. Drivechains have 1008-block cycles ostensibly to protect against theft, so that someone can "raise the alarm" and tell miners to downvote a particular theft withdrawal, but that sounds too much like centralized collusion to me.

Strategy 8 will dominate over strategy 6, since the miner does not have to run a sidechain node (reduced cost) while still earning the same as strategy 6.

Strategies 5->8 are all strictly superior to 1->4, so BMM does not really change anything: strategy 8 (equivalent to strategy 4 if BMM is not implemented) will still choke strategy 6 (equivalent to strategy 2 if BMM is not implemented)

It seems Drivechain's security model is: miners always upvote by default. If a theft withdrawal is done on the mainchain, some sidechain nodes call up their miner friends (which makes me worry about miner centralization) to downvote it instead.

The problem is: what if after a theft withdrawal is defeated, another theft withdrawal is done? And another, and another? This weakens the peg: while a theft withdrawal is on-going, a genuine withdrawal can't be posted (at least as I understand Sztorc's explanation). This chokes the sidechain withdrawal.

The difference from maincoin is that attempts to choke the block are somewhat costly and a maincoin user can offer a higher transaction fee to beat the spam. If side->main is choked, no amount of sidecoin can be offered to beat the spammed theft transactions.

I don't know, it seems like very weak security to me.

TLDR: a miner is most profitable if he always accepts BMM bribes, but downvotes withdrawal transactions (WT). This obviously isn't ideal because a withdrawal will never occur from the drivechain if enough miners employ this strategy -- which seems to be the most profitable strategy.

-Chris
 

On Mon, Dec 4, 2017 at 1:36 PM, Chris Pacia via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:

I think you are missing a few things.

First of all, I think the security model for sidechains is the same as
that of every blockchain

People will say things, like "but with sidechains 51% hashrate can steal
your coins!", but as I have repeated many times, this is also true of
 mainchain btc-tx.  is something else?

There are substantial opportunity costs as well as a collective action problem when it comes to re-writing the mainchain. 

Is there anything similar for drivechains? As far as I can tell there is no opportunity cost to casting a malicious vote, no repercussions, and no collective action barrier that needs to be overcome. 

Unless I'm missing something I wouldn't liken the security of a drivechain to that of the mainchain.

_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev