In a Protocol Contracts Audit for The Graph, OpenZeppelin identified a vulnerability that allows a dishonest indexer to claim indexing rewards without indexing subgraphs (C02). The profitability of this attack vector depends crucially on the economic condition of the subgraph in question. Using economic analytic models of indexer and delegator behavior, Prysm Group has assessed that this attack may be profitable on some subgraphs under the protocol implementation in place as of July 2021. In order to fully mitigate this attack vector for all subgraphs, one or more upgrades to the protocol need to be implemented.
Prysm Group’s analysis of this attack includes:
- Allocation Equilibrium Analysis characterizes the equilibrium behaviors of financially motivated indexers and delegators;
- Spoofing Attack Profitability Analysis describes the economic conditions under which a spoofing attack is made unprofitable.
A spoofing attacker can make the same claim on indexing rewards as an honest indexer without doing indexing work or incurring the necessary costs. The attacker also faces the risk of slashing when malfeasance is detected, so they try to minimize value-at-risk by self-delegating part of the allocation. We find that the slashing risk outweighs the cost-saving from submitting an invalid PoI when the probability of detection, slashing percentage, delegation tax, and the total indexing reward on a subgraph are high enough.
Prysm Group believes that introducing a minimal curation threshold for subgraphs, below which the subgraph does not accrue indexing rewards, may eliminate profit opportunities for potential attackers without introducing onerous distortions that affect honest indexers.