Stackelberg Attacks or: How I Learned to Stop Worrying and Trust the Blockchain
share
We identify a subtle security issue that impacts the design of smart contracts caused by the fact that agents may themselves deploy smart contracts. Typically, equilibria of games are analyzed in vitro, under the assumption that players cannot arbitrarily commit to strategies. However, equilibria obtained in this fashion do not hold in general in vivo, when games are deployed on a blockchain. Being able to deploy side contracts changes fundamental game-theoretic assumptions by inducing a meta-game, specifically a Stackelberg game with multiple commitments, wherein agents strategize to deploy the best contracts. Not taking these commitment capabilities into account thus fails to capture an important aspect of deploying smart contracts in practice. A game that remains secure when the agents can deploy contracts is said to be Stackelberg resilient. We show that Stackelberg resilience can be computed efficiently for any two-player game of perfect information and show that it is hard to compute in general. We show that if a game is Stackelberg k-resilient, that is, resilient when there are k contracts, it is also resilient when there are fewer contracts. We demonstrate the non-triviality of side contract resilience by analyzing two smart contracts for decentralized commerce from the literature. These contracts have the same intended functionality, but we show that only one is Stackelberg resilient. Our work highlights an issue that is necessary to address to ensure the secure deployment of smart contracts and suggests that other contracts already deployed on major blockchains may be susceptible to these attacks.
READ FULL TEXT