Cosmos is vulnerable: Governance and the validator

How does coupling governance with validators change incentives?
It may be more valuable to a validator to have governance voting power than to earn income for providing network security. This selection mechanism rewards power-seeking validators, while punishing the rest of the validators for putting a price on validator security and services.


Quick Takes

  • Combining Cosmos Hub governance with the validator role is problematic
  • The Hub’s design indirectly rewards power-seeking at the cost of the validator set
  • Undercutting the validator set to capture governance power drives down the value of validator security
  • Case study: Sikka is exploiting this vulnerability
  • Governance signalling is powerful
  • On-chain parameter changes via governance fast approaching
  • Call to research: should we separate Cosmos governance from validator security?
  • Design drives behaviour–be careful what you select for!

Related articles


Capturing Governance Power

What if someone decided to try to capture Cosmos Hub governance power with only 1000 ATOMs. How would they do that?

They would have to run a validator and attract as many delegations as possible, since 1000 ATOMs isn’t enough stake-backing to qualify for the active set of validators. Delegations are also important because, in practice, a validator’s governance voting power is proportional to the weight of its stake-backing.

What’s a good strategy for attracting delegations?

  1. Lower the barrier to delegation ie. charge zero fees;
  2. Leverage an existing position of power to provide additional value.

If this validator offers, for free, the same service as what all the other validators charge for, plus some other value like exchange liquidity or rebates, why would a delegator select another validator? This could be considered a sort of delegation-buying strategy.

This strategy attracts delegators because they don’t have to pay fees on the rewards they earn or for any number of other kinds of added value. Delegators could be attracted to a validator because the person running it is well-known, and perhaps there’s a peace of mind that their delegations are safe based on the operator’s social capital.

If the strategy works, delegations will flow to this validator and away from the others, and this validator will accumulate governance power. Even if the other validators lower their fees–the fees that sustain their operations–they likely will not be able to compete, unless they can monetize their position in some other way. If validators seek governance power first and foremost, it’s a race to the bottom for validator commission fees.

So others can’t compete. Who cares?

Okay, so your strategy worked and you’ve got lots of governance power that’s increasing daily. What’s the big deal? This is capitalism–what does it matter that the rest of the validators are losing delegations?

This strategy drives a selection mechanism that rewards power-seeking validators, while punishing the rest of the validators for putting a price on validator security and services. As with any social design, be careful what you select for.


Cosmos Validators

Validators serve two key roles in the Cosmos Hub: 1) running the network and 2) voting on governance proposals that change the network. The greater the number of unique entities running validators, the more the potential for the network to run in a decentralized way. It matters who runs validators, because they control how the network runs and changes.

Validator Business Model

Beyond acting as a network node, a Cosmos validator earns ATOMs for securely proposing and validating the blocks that make up the Cosmos Hub blockchain. Most validators earn a portion of their delegator’s rewards (ie. a commission) for providing the validator service.

The validator must first have enough stake-backing to qualify to be in the active validator set, currently limited to the top 100 validators. Therefore, the only way for a validator to earn rewards is to compete, via self-stake and/or delegated stake, with other validator candidates for one of the 100 active slots. Currently, the 100th ranked validator has a stake-backing of 80,001 ATOMs.

Once a validator has attracted enough delegated stake, they join the active set. Based on their commission fee, the validator keeps a percentage of the rewards that their delegators earn. Validators typically sell a portion of their commission-based earnings to pay for costs involved in their services, estimated to average around $2500 USD per month by Jack of KysenPool.

Validator Competition

Validator competition helps to keep commission fees balanced. But what happens when they can’t earn enough commission to pay their bills? They either shut down or change strategies.


“Unfortunately our frequent ROI calculations showed that the return would have remained negative for too long before we could develop what we wanted.” –Bity

Chorus One’s fee reduction announcement 17 days after losing 39% of their stake from a ~3M ATOM redelegation to Sikka.

This Vulnerability Is Being Exploited

Cosmos validators have identified that undercutting is a problem for the Hub. They have been brainstorming ideas to change how Cosmos works in order to mitigate the damage from 0-fee validators. Until recently, nobody has advocated for separating governance power from the validator role.

Case Study: the Cosmos validator Sikka

An example of this vulnerability being exploited can be found in the strategy used by the Cosmos validator Sikka. Led by Sunny Aggarwal, a well-known Cosmos researcher, Sikka appears to be leveraging a zero-fee commission with Sunny’s public recognition and insider status to dominate the validator set’s governance voting power.

Day by day, month by month, Sikka has been accumulating delegations that have been increasing their governance voting power.

I won’t dive too deep into the numbers here, but perhaps it’s worth comparing the relative success of other 0-fee validators that followed Sikka’s lead. Note that this is not a condemnation of Sikka or Sunny, as per this Twitter thread:

I think it’s valuable that Sunny was able to demonstrate this vulnerability before another entity managed to do something similar.


But delegators can override their validators..

By my calculation, of the 153M ATOMs that voted on Cosmos Hub 3 Upgrade Proposal D, 0.55% of those votes came directly from 14 token-holders (and one token-holder accounted for 76% of that). Thanks to Yannick for prompting me to point this out!

Since token-holders tend to be passive in token-based voting, and validator voting overrides are rare, Cosmos validators are the de facto executives of each proposal to change the network.

But governance is only signalling..

Currently, governance only has the power to signal changes to the network. The Cosmos Hub, still being in its infancy, relies upon its primary developer, All in Bits, which is contracted by the Interchain Foundation to implement and release changes to the Hub’s software. For now, voting power signals the right for the network’s software to be changed (or not changed) in a certain way, and All in Bits has the power to change that software, and the validators have the power to run that software (or not).

All in Bits has the power to ignore what’s signalled by governance and to release different software, but that would undermine a fundamental assumption of what we have come to expect about how the Cosmos Hub works. Some validators may choose not to run that software, and it would damage All in Bits’ reputation and the legitimacy of their role as protocol developers for the Hub.

Similarly, validators have the power to run a different version of the software than what is signalled by governance, but this would result in a hard fork, and could leave some validators stranded on a minority fork.

So in summary, a successful proposal is currently no more than a signal that is used to co-ordinate action, based on the assumption that everyone involved will honour the outcome of the vote. And that’s powerful. But we can expect more than just signalling.

Governance Power Will Include Enactment

Cosmos Hub 3 will introduce two key new governance features that will lend new power to voting.

Community pool spending

Currently there are ~190k ATOMs in the community pool, according to Hubble. Following the Cosmos Hub 3 upgrade, ‘community pool spending’ via governance proposals will be enabled. This means that we can directly fund Cosmos goods that benefit the entire network the same way we fund the security of the network (via inflation). Keep in mind that governance voting power will directly decide and enforce which proposals get funded.

On-chain parameter changes

The second feature pushes us beyond signalling, and enables us to fine tune how the network runs without disrupting it. Successful proposals will modify on-chain parameters without halting or forking the network. What kinds of changes could proposals trigger?

The inflation rate, the slashing parameters (either penalty or threshold), reward distribution amounts, governance parameters (eg. quorum), the unbonding period–these are some of the many impactful parameters that will soon be eligible to be changed by decisions enacted via governance voting power.


Call to Research:
Should we separate Cosmos governance from validator security?

Now that we know we’re vulnerable, we should do something about it. What should we do?

Time for a governance proposal

First, we should signal that we agree there’s a problem, and that it deserves attention. That can be done via governance proposal. Perhaps we’ll want to signal that the Interchain Foundation (ICF) should dedicate resources to researchers willing to undertake solving this problem. Research could also be funded by the community pool.

It’s Our Cosmos

Next, we should think about what we like about the current system. For example, validators tend to be vigilant, which is convenient, because attention is necessary for good governance, and token-holders seem to be passive. But that doesn’t mean that validators’ values are ideally aligned with the values of the network and the other stakeholders.

Perhaps there’s an opportunity to better distribute governance power.

We’ll want to think about how to solve this problem as stakeholders. What kind of role is best for representing stakeholders? Experts should only tell us how something may work, not what we should value.

Token-holders cannot be expected to pay attention to every proposal, can they? In that case they’ll need representation. If not validators by default, then who is best suited to represent token-holders for governance decisions? Perhaps this could be a dedicated role that anyone, including validators, can participate in. Token-holders could delegate their vote to a representative, in what’s called a liquid democracy.

Rather than unbundle governance from validators, perhaps there’s an opportunity to incentivize or productize token-holder voting.

If our system was designed to make good voting decisions a worthwhile activity, perhaps we would see more token-holder voting overrides. Thanks to Doug Petkanics (Livepeer Inc.) for pointing this out!

Perhaps there’s an in-between solution.

What if governance power could could be delegated separately from stake? In this case I could stake with one validator and have another validator vote on governance proposals on my behalf. Thanks to Sunny Aggarwal (All in Bits) for offering this idea!

Be careful what you select for

A liquid democracy is susceptible to capture via vote-buying. A design alternative to a bundled validator role should be well-researched and considered, with feedback from all stakeholders. Be wary of any claims of this being a simple problem to solve.

Sunny and Doug both pointed this out: decoupling governance from validators likely won’t solve consensus power centralization. I think it should help, but we’ll still want to research ways to improve consensus decentralization. I find proportional bond and unbond times (relative to consensus power) attractive.

How do we want the Cosmos Hub to evolve?

Our design decisions drive the success and failure of competing growth strategies in the Cosmos ecosystem, as well as the behaviours and attention of network participants. Ultimately, design decisions will determine which entities participate in our network, how they participate, and to what extent they participate.

I’m looking forward to helping to make Cosmos a better network for all of its stakeholders. Let’s work together on the Cosmos forum to solve this problem. Special thanks to Doug Petkanics, Sunny Aggarwal, and Jae Kwon for thoughtful feedback.


Hopefully you found this useful. Feedback is always welcome! I’m on Twitter.