# Electra Weak Subjectivity Calculations _Special thanks to Mikhail Kalinin and Justin Traglia for correcting several mistakes._ The __Weak Subjectivity Period (WSP)__ is the period of time a node can stop observing the chain for and when they return not be tricked by an adversary as to who is and isn't a validator. To execute a weak subjectivity attack, an attacker creates two diverging chains starting the moment the chain was last observed such that a minimal amount of their attacking balance needs to equivocate (and be slashed) in order for the attack to succeed. When a node is following the chain and is thus fully aware of all validator balances, the minimum amount of balance that needs to equivocate and be slashed is $\frac 1 3$ of the total active balance. As two divergent chains each need $\frac 2 3$ of the balance to finalize an epoch and the minimum intersection of $\frac 2 3$ and $\frac 2 3$ of the same set is $\frac 1 3$. The WSP is parameterized by the __Decay Parameter__ $D, \; \left(0<D<\frac 1 3 \right)$, which determines by how much we're willing to weaken the normal $\frac 1 3$ slashing guarentee for nodes that stop viewing the chain for the duration of the WSP. A typical value would be $D=10\%$, which means that if a node goes offline for the duration of the WSP, an attacker would have to equivocate with $\frac 1 3 - 10\% \approx 23\%$ of the total active balance in order to convince the returning node that a different chain to the canonical one is true. ## How the attack works At the moment the WSP starts (ie. a node stops observing the network), an attacker creates two chains, one public fork (___Chain A___) which is the canonical chain that online nodes follow and another private one (___Chain B___). When the offline node returns, the attacker reveals _Chain B_ to that node which is deceived into believing this is canonical as it is believable given what they knew about validator balances when they were last online and plausible changes since then. This requires the attacker to equivocate with some of their balance by voting on both _Chain A_ and _Chain B_ with the same validators for which they will likely be slashed. An attacker minimizes the amount of balance that needs to equivocate by making sure that the intersection between validators on _Chain A_ and _Chain B_ is as small as possible. They do this by activating new validators on _Chain A_ which aren't on _Chain B_ while simultaneously activating new validators on _Chain B_ which aren't on _Chain A_. They simultaneously do the same but with exiting validators. The per-epoch rate at which new validators can enter the chain is bounded by `get_balance_churn_limit(state)`, measured in `gwei`, which we will call $\delta$. The same limit applies to exits. Therefore _Chain A_ can activate $\delta$ new validators while simultaneously exiting $\delta$ validators, resulting in a total chainge of $2\delta$. _Chain B_ does the same, but with different validators, and therefore they diverge from one-another at a rate of $2\delta + 2\delta = 4\delta$ per epoch. ## The Math Let $\delta$ be the per epoch churn limit (in `gwei`) Let $n$ represent the number of epochs since the start of the WSP Let $\sigma_n$ be the total active balance after $n$ epochs Thus, $\sigma_0$ is the total active balance when the WSP begins At the start of an attack ($n=0$), the slashable balance is $\frac 1 3 \sigma_0$. As explained above, the attacker reduces the size of the intersecting balance by $4\delta$ per epoch and therefore after $n$ epochs, the slashable balance is: $$ \begin{align*} \text{slashable balance}\; & = \frac 1 3 \sigma_0 - \underbrace{2n\delta}_{\text{Chain A}} - \underbrace{2n\delta}_{\text{Chain B}} \\ \text{slashable balance}\; & = \frac 1 3 \sigma_0 - 4n\delta \end{align*} $$ By definition, a node is inside the WSP iff at least $\frac 1 3 - D$ fraction of the total staked balance is slashable. Thus, we require that: $$ \require{cancel} \begin{align*} \text{WSP threshold balance} & < \text{slashable balance} \\ \sigma_0 \left( \frac 1 3 - D \right) & < \frac 1 3 \sigma_0 -4n\delta \\ \cancel{\frac 1 3 \sigma_0} - \sigma_0 D & < \cancel{\frac 1 3 \sigma_0} -4n\delta \\ 4n\delta & < \sigma_0 D \\ n & < \frac{\sigma_0 D}{4\delta} \end{align*} $$ ## Appendix: Consolidations vs Activations and Exits In terms of the divergence capable with consolidations, consolidating balance $b$ into $a$ results in a total change to the validator set of $2b$. It counts twice as the set of validator balances changes by $b$ first by going from $V = \{ a, b, \dots \}$ to $V^\prime = \{ a, 0, \dots \}$ and again by $b$ when going to $V^{\prime\prime} = \{ a+b, 0, \dots \}$. Therefore, for the purposes of the WSP a consolidation can be modeled as both an activation and an exit at the same time and is bound by the same churn rate, $\delta$. Thus, consolidations on each chain change the set of balances by $2\delta$. The `consensus_specs` enforce that the sum of the churn due to activations, exits, and consolidations be less than or equal to $\delta$, the above WSP limit calculations suffice to capture the effects of both.