docs/threat-model.md
20 additions & 0 deletions
@@ -288,6 +288,26 @@ Mempool partitioning differs from eclipse attacks on voting/diffusion in that it
| 27 | Mempool partitioning via network control | Inconsistent mempools, conflicting EBs | Network infrastructure control | Limited: directional flow difference |
| 28 | Honeypot contract creating transaction races | Artificial high-volume conflicting traffic | Contract deployment costs / incentives | Limited: attacker pays for some conflicts |
+
### System operation and Governance
+
+
**Description**: Threats arising from the complexity and scale of deploying and operating Leios, including governance failures, implementation inconsistencies, and resource sustainability challenges. These risks stem from the inherent complexity of coordinating protocol upgrades across a decentralized network and the long-term operational demands of increased system capacity.
+
+
Backward compatibility failures represent a particularly critical risk, as demonstrated by recent mainnet events (Nov 2025) where differences in node version behavior led to chain forks until stake consolidated on node versions with consistent behavior. Any functional change or complexity increase in Leios can create similar scenarios where subtle implementation differences cause honest nodes to diverge. Hard fork coordination attacks target the governance process itself, attempting to prevent or delay beneficial upgrades through manipulation of stakeholder voting or readiness signaling. While governance attacks primarily aim to prevent hard forks, they could theoretically create similar network inconsistency effects if they result in partial deployment scenarios where some nodes upgrade while others remain on older versions, effectively creating the same divergent behavior as implementation bugs.
+
+
Excessive chain growth poses a different challenge where the success of Leios could paradoxically threaten decentralization. If transaction throughput increases faster than SPO storage capabilities, honest stake could be forced offline due to resource constraints, inadvertently concentrating power among well-resourced operators and giving adversaries advantages in most stake-based attacks.
+
+
**Impact**: These threats can undermine the fundamental assumptions that keep Cardano secure and decentralized. Backward compatibility failures create chain splits that require manual coordination to resolve. Governance attacks can prevent beneficial upgrades entirely or create persistent network splits. Excessive growth can force honest operators offline, reducing effective honest stake and strengthening potential attackers' relative position in all stake-based attacks.
**Mitigation**: Extensive conformance testing and testnet deployments reduce implementation risks. Comprehensive communication, education, and staged rollouts help ensure successful governance coordination. Conservative parameterization and monitoring of storage requirements protect against excessive growth, with protocol parameters adjusted based on observed SPO capabilities. The Ouroboros consensus protocols are provenly self-healing for temporary inconsistencies, but persistent issues require coordinated community response.
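Review bot: the three threats this section introduces in prose (backward compatibility failures, hard fork coordination attacks, excessive chain growth) never make it into the threat table that ends at row 28 immediately above, so unlike rows 27 and 28 they get no number, no "attacker resources" entry and no one-line mitigation that the rest of the table provides; consider adding rows 29-31 in the same format, e.g. `| 29 | Backward compatibility failure across node versions | Chain fork until stake consolidates on one behavior | None (implementation divergence) | Conformance testing, testnets |`, so the new category can be referenced by number like the others. Smaller points in the same hunk: the "recent mainnet events (Nov 2025)" sentence will age badly and should link to the incident report or post-mortem it refers to; "provenly self-healing" in the Mitigation paragraph should read "provably self-healing" and cite the result it relies on, since the claim is doing the work of the whole mitigation; and the heading "System operation and Governance" should be "System operation and governance" to match sentence case.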