AIP BOLD Security Analysis


Authors: @red-swan @michael-oz

BOLD is a new dispute mechanism for Arbitrum which is permissionless and mitigates delay attacks. OpenZeppelin was asked by the ARDC to review the AIP. We assume that readers have read the AIP or at least the gentle introduction to which the AIP refers. Our analysis focuses on the parameters of BOLD involving the distribution of confiscated funds and their implications for the future.


Overall we were impressed with the amount of work that went into creating BOLD as well as the thoroughness of the analysis, and the quality of the documentation. The several documents linked in the AIP describe its intricacies well and do so effectively to the different target audiences. If they could be improved, we would suggest adopting a single nomenclature across the several documents (e.g. “challenge bond” vs. “mini-bond”, “challenge period 1” vs. ”dispute period”).

Confiscated Funds

The current validation scheme allows anyone to propose the next state in a canonical state chain, and users stake funds on which state they believe to be the correct next state. This proposed next state could be wrong, so anyone is allowed to dispute a proposed state within a confirmation period and losing a dispute means your assertion stake is confiscated. We were asked to consider possible ways for confiscated funds to be rewarded within the system. The research provided is extremely concerned about collusion between challengers, and we share this concern.

Reward funds based on actual network delay

One of the strengths of BOLD is that creating disputes does not significantly delay confirmation of the blocks assuming that there is no censorship of honest parties. So in a world without censorship, consider an honest party that is disputed by a malicious user. If their dispute ends before the challenge period is over, then no delay to the network has taken place and the honest block will become confirmed. If in reality both parties were the same and the malicious user was disputing with themselves, then it shouldn’t matter if they get a portion of their own stake as they’ve caused no delay and submitted an honest state for the network. The principle stated in the Economics paper is to have the assertion bond amount equal to the opportunity cost to the network of the maximum delay (one week). And this we believe could be a guiding principle in rewarding confiscated funds. Honest parties could get more of the confiscated funds the less time an honest state is delayed in confirmation. For example, consider bad states being posted and pruned quickly, honest parties could receive those funds.

Now let us consider censorship. If an honest state confirmation were delayed past the challenge period because honest parties were censored from sending dispute transactions, then it becomes less costly for malicious parties to delay the network if they are part of the honest party and receive their own confiscated stake. This is textbook griefing and should be discouraged. But there could be a sliding scale between the two scenarios. The function could be nuanced with cliffs where no rewards are transferred or exponentially decay as a state is delayed, but the overarching incentive could be in place where honest parties receive confiscated funds and more if state is not delayed.

There are some nuances surrounding waiting for paying out only to confirmed blocks. For example, if a bad state actor can censor honest parties from asserting, they can play disputes with themselves and win their own disputes but the “winning” bad state will not be confirmed once honest parties are able to send transactions to the network. They should not receive their rewards in this scenario and this delaying of paying rewards leads into another idea for how confiscated funds could be paid to honest parties.

Postpone rewarding funds

Next, consider a scenario where dishonest stakes are given to honest parties after six months. And again, let us consider the scenario above where a malicious user raises disputes with themselves at every honest state they post, delaying confirmation of states for as long as possible with censorship. Such a malicious user would need extraordinary capital to continuously delay states for six months. In such a scenario, if the DAO were able to recognize the network duress and also were able to vote and stop the delayed reward payments, the malicious user’s attack would then become much more expensive to continue (hopefully prohibitively more expensive). Our understanding is that BOLD does not preclude determined, large entities from performing this kind of attack. Indeed, any such optimistic rollup is susceptible to this. However, the network duress would be quite obvious and allow the DAO to make decisions about delaying rewards to protect the network.

Now consider a malicious user that does not have the capital to perform this attack continuously. They would be able to perform the attack more often after receiving rewards for disputing with themselves. However, the actual rewards would be delayed substantially, perhaps enough so that the delays they cause to the network provide no material difficulty for its users. Therefore, the longer an honest party has to wait for their funds, the less the risk of delays to the network and, therefore, the greater the share of the confiscated funds could be paid. And again, if there are enough malicious users out there to cause delays to the network (perhaps all operating separately), giving the DAO the ability to turn off the payments should discourage the “market” for bad states.

The obvious criticism with this method is that it introduces a special role into a permissionless system. But this is already a component of the AIP, giving the DAO all of the confiscated funds and the ability to use those funds how they wish. This privileged role the DAO will have in these cases can always be removed in newer iterations of the dispute protocol. So its temporary power to pause delayed rewards does not seem so unpalatable.

The Changing Economic Environment

BOLD sufficiently incentivizes parties to behave in ways that are beneficial to the network. Indeed, the success of BOLD relies on some of these incentives being sufficient at all times to induce the desired behavior. To this end, we were very pleased to see the proposal including the idea about service fees being paid to validators and honest disputers. This may be enough to incentivize validators and it may be the case that there need not be any further reward policy for confiscated funds. But it is an utmost priority to observe how these incentives actually perform. Should validators/disputers simply find better things to do with their locked assertion assets, they will leave their role, and the network will suffer. BOLD does a good job of guaranteeing the correctness of the state chain as long as one honest member exists. However, there exists a very perverse incentive for the last honest actor to be dishonest since no one is left to challenge them. So, in practice, more than one honest actor is ideal, and monitoring the health of the validator pool should become an ongoing DAO responsibility. We would hope that the number of validators and the amounts staked become a regular talking point, brought up at large. In fact, we recommend the DAO regularly monitor and discuss all of the factors in the proposal that determine the economic parameters at least until the community feels incredibly confident with BOLD’s performance. These parameters include the price of WETH, yield rates, the TVL of the bridge, the time-to-depletion for DAO payouts, and more. Gathering this information could be a simple, manual task performed by a specific DAO entity, and many of these values seem scrapable which would make this monitoring even easier. In this sense, adopting BOLD should be understood as the DAO adopting the responsibility for the economics of BOLD and the community’s confidence in it.


Given the serious security implications of allowing permissionless disputes, we are pleased and impressed with the level of thoroughness with which the Offchain Labs team and Arbitrum community has discussed the risks of BOLD.

We explored concerns with the handling of confiscated funds as well as the future need to monitor and update BOLD parameters as economic conditions change. The algorithm has been well thought-out and should work as expected. However, it does depend on economic incentives behaving under present economic conditions that are subject to change. We recommend monitoring the economic factors of BOLD once in production and be ready to make adjustments as needed.

For more information on OpenZeppelin’s role as Security Member of ARDC, please visit our Notion homepage 1.

EDIT: Our first version of this post attempted to explain BOLD in terms of the “Classic” dispute mechanism but confused some readers because it didn’t clearly distinguish between censorship and non-censorship scenarios. We’ve edited this post on June 19th to use more precise language in describing the different scenarios under consideration.


Thanks for the analysis.
I still have a question.
You talked about two options for paying with confiscated funds.
But in the end, which option seems more realistic and safer?
Or would you like to hear other options from the community?

We hope to be part of a larger conversation and wanted to simply bring up some ideas we had with the intent to share a more thorough runthrough if the community found the idea intriguing. The second option would have smaller operational risk to implement and much easier to integrate into the monitoring period for BOLD.

These options are not mutually exclusive. The first idea aims toward having an automated solution, so the DAO doesn’t take on any future responsibilities. The problem is that the incentives aren’t perfect and there are some nuances about rewarding after disputes and an eventual confirmation. The second idea aims toward safety and ease but does require the DAO to manage it, which requires its attention to not be on something else that may be important.

1 Like