Robust Restaking Networks

Durvasula, Naveen; Roughgarden, Tim

doi:10.4230/LIPIcs.ITCS.2025.48

Robust Restaking Networks

Naveen Durvasula

Columbia University, New York, NY, USA Tim Roughgarden

a16zcrypto, New York, NY, USA
Columbia University, New York, NY, USA

Abstract

We study the risks of validator reuse across multiple services in a restaking protocol. We characterize the robust security of a restaking network as a function of the buffer between the costs and profits from attacks. For example, our results imply that if attack costs always exceed attack profits by 10%, then a sudden loss of .1% of the overall stake (e.g., due to a software error) cannot result in the ultimate loss of more than 1.1% of the overall stake. We also provide local analogs of these overcollateralization conditions and robust security guarantees that apply specifically for a target service or coalition of services. All of our bounds on worst-case stake loss are the best possible. Finally, we bound the maximum-possible length of a cascade of attacks.

Our results suggest measures of robustness that could be exposed to the participants in a restaking protocol. We also suggest polynomial-time computable sufficient conditions that can proxy for these measures.

Keywords and phrases:

Proof of stake, Restaking, Staking Risks

Copyright and License:

2012 ACM Subject Classification:

Networks

\rightarrow

Network economics

Related Version:

Full Version: https://arxiv.org/abs/2407.21785

Acknowledgements:

We thank Tarun Chitra, Soubhik Deb, Sreeram Kannan, Mike Neuder, and Mallesh Pai for comments on earlier drafts of this paper. We thank Soubhik and Sreeram in particular for emphasizing the importance of local guarantees.

Funding:

This research was supported in part by NSF awards CCF-2006737 and CNS-2212745, and research awards from the Briger Family Digital Finance Lab and the Center for Digital Finance and Technologies.

DOI:

10.4230/LIPIcs.ITCS.2025.48

Event:

16th Innovations in Theoretical Computer Science Conference (ITCS 2025)

Editors:

Raghu Meka

Series and Publisher:

Leibniz International Proceedings in Informatics, Schloss Dagstuhl – Leibniz-Zentrum für Informatik

1 Introduction

1.1 Sharing Validators Across Services

Major blockchain protocols such as Bitcoin or Ethereum are “decentralized,” meaning that transaction execution is carried out by a large and diverse set of “validators.” Such protocols offer a form of “trusted computation,” in the sense that, because they are decentralized, no one individual or entity can easily interfere with their execution. A decentralized and Turing-complete smart contract platform such as Ethereum can then be viewed as a trusted programmable computer capable of performing arbitrary computations.

While Turing-complete, the computing functionality offered by Ethereum smart contracts suffers from limitations imposed by design decisions in the underlying consensus protocol. Most obviously, computation and storage in the Ethereum virtual machine is scarce, with perhaps 15–20 transactions processed per second. Could the Ethereum protocol be somehow bypassed, opening the door for different or more powerful computing functionality, while retaining at least some of the protocol’s decentralization? Or, what about applications that are not compatible with all Ethereum validators, perhaps due to demanding hardware requirements or regulatory constraints?

One natural approach to addressing these challenges is to allow the reuse of a blockchain protocol’s validators across multiple services, where a “service” is some task that could be carried out by some subset of validators. (The initial blockchain protocol can be viewed as the canonical service, performed by all validators.) For example, such services could include alternative consensus protocols (perhaps with higher throughput, a different virtual machine, or different consistency-liveness trade-offs), storage (“data availability”), or verifiable off-chain computation (“zk coprocessors”).¹¹1Several projects, in various stages of production, are currently exploring this idea; the Eigenlayer restaking protocol [15] is perhaps the most well known of them. We stress that our goal here is to develop a model that isolates some of the fundamental challenges and risks of validator reuse, independent of any specific implementation of the idea.

The obvious danger of validator reuse is an increased risk of a validator deviating from its intended behavior (e.g., due to overwhelming computational responsibilities). Our focus here is deliberate validator deviations in response to economic incentives, such as the profits that could be obtained by corrupting one or more services. The goal of this paper is to quantify such risks:

Under what conditions can validators be safely reused across multiple services?

1.2 Cryptoeconomic Security

We first review the usual “cryptoeconomic” approach to answering a more basic question: when is a blockchain protocol, without any additional services, “safe from attack”? The idea is to perform a cost-benefit analysis from the perspective of an attacker, and declare the protocol safe if the cost of carrying out an attack exceeds the profit that the attacker can expect from it; see also Figure 1. In the specific case of a proof-of-stake blockchain protocol with slashing (such as Ethereum), the cost can be estimated as the value of the validator stake that would be lost to slashing following an attack. For example, let $V$ denote the set of validators of a proof-of-stake blockchain protocol and $\sigma_{v}$ the stake of validator $v\in V$ (e.g., 32 ETH in Ethereum). In a typical PBFT-type protocol in which double-voting validators lose all of their stake, the cost of an attack (i.e., causing a consistency violation) can be bounded below by $\tfrac{1}{3}\sum_{v\in V}\sigma_{v}$ . In this case, the protocol can be regarded as cryptoeconomically secure provided the estimated profit $\pi$ of an attack is less than this quantity. To the extent that there is a “buffer” between $\tfrac{1}{3}\sum_{v\in V}\sigma_{v}$ and $\pi$ , the protocol can be treated as “robustly secure,” meaning secure even after a sudden loss of some amount of stake (e.g., due to slashing caused by a software error).

Figure 1: A blockchain protocol operated by a collection of validators, with

\pi

denoting the profit of successfully attacking the protocol and

\sigma_{v}

the amount of stake posted by a validator

v

as collateral.

1.3 Our Results: Robustly Secure Validator Reuse

Viewing the basic scenario of a blockchain protocol as a star graph (with one “service” representing the protocol connected to all the validators running it), the more complex scenario of validators reused across multiple services can be viewed as an arbitrary bipartite graph (Figure 2). As before, we suppose that each validator $v\in V$ has some stake $\sigma_{v}$ that can be confiscated in the event that $v$ participates in an attack on a service that it has agreed to support. There is now a set $S$ of services, with $\pi_{s}$ denoting the profit an attacker would obtain by compromising the service $s\in S$ .²²2We follow [15] and assume that the estimates on attack profitability (the $\pi_{s}$ ’s) are given. Developing tools to help produce such estimates in practice is an important open research direction. We assume that compromising a service $s\in S$ requires the participation of an $\alpha_{s}$ fraction of the overall validator stake supporting $v$ (e.g., $\alpha_{s}=1/3$ ). With this expanded network formalism to capture multiple services, when should we consider a network to be “secure”?

Figure 2: A general restaking network, with validators reused across multiple services.

Intuitively, a network is insecure if there is a set of services that can be profitably attacked. This requires two conditions to be satisfied: the validators $B\subseteq V$ carrying out the attack must control sufficient stake to do so (for each service $s$ in the attacked set $A$ , the validators of $B$ control at least a $\alpha_{s}$ fraction of the staked pledged to $s$ ), and they must profit from it (i.e., $\sum_{s\in A}\pi_{s}>\sum_{v\in B}\sigma_{v}$ ). We call such a pair $(A,B)$ a valid attack and a network secure if there are no valid attacks; see also Figure 3. With multiple services, security is an inherently combinatorial (as opposed to binary) notion. For example, the computational problem of checking whether a network is secure is as hard as the (coNP-hard) problem of verifying the expansion of a bipartite graph (see [12]).

(a) A valid attack.

(b) A secure network.

Figure 3: Two restaking networks. Each service (left-hand side vertex) and validator (right-hand side vertex) is labeled with its profit-from corruption or stake, respectively. Assume that a service can be corrupted if and only if it is attacked by at least half of its validators (i.e.,

\alpha_{s}=1/2

for every service

s

). The restaking network in (a) is not secure because there is a valid attack (indicated by the dotted line): three validators can earn a profit of 4 by corrupting all four services while losing only three units of stake. The restaking network in (b) is secure.

When is a network “robustly secure,” in the sense that the sudden loss of a small amount of stake cannot enable a catastrophic attack? Unlike the “all-or-nothing” version of this question with a single service, with multiple services, the following more fine-grained question is the appropriate one: given an initial shock in the form of a sudden loss of a $\psi$ fraction of the overall stake, what is the total fraction of stake that might be lost following any consequent valid attacks?

As in the case of a single service, some amount of “buffer” in stake (relative to attack profits) is necessary for robust security. We parameterize this overcollateralization factor via a parameter $\gamma$ and suppose that, whenever $B\subseteq V$ is a subset of validators capable of corrupting all the services in $A\subseteq S$ , the total stake of $B$ is at least a $1+\gamma$ factor larger than the total profit from corrupting all of $A$ . For example, this condition holds in the network in Figure 3(b) for $\gamma=1/2$ (but not for larger values of $\gamma$ ).

Our first main result (Theorem 4) precisely characterizes the worst-case (over bipartite graphs and shocks, as a function of $\gamma$ ) fraction of the overall stake that can be lost due to a shock of size $\psi$ : $\left(1+\tfrac{1}{\gamma}\right)\psi$ . Because the network was secure prior to the shock, the value of a $\left(1+\tfrac{1}{\gamma}\right)\psi$ fraction of the overall stake is also an upper bound on the total profit obtained from all of the attacked services.

We also show that our result is tight in a strong sense (Theorem 6 and Theorem 7): for every $\psi$ , $\gamma$ , and $\epsilon$ greater than zero such that $0\leq\left(1+\frac{1}{\gamma}\right)\psi-\epsilon\leq 1$ , there exists a restaking graph in which a $\psi$ fraction of the overall stake can disappear in a shock that results in the loss of at least a $\left(1+\frac{1}{\gamma}\right)\psi-\epsilon$ fraction of the overall stake.³³3After slightly reducing the validator stakes, the network in Figure 3(b) already shows that the bound is tight for the special case in which $\psi=1/5$ and $\gamma$ is arbitrarily close to $1/2$ . (Consider a shock that knocks out the validator that is connected to all four services.)

Qualitatively, this result implies that a constant-factor strengthening of the obvious necessary condition for security automatically implies robust security. For example, if attack costs always exceed attack profits by 10%, then a sudden loss of .1% of the overall stake cannot result in the ultimate loss of more than 1.1% of the overall stake.

Our result suggests a “risk measure” that could be exposed to the participants in a restaking protocol, namely the maximum value of the buffer parameter $\gamma$ that holds with respect to the current restaking network. We also suggest easy-to-check sufficient conditions that can proxy for this risk measure (Corollary 5). These conditions are similarly tight, as shown in Theorem 6 and Theorem 7.

1.4 Our Results: Local Robust Security Guarantees

The results described in Section 1.3 are “global” with respect to the network structure, in three distinct senses: (i) the overcollateralization condition is assumed to hold for every subset $B\subseteq V$ of validators and $A\subseteq S$ of services that $B$ is capable of corrupting; (ii) the initial shock can affect any subset of validators, subject to the assumed bound of $\psi$ on the total fraction of stake lost; and (iii) any subset of validators might lose stake following the initial shock, subject to our upper bound of $(1+\tfrac{1}{\gamma})\psi$ on the total fraction of lost stake.

Local guarantees

We next pursue more general “local” guarantees, which are parameterized by a set $C$ of services. (The global guarantees will correspond to the special case in which $C=S$ .) For example, $C$ might be a set of closely related services that share a number of dedicated validators. The operators of such a set $C$ might object to both the assumptions and the conclusion of our global guarantee:

$\blacksquare$

How can we be sure that the overcollateralization factor holds for services and validators that we know nothing about?
$\blacksquare$

And even if we could, how can we be sure that random validators that we have nothing to do with won’t suddenly lose their stake (e.g., because they supported a malicious or buggy service), resulting in an initial shock the causes the loss of more than a $\psi$ fraction of the overall stake?
$\blacksquare$

And even if we could, how can we be sure that our validators won’t be the ones that lose their stake following a shock that is purely the fault of other services and/or validators?

To address these concerns, we next consider a refined version of the basic model, parameterized by a set $C$ of services. We denote by $\Gamma(C)$ the validators that are exclusive to $C$ , meaning that they contribute to no services outside $C$ . (In the special case in which $C=S$ , $\Gamma(C)=V$ and we recover the original model.) Intuitively, the validators in $\Gamma(C)$ are the ones that services in $C$ are “counting on”; other validators support (potentially malicious or buggy) services outside $C$ and, from $C$ ’s perspective, could disappear at any time. We then restrict attention to initial shocks in which at most a $\psi$ fraction of the total stake controlled by the validators of $\Gamma(C)$ is lost. (The shock can affect validators outside of $\Gamma(C)$ arbitrarily.) The goal is then to identify overcollateralization conditions guaranteeing that, no matter what the initial shock and subsequent attacks, the fraction of stake ultimately lost by the validators in $\Gamma(C)$ is bounded (by a function of the shock size $\psi$ and an overcollateralization parameter $\gamma$ ).

Generalizing our global guarantees to local guarantees is not straightforward and, as the next two examples show, requires additional compromises. The first example shows that protection can be guaranteed only against a subset of valid attacks, a natural and well motivated subset that we call “stable attacks.” The second example shows that, even when restricting attention to stable attacks, overcollateralization is required not only for potential attacks, but more generally for what we call “attack headers.”

Figure 4: Simple overcollateralization is insufficient in the local setting. There are two restaking networks shown above. In each, the validators are denoted along with their corresponding stakes by the yellow circles. Services and their profits from corruption are denoted by the blue rounded squares. In each of these networks, the service outlined in green is overcollateralized. However, despite being unrelated to the overcollateralized service, if the validator outlined in red disappears, the validators in yellow can attack all services (including the overcollateralized one).

Necessity of restricting to stable attacks

In more detail, in the first example (depicted on the left of Figure 4), we consider a restaking network with two services and three validators. (Vertices in this figure correspond to validators, which were previously represented as the right-hand side vertices of a bipartite graph; each service is now identified with its neighborhood of validators.) The service highlighted in green on the left has $100$ times as much stake securing it as its profit from corruption, and shares no validators with other services, so one might hope that it would be protected from any shocks that affect only the other validators. However, if the validator outlined in red disappears, the two validators outlined in yellow can attack both services for a profit of $102-101>0$ . But this example is unsatisfying: the validator with stake $1$ could have attacked the service with profit from corruption $101$ on its own to yield a profit of $100$ . The addition of the validator with stake $100$ added $100$ to the cost of the attack, but only added $1$ (from the corruption of the service highlighted in green) to the profit. We show in Theorem 8 that the issue suggested by this example is fundamental: without further restrictions on attacks that rule out contrived examples such as this one, there does not exist a local condition that guarantees local security. In response, we confine attention to sequences of what we call stable attacks in which all of the attacking validators contribute positively to the profit of the attack (as opposed to free riding on the profits attributable to other attacking validators). The attack in the example is not stable, as the validator with stake $100$ was not a profitable addition to the attack that could have been carried out by the validator with stake $1$ .

Necessity of overcollateralizing attack headers

Even if we restrict our attention to stable attacks, simple overcollateralization is insufficient to guarantee local security. To appreciate the issue, consider the restaking network shown on the right in Figure 4. In this example, there are three services, each with a profit from corruption of $1$ , and three services each with stake $1$ . Each validator is used to secure two different services. The service outlined in green is overcollateralized in that its profit from corruption is $1$ , but two units of stake stake are securing it. Despite this, if the unrelated validator outlined in red disappears, the two validators outlined in yellow can attack all three services for a profit of $3-2>0$ . Furthermore, if all validators are required to attack each service (i.e., $\alpha_{s}=1$ ), then this attack is stable, as the inclusion of both validators in the attack is profitable. Thus, despite being overcollateralized, a stable attack can be launched on the service highlighted in green even if stake unrelated to the service disappears in a shock.

We find that to guarantee robust security for a coalition of services $C$ using only “local” information, it is necessary to overcollateralize not only pairs $(A,B)$ where $B$ is a set of validators capable of attacking all services in $A$ , but a more general collection of pairs that we call attack headers. Informally, this amounts to requiring that there is some “buffer” in stake for any potential attack on some services in $C$ even if we were to allow every validator that is also securing a service outside of $C$ to join the attack without considering their profitability. Our main result here (Theorem 10) formally provides a local condition guaranteeing that, whenever an initial shock knocks out at most a $\psi$ fraction of the stake that provides security exclusively to $C$ , the worst-case loss of such stake, after an arbitrary sequence of stable attacks, is at most a $(1+\tfrac{1}{\gamma})\psi$ fraction. We show that our bounds are tight and indeed require overcollateralization of all attack headers (Corollary 14 and Theorem 15), and again provide easily computable sufficient (and similarly tight) conditions that can proxy for the overcollateralization condition (Corollary 13). Our local condition generalizes the global overcollateralization condition, with the latter corresponding to the special case of the former in which $C=S$ .

1.5 Our Results: Cascading Attacks

An attack on a restaking network results in a loss of stake (of the attacking validators), and this may introduce new opportunities for other sets of validators to carry out profitable attacks. That is, an initial shock may set off an entire cascade of attacks. (All of the bounds on stake loss described in Sections 1.3 and 1.4 hold for cascades of attacks of arbitrary length.) Our final result concerns the maximum-possible length of such a cascade, and shows that this quantity is also governed in part by the overcollateralization factor $\gamma$ .

Precisely, we define the reference depth of a cascade of attacks as a measure of the “long-range dependence” between different attacks in an attack sequence. For example, if each attack in the sequence is directly enabled by the loss of the validators slashed in the previous attack, then the reference depth of the sequence is 1. Our main result here (Theorem 16) bounds the maximum-possible attack length as a function of the reference depth $k$ , the shock size $\psi$ , the overcollateralization factor $\gamma$ , and the minimum stake $\epsilon$ held by a validator: $k(1+\log_{1+\gamma}(\frac{\psi\cdot[\text{total stake}]}{\epsilon\gamma}))$ . For example, in the case of constant reference depth and equal validator stake amounts, the worst-case attack length is logarithmic in the number of validators with overcollateralization and linear without it.

1.6 Related Work

Our focus on the risks of cascading failures following a small shock echoes some of themes in the literature on systemic risk in financial networks. For example, Eisenberg and Noe [9] that study the existence and structure of inter-firm payments in a financial network following a default. This work is extended by Glasserman and Young [11], who study how “connectedness,” meaning the fraction of liabilities that a firm externally owes, affects contagion risk. Acemoglu et al. [2] build further on this work and study network “stability,” meaning the propensity for shocks to propagate; they show that connectivity initially improves stability, but then at a phase transition, denser connectivity leads to increased shock propagation. In a subsequent paper, Acemoglu et al. [1] unify a number of the preceding results.

A separate line of work, beginning with Chen et al. [6], aims to axiomatically characterize systemic risk measures. The model in [6] can capture, in particular, a contagion model characterized by a matrix of profits and losses over different firms and outcomes. The results in [6] characterize the global measures of risk (operating on the matrix) that satisfies certain sets of desirable axioms. This is work is expanded upon in Kromer et al. [13], where the authors consider general outcome measure spaces, as well as in Feinstein et al. [10], where the authors consider set-valued risk measures. Battison et al.[4] study systemic risk measurement when a regulator has limited information about contracts made between financial network participants (e.g., the fraction of the face value that can likely be recovered if a counterparty defaults), and show how small errors in knowledge can lead to large errors in systemic risk measurement.

Our work also shares some conceptual similarity with the well-known work of Diamond and Dybvig [8] on bank runs and of Brunnermeier et al. [5] on the risks of re-hypothecation.

The model in the present work differs substantially from those considered in the aforementioned papers, in large part because of the idiosyncrasies of restaking networks, including their combinatorial and bipartite nature and their susceptibility to economically motivated attacks.

Restaking has also, to a limited extent, been studied in its own right. The EigenLayer team introduces restaking in [15]. The framing of an economically motivated attacker that trades off stake loss with profits from corruption appears in [15], and is used also by Deb et al. [7]. Chitra and Neuder [14] discuss restaking risk from a validator perspective, comparing restaking with investments in other financial instruments (e.g. bonds). Alexander [3] considers the interplay between existing leveraging schemes and liquid restaking tokens, which can amplify large-scale credit risk.

2 Model

Validators and Services

We consider a setting in which there is a set $V$ of validators and a set $S$ of services. Each service $s\in S$ has some profit from corruption $\pi_{s}$ , and each validator $v\in V$ has some stake $\sigma_{v}$ . We also associate with each service $s$ a parameter $\alpha_{s}$ that denotes the fraction of stake required to corrupt/launch an attack on $s$ . We call a bipartite graph $G=(S,V,E,\pi,\sigma,\alpha)$ a restaking graph; an edge is drawn between a validator $v\in V$ and a service $s\in S$ if $v$ is restaking for $s$ . For a given set of vertices $A$ in a graph $G$ , we use the notation $N_{G}(A)$ to denote the neighbors of $A$ .

Attack Dynamics

For simplicity, we assume that validators lose their full stake $\sigma_{v}$ if they launch an attack on a service. As such, for a given collection of services $A\subseteq S$ , and a given collection of validators $B\subseteq V$ restaking for those services, we say that $(A,B)$ is an attacking coalition for a restaking graph $G$ if the validators in $B$ possess enough stake to corrupt the services $A$ :

\displaystyle\underbrace{\sum_{v\in B\cap N_{G}(\left\{s\right\})}\sigma_{v}}_% {\text{Total stake in $s$ owned by validators $B$}}\geq\alpha_{s}\cdot% \underbrace{\sum_{v\in N_{G}(\left\{s\right\})}\sigma_{v}}_{\text{Total amount% restaked in $s$}}

\displaystyle\forall s\in A

(1)

We further say that $(A,B)$ is a valid attack if it is an attacking coalition that has an incentive to launch an attack:

\underbrace{\sum_{s\in A}\pi_{s}}_{\text{Total profit from corrupting $A$}}>% \underbrace{\sum_{v\in B}\sigma_{v}}_{\text{Total stake owned by validators $B% $}}

(2)

If a valid attack $(A,B)$ is carried out, we denote by $G\searrow B$ the induced subgraph $G\left[S,V\setminus B\right]$ . The graph $G\searrow B$ denotes the state of the restaking graph after the attack is carried out. If no valid attacks exist on the graph, we call it secure. To simplify notation, for any subset of validators $B\subseteq V$ , we will use the shorthand $\sigma_{B}$ to denote $\sum_{v\in B}\sigma_{v}$ . Similarly, for any $A\subseteq S$ , we will use $\pi_{A}$ as shorthand for $\sum_{s\in A}\pi_{s}$ .

EigenLayer sufficient conditions

We note in passing that, in their whitepaper [15], EigenLayer proposes some efficiently verifiable sufficient conditions for security that they check to ensure that an attack does not exist.

Claim 1 (EigenLayer Sufficient Conditions, from Appendix B.1 of the EigenLayer Whitepaper [15]).

A restaking graph $G$ is secure if for each validator $v\in V$ ,

\sum_{s\in N_{G}\left\{v\right\}}\frac{\sigma_{v}}{\sigma_{N_{G}\left(\left\{s% \right\}\right)}}\cdot\frac{\pi_{s}}{\alpha_{s}}\leq\sigma_{v}

(3)

Proof.

It is shown in Appendix B.1 of the whitepaper that if Equation 3 holds for $G$ , then the graph is secure (i.e. no valid attacks $(A,B)$ satisfying Equations 1 and 2 exist). $\hfill\vartriangleleft$

Cascading attacks

Our goal is to understand when a small shock can result in the loss of a large fraction of the overall stake. Small shocks can turn into large shocks by means of a cascading attack. Formally, we say that a disjoint sequence $(A_{1},B_{1}),\dots,(A_{T},B_{T})\in 2^{S}\times 2^{V}$ is a valid cascade of attacks on a restaking graph $G=(S,V,E,\pi,\sigma,\alpha)$ if for each $t\in[T]$ , $(A_{t},B_{t})$ is a valid attack on $G\searrow\bigcup_{i=1}^{t-1}B_{i}$ . We denote by $\mathcal{C}(G)$ the set of all such sequences of valid cascading attacks.

Worst-case stake loss

We now define a metric that measures the total potential loss of stake due to a sequence of cascading attacks. In our model, we first suppose that an initial small shock decreases the amount of stake. Formally, we define, for a given restaking graph $G=(S,V,E,\pi,\sigma,\alpha)$ ,

\mathbb{D}_{\psi}(G):=\left\{D\subseteq V\mid\frac{\sigma_{D}}{\sigma_{V}}\leq% \psi\right\}

(4)

to be the set of validator coalitions that constitute at most a $\psi$ -fraction of all stake. Given some $D\in\mathbb{D}_{\psi}(G)$ , we use the notation $G\searrow D:=G\left[S,V\setminus D\right]$ to denote the induced subgraph of the restaking graph when we delete the validators $D$ . We now define

R_{\psi}(G):=\underbrace{\psi}_{\text{Initial shock}}+\max_{D\in\mathbb{D}_{% \psi}(G)}\max_{(A_{1},B_{1}),\dots,(A_{T},B_{T})\in\mathcal{C}(G\searrow D)}% \underbrace{\frac{\sigma_{\bigcup_{t=1}^{T}B_{t}}}{\sigma_{V}}}_{\text{Stake % lost from cascading attacks}}

(5)

This quantity represents the worst-case total fraction of stake lost due to an initial $\psi$ -fraction of the stake disappearing. By construction, $\psi\leq R_{\psi}(G)\leq 1$ .

3 Overcollateralization Provides Robust Security

In this section, we show that “scaling up” the definition of security automatically results in robust security, meaning bounded losses from cascading attacks that follow an initial shock. We first show that, without loss of generality, it suffices to consider single valid attacks $(A,B)\in\mathcal{C}(G\searrow D)$ instead of more general cascading attacks.

Lemma 2.

Let $G=(S,V,E,\pi,\sigma,\alpha)$ be an arbitrary restaking graph, and further suppose that $(A,B)$ is an attacking coalition on $G\searrow D$ , where $D\subseteq V$ . Then, $(A,B\cup D)$ is an attacking coalition on $G$ .

Proof.

Because $(A,B)$ is an attacking coalition on $G\searrow D$ , we must have by Equation 1 that

\displaystyle\sigma_{B\cap N_{G}\left\{s\right\}}\geq\alpha_{s}\cdot\sigma_{N_% {G}\left\{s\right\}\setminus D}

\displaystyle\forall s\in A

(6)

It follows that for any $s\in A$ ,

$\displaystyle\sigma_{\left(B\cup D\right)\cap N_{G}\left\{s\right\}}$	$\displaystyle=\sigma_{B\cap N_{G}\left\{s\right\}}+\sigma_{D\cap N_{G}\left\{s% \right\}}$	(7)
	$\displaystyle\geq\alpha_{s}\cdot\sigma_{N_{G}\left\{s\right\}\setminus D}+% \sigma_{D\cap N_{G}\left\{s\right\}}$	(8)
	$\displaystyle\geq\alpha_{s}\cdot\sigma_{N_{G}\left\{s\right\}}$	(9)

and the desired result follows. $\hfill\blacktriangleleft$

Corollary 3.

Let $G=(S,V,E,\pi,\sigma,\alpha)$ be an arbitrary restaking graph, and further suppose that $(A_{1},B_{1}),\dots,(A_{T},B_{T})\in\mathcal{C}(G)$ is a valid sequence of cascading attacks on $G$ . Then, $\left(\bigcup_{t=1}^{T}A_{t},\bigcup_{t=1}^{T}B_{t}\right)$ is also a valid attack on $G$ .

Proof.

By repeatedly applying Lemma 2, we find that for each $t\in[T]$ , $\left(A_{t},\bigcup_{i=1}^{t}B_{t}\right)$ is an attacking coalition on $G$ . It follows by inspection of Equation 1 that we must therefore have that $\left(\bigcup_{t}A_{t},\bigcup_{t}B_{t}\right)$ is an attacking coalition on $G$ . To finish the result, it suffices to show that Equation 2 holds for this attacking coalition on the original graph $G$ . This follows from the disjointness of the $A_{t}$ ’s and of the $B_{t}$ ’s:

\pi_{\bigcup_{t}A_{t}}=\sum_{t=1}\pi_{A_{t}}>\sum_{t=1}^{T}\sigma_{B_{t}}=% \sigma_{\bigcup_{t}B_{t}}

(10)

where in the inner inequality we use that for each $t\in[T]$ , $\pi_{A_{t}}>\sigma_{B_{t}}$ by Equation 2, as $(A_{t},B_{t})$ is a valid attack on $G\searrow\bigcup_{i=1}^{t-1}B_{i}$ . It follows that $\left(\bigcup_{t}A_{t},\bigcup_{t}B_{t}\right)$ is a valid attack on $G$ . $\hfill\blacktriangleleft$

Adding Multiplicative Slack

Our condition is given by adding multiplicative slack to Equation 2. Formally, we say that a restaking graph $G$ is secure with $\gamma$ -slack if for all attacking coalitions $(A,B)$ on $G$ ,

(1+\gamma)\underbrace{\pi_{A}}_{\text{Total profit from corrupting $A$}}\leq% \underbrace{\sigma_{B}}_{\text{Total stake owned by validators $B$}}

(11)

Theorem 4.

Suppose that a restaking graph $G=(S,V,E,\pi,\sigma,\alpha)$ is secure with $\gamma$ -slack for some $\gamma>0$ . Then, for any $\psi>0$ , $R_{\psi}(G)<\left(1+\frac{1}{\gamma}\right)\psi$ .

Proof.

Take any $\psi>0$ and any $D\in\mathbb{D}_{\psi}(G)$ for some restaking graph $G$ where (11) holds. Let $(A_{1},B_{1})\dots,(A_{T},B_{T})\in\mathcal{C}(G\searrow D)$ be arbitrary. Applying Corollary 3, we must have that $(\bigcup_{t}A_{t},\bigcup_{t}B_{t})\in\mathcal{C}(G\searrow D)$ as well. Defining $A:=\bigcup_{t}A_{t}$ and $B:=\bigcup_{t}B_{t}$ , we must therefore have that $(A,B)$ is an attacking coalition on $G\searrow D$ , and furthermore that

\displaystyle\pi_{A}

\displaystyle>\sigma_{B}

(12)

By Lemma 2, we must also have that $(A,B\cup D)$ is an attacking coalition on the original graph $G$ . It then follows that as $G$ is secure with $\gamma$ -slack, Equation 11 must hold on $(A,B\cup D)$ , whence

(1+\gamma)\pi_{A}\leq\sigma_{B\cup D}=\sigma_{B}+\sigma_{D}

(13)

Putting this together with Equation 12, we find that

(1+\gamma)\sigma_{B}<(1+\gamma)\pi_{A}\leq\sigma_{B}+\sigma_{D}\leq\sigma_{B}+% \psi\cdot\sigma_{V}

(14)

It follows that

	$\displaystyle\gamma\cdot\sigma_{B}<\psi\cdot\sigma_{V}$	$\displaystyle\implies\frac{\sigma_{B}}{\sigma_{V}}<\frac{\psi}{\gamma}$		(15)
		$\displaystyle\implies\psi+\frac{\sigma_{B}}{\sigma_{V}}<\left(1+\frac{1}{% \gamma}\right)\psi$		(16)

As we took $A_{1},\dots,A_{T}$ to be arbitrary, we find that $R_{\psi}(G)<\left(1+\frac{1}{\gamma}\right)\psi$ , as desired. $\hfill\blacktriangleleft$

The EigenLayer sufficient conditions (3) can be similarly “scaled up” to yield efficiently checkable sufficient conditions for security with $\gamma$ -slack (and hence, by Theorem 4, robustness to cascading attacks).

Corollary 5.

Let $G$ be a restaking graph such that, for all validators $v\in V$ ,

\sum_{s\in N_{G}(\left\{v\right\})}\frac{\sigma_{v}}{\sigma_{N_{G}\left(\left% \{s\right\}\right)}}\cdot\frac{(1+\gamma)\pi_{s}}{\alpha_{s}}\leq\sigma_{v}

(17)

Then, $R_{\psi}(G)<\left(1+\frac{1}{\gamma}\right)\psi$ .

Proof.

This follows from Theorem 4 and 1. Noting that the $\gamma$ -slack condition holds precisely iff no valid attacks exist when profits from corruption $\pi_{s}$ are inflated by a multiplicative factor of $(1+\gamma)$ , it suffices to apply EigenLayer’s sufficient conditions from 1 with modified profits from corruption $(1+\gamma)\pi_{s}$ . $\hfill\blacktriangleleft$ Note that, given a restaking network, it is straightforward to compute the minimum value of $\gamma$ such that the condition in (17) holds. This value can then be interpreted as an easily computed “risk measure” of such a network.

4 Lower Bounds for Global Security

In this section, we show that the upper bounds from the previous section are tight. We first show that if there is no multiplicative slack (i.e. $\gamma=0$ ), then very small shocks can cause all stake to be lost in the worst case. This holds even under the EigenLayer conditions (3)⁴⁴4The graph exhibited in the proof of Theorem 6 has $\pi_{x}/\sigma_{a}\to\infty$ as $\epsilon\to 0$ . It is possible to construct a counterexample with similar properties while maintaining that $\pi_{s}/\sigma_{v}$ is greater than some universal constant for any $s\in S$ and $v\in V$ . This is done in the full version of the paper..

Theorem 6.

For any $0<\epsilon<1$ , there exists a restaking graph $G$ that is secure and meets the EigenLayer condition (3), but has $R_{\psi}(G)=1$ for all $\psi\geq\epsilon$ .

Proof.

We construct a restaking graph $G=(S,V,E,\pi,\sigma,\alpha)$ with one service $S=\left\{x\right\}$ and two validators $V=\left\{a,b\right\}$ , where an edge exists between each validator and the service (i.e. $E:=(\left\{x\right\},\left\{a\right\}),(\left\{x\right\},\left\{b\right\})$ ). We then let $\sigma_{a}:=\epsilon$ , $\sigma_{b}:=1-\epsilon$ , $\pi_{x}:=1$ , and $\alpha_{x}:=1$ . Without loss of generality, we may assume $\psi<1$ as $R_{1}(G)=1$ for any restaking graph $G$ . This graph satisfies (3) as

	$\displaystyle\frac{\sigma_{a}}{\sigma_{a}+\sigma_{b}}\cdot\frac{\pi_{x}}{% \alpha_{x}}=\sigma_{a}$		(18)
	$\displaystyle\frac{\sigma_{b}}{\sigma_{a}+\sigma_{b}}\cdot\frac{\pi_{x}}{% \alpha_{x}}=\sigma_{b}$		(19)

whence the graph is also secure by 1. We now consider an initial shock $D=\left\{a\right\}$ . As $\sigma_{a}/\sigma_{V}=\epsilon\leq\psi$ , it follows that $D\in D_{\psi}(G)$ . The pair $(\left\{x\right\},\left\{b\right\})$ is a valid attack on $G\searrow D$ , since $\left\{b\right\}=N_{G\searrow D}\left\{x\right\}$ whence it is an attacking coalition, and $\sigma_{b}<\pi_{x}$ . It follows that $R_{\psi}(G)\geq\frac{\sigma_{a}+\sigma_{b}}{\sigma_{V}}=1$ as desired. $\hfill\blacktriangleleft$

Next, we show that the bound we give in Theorem 4 (indeed, more strongly, the condition given in Corollary 5) is tight for all $\psi,\gamma>0$ .

Theorem 7.

For any $\psi,\gamma,\epsilon>0$ such that

0\leq\left(1+\frac{1}{\gamma}\right)\psi-\epsilon\leq 1,

(20)

there exists a restaking graph $G$ that satisfies the condition (17) from Corollary 5 but has $R_{\psi}(G)\geq\left(1+\frac{1}{\gamma}\right)\psi-\epsilon$ .

Proof.

We construct a restaking graph $G=(S,V,E,\pi,\sigma,\alpha)$ with three validators $V=\left\{a,b,c\right\}$ and one service $S=\left\{x\right\}$ , where an edge exists between each of the validators $a$ and $b$ and the service $x$ (i.e. the edge set $E:=\left\{(x,a),(x,b)\right\}$ ). Without loss of generality, suppose that $\epsilon\leq\psi/\gamma$ . Let $\sigma_{a}>0$ be any positive constant. We define

$\displaystyle\sigma_{b}$	$\displaystyle:=\sigma_{a}\left(\frac{1}{\gamma}-\frac{\epsilon}{\psi}\right)$	(21)
$\displaystyle\sigma_{c}$	$\displaystyle:=\sigma_{a}\left(\frac{1-\psi+\epsilon}{\psi}-\frac{1}{\gamma}\right)$	(22)
$\displaystyle\pi_{x}$	$\displaystyle:=\frac{\left(1+\frac{1}{\gamma}\right)\psi-\epsilon}{1+\gamma}% \cdot\sigma_{V}$	(23)
$\displaystyle\alpha_{s}$	$\displaystyle:=1$	(24)

Notice first that $\sigma_{b}\geq 0$ as we have taken $\epsilon\leq\psi/\gamma$ . Next, observe that

	$\displaystyle\sigma_{c}\geq 0$	$\displaystyle\iff\frac{1-\psi+\epsilon}{\psi}\geq\frac{1}{\gamma}$		(25)
		$\displaystyle\iff 1\geq\left(1+\frac{1}{\gamma}\right)\psi-\epsilon$		(26)

whence $\sigma_{c}\geq 0$ by Equation 20. Finally, we must also have that $\pi_{x}\geq 0$ by Equation 20 as well. Next, notice by construction that

\displaystyle\sigma_{V}

\displaystyle=\sigma_{a}+\sigma_{b}+\sigma_{c}=\sigma_{a}\left(1+\frac{1}{% \gamma}-\frac{\epsilon}{\psi}+\frac{1-\psi+\epsilon}{\psi}-\frac{1}{\gamma}% \right)=\frac{\sigma_{a}}{\psi}

(27)

This graph meets condition (17) from Corollary 5, as

$\displaystyle\sum_{s\in N_{G}\left\{a\right\}}\frac{\sigma_{a}}{\sigma_{N_{G}% \left\{s\right\}}}(1+\gamma)\pi_{s}$	$\displaystyle=\frac{\sigma_{a}}{\sigma_{a}+\sigma_{b}}\left[\left(1+\frac{1}{% \gamma}\right)\psi-\epsilon\right]\sigma_{V}$	(28)
	$\displaystyle=\frac{\sigma_{a}}{\sigma_{a}\left(1+\frac{1}{\gamma}-\frac{% \epsilon}{\psi}\right)}\left[\left(1+\frac{1}{\gamma}\right)\psi-\epsilon% \right]\frac{\sigma_{a}}{\psi}$	(29)
	$\displaystyle=\sigma_{a}$	(30)

A similar argument shows that

\sum_{s\in N_{G}\left\{b\right\}}\frac{\sigma_{b}}{\sigma_{N_{G}\left\{s\right% \}}}(1+\gamma)\pi_{s}=\frac{\sigma_{b}}{\sigma_{a}\left[\left(1+\frac{1}{% \gamma}\right)\psi-\epsilon\right]}\left[\left(1+\frac{1}{\gamma}\right)\psi-% \epsilon\right]\sigma_{a}=\sigma_{b}

(31)

Finally, as the validator $c$ has no neighbors, it also satisfies the condition, whence the graph indeed satisfies (17). We now consider an initial shock $D:=\left\{a\right\}$ to the graph. Because

\frac{\sigma_{a}}{\sigma_{V}}=\frac{\sigma_{a}}{\sigma_{a}/\psi}=\psi,

(32)

the shock $D\in\mathbb{D}_{\psi}$ constitutes a $\psi$ fraction of the total stake as desired. The attack $(\left\{x\right\},\left\{b\right\})$ is a valid attack on $G\searrow D$ . To see this, notice first that $(\left\{x\right\},\left\{b\right\})$ is an attacking coalition on $G\searrow D$ as $\left\{b\right\}=N_{G\searrow D}\left\{x\right\}$ . Furthermore, $\left\{b\right\}$ is incentivized to attack since

$\displaystyle\pi_{x}-\sigma_{b}$	$\displaystyle=\frac{\left(1+\frac{1}{\gamma}\right)\psi-\epsilon}{1+\gamma}% \cdot\sigma_{V}-\sigma_{b}$	(33)
	$\displaystyle=\left[\frac{1+\frac{1}{\gamma}-\frac{\epsilon}{\psi}}{1+\gamma}-% \left(\frac{1}{\gamma}-\frac{\epsilon}{\psi}\right)\right]\sigma_{a}$	(34)
	$\displaystyle=\left[\frac{\left(1+\frac{1}{\gamma}\right)\psi+\gamma\epsilon}{% (1+\gamma)\psi}-\frac{1}{\gamma}\right]\sigma_{a}$	(35)
	$\displaystyle=\frac{\gamma\epsilon\sigma_{a}}{(1+\gamma)\psi}>0$	(36)

whence Equation 2 is satisfied for the pair $(\left\{x\right\},\left\{b\right\})$ . It follows that

R_{\psi}(G)\geq\frac{\sigma_{a}+\sigma_{b}}{\sigma_{V}}=\frac{\left(1+\frac{1}% {\gamma}-\frac{\epsilon}{\psi}\right)\sigma_{a}}{\sigma_{a}/\psi}=\left(1+% \frac{1}{\gamma}\right)\psi-\epsilon

(37)

as desired. $\hfill\blacktriangleleft$

5 Local Security

The bound in Theorem 4 on the worst-possible stake loss from cascading attacks is reassuring from a global perspective, but less so from the perspective of one or a small number of services who would like an assurance that they will not be among those affected by such attacks. Beginning with this section, we focus on a specific coalition of services $C\subseteq S$ that seeks to insulate their shared security $\Gamma(C)$ against shocks and resulting cascading attacks that may come about due to the decisions of other services and validators. Formally, we denote by

\Gamma(C):=\left\{v\in V\mid N_{G}\left\{v\right\}\subseteq C\right\}

(38)

the set of validators that exclusively provide security for services in $C$ .

Worst-case stake loss (local version)

As before, we first suppose that an initial shock affects the restaking graph. Whereas previously, we considered shocks for which the total stake in the shock was bounded, we now consider shocks for which the total stake that impacts the exclusive security of some coalition of services $C$ (i.e., stake that secures services from $C$ and only services from $C$ ) is bounded. Formally, for any coalition of services $C\subseteq S$ within some restaking graph $G$ , we let

\mathbb{D}_{\psi}(C,G):=\left\{D\subseteq V\mid\frac{\sigma_{D\cap\Gamma(C)}}{% \sigma_{\Gamma(C)}}\leq\psi\right\}

(39)

denote the set of all validator coalitions that provide at most $\psi$ stake to the aggregate security of the coalition of services $C$ . Notice that shocks $D\in\mathbb{D}_{\psi}(C,G)$ may have much more total stake $\sigma_{D}$ than a $\psi$ fraction of the graph. We are instead only guaranteed that the impact of the shock on stake that is being used exclusively for members in $C$ is small. We are now interested in the potential cascading losses that can affect the stake that is exclusively utilized by the coalition $C$ after a shock occurs that destroys at most $\psi$ stake from the aggregate security of $C$ . Formally, we study the quantity

R_{\psi}(C,G):=\underbrace{\psi}_{\text{Initial Shock}}+\max_{D\in\mathbb{D}_{% \psi}(C,G)}\max_{(A_{1},B_{1}),\dots,(A_{T},B_{T})\in\mathcal{C}(G\searrow D)}% \underbrace{\frac{\sigma_{\bigcup_{t=1}^{T}B_{t}\cap\Gamma(C)}}{\sigma_{\Gamma% (C)}}}_{\text{Stake lost from cascading attacks}}

(40)

Local security conditions

We seek sufficient conditions on a restaking graph $G$ that guarantee a nontrivial upper bound on $R_{\psi}(C,G)$ . Ideally, the sufficient condition would depend only the neighborhood/choices of the coalition $C$ to provide a guarantee that holds regardless of the choices made by other validators and services (i.e., the services of $C$ can attempt to “control their own destiny” by ensuring that the locally defined sufficient condition holds). Formally, given a restaking graph $G=(S,V,E,\pi,\sigma,\alpha)$ and a coalition of services $C\subseteq S$ , we call a restaking graph $G^{\prime}=(S^{\prime},V^{\prime},E^{\prime},\pi^{\prime},\sigma^{\prime},% \alpha^{\prime})$ a $C$ -local variant of $G$ if $C$ cannot distinguish $G^{\prime}$ from $G$ on the basis of local information: $C\subseteq S^{\prime}$ , $N_{G}C=N_{G^{\prime}}C$ , and

	$\displaystyle(\pi_{s},\alpha_{s})$	$\displaystyle=(\pi^{\prime}_{s},\alpha^{\prime}_{s})$	$\displaystyle\forall s\in C$		(41)
	$\displaystyle\left(\sigma_{v},N_{G}\left\{v\right\}\right)$	$\displaystyle=\left(\sigma^{\prime}_{v},N_{G^{\prime}}\left\{v\right\}\right)$	$\displaystyle\forall v\in N_{G}C$		(42)

We then define a local security condition $f:(C,G)\mapsto\left\{0,1\right\}$ to be a Boolean function that takes as input a restaking graph $G$ and a coalition of services $C\subseteq S$ such that $f(C,G)$ must be equal to $f(C,G^{\prime})$ for all $C$ -local variants $G^{\prime}$ . The intuition behind this definition is that the condition should only depend on service-level information (e.g. profits from corruption, security thresholds) for services in the coalition, and validator-level information for validators in $N_{G}C$ .

Local security impossibility

Unfortunately, without further restrictions on the attacks under consideration (like those defined later in this section), it is impossible to construct any nontrivial local security condition that yields any nontrivial upper bound on $R_{\psi}(C,G)$ .

Theorem 8.

For any local security condition $f$ , any secure restaking graph $G$ and coalition of services $C\subseteq S$ such that $f(C,G)=1$ , there exists a secure $C$ -local variant $G^{\prime}$ of $G$ such that $R_{0}(C,G^{\prime})=1$ .

Proof.

Take any $f$ , $C$ , and secure $G$ such that $f(C,G)=1$ . Define

\Delta:=\sigma_{N_{G}C}-\pi_{C}

(43)

to be the total overcollateralization of $C$ in aggregate. Next, we define $G^{\prime}$ to be an augmented version of $G$ , where we add a new service $s^{*}$ that has a profit from corruption $\pi_{s^{*}}=\Delta+2\epsilon$ where $\epsilon>0$ . We further add $2$ validators $a$ and $b$ to the graph who are adjacent only to $s^{*}$ . We let $\sigma_{a}:=\Delta+\epsilon$ and $\sigma_{b}:=\epsilon$ . As $\sigma_{a}+\sigma_{b}\geq\pi_{s^{*}}$ , the graph $G^{\prime}$ must be secure as $G$ was secure. Next, notice that as the validator $a$ is not path-connected to $C$ , $G^{\prime}$ must be a $C$ -local variant of $G$ . However, by construction, the attack $\left(C\cup\left\{s^{*}\right\},N_{G}C\cup\left\{b\right\}\right)$ is valid on the graph $G^{\prime}\searrow\left\{a\right\}$ . It follows that $R_{0}(C,G^{\prime})=1$ . $\hfill\blacktriangleleft$

Stable attacks

While the above impossibility appears to be quite strong, it is somewhat contrived. At the heart of the impossibility is that under the definition of a valid attack (i.e. Equations 2 and 1), not every validator must be productive in carrying out the attack. There may be a subset of validators in the attack that can yield more net profit than the full coalition. In what follows, we show that if we assume that malicious validator coalitions will choose to add others to their ranks only if it is profitable for them in net to do so, then a local security condition with guarantees similar to those in Theorem 4 does indeed exist. Formally, for $A\subseteq S$ and $B\subseteq V$ , we say that an attack $(A,B)$ is stable if it is valid (i.e. Equations 2 and 1 hold), and for all $A^{\prime}\subseteq A$ and $B^{\prime}\subseteq B$ such that $(A^{\prime},B^{\prime})$ is valid,

\sigma_{B\setminus B^{\prime}}<\pi_{A\setminus A^{\prime}}

(44)

Intuitively, if (44) did not hold, then the validators of $B^{\prime}$ would be better off ditching those in $B\setminus B^{\prime}$ and attacking only the services in $A^{\prime}$ .

We say that a disjoint sequence $(A_{1},B_{1}),\dots,(A_{T},B_{T})\in 2^{S}\times 2^{V}$ is a cascade of stable attacks on a restaking graph $G=(S,V,E,\pi,\sigma,\alpha)$ if for each $t\in[T]$ , $(A_{t},B_{t})$ is a stable attack on $G\searrow\bigcup_{i=1}^{t-1}B_{i}$ . We denote by $\mathcal{S}(G)$ the set of all such sequences of cascading stable attacks. In light of Theorem 8, we redefine our notion of worst-case stake loss using stable attacks:

R_{\psi}(C,G):=\psi+\max_{D\in\mathbb{D}_{\psi}(C,G)}\max_{(A_{1},B_{1}),\dots% ,(A_{T},B_{T})\in\mathcal{S}(G\searrow D)}\frac{\sigma_{\bigcup_{t}B_{t}\cap% \Gamma(C)}}{\sigma_{\Gamma(C)}}

(45)

Unlike valid attacks, unions of sequences of stable cascading attacks need not be stable (which will complicate the proof of Theorem 10 in the next section).

Claim 9.

There exists a restaking graph $G$ and a sequence $(A_{1},B_{1}),(A_{2},B_{2})\in\mathcal{S}(G)$ such that $\left(A_{1}\cup A_{2},B_{1}\cup B_{2}\right)\not\in\mathcal{S}(G)$ .

Proof.

Consider restaking graph where there are two services $S=\left\{x,y\right\}$ and two validators $V=\left\{a,b\right\}$ where both validators are restaking in both services. Furthermore, $\pi_{x}=\pi_{y}=2$ , $\alpha_{x}=\alpha_{y}=\frac{1}{2}$ , and $\sigma_{a}=\sigma_{b}=1$ . In this case, the sequence $\left(\left\{x\right\},\left\{a\right\}\right),\left(\left\{y\right\},\left\{b% \right\}\right)\in\mathcal{S}(G)$ . However, $\left(\left\{x,y\right\},\left\{a,b\right\}\right)\not\in\mathcal{S}(G)$ because the attack $\left(\left\{x,y\right\},\left\{a\right\}\right)$ is a valid attack. $\hfill\vartriangleleft$

6 A Local Security Condition for Stable Attacks

In this section, we give a family of local security conditions that yield guarantees on the local worst-case stake loss $R_{\psi}(C,G)$ that resemble our result from Theorem 4 for global security. In Theorems 4 and 7, we showed that security with $\gamma$ -slack was necessary and sufficient in order to obtain a $\left(1+\frac{1}{\gamma}\right)\psi$ upper-bound on $R_{\psi}(G)$ . In other words, it was both necessary and sufficient to ensure that all attacking coalitions $(A,B)$ were overcollateralized multiplicatively by a factor of $(1+\gamma)$ . Our condition for local security is similar: we must ensure that certain attack headers $(X,Y)$ are overcollateralized multiplicatively by a factor of $(1+\gamma)$ .

Attack header

Formally, we say that $(X,Y)$ is an attack header, for $X\subseteq S$ and $Y\subseteq\Gamma(X)$ , if there exists a set of validators $B\subseteq V$ satisfying

B\cap\Gamma(X)=\emptyset

(46)

such that $(X,B\cup Y)$ is an attacking coalition. In other words, $(X,Y)$ is an attack header if $Y$ can be appended to a collection of validators $B$ that may be slashed without attacking services in $X$ to form an attacking coalition that attacks the services $X$ . An attacking coalition is a special case of an attack header (in which $B$ can be taken as $\emptyset$ ).

Theorem 10.

Let $G=(S,V,E,\pi,\sigma,\alpha)$ be a restaking graph and $C\subseteq S$ be a coalition of services. If, for all attack headers $(X,Y)$ where $X\subseteq C$ ,

(1+\gamma)\pi_{X}\leq\sigma_{Y}

(47)

then $R_{\psi}(C,G)<(1+\frac{1}{\gamma})\psi$ . Furthermore, the Boolean function that checks whether Equation 47 holds for all attack headers is a local security condition.

Proof.

Let $D\in\mathbb{D}_{\psi}(C,G)$ and $(A_{1},B_{1}),\dots,(A_{T},B_{T})\in\mathcal{S}(G\searrow D)$ be arbitrary. For each $t\in[T]$ , define

L_{t}:=B_{t}\cap\Gamma(C)

(48)

to be the set of all validators exclusively securing $C$ that were lost in the $t\textsuperscript{th}$ attack. Next, define

A^{\prime}_{t}:=\left\{s\in A_{t}\mid\sigma_{B_{t}\setminus L_{t}}\geq\alpha_{% s}\cdot\sigma_{N_{G}\left\{s\right\}\setminus\left(\bigcup_{i=1}^{t-1}B_{i}% \cup D\right)}\right\}

(49)

to be the maximal set of services such that $(A^{\prime}_{t},B_{t}\setminus L_{t})$ is an attacking coalition on $G\searrow\left(\bigcup_{i=1}^{t-1}B_{i}\cup D\right)$ . Notice also that because $(A_{t},B_{t})$ is a stable attack on $G\searrow\left(\bigcup_{i=1}^{t-1}B_{i}\cup D\right)$ , we must have that $A_{t}\setminus A^{\prime}_{t}$ is nonempty, and furthermore must be a subset of $C$ .

Claim 11.

\sigma_{\bigcup_{t}B_{t}\cap\Gamma(C)}<\pi_{\bigcup_{t}A_{t}\setminus A^{% \prime}_{t}}

(50)

Proof.

From stability, we have that

\sigma_{L_{t}}=\sigma_{B_{t}\setminus\left(B_{t}\setminus L_{t}\right)}<\pi_{A% _{t}\setminus A^{\prime}_{t}}

(51)

To see why this holds, notice that there are two cases. If the attacking coalition $(A^{\prime}_{t},B_{t}\setminus L_{t})$ is a valid attack, then the inequality follows directly from the stability definition. If instead $(A^{\prime}_{t},B_{t}\setminus L_{t})$ is not a valid attack despite being an attacking coalition, the inequality must still hold because the original attack $(A_{t},B_{t})$ is valid and therefore satisfies Equation 2. Iterating over $t$ , we find that

\sigma_{\bigcup_{t}B_{t}\cap\Gamma(C)}=\sum_{t=1}^{T}\sigma_{L_{t}}<\sum_{t=1}% ^{T}\pi_{A_{t}\setminus A^{\prime}_{t}}=\pi_{\bigcup_{t}A_{t}\setminus A^{% \prime}_{t}}

(52)

$\hfill\vartriangleleft$

Claim 12.

$\left(\bigcup_{t}\left(A_{t}\setminus A^{\prime}_{t}\right),\left(\bigcup_{t}B% _{t}\cup D\right)\cap\Gamma(C)\right)$ is an attack header on $G$ , and $\bigcup_{t}\left(A_{t}\setminus A^{\prime}_{t}\right)\subseteq C$ .

Proof.

Because each $A_{t}\setminus A^{\prime}_{t}\subseteq C$ , we must also have that $\bigcup_{t}A_{t}\setminus A^{\prime}_{t}\subseteq C$ as well. Next, by applying Corollary 3 noting the disjointness of the $(A_{t},B_{t})$ , we have that

\left(\bigcup_{t}A_{t},\bigcup_{t}B_{t}\right)=\left(\bigcup_{t}\left(A_{t}% \setminus A^{\prime}_{t}\right)\cup\bigcup_{t}A^{\prime}_{t},\quad\bigcup_{t}B% _{t}\right)

(53)

must be an attacking coalition on $G\searrow D$ . In particular, we must have that $\left(\bigcup_{t}\left(A_{t}\setminus A^{\prime}_{t}\right),\bigcup_{t}B_{t}\right)$ is an attacking coalition on $G\searrow D$ , whence by Lemma 3 we have that $\left(\bigcup_{t}\left(A_{t}\setminus A^{\prime}_{t}\right),\bigcup_{t}B_{t}% \cup D\right)$ is an attacking coalition on $G$ . Rewriting the above as

\left(\bigcup_{t}\left(A_{t}\setminus A^{\prime}_{t}\right),\quad\left[\left(% \bigcup_{t}B_{t}\cup D\right)\cap\Gamma(C)\right]\cup\left[\left(\bigcup_{t}B_% {t}\cup D\right)\setminus\Gamma(C)\right]\right)

(54)

and noting by construction that

\left[\left(\bigcup_{t}B_{t}\cup D\right)\setminus\Gamma(C)\right]\cap\Gamma(C% )=\emptyset,

(55)

we find that $\left(\bigcup_{t}\left(A_{t}\setminus A^{\prime}_{t}\right),\left(\bigcup_{t}B% _{t}\cup D\right)\cap\Gamma(C)\right)$ is an attack header on $G$ as desired. $\hfill\vartriangleleft$ Putting these claims together yields the desired result. By Claim 12 and Equation 47, we find that

(1+\gamma)\pi_{\bigcup_{t}A_{t}\setminus A^{\prime}_{t}}\leq\sigma_{\left(% \bigcup_{t}B_{t}\cup D\right)\cap\Gamma(C)}\leq\sigma_{\bigcup_{t}B_{t}\cap% \Gamma(C)}+\psi\cdot\sigma_{\Gamma(C)}

(56)

Adding in Claim 11, we find that

$\displaystyle(1+\gamma)\sigma_{\bigcup_{t}B_{t}\cap\Gamma(C)}$	$\displaystyle<\sigma_{\bigcup_{t}B_{t}\cap\Gamma(C)}+\psi\cdot\sigma_{\Gamma(C)}$	(57)
	$\displaystyle\implies\frac{\sigma_{\bigcup_{t}B_{t}\cap\Gamma(C)}}{\sigma_{% \Gamma(C)}}<\frac{\psi}{\gamma}$	(58)
	$\displaystyle\implies R_{\psi}(C,G)<\left(1+\frac{1}{\gamma}\right)\psi$	(59)

as desired. To see that the Boolean function that checks whether Equation 47 holds for all attack headers is a local security condition, observe that it suffices to check that for all $X\subseteq C$ and $Y\subseteq N_{G}C\cap\Gamma(C)=\Gamma(C)$ such that $\left(X,Y\cup N_{G}C\setminus\Gamma(C)\right)$ is an attacking coalition, Equation 47 holds. Thus, for any restaking graph $G$ and $C$ -local variant $G^{\prime}$ , this function will evaluate to the same output. $\hfill\blacktriangleleft$

The condition in (47) can be checked via enumeration, although the time required to do so grows exponentially in the number of services in $C$ and the number of validators that contribute security exclusively to services in $C$ . In the event that this is a prohibitive amount of computation, the same guarantee holds under a stronger, easily checked local analog of the EigenLayer sufficient condition (3) which, in effect, treats as malicious all validators that contribute security to any services outside of $C$ .

Corollary 13.

For any restaking graph $G=(S,V,E,\pi,\sigma,\alpha)$ and coalition of services $C\subseteq S$ , satisfaction of the local condition

\sum_{s\in N_{G}\left\{v\right\}}\frac{\sigma_{v}}{\sigma_{N_{G}\left(\left\{s% \right\}\right)}}\cdot\frac{(1+\gamma)\pi_{s}}{\alpha^{\prime}_{s}}\leq\sigma_% {v}

(60)

for all $v\in N_{G}C$ with $N_{G}\left\{v\right\}\subseteq C$ guarantees that $R_{\psi}(C,G)<\left(1+\frac{1}{\gamma}\right)\psi$ , where for each $s\in C$ ,

\alpha^{\prime}_{s}:=\alpha_{s}-\frac{\sigma_{N_{G}\left\{s\right\}\setminus% \Gamma(C)}}{\sigma_{N_{G}\left\{s\right\}}}

(61)

Proof.

This follows from Theorem 10 and 1. Notice that to guarantee that the condition (47) from Theorem 10 holds for all attack headers $(X,Y)$ , it suffices to guarantee that no valid attacks exist, when (i) all profits from corruption for services in $C$ are inflated by a multiplicative factor of $(1+\gamma)$ , and (ii) the fraction of stake required to corrupt a given service is offset by the fraction of stake in that service that is also restaking for services that do not belong to $C$ . As 1 provides a sufficient condition to guarantee the existence of no valid attacks, Equation 60 will guarantee that all attack headers are overcollateralized by a multiplicative factor of $(1+\gamma)$ . $\hfill\blacktriangleleft$

7 Lower Bounds for Local Security

We next show senses in which Theorem 10 (and more strongly, Corollary 13) is tight.

Corollary 14.

For any $\psi,\gamma,\epsilon>0$ such that

0\leq\left(1+\frac{1}{\gamma}\right)\psi-\epsilon\leq 1,

(62)

there exists a restaking graph $G$ that satisfies the condition (60) from Corollary 13 but has $R_{\psi}(C,G)\geq\left(1+\frac{1}{\gamma}\right)\psi-\epsilon$ .

Proof.

Notice that if we take $C=S$ , the condition (60) from Corollary 13 is identical to the condition (17) from Corollary 5. Furthermore, $R_{\psi}(S,G)$ is the same as $R_{\psi}(G)$ except for the fact that $R_{\psi}(S,G)$ considers only stable attacks. Repeating the argument from Theorem 7, and noting that the attack given in the proof of that result is stable, we obtain the desired result. $\hfill\blacktriangleleft$

Theorem 15.

For any $\gamma>0$ , there exists a graph restaking graph $G=(S,V,E,\pi,\sigma,\alpha)$ that satisfies (17) from Corollary 5, but there exists a $C\subseteq S$ such that $R_{0}(C,G)=1$ .

Proof.

Let there be three services $S=\left\{x,y,z\right\}$ , three validators $V=\left\{a,b,c\right\}$ , and edges as follows:

E:=\left\{(x,a),(x,b),(y,b),(y,c),(z,c),(z,a)\right\}.

(63)

Next, let $\alpha_{s}=1$ for all $s\in S$ , and let $\pi_{x}=\pi_{y}=\pi_{z}=:\pi>0$ be an arbitrary positive constant. Next pick $\sigma_{a}$ such that

\sigma_{a}<2\pi,

(64)

let $\sigma_{b}:=2(1+\gamma)\pi$ , and let $\sigma_{c}:=2(1+\gamma)\pi$ . This graph satisfies (17) from Corollary 5 as

	$\displaystyle\frac{\sigma_{a}}{\sigma_{a}+\sigma_{b}}\cdot(1+\gamma)\pi+\frac{% \sigma_{a}}{\sigma_{a}+\sigma_{c}}\cdot(1+\gamma)\pi<(1+\gamma)\pi\left(\frac{% 1}{\sigma_{b}}+\frac{1}{\sigma_{c}}\right)\sigma_{a}=\sigma_{a}$		(65)
	$\displaystyle\frac{\sigma_{b}}{\sigma_{a}+\sigma_{b}}\cdot(1+\gamma)\pi+\frac{% \sigma_{b}}{\sigma_{b}+\sigma_{c}}\cdot(1+\gamma)\pi<\frac{3}{2}(1+\gamma)\pi<% \sigma_{b}$		(66)
	$\displaystyle\frac{\sigma_{c}}{\sigma_{a}+\sigma_{c}}\cdot(1+\gamma)\pi+\frac{% \sigma_{c}}{\sigma_{b}+\sigma_{c}}\cdot(1+\gamma)\pi<\frac{3}{2}(1+\gamma)\pi<% \sigma_{c}$		(67)

Next, let $C:=\left\{x,z\right\}$ , and observe that the shock $D=\left\{b,c\right\}$ is an element of $\mathbb{D}_{0}(C,G)$ . However, because $\sigma_{a}<\pi_{x}+\pi_{z}=2\pi$ , we must have that $(\left\{x,z\right\},\left\{a\right\})$ is a stable attack on $G\searrow D$ . As $\left\{a\right\}=\Gamma(C)$ , it follows that $R_{0}(C,G)=1$ . $\hfill\blacktriangleleft$

8 Long Cascades

Cascade Structure

Although Corollary 3 shows that all long cascades can be made into a short, one-step attack, it is arguably more dangerous if large attacks can be made through long cascades of small attacks that each require less coordination. In this section, we show how adding $\gamma$ -slack also enables us to upper-bound the length of a cascade in the worst case. Our results depend on what we call the reference depth of a cascading sequence of attacks. Formally, for a given restaking graph $G$ and coalition of validators $B_{0}$ , we say that a valid cascade of attacks $(A_{1},B_{1}),\dots,(A_{T},B_{T})$ on $\mathcal{C}(G\searrow{B_{0}})$ has reference depth $k$ if

k=\max\left\{i\in[T]\mid\exists t\in[T]\text{ s.t. }N_{G}(A_{t})\cap B_{t-i}% \neq\emptyset\right\}

(68)

In other words, a cascading sequence has reference depth $k$ if the services attacked in a given time step are not affected by validators that were slashed more than $k$ steps previous.

Theorem 16.

Suppose that a restaking graph $G=(S,V,E,\pi,\sigma,\alpha)$ is secure with $\gamma$ -slack for some $\gamma>0$ . Let $\epsilon=\min_{v\in V}\sigma_{v}$ denote the minimum stake held by a validator. Then, for any $\psi>0$ , $B_{0}\in\mathbb{D}_{\psi}(G)$ , and $(A_{1},B_{1}),\dots,(A_{T},B_{T})\in\mathcal{C}(G\searrow{B_{0}})$ with reference depth $k$ ,

T<k\left(1+\log_{1+\gamma}\frac{\psi\cdot\sigma_{V}}{\epsilon\gamma}\right)

(69)

Proof.

Because $(A_{1},B_{1}),\dots,(A_{T},B_{T})\in\mathcal{C}(G\searrow{B_{0}})$ has reference depth $k$ , it follows that if we define

$\displaystyle A^{\prime}_{i}$	$\displaystyle:=\bigcup_{t=k(i-1)+1}^{ki}A_{t}$	(70)
$\displaystyle B^{\prime}_{i}$	$\displaystyle:=\bigcup_{t=k(i-1)+1}^{ki}B_{t}$	(71)
$\displaystyle B^{\prime}_{0}$	$\displaystyle:=B_{0}$	(72)

for $i\in\left\{1,\dots,\left\lceil T/k\right\rceil\right\}$ , we must have that for all $j<i-1$ ,

N_{G}A^{\prime}_{i}\cap B^{\prime}_{j}=\emptyset

(73)

Furthermore, by Corollary 3, we must have that the sequence $(A^{\prime}_{i},B^{\prime}_{i})\in\mathcal{C}(G\searrow B_{0})$ . Applying Corollary 3 again, we further have that for every $i$ , $\left(\bigcup_{j=i+1}^{\left\lceil T/k\right\rceil}A^{\prime}_{i},\bigcup_{j=i% +1}^{\left\lceil T/k\right\rceil}B^{\prime}_{i}\right)$ is a valid attack on $G\searrow\bigcup_{j=0}^{i}B^{\prime}_{i}$ . It follows by Equation 2 that for any $i\in\left\{0,\dots,\left\lceil T/k\right\rceil-1\right\}$ ,

\displaystyle\pi_{\bigcup_{j=i+1}^{\left\lceil T/k\right\rceil}A^{\prime}_{j}}% >\sigma_{\bigcup_{j=i+1}^{\left\lceil T/k\right\rceil}B^{\prime}_{j}}=\sum_{j=% i+1}^{\left\lceil T/k\right\rceil}\sigma_{B^{\prime}_{j}}

(74)

Next, noting that

N_{G}\bigcup_{j=i+1}^{\left\lceil T/k\right\rceil}A_{i}^{\prime}\cap\bigcup_{j% =1}^{i-1}B_{i}^{\prime}=\emptyset

(75)

by Equation 73, it follows that indeed $\left(\bigcup_{j=i+1}^{\left\lceil T/k\right\rceil}A^{\prime}_{i},\bigcup_{j=i% +1}^{\left\lceil T/k\right\rceil}B^{\prime}_{i}\right)$ is also a valid attack on $G\searrow B_{i}^{\prime}$ . Applying Lemma 2, we then find that $\left(\bigcup_{j=i+1}^{\left\lceil T/k\right\rceil}A^{\prime}_{i},B^{\prime}_{% i}\cup\bigcup_{j=i+1}^{\left\lceil T/k\right\rceil}B^{\prime}_{i}\right)$ is an attacking coalition on the original graph $G$ . Because $G$ is secure with $\gamma$ -slack, Equation 11 must now hold on this pair, whence for all $i\in\left\{0,\dots,\left\lceil T/k\right\rceil-1\right\}$ ,

(1+\gamma)\pi_{\bigcup_{j=i+1}^{\left\lceil T/k\right\rceil}A^{\prime}_{j}}% \leq\sigma_{\bigcup_{j=i}^{\left\lceil T/k\right\rceil}B^{\prime}_{j}}=\sigma_% {B^{\prime}_{i}}+\sum_{j=i+1}^{\left\lceil T/k\right\rceil}\sigma_{B^{\prime}_% {j}}

(76)

Putting this together with Equation 74, we have that for all $i\in\left\{0,\dots,\left\lceil T/k\right\rceil-1\right\}$ ,

	$\displaystyle(1+\gamma)\sum_{j=i+1}^{\left\lceil T/k\right\rceil}\sigma_{B^{% \prime}_{j}}<\sigma_{B^{\prime}_{i}}+\sum_{j=i+1}^{\left\lceil T/k\right\rceil% }\sigma_{B^{\prime}_{j}}$		(77)
	$\displaystyle\implies\sigma_{B^{\prime}_{i}}>\gamma\sum_{j=i+1}^{\left\lceil T% /k\right\rceil}\sigma_{B^{\prime}_{j}}$		(78)

It can be shown inductively from Equation 78 that the sequence $\sigma_{B^{\prime}_{i}}>X_{i}$ , where we define the sequence $X_{i}$ by

	$\displaystyle X_{\left\lceil T/k\right\rceil}$	$\displaystyle:=\epsilon$			(79)
	$\displaystyle X_{i}$	$\displaystyle:=\gamma\sum_{j=i+1}^{\left\lceil T/k\right\rceil}X_{j}$	$\displaystyle i\in\left\{0,\dots,\left\lceil T/k\right\rceil-1\right\}$		(80)

Solving, we find that

X_{0}=\epsilon\gamma(1+\gamma)^{\left\lceil T/k\right\rceil-1}

(81)

It then follows as desired that

\displaystyle\psi\cdot\sigma_{V}=\sigma_{B_{0}}>\epsilon\gamma(1+\gamma)^{T/k-% 1}\implies T<k\left(1+\log_{1+\gamma}\frac{\psi\cdot\sigma_{V}}{\epsilon\gamma% }\right)

(82)

$\hfill\blacktriangleleft$

References

[1] Daron Acemoglu, Asuman Ozdaglar, and Alireza Tahbaz-Salehi. Networks, shocks, and systemic risk. Technical report, National Bureau of Economic Research, 2015.
[2] Daron Acemoglu, Asuman Ozdaglar, and Alireza Tahbaz-Salehi. Systemic risk and stability in financial networks. American Economic Review, 105(2):564–608, 2015.
[3] Carol Alexander. Leveraged restaking of leveraged staking: What are the risks? Available at SSRN 4840805, 2024.
[4] Stefano Battiston, Guido Caldarelli, Robert M May, Tarik Roukny, and Joseph E Stiglitz. The price of complexity in financial networks. Proceedings of the National Academy of Sciences, 113(36):10031–10036, 2016.
[5] Markus K Brunnermeier, Gary Gorton, and Arvind Krishnamurthy. Risk topography. Nber macroeconomics annual, 26(1):149–176, 2012.
[6] Chen Chen, Garud Iyengar, and Ciamac C Moallemi. An axiomatic approach to systemic risk. Management Science, 59(6):1373–1388, 2013. doi:10.1287/MNSC.1120.1631.
[7] Soubhik Deb, Robert Raynor, and Sreeram Kannan. Stakesure: Proof of stake mechanisms with strong cryptoeconomic safety. arXiv preprint, 2024. doi:10.48550/arXiv.2401.05797.
[8] Douglas W Diamond and Philip H Dybvig. Bank runs, deposit insurance, and liquidity. Journal of political economy, 91(3):401–419, 1983.
[9] Larry Eisenberg and Thomas H Noe. Systemic risk in financial systems. Management Science, 47(2):236–249, 2001. doi:10.1287/MNSC.47.2.236.9835.
[10] Zachary Feinstein, Birgit Rudloff, and Stefan Weber. Measures of systemic risk. SIAM Journal on Financial Mathematics, 8(1):672–708, 2017. doi:10.1137/16M1066087.
[11] Paul Glasserman and H Peyton Young. Contagion in financial networks. Journal of Economic Literature, 54(3):779–831, 2016.
[12] Subhash Khot and Rishi Saket. Hardness of bipartite expansion. In 24th Annual European Symposium on Algorithms (ESA 2016). Schloss-Dagstuhl – Leibniz Zentrum für Informatik, 2016. doi:10.4230/LIPIcs.ESA.2016.55.
[13] Eduard Kromer, Ludger Overbeck, and Katrin Zilch. Systemic risk measures on general measurable spaces. Mathematical Methods of Operations Research, 84:323–357, 2016. doi:10.1007/S00186-016-0545-1.
[14] Tarun Chitra Mike Neuder. The risks of lrts, 2024. URL: https://ethresear.ch/t/the-risks-of-lrts/18799.
[15] EigenLayer Team. Eigenlayer: The restaking collective, 2023. URL: https://docs.eigenlayer.xyz/overview/whitepaper.

[bib.bib1] [1] Daron Acemoglu, Asuman Ozdaglar, and Alireza Tahbaz-Salehi. Networks, shocks, and systemic risk. Technical report, National Bureau of Economic Research, 2015.

[bib.bib2] [2] Daron Acemoglu, Asuman Ozdaglar, and Alireza Tahbaz-Salehi. Systemic risk and stability in financial networks. American Economic Review, 105(2):564–608, 2015.

[bib.bib3] [3] Carol Alexander. Leveraged restaking of leveraged staking: What are the risks? Available at SSRN 4840805, 2024.

[bib.bib4] [4] Stefano Battiston, Guido Caldarelli, Robert M May, Tarik Roukny, and Joseph E Stiglitz. The price of complexity in financial networks. Proceedings of the National Academy of Sciences, 113(36):10031–10036, 2016.

[bib.bib5] [5] Markus K Brunnermeier, Gary Gorton, and Arvind Krishnamurthy. Risk topography. Nber macroeconomics annual, 26(1):149–176, 2012.

[bib.bib6] [6] Chen Chen, Garud Iyengar, and Ciamac C Moallemi. An axiomatic approach to systemic risk. Management Science, 59(6):1373–1388, 2013. doi:10.1287/MNSC.1120.1631.

[bib.bib7] [7] Soubhik Deb, Robert Raynor, and Sreeram Kannan. Stakesure: Proof of stake mechanisms with strong cryptoeconomic safety. arXiv preprint, 2024. doi:10.48550/arXiv.2401.05797.

[bib.bib8] [8] Douglas W Diamond and Philip H Dybvig. Bank runs, deposit insurance, and liquidity. Journal of political economy, 91(3):401–419, 1983.

[bib.bib9] [9] Larry Eisenberg and Thomas H Noe. Systemic risk in financial systems. Management Science, 47(2):236–249, 2001. doi:10.1287/MNSC.47.2.236.9835.

[bib.bib10] [10] Zachary Feinstein, Birgit Rudloff, and Stefan Weber. Measures of systemic risk. SIAM Journal on Financial Mathematics, 8(1):672–708, 2017. doi:10.1137/16M1066087.

[bib.bib11] [11] Paul Glasserman and H Peyton Young. Contagion in financial networks. Journal of Economic Literature, 54(3):779–831, 2016.

[bib.bib12] [12] Subhash Khot and Rishi Saket. Hardness of bipartite expansion. In 24th Annual European Symposium on Algorithms (ESA 2016). Schloss-Dagstuhl – Leibniz Zentrum für Informatik, 2016. doi:10.4230/LIPIcs.ESA.2016.55.

[bib.bib13] [13] Eduard Kromer, Ludger Overbeck, and Katrin Zilch. Systemic risk measures on general measurable spaces. Mathematical Methods of Operations Research, 84:323–357, 2016. doi:10.1007/S00186-016-0545-1.

[bib.bib14] [14] Tarun Chitra Mike Neuder. The risks of lrts, 2024. URL: https://ethresear.ch/t/the-risks-of-lrts/18799.

[bib.bib15] [15] EigenLayer Team. Eigenlayer: The restaking collective, 2023. URL: https://docs.eigenlayer.xyz/overview/whitepaper.