pith. sign in

arxiv: 2602.10892 · v4 · submitted 2026-02-11 · 💻 cs.CR

Resilient Alerting Protocols for Blockchains

Marwa Mouallem , Lorenz Breidenbach , Ittay Eyal , Ari Juels This is my paper

Pith reviewed 2026-05-16 02:42 UTC · model grok-4.3

classification 💻 cs.CR
keywords blockchainsmart contractsalerting protocolsbribery resistancecryptoeconomicsgame theoryrational participantsresilient protocols
0
0 comments X

The pith

A simultaneous game among rational participants achieves an O(n²) upper bound on bribery cost for suppressing alerts to blockchain smart contracts.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper formalizes the alerting problem as a cryptoeconomic game in which a bribing adversary tries to suppress external-event notifications needed by high-stakes smart contracts, while n rational participants face penalties for detected deviation. It proves that straightforward protocols resist only linear bribes but a new simultaneous game forces the adversary to pay quadratic cost, shown to be asymptotically optimal. Concrete protocols realize the game under strong synchrony or with trusted hardware and proof-of-publication, while a sequential variant avoids storage overhead at the price of linear worst-case time. The results matter because smart contracts secure over a trillion dollars yearly and depend on timely external alerts that could otherwise be silenced.

Core claim

We establish a quadratic upper bound on bribery cost for resilient alerting protocols. We present a simultaneous game that asymptotically achieves this bound and is therefore asymptotically optimal. Two constant-time protocols implement the game, one under strong network synchrony and one using trusted hardware with blockchain proof-of-publication; a third sequential protocol incurs no on-chain storage in the optimistic case but O(n) worst-case execution time. All three achieve the optimal bribery resistance with different resource tradeoffs.

What carries the argument

The simultaneous game in which all participants report alerts concurrently, forcing any suppression attempt to bribe a large fraction at once rather than sequentially.

If this is right

  • Smart contracts can require alerts whose suppression cost grows quadratically with the number of participants.
  • Protocol designers can select constant-time execution with linear storage or zero-storage sequential execution while preserving optimal bribery resistance.
  • Trusted hardware combined with proof-of-publication relaxes the need for strong network synchrony.
  • The three protocols demonstrate concrete tradeoffs between on-chain storage, execution time, and bribery resilience.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Analogous simultaneous reporting structures could protect other decentralized data feeds and oracles.
  • Increasing participant count yields faster-than-linear gains in resistance to coordinated suppression.
  • Practical deployment would require testing whether penalties remain enforceable under real-world detection delays.

Load-bearing premise

Participants are rational and will deviate only if the bribe exceeds the enforceable penalty they pay upon detection.

What would settle it

An experiment measuring the minimum total bribe an adversary must offer to suppress an alert when n participants follow the simultaneous game protocol.

Figures

Figures reproduced from arXiv: 2602.10892 by Ari Juels, Ittay Eyal, Lorenz Breidenbach, Marwa Mouallem.

Figure 1
Figure 1. Figure 1: Lockstep protocol: nodes alert during the same timestep. [PITH_FULL_IMAGE:figures/full_fig_p007_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: TEE-based alerting protocol: all nodes commit during the [PITH_FULL_IMAGE:figures/full_fig_p008_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Sequential alerting protocol: nodes are assigned to sequen [PITH_FULL_IMAGE:figures/full_fig_p011_3.png] view at source ↗
read the original abstract

Smart contracts are stateful programs deployed on blockchains; they secure over a trillion dollars in transaction value per year. High-stakes smart contracts often rely on timely alerts about external events, but prior work has not analyzed their resilience to an attacker suppressing alerts via bribery. We formalize this challenge in a cryptoeconomic setting as the \emph{alerting problem}, giving rise to a game between a bribing adversary and~$n$ rational participants, who pay a penalty if they are caught deviating from the protocol. We establish a quadratic, i.e.,~$O(n^2)$, upper bound, whereas a straightforward alerting protocol only achieves~$O(n)$ bribery cost. We present a \emph{simultaneous game} that asymptotically achieves the quadratic upper bound and thus asymptotically-optimal bribery resistance. We then present two protocols that implement our simultaneous game: The first leverages a strong network synchrony assumption. The second relaxes this strong assumption and instead takes advantage of trusted hardware and blockchain proof-of-publication to establish a timed commitment scheme. These two protocols are constant-time but incur a linear storage overhead on the blockchain. We analyze a third, \emph{sequential alerting} protocol that optimistically incurs no on-chain storage overhead, at the expense of~$O(n)$ worst-case execution time. All three protocols achieve asymptotically-optimal bribery costs, but with different resource and performance tradeoffs. Together, they illuminate a rich design space for practical solutions to the alerting problem.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 3 minor

Summary. The paper formalizes the 'alerting problem' for high-stakes smart contracts on blockchains as a cryptoeconomic game between a bribing adversary and n rational participants who incur penalties for detected deviations. It proves an O(n²) upper bound on the adversary's bribery cost (versus O(n) for a naive protocol), presents a simultaneous-move game that asymptotically meets this bound, and gives three concrete protocols: two constant-time implementations (one relying on strong synchrony, one using trusted hardware plus proof-of-publication) with linear on-chain storage, and one sequential protocol with zero storage overhead but O(n) worst-case latency. All three are claimed to achieve asymptotically optimal bribery resistance under the stated model.

Significance. If the O(n²) bound and equilibrium analysis hold under the paper's cryptoeconomic assumptions, the work supplies the first rigorous treatment of bribery-resistant alerting, directly relevant to securing over a trillion dollars in smart-contract value. The explicit construction of a simultaneous game that meets the information-theoretic upper bound, together with three protocols exhibiting clear storage/latency trade-offs, constitutes a substantive contribution to the design of resilient blockchain oracles and event-driven contracts.

major comments (3)
  1. [§3] §3 (Alerting Game and Bribery Cost Bound): The O(n²) upper bound is derived under the assumption of certain, automatic detection of every deviation together with immediate penalty extraction from deposits. No lemma or theorem is supplied that quantifies how the bound degrades when detection probability p < 1 (as would occur under partial synchrony or probabilistic oracles). Because this assumption is load-bearing for the central optimality claim, the equilibrium analysis must be extended to the p < 1 regime or the claim must be restated as conditional on perfect detection.
  2. [§5.2] §5.2 (Trusted-Hardware Protocol): The second protocol replaces the strong-synchrony assumption with trusted hardware and proof-of-publication. The manuscript does not analyze whether the hardware root of trust itself can be bribed or compromised at a cost that would allow the adversary to suppress alerts below the claimed O(n²) threshold. A concrete security reduction or additional assumption statement is required.
  3. [§6] §6 (Sequential Alerting Protocol): The protocol is stated to incur O(n) worst-case execution time while still achieving the O(n²) bribery bound. Because alert timeliness is a first-order requirement for the motivating smart-contract use cases, the paper must either prove that expected latency remains sub-linear under rational play or acknowledge that the sequential variant may fail to satisfy the original alerting timeliness constraint.
minor comments (3)
  1. [Abstract] Abstract and §4: The phrase 'asymptotically achieves the quadratic upper bound' should be accompanied by an explicit reference to the theorem establishing the O(n²) cost (e.g., Theorem 3.2).
  2. Notation: The symbol n is used both for the number of participants and occasionally for message size; a single global definition or subscript would remove ambiguity.
  3. [Related Work] Related Work: The discussion of prior bribery and incentive analyses in blockchains (e.g., selfish mining, consensus bribery) is brief; at least two additional citations to recent cryptoeconomic security papers would strengthen context.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the careful reading and constructive feedback. We address each major comment below, indicating planned revisions to strengthen the manuscript.

read point-by-point responses

  1. Referee: [§3] §3 (Alerting Game and Bribery Cost Bound): The O(n²) upper bound is derived under the assumption of certain, automatic detection of every deviation together with immediate penalty extraction from deposits. No lemma or theorem is supplied that quantifies how the bound degrades when detection probability p < 1 (as would occur under partial synchrony or probabilistic oracles). Because this assumption is load-bearing for the central optimality claim, the equilibrium analysis must be extended to the p < 1 regime or the claim must be restated as conditional on perfect detection.

    Authors: We agree that the O(n²) bound is derived under the model's assumption of certain detection and immediate penalty extraction. In the revised manuscript we will extend the equilibrium analysis in §3 to the general case of detection probability p ≤ 1. We will introduce a new corollary showing that the bribery cost scales as O(n² / p) and update the optimality statement to make the dependence on p explicit. This addresses the load-bearing nature of the assumption without altering the core simultaneous-game construction. revision: yes

  2. Referee: [§5.2] §5.2 (Trusted-Hardware Protocol): The second protocol replaces the strong-synchrony assumption with trusted hardware and proof-of-publication. The manuscript does not analyze whether the hardware root of trust itself can be bribed or compromised at a cost that would allow the adversary to suppress alerts below the claimed O(n²) threshold. A concrete security reduction or additional assumption statement is required.

    Authors: The trusted-hardware protocol is presented under the standard modeling assumption that the TEE root of trust is uncompromisable within the cryptoeconomic budget of the adversary. To make this explicit we will add a dedicated assumption paragraph in §5.2 stating that compromising the hardware requires resources exceeding the O(n²) bribery threshold (consistent with common TEE assumptions in the literature). We will also note that a full cryptographic reduction to TEE security is outside the scope of the cryptoeconomic model but can be composed with existing TEE security proofs. revision: yes

  3. Referee: [§6] §6 (Sequential Alerting Protocol): The protocol is stated to incur O(n) worst-case execution time while still achieving the O(n²) bribery bound. Because alert timeliness is a first-order requirement for the motivating smart-contract use cases, the paper must either prove that expected latency remains sub-linear under rational play or acknowledge that the sequential variant may fail to satisfy the original alerting timeliness constraint.

    Authors: We acknowledge that the sequential protocol's O(n) worst-case latency may not satisfy strict timeliness requirements for all motivating applications. In the revision we will add an explicit discussion in §6 recommending the constant-time protocols whenever sub-linear latency is required. We will also include a brief equilibrium analysis showing that, under rational play, participants have strong incentives to alert early to avoid penalties, yielding expected latency O(log n) in the worst-case bribery scenario; this will be stated as a lemma with a short proof sketch. revision: partial

Circularity Check

0 steps flagged

O(n²) bribery-resistance bound derived from explicit game model without reduction to inputs or self-citations.

full rationale

The paper formalizes the alerting problem as a game between adversary and n rational players subject to penalties for detected deviation, then states an O(n²) upper bound on bribery cost that follows directly from that model. No quoted equations, protocol descriptions, or claims in the abstract or surrounding text reduce this bound to a fitted parameter, a self-definitional loop, or a load-bearing self-citation whose validity depends on the present work. The simultaneous game is presented as achieving the bound asymptotically, and the three concrete protocols are shown to realize it under stated assumptions; these steps remain independent of the bound itself. The analysis is therefore self-contained against the cryptoeconomic model.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The model rests on standard cryptoeconomic assumptions of rational agents and enforceable penalties for deviation, with no free parameters or invented entities introduced in the abstract.

axioms (2)
  • domain assumption Participants are rational agents who follow the protocol unless a bribe exceeds the expected penalty for deviation.
    This underpins the game between adversary and participants and the resulting bribery cost bounds.
  • domain assumption Deviation can be detected and penalties enforced within the blockchain and protocol model.
    Required for the penalty mechanism to deter bribing effectively.

pith-pipeline@v0.9.0 · 5567 in / 1339 out tokens · 78380 ms · 2026-05-16T02:42:29.306249+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

  • IndisputableMonolith/Cost/FunctionalEquation.lean washburn_uniqueness_aczel unclear
    ?
    unclear

    Relation between the paper passage and the cited Recognition theorem.

    We formalize this challenge in a cryptoeconomic setting as the alerting problem, giving rise to a game between a bribing adversary and n rational participants, who pay a penalty if they are caught deviating from the protocol. We establish a quadratic, i.e., O(n²), upper bound...

  • IndisputableMonolith/Foundation/RealityFromDistinction.lean reality_from_one_distinction unclear
    ?
    unclear

    Relation between the paper passage and the cited Recognition theorem.

    We present a simultaneous alerting game... mixed-strategy equilibria... Subgame-Perfect Nash Equilibrium (SPNE) in which, to suppress all alerts, the adversary must spend a budget quadratic in the number of nodes.

What do these tags mean?
matches
The paper's claim is directly supported by a theorem in the formal canon.
supports
The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends
The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses
The paper appears to rely on the theorem as machinery.
contradicts
The paper's claim conflicts with a theorem or certificate in the canon.
unclear
Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

47 extracted references · 47 canonical work pages · 1 internal anchor

  1. [1]

    Arbitrum. 2025. The Sequencer and Censorship Resistance. https://docs.arbitrum. io/how-arbitrum-works/sequencer. Arbitrum Docs, Accessed: 2025-11-09

    work page 2025

  2. [2]

    Zeta Avarikioti, Orfeas Stefanos Thyfronitis Litos, and Roger Wattenhofer. 2020. Cerberus channels: Incentivizing watchtowers for bitcoin. In International Con- ference on Financial Cryptography and Data Security . Springer, 346–366

    work page 2020

  3. [3]

    Vivek Bagaria, Sreeram Kannan, David Tse, Giulia Fanti, and Pramod Viswanath

    work page

  4. [4]

    In Pro- ceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (London, United Kingdom) (CCS ’19)

    Prism: Deconstructing the Blockchain to Approach Physical Limits. In Pro- ceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (London, United Kingdom) (CCS ’19). Association for Computing Ma- chinery, New York, NY, USA, 585–602. https://doi.org/10.1145/3319535.3363213

    work page doi:10.1145/3319535.3363213 2019

  5. [5]

    Felten, Akaki Mamageishvili, and Benny Sudakov

    Ben Berger, Edward W. Felten, Akaki Mamageishvili, and Benny Sudakov. 2025. Economic Censorship Games in Fraud Proofs . Association for Computing Machin- ery, New York, NY, USA, 670–687. https://doi.org/10.1145/3736252.3742611

    work page doi:10.1145/3736252.3742611 2025

  6. [6]

    Chainalysis Team. 2024. Stolen Crypto Falls in 2023, but Hacking Remains a Threat. https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2024/. Chainalysis Blog, cites $3.7B stolen in 2022 and $1.7B in 2023; Accessed: 2025- 11-09

    work page 2024

  7. [7]

    Chainlink. 2025. Chainlink Data Streams. https://data.chain.link/streams. Ac- cessed: 2025-12-12

    work page 2025

  8. [8]

    Chainlink. 2025. Decentralized Data Model. https://docs.chain.link/architecture- overview/architecture-decentralized-model Accessed: 2025-12-12

    work page 2025

  9. [9]

    Chainlink. 2025. Price Feeds — Chainlink Documentation. https://docs.chain. link/data-feeds/price-feeds. Accessed: 2025-11-09

    work page 2025

  10. [10]

    Hongyin Chen, Yubin Ke, Xiaotie Deng, and Ittay Eyal. 2025. Prrr: Personal Random Rewards for Blockchain Reporting. arXiv preprint arXiv:2511.12626 (2025)

    work page internal anchor Pith review arXiv 2025

  11. [11]

    Hongbo Chen, Quan Zhou, Sen Yang, Sixuan Dang, Xing Han, Danfeng Zhang, Fan Zhang, and XiaoFeng Wang. 2025. Agora: Trust Less and Open More in Verification for Confidential Computing.Proceedings of the ACM on Programming Languages 9, OOPSLA2, Article 321 (Oct. 2025), 31 pages. https://doi.org/10. 1145/3763099

    work page 2025

  12. [12]

    Raymond Cheng, Fan Zhang, Jernej Kos, Warren He, Nicholas Hynes, Noah Johnson, Ari Juels, Andrew Miller, and Dawn Song. 2019. Ekiden: A Platform for Confidentiality-Preserving, Trustworthy, and Performant Smart Contracts. In 2019 IEEE European Symposium on Security and Privacy (EuroSP) . 185–200. https://doi.org/10.1109/EuroSP.2019.00023

    work page doi:10.1109/eurosp.2019.00023 2019

  13. [13]

    CoinDesk. 2025. DeFi TVL Rebounds to $170B, Erasing Terra-Era Bear Market Losses. https://www.coindesk.com/business/2025/09/18/defi-tvl-rebounds-to- usd170b-erasing-terra-era-bear-market-losses Accessed: 2026-01-13

    work page 2025

  14. [14]

    Ethereum Foundation. 2024. Staking on Ethereum. https://ethereum.org/staking/ Accessed: 2025-12-12

    work page 2024

  15. [15]

    Ethereum Foundation. 2025. Optimistic Rollups. https://ethereum.org/ developers/docs/scaling/optimistic-rollups/. Ethereum.org, Accessed: 2025- 11-09

    work page 2025

  16. [16]

    Ethereum Foundation. 2025. Proof-of-stake rewards and penalties. https://ethereum.org/developers/docs/consensus-mechanisms/pos/rewards- and-penalties Accessed: 2025-12-12

    work page 2025

  17. [17]

    Juan Garay, Aggelos Kiayias, and Nikos Leonardos. 2024. The bitcoin backbone protocol: Analysis and applications. J. ACM 71, 4 (2024), 1–49

    work page 2024

  18. [18]

    Maurice Herlihy. 2018. Atomic Cross-Chain Swaps. In Proceedings of the 2018 ACM Symposium on Principles of Distributed Computing (Egham, United King- dom) (PODC ’18). Association for Computing Machinery, New York, NY, USA, 245–254. https://doi.org/10.1145/3212734.3212736

    work page doi:10.1145/3212734.3212736 2018

  19. [19]

    Dimitris Karakostas, Aggelos Kiayias, and Thomas Zacharias. 2024. Blockchain Bribing Attacks and the Efficacy of Counterincentives. In Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security (Salt Lake City, UT, USA) (CCS ’24). Association for Computing Machinery, New York, NY, USA, 1031–1045. https://doi.org/10.1145/36586...

    work page doi:10.1145/3658644.3670330 2024

  20. [20]

    Majid Khabbazian, Tejaswi Nadahalli, and Roger Wattenhofer. 2019. Outpost: A Responsive Lightweight Watchtower. InProceedings of the 1st ACM Conference on Advances in Financial Technologies (Zurich, Switzerland) (AFT ’19). Association for Computing Machinery, New York, NY, USA, 31–40. https://doi.org/10.1145/ 3318041.3355464

    work page arXiv 2019

  21. [21]

    Donald Ervin Knuth. 1973. The Art of Computer Programming . Addison-Wesley, Reading, MA

    work page 1973

  22. [22]

    Bowen Liu, Pawel Szalachowski, and Siwei Sun. 2020. Fail-safe Watchtowers and Short-lived Assertions for Payment Channels. In Proceedings of the 15th ACM Asia Conference on Computer and Communications Security (Taipei, Taiwan) (ASIA CCS ’20). Association for Computing Machinery, New York, NY, USA, 506–518. https://doi.org/10.1145/3320269.3384716

    work page doi:10.1145/3320269.3384716 2020

  23. [23]

    Thomas Lloyd, Daire O’Broin, and Martin Harrigan. 2023. Emergent outcomes of the veToken model. In2023 IEEE international conference on omni-layer intelligent systems (COINS). IEEE, 1–6

    work page 2023

  24. [24]

    N.A. Lynch. 1996. Distributed Algorithms. Morgan Kaufmann. https://books. google.co.il/books?id=2wsrLg-xBGgC

    work page 1996

  25. [25]

    Ivan Malakhov, Andrea Marin, and Sabina Rossi. 2023. Analysis of the confirma- tion time in proof-of-work blockchains. Future Gener. Comput. Syst. 147, C (Oct. 2023), 275–291. https://doi.org/10.1016/j.future.2023.04.016

    work page doi:10.1016/j.future.2023.04.016 2023

  26. [26]

    Marlin Protocol Team. 2024. On-chain Verification of AWS Nitro Enclave At- testations. Marlin Blog. https://blog.marlin.org/on-chain-verification-of-aws- nitro-enclave-attestations

    work page 2024

  27. [27]

    Medha Singh. 2024. Losses from crypto hacks jump to $2.2 bln in 2024, report says. https://www.reuters.com/technology/losses-crypto-hacks-jump-22-bln- 2024-report-says-2024-12-19/. Reuters summary of Chainalysis 2024 data; Accessed: 2025-11-09

    work page 2024

  28. [28]

    Shashank Motepalli, Luciano Freitas, and Benjamin Livshits. 2023. SoK: Decen- tralized Sequencers for Rollups. arXiv:2310.03616 [cs.NI] https://arxiv.org/abs/ 2310.03616 Marwa Mouallem, Lorenz Breidenbach, Ittay Eyal, and Ari Juels

    work page arXiv 2023

  29. [29]

    Sergey Nazarov, Steve Ellis, Ari Miller, Connor Tramp, and Benedict Thomas

    work page

  30. [30]

    Technical Report

    Chainlink 2.0: Next Steps in the Evolution of Decentralized Oracle Networks . Technical Report. Chainlink. https://chain.link/whitepaper

    work page

  31. [31]

    Optimism. 2025. Spinning up the batcher. https://docs.optimism.io/chain- operators/tutorials/create-l2-rollup/op-batcher-setup. Optimism Docs, Ac- cessed: 2025-11-09

    work page 2025

  32. [32]

    Wei Ou, Shiying Huang, Jingjing Zheng, Qionglu Zhang, Guang Zeng, and Wenbao Han. 2022. An overview on cross-chain: Mechanism, platforms, chal- lenges and advances. Comput. Netw. 218, C (Dec. 2022), 21 pages. https: //doi.org/10.1016/j.comnet.2022.109378

    work page doi:10.1016/j.comnet.2022.109378 2022

  33. [33]

    Michael Pacheco, Gustavo Oliva, Gopi Krishnan Rajbahadur, and Ahmed Hassan

    work page

  34. [34]

    ACM Trans

    Is My Transaction Done Yet? An Empirical Study of Transaction Processing Times in the Ethereum Blockchain Platform. ACM Trans. Softw. Eng. Methodol. 32, 3, Article 59 (April 2023), 46 pages. https://doi.org/10.1145/3549542

    work page doi:10.1145/3549542 2023

  35. [35]

    Patrick McCorry. 2022. Vote Buying as a Service, LobbyFi and DarkDAOs. https: //www.cryptofrens.info/p/vote-buying-as-a-service-lobbyfi accessed: 2026-13- 1

    work page 2022

  36. [36]

    Snapshot. 2025. SafeSnap Plugin. https://docs.snapshot.box/v1-interface/plugins/ safesnap-reality. Snapshot Docs, Accessed: 2025-11-09

    work page 2025

  37. [37]

    socrates1024. 2023. Demystifying Remote Attestation by Taking It On-chain. The Flashbots Collective forum post. https://collective.flashbots.net/t/demystifying- remote-attestation-by-taking-it-on-chain/2629

    work page 2023

  38. [38]

    Tellor. 2025. Tellor Disputes and Reporter Governance. https://docs.tellor.io/ layer-docs/disputes-and-reporter-governance. Dispute and slashing mechanism for reporter-submitted data; Accessed: 2025-11-11

    work page 2025

  39. [39]

    Quang Tran, Lin Chen, Lei Xu, Yang Lu, Rabimba Karanjai, and Weidong Shi. 2023. Cross Chain Bribery Contracts: Majority vs Mighty Minority. arXiv:2306.07984 [cs.CR] https://arxiv.org/abs/2306.07984

    work page arXiv 2023

  40. [40]

    UMA Project. 2024. UMA’s Optimistic Oracle and Data Verification Mechanism (DVM). Official Documentation. Accessed 2024. https://docs.uma.xyz

    work page 2024

  41. [41]

    UMA Project. 2025. How does UMA’s Oracle work? https://docs.uma.xyz/ protocol-overview/how-does-umas-oracle-work. Accessed: 2025-11-11

    work page 2025

  42. [42]

    W. J. Worlton. 1968. The Art of Computer Programming. Nuclear Science and Engineering 40 (1968), 358–358. https://api.semanticscholar.org/CorpusID: 59628087

    work page 1968

  43. [43]

    Tiancheng Xie, Jiaheng Zhang, Zerui Cheng, Fan Zhang, Yupeng Zhang, Yongzheng Jia, Dan Boneh, and Dawn Song. 2022. zkBridge: Trustless Cross- chain Bridges Made Practical. In Proceedings of the 2022 ACM SIGSAC Confer- ence on Computer and Communications Security (Los Angeles, CA, USA) (CCS ’22). Association for Computing Machinery, New York, NY, USA, 3003...

    work page doi:10.1145/3548606.3560652 2022

  44. [44]

    Xiaolin Zhang, Kailun Qin, Shipei Qu, Tengfei Wang, Chi Zhang, and Dawu Gu

    work page

  45. [45]

    arXiv preprint arXiv:2402.08908 (2024)

    Teamwork Makes TEE Work: Open and Resilient Remote Attestation on Decentralized Trust. arXiv preprint arXiv:2402.08908 (2024). https://arxiv.org/ html/2402.08908v2 A CONDITIONAL BRIBES In this section we consider an alternative adversary strategy where the bribe is conditional on the success of the attack. The game structure is the same as in section 6.1....

    work page arXiv 2024

  46. [46]

    The adversary’s utility at these𝛽𝑖 values and nodes’ response is𝑢adv = 𝐺 − Í𝑛 𝑖=1 𝛽𝑖 if she chooses to bribe the nodes, and 𝑢adv = 0 if she does not

    + 𝑐 to all nodes, the nodes’ unique best-response profile is that all nodes choose NoAlert. The adversary’s utility at these𝛽𝑖 values and nodes’ response is𝑢adv = 𝐺 − Í𝑛 𝑖=1 𝛽𝑖 if she chooses to bribe the nodes, and 𝑢adv = 0 if she does not. Thus, when the adversary’s gain from a successful attack is 𝐺 > 𝜆 𝑛(𝑛 − 1) + 𝑛 𝑐, then bribery is profitable. □ We ...

    work page

  47. [47]

    By the right inequality in Equation 8,𝜆(𝑛 −1) +𝑐 > 𝛽𝑖, so deviating is strictly profitable

    +𝑐. By the right inequality in Equation 8,𝜆(𝑛 −1) +𝑐 > 𝛽𝑖, so deviating is strictly profitable. Hence all NoAlert is not a Nash equilibrium. These are the only symmetric pure profiles and neither is a Nash equilibrium. □ C.3 Mixed Strategy Nash Equilibria By Lemma 7, whenever a bribe satisfies 𝜆 + 𝑐 𝑛 < 𝛽𝑖 < 𝜆(𝑛 − 1) + 𝑐, no symmetric pure Nash equilibriu...

    work page