Paper 2020/175

Lower Bounds for Off-Chain Protocols: Exploring the Limits of Plasma

Stefan Dziembowski and Grzegorz Fabiański and Sebastian Faust and Siavash Riahi

Abstract

Most of blockchains do not scale well, i.e., they cannot process quickly large amounts of transactions. Moreover, using blockchains can be expensive in real life, since blockchain operations cost fees. One of the remedies for these problem are \emph{off-chain} (or: \emph{Layer-2}) protocols where the massive bulk of transactions is kept outside of the main blockchain. In the optimistic case, off-chain protocols drastically improve scalability, since typically the users only need to communicate with the blockchain when they enter, or when they exit the system. In the pessimistic case when parties are malicious a ``smart contract'' running on the underlying blockchain guarantees that no coins are stolen. In this work we initiate the study of the inherent limitations of off-chain protocols. Concretely, we investigate the so-called \emph{Plasma} systems (also called ``commit chains''), and show that malicious parties can always launch an attack that forces the honest parties to communicate large amounts of data to the blockchain. More concretely: the adversary can always (a) either force the honest parties to communicate a lot with the blockchain, even though they did not intend to (this is traditionally called \emph{mass exit}); or (b) an honest party that wants to leave the system needs to quickly communicate large amounts of data to the blockchain. What makes these attacks particularly hard to handle in real life (and also making our result stronger) is that these attacks do not have so-called \emph{uniquely attributable faults}, i.e.~the smart contract cannot determine which party is malicious, and hence cannot force it to pay the fees for the blockchain interaction. An important implication of our result is that the benefits of two of the most prominent Plasma types, called \emph{Plasma Cash} and \emph{Fungible Plasma}, cannot be achieved simultaneously. Our results apply to every Plasma system, and cannot be circumvent by introducing additional cryptographic assumptions.