The attestation of code running in the SGX enclaves seems to provide a strong argument in favor of the network being secure. How would we falsify this, though? The thing that would convince me is to pay some skilled security researchers to attempt attacks on the testnet, or if there were a large bounty that could be claimed by demonstrating attacks.
I have some ideas for attack vectors, but I haven’t done the work to really understand the security model, so maybe these ideas are naive.
What if an attacker was able to create a large number of validator nodes? It shouldn’t be much more expensive than hosting costs to outnumber honest nodes with dishonest nodes.
Maybe there is a way to fake the attestation service?
What is the discovery process like to determine which MobileCoin network to connect to? Would anything be gained by making a user’s mobile device connect to another network entirely?
The design of Stellar makes it politically hard to introduce a Sybil attack (spamming dishonest nodes). Further, a node joining the network with proper attested code couldn’t falsify a validation due to SGX attestation. There’s basically a two-part check here: are you a member of my quorum set AND do you have a valid attestation? The first is enforced with your SSL cert, the second with the enclave measurement quote. It’s definitely possible that both of these things could be faked, but such an attack on the entirety of the network (even one enclave with a real quote would scream if fake transactions were emitted by the rest of the network) is larger than we’ve ever seen in practice on the Internet. Again, anything is possible, but it’s definitely harder to imagine this attack than an attack against most other cryptocurrencies.
Right now this would involve compromising Intel. We expect Intel to allow the decentralization of attestation over time (there are a bunch of technical movements in this direction) which will make this harder. It is theoretically possible to fake the attestation service, but no one has seen this done in practice. Also, if a bunch of nodes start signing bad transactions, the rest of the network will scream. Again, even a single honest node in the entire network means we will know when any badness is happening.
Every validator configures their own quorum set. If a user’s device connects to another network they would have whatever state their keys have on that network and it wouldn’t impact their state on any other MobileCoin network. If a MobileCoin network that has forked attempts to rejoin a different MobileCoin network, the largest chain with quorum will win and destroy the shorter chain (this is a wholesale ledger replacement on conflict).
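The two-part check described in the reply above, sketched as an added example; it is not MobileCoin's code and not part of the original thread. Assumptions: quorum-set membership is modelled as a pinned SHA-256 certificate fingerprint, the enclave is assumed to place that fingerprint in the quote's report data, and verifying the attestation service's signature over the quote is left to the caller (`quote_sig_ok`).

```python
import hashlib
import hmac
from dataclasses import dataclass

# sgx_quote_t layout: 48-byte header, then the 384-byte report body.
BODY = 48
MRENCLAVE = slice(BODY + 64, BODY + 96)
REPORT_DATA = slice(BODY + 320, BODY + 384)
QUOTE_MIN_LEN = BODY + 384

@dataclass(frozen=True)
class Policy:
    quorum_cert_fprs: frozenset   # fingerprints of certs in my quorum set
    expected_mrenclave: bytes     # measurement of the enclave build I trust

def fingerprint(cert_der):
    return hashlib.sha256(cert_der).digest()

def admit_peer(policy, cert_der, quote, quote_sig_ok):
    """Return (admitted, reason); every check must pass.

    quote_sig_ok is the caller's result of verifying the attestation
    service's signature over the quote, which is not done here.
    """
    fpr = fingerprint(cert_der)
    if fpr not in policy.quorum_cert_fprs:
        return False, "not in quorum set"
    if not quote_sig_ok:
        return False, "quote not verified"
    if len(quote) < QUOTE_MIN_LEN:
        return False, "quote truncated"
    if not hmac.compare_digest(quote[MRENCLAVE], policy.expected_mrenclave):
        return False, "unexpected enclave measurement"
    # Assumed binding: the enclave puts the cert fingerprint in report_data,
    # so a valid quote cannot be replayed behind a different certificate.
    if not hmac.compare_digest(quote[REPORT_DATA][:32], fpr):
        return False, "quote not bound to this certificate"
    return True, "ok"

def make_quote(mrenclave, bound_fpr):
    """Build a constructed, unsigned quote-shaped byte string for the demo."""
    q = bytearray(QUOTE_MIN_LEN)
    q[MRENCLAVE] = mrenclave
    q[REPORT_DATA] = bound_fpr + bytes(32)
    return bytes(q)

# Constructed sample values (not real certificates or measurements).
CERT_A, CERT_B = b"constructed-cert-A", b"constructed-cert-B"
GOOD = hashlib.sha256(b"trusted enclave build").digest()
OTHER = hashlib.sha256(b"some other build").digest()
POLICY = Policy(frozenset({fingerprint(CERT_A)}), GOOD)
```

A peer holding a quorum-set certificate but running a different build fails the measurement check, and a genuine quote presented behind a certificate outside the quorum set fails the membership check.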