Is Oxen a honeypot?
2022 June 5
I have concerns about the cryptocurrency Oxen (formerly Loki). Specifically, I think that the cryptocurrency and the privacy tools that run on top of it might be designed with the ulterior motive of enticing a government to try to take over.
This post is to present this possibility and why I think it's plausible, as well as arguments against this speculation. My purpose in this post is not to convince you one way or the other, but I do want you to consider the possibility.
Is "honeypot" the right word?
Probably not, but "Is Oxen a honeypot?" is a much less cumbersome title than "Is Oxen secretly a plot to entice a government takeover?"
Are you saying Oxen is a honeypot?
No. This post presents a possibility about Oxen. I don't know whether I believe it, myself, but it makes sense to me, so I'm raising a question (not giving an answer) which I think deserves to be part of the public discussion.
Why does this matter?
If Oxen is not properly decentralized (for example, if a government were to run a large proportion of the nodes), then users of Lokinet and Session could be deanonymized.
While Oxen and Lokinet still seem fairly obscure to me, I've seen a lot of discussion among other privacy enthusiasts about Session. I think it's particularly important to talk about this matter because it affects Session, a thing people actually use.
I have spent a decent amount of time already talking about Oxen. I've previously written two blog posts about Session, as well as one about Oxen. I did a nearly hour-long video series on the Oxen Ecosystem:
- Thoughts on the Oxen Ecosystem
I will provide a brief background in the next section, but I recommend watching that video series if you want a more thorough introduction.
What is Oxen?
Oxen is a privacy-focused proof-of-stake cryptocurrency that also powers a Tor-like anonymity mixnet called Lokinet and an anonymous, onion-routed, encrypted instant messaging app called Session. The Oxen Service Nodes which power the cryptocurrency are used for onion routing of Lokinet and Session traffic, and they are used to temporarily store Session messages so they can be sent even when the recipient is offline.
What is a Sybil attack?
A Sybil attack is when one entity creates many pseudonymous identities in a system to gain disproportionate influence over that system. In the context of an onion routing network like Tor or Lokinet, this means setting up many nodes. If nodes are chosen randomly, the more nodes you run, the more likely it is that a given circuit will contain more than one of your nodes. If you control all the nodes in a given circuit (or even just the beginning and the end nodes), then you can combine the information known by your nodes to deanonymize users.
Oxen and Sybil attack resistance
Is Oxen resistant to Sybil attacks?
In order to run an Oxen Service Node (the nodes which create new blocks for the Oxen cryptocurrency and provide infrastructure for Lokinet and Session), one must stake a certain amount of $OXEN cryptocurrency (currently 3,750 $OXEN, current USD value around $1,500). In other words, one must have 3,750 $OXEN per node that they run.
They don't have to spend this money (and, in fact, they're rewarded with more $OXEN for having it and running a node), but they have to acquire more and more of the cryptocurrency the more nodes they want to run.
According to the Oxen project, this should help the network resist Sybil attacks:
"In our case, as an attacker accumulates $OXEN, the circulating supply decreases, in turn applying demand-side pressure and driving the price of $OXEN up. This effect spirals, making it increasingly costly for additional $OXEN to be purchased and thus making an attack prohibitively expensive."
Oxen also makes an effort to limit the available supply of $OXEN at a time to further limit an attacker's access.
These protections are further discussed in How blockchains protect themselves from Sybil attacks and Loki Cryptoeconomics.
(A member of the Oxen team pointed out another protection to me: In the event of a successful Sybil attack, it would be possible, if the network supported this action, to hard fork, burning the attacker's coins and shutting them out.)
Wait, so Sybil attacks are good for investors?
I see two important consequences of this model...
First, launching a Sybil attack is expensive and (it is argued in the "Loki Cryptoeconomics" paper) unlikely to pay off monetarily even if successful. In other words, Oxen discourages Sybil attacks specifically from rational economic actors whose goal is to gain money and avoid losing money. This still leaves room for patient, well-funded attackers with other motivations, such as a government aiming to surveil users seeking anonymity.
The second consequence I find more interesting: If someone attempts a Sybil attack, the line goes up. In other words, a Sybil attack against Oxen (attempted or successful) stands to make those "invested" in the cryptocurrency (presumably including the developers) richer.
Does Oxen encourage government attack?
Oxen makes privacy tools (Lokinet and Session) whose onion routing-based anonymity depends on the decentralization of the underlying Oxen Service Node network. In other words, the best path to deanonymizing the network is to take over a large proportion of the network. This is largely just the nature of onion routing, and Oxen argues that its approach does a better job of defending against this inherent weakness than, e.g., Tor where there is a very low barrier-to-entry for running a node.
For the most part, I think these tools might be attractive targets for government attack simply because they empower people with privacy and anonymity. I think these will be especially attractive targets if they become very popular and/or if they are known to be used for purposes that those governments are trying to combat. (These could be bad purposes like spreading child sexual abuse material, or good purposes like sharing subversive speech against a repressive government.) Obviously, I support privacy tools like these; I just find it suspicious that such an attack (a bad thing) would apparently be profitable by design.
I do want to look at Session, which has made a choice I find particularly suspect.
Session was made a more valuable target
Since Session does not have a traditional client-server model, it's non-trivial to capture a given user's messages. Let's look at how to do this.
To ensure deliverability, Session messages are temporarily stored on swarms of (usually 5-7) Oxen Service Nodes. Service Nodes do not choose in which swarms to participate, so an attacker who wants to participate in a given swarm (to access a given user's messages) must run a very large number of nodes, enough to be a participant in most or all swarms. This is to say, they must perform a Sybil attack.
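To put numbers on the swarm argument above and on the earlier point about circuits, the following added example (not from the original post or the Oxen project) models both as uniform random draws of distinct nodes, which is an assumption about how selection works. The stake figures are the ones quoted in this post; the network size of 1,500 honest nodes is constructed for illustration.

```python
from math import comb

STAKE_OXEN = 3750      # stake per Service Node, as stated in the post
USD_PER_STAKE = 1500   # approximate USD value of one stake, as stated in the post

def p_swarm_hit(total, attacker, swarm_size):
    """P(at least one attacker node sits in one swarm), assuming the swarm is
    a uniform random draw of `swarm_size` distinct nodes (modelling assumption)."""
    if not 0 <= attacker <= total or swarm_size > total:
        raise ValueError("need 0 <= attacker <= total and swarm_size <= total")
    # comb() returns 0 when too few honest nodes remain to fill the swarm
    return 1 - comb(total - attacker, swarm_size) / comb(total, swarm_size)

def p_circuit_ends(total, attacker):
    """P(first and last hop of a circuit are both attacker nodes), with the
    hops drawn uniformly at random without replacement."""
    if total < 2 or not 0 <= attacker <= total:
        raise ValueError("need total >= 2 and 0 <= attacker <= total")
    return attacker * (attacker - 1) / (total * (total - 1))

def nodes_for_coverage(honest, swarm_size, target):
    """Smallest number of nodes that must be added to `honest` existing nodes
    before p_swarm_hit reaches `target`."""
    if not 0 <= target < 1:
        raise ValueError("target must be in [0, 1)")
    added = 0
    while p_swarm_hit(honest + added, added, swarm_size) < target:
        added += 1
    return added

def stake_floor_usd(nodes):
    """Stake value at a flat price. This is a lower bound: the quoted Oxen
    argument is that accumulating $OXEN drives the price up."""
    return nodes * USD_PER_STAKE

if __name__ == "__main__":
    HONEST = 1500  # constructed network size, not a figure from the post
    for target in (0.10, 0.50, 0.90, 0.99):
        k = nodes_for_coverage(HONEST, 5, target)
        total = HONEST + k
        print(f"swarm coverage {target:.0%}: {k} nodes "
              f"({k / total:.0%} of network), "
              f"{k * STAKE_OXEN:,} $OXEN, >= ${stake_floor_usd(k):,}, "
              f"circuit ends {p_circuit_ends(total, k):.1%}")
```

The dollar column is only a floor at a flat price, so it shows the minimum cost the staking requirement imposes before any price movement.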
But would an attacker be incentivized to do this costly attack?
Forward secrecy is a property that makes capturing and storing encrypted messages less valuable to an attacker. Without forward secrecy, an attacker who compromises a user's private key can go back and decrypt all past messages sent to that user. Forward secrecy regularly changes the encryption key to prevent this. In other words, launching a Sybil attack to capture Session users' messages would be more worthwhile if Session did not have forward secrecy and less worthwhile if Session did have forward secrecy.
Session originally used the Signal Protocol, which provides forward secrecy (as well as a similar "self-healing" property which also makes passively capturing and storing messages less worthwhile). However, in December 2020, the Session team announced that Session would be moving instead to its own Session Protocol, which provides neither forward secrecy nor self-healing. (They also added non-repudiable signatures.)
The stated motivation is that the new protocol is simpler and works better with Session's decentralized model (and, Session argues, those security properties aren't really that useful anyway), but I think it's significant that the Session team intentionally weakened the security properties of Session in a way that makes it a more valuable target for a Sybil attacker.
What does Oxen have to say?
I reached out to the Oxen team with these concerns. A member of the team replied and gave basically 2 arguments. (I was not given permission to publish the email itself, but I will summarize the points.)
The honest route is best
First, the best way for the team to get rich is to make apps that people believe in and want to use. They want lots of users, and if people think it's a honeypot, they won't use it.
This point makes sense, although I simply don't know what the cost-benefit analysis would look like, so I can't comment on whether I think the honest route would be more or less profitable.
Longevity of the project
Second, Oxen development has been going on for over 4 years and has achieved a lot, which is evidence that it's not a "get rich quick" scheme.
I've been following the development team for a while. They do a weekly dev update, which I follow. It definitely seems to me like they work hard on this project. (In fact, I complained in one of my videos about the software not feeling stable because they were doing too much work to change it!) They certainly have produced powerful, usable software in that time. I think this argument holds weight.
Ultimately, I'm asking a question about intentions, and we can't conclusively prove those one way or another. While I'm generally very anti-cryptocurrency, Oxen actually seems somewhat reasonable to me, and I would like to believe that the Oxen team has good intentions. Still, I think we should consider the possibility that they do not.
I think the design of Oxen creates misaligned incentives for the developers, and that this is cause for concern. I find the changes made to Session particularly suspicious. (I'm critical of these changes in general. I have been quite vocal about this in everything I've ever said about Session.)
On the other hand, I do think that the developers' hard work over the years speaks to their dedication to the project.
Ultimately, even with the best of intentions now, it's always possible that should a powerful adversary try to take over the network, the Oxen team will take it as an opportunity to simply sell their $OXEN and walk away.