Informal proofs on system bounds

This is an attempt to informally prove the properties of our system assuming it can be played in some idealized state with a linear external notional.

Game definition

The core of the system is the dispute game. A manipulator's turn begins when the true price has drifted a distance Y in their favor from an established report. At this point, the manipulator submits a new report a further distance R away from the true price.

This game can be played from two positions:

1. As an Initial Reporter: The manipulator makes the first-ever report, so their opportunity to play is guaranteed (effectively, P(G) = 1 for their first move).

2. As a Disputer: The manipulator challenges a pre-existing report and must wait for the price to drift by Y to make their move (P(G) < 1).

In the case either the manipulated report or dispute are not themselves disputed, the manipulator earns R on their external notional. In the case where the prior report or dispute was disputed in the manipulator's favor, they earn the right to place a new manipulative report R away. If not disputed in the manipulator's favor, an honest disputer corrects the price to neutral.

Core variable definitions

R = absolute distance of the manipulator’s optimal report (≤ swap-fee F) from the price at time of manipulation. Optimal maximizes EV. For simplicity, we treat R as a fixed profit. In reality, because a manipulated report creates a lopsided 'safe zone' for the true price, the price conditional on an undisputed round is expected to drift further from the closer dispute boundary than it was at the start of the round, which negatively impacts the manipulator. Y = The absolute distance from report at which the manipulator decides to submit a dispute F = swap fee of the report. P(G) = probability the price first hits Y after an honest report (entry to the game) P(A) = probability that a manipulator’s report survives undisputed. Gain R against external notional. P(B) = probability the first dispute in the manipulator's report goes against their external position. Still receive fair starting price so 0 EV from price moving. Game continues in a new dispute. P(C) = probability the first dispute in the manipulator's report benefits them (gives them a chance to report an even more beneficial price R away from that). Game continues in a new dispute. They go immediately to the A game state without needing P(G) to go their way. P(A) + P(B) + P(C) = 1

R_i = absolute distance of the initial manipulative report from the true price ( ≤ F )

Goal 1

Characterize and bound the arbitrage loss by analyzing the game's two core states: the Neutral State (with value E_0) and the Active State (with value E_1). We will use these to determine the value for the privileged Initial Reporter (E_initial).

Proof 1

The ongoing dispute game is defined by two linked states. E_0 is the value from a neutral state, where a manipulator must wait for an opportunity. E_1 is the value from an active state, where a manipulative report is already live.

The system is defined by the following two equations:

1. E_0 = P(G) * E_1

2. E_1 = P(A) * R + P(B) * E_0 + P(C) * E_1

Substitute (1) into (2): E_1 = P(A) * R + P(B) * (P(G) * E_1) + P(C) * E_1

Solve for E_1: => E_1 - P(C) * E_1 - P(B) * P(G) * E_1 = P(A) * R => E_1 * (1 - P(C) - P(B) * P(G)) = P(A) * R => E_1 = (P(A) * R) / (1 - P(C) - P(B) * P(G))

Using the identity 1 - P(C) = P(A) + P(B), the denominator becomes P(A) + P(B) * (1 - P(G)). => E_1 = (P(A) * R) / (P(A) + P(B) * (1 - P(G)))

This analysis holds for non-degenerate cases with denominator > 0. This condition fails only if P(A) = 0 and P(B) = 0 (implying P(C) = 1), which represents a zombie game state with no arbitrage loss that never ends. Now we can find E_0, the value for a Disputer starting from neutral: E_0 = P(G) * E_1 = (P(G) * P(A) * R) / (P(A) + P(B) * (1 - P(G)))

Since P(G) is a probability between 0 and 1, (1 - P(G)) is >= 0. This means the denominator P(A) + P(B) * (1 - P(G)) is always >= P(A). So, E_1 = R * (P(A) / Denominator) <= R. Since E_1 <= R, it follows that E_0 <= R as well. So, the ongoing dispute game is bounded by R <= F.

The Initial Reporter gets one privileged first move. If that move is disputed, they are demoted to a normal player, and the future value is determined by the game states E_0 and E_1.

E_initial = P(A) * R_i + P(B) * E_0 + P(C) * E_1

We know E_0 <= R and E_1 <= R. Assuming R_i is also <= R for a consistent strategy: => E_initial <= P(A) * R + P(B) * R + P(C) * R => E_initial <= R * (P(A) + P(B) + P(C)) => E_initial <= R * (1) => E_initial <= R <= F

The maximum system loss is the Initial Reporter's value, E_initial, which is strictly bounded.

P(G) upper limit with unbiased walk bound assumption:

Let X = F/(F+Y) and assuming P(G) <= X. => E_0 = P(G) * E_1 <= X * E_1

Substituting this into E_initial formula: => E_initial = P(A) * R_i + P(B) * E_0 + P(C) * E_1 => E_initial <= P(A) * R_i + P(B) * (X * E_1) + P(C) * E_1

Because R_i <= F and E_1 <= F: => E_initial <= F * [P(A) + P(B) * X + P(C)]

Goal 2

To assert bounds for the manipulator's optimal report placement Y*. Recall a dishonest report is submitted when the true price has drifted a distance Y in the manipulator's favor. We will calculate the one-shot game EV of the manipulator as EV(Y) and use it in the proof. An arbitrarily low Y* would imply a low P(A) which would mean extremely long finalization times, so a bound on it would be nice to have.

Additional variables:

K_min = A constant representing the slope of survival probability vs. the distance to the nearest dispute boundary. It captures how quickly P(A) increases with Y. 0 < K_min <= 1. Empirical, not needed in final bound as it cancels.

L(Y) = A function representing the fraction of Y by which the surviving price is biased. It captures the strength of the "survival bias" effect. L(Y) ≥ 0. L(Y) higher is strictly worse for the manipulator. L'(Y) <= 0 for any unbiased walk. Let Lmax(Y) be the worst-case ceiling of L(Y). It is non-increasing, so L'max <= 0. Bias = how far the conditional mean is pulled toward the farther barrier in an unbiased walk. Bias <= F * Y /(F+Y), per settlement window. For example, if i told you the price of ETH was $999, and then four weeks later I told you it's still under $1000 but over $900, you would expect it to be much further than just a dollar away from $1000, without knowing the actual price. R_eff = effective gain on manipulated report adjusting for the conditional probability of staying inside the barrier's effect on biasing the expected distance from the closer barrier. S = standard deviation over time period T

Proof

EV(Y) = P(A)*(R-bias) bias = L(Y)*Y, R_eff = R - bias ⇒ EV(Y) = P(A) * R_eff let L = L(Y) R_eff = (F-Y) - (L*Y) = F - (1+L)*Y One-shot EV of manipulator: EV(Y) = P(A) * [F − (1+L)*Y] Given P(A) = K_min * Y / F, manipulator's EV floor (worst possible outcome): ⇒ EV(Y) = K_min * ( Y / F )* [F - (1+Lmax)*Y] take derivative of EV(Y) with respect to Y, set to 0 to find the choice of Y which maximizes EV: ⇒ F - 2 * (1 + Lmax) * Y - L'max * Y^2 = 0 Sparing the reader proof of maxima vs minima we rearrange: ⇒ F = 2 * ( 1 + Lmax ) * Y + L'max * Y^2 Because Lmax is a decreasing function, its derivative L'max is either negative or 0. So, we know the following to be true: F <= 2 * ( 1 + Lmax) * Y Rearrange and set Y = Y*: Y* ≥ F / ( 2 * (1 + Lmax)) Next, 1 + Lmax in the denominator implies the Lmax that makes Y* lowest is the highest Lmax we can get. Without any distributional assumptions, there is no cap on Lmax. We will use a Brownian upper envelope to attempt to bound the bias so we can have a lower bound on Y*. Lmax ceiling: if Y < S * sqrt(T) / 2 ⇒ Lmax <= 1 else ⇒ Lmax <= S * sqrt(T) / Y

Case 1 (Y < S * sqrt(T) / 2): Y* ≥ F / 4 Case 2 (Y >= S * sqrt(T) / 2) Y* ≥ (F - 2 * S * sqrt(T)) / 2 Since Y<S* sqrt(T) / 2 ⇒ Y* ≥ S * sqrt(T) / 2 ⇒ Y* ≥ max( F/4 , S * sqrt(T) / 2) Next, we have only proven a lower bound for some Y* (call it Y_floor) for the floor EV of the manipulator, call it EV_floor(Y). We need to prove that for all Y in [0,F] , EV_true(Y) >= EV_floor(Y). This would prove a lower bound on the Y* for the strategy maximizing EV for the manipulator. We will attempt to prove this by contradiction. By definition K_min is a global infimum of P(A)/(Y/F) and L_max is a global supremum of L(Y), so EV_true(Y) ≥ EV_floor(Y) for every Y. However, we still are not sure where the peak of the EV_true(Y) curve is with respect to Y. Assume, for contradiction, that the true EV curve IS actually maximized at some Y strictly below the lower bound we just derived. So,

1. Let Y₀ < Y_floor, where Y_floor = max( F⁄4 , S * sqrt(T) ⁄ 2 ).

2. By construction of the floor curve we proved earlier, for every Y EV_true(Y) ≥ EV_floor(Y). (The floor is the worst case the manipulator can ever face.)

3. We also showed EV_floor(Y) is strictly increasing on the interval 0 < Y < Y_floor (L'max <= 0). Therefore EV_floor(Y_floor) > EV_floor(Y₀).

4. Combine (2) and (3): EV_true(Y_floor) ≥ EV_floor(Y_floor) > EV_floor(Y₀).

5. Again using (2) at Y₀: EV_true(Y₀) ≥ EV_floor(Y₀).

6. Chain the inequalities from (4) and (5): EV_true(Y_floor) > EV_floor(Y₀) ≤ EV_true(Y₀).

So we have EV_true(Y_floor) > EV_true(Y₀).

1. But Y₀ was assumed to maximize EV_true. That contradicts step 6.

Hence no maximizer of EV_true can lie below Y_floor. Therefore the manipulator’s optimal patience Y* is bounded below by

 Y* ≥ max( F⁄4 , S * sqrt(T) ⁄ 2 ). So how can we get Y* ≥ F/4? S * sqrt(T) / 2 ≥ F/4 ⇒ S * sqrt(T) ≥ F/2 So, when S = T = 1, Y* ≥ F/2 and we recover something resembling R = Y = 0.5, in the worst outcome for the manipulator which bounds their best possible outcome to at least the same Y*. There's an interesting result when we have the standard deviation of the settlement window be greater than two times the swap fee: Y* >= S * sqrt(T) /2 ⇒ Y* > 2F * sqrt(1) / 2 ⇒ Y* > F Since we know Y <= F, it seems like, as soon as S > 2F, it becomes unprofitable to even try to manipulate the oracle because there is no Y with positive EV. So the game collapses to only honest disputers with no arbitrage loss at the tradeoff of more honest disputes prolonging the game. Take-away: Y* is bounded below depending on the parameters set for the oracle instance. Y-close-to-zero attacks are not the optimal strategy.