LOGO
Create Project
LOGO
Get started
Login

Abuse Resistance

How ShipLock defends against whales, bribery, sybil attacks, and collusion.

Abuse Resistance

ShipLock's validation system involves human judgment, which means it can be attacked. The protocol is designed to make attacks expensive, detectable, and unsustainable.

The Two-Factor Acceptance Gate

A check-in is accepted only if it passes both requirements:

  1. totalWeight >= thresholdWeightEconomic conviction
  2. endorserCount >= minEndorsersDiversity / anti-collusion

Neither alone is sufficient:

  • Weight alone isn't enough (whale can dominate)
  • Endorser count alone isn't enough (sybil swarm with minimum stake)

Together they force both capital and coordination.

Anti-Whale: Square Root Weight

The sqrt(stake) weight function creates diminishing returns:

StakeWeightCost to double weight
10010300 more stake
400201,200 more stake
1,600404,800 more stake
10,00010030,000 more stake

Going from 100 → 400 stake doubles weight (10 → 20). But going from 10,000 → 40,000 also doubles weight (100 → 200), requiring massive capital.

This makes "buying control" exponentially expensive.

Why sqrt is the right choice

  • Easy to explain and implement
  • Predictable behavior
  • Common in governance systems for whale resistance
  • Diminishing returns are intuitive

Anti-Whale Hardening (Post-MVP)

Optional mechanisms that can be added later:

Per-wallet weight cap

Maximum contribution per wallet = 40% of threshold. Even with huge stake, you still need others.

Stake-age gate

Only stake that existed before check-in submission counts. Prevents flash-stake attacks.

Randomized validator spotlight

UI surfaces "reviewers needed" to diversify the endorsement set beyond usual validators.

Bribery Defense

The criticism: "But endorsements can be bribed."

Yes, bribery is possible in any human validation system. ShipLock still works because:

Bribery must be repeated

Unlike a one-time exploit, a project must bribe endorsements every single cycle to avoid slashing. This becomes a cost center, not a one-time hack.

Bribery has a public footprint

Every endorsement is on-chain. Bribery creates detectable patterns:

  • Suspicious repeated validators
  • Unusual endorsement timing
  • Low-quality proofs being accepted
  • Validator clusters always endorsing the same projects

Even if bribery "works," it damages credibility metrics that are visible to everyone.

Thresholds increase the cost

The two-factor gate (weight + endorser count) means bribing requires:

  • Enough stake-weighted wallets to clear threshold
  • Enough distinct wallets to clear minimum endorsers
  • Every cycle, indefinitely

The goal isn't "truth"

ShipLock's goal is credible commitments with consequences — not objective truth. If a project bribes its way through, the bond is still at risk and the on-chain record tells the story.

Sybil Defense

A true sybil-proof system requires identity, reputation graphs, or external proofs. MVP keeps it practical:

MVP Anti-Sybil Controls

ControlHow it helps
minStakeSHIP (100 SHIP)Cost per fake identity
Project creation fee + bond minimumSpam deterrent
minEndorsers (3)Forces multiple funded identities
sqrt(stake) weightReduces reward per extra identity at high stake

What MVP Explicitly Does NOT Solve

Determined attackers creating thousands of funded wallets. ShipLock does not try to solve identity in MVP. It increases the cost of sybil attacks and makes abuse detectable.

Collusion Defense

Attack: A project + a small group collude to accept bad check-ins. They coordinate endorsements until threshold is hit.

Why it's limited

  • Costs stake or bribery — real capital at risk
  • Must repeat every cycle — not a one-time exploit
  • Public footprint — validator cluster behavior is visible on-chain
  • Off-chain reputation — credibility metrics can penalize suspicious patterns
  • Bond at stake — one missed cycle (when colluders aren't available) triggers slashing

Collusion doesn't break the enforcement core. It only affects subjective proof quality — something ShipLock treats as emergent, not centrally judged.

Reward Design: Preventing "Endorse Everything" Spam

If all endorsements are rewarded equally, validators will mindlessly endorse everything. ShipLock prevents this:

Only accepted check-ins earn rewards

If you endorsed a check-in that ends up REJECTED, you earn nothing. This aligns incentives: endorse only if you believe others will also endorse and it's legitimate.

Timing incentives (optional)

Earlier endorsements can receive slightly higher rewards, incentivizing quick review instead of late pile-ons.

Per-wallet caps

No wallet can earn more than a percentage of epoch rewards, preventing reward concentration.

Endorsement accuracy (post-MVP)

A validator acceptance rate tracks how often a watcher's endorsements end up on accepted check-ins. Endorsing rejected check-ins reduces the score. This becomes a reputation layer — best added after MVP.

Summary

AttackDefense
Whale dominancesqrt(stake) + minEndorsers
BriberyRecurring cost + public footprint + two-factor gate
SybilMinimum stake + fees + endorser count
CollusionPublic on-chain record + bond at risk + cycle repetition
Spam endorsementsRewards only for accepted check-ins