|
@@ -85,8 +85,10 @@ proposal and a DAO that offsets operational costs and rewards operators.
|
|
|
|
|
|
|
|
## Uncompromised hosts
|
|
## Uncompromised hosts
|
|
|
|
|
|
|
|
-This should go without saying - we assume that an adversary cannot read or write host memory, execute code, or otherwise
|
|
|
|
|
-compromise the running host operating system or platform while or after the node is running.
|
|
|
|
|
|
|
+This should go without saying - in the context of a single node, we assume that an adversary cannot read or write host
|
|
|
|
|
+memory, execute code, or otherwise compromise the running host operating system or platform while or after the node is
|
|
|
|
|
+running. If a supermajority of nodes is compromised, an attacker can produce arbitrary VAAs. If a superminority of nodes
|
|
|
|
|
+is compromised, the network may no longer achieve consensus.
|
|
|
|
|
|
|
|
Contrary to popular belief, hardware security modules do _not_ significantly change the risks associated with host
|
|
Contrary to popular belief, hardware security modules do _not_ significantly change the risks associated with host
|
|
|
compromise when dealing with cryptocurrency keys. A compromised host could easily abuse the HSM as a signing oracle,
|
|
compromise when dealing with cryptocurrency keys. A compromised host could easily abuse the HSM as a signing oracle,
|
Leo