DAP staking changes significantly reduced Polkadot's security -- a wrong premise, and a bet against the industry

Summary

The case for the Dynamic Allocation Pool (DAP) asks the Polkadot community to measure economic security by a lower bound – validator self-stake plus an annuity of forfeited future rewards, about 12.5M DOT today – instead of the nominator-inclusive slashable stake, which the write-up’s own accounting puts at ~285M DOT and our independent computation puts at ~224M today (§4.1), and to conclude that removing nominator slashing is therefore safe.

This forum post reviews DAP, and we make three claims:

  1. DAP’s central premise – that a successful attack sends DOT’s value to zero – fails. It is internally inconsistent as used, it inverts how nine years of security literature treats value destruction, and it contradicts the accountable-safety design of Polkadot’s own finality gadget.
  2. DAP is a bet against the entire industry. Its argument uses nothing specific to Polkadot: if it is sound, every chain whose safety rests on slashing – Cosmos, Ethereum, every slashing-BFT design – is carrying two orders of magnitude more at-risk collateral than its security requires and could give delegated stake full consensus weight while exempting it from slashing, for free. None does. Polkadot under DAP would be the first chain to keep an accountable-safety consensus while giving full weight to the stake it has made unslashable.
  3. The real numbers, computed independently from chain state, show a significant reduction in Polkadot’s security. The collateral a corrupting third of the validator set must expose to slashing is ~224M DOT today. DAP’s substitute metric reports ~12.5M – an 18× reduction achieved by re-measurement, not by anything that happened on chain, and justified only by the failed premise. Worst-cased consistently, DAP’s own bound is ~2M. And referendum 1910 then makes ~2M the real figure: post-DAP, the at-risk floor is 2.01M DOT – a ~113× collapse that requires no assumption about post-attack price.

Thesis in one line: DAP is justified by a coordination attack whose chief antidote – slashable collateral – it switches off, on a value-destruction assumption that the security literature only ever places on the attacker’s side and that Polkadot’s own accountable-safety design contradicts.


1. The argument under review

Restated faithfully, DAP’s argument runs:

An adversary posts a bounty just above the lower bound L, payable to validators who help break consensus if the attack succeeds. If the attack succeeds, “all value would be wiped” (and, the write-up adds, the network’s value “diminishes and can’t be revived”), so a validator’s honestly-held stake becomes worthless anyway. Refusing the bribe therefore protects nothing; given that a chain-breaking coalition forms, each validator’s best response is to defect; all-defect is a Nash equilibrium. The operative worst case is therefore L – self-stake plus the net present value of forfeited future rewards – not the ~285M DOT of nominator-inclusive stake. Since L does not depend on nominator stake, removing nominator slashing does not lower the operative security floor.

On the live set (600 validators), our faithful recompute of L gives 12.45M DOT, of which 87% is the annuity of forfeited future rewards (era 2211–2212; the DAP write-up’s own status-quo figure is 14.7M). The slashable self-stake of the cheapest corrupting third of the set is ~2M DOT (1.98M, era 2221).

Every step of the argument routes through the clause “all value would be wiped”:

  • “Staying honest protects nothing” requires the honest stake to become worthless on success.
  • “The bounty is credibly collectible” requires the chain not to recover and claw it back.
  • “The floor is L” requires the forfeited future rewards – 87% of L – to still be worth something.

Remove the value-to-zero premise and none of the conclusions follow. The next section shows it fails three independent ways.


2. The premise fails

2.1 Internally: the premise that fires the cascade also dissolves the floor

L is a coherent security floor only in the world where DOT retains value. Its largest component – the annuity, 87% of the number – is a claim on future validator rewards, and a claim on future rewards presupposes a surviving, valuable chain. That is the value-not-zero world. But the same argument invokes value-to-zero to make honesty collapse. The premise cannot hold in the place the conclusion needs it and fail in the place the number needs it. Split the two cases and the conclusion loses in both:

Value → 0 true Value → 0 false
Is L the operative floor? No – refusing protects nothing, so the bribe collapses toward ε per validator (Buterin’s P+ε, §2.2), and the annuity that is 87% of L is worth zero YesL ≈ 12.5M is coherently computed
Does the coordination cascade fire? Yes No – honesty still protects live, valuable stake
Is removing nominator slashing safe? Moot – the price wipes honest and dishonest identically; unslashability changes nothing No – slashing is the live deterrent being removed

Read the columns. If value really goes to zero, then L is not the floor the argument claims – the operative bribe is far below it, because a validator that gains nothing from honesty defects for almost nothing – and unslashability is beside the point, because an indiscriminate price collapse cannot tell friend from foe (deterrence requires a penalty targeted at provable misbehavior; a universal wipeout equalizes the honest and the dishonest). If value does not go to zero, L is computed correctly, but the cascade never fires, honest validators keep live stake worth protecting, and nominator slashing is exactly the deterrent that holds them. There is no setting of the premise on which “the operative worst case is L, so removing nominator slashing is safe” follows.

2.2 Against the literature: value destruction belongs to the attacker

The bribery-coordination attack DAP invokes has a nine-year published lineage, and the falsifiable claim is this: whenever value destruction enters a security model in that lineage, it enters on the attacker’s side – as an external payoff or a cost-reducer – never as a defender-side source of security.

  • Buterin, The P+ε Attack (2015) – the paper whose “cost to attack collapses” headline the DAP argument echoes – achieves the collapse with a failure-conditional payment and needs no value destruction at all. The bribe pays out only if the attack fails, which makes defection weakly dominant and the attack near-costless in equilibrium. DAP’s success-conditional bribe is a different and weaker game (see FAQ), propped up by a value-to-zero assumption P+ε never needed.
  • Bonneau (Why Buy When You Can Rent?, FC 2016), Budish (The Economic Limits of Bitcoin and the Blockchain, NBER 2018; published as Trust at Scale, QJE 2025), Ford & Böhme (2019) all model the attack payoff as external to the token – a double-spend, a rental arbitrage, a short position that profits because the token collapses. In every case value destruction makes attacks cheaper or more profitable. It is the reason validators defect, not the reason they stay honest.
  • Karakostas, Kiayias & Zacharias (CCS 2024, arXiv:2402.06352) is the one paper that quantitatively parameterizes how much an attack destroys value – and derives the sign: the attacker’s budget to sustain the all-bribed equilibrium decreases as the attack’s value destruction increases. The same paper’s positive result – the field’s antidote – is that slashing and dilution can restore the honest protocol as an equilibrium. Slashable live collateral, not value collapse, is what defends.

DAP takes a phenomenon the literature uniformly scores as an attacker subsidy and re-labels it a security floor for the defender. That is a sign error relative to every source in the lineage.

2.3 Against Polkadot’s own design – and the historical record

GRANDPA, Polkadot’s finality gadget, is built on accountable safety (as is Casper FFG, from which the property is drawn): if a safety fault occurs – two conflicting finalized blocks, which requires ≥⅓ of validators to vote against the protocol rules – the misbehaving validators are provably identifiable from their own signed protocol messages (GRANDPA paper, Theorem 4.1: at least f+1 Byzantine voters can be identified). Attributable means slashable and forkable. The design premise of Polkadot’s own consensus is that a ≥⅓ safety fault is a recoverable, punishable event – the literal opposite of an unrecoverable extinction. If value-to-zero were true, accountable safety would be pointless: there would be no chain left to recover and no one worth slashing. Polkadot’s designers spent enormous effort on GRANDPA’s accountability precisely because they do not believe a safety fault ends the chain.

The historical record agrees. Ethereum Classic absorbed multiple 51%/deep-reorg attacks (January 2019; several in August 2020, including three in one month), suffered real double-spends – and survived, trading continuously since. The Monero/Qubic hashrate episode (2025, reorgs up to 18 blocks) produced a single-digit-percent dip that recovered within days, with no confirmed theft. Attacked chains get hurt and recover. None has gone to zero. (On why PoW reorgs are a fair reference class here, see the FAQ.)

Conclusion of §2: we live on the recovery branch. On that branch, honest validators hold live, valuable stake, so the cascade never fires; the bribe is not credibly collectible, because accountable safety names the defectors and the chain recovers; and the deterrent that holds the equilibrium is the targeted, full-exposure slash on live tokens. That is the deterrent DAP disables.


3. The bet against the industry

The DAP argument uses nothing specific to Polkadot. Read the coordination game on its own terms: a briber, a set of stake-weighted validators, a threshold coalition, a bounty. Nowhere does it invoke Phragmén election, maximin support, or anything else that distinguishes NPoS from generic delegated proof-of-stake. The argument is therefore portable: if it is sound on Polkadot, it is sound everywhere, and it proves the same thing everywhere – that slashing delegated stake buys no security, because the “real” floor is what a bribed operator personally forfeits, which delegated stake never raises.

So look at what the industry actually does. The relevant comparison class is the chains whose safety, like Polkadot’s, rests on slashing – the accountable-safety BFT designs that price the cost of corruption in burnable collateral: Tendermint/Cosmos, Ethereum’s Casper FFG, Polkadot’s GRANDPA finality and ELVES parachain-validity protocol. In this class, no production chain gives unslashable stake full weight in its safety denomination. Cosmos slashes delegations pro-rata alongside the validator. Ethereum has no protocol delegation to exempt, and its dominant liquid-staking venue (Lido) socializes slashing losses to the token holders who supply the stake. Polkadot, pre-DAP, slashes nominator backing at full weight. (Two apparent exceptions – the chains that never slash at all, and Tezos – are addressed in dedicated FAQ entries; neither is a counterexample.)

If the DAP argument is right, this entire class is over-provisioned. Cosmos could exempt its delegators, Lido could stop passing slashes to stETH holders – and every slashing-BFT chain is carrying roughly two orders of magnitude more at-risk collateral than its security requires, a free lunch a competitive, heavily-audited industry has somehow left on the table. Polkadot under DAP would be the first chain in the class to give full consensus weight to stake it has made unslashable – keeping an accountable-safety design whose entire purpose is to make faults attributable so collateral can be burned, while exempting from burning the stake that backs it.

Either the industry’s uniform practice is a hundred-fold error that DAP alone has seen through, or the argument for the full-weight exemption is missing something. §2 identified what it is missing.


4. From 224M to 2M

The descent from Polkadot’s actual security to DAP’s headline number happens in two reductions – one performed by argument in the DAP write-up, one performed on chain by referendum 1910. Neither survives scrutiny, and they end at the same place.

4.1 The pre-DAP figure, computed independently

The starting point needs no DAP methodology. Sort the active set by total slashable exposure (the on-chain Staking.ErasStakersOverview map), take the cheapest corrupting third (201 of 600 validators), and sum: 224.0M DOT. That is the minimum collateral any coalition capable of a GRANDPA safety fault must expose to slashing.

Its meaning as a security figure comes from the peer-reviewed, non-W3F literature. In Budish’s economic-limits framework (QJE 2025), a chain is secure against any attack whose external payoff is smaller than the capital the attacker stands to lose. For a self-inserting attacker – one that supplies or marshals the backing behind its own validators – that loss is the full 224M: an attacker supplying the backing internalizes the slash directly, and one marshaling third-party backing must compensate its owners for the same expected loss. Pre-DAP the 224M is borne either way. Karakostas–Kiayias–Zacharias’s positive result (CCS 2024) assigns the same quantity the same role: the destructible collateral of the deviating coalition is the counter-incentive that renders the honest protocol an equilibrium. In both frameworks, pre-DAP Polkadot is secure against attacks worth up to ~224M DOT.

The DAP write-up’s own accounting corroborates the number rather than contradicting it: DAP’s upper bound (“Scenario A,” ~285M, computed with a per-seat shortcut) and the naive ⅓-of-total-stake figure (~278M) land within ~30% of the independent computation. The dispute is not what the metric says; it is his decision to discard the metric.

4.2 First reduction: 224M → 12.5M, by re-measurement

The DAP write-up replaces this figure with the lower bound L ≈ 12.5M – an 18× reduction in which nothing on chain moves. (The two figures come from snapshots ~10 eras apart; the staked total moved under 2% between them, immaterial to the ratio.) The reduction is achieved entirely by swapping the measurement instrument: from collateral at risk (what the protocol can burn on a misbehaving coalition) to what a bribed incumbent personally forfeits (its self-stake plus its own forgone rewards). The swap’s only justification is the value-to-zero cascade – nominator stake is declared illusory as security because a successful attack allegedly wipes everyone out regardless – and that justification is what §2 dismantled.

Two properties of the substituted metric complete the picture. It is nominator-independent by construction, so it is guaranteed – before any economics is done – to read the same on both sides of a reform whose entire content is nominator collateral; its invariance under DAP is a property of the instrument, not evidence about the network. And the discarded metric is not some external standard: it is Cevallos & Stewart’s “total collateral susceptible to being lost” (arXiv:2004.12990), the quantity NPoS’s maximin-support election exists to maximize, which Gehrlein both computes himself (Scenario A) and has published within (arXiv:2312.11408).

4.3 Second reduction: 12.5M → 2M, by the argument’s own worst-case discipline

Even the 12.5M does not survive the argument’s own premise. As §2.1 showed, L is a coherent floor only in the value-not-zero world; in the value-to-zero world the argument needs, its 87%-annuity component is worthless and the operative bribe collapses below it. So the largest number the DAP framework can consistently defend as a worst-case floor is the slashable self-stake of the cheapest corrupting third: ~2M DOT.

So the honest reading of the DAP write-up’s own framework is not “security is 12.5M.” It is: security today is ~224M; the write-up re-measures it at 12.5M on a premise that fails; and consistent worst-casing of its own substitute yields ~2M. What makes this more than an accounting dispute is that referendum 1910 then makes the ~2M real.

4.4 DAP enacts the 2M floor

The mechanism in code

In the staking-async implementation, nominator slashability is a Root-controlled configuration flag:

  • AreNominatorsSlashable is a storage value defaulting to true, settable via set_staking_configs under ensure_root.
  • Offence processing branches on the per-era snapshot of the flag: when true, the full nominator-inclusive path (process_offence) runs; when false, process_offence_validator_only slashes the validator’s own stake with an empty others list – nominator exposures are simply not enumerated.
  • When the flag is false, nominators also receive fast unbonding (NominatorFastUnbondDuration = 2 eras, on the order of half a day) instead of the full bonding duration.

Referendum 1910 flips this flag to false. Two consequences of the flag mechanism deserve emphasis. First, keeping nominator slashing off is a standing governance choice, held by whoever controls governance – and (§5) the change’s largest beneficiary holds a large share of that vote. Second, “governance can flip it back in a crisis” is not a symmetric safety valve: fast unbonding means the backing behind an attacker’s validators can exit in an era or two, faster than governance can detect, propose, and enact re-enablement. The exit outruns the correction.

The effect on chain state

Post-DAP the attacker optimizes differently. Pre-DAP, the cheapest corrupting third is the 201 validators with the least total backing: 224.0M DOT at risk. Post-DAP, backing is riskless, so the attacker picks the 201 validators with the least self-stake: 2.01M DOT at risk – while that third carries 287M DOT of now-unslashable backing, more than the pre-DAP minimum, because backing has stopped costing the attacker anything. Same snapshot (era 2221), same chain-state query: the at-risk barrier falls ~113×, a ~99% collapse, with no assumption about post-attack price.

One term does not appear in this comparison, deliberately: the annuity of forfeited future rewards is unchanged by DAP – an attacking validator forfeits its future income before and after the reform alike – so it cancels out of the before/after comparison entirely. (And it cannot prop up the post-DAP floor at ~12.5M: it is forgone income, not collateral the protocol can seize, and §4.3 gave the reason it cannot serve as a worst-case floor.)

The attack this matters for

The value-to-zero-independent attack that slashable backing deters is not bribery of honest incumbents – it is self-insertion: an attacker runs its own ≥⅓ of the validator set atop backing it controls. Against self-insertion, the defenses that protect the bribery game – screening, reputation, repeated play – do nothing, because there is no independent counterparty. Two costs gate it: the acquisition cost of marshaling enough stake to win ⅓ of the seats under NPoS election, which DAP does not remove, and the at-risk cost – the exposure of that backing to slashing – which is exactly what DAP removes.

The collapse is most concrete for an attacker whose acquisition cost is already largely sunk – one that already holds backing at scale. The largest such entity holds ~17.5% of the set (§5), over half the distance to a corrupting third, and under the set reduction to 250–300 validators now on Polkadot’s own roadmap its existing ~105 seats would cross the ⅓ threshold outright. For an incumbent at that scale, the ~113× at-risk collapse is close to the entire security change: the backing behind its validators simply stops being hostage to their behavior, with little left to acquire. Section 5 documents that exactly one entity of this scale exists.

Which layers this hits

The collapse lands precisely on the slashing-dependent layers identified in §3. Block production (BABE) belongs to the honest-majority family and is largely unaffected – it degrades to roughly Cardano’s security model. Finality (GRANDPA) and parachain validity (ELVES) are the layers whose safety is denominated in slashable collateral, and they take the full ~99% reduction: liveness roughly unchanged, safety down two orders of magnitude. Note also what unslashability does not change: the fraction of validators needed to break safety stays ~⅓ – DAP lowers the cost of the attack, not its difficulty threshold.

Why does the thin residual floor matter only now? Because pre-DAP, the slashable-backing barrier dominates every softer number – the annuity, the bribery figures, the self-stake floor are all immaterial while ~224M of live collateral stands behind any corrupting third. DAP switches off the dominating barrier, and only then does the ~2M residual become the operative worst-case floor of the network.


5. The conflict of interest

Three facts:

  1. A single nominating entity backs ~17.5% of the active set. We have recently identified a large validator bloc, and we have strong evidence that this is simply W3F/Parity. The backing – on the order of 135M DOT – is entirely one entity’s.
  2. DAP converts that backing from slashable to unslashable. This holds regardless of who operates the nodes: the benefit accrues to the backer.
  3. The same affliated entity authored, proposed, and voted in relevant referenda enacting DAP.

Grouped by backing entity rather than by validator identity, Polkadot’s concentration picture also changes: counting backing groups, the top few groups exceed the ⅓ finality threshold at a coefficient on the order of 4.

Put plainly: the entity switching off the antidote is the entity whose position the antidote most constrains. We state this as a structural conflict to be disclosed and reconciled – not an allegation of bad faith. But a proposal that changes the economic security model cannot be evaluated as if authored behind a veil of ignorance about who holds the stake, and it raises the bar for the safety case: the party asking the community to accept “the lower bound is the right measure” is the party whose exposure that measure minimizes.


FAQ

“Pivotal-bribe worst-casing is standard method. Are you rejecting it?” No – it is the right method (Bonneau’s rent-vs-buy discipline), and we use it ourselves. We dispute what is plugged into it: a value-to-zero premise the frame does not need and the literature places on the other side of the ledger. The frame is sound; the instantiation is not.

“Doesn’t the naïve 285M figure genuinely overstate security?” Yes, read as an attack cost – a rational attacker bribes the pivotal fraction, it does not buy the whole set, and DAP is right to push back on 285M-as-price-of-attack. But attacker outlay and defender collateral-at-risk are two different numbers, and the second is the one NPoS was designed to maximize and the one DAP changes. “The attacker need only spend L” does not imply “only L is really at stake.” Conceding the first proposition – which we do – does not license removing the slashability of the second.

“The annuity is valued in the no-attack world and value-to-zero applies in the attack world – different branches, not a contradiction.” Correct that they are different branches – and that is the dilemma, not an escape from it. L is offered as the operative worst case that justifies removing nominator slashing. On the branch where value goes to zero – the one that makes the cascade fire – the annuity that is 87% of L is worthless, and a validator who gains nothing from honesty defects for almost nothing, so the operative bribe collapses below L: L is not the floor. On the branch where value survives, L is computed correctly, but the cascade never fires, honesty holds, and nominator slashing is the live deterrent. The standard pivotal-bribery defense of L – each member’s bribe must cover its opportunity cost in the counterfactual where it refuses and the attack fails – lives entirely on this second branch, the survival world where slashing binds. Neither branch yields “L is the worst case, so removing slashing is safe.”

“Post-DAP, doesn’t the attacker still risk its ~287M of backing through the price impact of the attack?” Three reasons that is not a slashing-equivalent deterrent. First, under DAP the backing need not be the attacker’s own capital: unslashable backing is risk-free to whoever supplies it, so an attacker can attract third-party nominators to back its validators rather than post the 287M itself. Second, an attacker that does hold the exposure can hedge or short it – by the same rent-vs-buy logic the literature applies to attackers (Bonneau; Ford & Böhme), a price decline becomes a payoff rather than a cost. Third, and decisively, a diffuse market dip is not a targeted protocol penalty: it falls on honest and dishonest backing alike, so it cannot supply the differential deterrence slashing does (the friend-from-foe point of §2.1). The price impact on the 287M is real, but it is neither reliably borne by the attacker nor differential; the ~1.98M slashable floor is what survives all three.

“Doesn’t the coordination game show honesty collapses regardless of slashing?” The game actually constructed doesn’t show that. Buterin’s P+ε earns the “cost collapses” headline because its bribe pays when the attack fails, making defection weakly dominant and eliminating the honest equilibrium. A bribe conditional on success – DAP’s construction – yields a stag hunt with two equilibria in which honesty survives, which is why he must concede that Nash equilibrium cannot select the played strategy. Nor does global-games selection rescue all-defect: that machinery requires players to observe payoffs through private noise, and a publicly announced bounty is common knowledge – exactly the regime where the uniqueness result does not apply.

“Cardano, Avalanche, and Algorand run fine without slashing – doesn’t that prove slashing is dispensable?” No, because these chains never had a slashing pillar to remove. Their safety was never claimed to rest on burnable collateral: Cardano’s Ouroboros is a longest-chain, honest-majority design with never-bonded, non-custodial delegation – there is no attributable finality fault whose economics depend on bonded stake – and the same holds for Avalanche, Algorand, and the accountable-BFT chains that simply chose not to slash (NEAR, Sui, Aptos). Their delegators risk nothing because the security model never asked them to. Removing a load-bearing pillar and never having built one are different operations. Polkadot’s GRANDPA finality and ELVES parachain-validity protocol do price their safety in slashable collateral – that is the class §3 compares against, and the class in which DAP’s change operates. (Within Polkadot itself, BABE block production belongs to the honest-majority family, which is why §4.4 finds liveness largely unaffected while safety collapses.)

“Doesn’t Tezos prove a BFT chain can run with unslashable delegation?” Tezos is the one accountable-BFT chain that exempts delegated funds from slashing, and its history is the strongest available natural experiment – pointing the other way. Delegation has been unslashable there since genesis (2018), with rewards passed through off-protocol by the baker minus a fee. When Tezos adopted BFT finality (Tenderbake, 2022), it briefly ran the closest configuration to post-DAP Polkadot: full-weight, unslashable delegation, gated only by the bakers’ frozen deposits. It then spent three consecutive upgrades engineering out of exactly that: Oxford and Paris (2024) introduced slashable third-party staking under Adaptive Issuance, and Quebec (2025) cut exempt delegated funds to one-third weight in consensus power, raised slashable staking’s rewards to 3× delegation, and capped external slashable stake at 9× a baker’s own. Today ~75% of Tezos baking power is slashable stake, and the exempt delegated half of participating funds supplies only ~25% of consensus power (live figures in the appendix). The one chain that lived with full-weight unslashable delegation under BFT concluded it needed more slashable skin in the game, not less – and paid three protocol upgrades to move in precisely the direction DAP proposes to leave.

“A coalition holding ⅓ can censor the slashing extrinsics – attribution without enforcement.” True, and it does not rescue value-to-zero; it relocates recovery to the social layer. Because equivocators are provably named by their own signed messages, the honest supermajority of stake, operators, clients, and parachains can fork them out – the template Ethereum executed in the DAO fork, and which Polkadot’s Root-level governance is designed to enact. For value to go to zero, the community must fail to coordinate a fork while able to name every culprit – an assumption contradicted everywhere it has been tested.

“ETC and Monero are PoW reorgs, not BFT finality faults. Bad analogy.” They are the closest available natural experiments, not exact analogues – and the disanalogy runs in our favor. A PoW victim cannot attribute or punish its attacker; Polkadot’s accountable safety exists precisely so that a BFT safety fault is more recoverable: culprits identified from their own votes, slashable, forkable. The burden falls on the claim that a GRANDPA fault would end worse – at permanent zero – than attacks on chains with no attribution mechanism at all.

“Nominators can’t prevent a validator’s fault. Slashing them is unfair and suppresses participation.” The fairness and participation concerns are real, and DAP’s goal of addressing them is legitimate – we say so without reservation. But the security function of nominator exposure was never about nominator culpability: the at-risk backing is the seat-cost the protocol imposes on a self-inserting attacker. Removing the exposure to fix a fairness problem also removes that barrier – a side effect the safety case never modeled. Designs that keep both exist: a residual slash fraction, or a cap on unslashable backing per entity, would address the fairness concern for ordinary nominators while preserving the barrier.

“If it’s just a flag, governance can re-enable slashing when a threat appears.” The valve is not symmetric. With the flag off, nominators fast-unbond in two eras (on the order of half a day); by the time a threat is detected and governance enacts re-enablement, the backing behind an attacker’s validators can already have exited. The exit is faster than the correction.

“Is this an accusation that W3F designed DAP in bad faith?” No. Every claim in §5 is structural: who authored, who benefits, who votes. Structural conflicts arise routinely and have a standard remedy – disclosure and arms-length review. Nothing in this critique requires or asserts intent.

Thanks for the write-up. It raises good questions about the security model, and I’ll answer them in full below. Two structural errors have to be corrected first, though, because most of the quantitative claims are built on top of them.

First error: you’re critiquing the wrong mechanism

Your title and framing attack “the DAP”, but nothing in your post is about the DAP. The Dynamic Allocation Pool is an issuance buffer: it separates the outflows to validators, nominators, and a retained reserve from raw issuance so they can be directed to future expenses. It changes nothing about the staking system, and in fact was introduced without changing anything about it. Every mechanism you actually criticize, nominator unslashability and fast unbonding, is Referendum 1910.

Referendum 1910 and the reforms around it were public, debated, and votable for many months. I could not find you raising any of these concerns in any of those threads but your post appeared only a few hours after the referendum executed (coincidentally?). But a critique of this depth, arriving only once nothing can be changed by it, is a critique that chose not to shape the design. I hope the next one arrives while it still can.

This error in your mental model materializes in another problem about calculating the metrics properly.

Second error: your numbers measure the old system and label it the new one

You cite “the DAP write-up’s own status-quo figure of 14.7M.” That figure was the status quo of August 2025 (Era 1900), before the minimum self-stake existed and before Referendum 1909’s incentives were enacted. Presented without its date, it reads as my assessment of the current situation (labelling it as status-quo), which it is not. It was the pre-reform floor my post argued we must improve upon and much of what has since been enacted did exactly that. It appears you reached for it as a close match to your own 12.45M, but the two describe different systems, and relating them tells readers nothing.

The bigger problem is your own recompute. Executing the same methodology on the very eras you cite (2211 or 2212) yields a floor of ~23M DOT, not the 12.45M you report. That’s nearly a factor of two. And even that corrected figure understates today’s floor, because it does not yet capitalize the Ref-1909 incentive mechanism. Run the methodology on current chain state (Era 2222), with the reward mechanism that actually exists, and the lower bound is ~40M DOT. Neither the 12.45M your replication produces nor the 1.98M you headline remotely describes the current system. The floor did not collapse under the reforms, it rose by roughly 172% against the very 14.7M you cite, while the protocol’s staking expenses fell by roughly two thirds.

Hold those two corrections in mind, because they run through everything that follows. Now, your theoretical points.

Addressing your theoretical points

With that said, let me briefly address your three central points, then go into more detail in the sections below.

1) “The central premise — that a successful attack sends DOT’s value to zero — fails.”

You’ve misread what that assumption was for. It was never used to argue against slashing. It sets up the mental model for the coordination game I sketched, briefly and verbally: it lets expected future payouts collapse cleanly once validators coordinate on defection, because the game ends there. If instead you assume validators attack, get slashed, and later return to validating, or the chain is destroyed, but successfully hard-forked on a social layer, the payouts become intractable, hinging on highly subjective assumptions about residual value.

The point you don’t engage at all is the actual central one: nominator stake is hard to count toward economic security because there is no reliable monitoring tie between nominators and their validators. For the lower bound, we assume a validator internalizes only its own stake and future payouts. You make some argument for this yourself in §2.2: if value destruction is fundamentally an attacker subsidy (as the literature treats it) then the attacker that literature worries about is the one who profits from destruction, the short-seller or bridge-drainer. That attacker is completely indifferent to whether nominator stake was slashable.

2) “DAP is a bet against the entire industry.”

The premise underneath your claim is that stake determining the election outcome must be slashable to be legitimate, and that simply isn’t the standard. Cardano lets delegated stake decide block production and slashes no one. EOS elects its block producers by staked vote, with removal-by-revote rather than slashing as the deterrent. Algorand runs stake-weighted consensus and rejects slashing outright. You anticipate part of this in your FAQ, and your answer there gives the game away. You acknowledge that NEAR, Sui, and Aptos run accountable-BFT consensus and simply chose not to slash. That is, chains with the same ⅓ safety threshold already give full consensus weight to stake that risks nothing. Your grounds for excluding them is that their security model “never asked delegators to risk anything.” But that is exactly the design choice under debate. You cannot exclude the counterexamples because they share the disputed property, that is assuming your conclusion, not defending it. Whether a BFT chain’s safety must be denominated in slashable delegated collateral is the question; chains securing tens of billions without it are evidence on that question, not exceptions to it. And unlike every chain in that list, Polkadot still slashes the party that actually misbehaves: the validator, on its own stake, with provable identification and removal. If there is a spectrum here, post-1910 Polkadot sits at its conservative end.

You mention Cosmos as a close peer Polkadot should stick with. They have a similar model and an explicit demand that delegators actively monitor and vet their validators, the assumption that never materialized for Polkadot’s retail nominators.

Ethereum has no in-protocol delegation to slash at all; that risk-sharing lives one layer up, in staking pools and liquid-staking arrangements enforced by contracts and token design, not by a protocol slash on a passive third party. If anything, Ethereum is evidence for re-centering security on the validator’s own stake, the direction Polkadot has taken. And the point you skip entirely: the previous model bought that collateral at a cost to the protocol that was not sustainable, which we’ll discuss later.

3) “Current economic security is only ~2M.”

Calling ~2M the “real” current security is disingenuous, more so because you argue against the very assumption it depends on. The 1.98M you headline is the lower bound with its largest component, the forfeited-rewards annuity, deleted, and deleting it requires exactly the value → 0 premise you spend your post refuting. Even the lower bound in my post should be read as an academic construct, meant to help conceptualize the economic security of proof-of-stake systems. To present that floor as the actual security level, and headline a “113× collapse” off it, is to take a modelling concept and dress it up as a measurement. The honest current figure, derived transparently from chain state, is ~40M. But that is not the “real” number either: it’s the lower bound of an economic model, useful for comparing configurations of the network and guiding decisions, because it underpins every more realistic measure of security.

As we go into more details, a short overview of the rest of this post:

  • §1 - A few clarifications.
  • §2 - Why we needed change.
  • §3 - What the lower bound actually means.
  • §4 - Perspective on attakcs.
  • §5 - Conclusion

§1 - A few clarifications

Let me clarify what the post you frequently cite was actually arguing. Its purpose was to show why the “upper bound” (total validator stake, including all nominator backing, taken as security collateral) is the wrong way to conceptualize the economic security of Polkadot, or of any PoS system with delegations.

The underlying argument was that for the most vulnearable 1/3, we cannot assume that nominator’s stake enters the validator’s payout function. Note, that we don’t say that this is not possible. We do identify a few reasonable on-chain signals that hint on off-chain contractual agreements between nominators and validators (such as 100% commission, non-nominatable) and treat the total stake as security collateral accordingly. But arguably this does not rely on whether the stake is slashed or not. A misbehavior of the validator itself would be enough to trigger off-chain enforcement.

You build much of your critique on the “value → 0” framing of the coordination game, and I can see how that phrasing invited being read as the load-bearing claim. It was never meant to be. The argument was always about internalization: a validator weighs its own self-stake and its own forfeited rewards, not its nominators’ stake. Again, we have no evidence of a close relationship between nominators and their validators, particularly for the most vulnerable 1/3, and strong evidence that nominators optimize for yield and little else. Many of the relevant validators ran low or zero commission with negligible self-stake, and are often not even identifiable by on-chain identity. Largely by construction, it is these validators, backed by inattentive nominators gathered over the few years that Polkadot currently runs, that make up the critical 1/3 of the analysis. Luckily, it seems that we are currently in an equilibrium with an honest set of validators fuled by these early stage nominations. A situation that we should not take for granted. I want to be clear that I do not insinuate any bad intentions on these validators (many of whom are strong supporters of the ecosystem for a long time), but within the model for economic security, we’d want these validators to have more observable measures of economic security, something we kicked off with the various recent changes. The strong but unobservable other factors contributing to security remain intact.

So when a defecting validator’s future payouts collapse, it is not because the DOT price goes to zero; it is because the validator is slashed and removed from the set. That mechanism operates on a surviving chain, at any price, and it is why the annuity of forfeited rewards belongs in the lower bound without any appeal to value → 0.

I’ll put the underlying view plainly: a malicious entity cares only about its own losses and has no empathy for its nominators, particularly if there is no social or contractual bound between them. A security assumption that says otherwise, absent any clear indication that nominators can enforce anything after the fact, is simply faulty. And note that even your own FAQ accepts the upper-bound number should not be taken blindly as Polkadot’s security. Once that is granted, taking ~224M as the baseline for a “113× collapse” appears questionnable: the baseline was never a real security level in the first place.

§2 - Why we needed change

Something your post ignores entirely: continuing as before was not an option. The cost Polkadot paid by diluting the token supply to rent nominator collateral bore no relation to the economic value that collateral protected, and it was not sustainable. Reducing the budget for nominator rewards was necessary and the community voted to contract new issuance sharply, which makes the question not whether to spend less on security but how to spend what remains well.

You raise Ethereum’s consensus as a point against us, but it reinforces our approach: Ethereum draws its security solely from validators’ own stake, with no protocol-level delegation at all. That is precisely the direction we are moving. The goal of the reform is to cut the excessive cost of the staking system and put every DOT issued where it matters most for security: incentivizing validator self-stake, and paying validators enough that they want to keep validating into the future. I assume that you would not disagree with the premise that a DOT held at a validator’s stake is contributing at least equal but likely more to security than in the hand of a nominator. Another point you fail to mention is that even without slashing, nominator’s payouts are still dependend on their validators performing the work and following consensus.

§3 - What the lower bound actually means

The lower bound is the metric worth observing and optimizing, and I want to be careful about what it is and isn’t. It is a conceptual floor, the cost of an attack under the most attacker-favourable coherent assumptions, not a live reading of what an attack costs today. Its value is that it lets us compare configurations of the network on a common footing and underpins every more realistic estimate of security.

I also want to name the disagreement precisely, because we are measuring two different things. You measure burnable collateral-at-risk — what the protocol can seize on the cheapest corrupting third. I measure internalized loss: what a defector personally forfeits, self-stake plus forgone rewards. My claim is normative: collateral deters only to the extent that someone internalizes its loss. Backing behind a validator with no enforceable tie to the attacker deters no one, the protocol can burn it, but no attacker weighs it. That is why the internalized floor, not gross collateral, is the security-relevant number.

Computed honestly from current chain state, that floor sits at roughly 40M DOT, replicating my methodology with the changes enacted in Ref-1909.

Two things to hold onto about that figure. First, it is expected to rise: the self-stake incentives are calibrated to pull validators off the minimum and lift the self-stake of the lowest 1/3, which is exactly the part that sets the floor. Second, the real economic resilience of Polkadot is almost certainly orders of magnitude higher than any lower bound, fuelled by factors a model cannot observe: coordination costs among validators, reputational concerns, the risk of off-chain legal enforcement, and plain ethical constraints. The lower bound is deliberately blind to all of that. It is a floor, not a measurement of an actual number.

§4 - Perspective on Attacks

Whether removing nominator slashing lowers the real barrier depends entirely on which attacker you have in mind. First, let me point ot a layer distinction: this is not about block production (BABE), which is honest-majority and unaffected. The layers whose safety is denominated in collateral are GRANDPA finality and ELVES parachain validity, and that is where I’ll argue.

A currently active cartel of ⅓ turning malicious: Here, as you argue and I agree, the cost of getting into the active set is sunk. What such a cartel forfeits by committing a safety fault, a GRANDPA equivocation or an invalid parachain block under ELVES, is its self-stake and its forgone future income (a malicious validator always retains the option to stay honest and keep earning). That is precisely the lower bound, ~40M across the cheapest third. The nominator stake that was fooled into backing that cartel does not enter the equation, because the cartel never internalized it, slashable or not. So for this attacker, removing nominator slashing changes the barrier by nothing.

A self-inserting cartel: Here we agree the cost of winning ⅓ of the seats through NPoS is not sunk and must be paid. I’d argue that the reform we did actually improved our security here. Your own ~2.01M figure is not a number that collapsed. It is 201 validators multiplied by the 10,000 DOT minimum self-stake, a requirement that did not exist before these reforms. Previously there was no minimum self-stake at all: a validator could be elected on backing alone, holding effectively zero of its own slashable capital. On top of that, their commission likely was close to zero, not granting any future income. So for a self-inserter fielding its own ⅓, the internalized, at-risk floor was close to zero. The reform did not lower the self-insertion floor to 2M, it lifted it from ~0 to ~2M. In the only terms that actually deter a self-inserter, capital it internalizes and stands to lose, ELVES and GRANDPA safety against fresh self-insertion got more expensive, not less.

The acquisition cost sits on top of that, and it remains fully intact. To seat ⅓ of its own validators, an attacker needs enough backing to win election under Phragmén, and here the nominator inattention might actually be beneficial: sticky, set-and-forget backing does not migrate. The nominators who “barely log in” are exactly the ones who will not move their stake onto a newcomer’s validators for a better yield. They are not bribable because they are not paying attention. So the self-inserter cannot cheaply attract riskless backing; it must supply it, and now also post 10k of slashable self-stake per seat it never had to before.

There is a secondary point, stated carefully so it isn’t confused with slashing. Even with nominator stake unslashable, a validator only sits in consensus while its backing is bonded, and unbonding is not instant. Since virtually all safety offences are attributable and detectable immediately, a self-inserter’s own bonded capital is still exposed to the market’s repricing of the attack while it remains locked. This is price exposure, not a protocol slash. You rightly point out that there are off-chain devices to increase the profitability of an attack (e.g., shorting DOT), but these affect the framework with or without slashing.

§5 - Conclusion

Your post ignores the argument that actually justifies removing nominator slashing: for the critical lowest ⅓ of validators, that backing provided little real security, because the assumptions it relied on (nominators are attentive to whom they nominate, and have off-chain ways to enforce good behavior after the fact) simply do not hold. And it came at an unsustainable cost to the protocol. The key mistake running through your critique is to keep assuming nominator stake enters the validator’s payoff function for the weakest ⅓ coalition, despite ample evidence that these nominators optimize purely for yield. The relevant entities tend to be the least-backed, lowest-commission validators in the first place.

The changes now underway are designed to fix precisely this. They bolster the lower bound, the security that is real and internalized and it underpins every more realistic (“real”) measure: lifting it shifts all of them upward. Concretely, the reform rests on three levers:

  • a minimum self-stake requirement,
  • strong incentives to increase self-stake across the whole validator set,
  • and a competitive payout so validators want to keep validating.

Together these are built to optimize security for the cost the protocol actually incurs, and, just as importantly, they expose clear, adjustable levers (the minimum self-stake first among them) that we can be tweaked in the future.

Some striking number that deserves appreciation after treating the lower bound as a key foundation of the security: Before the new capped issuance model and staking reforms that number equated to ~14.7M DOT (Era 1900, timestamp 2025-08-15) as quoted in my report and came at an expense for the protocol of ~120M DOT per year. We increased that metric with the changes (most notably Ref-1909) by ~172% while reducing the expenses for staking (nominators included) by 68%.

Given that the Web3 Foundation holds a significant amount of DOT and operates a considerable number of validator nodes, this specific risk is currently limited.

Exactly right. See The Nakamoto Coefficient of Polkadot is At Most 25 - #15 by sorpaas

We did later find strong evidence that this is W3F/Parity. It runs completely against the decentralization story. This means that if you are an external team, you probably don’t want to launch on Polkadot because it doesn’t practically provide shared security, but a lot of centralization.

Re @jonas post, we already see some categorical errors and his argument actually already concedes a significant portion of the original DAP rationale. We do agree that some of his numbers do look more recent / better computed, but those really don’t do much to the logic of our arguments (which is the fact that DAP staking change significantly reduced Polkadot’s security).

We only plan to publish our response slightly later as we want to do some more reviews.