What would you suggest for Darksend to be implemented without being attacked? I think the collateral system is to protect DS from being attacked.
I think the collateral system is flawed.
If 3 people sign a Tx with a 0.1 DRK miners fee and, instead of publishing the Tx, it will only be cashed with a chance of 1/40, then there are a lot of unclaimed and uncashed but signed transactions in the hands of MN owners, and most of them will remain valid for quite some time (until the output used for this Tx is used in another Tx and broadcast).
So for each DS round on a MN, the MN owner can collect signed but unpublished collateral transactions.
Now there are 2 scenarios.
1.) The MN owner is a miner himself. He waits until he finds a block and includes all of the signed collateral transactions that are still valid. He can increase the reward by a significant amount doing that.
2.) The MN owner sells the signed collateral Txs to a miner who then includes them in a block as soon as he finds one.
There is also another issue with MN Collateral: It's unmixed. That way, whatever MN you use, it always knows the (or an) origin address of yours that can potentially lead to your identity.
I have not quite finished my thoughts about a possible fix. However, one of my ideas is to not use the standard collateral anymore but instead pay the fee from the DS Tx itself.
To achieve the 1/40 of 0.1 DRK probability average, we could introduce a new denomination of 0.0025 DRK (which represents 1/40 of 0.1 DRK). Unfortunately, since no one wanted to listen to my suggestion about convertibility ( T_T ), this denomination would have to have the size of 0.0025000025 DRK (250,000.25 duffs) in order to fit the current implementation of denomination convertibility.
With my suggestion of leaving out the small amount at the end of each denomination that makes it recognizable as a denomination, a 0.0025 denomination would be convertible for this suggestion.
This "fee denomination" could be used to pay for the DS Transaction's fee. Currently, there is no incentive for miners to mine DS Txs because there is no fee. With this, the "fee part" of the collateral would have been shifted right into the actual Tx, adding mining incentive and using mixed coins. Note that the fee denomination can be mixed just the same way as other denominations. That way, masternodes cannot spy on someone's origin Tx by looking at the collateral Tx, which adds anonymity in regards to malicious masternode owners.
Furthermore, because of convertibility, no fee denominations have to be carried around when not needed. A DS Tx only having 1 DRK inputs can output 1 DRK outputs and 0.0025 DRK outputs, having already subtracted the fee.
So who pays the fee?
I thought about X transactions getting created, where X is the amount of DS participants. Each of those Txs lets another participant pay the fee, but only 1 Tx will be published. Every participant has to sign the Tx with him paying the fee. However, the Tx won't be valid until everyone has signed.
I am not done thinking about a way to decide which Tx will eventually be signed by the others, but something along the lines of what the provably fair betting sites do. Maybe even in combination with a proof of work element (last block's hash?).
So what about ppl spamming the network then?
Well, good question, but one thing is sure: non-mixed collateral is a privacy issue and we will have to come up with something else eventually.
I will keep thinking about it.
It's 4:40 AM here and I am more than just tired, so forgive me if I made some mistakes. It's not a finished concept, I am just sharing my thoughts.
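
Added example, not part of the original post and not Darksend code: one way the "provably fair" choice of which fee-paying Tx gets signed could work, as a commit-reveal over per-participant seeds mixed with a block hash. The function names, the use of SHA-256, and the sample seeds and block hash are assumptions made for illustration.

```python
import hashlib
import hmac

def commit(seed: bytes) -> str:
    """Commitment a participant publishes before anyone reveals a seed."""
    return hashlib.sha256(seed).hexdigest()

def select_fee_payer(commitments, reveals, block_hash_hex):
    """Return the index of the participant whose fee-paying Tx gets signed.

    commitments: hex SHA-256 commitments, ordered by participant.
    reveals: the seeds revealed afterwards, in the same order.
    block_hash_hex: hash of a block mined after all commitments were collected
                    (assumption: this is the "last block's hash" element).
    """
    if not commitments or len(commitments) != len(reveals):
        raise ValueError("need exactly one reveal per commitment")
    for i, (c, seed) in enumerate(zip(commitments, reveals)):
        # Reject a participant who swaps seeds after seeing the others'.
        if not hmac.compare_digest(commit(seed), c):
            raise ValueError(f"participant {i}: reveal does not match commitment")
    h = hashlib.sha256()
    for seed in reveals:
        # Length-prefix each seed so the concatenation is unambiguous.
        h.update(len(seed).to_bytes(2, "big") + seed)
    h.update(bytes.fromhex(block_hash_hex))
    # Modulo bias is negligible for a 256-bit value and a handful of participants.
    return int.from_bytes(h.digest(), "big") % len(commitments)

# Constructed sample data: real seeds must be 32 random bytes, otherwise the
# commitment can be brute-forced before the reveal phase.
SEEDS = [bytes([i]) * 32 for i in (1, 2, 3)]
COMMITMENTS = [commit(s) for s in SEEDS]
BLOCK_HASH = "00" * 32  # placeholder, not a real block hash

if __name__ == "__main__":
    payer = select_fee_payer(COMMITMENTS, SEEDS, BLOCK_HASH)
    print(f"participant {payer} pays the fee")
```

Anyone holding the commitments, the reveals and the block hash can recompute the result, but a participant who dislikes the outcome can still stall the round by refusing to reveal, so this alone does not answer the spam question above.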