Attack Cost Modeling: Measuring the True Security of a Blockchain

1. Introduction: The Economic Nature of Distributed Security

In the realm of centralized computing, security is binary and architectural. A system is secured by firewalls, access control lists, and encryption keys held by trusted administrators. Penetration requires finding a flaw in the code or compromising a human element. In the decentralized paradigm of blockchain technology, however, security is fundamentally different: it is economic, probabilistic, and thermodynamic. It is not defined by an absolute barrier that prevents entry, but by a dynamic cost function that renders malicious behavior economically irrational. The study of this function is known as Attack Cost Modeling (ACM).

The security of a permissionless ledger, such as Bitcoin or Ethereum, relies on the assumption that the cost to attack the network exceeds the potential profit derived from such an attack. This inequality, often expressed as the relationship between the Cost of Corruption (CoC) and the Profit from Corruption (PfC), forms the bedrock of cryptoeconomics.1 If the cost to acquire 51% of the network’s resource (hashrate in Proof-of-Work, stake in Proof-of-Stake) is lower than the value an attacker can extract via double-spending, censorship, or short-selling, the system is considered insecure.

This report provides an exhaustive analysis of Attack Cost Modeling, tracing its evolution from the early thermodynamic models of Bitcoin to the complex, capital-intensive structures of modern Proof-of-Stake (PoS) and Restaking ecosystems. We will examine the transition from physical costs to capital costs, the emergence of “rented” security threats via marketplaces like NiceHash and EigenLayer, and the theoretical “Goldfinger” attacks where the objective is destruction rather than theft. Furthermore, we will integrate data from late 2024 and 2025 to assess the current security budgets of major networks, analyzing how the maturation of the asset class has shifted the primary threat vectors from the base layer to the governance and interoperability layers.

The analysis reveals that while the “thermodynamic walls” protecting Bitcoin and the “capital walls” protecting Ethereum have grown to heights that preclude attacks by all but the largest state actors, the complexity of the ecosystem has introduced new vulnerabilities. The financialization of security—through derivatives, liquid staking, and bribe markets—has created opaque leverage in the security model, requiring a new generation of risk assessment tools beyond simple market capitalization metrics.

2. Theoretical Foundations of Cryptoeconomic Security

To accurately measure the security of a blockchain, one must first establish a rigorous theoretical framework that defines the incentives of the participants. The underlying logic of all permissionless consensus protocols is rooted in Game Theory, specifically the interaction between honest nodes (who follow the protocol to maximize standard rewards) and Byzantine nodes (who deviate to maximize attack profit).

2.1 The Zero-Profit Condition and Marginal Revenue

The economic foundation of a blockchain’s security budget is described by the Zero-Profit Condition. In a perfectly competitive market with low barriers to entry and exit—such as Bitcoin mining or Ethereum validating—the marginal revenue of the marginal provider must equal their marginal cost.2

Miners and validators are profit-seeking entities. If the revenue from block rewards and transaction fees exceeds the cost of electricity and hardware (or capital opportunity cost), new participants will enter the network, increasing the difficulty or total stake until profits are competed down to the equilibrium level. Mathematically, this implies that the total amount spent by the network on security (issuance + fees) is a proxy for the total cost an attacker must overcome to disrupt it.

This relationship creates a linear correlation between the asset price and network security. As the value of the native token rises, the block reward becomes more valuable, incentivizing more miners/stakers to join, thereby raising the “wall” of hashrate or stake that an attacker must scale. Conversely, if the asset price collapses, the security budget contracts. This dynamic introduces a potential “death spiral” vulnerability: a loss of confidence leads to a price drop, which lowers security, which invites attacks, which further destroys confidence.3

2.2 The Cost of Corruption (CoC) vs. Profit from Corruption (PfC)

While the Zero-Profit Condition describes the behavior of honest actors, Attack Cost Modeling focuses on the adversary. The fundamental inequality for a secure blockchain is:

 

$$Cost\ of\ Corruption\ (CoC) > Profit\ from\ Corruption\ (PfC)$$

• Cost of Corruption (CoC): The explicit financial cost required to gain control of the consensus mechanism. In PoW, this is the cost of hardware (CapEx) and electricity (OpEx). In PoS, this is the cost of acquiring 51% (or 33% for liveness attacks) of the staked supply.1
• Profit from Corruption (PfC): The total value an attacker can extract. This includes:

• Double-Spending: Reversing transactions to spend the same coins twice.
• MEV Extraction: Reordering transactions to capture arbitrage or liquidation profits.
• Short-Selling: Profiting from the decline in the asset’s price on external derivatives markets (the Goldfinger scenario).3

Historically, models focused heavily on the double-spend value. However, the rise of deep derivatives markets has made the “Short-Selling” component of PfC potentially unbounded. If an attacker can open a sufficiently large short position, the profit from destroying the coin could theoretically exceed even a very high CoC.

2.3 The Zero Net Attack Cost Theorem

A sophisticated evolution of this framework is the “Zero Net Attack Cost Theorem.” This theorem challenges the assumption that attacks are expensive. It posits that the gross cost of an attack can be subsidized by the rewards earned during the attack itself.6

When an attacker successfully mines a secret chain to reorganize the network, they are not just creating blocks; they are earning block rewards. If the attacker eventually broadcasts this chain and it becomes the canonical chain, they claim the block subsidies and fees contained within it. In a high-inflation network, these rewards might be substantial enough to offset the electricity or capital costs of the attack.

 

$$Net\ Attack\ Cost = Gross\ Cost\ (Electricity/Stake) – Block\ Rewards\ Earned$$

If the Block Rewards > Gross Cost, the attack is effectively subsidized by the protocol itself. This “parasitic security” paradox suggests that high inflation, often thought to buy security, can actually subsidize an attacker if the token value does not collapse immediately upon the attack’s execution. This theorem forces architects to consider “suicide pill” mechanisms where the chain’s value or the attacker’s rewards are destroyed instantly upon detection, a feature more easily implemented in Proof-of-Stake via slashing than in Proof-of-Work.6

3. Proof-of-Work (PoW): The Thermodynamic Barrier

Proof-of-Work (PoW) was the first successful mechanism to solve the Sybil resistance problem in permissionless networks. It ties digital identity to physical scarcity—specifically, the consumption of energy and the depreciation of specialized hardware. The “Attack Cost” in PoW is thermodynamic; it requires the expenditure of joules to rewrite history.

3.1 The Logistics of Physical Security

In the classic PoW model, modeled famously by Kroll, Davey, and Felten, the attacker is assumed to be a rational agent who must purchase hardware and pay for electricity. The security of the network is therefore protected by two distinct types of costs:

1. CAPEX (Capital Expenditure): The cost of buying ASICs (Application-Specific Integrated Circuits) or GPUs.
2. OPEX (Operational Expenditure): The ongoing cost of electricity, cooling, and facility maintenance.

For a network like Bitcoin, these barriers are immense. As of December 2025, the Bitcoin network hashrate has reached approximately 1,031 Exahashes per second (EH/s).7 This figure represents a 30% increase year-over-year from 2024. To attack Bitcoin, an adversary would need to manufacture and deploy roughly 1,000 EH/s of new capacity.

This introduces a “Logistical Security” barrier that transcends pure economics. Even if a nation-state had unlimited fiat currency to purchase miners, the global supply chain for 3nm and 5nm silicon wafers (produced primarily by TSMC and Samsung) has a finite throughput. The lead time to manufacture, ship, and plug in millions of ASIC units is measured in years. Thus, Bitcoin’s security in 2025 is defended not just by the cost of money, but by the physical constraints of semiconductor manufacturing and global energy grid capacity.8

3.2 The NiceHash Vector: Commoditized Hashrate

For smaller PoW networks, however, the physical barrier does not exist. The emergence of hashrate marketplaces, most notably NiceHash, fundamentally altered the threat landscape. NiceHash allows miners to sell their hashing power to the highest bidder on an open market. This effectively converts the CAPEX of mining (buying rigs) into a pure OPEX (renting hashrate for an hour).9

This “Rent-an-Attack” model gave rise to the Crypto51 vulnerability metric. The website Crypto51.app tracks the theoretical cost to rent 51% of a network’s hashrate for one hour.

• Methodology: The model compares the available hashrate on NiceHash for a specific algorithm (e.g., Scrypt, Equihash) against the total hashrate of the target network.
• Result: For many small-cap chains, the cost to launch a 51% attack was found to be shockingly low—often under $1,000 per hour.11

This commoditization of force led to a spate of 51% attacks on networks like Ethereum Classic (ETC), Bitcoin Gold (BTG), and Vertecoin in the 2018-2020 era. Attackers would rent hashrate, mine a private chain, double-spend coins on an exchange, and then release the longer private chain to overwrite the honest history. These events proved that for minority hashrate chains, thermodynamic security is an illusion if the hardware is fungible and available for rent.

3.3 The Goldfinger Attack: Asymmetric Destruction

The standard 51% attack assumes the attacker wants to steal money (double-spend). However, a more sinister threat model is the Goldfinger Attack, named after the antagonist in the James Bond film who intended to irradiate the U.S. gold reserve to increase the value of his own holdings.

In the context of blockchain, a Goldfinger attacker seeks to destroy the credibility of the network to profit from a short position or to boost the value of a rival chain.

• Mechanism: The attacker acquires 51% hashrate and proceeds to mine only empty blocks (Denial of Service) or continuously reorganize the chain to prevent transaction finality.
• Motivation: If the attacker holds a leveraged short position worth $1 billion, and the cost to attack the network for a week is $100 million, the attack is highly profitable ($900M profit), even if they steal zero coins from the chain itself.3

This vector is particularly dangerous because it bypasses the “Zero Net Attack Cost” defense; the attacker doesn’t care about the block rewards. They are playing a meta-game on the derivatives markets. However, executing a Goldfinger attack against Bitcoin is becoming increasingly infeasible due to the sheer market depth required to short that much size without alerting the market, combined with the aforementioned physical impossibility of acquiring sufficient ASICs.4

3.4 Bitcoin’s Security Budget in 2025

Entering 2025, the debate around Bitcoin’s long-term security budget has intensified. The network relies on block subsidies (which halve every 4 years) and transaction fees. With the subsidy declining, fees must rise to maintain the total security budget (the CoC barrier).

• Current State: As of late 2024/early 2025, miner revenue is heavily dependent on the subsidy. While events like the rise of Ordinals and BRC-20 tokens have occasionally spiked fee revenue, the “base load” of security is still inflationary issuance.14
• The Threat: If the price of Bitcoin does not double with every halving, or if fees do not structurally increase, the relative cost to attack the network decreases over time compared to the total value stored on the network.
• Counter-Argument: Proponents argue that the hardware efficiency curve is flattening (Moore’s Law slowing down), meaning old miners stay profitable longer, keeping hashrate high even with lower revenue. Furthermore, the institutionalization of mining (with publicly traded miners in the US controlling 38% of hashrate) suggests that miners have access to cheaper capital, allowing them to defend the network even at lower margins.8

Table 1: Bitcoin Network Security Parameters (Dec 2025)

Metric	Value	Implication for Attack Cost
Network Hashrate	~1,031 EH/s	Requires massive industrial coordination to disrupt.
Year-over-Year Growth	+30%	Attack barrier is rising faster than inflation.
Primary Hardware	ASIC (SHA-256)	Non-fungible; cannot be rented from generic cloud providers.
NiceHash Capacity	< 1% of Network	“Rental Attack” vector is strictly impossible.
Dominant Jurisdiction	USA (38%)	Geopolitical centralization risk, but high rule-of-law protection.

4. Proof-of-Stake (PoS): The Capital Barrier

The transition of Ethereum to Proof-of-Stake (The Merge) and the proliferation of PoS chains (Solana, Avalanche, Cosmos) shifted the paradigm of Attack Cost Modeling from Energy to Capital. In PoS, the validator does not prove they spent energy; they prove they have locked value (Stake).

4.1 “Virtual Mining” and the Security Budget

In PoS, the “miners” are validators who lock native tokens into a smart contract. The “Security Budget” is practically defined as the Total Value Staked (TVS).

• Ethereum 2025 Status: By July 2024, Ethereum had over $111 billion worth of ETH staked (approx. 28% of supply). Entering 2025, this number has continued to grow as the asset matures.16
• The Calculation: To attack Ethereum, an entity needs control of 1/3 of the stake to halt finality, or 2/3 to finalize an invalid chain.
  
  $$Cost\ to\ Halt = \frac{\$111\ Billion}{3} \approx \$37\ Billion$$
  $$Cost\ to\ Takeover = \frac{\$111\ Billion \times 2}{3} \approx \$74\ Billion$$

This capital barrier is explicitly quantifiable, unlike the “hardware + electricity” estimate of PoW. It makes the cost of corruption transparent.

4.2 Slashing: The Nuclear Deterrent

The critical innovation in PoS security is Slashing. In PoW, a failed attack wastes electricity, but the attacker keeps their hardware. They can try again tomorrow. In PoS, the protocol can programmatically destroy the attacker’s capital.

• Mechanism: If a validator signs two conflicting blocks (equivocation) or surrounds a vote illegally, the protocol’s consensus rules trigger a slashing penalty. A portion of the staked ETH is burned immediately, and the validator is ejected.5
• Social Slashing: In the event of a 51% attack where the attacker controls the majority and prevents the protocol from automatically slashing them, the “Social Layer” (the community of nodes, exchanges, and users) can coordinate a User-Activated Soft Fork (UASF). This fork would manually modify the state to delete the attacker’s stake.

This possibility—that the community can burn the attacker’s money via a software update—introduces an “Infinite Risk” component to the Attack Cost model. The attacker risks losing 100% of their deployed capital ($74 Billion in the Ethereum example) with near certainty.5 This property is what Vitalik Buterin refers to when he argues PoS offers superior security to PoW: “You can’t hard fork ASICs, but you can hard fork Stake.”

4.3 Long-Range Attacks and Weak Subjectivity

PoS introduces a unique vulnerability known as the Long-Range Attack.

• Scenario: An attacker buys the private keys of validators who were active 5 years ago but have since withdrawn their stake. Since these keys have no current stake, they have nothing to lose. The attacker uses these keys to rewrite the entire history of the chain from 5 years ago to the present, creating a “longer” chain that looks valid to a new node joining the network.
• Solution (Weak Subjectivity): PoS networks utilize a security model called Weak Subjectivity. New nodes cannot purely trust the longest chain from genesis. They must utilize a “checkpoint” hash from a trusted social source (a friend, a block explorer, a default config) that is within the “unbonding period” (usually 2-3 weeks).

This reliance on a social checkpoint technically means PoS is not “objectively” secure in the same way Bitcoin is (where the heaviest chain is always truth), but modeled economically, it imposes a “timestamping” cost on the attacker.19

5. The Liquidity Defense: Why Market Cap $\neq$ Attack Cost

A common error in early attack cost modeling was assuming that an attacker could buy 51% of the tokens at the current market price. This ignores the economic reality of Slippage and Market Depth.

5.1 Modeling Slippage

Slippage is the difference between the expected price of a trade and the price at which the trade is executed. As an attacker begins buying massive quantities of a token to accumulate stake, they consume the liquidity on the order books, driving the price up exponentially.

The true Cost of Corruption is the integral of the supply curve:

 

$$CoC = \int_{0}^{Target\ Supply} Price(Quantity) \,dQ$$

For a token with low liquidity, attempting to buy 51% of the supply might cost 10x or 100x the current market capitalization. This “Liquidity Wall” is the primary defense for smaller PoS chains. Even if their market cap is only $100 million, if only $1 million of liquidity exists on exchanges, the cost to acquire a controlling interest is prohibitive.20

5.2 Flash Loans and “Infinite” Capital

However, Decentralized Finance (DeFi) introduced a mechanism that bypasses the need to own capital: Flash Loans. A Flash Loan allows an attacker to borrow hundreds of millions of dollars for a single transaction block, provided they pay it back by the end of the block.

• Attack Vector: While Flash Loans cannot be used to stake (which requires long lock-up periods), they can be used to manipulate Governance or Oracle prices. An attacker can borrow $100M, use it to skew a spot price on Uniswap, trigger a false liquidation on a lending protocol, and pocket the profit—all without putting up their own collateral.
• Defense: This forces protocols to use Time-Weighted Average Prices (TWAP) or decentralized oracles like Chainlink to dampen the effect of single-block price manipulation. Attack Cost Modeling for DeFi protocols must therefore include the cost to manipulate the oracle, not just the cost to hack the contract.22

6. Restaking and Shared Security: The 2025 Paradigm

The most significant development in cryptoeconomic security in the 2024-2025 cycle is Restaking, pioneered by EigenLayer. Restaking changes the fundamental calculus of the “Security Budget” by allowing the same capital (ETH) to secure multiple networks simultaneously.

6.1 Pooled vs. Fragmented Security

Traditionally, every new blockchain (or Oracle, or Bridge) had to bootstrap its own set of validators and its own token. This led to “Fragmented Security,” where each small chain had a low Cost of Corruption and was vulnerable to attack.

• EigenLayer Model: Stakers on Ethereum can “re-stake” their ETH to secure these new services (Actively Validated Services or AVSs). If they misbehave in the AVS, their ETH is slashed on the main Ethereum layer.
• Impact on CoC: This dramatically increases the Cost of Corruption for the small services. Instead of attacking a $10M market cap chain, the attacker faces a validator set backed by billions of dollars of restaked ETH.24

6.2 The “House of Cards” Risk

While Restaking boosts the CoC for AVSs, it introduces systemic risk to the main Ethereum network.

• Leverage: If $1 of ETH secures $10 worth of protocols, the system is effectively leveraged.
• Correlation: If a bug in a major AVS triggers a massive slashing event, thousands of honest validators might lose their ETH. This would instantly reduce the security budget of Ethereum itself, potentially leading to a cascading failure.

Researchers in 2025 have focused on modeling “Target Stake” requirements—calculating exactly how much stake is needed to secure a specific AVS based on its “Value at Risk,” to prevent this over-leverage. The consensus is that while Restaking improves efficiency, it turns security into a complex financial derivative that requires rigorous risk management.26

7. Governance Attacks: The Soft Underbelly

As the “Hard Security” of Layer 1 blockchains becomes unassailable (due to the immense CoC of Bitcoin and Ethereum), attackers have moved up the stack to the Governance Layer. Governance attacks exploit the mechanisms of Decentralized Autonomous Organizations (DAOs).

7.1 The Curve Wars: A Case Study in Bribe Efficiency

The “Curve Wars” (circa 2021-2022) provided the definitive empirical data for governance attack costs. The Curve protocol controls billions in stablecoin liquidity. The “veCRV” token grants voting power on where that liquidity goes (and thus, which pools get high yields).

• The Mechanism: Rather than buying CRV tokens (which is expensive), protocols like Terra and Frax realized they could “bribe” existing veCRV voters. Platforms like Votium and Hidden Hand emerged to facilitate this.29
• Bribe Efficiency: Data showed that $1 spent on bribes often generated more than $4 in emission value.
  
  $$Bribe\ Efficiency = \frac{Value\ of\ Emissions\ Gained}{Cost\ of\ Bribes\ Paid} > 1$$
  
  This implies that the Cost of Corruption for a governance attack is significantly lower than the market cap of the governance token. An attacker doesn’t need to buy the company; they just need to tip the board members.31

7.2 Dark DAOs and Vote Buying

A theoretical escalation of this is the Dark DAO. This is a smart contract designed to automate the bribery process trustlessly.

• Concept: An attacker deploys a contract that says, “I will pay $X to anyone who proves they voted ‘YES’ on Proposal 12.”
• Threat: This allows an attacker to buy a vote for the “decoupling fee” (the small amount required to convince a holder to vote against their long-term interest). It exploits the tragedy of the commons: each voter takes the bribe thinking their single vote won’t destroy the protocol, but collectively they vote for destruction.
• Defense: “Futarchy” (governance by prediction markets) and Encrypted Voting are being explored to obscure the vote and prevent vote-buying contracts from verifying compliance.33

7.3 Quantifying Governance Risk

To measure this risk, analysts use the Nakamoto Coefficient, adapted for governance.

• Definition: The minimum number of entities required to pass a governance proposal.
• Reality: For many DAOs, this number is shockingly low—often less than 10. In many cases, a coalition of 3 or 4 venture capital firms and the protocol foundation can pass any vote. This centralization significantly lowers the “Social Cost” of coordination for an attack, even if the “Financial Cost” of their tokens is high.34

8. Social Consensus: The Ultimate Backstop

When cryptoeconomic models fail—when the CoC is lower than the PfC, or when a bug is exploited—the blockchain falls back on its final line of defense: Social Consensus.

8.1 The Hard Fork as a Governance Mechanism

Social Consensus is the ability of the human participants (node operators, exchanges, developers, users) to agree on the state of the ledger outside of the protocol rules.

• The DAO Hack (Ethereum, 2016): The most famous example. The code allowed the attacker to drain the funds. “Code is Law” dictated the theft was valid. The Social Layer disagreed. They coordinated a hard fork to reverse the theft, splitting the chain into ETH (forked) and ETC (original).
• Defense against 51% Attacks: If Bitcoin or Ethereum were 51% attacked today, the assumption is that the community would not accept the attacker’s chain. They would coordinate a fork that changes the PoW algorithm (bricking the attacker’s ASICs) or deletes the attacker’s stake (User-Activated Soft Fork).

8.2 The “Proof of Vitalik” and Coordination Costs

Critics facetiously refer to this as “Proof of Vitalik”—implying that security relies on a central figure to coordinate the defense. While humorous, it highlights a real variable in Attack Cost Modeling: Coordination Cost.

• High Coordination Cost: A decentralized, leaderless network (like Bitcoin) might struggle to agree on a fork quickly, leaving the network in chaos during an attack.
• Low Coordination Cost: A network with strong leadership (like Ethereum or Solana) can react swiftly to neutralize a threat.

Thus, “Social Layer Robustness” is a hidden variable in the Security Budget. A strong social layer acts as a deterrent because the attacker knows their victory will be pyrrhic—they will win the block, but lose the war.18

9. Conclusion: The State of Blockchain Security in 2025

The discipline of Attack Cost Modeling has evolved from simple arithmetic (Hashrate * Rental Price) to a complex system of differential equations involving liquidity curves, derivatives pricing, and social game theory.

9.1 Summary of Findings

1. L1 Security is Mature: Bitcoin and Ethereum have achieved “Maximum Viable Security.” The cost to attack them via their base consensus mechanisms (PoW/PoS) exceeds the resources of rational economic actors and borders on the logistical limits of nation-states.37
2. The Threat Has Migrated: Vulnerabilities have shifted to the edges:

• Restaking: Complexity risk and correlation risk.
• Governance: Low-cost bribery vectors and centralization.
• Bridges: Smart contract bugs remain the cheapest way to steal funds (PfC > CoC because CoC is effectively zero for a bug).

1. Financialization is a Double-Edged Sword: Deep liquidity markets prevent slippage attacks, but deep derivatives markets incentivize Goldfinger destruction attacks.

9.2 Future Outlook

Looking ahead, the integration of AI Agents into blockchain economies presents the next frontier for Attack Cost Modeling. AI agents capable of simulating millions of attack vectors per second may discover “arbitrage” opportunities in security budgets that humans have missed. Conversely, AI-driven defense systems may automate the “Social Slashing” response, creating self-healing networks.

Ultimately, the true security of a blockchain is not found in a single number or formula. It is found in the resilience of its community and the alignment of its economic incentives. As long as the honest majority has more to lose from the network’s failure than the attacker has to gain from its destruction, the chain will survive.

Comparative Data Appendix

Table 2: Comparative Attack Cost Structures (PoW vs PoS vs Governance)

Metric	Bitcoin (PoW)	Ethereum (PoS)	DAO Governance
Primary Resource	Energy (Watts) + Hardware (ASIC)	Capital (ETH)	Voting Tokens
Attack Threshold	> 50% Hashrate	> 33% Stake (Halt) > 66% Stake (Finalize)	> 50% Participating Quorum
Cost Type	OpEx (Electricity) + CapEx	CapEx (Locked Capital)	OpEx (Bribes) or CapEx (Tokens)
Recovery Mechanism	PoW Algo Change (Hard Fork)	Social Slashing (UASF)	Fork / Rage Quit
2025 Status	~1,031 EH/s (Logistically Difficult)	~$111B Staked (Economically Prohibitive)	High Risk (Bribe Markets active)
“Rental” Risk	Low (NiceHash < 1%)	Medium (Restaking leverage)	High (Votium/Hidden Hand)

Table 3: Evolution of Attack Cost Models

Era	Model Name	Key Insight	Shortcoming
2009-2013	Nakamoto/Classic	Security depends on CPU power.	Assumed honest majority is automatic.
2013-2018	Kroll-Davey-Felten	Added Market Dynamics (Goldfinger).	Underestimated hashrate rental markets.
2018-2020	Budish / Crypto51	Quantified Rental Cost (NiceHash).	Ignored slippage and ASIC scarcity.
2020-2022	DeFi/Flash Loan	Infinite Capital via Flash Loans.	Focused on App layer, not Consensus.
2023-Present	Restaking/CoC	Pooled Security & Slashing Risk.	Complexity of correlated failures.