NEAR Protocol Security Overview

NEAR, the sharded, carbon-neutral, and proof-of-stake (PoS) layer-1 (L1) blockchain, is widely regarded as a blockchain on the rise. In this article, part of our Blockchain Protocol series, we’ll briefly review what NEAR is, cover NEAR’s security model, discuss the potential issues that NEAR faces, and project how NEAR might evolve from here. 

A Brief Recap of NEAR

In the world of L1 blockchains, everybody is hunting for the crown currently held by Ethereum. While competitors such as Solana, Avalanche, and Cosmos have gone about this hunt by attempting to differentiate themselves from Ethereum, NEAR looks much like Ethereum’s completed roadmap.

NEAR is secured by PoS, just like Ethereum. It scales through its Nightshade sharding mechanism, similar to how Ethereum ultimately plans to scale. It is carbon-neutral, which Ethereum would love to eventually reach. It is even EVM compatible through its layer-2-like EVM solution, Aurora. 

The most significant difference between NEAR and Ethereum is its developer friendliness. Whether it be through its use of popular coding languages Rust, AssemblyScript, and JavaScript, its $800 million development incentive fund, or its developer share of transaction fees, NEAR has carved out a niche as the developer-friendly blockchain.

The result is the fastest-growing developer ecosystem in crypto and optimism that NEAR’s best days are ahead. 

An Overview of NEAR’s Security

NEAR is a decentralized network, meaning multiple people must collaborate to keep the chain safe. These people are known as validators. The most important of these collaborations is the consensus mechanism, which is how the validators trustlessly agree on the digital ledger’s correct shared state to prevent devastating attacks such as a 51% attack. 

As mentioned in the introduction, NEAR uses a PoS consensus mechanism. Specifically, NEAR uses a unique thresholded PoS system (TPoS). 

TPoS works very similarly to regular PoS. Validators stake (lock up) NEAR tokens in order to have the opportunity to process transactions, validate new blocks, and oversee other validators. These NEAR tokens can come from their own pockets or be delegated to them by other users. In return for this crucial work, validators are rewarded with a target number of NEAR every epoch (about 12 hours), currently computed so that validators annually receive 4.5% of NEAR’s total supply. 

TPoS introduces an election mechanism for choosing validators. The best way to think of TPoS is like an auction in which the highest bidders receive the most rewards. 

The TPoS system brings three main advantages over regular PoS:

• No Pooling: Because the rewards are directly proportional to the stake, there is no reason to pool stake or computational resources. In other words, because two accounts holding 10 tokens each receive the same rewards as one account holding 20 tokens, there is no reason for the two accounts holding 10 tokens to team up, as is often the case with PoS blockchains like Ethereum. This improves the decentralization and security of the chain.

• Less Forking: Forks are possible only when there is a severe network split in which less than ⅓ of the adversaries are present, which helps keep transaction finality times low and the chain’s security high.

• Security: It is very challenging to attack a TPoS chain as the attacker must obtain the private keys from those who hold ⅔ of the total stake amount over the two days in the past. For all intents and purposes, this is an impossible task.

Problems With NEAR’s Security

NEAR’s security is, for the most part, air-tight. 

Its use of Rust as a primary production-level language, due to the nature of Rust language and its compiler, decreases the risk of coding mistakes that lead to hacks and exploits. It is well-audited and even recently introduced its own smart contract audit program for apps in the NEAR ecosystem. Its bridge to Ethereum, Rainbow Bridge, is one of DeFi’s sturdiest bridges, thwarting multiple attacks and having an Immunefi bug bounty program which led to catching critical bugs. Finally, there’s much to like about its TPoS consensus mechanism. 

Unfortunately, despite these positives, NEAR is not perfect. 

The primary issue with NEAR is its lack of decentralization. NEAR only has ~200 validators as of the time of writing this article, with the top 10 validators controlling 35% of the total stake and the top 17 controlling 51%. 

As the Tornado Cash sanctions rudely reminded us, censorship attacks from powerful actors can come anytime. With such centralization of the stake among validators, NEAR is not currently as firmly positioned to resist such an attack as it perhaps should be.

Final Remarks on NEAR’s Security

NEAR is clearly an L1 with mountains of potential. Its team has consistently shipped and it is well-positioned to thrive once the bull market resumes.

However, even though NEAR’s security has a lot of positives, its lack of decentralization and censorship-resistance is a legitimate cause for concern. It is a long and arduous process to become sufficiently decentralized. However, NEAR is already taking steps to decentralize more. 

The November 2021 launch of Simple Nightshade was just the first step towards a completely decentralized, secure blockchain; the December 2021 release of the updated validator selection algorithm set NEAR up for 100 validator nodes on Mainnet, which brought the seat price down from 3.6 million $NEAR to 67,000. And, most recently, NEAR added chunk-only producers, which are a step below full-on validators and allow more people to become crucial to the network. 

Needless to say, NEAR is making immense progress on decentralizing. At the end of the day, it’s about the long term. The bear market is the perfect time to start this process. Hopefully, NEAR can make significant progress before the bull market mania returns.