Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.pelion.dev/llms.txt

Use this file to discover all available pages before exploring further.

The numbers below are projections based on the spec and current Bittensor subnet state. They will be re-grounded with live data when the Bittensor integration is operational.
The protocol’s integrity reduces to three defense layers. Subnet economic security, relay challenge economics, and adapter contract correctness. An attacker must defeat all three to produce a bad verdict that gets paid.

Single-subnet attack cost

The first defense is the cost of corrupting subnet-level consensus. To move a single subnet’s weighted verdict, an attacker must acquire enough alpha-weighted validator influence to override honest validators. The approximate cost formula. 
Attack cost  ≈  (alpha_required_for_majority × alpha_price_after_attack)
              + cost_of_bribing_independent_validators
              + slashing_risk_if_caught
Each term compounds. Alpha required for majority. A meaningful fraction of the subnet’s total validator alpha weight. Not 51% of supply, because much of the supply is illiquid or held by honest participants, but enough weighted stake to swing consensus. In practice this is a multi-million-dollar position for a mature subnet, and the price moves against the attacker as they buy (alpha → TAO AMM slippage). Alpha price after attack. Acquiring a large alpha position pushes the price up on entry. Liquidating after the attack pushes it down on exit. The round-trip cost is significant and separate from the ostensible acquisition cost. Bribing independent validators. An attacker who cannot acquire majority weight cheaply can try to bribe honest validators to vote their way. Each validator must be paid more than their expected value from honest behavior, which includes emissions earned through reputation. Slashing risk if caught. Bittensor subnets have their own slashing mechanisms. An obviously adversarial validator gets caught and slashed. The attacker’s stake is at risk for the duration of the attack. For SN6 at current alpha market caps, plausible attack cost for a single verdict is on the order of several million dollars plus ongoing operational overhead. Questions with market stakes below this threshold are uneconomic to attack at the subnet level.

Multi-subnet defense

For higher-stakes questions, Pelion’s adapter supports routing the same question to multiple subnets. The verdicts must agree (or meet a quorum rule) before finalization. An attacker must now corrupt a quorum of subnets simultaneously. The cost of this scales close to multiplicatively across subnets because the attacks are largely independent. Acquiring alpha in SN6 does not give any advantage when attacking SN28. There is some sub-linearity from shared attack infrastructure (bot nets, coordination) but the dominant term is independent per-subnet cost. Routing policy. Low-stakes questions default to a single subnet to keep cost down. High-stakes questions fan out to multiple subnets. The threshold is configurable and is expected to move with observed attack attempts.

Relay challenge economics

Even with corrupted subnet consensus, the relay challenge layer provides an orthogonal defense. Here’s how. The relayer that posts a verdict to Base bonds USDC. The verdict it posts carries validator signatures claiming to represent subnet consensus at a specific block height. A challenger running a 24/7 verification client can (a) watch VerdictSubmitted events on Base, (b) independently fetch the actual subnet consensus at the cited block height, (c) compare, and (d) submit a counter-verdict with their own bond if the two don’t match. The economics make honest challenging rational. Challenger bonds are sized so that successful challenges earn the challenger a portion of the losing relayer’s bond. Unsuccessful challenges (challenger’s verdict doesn’t match actual consensus either) forfeit the challenger’s bond. For this defense to be effective, at least one honest challenger must be watching. With public subnet consensus data and a published challenger client, this is a low bar. A single aligned validator operator or a protocol-adjacent watchdog is enough. The attack requires compromising not just the subnet but also every honest observer watching the relay.

Quantitative comparison to UMA

PropertyUMAPelion
Economic security anchorUMA token market cap (~$95M)Alpha market caps across routed subnets, scaled by quorum
Attack vectorAcquire or coordinate UMAAcquire or coordinate alpha across multiple subnets, plus defeat bonded relay challenge
Security scalingLinear with voting-token market capRoughly multiplicative across routed subnets, plus relay layer
Attacker cost for single subnet (SN6 today)N/ASeveral million USD, plus operational overhead
Attacker cost for multi-subnet route (2 subnets)N/AMultiplies, roughly square of single-subnet cost
Breakeven against $100M marketRequires UMA market cap ≥ $100M, which it isn’tCovered by single-subnet routing at SN6 alpha levels
The asymmetry matters most at the high end. UMA’s security is bounded by its token market cap, no matter how large the market. Pelion’s security scales with the number of routed subnets, with each additional subnet adding roughly-independent defense.

Honest caveats

The attack cost model assumes rational adversaries. Coordination failures on the defender side narrow the margin. Emergent risks exist when alpha prices are volatile during an attack. The relay challenge defense requires at least one watching challenger. If challengers are asleep, the defense is latent, not active. The federated relay committee in v1 is a trust compromise explicitly called out. Its security derives from the committee’s reputation and bond, not from native subnet-signature verification. v2 migrates to a light-client bridge that removes this trust assumption. None of these caveats invalidate the comparison to UMA. They narrow the quantitative margin at the edges. The structural advantage (multi-subnet routing plus orthogonal relay defense) holds.