To attack the system, the attacker must attack at least one AVS. Thus a simple bound says, Cost-of-system-corruption = {min i Fraction-slashable-for-AVSi} Amount-staked Hence the system is cryptoeconomically safe as long as the following security invariant is guaranteed: Cost-of-system-corruption iA Profit-from-corrupting AVSi in an interval of length Tredeem slots. We need to ensure that the amount slashed and burnt satisfies the DPF constraints for forking, i.e., the amount burnt should be greater than a DPF fraction. DPF value(bEIGEN1) burn min i Stake-slashable-for-AVSi. DPF burn (cid:18) min i {Fraction-slashable-for-AVSi} (cid:19) Fraction-staked

3.3.5 Attributable Security for Multiple AVSs under Full Restaking Because there are multiple AVSs, when slashing happens, we need a mechanism to know how to redistribute/allocate the slashed fund across the different AVS. One example mechanism to provide attributable security to an AVS is to make it proportional to the security fees paid by a given AVS over a past epoch period. The security fees paid by AVSs to stakers and operators over an epoch period are observable on-chain and so the attributable security held by the AVS is on-chain observable and computable. This is just one example of implementing attributable security for intersubjective staking, but there can be other examples of allocating attributable security.

We will now argue that it is insufficient to compensate only for the AVS that got attacked. If the protocol does that, it is possible for an attacker to attack AVS1, and then wait for a fork of the token to be created with redistribution only to AVS1, and then switch to attacking AVS2, etc. This leads to complex timing races between the attacker and the challenger. We will now propose a simple mechanism that does not have this timing race. Redistribution mechanism. As was done in single AVS scenario, attributable security under multiple AVS requires that whenever any operator is slashed, burn fraction of the stake held by the operator will always 21 (12) (13) (14) (15) be burnt. The remaining fraction of slashed stake is allocated across all the AVS. The fraction of this redistribution allocated to an AVS can be determined based on different mechanisms, but for concreteness, we consider simply allocating funds proportional to the security fee paid by the AVS.

Now, we can proceed to calculate how to make the system strongly cryptoeconomically secure. First we note the amount of stake slashed must satisfy the following relationship: Amount-slashed (cid:18) min i {Fraction-slashable-for-AVSi} (cid:19) Amount-staked. Out of the amount slashed, = 1 burn is redistributed and out of that, AVSi gets a fraction i of the redistribution (where i is the proportional fraction of fees paid by the AVS in the particular mechanism). (cid:18) (cid:19) Attributable-security-for-AVSi = i min i {Fraction-slashable-for-AVSi} Amount-staked See fig. 9 for an illustration. Strong Cryptoeconomic Security under Multiple AVS If AVSi ensures that the total harm from corruption during the Tredeem period is smaller than the attributable security, then AVSi is strongly cryptoeconomically secure. (cid:18) (cid:19) Attributale-security-for-AVSi = i min i {Fraction-slashable-for-AVSi} Amount-staked. 3.4 Risks & Mitigations