What’s Wrong with Proof of Stake?

Bob McElrath
9 min readJun 14, 2016

--

Using computers to manage assets is not new. Indeed that’s a major reason computers were invented. What, then, makes Bitcoin and blockchains different?

An early Cuneiform tablet for accounting. Someone owes me some goats.

All digital financial assets before Bitcoin can be called IOU systems. The systems and databases themselves do not hold assets. The records in the database are an accounting of an external asset. Indeed this kind of accounting has been with us since the earliest days of writing, and computers do not fundamentally change it.

In these kinds of IOU databases, the marginal cost of adding an extra row is zero. Once I’ve decided to eat the initial capital expenditure of obtaining a sharp stick and clay tablet (or 1U server and a copy of MySQL), the cost of adding adding an extra row and tracking an extra asset is zero. The reason we use such record keeping tools is precisely that the cost of keeping the record is much less than the value of the asset being tracked.

For such IOU systems, their flaw is that no matter how ironclad your records, they must be tied to the real world assets. Just because my clay tablet says you have three goats, and owe me two, doesn’t prove that you possess three goats or are capable of producing two. This is counterparty risk, and is fundamental to IOU-based accounting systems, leading to the creation of government regulated central counterparties.

Why is Bitcoin different? Because the database record is the asset. In other words it is the first example of a digital bearer bond. It’s the “distributed database” part there that enables it to be a bearer bond. Centralized databases cannot hold bearer bonds since they cannot be removed from the central database.

Bitcoin’s consensus mechanism is based on Proof-of-Work, where miners compete to create a new block, update the ledger, and it costs substantial real-world assets to perform. The competition involves a process which brute-forces a hash function. It is not in itself a valuable process, but it serves to (a) randomly select a miner to allocate coins to and (b) provide an anchor for the asset in the real world.

Let us repeat that last piece because I think a lot of people are missing this important point:

Mining provides a value anchor for the cryptographic asset in terms of real-world expenditures.

Mining costs a certain amount of money, and the calculus going on in the heads and balance sheets of those performing mining is: how much does mining hardware cost, how much does electricity cost, and what is the price of Bitcoin? Though cryptographic signatures and proofs, this initial capital expenditure is related by coin transfers in a chain of custody. This is fundamentally the reason that no one is paying for individual rows in SQL databases. Their marginal cost is zero. This is also why it’s extremely challenging to allow for the fast settlement of IOU assets that Bitcoin has and why using blockchains to fix post-trade settlement is an uphill climb. The reason Bitcoin achieves its settlement without counterparty risk is because the database record is the asset. Only if assets are issued in a cryptographic manner can the power of central counterparty-free blockchains be brought to them. This is why the issuance of private securities being pursued by Symbiont and Nasdaq Linq are (probably) good ideas. The database record must be the asset. This database record must be the only form in which the asset exists; the asset is not an IOU.

The database record is the asset.

The mining process is arguably wasteful, and justifiably has environmentally conscious people concerned. This is the major reason that many have tied their hopes to an alternate idea called “Proof of Stake”.

Proof of Stake

The idea behind Proof of Stake is to replace miners with “stakers” or “forgers” or “validators” — entities who hold coins and, as in proof of work, seek to maximize their “stake”. We’ll call them validators. In Bitcoin, it is the profit-maximizing strategy of miners which both provides consensus and allocates the coin asset. Bitcoin conflates these two distinct ideas. Let us de-conflate them and address them individually.

Consensus

There exists a body of literature surrounding the creation of databases that are Byzantine Fault Tolerant (BFT), the most advanced of which is Honey Badger BFT. This has been a long-neglected topic by industry because basically, no one wants to share their database. So industry currently only sells databases which are tolerant to non-byzantine faults, like nodes crashing. This literature is the correct way to handle byzantine faults without an economic incentive.

The assumption that a profit-maximizing strategy can be applied to a coin assumes that the coin is worth something in the first place. But as we’ve argued, the marginal cost of a database row is zero, even if it’s a fancy cryptographically signed row. Maximization over a set of zero-value database rows is, well, zero. This an economic way to state the “Nothing at Stake” problem. The profit maximization calculation falls on its face. It costs nothing to create blocks (so they have zero worth) and costs nothing to create forks.

The fact that it costs nothing to create forks has led several coins to attempt to prevent reorganization of the chain. This has led to either disallowing chain reorganizations beyond a certain depth (720 blocks in NXT), or a “bonding time” meaning validators must pay a security deposit or bond in order to become a validator, and this bond must not move for a certain period of time (4 months in Ethereum’s proposed Casper). But these don’t solve the fundamental problem — they just tell me how large an attacking fork must be. Let’s call this the stake forking time F.

This notion of consensus is also based on a circular argument: I had consensus F blocks ago, and I can use that to decide on the consensus for block F+1. This argument is circular and logically incorrect. An attacker will simply create 10,000 forks starting F blocks ago. Good luck telling which one is correct. This has led certain people in the Ethereum community to embrace a notion of weak subjectivity, which basically means: “I think I can google what the most recent block hash is, and find the correct answer”. This is a fatally flawed argument when there are 10,000 potentially valid forks. Furthermore this is a sociopolitical solution to a technical problem. Attackers have proven willing and capable of setting up fake websites for their attacks. Presenting a false history through any medium costs nothing.

Finally there’s a pervasive belief among Ethereum and Tendermint aficionados that they can somehow “punish” attackers by destroying their bonded security deposit. However we can only “punish” attackers if we agree on a state of the ledger, that includes their punishment. An attacker would never create a ledger that included his own punishment. I think this belief is an application of the logic of fungibility to a non-fungible accounting system. That is, coins cannot be deducted from one fork and added to another. That’s not the way forks work. A fork is an entirely different history, and coins are fundamentally not fungible among forks. It is therefore not possible to “punish” attackers. One can only make the window of security deposits longer, and we’re back to a circular argument.

Finally, there’s an argument often made that “Proof-of-Stake coins exist so doesn’t it mean they work?” Indeed Peercoin, NXT, Bitshares and others have been running for years. However there’s a very serious negative incentive problem. It’s clear that one could become a validator on e.g. NXT and create a fork 720 blocks long. But in so doing I’d acquire a bunch of $BrokenCoin, which I couldn’t sell. This negative incentive has prevented these coins from seeing the level of attacks that have been levied at Bitcoin. Absence of Proof is not Proof of Absence.

Coin Allocation

In a Proof-of-Work currency such as Bitcoin, coins are additionally allocated with each block. The rational economic calculation of whether it’s profitable to mine is done by each miner individually, and provides the anchor to the real world. People don’t build things like Genesis Mining’s operation because of altruism or because “fuel for the world computer” is something they think they need.

An Ethereum mining operation in Iceland

Coins have an associated coin allocation schedule. In Bitcoin it is an exponentially decaying allocation. Ethereum allocates a constant number of coins per block. This coin schedule must be compatible with keeping more than 50% of the miners mining, or there will be a loss of mining power, and once more than 50% of the miners have departed, there’s a very real chance that the departed miners might mount a 51% attack.

For this reason I think that even Bitcoin’s coin allocation schedule is flawed. The asset in this case and the anchor to the real world is the Proof-of-Work hash, and coins should be awarded proportional to the difficulty of computing this hash. This is approximately true in Bitcoin’s case, with the exception of the halvings, in which the number of coins per block halves approximately every four years. This has already been blamed for the bankruptcy of the mining firm KnCMiner. Not many industries can afford to see their revenues suddenly halved. If Bitcoin continues with its halving schedule, and more than 50% of the hashpower departs, it will be problematic.

We’d be better off to award coins directly proportional to this difficulty. This would cause crypto-currency mining to be more similar to real-world mining. There isn’t actually a fixed supply of energy. We’ve got at least 5 billion years left on Sol, and that will let us create work-based cryptographic assets for a long time to come. Were we to allocate coins proportional to difficulty, it would enable us to heal network forks, for instance, without depriving miners on the short side of the fork. Bitcoin tries very hard to be independent of state, but its state is dependent on for the coin allocation schedule. Bitcoin could be made more robust without this dependence. More on this is coming in a future blog post.

Ethereum has activated a “difficulty bomb” which is exponentially increasing the difficulty, so as to force a move to Proof of Stake. Extrapolating the linear increase in hashrate over the last few months, this exponential increase will outpace natural hashrate growth in the first few months of 2018. After that point, Ethereum will lose its anchor to the real world, while still creating new coins. It becomes an inflationary currency at that point. Its anchor to the real world, in terms of its initial Proof-of-Work is fixed. Any potential validator is competing for a fixed pool of Proof-of-Work hashes, and being a validator is a zero sum game. Because there exist a set of accounts which are not validators, the coin allocation schedule amounts to an inflationary asset transfer from the non-validators to the validators. Thus the “difficulty bomb” is better termed an “inflation bomb”.

TL;DR

The whole idea of Proof of Stake seems to rest on circular logic, logical fallacies such as “Absence of Proof is Proof of Absence”, and a misunderstanding of fungibility and forks. These are fatal flaws that will not be fixed by rearranging security deposits. In other news, I hear the deck chairs on the Titanic were very neatly organized. Furthermore, even if Proof of Stake worked, such a coin would have no anchor in terms of real-world value. It would have zero cost and zero value. The correct application of technology in these cases to use a BFT database and recognize the fact that the assets being represented are IOU’s.

Ethereum’s determination to move to proof of stake is ill-conceived, and will result in an inflationary destruction of the currency.

Moving to an award schedule which is proportional to difficulty will enable organic growth of the asset, and is a more direct representation of exactly what the asset is in the first place.

SolidX Partners provides consulting and strategy solutions to organizations seeking to learn about blockchain and implementation solutions. The firm also provides blockchain-based software solutions relating to the indelible recording of records, transfer of assets, and identity. For more information, please visit www.sldx.com or email the team at info@sldx.com.

--

--

Bob McElrath

Reverse-engineering the universe and remaking money. Ph.D. Theoretical Physics; Bitcoin hacker; SolidX CTO