Nothing is worse than Proof of Stake
Summary: Proof of Stake (PoS) achieves the exact opposite of decentralizing control expected of cryptocurrency protocols.
- PoS is permissioned by internally held tokens owned by a central party that can deny entry to independent external parties
- There is no mechanism in PoS that forces anyone to ever give up control they already have. Ever.
- PoS gives the internal (central) parties a mechanism (staking) to guarantee perpetual growth in fraction of control they have
- Proof of Stake slashing variants are self-damaging and incentivize attacks
“Cryptocurrency” term was created in 2009 to describe Bitcoin’s unique achievement to use cryptographic primitives to decentralize control. This term since then when applied to other networks implies being similar to Bitcoin and decentralized. Proof of Stake digital currencies appeared around 2013 and sounded great, promising environmentally friendly alternative. What can go wrong with the design of “let’s weight consensus by coin ownership instead of accumulated work so block producers have stake in the network.”
Apparently, a lot.
This summary is inspired by Nothing is Cheaper than Proof of Work and constant misconceptions.
PoS is permissioned by internally held tokens that can deny entry to independent external parties
There’s a popular saying “Proof of Stake is secure in same way a database is secure.”
Your access from outside is quite literally permissioned by internally held tokens, not much different from auth tokens in databases.
What made Proof of Work (PoW) novel and amazing is providing economic finality in a permissionless system.
Ability to grant or deny permission is control.
Instead of securing a network via a limited number of tokens already held internally (or dare I say centrally), the beauty of PoW is it is permissionless by relying on external to it resources: all you need is access to electricity and matter present all over the universe to get coins, to include your own transactions, or to effect consensus by weight you get to decide.
Control distributed to only permitted parties is indistinguishable from centralized control. Decentralization is specifically distribution of control to independent parties with independent interests. Since permission to independent external parties can be denied for both access and, more importantly, weight in consensus, it cannot provide decentralized security. It’s trivial to only pick your own anonymous accounts or those who already agreed to collude with you. The moment the network seizes to be permissionless, it becomes not relevant to topic of decentralized technology like cryptocurrencies.
Proof of Work is secured by permissionless external resources of the universe, Proof of Stake is secured by a permissioned internally owned limited resource.
Example: In Proof of Stake system with 100 coins I printed, I can choose to only allow 10 on open markets. Only I get to decide if all others combined can effect consensus by more than 10 coins I permitted.
Decentralization is also not merely distributing control, but being resistant to collusion taking advantage of minor users by having entry wide open. This is why securing outsiders coins via a multisig or multi-party computation is not considered trust minimized for outside parties: internal parties have ability to profitably steal. Control distributed to many accounts of the same party appears indistinguishable on-chain to many independent parties receiving the distribution. Therefore, users in PoS are forced to rely only on trust that control is altruistically given up. Gini coefficients, ICO participation, coin distributions are all pure speculation on who owns the accounts. Only the design itself allowing permissionless entry or not is objectively known.
PoS is simply not an alternative to trust minimized consensus protocols nor a panacea for 51% attacks. “Pain is the cost of living” and, similarly, PoW costs and possibility of 51% attacks are the cost of permissionless decentralized networks.
This alone should be reason enough already to disqualify all Proof of Stake designs, but let’s go even further.
There is NO mechanism in Proof of Stake that forces anyone to ever give up control they already have. EVER.
PoS has no continuous permissionless or costly distribution mechanism. Staking provides new coin emission distributed equivalently per staked coin. Not only does the central party get to decide exactly how much control others are allowed to have, if any, they also get to keep or grow control forever at no cost.
It’s helpful to understand what makes continuous decentralization possible with PoW. PoW coin emission has built-in unforgeable costliness resulting in that:
- PoW forces continuous costs for everyone with no exceptions
- Equipment ages out forcing rotation & replacement costs (an external type of stake in the network)
- Miners join w/o permission until costs ≈ rewards, and that costliness on scale of the rewards forces miners to sell majority of new coins to continue mining
- The never ending costs are forcing never ending re-distribution of block subsidies and fees via markets. This is effectively continuously distributing control available to anyone with access to the markets of these coins.
- The markets, in return, get to price the value of incentives that the miners depend on for recovering value.
PoS staking is opposite: without costs it cannot force distribution of coins or control. It gives already internal members continuous perpetual rewards. Equipment does not age out. Staking can continue forever at no additional costs. Emission in PoS applies to all staked coins equally which means control distribution does not change: if you had 70% of stake, you can have 70% of stake forever. If any of others’ coins aren’t staked, PoS provides the central party a mechanism to guarantee perpetual growth in % of control they already have. Assuming the blockchain is used by many other users more frequently than the possibly single dominant central party, there’s almost certainly to be unstaked coins to guarantee continuous centralization of control.
In fact, you can continuously sell coins out of fraction of that perpetual growth without ever giving up % control (and can even increase % control simultaneously). Worst case scenario is to use mostly centrally pre-mined stake (i.e. printed for free) on Proof of Stake blockchain, literally designing for a permanent trusted party in control with no practical way to ever be confident they gave it up (short of burning premined coins).
PoS is not only designed centralized via permissioned entry but also provides a mechanism to centralize control. But wait, it gets worse when PoS implementation also uses slashing.
Proof of Stake slashing not only cancels part of itself out, but can even be abused to attack others
The basic idea of Proof of Stake is that stake owners have coins at stake. If they attack the block chain the market value of their stake can drop to ~0 (this applies to really any blockchain). Slashing attempts to add additional mechanisms where malicious party coins are destroyed. Strangely, the total magnitude of the deterrent to participants is still same - the value of their stake, punished by either the markets or slashing. Accurate detection of malicious actions, however, is not always accurate or possible as every tool can be misused.
It’s important to understand the network value is roughly based on their market capitalization (market cap). The percentage of the market cap measures the value and control owned by any party (the actual number of coins market cap is split into to derive the price of each coin is irrelevant).
Front-running transactions is an example of a trivial attack for block producers to execute that would be hard to detect and can be profitable, for example, in liquidity pool based on-chain exchanges.
If staking nodes can get slashed for being unavailable, that’s an incentive to DDoS block producers to get them slashed and to increase your own % ownership of market cap. This is an example of irreversible profitable attacks robust networks should not allow.
Users risk being slashed for accidentally signing 2 slightly different block versions from something as common as a redundant backup node.
If a large owner get slashed for, let’s say, double spends, the % of market cap they lose is affected less the more they own. Slashing that hurts accidental cases almost plays no role for large holders:
Example: if you own 90/100 coins and are slashed 9 coins (10%), now you own 81/91 coins. In theory 9 was supposed to be 10% of your holdings, but at constant market cap and % wise you went from 90% of market cap to 89% of market cap. You only lost 1% value & control!
It gets worse.
Censorship slashing is an idea to punish block producers attempting censorship. However, anyone can claim censorship but not actually broadcast what was allegedly censored or can intercept the censored message. This type of slashing has to slash both parties to prevent fake claims: party claiming censorship and party allegedly censoring. It’s supposed to be equivalent to mutually assured destruction. However, since coins in PoS are equivalent to control, larger holder (or collusion) can use it to attack minor holders profitably:
Example: If you own 90/100 coins and others own 10/100 coins and censorship slashing takes away 5 coins from each, you now own 85/90 and others own 5/90. So your value went up from 90% of market cap to 94%, literally incentivized collusion and attacks!
Proof of Stake is quite literally in almost every aspect of design backwards from rational for the cryptocurrency use case. Proof of Work is simply the only known solution to secure the dominant permissionless decentralized network. Claims of PoW inefficiency compared to PoS for decentralized networks are wrong since
Efficiency = (useful output) / (input costs),
and PoW is the only one of the two that has non-zero numerator (useful output is security through decentralization).
Other issues with PoS
No other issues are necessary to rule out PoS for cryptocurrencies. But, for completeness, here are references to work covering other additional issues and false pro-PoS arguments:
- Nothing at Stake : the idea based on fact that all and any PoS blocks cost nothing to produce unlike PoW (1, 2, 3). This is also given as the reason some implementations invented slashing conditions that only break the protocol further.
- Cost of attack is unknown, humans are not good at consensus, resiliency (1, 2)
- history key attack or history revision attack (1) : idea of using previously known keys by large owner (e.g. premine, exchange) to create a more valid long chain.
- checkpoints, weak subjectivity, long range attacks (1, 2, 3)
- False equivalency with “centralized miners in China”: miners don’t control the blockchain (1,2)
- Reliance on subjectively manually deleting attacker’s stake:
Weirdly enough, there’s also blatant lying about size of trusted (premined) supply to be used in PoS (1). There’s also blaming criticism of broken PoS technical security design on fictional bias from Bitcoin (or Proof of Work) “maximalism.” The former attempts to mislead or disguise ICO as a trust minimized distribution method that it definitely is not for the simple reason buying for sellers is free (1,2). The latter is an ad hominem to divert from discussed topic to attempting to discredit the speaker, all too common in cryptocurrencies.
Cryptocurrency and decentralized technology field ultimate goal is to provide unprecedented levels of security. The very well being of its users is at stake. Failing to provide technology that matches the security properties claimed by greedy developers puts real people in danger and is indistinguishable from a scam. Journalists and developers covering this field have a responsibility to “do no harm” and provide accurate information at the very least as a priority.
Possible alternatives & “Virtual Mining”
I understand the desire to want to find alternative to Proof of Work with something that doesn’t cost as much for energy or equipment. May I suggest it’s already possible and has been done a little before.
So what is the ideal design for an alternative:
- unforgeable equivalent costs for all (to force distribution of control)
- permissionless access via external resources available to any independent parties (to allow independent parties)
- low barrier to access (maximize number of parties to distribute control to)
- environmentally friendly (PoS’s only upside)
Proof of Burn (PoB) can satisfy all of these requirements by continuously burning EXTERNAL coins of a “parent” chain (e.g. Bitcoin) to secure a dependent “child” chain. Burning coins here means rendering coins unspendable by anyone ever with transactions secured by another blockchain (e.g. Bitcoin) as proof. Bitcoin burns are equally costly and equally available to everyone.
Burning coins also the ultimate ASIC resistance (nobody can secretly create a device that lets them burn coins cheaper). For example, you could replace Proof of Work on all but 1 parent block chain with proof of burning coins for valid child chain commitments so then the child chains follow the chaintip with most total accumulated burn. Similarly to Proof of Work, this external resource isn’t burned for free, but to get paid from the fees or block rewards on the child chain.
Bonus: When burning Bitcoin is required for child chain block validity, you suddenly have this continuous novel stream of external coins. Validity for consensus can easily also require that 1% of however much is burned is used to redeem peg-outs (withdrawals) to the parent chain. That means, in theory, you can have a token on a child chain that can be redeemed 1:1 for real Bitcoin. No trusted oracles, no federations, no multi sigs. Redeem risk is on same scale as security risk and risk can be evaluated by each participant.
Example PoB designs: altcoin child chain, child chain without an altcoin, perpetual one-way peg, soft peg child chain, blind merged mining (lean)
The only aspect I haven’t quite seen yet is simulating PoW’s expensive single purpose equipment aging and cost (e.g. ASICs) we have in PoW for miner skin in the game, but it tentatively doesn’t seem that difficult to implement. Proof of Stake proponents sometimes call PoS “virtual mining” but it’s the opposite as explained in this work and compared to PoB more deserving of the term.
The other sidechain design that does not require additional PoW is a drivechain which is merge-mined.
It’s not clear if there are major issues to these proposals but, regardless, they are far superior to Proof of Stake.