WHY ARE UNBONDING PERIODS SO LONG ON PROOF OF STAKE?!

Proof-of-Stake blockchains such as Cosmos zones allow fast confirmation of transactions but very slow unbonding of stake, with repercussions on user experience and liquidity of the blockchain. Why?

Proof-of-Stake Chains and the Unbonding Period

Proof-of-stake (PoS) blockchains have seen widespread interest due to their energy efficiency. To secure the system, PoS chains require the validators of the blockchain to stake tokens before they can propose or vote on blocks. This enables the PoS protocol to hold protocol violators accountable, and slash their staked, i.e., bonded, tokens as punishment. This gives another incentive for honest participation besides the block rewards.

In addition to energy efficiency, one important advantage of PoS chains is fast finality: transactions are confirmed fast, of the order of seconds. In contrast, stake unbonding is very slow, of the order of weeks (Table 1). Many PoS protocols require a lengthy unbonding period to elapse before a withdrawing validator can take back its staked funds. During the unbonding period, the validators cannot participate in the PoS protocol and do not accrue any block rewards or interest on their stake. They also cannot move the staked funds and use them for other purposes. The immobility of stake over a long unbonding period not only degrades user experience and creates financial friction, but also reduces the liquidity of the coins in the PoS system. Interestingly, Proof-of-Work chains are polar opposite: transactions are confirmed slowly but hash power can leave the network at will.

Table 1: Unbonding period on different Proof-of-Stake blockchains such as Cosmos zones, PoS Ethereum [1], Avalanche, Algorand and Cardano [2]

Can Liquid Staking Help?

Liquid staking aims to alleviate the problem of stake being locked up in a PoS chain. To engage in liquid staking, users deposit their funds in an escrow that stakes these funds on behalf of the user. In return, the users receive a tokenized version of their funds, which they can trade freely in the market. For instance, by staking Eth in a liquid staking contract, the user gets a ‘staked Eth’ (‘stEth’ for short), which it can put up as collateral for borrowing and yield farming.

Despite enabling new opportunities in DeFi, liquid staking has its drawbacks:

• The stake underlying a liquid token can be slashed due to network problems, or adversarial actions by the validators that have the custody of the stake. Such events that are beyond the control of the owner of the liquid token, can nevertheless reduce, and in the worst case, destroy the value of the token altogether.
• If liquid staking is handled by a smart contract, it can have bugs leading to the theft of the staked funds.
• The risks above might reflect in a price difference between the actual stake and the corresponding token. For instance, the price of stEth tokens offered by Lido has recently dropped as much as 8% of the Eth price due to market volatility and under-collateralization of the positions backed by stEth.
• Pooling of the stake deposited to large liquid staking services hurts the decentralization of the PoS chain, and reduces the sovereignty of the users over their funds. For instance, the largest liquid staking pool, Lido, holds 32.1% market share of all the staked Ethereum in the Ethereum beacon chain. This value is just below the 33% that would be sufficient for an adversary to double-spend or stall the chain. The risks such cartelization of stake implies for Ethereum continues to be a source of worry for the community.

Why Is the Unbonding Period So Long?

Risks of liquid staking underlines the importance of reducing the unbonding period itself rather than finding work-arounds for the liquidity problem. For this goal, we have to understand what purpose the unbonding period serves, and why it is so long in the first place. Thus, we first look into long range attacks, the reason why PoS chains such as Cosmos zones adopted long unbonding periods.

Long Range Attacks on Proof-of-Stake Chains

Figure 1: The canonical chain. Old validators are shown in dark green, and the new ones are shown in blue. Upon withdrawing their stake, the old, dark green, validators are replaced with the new, blue ones.

Figure 2: Long range attack on the canonical chain. After withdrawing their stake, old, dark green, validators, e.g., the founders of the chain, are corrupted by the adversary. They then build a conflicting chain that forks from the canonical chain at a past block. On the conflicting chain, they inaugurate a new, purple, set of validators that are under adversary’s controls. The two chains look equally valid to clients that observe the system at a later time.

Security of the Cosmos zones rely on their ability to hold protocol violators accountable, and slash their stake as punishment. For instance, if validators sign and finalize two conflicting blocks to cause confusion among the clients, they can be identified as protocol violators by showing the conflicting signatures as evidence, and can subsequently be slashed. However, once the validators unbond, i.e., withdraw their stake from the chain, they can no longer be punished for protocol violations. As a result, an adversary can incentivize these old validators to stage a long range attack (c.f. Figures 1 and 2). A prominent example of long range attacks is the founders’ attack described below.

Before the attack starts, founders of the chain, i.e., the initial validators, withdraw their stake. Then, using their old keys, they build a new chain that conflicts with the existing, canonical chain. The conflicting chain forks from the canonical chain at a past block, where the founders, i.e., the old validators, constituted a majority of the validator set (c.f. Figure 2). On the conflicting chain, these founders withdraw again, and transfer their voting power to new validators with different keys, that are in fact controlled by the adversary (which can be the founders themselves!). This enables the adversary to continue building on the conflicting chain after the supposed withdrawal of the founders.

Long range attacks pose a serious threat to security since they can confuse late-coming clients to adopt a chain different from the canonical one adopted by the earlier clients. Unfortunately, these attacks are inherent to PoS protocols, which suffer from the nothing-at-stake problem. This problem arises when the same stake can be used multiple times to produce multiple conflicting blocks, as is the case for a long range attack. In comparison, Proof-of-Work chains such as Bitcoin, are not vulnerable to nothing-at-stake or long range attacks since the attacker cannot use the ‘same’ computation to build multiple separate blocks.

Mitigating Long Range Attacks: Social Consensus?

For protection against long range attacks, many PoS chains ask new joining clients and validators to identify a checkpoint block on the canonical chain with the help of a trusted source. For example, the suggested sources for a bootstrapping Cosmos light client include trusted websites, Discord channels containing the list of checkpoint blocks, or the trusted peers used to download the client code. Upon receiving a checkpoint block, clients can safely ignore conflicting chains built by old validators (c.f. Figure 3).

The reliance of the clients on an external trusted source is called social consensus to emphasize the subjectivity of the process that identifies the canonical, correct chain. Indeed, different peers might easily disagree about the canonical chain as there is no ground truth for the ‘correctness’ of the chain, unlike in Bitcoin, which always selects the chain with the most computational work as the ‘correct’ chain.

Although social consensus is a first step towards mitigating long range attacks, it comes with its own problems:

• Social consensus does not specify how to identify the trusted peers. As these peers can be different for different validators, it is often difficult to quantify the trust placed on them.
• In the case of a public trust source such as a website, social consensus exposes a single point of failure to potential attackers. What if the website that lists checkpoints gets hacked?
• Social consensus introduces issues around transparency, and can lead to centralization of chain-wide decisions around strong players of the blockchain ecosystem.

How does the Unbonding Period Fit In All This?

Figure 3: New joining client asks its peers for weak subjectivity checkpoints (the blocks with the green checkmarks) on the canonical chain. Upon observing the checkpoints, client can distinguish the conflicting attack chain (bottom) from the canonical chain (top).

Among the drawbacks of social consensus, the most serious one is its dismal latency: It can take days or weeks for all the trusted peers to agree on a checkpoint. This is due to the subjective and social aspect of the agreement process. For instance, the peers might be communicating via Telegram (c.f. Figure 3), where agreements on the chain would take much longer than, for example, the confirmation latency of a consensus protocol. That is why the last checkpoint on the canonical chain in Figure 3 is much older than the tip of the chain.

If the old validators can withdraw and create a conflicting chain while social consensus is still ongoing, the peers that should serve as the trusted source might fail to agree on the checkpoints. That is indeed why many PoS chain including Cosmos zones impose long unbonding periods. A long unbonding period means that the old validators must wait until social consensus terminates and a block is checkpointed on the canonical chain, before they can take back their staked funds. This in turn prevents the malicious validators from confusing the clients, as the clients would immediately identify the conflicting, malicious chain (bottom chain in Figure 3) as the one without the checkpoints. Old validators of course have the option to build a conflicting chain before taking their stake back. However, their stake might get slashed in this case due to double-signatures, and makes this attack highly unlikely in practice.

Conclusion

Long unbonding period degrades the user experience and the liquidity in a PoS system. Although some unbonding period is necessary to mitigate long range attacks, its length would be much shorter if social consensus could make decisions faster. Thus, in the next post, we will look into whether we can achieve a shorter unbonding period by replacing social consensus with a faster source of trust.

[1] 13 days was calculated for 130,000 attesters with an average balance of 32 ETH to accurately model the targeted attester numbers of PoS Ethereum, using Table 1 in this weak subjectivity analysis.

[2] Algorand and Cardano use key-evolving signatures, thus under an honest majority assumption, they can theoretically enable instant unbonding of stake. However, key-evolving signatures require bonded validators to willingly forget their old signing keys. This is not incentive-compatible as there might be a strong incentive for the validators to remember the old keys in case they later become useful. For this reason, Algorand still uses social consensus for checkpointing besides key-evolving signatures.