Understanding Proof of Stake: The Nothing at Stake Theory

Ethereum is not the first protocol to attempt to use proof of stake (PoS) as a consensus method. Peercoin implemented PoS in 2013 and other projects implemented their own versions of PoS not too long after (PIVX, Reddcoin, etc.). These projects hoped that PoS would eliminate the problems associated with energy-intensive mining while maintaining the high levels of security and decentralization required of a cryptocurrency network.

The PoS community was enthusiastic about their new consensus method, but skeptics were quick to cite two theoretical security issues facing PoS: the long range attack problem and the nothing at stake problem. In this post, I describe the nothing at stake problem and then discuss how Ethereum’s Casper upgrade aims to resolve this problem.

What is the Stake in Proof of Stake?

When I first learned about proof of stake, I thought that “stake” referred to the security deposits that validators (aka PoS miners) had to submit before they were allowed to propose and validate blocks. This is true for Ethereum’s planned PoS upgrade, but the first blockchain projects implementing PoS did not require a security deposit.

In early versions of PoS, you only needed to own tokens in order to be eligible to be a validator (aka PoS miner). Holding tokens in your wallet was your stake. If validators attacked the network, nothing happened to their “staked” coins.

If No Security Deposit, Why Call It Stake?

So here is why they still call it stake. The idea was that if you owned a PoS network’s token, you had an interest in the success of that network. The more of the token you owned, the more you had “at stake” if the network was attacked. This is because, if the network was successfully attacked, the value of your tokens was likely to significantly drop.

Under this logic, it made sense to grant validation rights proportional to the amount of stake you had in the network. For instance, if your staked tokens represent 10% of all tokens that are collectively staked by validators, you can expect to propose and validate ~ 10% of all blocks. With 10% stake, you are allowed to have more influence over the network compared to people with less stake because, theoretically, you have more to lose if you disrupt the network.

The Nothing at Stake Theory

When PoS first appeared, a large part of the crypto community was unconvinced that merely owning a token was enough to disincentivize bad behavior. One of their major concerns was called the nothing at stake problem (which I will refer to as a theory from this point forward).

The nothing at stake theory is the assumption that in early versions of PoS, every validator will build on every fork when a fork takes place.

On the left, we see an ideal situation. Sometimes forks occur, but they are resolved quickly. On the right, every validator is building on both forks. People refer to this hypothetical problem as the nothing at stake problem.

There are two primary reasons why validators are expected to do this.

First, unlike in proof of work (PoW), it costs a validator nothing to validate transactions on multiple forks. It is computationally inexpensive to build on every fork because you no longer need PoW to create a block.

Second, validators are expected to build on every fork because it is theorized that it is in their financial self-interest to do so. If validators mine on both (or more) chains, they will collect transaction fees on whichever fork ends up winning. If validators stake on every fork, this will be disruptive to consensus at minimum and could leave the network more vulnerable to double spend attacks.

In PoW, the incentive to simultaneously mine on multiple chains does not exist. If a miner chooses to split their hash power (computational power) between two chains, it will not improve their chances of mining a block.
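The asymmetry described above can be put into numbers. The following is an added example, not code from the original post: a simplified expected-reward model that assumes a two-way fork where fork A wins with fixed probability p_a, a reward that only counts on the winning fork, and hypothetical function names throughout.

```python
def pos_expected_reward(stake_share, p_a, forks, reward=1.0):
    """PoS with no deposit: signing costs nothing, so the validator keeps its
    full share of block slots on every fork it builds on; only the winner pays."""
    win_prob = {"A": p_a, "B": 1.0 - p_a}
    return stake_share * reward * sum(win_prob[f] for f in set(forks))


def pow_expected_reward(hash_share, p_a, frac_on_a, reward=1.0):
    """PoW: hash power is a fixed budget, so work spent on A is not spent on B."""
    on_winner = p_a * frac_on_a + (1.0 - p_a) * (1.0 - frac_on_a)
    return hash_share * reward * on_winner


def best_pow_split(hash_share, p_a, steps=20):
    """Grid-search the fraction of hash power on fork A that maximises reward."""
    splits = [i / steps for i in range(steps + 1)]
    return max(splits, key=lambda x: pow_expected_reward(hash_share, p_a, x))


def compare(share=0.10, p_a=0.7):
    """Side-by-side strategies for a participant holding `share` of stake or hash power."""
    return {
        "pos_one_fork": pos_expected_reward(share, p_a, ["A"]),
        "pos_both_forks": pos_expected_reward(share, p_a, ["A", "B"]),
        "pow_all_on_a": pow_expected_reward(share, p_a, 1.0),
        "pow_even_split": pow_expected_reward(share, p_a, 0.5),
        "pow_best_split": best_pow_split(share, p_a),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>15}: {value:.3f}")
```

In this model the PoS validator always does better by building on both forks, while the PoW miner's best split is to put all hash power on the fork it expects to win.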

Strict Security Assumptions

It is important to highlight the fact that the nothing at stake theory takes extremely strict security assumptions into account. Here is a list of the security assumptions:

  1. It assumes that a validator will seek profit whenever there is an opportunity to do so, even if it is at the expense of the security or quality of the network. This is a standard (and smart) security assumption in the crypto world.
  2. It assumes that 0 validators will act altruistically (aka no validators will mine on only 1 chain at a time out of the goodness of their hearts).
  3. It assumes that validators went out of their way to either modify their validation software or download software that someone else modified. Standard validation software will not come with the ability to mine on all forks. This is because standard software comes with an internal logic for choosing a “true” fork when a fork occurs.

Attacks Enabled by this Theoretical Problem

The fear of the nothing at stake theory is not just that it might delay or complicate consensus; the primary fear is that it will enable cheaper attacks compared to proof of work. In PoW, an attacker needs 51% of the total hash power to attack the network, but in PoS it is suspected that it costs as little as purchasing 1% of the stake in the network.

Here is what the 1% attack is suspected to look like.

First, let’s assume that a fork has occurred and all validators are actively building on both forks. Veronica, our attacker, is interested in executing a double spend attack. She sends her crypto to an exchange in one fork (fork A) and to a public key she controls in the other fork (fork B). After enough time passes, the exchange accepts her deposit because it is recognizing fork A. Veronica then buys some Bitcoin with her deposit and quickly takes that Bitcoin off the exchange.

Now this is how she gets away with it.

She points her 1% staking power to fork B. Eventually she is selected to validate a block and builds only on fork B. Because everyone was building on both forks and there wasn’t a clear “longest chain,” the entire network now converges on (aka chooses) fork B.

Veronica has now successfully stolen Bitcoin off an exchange. The crypto she sent to the exchange has returned to a public key in her control and now she has some extra Bitcoin too.

A more realistic attack scenario

The previous attack scenario was dependent on the assumption that every validator would build on every fork when a fork took place. This is how our attacker was able to double spend with only a 1% stake in the network. In a more realistic scenario, it is safe to assume that there will be honest validators that refuse to build on forked chains.

If Veronica wanted to double spend in this scenario, she would either have to buy more stake in the network or bribe other validators to help her in the attack.

Is Nothing at Stake Really a Problem?

While reading through this, you might have thought that these scenarios felt like a stretch at times. I felt that too. After researching for any evidence or even mention of the nothing at stake problem actually occurring, I could not find anything.

Was this just a product of proof of work maximalism? Possibly.

Either way, Ethereum’s Casper aims to take the potential of the nothing at stake theory seriously. In order to reduce the likelihood that validators build on all forks, validators will be penalized by losing a portion or all of their security deposit. It seems likely that penalizing validators through security deposits will keep this theory an impossibility.
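To see how a deposit changes the outcome, here is an added example (not from the original post and not Casper's actual rules): it flags validators who signed two different blocks at the same height and settles rewards with and without slashing. The block records, deposit sizes and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records: (height, block_id, parent_id, proposer).
BLOCKS = [
    (100, "a100", "g099", "alice"),
    (101, "a101", "a100", "bob"),    # fork A
    (101, "b101", "a100", "bob"),    # fork B: bob signs a second block at height 101
    (102, "a102", "a101", "carol"),
    (102, "b102", "b101", "dave"),
    (103, "a103", "a102", "bob"),
]
DEPOSITS = {"alice": 32.0, "bob": 32.0, "carol": 32.0, "dave": 32.0}  # constructed


def find_equivocations(blocks):
    """Map (proposer, height) -> block ids for proposers who signed more than one block at a height."""
    signed = defaultdict(set)
    for height, block_id, _parent, proposer in blocks:
        signed[(proposer, height)].add(block_id)
    return {key: sorted(ids) for key, ids in signed.items() if len(ids) > 1}


def canonical_chain(blocks, tip):
    """Walk parent pointers from the winning tip back to the oldest known block."""
    by_id = {b[1]: b for b in blocks}
    chain = []
    while tip in by_id:
        chain.append(by_id[tip])
        tip = by_id[tip][2]
    return chain[::-1]


def settle(blocks, deposits, tip, reward=1.0, slash_fraction=1.0):
    """Net balance change per validator: rewards on the winning fork minus slashed deposit."""
    net = {v: 0.0 for v in deposits}
    for _height, _id, _parent, proposer in canonical_chain(blocks, tip):
        net[proposer] += reward
    # Slash each offending validator once, however many heights it equivocated at.
    for proposer in {p for p, _height in find_equivocations(blocks)}:
        net[proposer] -= slash_fraction * deposits[proposer]
    return net


if __name__ == "__main__":
    print(find_equivocations(BLOCKS))
    print("no deposit at risk:", settle(BLOCKS, DEPOSITS, "a103", slash_fraction=0.0))
    print("full slashing:     ", settle(BLOCKS, DEPOSITS, "a103", slash_fraction=1.0))
```

With nothing at risk, bob is paid on whichever fork wins; once the deposit can be slashed, the same behaviour leaves him with a net loss.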

Like what you read? Follow me on twitter @jmartinez_43
