Why Proof-of-Work Is Not Viable in the Long-Term

Michael Zochowski
Published in Logos Network
Feb 19, 2019

A literature review of the challenges facing Nakamoto Consensus.

Note: Proof-of-Work (PoW) and Proof-of-Stake (PoS) are not consensus algorithms but rather Sybil control mechanisms that are compatible with a variety of consensus algorithms. For the sake of simplicity, in this article we will stick with popular convention and use PoW as a synonym for Nakamoto Consensus and PoS as a synonym for staking coupled with consensus algorithms like PBFT.

The success of Bitcoin and its pioneering Nakamoto Consensus based on proof-of-work showed incontrovertibly that decentralized networks can work and accrue value for users and network stakeholders by solving key problems such as Sybil control and economic incentivization. Nevertheless, it has been plagued in recent years by performance issues and inefficiencies, even with only marginal real-world adoption. Simultaneously, newer consensus models that promise greater efficiency and effectiveness have emerged, challenging proof-of-work’s hegemony as the choice for decentralized consensus.

In the face of these alternatives gaining traction, Bitcoin maximalists have become increasingly entrenched and dogmatic in their views, to the exclusion of reasonable discourse and empirical and mathematical evidence that challenges their views. Nevertheless, there is a growing pile of results that suggest that proof-of-work is not viable in the long-term for a healthy, mature network. While it served a key role as a proof-of-concept, it is strictly inferior to newer systems across all important aspects — security, cost, efficiency, performance.

In this article, I summarize the key issues that proof-of-work faces, both currently and as the network matures. For the sake of accessibility, I will keep things high level but will reference papers or articles that give additional technical details and proofs.

I will also keep the focus on proof-of-work and its challenges rather than its competitors, but the comparison throughout (whether explicitly or implicitly) is to proof-of-stake. For a more detailed discussion of PoS, I refer the reader to the myriad papers and articles that mathematically show how PoS improves on PoW, such as the Logos white paper.

1. PoW has weak security compared to PoS and may be unstable at maturity

1a. PoW has poor economic/game theoretic security that results in instability

Any trustless network must answer two questions: (1) what is the Byzantine security level (e.g. the network is secure assuming an attacker holds less than 50% of power), and (2) what is the probability that this security level is actually met? Most projects answer (1), but (2) is just as critical. Distributed algorithm analysis gives us the Byzantine security level, but that alone is insufficient, because it raises the question: what is the probability that a validator becomes malicious? This is fundamentally a game theory question and can be answered via an analysis of the economic incentive system.

Nakamoto Consensus has a relatively weak economic model, and so incentive alignment for validators is quite poor. This is due to several reasons, including:

1. Inability to harshly penalize validators (as PoS can through slashing). Since mining is inherently anonymous and open, it is impossible to blacklist a malicious validator from participating in the network, and there is no way to confiscate their mining equipment as punishment for misbehaving.

2. Low correlation between the network value and the economic collateral of the validator. Mining equipment typically has a low “beta” (less than 1) to the value of the underlying network. While there is secular exposure, an attack on any particular network is unlikely to meaningfully impact the payout of a potential attacker. Ironically, the efforts of networks to thwart ASICs, which contribute to centralization (as discussed below), reduce this correlation to very low levels. Together with the lack of a direct penalization mechanism, this means that an attacker has only weak economic incentives to behave honestly.

3. High variance of validator payoffs. PoW has a lottery effect: either you get a big reward by chance (block rewards and transaction fees), or you get nothing. This variance in payout leads to unstable economic equilibria and perverse incentives.

4. Transaction finality is probabilistic, not guaranteed. After a transaction is included in a mined block, there is always a chance that a longer chain comes along and reverses the transaction, although this probability decreases as additional blocks are added.

These features lead to several known attack vectors and likely many more that are currently unknown that undermine the security and stability of the PoW system at maturity. Unfortunately, none of the root causes of these issues are correctable in PoW, which means that, even with increasing awareness of these attacks, there is no way to harden the system against most of them.

Original selfish miner attack:

The first major game theoretic attack that can compromise the long-term viability of PoW consensus is the selfish miner attack. Cornell researchers found that miners are economically incentivized to hide blocks they mine from the rest of the network to maximize their own payout. The idea is that only the selfish miner has the longest chain and so is advantaged in finding subsequent blocks; if another block is found on the old chain, the selfish miner can release their block and trigger a block race that they might win.

This has major implications for both network decentralization and security:

“We present an attack with which colluding miners obtain a revenue larger than their fair share. This attack can have significant consequences for Bitcoin: Rational miners will prefer to join the selfish miners, and the colluding group will increase in size until it becomes a majority. At this point, the Bitcoin system ceases to be a decentralized currency.”

By hiding their blocks from the rest of the network, the selfish miners also reduce the effective hash power of the network since other miners are mining a stale chain and not contributing to the security of the network. If every miner is selfish, then effective hash power will only be a small fraction of deployed hash power. None of this requires miners to be outright malicious, just economically rational!

Selfish miner attack is way worse than previously thought:

The original selfish miner paper proposed a modification to PoW that would eliminate the selfish miner attack for mining pools that control less than 25% of the hash rate. Nevertheless, subsequent research from Princeton found additional selfish miner problems that occur when transaction fees grow relatively larger than the block rewards. The paper outlines several deviant miner strategies that are economically rational, whereby miners undercut each other by promoting forks to capture large transaction fees:

“Bitcoin provides two incentives for miners: block rewards and transaction fees. The former accounts for the vast majority of miner revenues at the beginning of the system, but it is expected to transition to the latter as the block rewards dwindle. There has been an implicit belief that whether miners are paid by block rewards or transaction fees does not affect the security of the block chain. We show that this is not the case. Our key insight is that with only transaction fees, the variance of the block reward is very high due to the exponentially distributed block arrival time, and it becomes attractive to fork a “wealthy” block to “steal” the rewards therein. We show that this results in an equilibrium with undesirable properties for Bitcoin’s security and performance, and even non-equilibria in some circumstances. We also revisit selfish mining and show that it can be made profitable for a miner with an arbitrarily low hash power share, and who is arbitrarily poorly connected within the network.”

Thus, the economic equilibrium in a PoW network involves miners continuously undermining one another, leading to weaker network security and a centralization tendency. These perverse incentives are exacerbated at network maturity to the point that PoW networks will have seriously compromised security.

Hash renting minimizes the cost of a 51% attack:

These issues are made even worse by the growing ability of attackers to rent hash power rather than purchasing the equipment themselves. This means that the attacker’s exposure, however weak, to the correlation between mining equipment and network value, is eliminated. Combined with the tendency of miners to work against one another, resulting in lower effective network hash power, the cost of attacking a network via a 51% attack is much lower than typically thought.

Of course, as a whole, the owners of the mining equipment have some economic incentive to prevent such an attack. However, this is an economically irrational expectation in the absence of an enforcement mechanism (impossible in a pseudonymous, decentralized network) due to the free rider and Tragedy of the Commons phenomena. The dominant unilateral strategy of any single miner is to rent out their hash rate for a better return, resulting in a globally suboptimal Nash equilibrium.

Traditional security analysis of PoW assumes the attacker has fixed hash power, but, in reality, hash power can be acquired if economically rational. The resulting analysis shows that transaction security against a 51% attack is far weaker than typically assumed.

While the original Bitcoin white paper showed that the risk of a successful reorg attack for an attacker with less than 50% hash power declines exponentially with the number of blocks since validation, a recent BIS paper shows that the game theoretic risk of an attack from renting a majority of hash power declines only linearly and depends heavily on block fees/reward. This means that the required number of blocks for probabilistically secure transactions is much higher than anticipated, and oftentimes prohibitively long:

“Equation (8) documents the high cost of decentralised payment security. For example, say that Bitcoin users are on average prepared to pay transaction costs of 1%, that rented hash power is twice as expensive as the underlying price of equipment and electricity for honest miners, and that bitcoin would lose one third of its value after a successful attack. Then, the required waiting time is 50 blocks (over eight hours). But if the average transaction cost is 0.1%, the required waiting time is 500 blocks, ie around three and a half days! … If users wait for six blocks or fewer (about one hour), the required average transaction costs (as a percentage of the transaction amount) are about 8.3%!”

So the higher the transaction fee (or block reward), the better the security. Unfortunately, this has a perverse interaction with the selfish miner attacks, whereby miners’ incentive to undermine each other increases as miner fees increase!

Additionally, there is yet another free rider problem with how users decide on transaction fees that results, at equilibrium, in untenable finality times:

“The key result is that the fee set on a decentralised basis is much lower than the optimal fee, resulting in extreme waiting times… With the above example of an attacker disadvantage of 1/2, 1,000 transactions, and a cost of waiting of 1% per block, the optimal fee is set at 7.07% of the payment … (resulting [waiting time is] around seven blocks), while it is set at 1%/1000=0.001% in the decentralised game. The resulting waiting time is 50,000 blocks, equivalent to almost a year!”

The key implications of these attacks are: (1) unless the block reward dominates transaction fees (meaning inflation is high), economically rational miners will undermine network security; (2) unless miner rewards are very high (and transactions are very expensive), the wait time to finality will be prohibitive; and (3) proof-of-stake systems with proper incentive structures will very easily exceed the security level of Bitcoin/proof-of-work. All of these tradeoffs render PoW prohibitively limited for store-of-value, payments, and other use cases.

Empirical evidence of poor economic security: Successful 51% attacks

It is becoming increasingly easy to rent hash power to attack a PoW network, even in Bitcoin (less than $300k for a 1 hour attack). This has resulted in several successful 51% attacks over the past 18 months (and historically).

Victims include:

— Ethereum Classic

— Verge (attacked repeatedly)

— Bitcoin Gold

— Vertcoin

1b. PoW has an inherent inclination toward centralization

There are several strong factors that result in a heavy incentive to centralize in any proof-of-work consensus:

— High cost of mining and sensitivity to operating and input costs like electricity price lead to huge economies of scale. Geographic differences exacerbate this phenomenon.

— Validators are inherently in a race with one another, which has resulted in the development of specialized relay networks between cartels of miners.

— Selfish miner attacks incentivize economically rational miners to form large cartels that can undermine other miner groups.

— The lottery effect of miner rewards leads to high variance of payout, incentivizing miners to consolidate or form pools that are centrally directed. This idea can be quantified by noting that a miner’s risk adjusted returns (analogous to a Sharpe ratio) are monotonically increasing with share of mining power: x/sqrt(x*(1-x)), which simplifies to sqrt(x/(1-x)). This means that it is always better unilaterally to consolidate.

Economic analysis of these factors suggests that mining is a natural monopoly.

Centralization tendencies have proven to be empirically true in Bitcoin, Ethereum, and other proof-of-work networks, where large pools dominate hash power. This has been confirmed by academic researchers:

“Both Bitcoin and Ethereum mining are very centralized, with the top four miners in Bitcoin and the top three miners in Ethereum controlling more than 50% of the hash rate. The entire blockchain for both systems is determined by fewer than 20 mining entities. While traditional Byzantine quorum systems operate in a different model than Bitcoin and Ethereum, a Byzantine quorum system with 20 nodes would be more decentralized than Bitcoin or Ethereum with significantly fewer resource costs. Of course, the design of a quorum protocol that provides open participation, while fairly selecting 20 nodes to sequence transactions, is non-trivial.”¹

This practical centralization has led to substantial agency and governance problems, such as in the Bitcoin Cash/Bitcoin SV fork.

Ultimately, centralization carries a high risk for any decentralized network whose security relies on assumptions of good validator behavior. Even though miners (for the most part) have acted relatively benignly, they are entirely unregulated and far less trustworthy than traditional institutions. Replacing an established, regulated, public system with an unregulated, anonymous one where the miners can arbitrarily attack the system is a poor tradeoff. This is particularly an issue due to the lack of economic incentives in place to police behavior.

The factors that result in a centralized equilibrium in proof-of-work either do not exist or are substantially attenuated in proof-of-stake.

1c. Nakamoto Consensus is not fully Byzantine fault tolerant; even with modifications it can only provide probabilistic guarantees

A basic requirement of a trustless network is that it provides a sufficient level of Byzantine fault tolerance (BFT); otherwise, how can you trust a network with potentially malicious participants? It has been known for several years that vanilla Nakamoto Consensus (as used by Bitcoin) is not truly BFT, even probabilistically:

“It is easy to see that Validity cannot be guaranteed with overwhelming probability unless the hashing power of the adversary is negligible compared to the honest players, i.e., t/n is negligible. This is because in case the adversary finds a solution first, then every honest player will extend the adversary’s solution and switch to the adversarial input hence abandoning the original input. While one can still show that Validity can be ensured with non-zero probability (and thus the protocol fails gracefully assuming honest majority), [Nakamoto Consensus] falls short from providing a solution to BA [Byzantine Agreement].”

See also Wattenhofer, R. The Science of the Blockchain, which argues that Bitcoin’s security properties are quite weak.

It has been shown that Nakamoto Consensus can be modified to provide probabilistic BFT (albeit with a 33% BFT, rather than the oft-quoted 51%), but given the governance issues with Bitcoin, it seems unlikely that any attempt to make major changes to the protocol would succeed.

While Bitcoin has not suffered major double spend attacks yet (that we know of), relying on the benevolence of unregulated and low trust miners is an exceedingly poor security model. Who is to say they won’t attack the system going forward?

1d. Even ignoring the correlation issue, the economic power securing PoW is lower than in an equivalent PoS network

While Bitcoin appears to have a huge lead in economic security based purely on the value of the mining equipment behind it, in expectation an equivalently valued PoS network would have much more security, even ignoring any incentive alignments.

This is most easily seen from an investment lens. A validator on a PoW and PoS network both need to make an economic investment to gain validating power: mining equipment in the former, stake in the latter. The aggregate investment by the validators on the network must correspond to an economically efficient return on investment (ROI) for a given total validator reward (inflation + transaction fees), taking into account the costs of validation and risk (including variance of income).

PoS comes out ahead across all of these factors, thus ensuring that a PoS network will have more economic value securing the network than a PoW network, ceteris paribus. PoW has substantially higher costs because both its assets and the security they bought depreciate: as better miners are developed, the value of existing miners falls, and the electricity spent securing historical blocks also loses value (because it costs less to replicate that same work). Conversely, PoS stake does not depreciate per se (although it does have market exposure). PoW also has substantially higher income variance compared to a well-structured PoS network that eliminates the lottery effect present in PoW.

It is also relatively easy for a new staking-based network to bootstrap quickly to very high economic security and overcome the security advantage of Bitcoin. Specifically, the very existence of network value (and any subsequent accrual) confers security immediately without additional capex. In other words, mining hash power is definitively not a “killer feature”, as some claim.

Putting all these factors together in an example, let’s say a new network with PoS + slashing + classical non-probabilistic consensus is worth $100mm (at market price). It is plausible that validators could stake $30mm. If the network is tolerant of up to 1/3 malicious validators by stake, then the economic security of a particular transaction is $10mm. Conversely, as stated previously, a double spend in Bitcoin (by far the most valuable PoW network) could plausibly be achieved for well under $1mm by renting sufficient hash power for several hours. This is a 6,300x difference in security when normalizing for network value!

1e. Practical security issues: Simple Payment Verification

The vast majority of users on any network cannot be expected to run full nodes and maintain complete local copies of the entire network state. Instead, such users will rely on light wallets that connect to third-party full nodes and ask for updated network information. When the user receives a payment and wishes to confirm that it was processed correctly, they can ask the node for the latest chain and look for the transaction in the appropriate block. This is called simple payment verification (SPV).

While a full node does not need to trust its peers on the network (assuming non-pathological connectivity) because it is monitoring the blockchain in real time, an SPV user in a PoW network does need to trust that the full node did, in fact, send the longest chain and not some false fork. This can be mitigated by asking several nodes for the longest chain and calculating which has the most accumulated work. While the probability of successful duping decreases exponentially with the number of nodes queried (unless attackers have overloaded the user’s peer table, which is far easier in an SPV context than in a full node), verifying the work is an expensive process on limited hardware.

There has been some research into making this process more efficient (see, for example, proofs-of-proof-of-work), but the problem remains the same: unless you are running a full node, there is some trust required. This is a consequence of the unpredictability of who will add the next block to the chain and the probabilistic consensus. In a PoS context (when properly constructed), a recipient of a transaction can verify that the transaction is completely final and genuine with a simple certificate showing the appropriate validator signatures.² This problem cannot be fixed in PoW, only mitigated, while it can be solved in PoS.

2. Severely limited scalability

Note: here, using PoW and Nakamoto consensus interchangeably gets a bit awkward. There are some PoW-compatible consensus algorithms that mitigate some of the scalability issues with Nakamoto consensus, such as ByzCoin, SPECTRE, Prism, and Hybrid Consensus. Nevertheless, these systems all suffer from all the issues presented in the other sections and still have suboptimal performance due to using PoW, insofar as the resources used to compute PoW (which dominates overall computation) could otherwise be used for direct transaction validation. Nakamoto consensus networks like Bitcoin and Litecoin are the primary subjects of this section.

2a. Inherent mathematical limits on scalability due to block propagation before security guarantees break down

Proof-of-work has mathematical limits on scalability that are substantially lower than hardware limits. Specifically, the combination of block frequency and block size must be bounded to maintain security. This bounds throughput to low hundreds of TPS, far below requirements for many practical applications. These bounds cannot be avoided in proof-of-work, but they can in proof-of-stake. Attempts to increase capacity by decreasing the block time or increasing the block size very quickly become unintentional but serious threats to security.

The fact that PoW is inherently bound by architecture rather than hardware was first rigorously demonstrated mathematically by a consortium of researchers in 2016:

“We analyze how fundamental and circumstantial bottlenecks in Bitcoin limit the ability of its current peer-to-peer overlay network to support substantially higher throughputs and lower latencies. Our results suggest that reparameterization of block size and intervals should be viewed only as a first increment toward achieving next-generation, high-load blockchain protocols, and major advances will additionally require a basic rethinking of technical approaches.”

The basic idea is that security in PoW relies on as many miners as possible working on the longest chain. Otherwise, they will be working on competing or stale chains (i.e., forks of the true longest chain) and not contributing to the network security. This, in turn, limits the network throughput according to the speed at which data can propagate sufficiently through the peer-to-peer gossip network. Based on empirical observations of full node hardware and propagation speeds, it is possible to estimate reasonable limits on maximum safe throughput and latency:

“Observation 1 (Throughput limit) Given the current overlay network and today’s 10 minute average block interval, the block size should not exceed 4MB. A 4MB block size corresponds to a throughput of at most 27 transactions/sec.

Observation 2 (Latency limit) Given today’s overlay network, to retain at least 90% effective throughput and fully utilize the bandwidth of the network, the block interval should not be significantly smaller than 12s.”

These results were also nicely summarized in the bloxRoute whitepaper:

“An attempt to increase the block size (B) by a factor of 10, which would increase system capacity to ∼ 30 TPS, would increase the propagation time to t90th = 116 seconds. This in turn would increase the probability for a fork to occur to P(fork) = 17.58%, which is unacceptable for real-world usability. More importantly, it would increase the probability for a fork to remain unresolved for 6 blocks by a factor of 600,000, and users will have to wait for 14 blocks to be mined to maintain the same level of confidence. Scaling the system to ∼ 300 TPS, which is at least one order of magnitude too small for wide real-world adoption, would keep the blockchain at a continuous state of fork.”

2b. Nakamoto Consensus requires a strict synchronicity assumption that bounds performance

To ensure basic security properties such as consistency, Nakamoto consensus requires confirmation times to be proportional to a conservative upper bound on network delay. In practice, this upper bound must be large, substantially limiting potential performance.

Pass and Shi summarized the issues that this presents in practice (emphasis added):

“Remarkably, the famous Nakamoto blockchain (that underlies Bitcoin) also works only in the synchronous model where the protocol must know an a-priori upper bound of the network delay (henceforth denoted ∆). Otherwise, if a delay upper bound ∆ is unknown, Pass et al. show that Nakamoto blockchain’s security can be broken. Pass et al. also show that the expected block interval of Nakamoto’s blockchain must be set to be, roughly speaking, a constant factor larger than ∆ for consistency.

Relying [on] a synchronous model, however, can be undesirable in practice. Since the synchrony parameter ∆ must be set conservatively to leave a sufficient safety margin, in practice the actual network’s delay is typically much better than this pessimistic upper bound. Unfortunately, any protocol that must wait for at least one synchronous round (or one block interval) for transaction confirmation cannot benefit from the network’s actual performance.”

This strong synchronicity requirement is not only an issue with performance, but also with security. Gervais et al., for example, demonstrated several potential attack vectors related to the need for fast propagation of blocks in Bitcoin:

“We show that current scalability measures adopted by Bitcoin come at odds with the security of the system. More specifically, we show that an adversary can exploit these measures in order to effectively delay the propagation of transactions and blocks to specific nodes — without causing a network partitioning in the system. We show that this allows the adversary to easily mount Denial-of-Service attacks, considerably increase its mining advantage in the network, and double-spend transactions in spite of the current countermeasures adopted by Bitcoin.”

2c. Practical incompatibility with scaling layers like Lightning and Sharding

Given the impossibility of safely scaling the first layer, much excitement has been centered around second layers and payment channels like Lightning Network as a way of achieving scalability while using the first layer as primarily a settlement layer for opening and closing channels.

There are several fundamental issues with assuming Lightning and other second layers will be a silver bullet solution for all payments needs. These include channel drift towards merchants, centralization concerns, routing difficulties for non-trivial payment amounts, and lockups of value in channels for extended periods of time. While these solutions are very promising for some targeted use cases (e.g. micropayments), in general they are a very incomplete solution for general payments, including some of the most compelling use cases like point-of-sale.

Since this result is generally well established, it is more important to note that first layer scalability is required for even these narrow use cases from both practical and security perspectives. That is, higher-layer throughput is a function of first layer capacity, not independent as many assume, and claims of “infinite scalability” fail to recognize this reality. As such, Bitcoin/proof-of-work is not practically compatible with second layer scalability.

I explained these practical and theoretical issues of second layers in a PoW context, where the first layer cannot provide adequate supporting capacity, in a previous article, to which I refer readers for more detail.

First layer scalability solutions also present a challenge. Most notably, sharding has proven to be very difficult under the legacy crypto model (blockchain + proof-of-work consensus), and the outlook for viable sharding is bleak without drastic changes (e.g. proof-of-stake with a more sharding compatible data structure). Regardless, sharding can only safely scale a first layer 10–50x given statistical realities (despite claims to the contrary that assume the wrong statistical distribution), and thus is inadequate in and of itself.

3. Other Issues

3a. Energy inefficiency

The environmental issues with proof-of-work are well known. Less appreciated is the practical usability impact it has. By requiring a large amount of energy per transaction, the fee per transaction (either direct or indirect via inflation) must be high enough to make up for that real cost. Lowering the energy per transaction of course commensurately lowers the security of each transaction. This makes proof-of-work far less efficient than proof-of-stake.

A recent economic analysis contextualized this energy inefficiency (emphasis added):

“The Bitcoin network consumes at least 2.55 GW of electricity currently, and it could reach a consumption of 7.67 GW in the future, making it comparable with countries such as Ireland (3.1 GW) and Austria (8.2 GW). Additionally, economic models tell us that Bitcoin’s electricity consumption will gravitate toward the latter figure. A look at Bitcoin miner production estimates suggests that this figure could already be reached in 2018. With the Bitcoin network processing just 200,000 transactions per day, this means that the average electricity consumed per transaction equals at least 300 kWh, and could exceed 900 kWh per transaction by the end of 2018 … Bitcoin has a big problem, and it is growing fast.”

3b. Expense

The inefficiency of Bitcoin in terms of energy and other factors results in a significant cost: the average Bitcoin transaction costs about $25 in total validator reward. The bulk of this cost is paid indirectly via inflation, but it is a real cost nonetheless, as I discussed in a recent article. As many validators have recently halted their activity due to price declines, we can be pretty sure that the current cost is close to the marginal cost of validation, i.e. there is no economic rent paid to miners. This means that we would not expect substantially lower fees at a mature equilibrium.

This expense is prohibitive for the vast majority of potential use cases and severely limits the usability of Bitcoin or any other successful PoW network.

3c. Confirmation latency

PoW consensus is, by construction, probabilistic. That is, a transaction is not finalized when it is included in a block since there is always a chance that an alternative chain overtakes it. The rule of thumb in Bitcoin is to wait 6 blocks — waiting any less puts the recipient at serious risk of becoming a victim of a double spend attack. As stated previously, this analysis is faulty in that it assumes constant attacker power; more robust, game-theoretic analysis suggests that the appropriate waiting time (at a mature state of the network) is far longer.

Regardless, even at just 6 blocks, Bitcoin requires recipients to wait 1 hour for a transaction to be confirmed in expectation. Since accumulated hash power is linear in time, increasing the block time (as in Ethereum) does nothing to decrease the latency for a given security level.³
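As an added worked example (not code from the article), the catch-up probability from section 11 of the Bitcoin whitepaper, evaluated under the constant-attacker-power assumption the rule of thumb relies on, shows where "6 blocks" comes from and how fast the required wait grows once the attacker's hash share q is no longer small. The 0.1% risk target and the attacker shares are constructed inputs.

```python
import math

BLOCK_MINUTES = 10.0  # Bitcoin's target block interval


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker holding a constant fraction q of the hash
    power ever catches up from z blocks behind (Bitcoin whitepaper, section 11).
    This is the constant-attacker-power model the 6-block rule relies on."""
    if not 0.0 <= q < 1.0:
        raise ValueError("q must be in [0, 1)")
    if q >= 0.5:
        return 1.0  # a majority attacker eventually overtakes with certainty
    p = 1.0 - q
    lam = z * q / p  # expected attacker blocks while the honest chain mines z
    prob = 1.0
    poisson = math.exp(-lam)  # Poisson pmf at k = 0, advanced in the loop
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k
        # attacker has mined k blocks so far and must still close a gap of z - k
        prob -= poisson * (1.0 - (q / p) ** (z - k))
    return prob


def min_confirmations(q: float, max_risk: float, max_z: int = 2000):
    """Smallest confirmation count z whose catch-up probability is at most
    max_risk, or None if no such z exists within max_z blocks (q >= 0.5)."""
    for z in range(max_z + 1):
        if attacker_success_probability(q, z) <= max_risk:
            return z
    return None


def expected_wait_minutes(z: int, block_minutes: float = BLOCK_MINUTES) -> float:
    """Expected wall-clock wait for z confirmations at the given block interval."""
    return z * block_minutes


if __name__ == "__main__":
    # Constructed scenario: a recipient who tolerates at most a 0.1% double-spend
    # risk, facing attackers with increasing (e.g. rented) hash share.
    for q in (0.1, 0.3, 0.4):
        z = min_confirmations(q, 0.001)
        print(f"q={q:.2f}: wait {z} blocks (~{expected_wait_minutes(z):.0f} min); "
              f"risk after only 6 blocks = {attacker_success_probability(q, 6):.4f}")
```

The loop shows that the familiar figure of 5 to 6 confirmations only holds for a 10% attacker; at 30% the same risk target already needs 24 blocks, i.e. about four hours.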

While latency on the order of 15 minutes to 1 hour is fine in some contexts (wires, remittances, etc.), it is prohibitive in many practical payments contexts that could benefit the most from DLT. Furthermore, even for those use cases where such a wait time is acceptable, there is a potentially large cost of exposure to the volatility of Bitcoin or the network token, which cannot be reduced below this confirmation window.

Conclusion

While Bitcoin and proof-of-work have proven invaluable in bootstrapping the public’s understanding and acceptance of the concept of cryptocurrencies, they are critically hamstrung as the backbone of a viable, long-term solution.

There are serious security issues inherent in proof-of-work, and the traditional framework for parameterizing risks has proven to be woefully inadequate given increased understanding of the game theory of crypto networks. This is exacerbated by poor economic incentive alignment and the rise of a robust hash power market, both of which make it relatively inexpensive to pull off a 51% attack. Even in the absence of malice, the variance of miner incentives and the lack of a punishment mechanism make PoW unstable without significant, long-run inflation, calling into question its viability even just as a pure store of value. Other factors, such as centralization tendencies and the questionable mathematical basis of its Byzantine fault tolerance, further undermine security.

PoW also suffers from performance issues that are not correctable given our current understanding. The first layer is inherently limited by consensus rather than hardware at very low capacities of (generously) low hundreds of TPS or less, while first layer scaling solutions like sharding are largely incompatible with PoW. The limited capacity of the first layer in turn makes PoW networks unsuitable for second layers due to both practical and security considerations. Confirmation latency similarly is constrained at high levels of 15 minutes or more, without any way to meaningfully shorten it.

Finally, inefficiencies such as energy usage lead to high costs per transaction, even with relatively weak security.

Given the evidence, it is hard to conclude anything other than that Bitcoin and proof-of-work are not the long-term answer for the decentralized applications of tomorrow. An alternative solution that solves all of these issues is non-trivial to construct, but it is certainly possible. Currently, the most promising approach involves a proof-of-stake Sybil control mechanism coupled with a non-probabilistic, classical consensus algorithm and a strong economic incentive system that includes features like slashing and low reward variance. Such a system can dramatically improve capacity, reduce confirmation latency, and minimize fees, and it is compatible with additional scaling solutions like second layers and sharding.

Unfortunately, due to the value at stake, the crypto space has become increasingly ideological and loath to accept results that challenge established views. It is critical that participants and stakeholders move beyond tribalism and re-embrace the spirit of cooperative innovation that characterized the early days of crypto in order to deliver on the transformative potential that Bitcoin originally promised.

[1] This is what Logos achieves.

[2] For a concrete example, see the Logos white paper.

[3] Increasing the block time does not decrease expected wait time in minutes at a given security parameter, but it does decrease variance.
