Ethereum Proof of Stake FAQ (github.com/ethereum)
188 points by justinzollars on Aug 19, 2017 | 120 comments

Ethereum was supposed to have every feature under the sun from the start, proof-of-stake perhaps being the second most hyped. (Turing completeness being the clear first, which is problematic given the halting theorem and all that, so it's now rich statefulness instead.) And PoS is one of those ideas that most people looking at cryptocurrencies end up trying some variant of. PoW is obviously wasteful and it would be nice to improve on that. The problem is that it doesn't have the same properties PoW has, and those are hard to do without.

The problems are the basic ones, how to avoid colluding stakers, how to neuter the market for consumed stakes, how to deter chain splits. There is a constant flow of new coins that try various approaches, but the ones that have survived have all had to resort to some variant of checkpoints where a trusted third party decides on regular intervals which chain is valid. This has obvious implications for a supposedly trustless digital currency, where you don't really need that complicated blockchain anymore.

This Ethereum PoS FAQ is, much like other documentation from the Ethereum Foundation, quite dense, with most paragraphs introducing terms not seen elsewhere (economic finality? slashing? weak subjectivity?). If you want the interesting bit, the TL;DR, then skip to the part about weak subjectivity. Read it, and then read it again and bear in mind how other coins solved this problem.

Tell me I'm wrong, but I think this bit, with the key part being that the node "authenticate out of band", involves a certain third party with a Very Important Key. In which case the rest of the theory in the document doesn't matter much, does it?

I'm in total agreement about the dangers here. It seems absolutely insane to institute these kinds of untested changes on a production system. These belong in some other coin, not Ethereum.

Furthermore it's insane that miners are just going along with this plan. They think since they hold Ethereum now that they will receive greater future rewards - but this is literally a parable that we warn our children about - "The Goose That Laid The Golden Eggs".

If these changes were simply switched on then they would have absolutely no chance of standing, there would be an immense backlash. VB is exploiting social-engineering to push these changes with the whole "Ice Age" scheme. Gotta boil that frog slowly.

Proof of Stake was part of the original plan for Ethereum. Everyone knew going in that it would transition to it. The entire development team, not just Vitalik, has agreed to use ice ages to encourage the entire community to hard fork, to prevent orphan chains from emerging every time one of these planned changes is implemented.

It's unfair and inaccurate to describe the execution of a long-established plan that has been part of Ethereum since the beginning as some sort of nefarious plot being pushed through using manipulation.

Does it really make sense to push an untested, highly criticized, and drastically different security architecture onto a live $20 billion system? Especially from a team that has a history of borking updates (Spurious Dragon)?

If there was an ounce of sanity here you'd at least have a 12 month trial period in an altcoin to iron out the kinks.

Ethereum is the testing ground for Ethereum Classic ;)

Ethereum is not the first coin to use PoS.

...and other coins using it have run into severe problems. For example, Peercoin had to add a system of centrally managed checkpoints to avoid nothing at stake attacks: https://github.com/peercoin/peercoin/blob/fbc81b380221e55c94...

The assumption is that social consensus works but is slow, so can be effective for determining which coins were deposited for staking three months in the past, since the social consensus process would have had three months to arrive at that determination.

Individuals would likely use different means of arriving at this consensus, from public forums, to having personal lists of trusted nodes that their node polls, to referring to well known public blockchain explorers. And of course, if their own node was online three months ago, it wouldn't have to trust anyone.

Social consensus is vulnerable to the formation of factions, and only works when everyone is actually united. As we've seen from the 2-party US political system to the bch/segwit/segwit2x factions of Bitcoin, achieving social consensus around something is rare.

I personally would not want to use social consensus to determine the result of chain turbulence caused by a weakness in the consensus code. If we are going to fall back on social strategies, haven't we forgone the biggest advantage of blockchain in the first place? (the ability to know the state of consensus without needing to trust anyone)

Here is the irony in blockchain and computerized value systems in general: value is a collective social phenomenon. There is no way to avoid social consensus when creating a value exchange system between participants. In Bitcoin, it's the people who have the biggest computational power who decide what happens. In proof-of-stake, it's the people with the most money who decide what happens. In the latter, you might as well just argue that every country's government be set up as a trusted validator proportional to their population instead of Ethereum early adopters.

Cryptocurrencies are a platform attempting to solve the very human issue that value transfer systems are social and emotional. The original concept with Bitcoin was that your money could go from A -> B and no one could stop it -- except for those people who can actually stop it because they have vast amounts of network influence for whatever reason. Notwithstanding, even if you have millions of dollars in cryptocurrency, if someone really wants it badly enough they can probably hit you with a wrench until you reveal your keys. The only thing stopping this is a strong system of property law enforced by someone capable of physically removing you from the rest of society if they deem you to be in violation of social pacts.

The only major advantage offered by cryptocurrencies is that at least you can know the numbers appearing in your bank account aren't completely made up by a bureaucrat in an office somewhere. Regardless of your feelings about fiat, you can generally rest assured of this if you buy equities, which are well tracked and actually represent a corporeal stake in some company. So, aside from being a geeky toy and new market for gambling, where has cryptocurrency actually succeeded?

There's a significant difference between the social consensus you use to pick Bitcoin and the social consensus that you use to resolve a proof of stake fork. With Bitcoin, you choose it once and then it's stable forever.

With Ethereum's social consensus, you have to re-choose your platform every time someone creates an alternate history. It's an ongoing process which can cause a lot of confusion and disruption in the future. It's a lot worse than a system you can be confident will not change once you have gotten set up.

The value of Bitcoin is that it is very difficult to manipulate. In this, we have already seen it succeed repeatedly. The inflation is the same, legacy nodes all still work, nobody has ever invalidated addresses or taken money they didn't have the keys to.

Yes, with bitcoin you lose your money if someone can find you and decides to hit you with a wrench repeatedly, and then somehow they get away without conviction of assault. In PayPal, you can lose access to your account simply because some low salary moderator flagged your account as violating their restrictive terms of service.

Just because bitcoin hasn't solved the problem entirely doesn't mean that it's not a big step forward. It's a big step forward!

> There's a significant difference between the social consensus you use to pick Bitcoin and the social consensus that you use to resolve a proof of stake fork. With Bitcoin, you choose it once and then it's stable forever.

A government with sufficient means can freely create a new history for Bitcoin and make that history canon. The work in blocks originating earlier in the chain is exponentially less than the blocks succeeding it.

>The value of Bitcoin is that it is very difficult to manipulate. In this, we have already seen it succeed repeatedly. The inflation is the same, legacy nodes all still work, nobody has ever invalidated addresses or taken money they didn't have the keys to.

The value of Bitcoin is whatever people believe it's worth. Control of the hashing power is trivial, and actually free, for the government of China. All they have to do is march their army into the mining warehouses and seize the means of production. Then there's nothing to stop Bitcoin from becoming the PBOCoin, with blacklists, inflation, and so on.

You could argue that, "Wait, it has the most work but it's not the valid chain! People elsewhere will continue the original chain." Okay, so which is the real chain? The answer is: whatever people believe is the real chain! And it comes back to being 100% established socially and emotionally by human beings.

Fun history of Bitcoin/cryptocurrency forks: 1. Value overflow bug in Bitcoin creates two Bitcoin chains, one with a person with 2 billion Bitcoins and one without. Which chain is the real Bitcoin chain? This is the first incident where 'the code is the contract except when no wait it's not'. 2. Berkeley DB bug makes two Bitcoins, just pick one and roll with it. 3. Ethereum DAO bug fiasco inadvertently creates two socially constructed versions of Ethereum, Ethereum Spicy Rollback Edition and Ethereum Classic. Which is the real Ethereum? 4. Bitcoin people can't agree with one another on anything, so one group of Bitcoin people make 8 MB Malleable Cash Bitcoin and another group makes Segwit2X Bitcoin, but some other people don't agree with the 2X part so maybe they'll make Segwit-not-2x Bitcoin too.

Which is the 'real' cryptocurrency that merits 2000 cheeseburgers of purchasing power today? Why, whatever we believe it to be!

> With Ethereum's social consensus, you have to re-choose your platform every time someone creates an alternate history.

IIUC to get to the "every time" you're talking about just once, more money would need to be invested by attackers than it would cost to 51% attack bitcoin.

Miners and stakers are bound by the protocol. Their power to "decide what happens" is limited to the ordering of transactions, a subset of which is censoring them. Ordering transactions may sound trivial, but it is what gives the network resistance against double spends.

It is not in their power to affect consensus rules such as making money out of thin air or stealing other people's money. In that sense Bitcoin and many other cryptocurrency systems are trustless.

It is tempting to trivialize the creation of value in Bitcoin, but there are many diverse interests with an economic incentive to keep each other in check.

Virtually all of these currencies are very vulnerable to what's called a "Sybil attack." Bitcoin is no different [1].

Of course, to economists the concept of a "Sybil attack" is nonsense. Imagine if tomorrow the US Congress voted to give every citizen a billion dollars. Would this be a Sybil attack on the US dollar? Or would it be democracy at work? There's no difference. At the end of the day the majority (of the authority) sets the rules and does literally decide what happens.

[1] https://en.bitcoin.it/wiki/Weaknesses#Sybil_attack

It is easy to create a cryptocurrency that is not vulnerable to sybil attacks; define a central authority. The source of the sybil weakness is not being a cryptocurrency, but rather being a peer-to-peer system.

A central authority isn't really required (depending on your definition of "central authority"), just a connection to at least one semi-trusted node. For example, Blockstream Satellite.

What you're saying is absolutely nothing new. There's a lot of FUD and confusion in this thread (no surprise) but this has been apparent from the very beginning. "A Proof of Stake Design Philosophy" [1] makes the essential nature of cryptoeconomics very clear. In short: (a) all currencies are social phenomena (b) all the fancy math does is replace the "men with guns" that protect physical currencies -- that is, currencies must be economically defensible and (c) what actually gives real-world currencies their value is the presence of a tax authority who creates the currency and then demands it back at some later point [2]. PoS creates an absolute demand for the currency; it is nothing more than a formalization of currency power.

> So, aside from being a geeky toy and new market for gambling, where has cryptocurrency actually succeeded?

A better question is -- why are there so many currencies to begin with? Why isn't there a single currency that everybody uses?

Once you understand the answer to this question the value of cryptocurrencies become clear. You said it yourself: currency is inherently a contextual and social value construct. Different communities have different values. Communities that develop currency power will always triumph over communities that don't because they can collaborate more effectively. Currencies don't "succeed," communities succeed -- and they do this partly by leveraging currency power. The answer to your question is right in front of you but you just don't want to see it: the cryptocurrency development communities themselves are already wildly successful and have demonstrated the ability to raise enormous funds and collaborate effectively.

[1] https://medium.com/@VitalikButerin/a-proof-of-stake-design-p...

[2] https://www.youtube.com/watch?v=boHE_dR159k

> A better question is -- why are there so many currencies to begin with? Why isn't there a single currency that everybody uses?

Groups of people live in bordered countries and like to have their own currencies for their own countries. There is, it's the United States Dollar. Why everyone uses USD, either directly or as a metric, is outside of the scope of this discussion.

Your argument about communities is where this all falls apart -- as I already stated, at some level you need the threat of violence to enforce the property rights necessary for any kind of personal wealth to flourish. Cryptocurrency doesn't solve this issue, or even approach it. It just creates a new virtual asset, backed by nothing and valued by faith, on top of an established system of community and law.

Social consensus's suitability depends on the use-case. For example, social consensus is used to determine 'what is Bitcoin', and works pretty well for that use (the BCH hard fork notwithstanding).

For determining the state of the blockchain at some point in the past, it is probably effective, because the fact unambiguously revealed itself at some point in the past.

The trusted sources can even be Trusted Execution Environments that automatically output the state at t minus 3 months. There is very little room for factionalism, given that deviating from the truth is so obvious when the whole interested world could see the objective truth three months prior and would have trusted sources they can rely on to relay that fact to them.

The problem is that with social consensus you can argue for the way that it should have been in addition to arguing about the way that it was. This is exactly what happened with the DAO. Socially, the Ethereum community decided that the DAO attack should not have happened, so they made a new client that required everyone to upgrade, and then they altered history that had actually happened.

This of course resulted in two factions, one that disagreed with the change and one that agreed with the change.

If you are using Ethereum and your client complains that there are two valid histories and then asks you to use social consensus to pick the 'true' history, do you feel confident in the platform? Especially if you know that you have thousands of millions of dollars that you wanted to put into the system.

Agreeing to use social consensus to enforce the protocol doesn't give a green light to using it to change the protocol. As the DAO and the BCH hard fork showed, having an objective proof of work consensus protocol doesn't protect the blockchain from a social consensus to change the protocol.

That being said, depending on social consensus to determine what happened could make it more likely that a faction will use it to determine what should have happened. I personally don't think it will make it very likely, given the inertia of the original chain, but we'll see.

Not taking away from your comment because what you describe could have happened but the DAO hard-fork didn't alter history.

Yes it did. In the unaltered version of events the attacker got away with what would be worth almost a billion dollars today.

It didn't alter history. No transactions were reverted. It changed the rules by moving ETH from the attacker-owned contract address to a new contract address from which DAO investors could withdraw their funds. You might say that's semantics but in this technical context it's important, had the HF suggested altering history it would have gained less support IMO.

I don't know much about Ethereum, but I don't see what problem there is with respect to Turing completeness and the halting problem.

My understanding was that programs are limited to a finite number of steps in the Ethereum virtual machine.

The halting problem in essence states that no algorithm can exist which determines whether or not a given algorithm will terminate given some input.

Ethereum makes the assumption that given a user-defined algorithm and a user-defined input, that within the limitations of the EVM whether or not the algorithm will halt can be determined. We know that this can not be the case due to the halting problem. It may always be possible for there to be an implementation-specific EVM escape which could result in a catastrophic failure and loss of Ethereum for the end user.

If my memory serves me well, every step of any program in Ethereum will consume some 'ether' from a predefined stash, that is, someone has paid to run the program. As soon as the ether runs out, the program can not and will not continue.

This hack sidesteps the halting problem entirely. Now, we can not know if a program can halt with theoretically unlimited ether, but as there's no unlimited ether, all programs will halt.

Correct. "Gas" (some amount of Eth set aside for fees) covers the cost of running the contract, so you're free to run a non-halting program - the EVM will happily accept however much gas you set aside and continue chugging along.

This isn't the first time PoS has been used to secure a coin, either. (With the number of altcoins out there that's not even surprising). Eth shifting to it would just represent the first major coin to use it.

> Ethereum makes the assumption that given a user-defined algorithm and a user-defined input, that within the limitations of the EVM whether or not the algorithm will halt can be determined.

No, it does not make that assumption. It simply limits the algorithm to a finite number of steps (opcodes in EVM) based on the amount of ether that was paid for.

Imagine an actual Turing machine - a symbol based ticker tape. Each operation of the machine is one step. You can run it for a given number of cycles and stop without knowing or needing to know whether the algorithm expressed through the Turing machine will halt or not.

See this explanation of what "gas" is on the ethereum network: https://ethereum.stackexchange.com/questions/3/what-is-meant...

So is Ethereum's VM simply not Turing complete, then? :) Since by its nature it can not possibly compute every Turing-computable function. If so, why was it even advertised as such?

edit: Haha okay, so I guess I'm not the only person who stumbled on this.

Ethereum's VM is computationally universal, aka Turing complete. You can compute any function.

I'd be happy to help clarify these concepts if I can, but I don't understand what you see as the tension between the halting problem and Ethereum.

Imagine that I run a processor for a certain amount of time, like 10 seconds. We start a stopwatch when we begin executing an algorithm, and then we pause the processor after 10 seconds pass. The processor performs a fixed number of operations each second, e.g., a 1 MHz processor does a million instructions.

If we decide to run a program and stop it after 10 seconds or 10 million instructions, that has no bearing on whether the processor's computational model (or a VM simulating the processor) is Turing complete. Deciding to stop the processor after 10 seconds is an analogy for an Ethereum transaction with "gas" for 10 million instructions.

If you wish, you can think of it as an "external" force stopping the computation.

The talk that you linked claims that Ethereum isn't Turing complete, but that talk is either: wrong, making a nonsensical distinction, or making an extremely nitpicky distinction (depending on how you want to look at it). By the talk's reasoning, a general personal computer is not Turing complete either. The Turing model specifies a machine with infinite tape, so by the standard of the talk, no machines that humanity has ever made are Turing machines, and none of their execution models are Turing complete, because all of our machines have bounded memory. For similar reasons, the fact that Ethereum executes transactions with a bounded number of computations doesn't influence whether it is Turing complete in a useful sense of the term.

If this hasn't clarified things, then I'd suggest articulating the reason why you think the halting problem matters for Ethereum. The halting problem states that one cannot design an algorithm that determines whether all other algorithms will halt or not. So what? Ethereum does not depend on the existence of such an algorithm. Ethereum doesn't try to predict or analyze whether a program will halt - it simply runs the program and finds out! Since these programs are executed for a finite number of steps, then we know that all programs will halt, either by choosing to halt, or by exhausting their number of allowed steps.

The reason I say that it's wrong that "Ethereum is not Turing complete" is because the amount of "gas" for a transaction, and therefore the number of allowed steps, is arbitrary. You pay for gas when submitting a transaction, and so you can supply as much gas as is needed for any program that you wish to run. Because the user chooses how large the fixed bound is (and pays for it), Ethereum is Turing complete in a practical sense. If you make a mistake and submit a transaction with insufficient gas, then you can try again with a larger amount of gas. Most of the time, you can probably simulate the program yourself locally to determine how much gas it requires ... or you can just provide far more gas than the program is likely to need, since excess gas is returned.
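To make the gas argument in the comments above concrete, here is an added example (not from this thread and not code from any Ethereum client) of a toy gas-metered stack machine. The opcode set and the per-opcode gas costs are constructed for illustration and are not the EVM's real fee schedule; what it shares with the EVM is the behaviour: an out-of-gas failure consumes all supplied gas, a program that finishes refunds the unused remainder, and a local dry run can estimate how much gas a program needs.

```python
"""Toy gas-metered interpreter showing why a gas bound sidesteps the halting problem.

Constructed example: opcodes and costs are made up for illustration, not the EVM's.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed gas cost per opcode (NOT the real EVM fee schedule).
GAS_COST = {"PUSH": 3, "ADD": 3, "SUB": 3, "DUP": 3, "JUMP": 8, "JUMPI": 10,
            "STOP": 0, "RETURN": 0}

Program = List[Tuple[str, Optional[int]]]


@dataclass
class Result:
    halted: bool                # True if the program reached STOP/RETURN or fell off the end
    gas_used: int               # gas charged to the sender
    gas_refunded: int           # unused gas handed back (0 on out-of-gas)
    return_value: Optional[int]
    steps: int                  # opcodes actually executed


def execute(program: Program, gas_limit: int) -> Result:
    """Run `program` with at most `gas_limit` gas.

    The interpreter never asks whether the program halts; it just runs it and
    charges each opcode. If the next opcode costs more than is left, execution
    stops, the whole gas_limit is consumed and (as in the EVM) state would be
    reverted. Thus every invocation terminates, whatever the program does.
    """
    stack: List[int] = []
    pc, gas, steps = 0, gas_limit, 0
    while pc < len(program):
        op, arg = program[pc]
        cost = GAS_COST[op]                 # unknown opcode -> KeyError (invalid program)
        if cost > gas:
            return Result(False, gas_limit, 0, None, steps)   # out of gas
        gas -= cost
        steps += 1
        if op == "PUSH":
            stack.append(arg)
            pc += 1
        elif op in ("ADD", "SUB"):
            b, a = stack.pop(), stack.pop()
            stack.append(a + b if op == "ADD" else a - b)
            pc += 1
        elif op == "DUP":
            stack.append(stack[-1])
            pc += 1
        elif op == "JUMP":
            pc = stack.pop()
        elif op == "JUMPI":                 # pops destination, then condition
            dest, cond = stack.pop(), stack.pop()
            pc = dest if cond != 0 else pc + 1
        elif op == "STOP":
            break
        elif op == "RETURN":
            return Result(True, gas_limit - gas, gas, stack.pop(), steps)
    return Result(True, gas_limit - gas, gas, None, steps)


def estimate_gas(program: Program, ceiling: int = 1_000_000) -> Optional[int]:
    """Local dry run with a large ceiling, the way a user can simulate a
    transaction before submitting it. Returns None if the program does not
    finish within the ceiling (it may loop forever; we cannot tell)."""
    r = execute(program, ceiling)
    return r.gas_used if r.halted else None


# A program that never halts on its own: PUSH 0; JUMP 0; PUSH 0; JUMP 0; ...
INFINITE_LOOP: Program = [("PUSH", 0), ("JUMP", None)]


def countdown(n: int) -> Program:
    """Loop n times then RETURN 0; each iteration costs a fixed amount of gas."""
    return [
        ("PUSH", n),       # 0: counter
        ("DUP", None),     # 1: [n, n]
        ("PUSH", 5),       # 2: [n, n, 5]  jump target = body
        ("JUMPI", None),   # 3: if n != 0 goto 5
        ("RETURN", None),  # 4: counter is 0 here -> return 0
        ("PUSH", 1),       # 5: [n, 1]
        ("SUB", None),     # 6: [n-1]
        ("PUSH", 1),       # 7: [n-1, 1]
        ("JUMP", None),    # 8: back to 1
    ]


if __name__ == "__main__":
    print(execute(INFINITE_LOOP, 100))   # halted=False, gas_used=100: the loop is cut off
    print(execute(countdown(3), 200))    # halted=True, 118 gas used, 82 refunded
    print(execute(countdown(3), 100))    # too little gas for 3 iterations: out of gas
    print(estimate_gas(countdown(3)), estimate_gas(INFINITE_LOOP))   # 118 None
```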

It can, if you have the funds ;)

> PoW is obviously wasteful and it would be nice to improve on that.

PoW is only wasteful if either a) you consider distributed consensus worthless or b) there’s a cheaper way to achieve the same result. I think we all agree that distributed consensus is not worthless, and you spend the rest of your post arguing that there is currently no known way to achieve the same result while consuming fewer resources. So how can we say it’s wasteful?

In many areas of work, human beings spend time and energy to produce valuable information, which they later sell (that’s what consultants do, basically). A proof of work spent is also valuable information, because it can be used to prevent double spending, and miners sell these proofs in exchange for bitcoins.

If consultants spend a month on producing information that is later sold at a price that exceeds what they spent on producing it, we say they have provided value. I would argue that, likewise, when a miner spends a day to produce information that is later sold at a profit (in bitcoins), it has provided value to the market — otherwise there’d be no one willing to pay for this information.

The assumption that PoW is wasteful is one with an ideological basis that comes from a lack of understanding of the purpose PoW serves, and I suggest you read the Satoshi white paper.

Ethereum uses a lot of handwaving to justify what is ultimately a pump program to make insiders and large ETH holders richer.

> The assumption that PoW is wasteful is one with an ideological basis that comes from a lack of understanding of the purpose PoW serves

I agree with this, but I think the real problem with PoW is the mining pools centralizing. People seem to think the recent swift soft fork is something to be celebrated, but I think it's kind of scary how swift it was. It just means that the mining pools are so centralized that the transition was so easy.

Then again, this is something even PoS will probably suffer from.

There's no disputing power bills.

> Turing completeness being the clear first, which is problematic given the halting theorem and all that, so it's now rich statefullness instead

Um, pretty sure it was a solved problem from the start? You could always submit a non halting contract, it'd just burn through your gas and stop.

Every coin has some level of weak subjectivity, since you have to go out of band to know what software to run.

Just for an other-side perspective, people that enjoy this might enjoy my technical deep dive into PoSv3: http://earlz.net/view/2017/07/27/1904/the-missing-explanatio...

It is a much older implementation that works on Bitcoin's UTXO model (rather than the account model in Ethereum) and without smart contracts. It doesn't have a solution to the nothing at stake long-term attack, but it thwarts all known short-term attacks. Personally, CASPER's solution to the nothing at stake problem is concerning. In an ideal world, it is ideal, but in a more practical world, I can definitely foresee someone doing something wrong or making a mistake (either developer bugs, or a consumer running two wallets, etc), unintentionally making a block on another chain, and losing their $1M worth of ETH as a result. It only takes that happening once, maybe twice, to get people to think twice about staking, and when fewer people are staking with fewer coins, the network is much easier to attack.

(disclaimer: I work on a blockchain project that is somewhat a competitor to Ethereum)

In every interaction with a blockchain, users have the chance to lose all of their funds. User error with regular transactions is a far more likely issue than anything else (though there is no denying the importance of the validator code being written well).

Also, running two wallets would not cause one to lose money. Running two instances of the validator code might - but why anyone would do that is unclear.

Does your project use PoS? Aside from the linked article, what PoS proposal has the best chance of solving the practical problems you mention?

Edit: It looks like your post was edited to answer the second question. I'll check it out.

I am curious why people don't talk much about the "rich get richer" aspect of proof of stake. Most say "proof of work is also a rich-get-richer scheme" to justify this, but in my opinion they are completely different, because proof of work involves efforts that exist in the atom world (need to buy all the mining pools) whereas proof of stake involves purely digital efforts, therefore the scale can be completely different.

Am I missing something? Or is this people just being optimistic?

I don't see this as a problem, because proof of stake must compete with other mechanisms to convert time*capital into more capital, and it has diminishing returns. If PoS has higher risk-adjusted returns than other investments, it will become more crowded until this is no longer the case.

PoS provides real value - the maintenance of a blockchain - so it makes sense to reward the capital required for such maintenance accordingly.

If the coin supply is inflated at some % of current account balance, or old coins decay then large PoS holders are incentivized to reinvest into the economy.

Only online nodes provide value to blockchains. In a PoS blockchain an online node with 100,000 credits is generating equal value to a node with .03 credits.

I don't buy the idea that all votes in PoS should be considered with equal weight. Otherwise it seems pretty easy to DoS the network with a ton of low-weight votes, get 51% of the network, and do whatever you want.

The capital-weighted PoS system prevents this because if you want 51% of the network to be able to do abusive things, you have to risk devaluing your enormous PoS investment by destroying trust in the Ethereum network.

I don't understand your first point, could you clarify?

> if you want 51% of the network to be able to do abusive things, you have to risk devaluing your enormous PoS investment by destroying trust in the Ethereum network.

I have a hypothetical scenario I'm curious about. Let's say the Bitcoin network becomes so valuable that a huge chunk of the world economy depends on it, believing that it can't be manipulated. Most people would rather play nice with this than sabotage the network, but since the whole point of this consensus mechanism is assuming the worst case, let's say there's an entity (it could be a terrorist group or a nation) whose interest is to mess this up regardless of how much money they lose as a consequence.

This is an unlikely event but I think it's possible in some special cases that we can't foresee at the moment (just like nobody could predict that people would come up with ASICs for mining, or that people would form a pool to mine things). The only condition required is:

1. Get a hold of enough money to terrorize the network

2. Be at a position where you indirectly can gain more by losing all your money that's worth 51% of the network.

In this case, this entity can decide to attack the network without any consequences due to the pseudonymous nature of the blockchain. People will see this happen in daylight but won't be able to easily figure out who this was if this was based on proof of stake, because all you need to do this is to secure your fund in the bitcoin network.

However, if Bitcoin was using proof of work, you would have to buy a whole bunch of mining rigs (or build them yourself in some secret bunker), which is much more traceable than if you simply used money for this terrorism.

I'm not making up some convoluted scenario just to troll, I'm genuinely curious how this will work out and hope to be proven wrong because I also want to live in a world where proof of stake works.

I think what would happen in your scenario is this:

1. The terrorists use their 51% stake to interfere with the network.

2. People begin to notice that their transactions aren't going through as expected.

3. Some panic and try to pull out.

4. The price drops due to the rising supply.

5. The resulting feedback loop causes a crash.

6. The uncooperative nodes are identified.

7. The blockchain is forked to revoke the stake of those nodes.

8. Business continues as usual.

The only way I see the terrorists cause any long term damage is if they buy when the price is lowest and then repeat their attack. (Assuming balances aren't reset to pre-crash levels.) If it happens often enough, that would certainly erode the trust people place in the currency. On the other hand, if balances aren't reset, the second crash would be much less severe, since nobody will want to lose money selling when the price is down.

Essentially, no proof-of-X scheme can ensure that malicious interference doesn't happen, but it can make it costly enough that it happens only rarely. Then the occasional event can be handled manually (see also the DAO hack).

Interesting. As no technology is perfect, and people come up with clever hacking schemes for desktop computers to this day, I think the more valuable the network becomes, the more frequent this type of attack will be.

Do you think they will keep forking whenever major events like this happen? I worry that a couple of these attacks will be enough to drain all the trust from the network. Ethereum may have saved itself once by forking but a lot of people think this is not sustainable and think a couple more of these and people will leave.

DDoS'ing mining power would be more effective. You don't need to outcompete miners, just ensure they are slowed in their ability to push blocks to the network.

I'm not talking about effectiveness. I also think it's more effective to attack PoW than PoS, but my point is there may be cases where the attacker's top priority is not effectiveness.

Traceability is one such example, but there can be many other cases. Proof of work is pretty straightforward because the vulnerabilities are mostly technical issues, whereas proof of stake, I think, can have a lot of social vulnerabilities.

I bring this up because I feel like every discussion about blockchain security seems to mention "effectiveness" but the world is not perfect and there are plenty of cases where certain parties act in unintuitive manners.

People are fine with the rich getting richer as long as they're the rich.

Something something "temporarily embarrassed millionaire".

Doesn't the same apply to fiat economics? For example, if you have a lot of money, you can lock some of that in a term deposit for a set period of time with basically guaranteed income.

The richer you are, the smaller percentage of your net worth that investment likely is, so the rich get richer, with little risk to their total net worth.

Are you expecting some sort of magical system where people with less at stake earn more than those with more at stake?

If the rich are more likely to get a block, they are more likely to collect the reward for the block. Every block they get, the richer they become. The richer they become, the more likely they are to collect the reward for a block.

The author works out the math and it doesn't look that bad, especially compared to some proof-of-work centralization scenarios:

If that is the case, this user should control 50% of the stake in about 1,015 years and 90% of the stake in 1,275 years. In reality, it is probably less because not everyone stakes but that gives a rough idea about how long NXT can potentially last.

Proof of Stake is a mechanism by which people who own a lot of ethereum (notably the foundation and insiders) can get the mining rewards instead of the miners.

It also means locking up the supply of ethereum, draining liquidity and thus pumping the price.

Technologically it is not good for security: http://www.truthcoin.info/blog/pow-cheapest/

But as a pump and dump, it's an excellent thing to do.

I am also wary of proof of stake, but this is not something you can say with such certainty, like you're doing.

If someone asked "how safe is proof of work?" ten years ago, everyone would have laughed and thought you're joking.

I'm only saying this because you're making a snarky comment while pretending to know exactly how it will play out. Nobody knows how it will work. Who knows? Maybe some unexpected human behavior like mining pools will happen in proof of stake approaches and it may end up going in a completely unexpected direction.

> If someone asked "how safe is proof of work?" ten years ago, everyone would have laughed and thought you're joking

I see PoW and PoS as nearly analogous in this regard - the rich can dominate both and so on - except that PoS is far less wasteful.

I'm excited to see where this goes.

I agree. The article the GP posted posits that they are equally wasteful, but ignores the fact that:

- The thing that they are wasting, capital, was created out of thin air by the act of switching to PoS

- There are large negative externalities to burning power by mining with hashes, which increase the cost to society of using PoW vs. PoS.

Ok this article seems to be willfully ignoring two advantages of PoS:

- Liquidity and capital-over-time that you have to "burn" (which makes PoS just another type of PoW) is actually capital that was fabricated from thin air. So while PoS is not less wasteful, the act of switching to PoS is a gigantic act of wealth creation.

- A much bigger point, relevant to the future of humanity on Earth: there are externalities to PoW which make mining cost more to society than its $ cost to the miners. Instead of lobbying to include those externalities in the mining cost via various pollution taxes, we can sidestep it entirely by doing PoW with something that doesn't do physical damage to the earth: PoS.

Proof of stake incentivizes low velocity of money - you have to stake to not have your funds diluted. This seems like the opposite of what the digital aspect of cryptocurrency should be bringing to the table.

Under proof of work you essentially end up "staking" money by buying ASICs/GPUs that take 9-12 months to break even. In general, miners are going to spend almost as much as the block reward, whether that's in hardware and electricity or in opportunity cost. http://www.truthcoin.info/blog/pow-cheapest/

And many people are "hodling" cryptocurrency as a long-term store of value anyway so presumably they aren't concerned with the velocity of money.

Long-term hodlers who haven't locked their coins into staking can respond quickly to network events such as Bitcoin Cash. People who are running mining businesses can at least sell the business if they suddenly need access to a lot of capital. With proof of stake, it really is locked up for whatever period of time.

If your staking period is just a couple of weeks, this is probably less significant than owning a mining farm. But if your staking period is several months, the opportunity cost probably is greater than mining or hodling, because you sacrifice a lot in terms of flexibility.

When you put it that way, I expect to see a secondary market for stake. This could be implemented by selling the private key or by delegation similar to a mining pool.

Selling the private key would be a bad idea since you can't guarantee the seller destroys it. But you could have the staker address be a contract, with an ownership that can be transferred.

You could use an HSM to hold the private key and then sell the HSM. Overall it's still a bad idea to buy an HSM because you don't know what other transactions have been signed, but maybe the HSM keeps a history of everything it has signed as well.

Which, if you can still sell your staked coins, what is the point of locking them up in the first place?

Good point. Maybe they'll only allow deposits from non-contract addresses.

But you are essentially staking "off chain" by buying the gear in fiat money. So there is a built-in exchange rate arbitrage. And the on-chain velocity of value is not slowed down. This isn't true in ETH POS.

Ethereum's block hash algorithm is more memory intensive than bitcoin's and benefits less from ASIC work -- please correct me if I'm wrong but I don't think that it faces the same problems.

The same thing applies, you have to buy/power GPUs and decide they are best utilised mining ethereum, mining another coin or powering your new startup.

You're right and it's proven pretty robust at that. This is a good proof of work, because it means that anyone with commodity hardware can set up a miner, and the playing field is pretty level.

Assuming everyone has existing funds to acquire mining hardware.

Large existing expendable cash has a greater advantage to mine and mint. Mining pool operators are also in a position to manipulate minting and transactions in the network.

I would argue that Ethereum isn't building a monetary system - it's building a platform for decentralized applications.

If doing so decreases the native asset's velocity (for the sake of security, finality, ease of sharding, etc.), so be it.

The whole "shielding from the inflation" thing incentivizes low velocity of money, too, so that is baked into most cryptocurrencies right from the start.

ETH is not money.

So that's what you think cryptocurrencies are doing better? Improving the VELOCITY OF MONEY?

The goal is ~1% inflation, which is less than cash, and better than Bitcoin for many years (until ~2025 it's above 1%).

So with lower fees, lower inflation, and higher throughput the velocity is more likely to grow significantly than decrease.

Bitcoin inflation changes constantly, and by a lot more than 1%. Inflation is a measure of purchasing power. Not the issuance rates.

Inflation is a measure of the growth in supply of money.

Using purchasing power (or more specifically an artificially constructed and highly manipulated bag of goods measure called the CPI in the USA) is a switch to obscure the rate of inflation, as if it couldn't be measured directly.

But inflation always has been issuance, not purchasing power. Pretending otherwise is a tactic used by people who engage in inflation to try and obscure its effects (because purchasing power is affected by things like growth in productivity).

This post makes no sense. "Inflation" is an increase in the price of goods; this definition is both prescriptive and how inflation is actually measured. Since all the goods you can buy with cryptocurrency peg their prices to fiat, it's meaningless to talk about BTC/ETH inflation as a thing distinct from their exchange rates with the dollar, and that will continue to be true until a cryptocurrency economy develops that is not pegged to the dollar.

False. Inflation is, as an economic term, the issuance of currency.

Pretending like it's a measure of the price of goods is a political (not economics) tactic used by governments to obscure it, because the prices of goods are affected by other things, like increases in productivity, lower-cost goods from overseas and the like.

> In economics, inflation is a sustained increase in the general price level of goods and services in an economy over a period of time.

Currency issuance is related. It is not the same thing.

Then there isn't very much incentive to stake.

The reward is targeted based on participation: if too few or too many people stake, the reward adjusts to return the chain to the targeted participation rate.

Economic models so far, however, suggest the reward needs to only be a tenth of POW reward.

So now the 1% (who own about 35% of wealth as far as I know) would get to write the rules however they like? Sounds fun.

Miners are not allowed to set the rules of Ethereum or most cryptocurrencies (Tezos being a major exception). Miners could announce new rules and attack any chain that doesn't follow them, but the "economic majority" could simply perform a hard fork that destroys/confiscates the attackers' stake (much like how The DAO hack was "fixed").

DAO hack?

The code is the contract ... except when it isn't.

No, because the economic majority can simply make a new chain. Just like the DAO hard fork. Ethereum Classic still exists, it just doesn't have (relatively) as much economic weight.

Likely because it's pretty obviously run and held by shysters looking to profit rather than write a line of code, but that's a whole other can of worms.

I agree with you in theory, but the BTC/BCH split would be a better example of the majority splitting off of profiteers rather than the other way around.

It's actually the exchanges that get to write the rules.

It's everybody that gets to write the rules. As long as everybody is in consensus, there's one network.

If separate groups end up with incompatible consensus rules, there's a network split.

Miners, exchanges, developers, etc. don't have any more power than anybody else. Everybody's power is limited by the extent to which other people want to trade with them.

Previous proof of stake cryptocurrencies have typically struggled to get above 30% participation during the 'exciting' days of the coin, and it only falls off from there. Exchanges will often have anywhere from 15% to 40% of all of the coins in a token, which means that if exchanges choose to participate in staking, they will very likely have the majority among the staking participants.

It's just as bad or worse in the alternative approaches, like POW.

False. Please read the Satoshi white paper. PoW solved a hard problem. PoS seems to want to pretend it isn't a problem.

Also: http://www.truthcoin.info/blog/pow-cheapest/

If you're interested in proof of stake, it's definitely worth reading about delegated proof of stake [1]. The gist of it is that token holders vote for the nodes (miners). So far as I've seen, it's the best way to address the issue of governance on a blockchain.

1. https://bitshares.org/technology/delegated-proof-of-stake-co...

Delegated proof-of-stake suffers from the same problem that all consensus algorithms suffer from: people will always be willing to spend, at most, n coins on producing n coins. The only way to avoid it is by giving particular nodes the special privilege of producing coins, otherwise the free market will push up the price until there is no profit left[1].

[1] http://www.truthcoin.info/blog/pow-cheapest/

PoS will turn into a stealth PoW if it is possible in any way to influence the outcome with money. The history of all economic activity shows people being willing to spend $49.99 to make $50. Though spending $49.99 of bank balance probably beats $49.99 of carbon.

Have they got a proof of concept as yet, or is this all still vaporware that nobody on this thread should be talking about in the present tense?

Yeah, they have a proof of concept code up on their github, only started on it in the past few weeks though. Up till now it's all been math and research.

The first casper PoC was in 2015, and PoC2 was in early 2016.[1] However, there was a pivot from the early "consensus-by-bet" to the current version, which is based on "prepare and commit" messages. I think the current one is PoC4. [2,3]

1. https://blog.ethereum.org/2016/03/05/serenity-poc2/

2. https://github.com/ethereum/casper

3. https://github.com/ethereum/pyethereum/pull/791

Thanks, that's a lot more than I thought.

Still vaporware.

The cryptocurrency mining industry is worth about 3 billion dollars per year. About sixty percent of that is from Ethereum mining.

Ethereum switching to proof of stake is a threat to billions of dollars in annual revenue. Miners should be rallying against this, and the budget they have for lobbying and pr could reasonably be nine figures.

Ethereum miners are not the only ones affected. If two million gpus suddenly flood the market, either the resale value of hardware will nosedive, or the difficulty of all other coins will skyrocket. Miners who do not even mine ethereum should still be actively opposed to ethereum switching to proof of stake.

I've felt like writing a "Money is not a real thing" article for a while, and this would be a prime example of why you don't optimize for revenue but rather e.g. physical goods.

The generalization of your argument is that rapidly increasing productivity of any good is bad, because it decreases the relative power of existing capital holders.

If all the miners on all proof-of-work currencies lost all their revenue and the currency was equally secure, I would consider this a good thing since the electricity could be allocated elsewhere.

I guess Schumpeter's point with creative destruction was the rupture required to replace one paradigm with another (incidentally, he got this straight from Marx). Technology, and markets, move in fits and starts as conservative tendencies meet with more efficient, or qualitatively different, competition. For both Schumpeter and Marx this view was seen as opposed to the equilibrium models of economics on which much of mainstream economics and game theory still relies.

If Disney lost the copyright on their older works and copyright law started expiring after 20 or 50 years instead of the 100 plus today, I would consider this a good thing.

People who make billions of dollars from the status quo have great power to maintain the status quo.

This incentive to oppose the switch to a proof-of-stake consensus model is inherently self-centric.

While it may be rational to lobby for the continued use of proof-of-work from a short-sighted and egocentric point of view, the switch to proof-of-stake seems absolutely appealing from a long-term or holistic perspective.

What does any of that have to do with whether it's better than proof of work?

Mining is an expense. Reducing expenses is good.

What happens in case of a hard fork? How will they ensure that no one will validate blocks in the wrong fork? With PoW the miners must choose one fork or at least split the hash power. With PoS the miners can validate blocks in both hard forks without too much effort.

Moreover, if the 51% dislike the one fork, or the version before the fork, it's too easy to validate correctly in the part of the fork they like and launch a 51% attack to the other fork. This would have killed ETC and BCC instantly. (I'm not sure if this is a bug or a feature.)

No: if they validate blocks in both chains, their entire staking deposit is immediately destroyed (in both chains).

This is one of the main innovations in modern POS algorithms.

That is only true for coins that are recognized on both chains. In the event of a hard fork, all you need to do is send your hardforked coins to a new address, and then start staking from that address. You can then vote on both chains with your coins, and no penalty algorithms will punish you.

If there is a hardfork and you're staking, then I'd imagine you'll also be automatically staking on both chains, nothing to do. Hardforks only matter if you're transacting at the time of the fork: your transaction could be replayed on the other chain, or if a reorganisation happens, in which case you may want to wait until the fork gets resolved.

> all you need to do is send your hardforked coins to a new address

Staking coins are locked for a minimum of 6 months.

You have now changed the game into how can I trick you into validating the wrong chain.

Not quite. Mining on the wrong chain doesn't penalize you, it's mining on multiple chains that does. Only a bad actor would mine on two chains simultaneously.
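As an added illustration of the slashing condition discussed above (signing two different blocks at the same height burns the whole deposit on either chain) and of the hard-fork caveat raised in reply (coins moved to a fresh key on one fork are no longer linkable), the toy detector below is not Casper's code; the Vote structure, the 32-unit deposits and the block-count lock period are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Vote:
    """One signed consensus vote (constructed sample structure, not Casper's)."""
    validator: str  # key that signed the vote; also identifies the deposit
    height: int     # block height the vote is about
    block: str      # hash of the block voted for
    chain: str      # post-fork chain on which the vote was observed


def find_equivocations(votes):
    """Return {validator: set of (height, block_a, block_b)} for every validator
    that signed two different blocks at the same height.

    Evidence is keyed on (signing key, height) only: which chain a vote was seen
    on is irrelevant, so anyone can relay the pair to either chain and have the
    deposit burned there.
    """
    first_seen = defaultdict(dict)   # validator -> height -> first block seen
    evidence = defaultdict(set)
    for v in votes:
        prev = first_seen[v.validator].get(v.height)
        if prev is None:
            first_seen[v.validator][v.height] = v.block
        elif prev != v.block:
            evidence[v.validator].add((v.height, *sorted((prev, v.block))))
    return dict(evidence)


def apply_slashing(deposits, evidence):
    """Burn the whole deposit of every validator named in the evidence."""
    return {val: (0 if val in evidence else amt) for val, amt in deposits.items()}


def can_withdraw(deposit_height, now_height, lock_blocks):
    """A deposit may only leave after its lock period (assumed, in blocks); the
    move-to-a-new-key escape discussed in the thread needs this to be True."""
    return now_height - deposit_height >= lock_blocks


def scenario_same_key():
    """Fork at height 100; V1 keeps its deposit key and votes on both forks."""
    votes = [
        Vote("V1", 100, "0xaaa", "chainA"),
        Vote("V1", 100, "0xbbb", "chainB"),   # conflicting vote, same key
        Vote("V2", 100, "0xaaa", "chainA"),   # honest: one vote per height
    ]
    evidence = find_equivocations(votes)
    return apply_slashing({"V1": 32, "V2": 32}, evidence), evidence


def scenario_moved_coins():
    """Fork at height 100; V1's lock has expired, so on chainB it withdraws and
    re-deposits under a new key V1b before voting. Nothing links V1 and V1b."""
    assert can_withdraw(deposit_height=0, now_height=100, lock_blocks=50)
    votes = [
        Vote("V1", 100, "0xaaa", "chainA"),
        Vote("V1b", 100, "0xbbb", "chainB"),
    ]
    evidence = find_equivocations(votes)
    return apply_slashing({"V1": 32, "V1b": 32}, evidence), evidence


if __name__ == "__main__":
    print(scenario_same_key())     # V1's deposit is burned
    print(scenario_moved_coins())  # no evidence, nothing burned
```

A lock period that spans the fork (as the "6 months" reply assumes) makes `can_withdraw` False at fork time, which is exactly what closes the second scenario.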

PoS has done a great job at attracting a loyal following e.g. http://reddit.com/r/ethtrader and it only looks like it's gaining in momentum.

This is a lovely FAQ and quite informative; however, I'd feel a lot better if there were peer-reviewed papers by researchers with some prior work on Byzantine Fault Tolerance.

It's worth pointing out that Byzantine fault tolerance has been around for almost 40 years, and yet it wasn't until bitcoin that you could build a decentralized currency that people felt confident in.

Academic Byzantine fault tolerance is insufficient, because you cannot naively assume that most participants will behave honestly. They have to have an incentive to behave honestly, and there can be no room for dishonest behavior that would be more rewarding.

There's a reason that it took so long to get a working digital cash - a new breakthrough was needed and that breakthrough ended up being Proof of Work.

To trust a new system for decentralized money, I would want to see peer review not just from academics, but also from the leading bitcoin experts, who in my opinion are the only ones that really understand cryptocurrency.

It's true, it's an old field that remains (I think) in progress. I just fear that the confidence in decentralized currency you cite may be overly influenced by the profit early proponents have earned.

Perhaps a few academic collaborations could generate peer-reviewed papers that leverage those decades of research alongside the practical experience of bitcoin experts.
