Proof of stake is incapable of producing a consensus (yanmaani.github.io)
786 points by alg0rith 52 days ago | hide | past | favorite | 796 comments



(my day job is developer on Proof-of-Stake Algorand block chain, I'm a developer, this may not be polished official PR) Article's theory about malicious old blocks doesn't hold up. Let's say I start a new node and verify history since the beginning. Somewhere along the line I'm connected to a malicious node which hands me a fictionalized block. It would need to have been signed by not just one but about 30-45 accounts _which had stake at that time_. Proof-of-Stake attacks aren't about having 51% of the CPU that overwhelms a Proof-of-Work system, but about having 60-70% of the _value_ in the network. So, if Warren Buffet comes along and wants to spam our network, I guess he could, but that would destroy the network and destroy his value that he sunk into the network. _That_ is a guardrail for PoS systems as much as any crypto or consensus-protocol element (and the algorithms are right, original article misunderstands them).


I would add that the silly argument that a super-wealthy individual or a government could in theory degrade or destroy a transaction platform is applicable, not just to Algorand and other block chains, but also, more generally, to ANY transaction platform.

I mean, if Doctor Evil suddenly decided to spend tens of billions of dollars to destroy the three main credit card networks, he could probably do it. In fact, it might be easier and cheaper than attempting to degrade or bring down a distributed block chain network. The credit card networks are built upon many layers of ancient, pre-Internet technology, full of discoverable vulnerabilities and critical points-of-failure.

But we all know that it wouldn't happen. Doctor Evil would never want to do so, because even he, the most evil person in the world, would still want to be able to use his credit cards to eat out, go to the movies, and order stuff online. Also, he would never want to do something that would make him enemy #1 of every other person on the planet, including every other super-criminal!

What Doctor Evil actually wants to be able to do is figure out ways to steal or get balances from participants in the network without destroying the network: steal poorly protected wallets, hack into poorly secured exchanges, find ways to get blackmail payments on the network (e.g., by launching DoS attacks on the web), etc. The network itself is too useful to everyone for anyone to want to destroy it.

--

PS. For the record: I have no economic connection to Algorand the block chain nor to Algorand the company, but I'm (superficially) familiar with some of Silvio Micali's past work and also, I know one of the company's top executives. In my judgement, the Algorand block chain has great technology, and Algorand the company has really great people. Their main challenge, as I see it, is overcoming the powerful network effects already accruing to other block chains.


IMO people listing things that discourage an attack (people will hate him, his credit cards won't work, etc) are just people trying to comfort themselves. It's like saying, "No one would break into my home because they might hurt themselves breaking in, or I might hurt them, or they might get caught by the police and go to jail. It's just too risky."

At the end of the day, Dr. Evil will gladly spend 10s of billions to destroy the network if doing so nets him 100s of billions. Stop listing reasons people won't attack the network and start listing reasons they would.


That's not what I said. Please don't attack a straw man. My main point was, and is, that the same attack-logic applies to ANY transaction network. The example with Doctor Evil was about other transaction networks.

Why would Doctor Evil attack a block chain network when he could attack global/national/regional credit card/wire transfer/ACH networks, many of which are built upon ancient pre-Internet technology, are full of discoverable vulnerabilities and critical points-of-failure, and are operated by cash-rich financial institutions with liquid, easy-to-short stocks?


You didn’t answer the parent post. Your point was, in game theory, there’s no benefit in attacking the network, or the loss is so huge that it isn’t worth the attack. The parent post gave the counter point that there could be a benefit which we haven’t thought of. If Dr Evil is heavily invested in 2 networks, he might destroy one to focus on the remaining. The chance of the attack is low but it is not zero.


I addressed it in the first paragraph of my comment above. Let me quote from it here: The theoretical attack argument is indeed "applicable, not just to Algorand and other block chains, but also, more generally, to ANY transaction platform" -- VISA, Mastercard, Amex, ACH, Fedwire, etc. No one disagrees that it is applicable, i.e., a theoretical threat, to all transaction platforms.

Now, if you think such an attack is an important problem for block chains, then you must also think it is an important problem for all legacy transaction networks. Yet we're all comfortable using our credit cards and bank accounts every day, and for virtually all practical purposes, we don't worry about a "Doctor Evil scenario." Why should we think and behave differently for block chain networks?

Moreover, as I wrote before, in practice, legacy transaction networks (like, say, regional VISA networks run by 100-year-old banks) are easier and cheaper to attack. If the Doctor Evil scenario were a real threat, it would be more profitable for him to target one of the legacy networks!


I like this point, but (as I think you are saying as well) it’s true for POW as well, right?

Fundamentally, if there are off-chain incentives to destroy the value of a given blockchain, much of our reasoning about the game theory doesn’t hold up.


he's a POS shill, there's no point arguing with these kinds of people. Proof of work will outlast all consensus protocols


Arguably the same thing blockchain tech got away from — a primary stakeholder with a "monopoly on violence" (i.e. a government with armed police et al). If you attack the US banking system, they will stop you in quite short order. The FBI doesn't screw around.

If you attack the blockchain, well ... uh ... the owners will ... be really unhappy with you?

Realistically you're only in trouble for doing that if you're pissing off someone else with "the means to violence". If you screw up money laundering operations for a cartel, then what you're likely looking at is acts of violence between two criminal organizations, but if one of them has the upper hand, they can basically act with impunity.

When you're looking at the "small fry" – individual people with their own bitcoin/whatever stakes? They're just fucked. It's true if someone steals your wallet, but it's also true if someone torpedoes the whole system. That's the cardinal problem with all of these blockchain technologies — by deliberately designing the whole thing to disintermediate the authorities; they accomplished exactly that: there are no authorities to deal with systemic problems.


Provided a shorting mechanism for X, destroying X will be incentivized.


Everything already has a shorting mechanism. Can you cite a single instance where short-selling has destroyed a legitimate business, ever?

This irrational fear of short selling is such a modern midwit view. There is way more value to fraud on the upside than there is on the downside, and we see that every day.


> Can you cite a single instance where short-selling has destroyed a legitimate business, ever?

What kind of short-selling? For naked short selling I quickly found evidence: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=273488 That's the predecessor of a paper cited from 2003 SEC testimony of Robert J. Shapiro published at https://www.sec.gov/rules/proposed/s72303/rshapiro122403.htm..., which in turn may have been a related source for the Shapiro citation in a 2008 Time magazine article at https://web.archive.org/web/20080424032340/http://www.time.c..., which I found via the Wikipedia article on naked short selling at https://en.wikipedia.org/wiki/Naked_short_selling#Claimed_ef...

That first paper describes a scheme whereby investors bought convertible warrants, used naked short selling to drive the stock price down, then covered by exercising their warrants. And apparently in many cases, as documented by the paper, this resulted in a delisting or even bankruptcy of the targeted firms.


The analogy to companies doesn't work because there isn't a legal mechanism by which you can make your short predictions come true. It's illegal to manipulate markets and most ways by which you could destroy a company (without spending more than you hope to gain) are also probably illegal. If you can think of any legal ones I'd be curious to hear

If it were legal to take a short position in a company and then take actions which blew the company up AND there existed cost-effective ways to do so, then you would definitely have seen more legitimate companies taken down by short-attacks. In contrast, here you have an entity where (a) there aren't the same legal safeguards and (b) there exists a claimed cost-effective way to tank the entity after taking a short position

If you disagree with (a) or (b) empirically then cool but it's clearly a totally different scenario to regular companies


he would in case of war


The Algorand PoS consensus protocol assumes that honest nodes use so-called "ephemeral keys" (see Section 5.2 of the white paper). This implies they are supposed to "forget" part of their past state. A malicious node could choose not to forget their past state, thus making double-spend a possibility (assuming an adversary with majority of stake).

Therefore, the formal proof of security provided in the Algorand white paper does not resolve the nothing-at-stake problem, which is inherent to all PoS systems.


This explanation does not make sense to me, which is probably due to my lack of understanding, but perhaps you can expand on this:

> about 30-45 accounts _which had stake at that time_

The way this is stated makes it sound difficult. But if this is false history presented by a malicious node, surely they could make up anything, as the data does not need to line up with any official history at any point. (Without a trusted party, no history line is really official anyway, isn't it?). Constructing a history with 30 accounts with stake at any given point in time isn't any harder or easier than constructing 3 or 3000.


The history still needs to be signed by former stakers to be valid. The "nothing at stake" problem is that a staker might break the rules by signing two mutually incompatible histories. During the staking period, they are strongly disincentivized from doing this because anyone can present proof that they've done so, causing the network to punish them by taking away all the funds they staked. But once that period expires, they can send those funds to someone else, and now they can't be punished. Someone who's sent away their funds is no longer a staker moving forward, but they can still sign an alternate history for the time when they were a staker, potentially fooling clients who haven't connected to the network for a long time.

In practice, among the people who once staked large amounts of a proof-of-stake currency, most of them will probably continue being invested in its ecosystem moving forward. Even if they can't be personally punished for lying about the past, a successful history split would likely reduce the community's confidence in the currency, and thus its market value. Most of those people are also emotionally invested in the ecosystem and would not want to dishonestly subvert it. There will be exceptions. But to create an alternate history you need to subvert not just one validator, but most validators (or rather, validators who together control most of the currency being staked).


This is the “nothing at stake problem” from the article.

Warren Buffet buys up 70% of the network, induces a network partition, and then double spends it all, signing both transaction histories.

By the time he’s caught, he’s converted 2x the value of the POS network to POW bitcoins.

Replace “warren buffet” with “crypto exchanges selling bundled securities”, and the above is not just plausible, it’s inevitable.

The same scam has been run over and over again with conventional banks (who are inevitably bailed out on top of getting to take the money and run), POS just changes the nature of the obscure underlying financial instruments.


A trust assumption of PoS (Proof of Stake) is that >66% of the stake is honest. If you violate this trust assumption then yes PoS breaks. This is a similar trust assumption to requiring that 51% of the mining power in PoW (Proof of Work) is not malicious.

This risk can be mitigated:

1. The network should halt if a fork is detected. A fork with more than 66% of the stake behaving maliciously means a fundamental trust assumption of the network has been violated. Stop everything! Let humans figure out what is going on. I'm not saying every PoS system WILL halt under these circumstances, but as a countermeasure they SHOULD be designed to halt and value safety over partition resilience. Thus, an attacker forking a PoS must never allow parties to see either side of the fork. If a party notices a fork occurs, they will halt and can't be double spent against.

2. Following from 1, how do you prevent parties from communicating and discovering that a fork is occurring? Are you a tier-1 ISP and can control all internet traffic? You can defend against such attacks by making it very hard to hide the presence of a fork via redundant communication mechanisms. For instance the Bitcoin blockchain is broadcasted via satellite, a PoS blockchain could do that as well.

3. Additionally you can require that stakers lock their stake for long periods of time e.g., 6 months. This means that if an attacker wants to perform this attack and truly have nothing at stake they must cause a fork in the chain before the 6-months ago mark. Parties who are up to date with the latest chain are not vulnerable since they have already accepted the consensus history of chain. New parties who are syncing for the first time would be vulnerable, however clients could be programmed to have hardcoded 6-month checkpoints or clients could check block explorers and halt if a fork is detected.
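The three countermeasures above (halt on a detected fork, treat a checkpoint older than the lock-up window as unusable, compare histories obtained from more than one source) can be turned into a small sync-time check. The code below is an added illustration, not from the commenter or from any particular chain's client; the `LOCK_PERIOD` value, the block layout and the sample chains are constructed for the example, and the "redundant channels" of point 2 are modelled only as the client receiving several candidate chains to compare.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Assumption for this example: how long (measured in blocks here, not months)
# a stake stays locked after it last voted. A checkpoint older than this gives
# no protection, because the stakers who signed it may already have withdrawn.
LOCK_PERIOD = 3


@dataclass(frozen=True)
class Block:
    height: int
    hash: str
    parent: str


class Decision(Enum):
    FOLLOW = "follow the single consistent history"
    HALT_FORK = "halt: conflicting histories seen after the checkpoint"
    HALT_STALE = "halt: checkpoint older than lock-up, refresh it out of band"
    HALT_NONE = "halt: no candidate chain contains the checkpoint"


def is_linked(chain: list[Block]) -> bool:
    """Every block must extend the previous one by exactly one height."""
    return all(cur.parent == prev.hash and cur.height == prev.height + 1
               for prev, cur in zip(chain, chain[1:]))


def contains_checkpoint(chain: list[Block], cp: Block) -> bool:
    return any(b.height == cp.height and b.hash == cp.hash for b in chain)


def sync_decision(candidates: list[list[Block]],
                  cp: Block) -> tuple[Decision, Optional[list[Block]]]:
    """Decide what a syncing client should do given candidate chains from
    several peers and its last trusted checkpoint `cp`."""
    heads = [c[-1].height for c in candidates if c]
    # Point 3: a checkpoint older than the lock-up window cannot rule out a
    # rewritten history, so the client must refresh it before trusting peers.
    if heads and max(heads) - cp.height > LOCK_PERIOD:
        return Decision.HALT_STALE, None
    # Any history that does not pass through the checkpoint is rejected outright.
    valid = [c for c in candidates if c and is_linked(c) and contains_checkpoint(c, cp)]
    if not valid:
        return Decision.HALT_NONE, None
    # Point 1: if peers disagree about any height after the checkpoint, stop
    # rather than pick a side; a fork means the trust assumption has failed.
    seen: dict[int, set[str]] = {}
    for chain in valid:
        for b in chain:
            if b.height >= cp.height:
                seen.setdefault(b.height, set()).add(b.hash)
    if any(len(hashes) > 1 for hashes in seen.values()):
        return Decision.HALT_FORK, None
    # A shorter chain that is a prefix of a longer one is not a fork.
    return Decision.FOLLOW, max(valid, key=len)


def demo() -> dict:
    """Constructed scenario: an honest chain and an alternate history that
    shares the first three blocks and then diverges."""
    honest = [Block(0, "h0", "")] + [Block(i, f"h{i}", f"h{i-1}") for i in range(1, 6)]
    alternate = honest[:3] + [Block(3, "x3", "h2"), Block(4, "x4", "x3"), Block(5, "x5", "x4")]
    return {
        # checkpoint after the divergence point: the alternate history is rejected
        "fresh": sync_decision([honest, alternate], honest[3]),
        # checkpoint before the divergence point: both pass it, so the client halts
        "fork": sync_decision([honest, alternate], honest[2]),
        # checkpoint from before the lock-up window: cannot be trusted, refresh it
        "stale": sync_decision([honest, alternate], honest[0]),
        # one peer is merely behind: no conflict, follow the longer chain
        "behind": sync_decision([honest, honest[:4]], honest[3]),
    }


if __name__ == "__main__":
    for name, (decision, chain) in demo().items():
        print(f"{name}: {decision.value}" + (f" (head {chain[-1].hash})" if chain else ""))
```

The point the example makes concrete is that the checkpoint decides which histories a client will even consider, and that seeing two consistent-looking histories is itself the alarm: the client stops instead of choosing, which is what turns the safety failure into an availability failure.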


> This is a similar trust assumption to requiring that 51% of the mining power in PoW (Proof of Work) is not malicious.

Yeah, but you're glossing over an important detail: It's not 66% of the stake that has to be good, it's 66% of anyone who has ever staked. In PoW, I only need to trust the miners of today to tell me the truth about what happened today. In PoS, I need that, plus the miners of yesterday, plus the miners of a year ago, plus ..., in perpetuity.

> New parties who are syncing for the first time would be vulnerable, however clients could be programmed to have hardcoded 6-month checkpoints or clients could check block explorers and halt if a fork is detected.

Right, maybe you can elaborate on this. Is checking block explorers a decentralized or trustless solution to, well, anything?


> It's not 66% of the stake that has to be good, it's 66% of anyone who has ever staked. In PoW, I only need to trust the miners of today to tell me the truth about what happened today.

I don't quite get that. As far as I understand it the "nothing at stake" problem works by a malicious party inducing a fork, one of which they double-spend in. Since it's in the best interest for everyone else to mine both forks, you can force your double-spend fork to become the longest chain by only validating the double-spend fork.

This means you have to trust that nobody part of your current chain has double-spent in this way. But isn't this the same as in PoW where you have to trust that nobody has launched a 51% attack to disrupt the network in the past?

Also, can't you just prevent people from mining all forks? I.e. for becoming a validator you have to deposit X as a security beforehand and you can only earn at most X via staking (so it is in the history before you can attack with nothing at stake). If it is recognised that you mine on more than one fork at a time, you lose the security deposit you gave before the fork. X goes to the person who found the fork, incentivising that the malicious fork is identified on all forks (miners on competing forks are incentivised to look at all forks and quickly add the malicious fork detection for their own benefit). If you want to retrieve your security and money earned, you have to announce this on all forks (you immediately cease to be a validator). You are only allowed to retrieve the funds, if it is confirmed on all forks, or the forks are sufficiently behind the longest chain. This allows everybody ample time to look for dual-fork work and also incentivizes rapid solution of forks.


> If it is recognised that you mine on more than one fork at a time, you lose the security deposit you gave before the fork.

Yes, modern proof-of-stake algorithms work this way. The caveat is that at some point (on the order of months later) the security deposit is refunded, and at that point you can lie about the past without consequence. But this is a limited attack: you can only successfully lie to someone who has been offline since you were a staker, or else they would already have a record of the real successor chain (which now has a new set of stakers, who themselves still have their security deposit deposited).
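The slashing scheme sketched in the previous comment (deposit first, lose it if caught signing two forks, whistleblower gets a cut, withdrawal only after a waiting period) and the caveat in this reply (once the deposit is refunded, old signatures cost nothing) can both be shown in one small ledger model. This is an added example, not code from either commenter or from any named chain; the `UNBONDING_EPOCHS` and `WHISTLEBLOWER_SHARE` values are assumptions, and the votes are taken as already authenticated (a real chain would verify a public-key signature on each vote before accepting it as evidence).

```python
from dataclasses import dataclass
from typing import Optional

# Assumptions for this example: epochs a deposit stays locked after the
# validator announces its exit, and the fraction of a slashed deposit paid
# to whoever submitted the evidence.
UNBONDING_EPOCHS = 6
WHISTLEBLOWER_SHARE = 0.10


@dataclass(frozen=True)
class Vote:
    validator: str   # who signed; assumed authenticated before reaching the ledger
    height: int      # chain height the vote is for
    block_hash: str  # which block at that height was endorsed


@dataclass
class Account:
    deposit: int = 0
    exit_epoch: Optional[int] = None
    slashed: bool = False


class SlashingLedger:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.paid_out: dict[str, int] = {}
        # First vote seen per (validator, height); kept forever, since evidence
        # of a double vote may surface long after the fact.
        self.first_vote: dict[tuple[str, int], Vote] = {}

    def deposit(self, name: str, amount: int) -> None:
        self.accounts.setdefault(name, Account()).deposit += amount

    def announce_exit(self, name: str, epoch: int) -> None:
        self.accounts[name].exit_epoch = epoch

    def withdraw(self, name: str, epoch: int) -> int:
        """Return the refunded amount, or 0 if the deposit is still locked."""
        acct = self.accounts[name]
        if acct.exit_epoch is None or epoch < acct.exit_epoch + UNBONDING_EPOCHS:
            return 0  # still locked: evidence submitted now can still cost it
        amount, acct.deposit = acct.deposit, 0
        self.paid_out[name] = self.paid_out.get(name, 0) + amount
        return amount

    def record_vote(self, vote: Vote) -> Optional[tuple[Vote, Vote]]:
        """Store the vote; return a pair of conflicting votes if this one
        contradicts an earlier vote by the same validator at the same height."""
        key = (vote.validator, vote.height)
        earlier = self.first_vote.get(key)
        if earlier is None:
            self.first_vote[key] = vote
            return None
        if earlier.block_hash == vote.block_hash:
            return None  # same vote seen twice, harmless
        return (earlier, vote)

    def report_equivocation(self, evidence: tuple[Vote, Vote], reporter: str) -> int:
        """Slash the offender if anything is still at stake; return the amount."""
        a, b = evidence
        if a.validator != b.validator or a.height != b.height or a.block_hash == b.block_hash:
            return 0  # not a valid double-vote proof
        acct = self.accounts.get(a.validator)
        if acct is None or acct.slashed or acct.deposit == 0:
            return 0  # deposit already withdrawn: nothing at stake, nothing to take
        slashed, acct.deposit, acct.slashed = acct.deposit, 0, True
        reward = int(slashed * WHISTLEBLOWER_SHARE)
        self.paid_out[reporter] = self.paid_out.get(reporter, 0) + reward
        return slashed


def demo() -> dict:
    """Constructed scenario contrasting a double vote during the lock-up with
    one signed after the deposit has been refunded."""
    ledger = SlashingLedger()
    for name in ("alice", "bob", "carol"):
        ledger.deposit(name, 100)
    # Alice signs two different blocks at height 10 while her deposit is locked.
    ledger.record_vote(Vote("alice", 10, "block-A"))
    evidence = ledger.record_vote(Vote("alice", 10, "block-B"))
    alice_slashed = ledger.report_equivocation(evidence, reporter="bob")
    # Carol votes honestly, exits, and waits out the unbonding period.
    ledger.record_vote(Vote("carol", 10, "block-A"))
    ledger.announce_exit("carol", epoch=2)
    early_refund = ledger.withdraw("carol", epoch=5)   # too early, still locked
    late_refund = ledger.withdraw("carol", epoch=8)    # lock-up over, refunded
    # With nothing left at stake, Carol signs a conflicting block for height 10.
    stale_evidence = ledger.record_vote(Vote("carol", 10, "block-B"))
    carol_slashed = ledger.report_equivocation(stale_evidence, reporter="bob")
    return {
        "alice_slashed": alice_slashed,
        "bob_reward": ledger.paid_out.get("bob", 0),
        "early_refund": early_refund,
        "late_refund": late_refund,
        "stale_evidence_found": stale_evidence is not None,
        "carol_slashed": carol_slashed,
    }


if __name__ == "__main__":
    print(demo())
```

The ledger still detects Carol's conflicting signature (the evidence is just as valid as Alice's), but there is no deposit left to take, which is exactly why the attack is limited to clients that have been offline since before her deposit was refunded: anyone who saw the chain advance past that point already holds a history that later, still-bonded stakers signed.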


The original article asserts that this does not work according to their requirements since there's no way to independently verify which is the "real successor chain" - they just have to trust someone's word that chain A is true and chain B is not, and a convincing liar could provide them with opposite data. In schemes like Bitcoin, there's objective validation of the "longest chain" with the most work invested; in your example where would that "record of the real successor chain" come from, and how can it be validated/verified in a decentralized manner in a way that a major ex-staker can't satisfy?

Like, this is trivially solved with a central authority (e.g. have some trusted core developer every day publish a signed message saying "this is the real successor chain"), but it does enable that central authority to arbitrarily bless a fake ex-staker's fork.


> they just have to trust someone's word that chain A is true and chain B is not, and a convincing liar could provide them with opposite data. In schemes like Bitcoin, there's objective validation of the "longest chain" with the most work invested;

Note that in Bitcoin you can have a fork in which both chains have equal length. The idea is that eventually the longest chain will be established, but if say 90% of the mining is malicious that malicious miner could ensure that most of the time both chains are of equal length.

With a PoS fork you can ask, which fork has the most amount of stake voting for it. An attacker that controls enough stake might be able to balance the total stake vote in the same way as a malicious miner could on Bitcoin.

In both cases if the core security assumption of the blockchain is violated, that blockchain should halt until that assumption is made sound again. If someone orphans the last two years of Bitcoin's blockchain something has gone horribly wrong. The fact that Bitcoin now switches to the longest chain doesn't actually address the problem that two years of transactions may have been rendered invalid.


> Stop everything! Let humans figure out what is going on.

What does this mean in practice? Who are these humans? When can the network get going again? Would a consensus rule change be part of it, and what type of changes would be allowed in that situation?

It sounds hard to manage this type of maintenance break in a trustless way. Surely consensus rule changes during outages should not be handled any differently than changes when under normal operations.

> clients could be programmed to have hardcoded 6-month checkpoints

Who signs these checkpoints? Once you have established the trust required for checkpointing the entire blockchain regularly, wouldn't it be much easier to checkpoint every block instead and in an instant do away with all the hard problems of blockchain networks?


> What does this mean in practice? Who are these humans? When can the network get going again? Would a consensus rule change be part of it, and what type of changes would be allowed in that situation?

We have a bunch of examples of this happening in practice. The humans are usually a mix of the developers, parties important to consensus (miners, stakers) and big ecosystem players.

> It sounds hard to manage this type of maintenance breaks in a trustless way.

When solving a problem that violates your core security assumption you are no longer in the world of security definitions. It doesn't really make sense to talk about "trustlessness". If the protocol is busted, you need to find a solution and get enough people on board with that solution that you can upgrade the protocol.

> Once you have established the trust required for checkpointing the entire blockchain regularly, wouldn't it be much easier to checkpoint every block instead and in an instant do away with all the hard problems of blockchain networks?

The checkpoints aren't trusted for safety but instead for availability. Instead you should think of them like alarms that "something has gone horribly horribly wrong, stop everything, don't transact, don't move, don't touch anything, pull the e-brake."

tl;dr Much like the fuse box in your house, my view is that checkpoints should turn safety failures (electrical fires) into availability failures (electricity is shut off).


With Ethereum at least, it's proof of work leading up to proof of stake, so you'd have to break proof of work to create a fake early history, so the initial stake has to be legal within the proof of work history of Ethereum.

Unsure how pure PoS chains work, maybe they hard code an early block's hash? Like, it's not a legit xorcist-chain unless block #10 has hash #deadbeef


What if Buffett just wants to see the world burn and doesn't care about getting the money back out?

Or if a nation state or the central banks see it as an existential threat, they could consider it the cost of doing business? Maybe $30B to take out Algo or Solana and destroy trust in all PoS networks? That's a rounding error for them.


> Or if a nation state or the central banks see it as an existential threat, they could consider it the cost of doing business? Maybe $30B to take out Algo or Solana and destroy trust in all PoS networks? That's a rounding error for them.

While you are correct that burning $30 billion to destroy trust in PoS blockchains isn't that much money, I disagree that such an action would actually destroy trust in PoS blockchains. We have seen serious attacks on a number of blockchains, Ethereum for instance had enormous amounts of money stolen or destroyed via weaknesses in the blockchain. Yet Ethereum is still going strong. Bitcoin suffered 51% attacks that were used to perform double spends and Bitcoin is more valuable than ever.

It might be cheap to burn $30B to destroy a blockchain, but what if you burn $30B and the blockchain recovers 12 hours later?


> Ethereum for instance had enormous amounts of money stolen or destroyed via weaknesses in the blockchain.

These weaknesses weren’t due to consensus failures or protocol failures, but bugs in applications running on Ethereum. If Ethereum’s protocol allowed arbitrary funds to be stolen, that could certainly cause a loss of trust.


You overestimate the amount that people “investing” in crypto actually care about what it is. If my friends are anything to go by, anyway.


Most investors don’t care at all and blow off things like “the blockchain you’re using requires this fully centralized component”, but many players in the ecosystem that enable the speculation we see now, do care about protocol safety. If the Ethereum protocol was shown to be unsafe, they’d publicly promote safer alternatives and push their users to move.


"Blockchains get knocked down but they get up again." - Chumbawamba, ...probably

So two of the Bitcoin examples I gave were consensus failures, which already establishes the point, but let's do a very recent example from Ethereum:

A few months ago, in August 2021, Ethereum had a serious consensus failure and about three quarters of the clients in the network and some miners [0] forked off from the miners. How many people even noticed? [1]

> "Ethereum has weathered a bug that split the world’s most-used blockchain and opened up the risk of counterfeit Ether tokens." [2]

The issue at play is that the ability to cripple the consensus of a blockchain for the most part only impacts its availability not its security or the trust placed in that blockchain. Social consensus can just reset the bad transactions if the theft or doublespend is big enough. We've seen that happen time and time again. They are somewhat robust but highly resilient.

Now it is possible that perhaps someone could perform an action that can not be so easily reset. For instance a huge doublespend where both parties receiving the funds are honest and have traded an object of extreme value for the doublespent funds. That is very hard to pull off. For instance how do you non-reversibly send something of that much value before the fork/doublespend/consensus bug is discovered? If you are moving something worth say 1 billion dollars in a single transaction you should probably be using an escrow service. Perhaps someone will invent a better technique for turning consensus failures into blockchain killers but so far I'm not aware of such a technique.

[0]: https://twitter.com/TimBeiko/status/1431278258222338056

[1]: https://www.theblockcrypto.com/post/115822/bug-impacting-ove...

[2]: https://www.bloomberg.com/news/articles/2021-08-30/ethereum-...


You’re now moving the goal post.

You said there were “enormous amounts of money stolen or destroyed” as a result of “weaknesses in the [Ethereum] blockchain.”

The consensus issue where one client forked off isn’t evidence of that at all. Even the article you link to says it seems that the network was stable and the impact was minimal. Even in this particular attack, doing a double spend would be rather difficult.


Why destroy it, when you can co-opt and control?

Spend $X billion, then just bleed everyone without power. Sort of like what we do now.


Because nothing-at-stake attacks only allow double spending, not arbitrary forged transactions.


If you have 30 billion, and the motivation, then there are more entertaining ways of making the world burn than hacking somebody else's Ponzi scheme.


It's a temporary state, until the PoS coin market cap gets too large to be attackable. Bitcoin's market cap is in the 1T range now, Ethereum is close to half that. Buffet couldn't do a thing against a PoS coin that large, and it would be a serious commitment and risk even for a nation state. Buffet could take down some random smaller coin, maybe, at the cost of most of his personal fortune, but if he did so the world would not burn.

It's _possible_ that a government might choose to attack a random small coin just to discredit the notion of PoS cryptocurrencies, but it's hard to picture a government gaining consensus to do it, and it would be obvious to knowledgeable onlookers that larger coins are immune (or anyway, much better protected), so the resulting disruption would probably be temporary.


PoS encourages centralized exchange-held staking, which means that there are only a handful of failure/pressure points. In other words, a government doesn’t have to buy 66% of the stake - merely compel the exchanges.


> PoS encourages centralized exchange-held staking

Not when the protocol actively encourages decentralization by cutting off staking rewards to larger pools, like what Cardano does (as one example). Sure, the exchanges can (and probably do) run multiple pools, but so can anyone else, and for far less expense than is required for mining.


They wouldn’t need to spend money to ‘destroy the blockchain’, just legislate against it. For example, what would happen to the value of crypto-currencies if the US government simply banned them outright for entities within its jurisdiction, and also made it so if any foreign entity touches cryptos they get cut off from the US financial system (similar to how ‘sanctions’ work today). I imagine the destruction would be near total.


Everyone gets paid!

> Proof-of-Stake attacks aren't about having 51% of the CPU that overwhelms a Proof-of-Work system, but about having 60-70% of the _value_ in the network.

If a nation buys 2/3 of the coin and destroys the network, investors (as a whole) take a 1/3 loss. Then they can (re)start another PoS coin.

Ironically the nation would be up against the old saying that the market can stay irrational longer than you can remain solvent.


Hell, they might not even take a loss at all. A nation-state-level actor trying to buy a majority of the monetary supply would represent a substantial increase in demand and therefore price.


...or gradually alters consensus to pad their pockets at the expense of smaller stakeholders.

congrats, you've reinvented central banking and plutocracy.


PoS is Plutocracy on Steroids.

You've outlined only one, the most obvious and least probable, mode of failure.

The more subtle and wildly prevalent failure mode is that the consensus will be set by the few whales, who will maximize their rent extraction at the expense of numerous small players, which will include most later adopters, aka the entire population of Earth.

It's already visible on smaller scale in DAOs, every vote resembles a banana republic: "90% voted, 90% in favour". No matter what smaller stakeholders do/say, the early big investors and dev team always win. Why would they structure it otherwise? The same dynamics exist in PoS, just not as grotesque.

Perhaps that's OK for a private company governance, but for a global currency?

You want the multibillionaires to dictate the properties of the medium of exchange that serves the entire globe? Seems rather strange that so many have such a burning desire to be governed by someone much richer than them.


And Proof of Work is better because the haves buy equipment the have-nots can't buy to vote?

Unless you have a citizenship based voting of some sort where a single person gets a single vote and they actually vote (automatically I guess and assuming without delegating to the big whale because "I am bored") what do you think agreement via resource scarcity implies?

P.S. Also lobbying...


This is a common misunderstanding.

Proof of Work does not get you any votes at all.

PoW is a service to the network, to create an immutable ledger. It comes with a very real nuclear option that will bankrupt miners if you misbehave and get fired by hashing algo change.

It's just a boring industrial business, like smelting aluminum or iron.


Smelting metals actually produces something, proof of work just burns electricity for the random chance of winning a lottery


Simply because something is intangible and invisible, like atoms, does not make it any less valuable.

It's a system with an immutable monetary policy. Literally unprecedented in human history.


> It's a system with an immutable monetary policy.

Is it though? It seems minor protocol tweaks aren't uncommon and hard forks managing to eclipse the original protocol in popularity are also conceivable.

https://en.wikipedia.org/wiki/List_of_bitcoin_forks


Every time there is a fork, the market decides how much to value each of the forks.

Personally, I think people will value bitcoin as good money if fiat money fails. And because they are seeking good money, will value the fork(s) that preserve bitcoin's prior monetary policy.

A fork that changes the monetary policy drastically (particularly, changing the 21M cap) would obviously make for bad money in practical terms.


> Every time there is a fork, the market decides how much to value the forks

So literally the same as every monetary policy change involving every currency that didn't use PoW in history...


No, not true. Nodes can literally just choose to use the version of software that provides the best money. You can’t choose to use the US monetary policy from 1960, for example.

This has happened multiple times with attempted hard forks of Bitcoin which have failed because once you change the monetary policy once, the promise of hard money effect disappears. So the original monetary policy remains in place and the original network continues as the reigning champion.


I imagine the idea of a hard fork of Bitcoin may become more popular as the supply limit is approached and transaction fees go up. The current transaction fee is only a few dollars but the cost is over a hundred. Eventually the fee will have to cover the full cost and a hard fork may start to look more interesting.

If this happens I can technically stay on the original protocol, but that would be rather pointless if a sufficient majority abandons it.


The natural scenario is that as the mining reward goes down, hash rate will dwindle until mining is profitable again.

The only real problem with that is that with a small hash rate, bitcoin can be attacked more easily.

If bitcoin is the monetary backbone for many nations, they will subsidize miners to maintain the balance of power. That is the actual scenario that I'm optimistically predicting.

If bitcoin isn't the monetary backbone for many nations, by then, then it's probably a failure, and should probably be allowed to die.

It's also very possible that transactions fees alone actually will be sufficient to support a high enough amount of hash power to secure the network.


> It's also very possible that transactions fees alone actually will be sufficient to support a high enough amount of hash power to secure the network.

I have to admit that I have no idea how much work is actually needed to secure the network. My point of view is that the current rate of energy expenditure outweighs whatever benefit Bitcoin does or could provide to society. But if this rate is a transient result of still-significant minting going on, things could definitely look different in the future.

Do you know of any analyses on how much work really has to be continuously expended in order for Bitcoin to remain reasonably secure at a given market capitalization?


I don't see why many nations would jump at the opportunity to make Bitcoin their monetary backbone. For example because an immutable monetary policy won't be seen as a feature.


> For example because an immutable monetary policy won't be seen as a feature.

Each nation would love to be able to manipulate the supply itself—why not, if people will let you get away with it?—but the fact that other nations can't do the same could be seen as a feature.


If that's how it's going to work, what stopped nations from making a treaty in which everyone commits to an immutable monetary policy so far? And how does Bitcoin result in whatever it was not being a showstopper anymore?


Many countries already use money internally such as the USD (outside the US) or Euro (outside the EU) for which they do not control the policy. Explicit agreements to use a common currency across nations and share control of the policy are relatively rare; no examples come to mind apart from the EU, and that hasn't always gone according to plan, as Greece can attest. But hard currency is still a fairly common basis for exchange between nation-states, and other countries' currencies are more likely to be adopted when they are governed by relatively immutable policies. Of course, if those policies change to be less immutable it can take time for the effects to manifest. The USD was relatively stable until recently, but other countries are probably reconsidering their dependence on it at this point given the increase in the supply over the past few years.

If Bitcoin does eventually become a common instrument of trade at this level it will fill the same niche currently occupied by gold and other precious metals.


I wouldn’t worry about it. Bitcoin incentivizes energy development. As the world moves to a Bitcoin standard, we will unlock new types of energy that were previously unproductive. It’s likely that energy will more cheap and plentiful under a Bitcoin standard, leading to downward pressure on transaction prices as mining is more economical. Also, more transactions are likely to move off chain to Lightning Network and sidechains.

Still plenty of scaling left in the Bitcoin ecosystem.


Bitcoin proof-of-work difficulty must always increase; the electrical needs are always ever-growing. While you claim that incentivizing electrical production is what POW does, in reality it is a large drain of electricity on a finite electrical grid's capacity and it DOES take away from other uses of electricity LIKE aluminum smelting or running hospitals. It is an active and actual source of pollution and uses more electricity than most countries. You can't handwave this away or insist upon your rhetorical framework when the apparent physical real-world consequences of POW cryptocurrency cannot be evaded or ignored.


The difficulty does and has (in the short term) decreased when the amount of hashpower being used goes down.

Presumably if the price went down by a substantial chunk and stayed down for a while, the hashpower would also decrease, and so the difficulty would also decrease.

Also, if electricity prices went up, or if CO2 emissions were taxed, then hashpower would decrease, and the difficulty would go down in turn.
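The retarget dynamics described in the comment above, as an added example that is not part of the thread and not code from Bitcoin Core: a small Python model of Bitcoin-style difficulty adjustment. It assumes the textbook rule (every 2016 blocks the target is scaled by actual/expected elapsed time, clamped to a factor of 4 in either direction), approximates one unit of difficulty as 2^32 expected hashes, and models block times as their expectation with no variance. The hashrate trajectory is constructed for the demonstration.

```python
BLOCKS_PER_EPOCH = 2016                 # Bitcoin retargets every 2016 blocks
TARGET_BLOCK_TIME = 600                 # seconds
TARGET_TIMESPAN = BLOCKS_PER_EPOCH * TARGET_BLOCK_TIME
MAX_ADJUST = 4                          # per-retarget clamp: measured timespan may move at most 4x either way
HASHES_PER_DIFFICULTY_UNIT = 2 ** 32    # approximation: expected hashes per block at difficulty 1


def expected_block_time(difficulty, hashrate):
    """Expected seconds per block for a network doing `hashrate` hashes/s (no variance modelled)."""
    return difficulty * HASHES_PER_DIFFICULTY_UNIT / hashrate


def retarget(difficulty, actual_timespan):
    """Difficulty for the next epoch. Bitcoin multiplies the *target* by actual/expected time,
    so the difficulty (the inverse of the target) is multiplied by expected/actual, after
    clamping the measured timespan to [expected/4, expected*4]."""
    clamped = min(max(actual_timespan, TARGET_TIMESPAN / MAX_ADJUST), TARGET_TIMESPAN * MAX_ADJUST)
    return difficulty * TARGET_TIMESPAN / clamped


def simulate(initial_difficulty, hashrates_per_epoch):
    """One retarget per epoch. Returns ([(difficulty, block_time_s) per epoch], final_difficulty)."""
    difficulty = initial_difficulty
    history = []
    for hashrate in hashrates_per_epoch:
        block_time = expected_block_time(difficulty, hashrate)
        history.append((difficulty, block_time))
        difficulty = retarget(difficulty, block_time * BLOCKS_PER_EPOCH)
    return history, difficulty


def hashpower_drop_scenario():
    """Constructed scenario: hashrate halves, holds, then collapses to 1/16 of its starting value."""
    h0 = 2 ** 32                                   # chosen so that difficulty 600 gives exactly 600 s blocks
    return simulate(600, [h0, h0 // 2, h0 // 2, h0 // 16, h0 // 16])


if __name__ == "__main__":
    history, final = hashpower_drop_scenario()
    for epoch, (d, bt) in enumerate(history):
        print(f"epoch {epoch}: difficulty {d:8.1f}  block time {bt:7.1f} s")
    print(f"difficulty entering next epoch: {final:.1f}")
```

The halving epoch shows the point made above: difficulty falls from 600 to 300 at the next retarget and block times return to 600 s. The 1/16 collapse shows the caveat a practitioner should keep in mind: the clamp lets one retarget cut difficulty by at most 4x, so blocks still take 1200 s for the following epoch, and because epochs are counted in blocks rather than wall-clock time, that slow epoch itself lasts about four weeks before the second retarget finishes the correction.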


Bitcoin difficulty does not always increase and needs not always increase.

As for the rest... so what? It uses a lot of electricity and there is some pollution---but a lot of bitcoin mining is done with hydro or geothermal (and will be nuclear if bitcoin continues to grow), so, so what about some pollution?


Some mining is powered sustainably. And for some of THAT power it is true that it wouldn't be used for residential anyway. But for the majority of BTC's power needs the sources are not renewable.

So there's a simple question: how much value do we get out of this tech per CO2e it emits and per ton of e-waste it creates. And AFAICT the answer is: not enough to keep tolerating it in a time where humanity as a whole is seriously worried about climate change for the first time ever.

If you can magically move _all_ the miners to sites with excess renewable electricity and permanently slash the hash rate by 99.9% then maybe it can be tolerated. Until then I would welcome more China-style crackdowns on mining activity across the world.


I can't tolerate the global exploitation of non-ruling people in every nation by their rulers via fiat money manipulation. (And every nation calling itself a "democracy" is actually a "bureaucracy.")

If you aren't upset about this, you probably haven't studied it. I say that in a spirit of helpfulness. Fiat money grossly distorts all of humanity's economic output and therefore retards our progress on all things, including fixing climate problems. Just one example: The US is becoming a nation of renters because enormous funds are buying up the houses with fiat money they borrow nearly for free.

Fortunately, with bitcoin, we can do something about that, without (eventually) harming the environment.


I don't see how cheaper energy would help. Bitcoin needs a certain amount of power in units of cost to be tied up mining to secure the network. If the cost of energy goes down ten times then the same PoW requires ten times the energy.


“as mining is more economical”

Mining doesn’t use a fixed amount of energy. As it becomes more economical more people will mine.


I agree with this. Just want to add, bitcoin mining can happen in remote locations with available power (hydro, geothermal) which are too far from cities to be transported by power wires. There is a limit to how far you can transmit electricity through wires. So, there are tons of untapped natural energy sources.


And precisely in places like these, such as Niagara Falls, you see coin mining displacing tangible goods production due to both needing cheap electricity and one being more profitable than the other. In this case the market is not thinking very clearly in long-term priorities, nor is infinite development of hydro and geothermal possible. Actually, this is about realizing that we live on a finite planet with finite resources that a finite amount of humans can finitely exploit finite parts of before the whole thing goes catawumpus. POW and current cryptocurrency systems are thoughtlessly and needlessly wasteful and represent inelegant architecture and brute-force hackery like Lightning to correct what ultimately isn't scalable: blockchain ledgers and fast transaction speeds vs centralization and speed. Look at DNS, for example, and how slow that is, and its architecture and full vs partial copies of ledgers and hierarchical canonical lookups etc.


You're ignoring the potential good of bitcoin there. All economic activity looks like a waste if you ignore what it's good for.

Niagara Falls is not what I had in mind. There is lots of untapped hydro power in extremely remote parts Canada where nobody lives, for example.


Everything is mutable with the possibility of physical destruction and long time scales. Even the existence of humanity is mutable when we play stupid games in MAD geopolitics, have foolish energy policy, and lack an ability to cooperate to mitigate tragedy-of-the-commons problems like, for example, what Proof of Work is causing.

If we do not bound the growth of PoW energy usage, I think it could easily destroy itself in a roundabout way: by destroying the fragile global order that keeps humanity going.


> Literally unprecedented in human history.

Hardly unprecedented, considering that until very recently nations did not have a monetary policy.


Monetary policy goes at least as far back as the Roman Empire, which adulterated their money supply over time.


I don't think this is what economists understand by monetary policy.


It's burning electricity (that could in an ideal world be renewable, maybe one day) to provide a service to the network, therefore making it more secure by providing additional processing capacity that is controlled by a good actor, making it harder for a bad actor to get 51% of the pie. It is a waste, but there are also a lot of other sources of wasted resources/energy that we could tackle first and get larger returns from.

You get compensated for your service, it may seem like a lottery, but if you do it for a long enough time, you'll get fairly steady returns as in theory it should be random and proportional to your hashrate.

I don't mine, and I think it's definitely overhyped at the moment, but maybe it will settle in the future and actually provide a useful service to us folk. It doesn't seem to be going away for now, and it is really easy to send money to friends and family, whether they're nextdoor or in another country.


The service is worthless if you can trust a central authority like a government that 99.99% of people do.


There are many countries where people cannot trust a central authority like a government to keep their savings remotely safe and stable in value.


Even in those cases you can use dollars and trust the US government


It is not a waste, as it provides physical security, exactly the same as idle nuclear missiles on standby do, or standing armies that are "doing nothing", until a war happens.

The vast majority of mining today uses sustainable energy (70%+), because it is actually cheaper.

Dishwashers and heated swimming pools use WAY more energy globally, but because pleasant luxuries are quite enjoyable, nobody seems to attack them.


> It is not a waste, as it provides physical security, exactly the same as idle nuclear missiles on standby do, or standing armies that are "doing nothing", until a war happens.

You don't think those get very wasteful in the real world? And there's no equivalent to a real war situation. You can set it up so you don't need to defend against the equivalent of enemy armies.

> The vast majority of mining today uses sustainable energy (70%+), because it is actually cheaper.

What kind of sustainable?

When miners locate next to hydro, and buy it up, that doesn't help anything. That hydro could have been sold as somewhat less cheap power elsewhere, after going over long wires, and then it would have reduced the load on coal plants.

Miners that eat up excess solar can theoretically do a lot to encourage the installation of solar, but they need to be happy letting their machines be turned off a large fraction of the time. If it's still profitable to run 20 hours a day, then they're still encouraging fossil power plants.

> Dishwashers and heated swimming pools use WAY more energy globally, but because pleasant luxuries are quite enjoyable, nobody seems to attack them.

Dishwashers are better than hand-washing, aren't they? Having plates is a lot more important than running cryptocurrencies in a particular way.

If heated swimming pools use that much, then sure let's go after that and use some kind of billing or taxes so they pay extra and encourage sustainable power sources.


I disagree that standing armies and nuclear weapons are a waste. They guarantee your security, which you seem to take for granted. Your views on this could change if you spend a few years in a warzone under artillery fire.

It is of course not 100% perfect analogy, nothing is, but I believe you understood the point I tried to get across: it's a security service, and that costs money. Blackwater stationary guard roles are 180-220k a year for someone with years of experience. I'd imagine monetary networks use a lot of physical security, some central banks are literally located in bunkers under mountains, with a backup site in a similar setup on a different geological plate.

I have not seen any PoS schemes so far that provide anything other than plutocracy as a service. There is a reason why ETH with a 100mil R&D budget is still on PoW, Vitalik is not a dummy.

As for the cheap sources of sustainable energy, those are usually stranded hydro and wind that's too remote to be economic, and stranded natgas (for natgas "green" might be a better term; I've used sustainable in the sense that CH4 is far more damaging than CO2. I've been told by regulators it is actually better to burn off CH4 from stranded wells).

Balancing of the grid also does happen, but I believe primarily with wind and hydro.

I, of course, agree that we should not pollute the Earth we live on. High energy usage in itself is not bad, only if it's a harmful polluter. I've only pointed out dishwashers and pools (don't have the stats handy, but they do indeed use a lot more, like a magnitude more), as a common hypocrisy.

We must rapidly scale up non-polluting energy sources, as it seems unlikely humanity can become a spacefaring species on a self-imposed tight energy budget, and this self-imposed handicap coupled with an unexpected asteroid impact can end us.


Pools in the US use 14 billion kWh; it's hard to imagine it being even globally orders of magnitude more than Bitcoin.

It's also hard to see how push button Armageddon has possibly made us more safe than nobody having nukes. We are only more safe than if only our enemies had them. The same could even be said of armies.


> but they need to be happy letting their machines be turned off a large fraction of the time

Or they need batteries. Or some other means of energy storage, for that matter; at the scale of a large mining farm, thermal (e.g. heating water) or kinetic (e.g. spinning a flywheel) might be practical.


There is zero waste in PoW. It’s all useful service, therefore waste term doesn’t apply.


If you use 100 watts incandescent light bulb to light your room with 1 watt LED would do, that is waste.


usefulness is subjective.


> The vast majority of mining today uses sustainable energy (70%+)

Do you have a source for this? I remember the same number being flaunted before but it turned out not to be true. What was true was that 70%+ of miners use any amount of renewables in their energy mix.


You’re right. The correct number is somewhere around 50%, probably over the line already, which is significantly better than any other big industry.


> The correct number is somewhere around 50%

Do you have some source for this? I see random numbers being thrown around a lot, would be nice to have a citation for yours.



> standing armies that are "doing nothing"

Armies have to practice. Smart generals don't let their armies do nothing; to be any good at warfighting, they have to fight wars. Effective standing armies have to constantly be finding new wars to fight.


Nice to see you rationalizing expenditure that goes towards murdering people. Are you the people talking down to bitcoiners about being wasteful and not caring about future of humanity? Give me a break.


How many people aren’t murdered because of armies though? Humans have been grouping and fighting each other for thousands of years now. You’re under the impression everyone should just… what… pretend it doesn’t happen?

When attacking a neighbor state costs more (because your neighbors have arms too), it’s less likely to happen.

The cold war had plenty of awful hot action with proxies and third parties but the entirely hot version obviously would have been far more calamitous.

I suggest reading Herodotus’ Histories, or you can read up on Genghis Khan, Napoleon, Hitler, Alexander, the Crusades, or the myriad other conquerors and conflicts that have occurred.


But when conflict is resolved by energy expenditure, it involves even less suffering.


I was presenting a case against large standing armies!


When I write code for my work does it not exist? I'm in essence minting new programs using my time as proof of work.


No, I'm quite sure the proof of work is a program which works.


PoW produces something intangible. You're probably basing on an assumption that tangible products are more worthy or justifiable of resources consumed than intangibles.

If you work with software development - which you probably do - I'd suggest checking what you do for a living, how much energy it consumes and how much physical product it generates.


That argument could even be somehow valid if it were only possible to demonstrate that these intangibles improve life for people, like contributing to food, housing, education or even only entertainment. They do not. We do not have to care for those who are affluent enough to burn electricity just in order to gamble. Those people have the resources to gamble in less harmful ways without raising electricity prices and polluting the air the way they do. Those people could even do something helpful and productive if they chose to. Cryptomining is wasting energy for the sake of wasting energy. You may argue we (the 99.999% who do not cryptomine) are too stupid to see the value of your imaginary intangibles but that's not true. We are the ones who want no part in a pyramid scheme, who do not want to succumb to gambling, and whose time and money are too scarce and too precious to be put on the line. Sure, all activity has its price, its waste, and sure, there are other occupations whose overall usefulness is doubtful and askew with the accompanying resource consumption. Doesn't mean you have to excuse bad behavior just because there are other guys doing no good.

Just as an aside, when you move a newspaper or a magazine from print to only existing as a web page, you certainly have 'dematerialized' it to a degree. However you still need hardware to keep and display the data and energy to move it around and light up the screens. In so far it does not stop being physical. The 'intangible' is somewhat of a red herring. Yes, it is less haptic, but it's still physics, physical all the way down. Other than that, currencies, freedom, equality, education, entertainment—we've been having intangibles all the time, at least from the dawn of human culture onward. Cryptomining does not bring anything genuinely new to the table in this respect. It's not even new in being a fraudulent, volatile scheme that betrays traits of a cult, one that benefits a few and hurts the many.


It produces just what the person said. A lottery win.


Perhaps we should insert humans in the loop, to verify whether useful work was performed.

Or some AI because humans are prone to bribery to some extent.

Or we could make it democratic. "Jeff Bezos asserts that he provided useful work for society and that he therefore deserves $1B this year. Please cast your votes".


PoB: Proof of Bullshit


PoW should actually stand for Proof of Waste. It's not even unprecedented in nature: many species will intentionally waste energy or resources to demonstrate mating fitness, as with a peacock's tail.

https://en.wikipedia.org/wiki/Signalling_theory


... or people going to the gym.

The problems start, of course, when you take a concept to its logical extreme.


I'm less concerned with wasting resources (which is highly subjective), than with ecological and systemic harms. I don't care whether a terawatt is "wasted" on pointless SHA256 hashes, or calculating triangles for Yet Another Marvel Movie, so long as the externality is being paid for [0].

[0] https://en.wikipedia.org/wiki/Pigovian_tax


Exactly. And by forcing the internalization of that externality, that forces the market to consider things which lack that externality.

The trick is to enforce it in such a way that it can't be easily dodged via e.g. offshoring.


At the limit, proof of work and proof of stake converge - they are the same thing, except for the Kazakh coal that is burned in the former along the way.

PoS staking is simply committing a portion of your capital to the task of validating transactions. You benefit by receiving a reward in the form of additional tokens.

In a PoW system, the same exact thing can be accomplished by using your tokens to purchase a stake in a mining pool. You will similarly be unable to access your capital, be rewarded with additional tokens, and at the end of a period of your choice, you can liquidate your position in the mining pool to reclaim your tokens.

[edit] PoW in this context is a bit worse because PoW miners can rent out their hash power maliciously without being slashed.

In this world, the "nothing at stake" problem also manifests in proof of work, where I believe ownership in the mining pool makes you agnostic to the outcome of any chain splits - although I'm still working this bit through in my head. Opinions welcome!


> PoW in this context is a bit worse because PoW miners can rent out their hash power maliciously without being slashed.

Sounds wrong. Slashing is a means to prevent people from staking on multiple chains. In PoW, computing power is scarce, so if you allocate some compute time to one chain then you have less of it on another chain. You automatically get slashed. The difficulty in designing a PoS chain is in artificially re-creating this slashing and thereby solving the "nothing at stake" problem.


Where is the difficulty in making miners expend their tokens (i.e. in a way that is irrevocable) instead of merely depositing them somewhere?


In a blockchain, the chain keeps splitting. Your tokens live on multiple competing chains simultaneously. In PoW, you are forced to pick one of those chains to mine on. In PoS, you can stake on all of them simultaneously.

The splitting is unavoidable and happens constantly. Multiple competing future states are constantly being created, and the network has to eventually arrive at a consensus about which possible future is the true one.

> Where is the difficulty in making miners expend their tokens (i.e. in a way that is irrevocable) instead of merely depositing them somewhere?

Figuring out how to make spending your tokens irrevocable is the whole point of PoW/PoS. Your question reads to me like "In trying to solve problem x, why don't you assume that you've already solved problem x, and use that to solve problem x."


> Figuring out how to make spending your tokens irrevocable is the whole point of PoW/PoS.

Maybe I'm missing something... if miners are required to send the tokens to an invalid address, are these tokens not lost irrevocably?


What stops miners from sending their tokens somewhere, then hard forking from a previous block where they didn’t send them?

This has a clear answer in PoW, but not in your scheme


Easy, you put the transaction in the previous block. So the miner can only mine a block if they have already made the expenditure.


What if I create a whole new chain? Will the transactions at the very beginning of that chain have to be added to the big, old chain? How far back do the common ancestors of two chains have to be for your auto-merging to happen? What happens if two histories conflict? Then in Version Control parlance, we have a "merge conflict".


What stops me from doing a hard fork to roll back both blocks?


If you spend more tokens than the tokens that were spent mining the last two blocks you can erase the transactions in those blocks, but isn't that also the case with PoW?


You aren’t following. The hard fork lets me double spend the tokens from those blocks.


Indeed, I'm not following your argument.


Stop asking people to do your homework.


No. Did you not read the comment you were responding to?


Yes, I read it. As far as I can see, it talks about 'staking', so it doesn't address what happens when the tokens are 'expended' as opposed to 'staked'.


You have two competing chains: Chain 1 and chain 2. On chain 1, you spend a token on a good. On chain 2, you spend no token. You wait for chain 1 to win the race. You then stake on chain 2 to get your money back. If chain 2 then overtakes chain 1, you've executed a double-spend attack.

An equivalent attack wouldn't work on a PoW chain. If you do the equivalent of "staking" on chain 2, then you're computing hashes, which is costing real-life resources. In the PoS case, without slashing, staking on chain 2 is free. In fact, this is the rational move to make every time you spend a token; stake on competing chains to get your token back.


Thanks for explaining (I'm a different someone)

There was a PoS mechanism that makes people who cheat lose all their coins? I wonder if it is relevant here

... Aha, that's "slashing" -- the other members in the network would look at the two chains, and notice that you were misbehaving, and add transactions that remove parts of your coins? (They'd add to both chains? Or just the winning one?)
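The two-chain double-spend scenario a few comments up, and the follow-up question about how the other members "notice" and remove coins, as an added example that is not part of the thread and not code from Algorand, Ethereum or any other chain. It is a toy Python model: validators sign votes for a block at a height, a detector collects valid votes and treats two signatures from the same validator for two different blocks at the same height as equivocation evidence, and the offender's stake is slashed. HMAC with a per-validator secret stands in for a real public-key signature (an assumption, so the detector needs the secret registry to verify; with Ed25519 or BLS any node could verify the evidence from public keys alone). The validators, stakes and blocks are constructed for the demonstration.

```python
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Vote:
    """A validator's attestation that `block_hash` is the block at `height`."""
    validator: str
    height: int
    block_hash: str
    sig: str


def block_hash(parent, payload):
    return hashlib.sha256(f"{parent}|{payload}".encode()).hexdigest()


def vote_message(validator, height, bh):
    return f"{validator}|{height}|{bh}".encode()


def sign_vote(secret, validator, height, bh):
    # Assumption: HMAC stands in for a public-key signature over the vote.
    sig = hmac.new(secret, vote_message(validator, height, bh), hashlib.sha256).hexdigest()
    return Vote(validator, height, bh, sig)


def verify_vote(secrets, vote):
    secret = secrets.get(vote.validator)
    if secret is None:
        return False
    expected = hmac.new(secret, vote_message(vote.validator, vote.height, vote.block_hash),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, vote.sig)


def find_equivocations(votes, secrets):
    """Map validator -> list of (vote_a, vote_b) pairs where both votes verify, share a height,
    and name different blocks. Unverifiable votes are dropped so nobody can be framed."""
    seen = defaultdict(dict)          # (validator, height) -> {block_hash: first vote seen}
    evidence = defaultdict(list)
    for vote in votes:
        if not verify_vote(secrets, vote):
            continue
        slot = seen[(vote.validator, vote.height)]
        for other_hash, other in slot.items():
            if other_hash != vote.block_hash:
                evidence[vote.validator].append((other, vote))
        slot.setdefault(vote.block_hash, vote)
    return dict(evidence)


def chain_weight(votes, secrets, stakes, bh):
    """Stake backing a block: the stake of every validator with a verifiable vote for it."""
    backers = {v.validator for v in votes if v.block_hash == bh and verify_vote(secrets, v)}
    return sum(stakes[b] for b in backers)


def apply_slashing(stakes, evidence, penalty=1.0):
    """Return a new stake table with each equivocator's stake cut by `penalty` (1.0 = all of it)."""
    slashed = dict(stakes)
    for validator in evidence:
        slashed[validator] = stakes[validator] * (1 - penalty)
    return slashed


def demo():
    # Constructed scenario: alice spends on chain 1, then also votes for chain 2 where she never spent.
    secrets = {"alice": b"alice-secret", "bob": b"bob-secret"}
    stakes = {"alice": 100.0, "bob": 60.0}
    genesis = "0" * 64
    chain1 = block_hash(genesis, "alice pays merchant 10")   # the spend happened
    chain2 = block_hash(genesis, "no transactions")          # the spend never happened
    votes = [
        sign_vote(secrets["alice"], "alice", 1, chain1),
        sign_vote(secrets["alice"], "alice", 1, chain2),     # costs her nothing: nothing at stake
        sign_vote(secrets["bob"], "bob", 1, chain1),
        Vote("bob", 1, chain2, "00" * 32),                   # forged vote trying to frame bob
    ]
    before = (chain_weight(votes, secrets, stakes, chain1), chain_weight(votes, secrets, stakes, chain2))
    evidence = find_equivocations(votes, secrets)
    after_stakes = apply_slashing(stakes, evidence)
    after = (chain_weight(votes, secrets, after_stakes, chain1),
             chain_weight(votes, secrets, after_stakes, chain2))
    return evidence, after_stakes, before, after


if __name__ == "__main__":
    evidence, stakes, before, after = demo()
    print("equivocators:", sorted(evidence))
    print("chain weights (chain1, chain2) before slashing:", before, "after:", after)
```

Without slashing, alice's stake counts toward both chains at once, which is the "nothing at stake" problem: voting on the second chain is free and gets her the spent coins back if that chain wins. The evidence the detector emits is just the two conflicting signed votes, which is also what a real slashing transaction carries, so in a chain with public-key signatures any node can verify it without trusting whoever reported it; that is why the forged vote against bob is discarded rather than acted on.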


> Proof of Work does not get you any votes at all

Within protocol, no. But when weighing a fork, those with the gold choose the rules.


The fork-wars of old will never happen again, IMO, on any chain of significance. These days, fork winners will be decided by the stablecoin operations they host. If ETH forks, for instance, hash power will follow whichever chain Jeremy Allaire deems the winner.


So literally one guy has control of Ethereum?


and every other PoS chain that relies on USDC and major exchanges.

So probably more than 1 guy. maybe 5-10.


And how is that better than a government?


It’s not. There is a huge gulf between Bitcoin and the rest of the crypto space. Bitcoin is certifiably decentralized hard money with an ossified monetary policy. I believe it is reasonable to conclude that something like Bitcoin can only happen once. The rest of crypto space isn’t really trying to be money, or is only pretending to be.


& what about Monero?


Regardless of Monero's technicals, new upcoming updates to BTC will infuse with privacy, therefore making Monero et al redundant.

BTC is also getting smart contracts soon, which makes ETH redundant as well, but it will take a while before it catches up in terms of possible complexity of the contracts.


Do you consider nuclear energy sustainable?

It's probably not renewable (well, neither is the Sun on large enough timescale), but do you believe nuclear, either fission or fusion, will play a large role in the future?


You make it sound like I need a new hobby - which I might haha.

> Do you consider nuclear energy sustainable?

Low-carbon, yes. Sustainable, yes. Renewable, not until we productionize extraction of uranium from seawater. [1]

> ... but do you believe nuclear, either fission or fusion, will play a large role in the future?

Fusion if we can crack it, totally. Seems like a clear winner. Fission probably will if there's some political will behind it, but not unless there's a change in sentiment.

[1] https://www.forbes.com/sites/jamesconca/2016/03/24/is-nuclea...


This article is complete FUD.

> of which the following sources are considered to be renewable

in other words, it attempts to define the world "renewable" along favoured political ideologies.

From Wikipedia:

> Advances in breeder reactor technology could allow the current reserves of uranium to provide power for humanity for billions of years, thus making nuclear power a sustainable energy

TL;DR: nuclear is just as renewable as solar (beyond any likely duration of the human civilisation).


I saw the renewability as more of a thought exercise, because I agree with you, there's more than enough nuclear feedstock to keep us going indefinitely.


forkwars have shown in practise this isn't the case.

Status quo will be incredibly difficult to overcome for attackers; even with a large chunk of industry, exchanges, miners and whales against the status quo, it prevailed.


> Proof of Work does not get you any votes at all.

Hmm, maybe I’m ignorant, but in practice, don’t miners (socially, not technically) have substantial say in issues like the block size debate?

If you want to create a hard fork of the chain for any reason, whether people accept your fork as legitimate will in part reflect the total hashing power of that forked chain, right? So in practice what miners choose to follow will have a big impact.

Maybe not quite the same as PoS in-chain voting, but it still seems to give large miners outsized power, no?


> It comes with a very real nuclear option that will bankrupt miners if you misbehave and get fired by hashing algo change.

Changing the hashing algo isn’t a realistic punishment for targeting misbehaving miners.

You end up with two choices:

1. Change to an algorithm that uses gpu/cpu instead of ASICs (and is ASIC-resistant), but then your algo runs on general-purpose computing and you can’t fork miners off ever again.

2. Move to another algo that benefits from ASICs. This has the extra overhead that you need to spin up manufacturing and distribution of these ASICs to honest miners, which takes quite a long time to do and while you’re waiting, your network is being attacked.

In either case, you aren’t just punishing a misbehaving miner, you’re punishing *all* miners who now all need to get funding to buy and rack new hardware. You’re making a big assumption that the misbehaving miner won’t be able to get financing or sufficient capital while the honest ones will. If the dishonest miner’s attack was profitable while waiting for the fork, they get to keep all of that money and can spend it on new hardware.

In PoS, the attacker will lose their stake, meaning they lose the money they had before, and earned as a result of, the attack. It may be much more difficult for that validator to get access to capital and lenders will be hesitant to lend to an entity that now has a history of burning capital.


> hashing algo

You mean Proof of Work algorithm. Which is not quite the same as hashing function [1].

[1] https://cryptorials.io/beyond-hashcash-proof-work-theres-min...


hi tromp! good to see you are on here too.

...just re-using the terms for continuity and simplicity's sake.

yes, a PoW algo is probably a better generic term, although I am not confident complex algos would be accepted as first-line replacements by the wider community.

am I wrong in that assessment?


Some of the hashing functions used with hashcash are exceedingly complex, such as RandomX used in a popular coin. Even scrypt, an extremely popular choice of hash function, is relatively complex, long after its 128KB memory footprint briefly served its purpose of resisting ASICs.

You're right that Bitcoin will never accept a change of PoW. At least not until SHA256 shows signs of being broken.


> Proof of Work does not get you any votes at all.

It only buys you the right to append a block of transactions to the ledger, which is the same thing as having 100% of the votes.


Nonsense. Mining gives you zero votes. Miners don’t control the protocol. Governance is not determined by hashrate. This is just another major flaw that all PoS shitcoins have.


No one is talking about governance. The term "consensus" refers to the decision about which transactions to append to the ledger, and the decision is to go with whatever set of transactions the miner that has spent the most money has chosen. It has nothing to do with governance issues.


then if you're not talking about governance, you're still wrong. there's no voting, only if you insist on re-defining what words mean, at which point i won't be interested in continuing the discussion.


Of course there is voting. Who do you think decides which transactions go in the chain, and in what order? The miner who wins leader election during this round (in Bitcoin anyway) does, and the rest of the nodes decide whether to accept its vote. The other nodes can also choose to reject this vote for a while, as long as after seeing it they don't accept a chain with less hashpower, and still follow the protocol (more or less).

The leader can even opt to put no transactions in the current block, something that has actually happened on many occasions: https://www.theblockcrypto.com/post/67928/bitcoin-miners-are.... Obviously, the leader was making a decision here, there were not actually zero transactions to process :)


You have zero clue how bitcoin works.

No, there is no voting and there is no leader election. Miners construct blocks with transactions and if they manage to find a signature - that block is appended to the chain. If somebody does it faster - they append their block.

Please at least get the basics before you start arguing with people.


What, exactly, do you think the purpose of computing a SHA prefix is? It's to perform distributed, decentralized leader election. The leader who wins has the privilege of proposing the next block. "If somebody does it faster" is the voting aspect--nodes vote on who they think did it faster, and it is quite possible that they disagree (which can only be resolved by another round of leader election, since the next leader can choose which block to continue from). In the event that there's a longest chain, of course, nodes will go with the longest chain as a tiebreaker scenario.

I know far more about Bitcoin than I ever wanted to, believe me. You really should not be making these kinds of ad hominem arguments when you don't understand terms like "consensus" or "leader election."


> The leader who wins has the privilege of proposing the next block.

No, the hash that you win with, deterministically points to the only possible block that you can “propose”. Your understanding is completely backwards. You seriously don’t know how bitcoin works.


Whether leader election happens at the same time as the block is proposed or not is completely irrelevant to the nature of the problem from a distributed systems perspective. The point is that in each round, the leader both wins the election, and proposes the next block. There are other variants of proof of work in which the leader is allowed to continue generating new blocks for a period of time and (AFAIK) these inherit all of Bitcoin's security properties.

Here is my question to you: if the node that wins the election (and the ones that accept its mined block, of course) is not the one voting on which transactions get to go into the chain, rather than be stuck in the mempool somewhere, who is? Do you genuinely think there is no decision being made there?


You're confusing the discussion by trying to force the "leader" terminology. That term does not appear in the BTC whitepaper and the protocol's approach to consensus is different than a traditional leader elected system.

There is no "voting" and no "leader" except in the most abstract sense and I'm not sure why you're so determined to use those terms.


There is no leader election. You trying to insist on this terminology is like trying to explain that the earth is really flat by proposing some very special space metric.

All miners “vote” by hashing and one of them wins. They don’t win because somebody voted for them, they win because they happened to find a satisfactory hash. The chance to win that hash faster than other miners is proportional to hashrate. The hash is determined by the block of transactions entirely, so once you win the race, you don’t get to propose anything other than that one predetermined block.

Which transactions go into a block is decided before any mining for that transaction happens.

Just read, please.


> Just read, please.

You're coming off worse in this argument because you seem to realize on some level they're just using different (possibly wrong) terms in their accurate description of the mechanisms, but then you keep making snide remarks that imply they don't understand the mechanisms.


i in fact do insist on them not understanding the mechanism. trying to force incoherent terminology is just the largest red flag signifying that lack of understanding. snide remarks is my bad, i definitely lost my patience, it's hard to argue with somebody saying that sky is pink because they've changed what pink means.


Red flag, sure. But when they say things like "The peer-reviewed paper to which I linked, which I am not proposing as a replacement for Bitcoin, explains (to those who are willing to read it) why the block being chosen before or after the leader election does not matter when it comes to the security and consensus properties of Bitcoin." it seems very clear to me that they do understand the mechanism, despite that red flag.

I think your analogy to flat earth was better. Because sure, treating the earth as flat isn't correct, but it's often a perfectly good approximation, and arguing about whether a big field is flat or not is a giant waste of time. Don't completely dismiss someone because they use those terms.

"Leader" or not, it's basically equivalent. And the process of letting miners input yes/no values for whether they support a proposal into their block, averaged over thousands of blocks, gives you the same result as "voting". So talk about whether those results are useful.


There are variants of PoS where stakers can delegate their "votes" to other stakers and there are variants where validators compete for "leader" timeslots. These words carry certain meaning and none of it is useful or applicable to bitcoin. As with flat earth analogy, I agree that it's possible to have this perspective, i just think it's harmful for conveying the idea of bitcoin correctly.


You are really stretching, man. The term “leader” does not really apply in this mechanism.


> No, there is no voting and there is no leader election.

Every 10 minutes a miner wins the right to append a block to the chain, by guessing a secret number. The chances of winning are proportional to the amount of money each miner has expended in the process of guessing the secret number. This is equivalent to holding a vote every 10 minutes in order to choose who gets to append the transaction block. Therefore, you're wrong. There's a vote. And if you can't understand this obvious fact about bitcoin, you have no business discussing bitcoin.


Obviously I can’t change your decision to use this terminology, but ponder this: when the leader is elected every 10 minutes, do they get a choice of what block they append to the chain? No they don’t. So was it election of the leader or election of the block? And if it was an election, wouldn’t the result always be the same with largest miner always winning because they have most votes?

As I said in a sibling thread, it’s like arguing the earth is flat by proposing a very special metric of space. Feel free of course, I just don’t accept it.


> when the leader is elected every 10 minutes, do they get a choice of what block they append to the chain? No they don’t.

Yes, they do get to choose the block. Transactions to include in the block are (usually) chosen from the mempool, which is unique per node (it’s similar but never exactly the same between any two nodes). Miners can also choose to include transactions that were never publicly broadcasted, and therefore never appeared in another mempool. Typically the transactions with highest fees are chosen, although fees can also be paid (or bumped) outside the mempool.

The miner of a block doesn’t get to choose the contents of every transaction, but they do choose which transactions to include when they win a block.

It seems like you’re hung up on terms that aren’t commonly used in the context of bitcoin mining, but are valid and are commonly used in the broader context of distributed systems.


You’re not paying attention. Does miner have a choice what transactions to include after they win the “election”? Don’t rush, take your time.


> do they get a choice of what block they append to the chain? No they don’t.

Of course, they have a choice. If they didn't, miners would serve no purpose. We would just have one block and that would be the block that would be appended. The consensus would be achieved automatically, without any need of guessing secret numbers.

> And if it was an election, wouldn’t the result always be the same with largest miner always winning because they have most votes?

No, because the miner is elected at random. The crucial point to understand is that their chances of getting elected are proportional to the money they spent. That doesn't mean the largest miner will get elected 100% of the time.


> Of course, they have a choice

lol, no they don't.

a certain hash wins, every ~10 minutes. that hash is calculated from sha(block, nonce), where nonce is the randomized part that miner mutates to get different hashes. once a hash that satisfies the protocol is found - that's it, you can't choose a different block to append to the chain.

it is just laughable that i have to explain this level of basics.


Okay, and who chooses the block? (Hint: it's the node that wins leader election).

Maybe this article will help you understand just how nonessential the fact that the block is part of the SHA actually is: https://www.usenix.org/system/files/conference/nsdi16/nsdi16.... Please read the whole article, and then come back so we can have a discussion on equal footing.


> Okay, and who chooses the block?

well certainly not the winner of the "election", because by the time that "election" starts, the block is already constructed.

and i'm not going to read any of your links until you actually start understanding the basics of bitcoin protocol. though your lack of understanding explains perfectly why you fall for scammy bells and whistles of competing bitcoin-wannabes. "bitcoin new generation". lol, give me a break.


The peer-reviewed paper to which I linked, which I am not proposing as a replacement for Bitcoin, explains (to those who are willing to read it) why the block being chosen before or after the leader election does not matter when it comes to the security and consensus properties of Bitcoin. It is important for you to understand that this does not matter so you can understand why when the block is chosen does not change the fact that leader election is being performed.

Again, I'll ask you, since you keep dodging the question: if the node elected as leader is (according to you) not choosing the block, who is choosing the block? Why are you so obsessed with whether the value was chosen "before" or "after" the election, which is an irrelevant detail of the protocol? If you can't answer these things and won't read the paper, I don't really see any reason to keep talking to you, because all you've done is make the same irrelevant point over and over.


Where do you think the transactions included in the block come from? The miner picks them.


and now the weaseling starts. i asked a very specific question:

1. once the "leader" is "elected"

2. do they have a choice of what block to append?

you said they do, which is fundamental lack of understanding of how bitcoin works.


The question that you asked was:

> when the leader is elected every 10 minutes, do they get a choice of what block they append to the chain?

and the answer is yes, the miner that gets elected chooses which transactions to append to the chain. Do they pick the transactions after getting elected? No, they pick them before getting elected. In fact, it doesn't matter whether they pick the transactions before or after getting elected, because their chances of getting elected are unaffected by which transactions they picked. Therefore, it makes absolutely no difference. The fact that you think it makes a difference tells me you're very confused about the role miners have in the bitcoin network.
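The mechanism both sides of this exchange are describing (and the `sha(block, nonce)` step mentioned a few comments up), as an added toy example that is not part of the thread or of Bitcoin's code: the miner picks transactions from its own mempool before hashing, the nonce search is over a block whose contents are already fixed, and any later change to those contents breaks the proof. The mempool, fees and difficulty are constructed sample values.

```python
"""Toy proof-of-work miner, constructed for this thread (not Bitcoin code).

Shows the ordering the commenters argue about: a miner chooses which
transactions go into its candidate block *before* the nonce search, and the
winning nonce is bound to exactly that block. Difficulty is tiny so it runs
in well under a second; real Bitcoin hashes an 80-byte header with a Merkle root.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str   # constructed sample identifier, not a real transaction id
    fee: int    # constructed sample fee


# Constructed sample mempool; every miner sees roughly (not exactly) this set.
MEMPOOL = [
    Tx("a1", fee=500), Tx("b2", fee=50), Tx("c3", fee=900),
    Tx("d4", fee=120), Tx("e5", fee=5),
]


def select_txs(mempool, max_txs, policy="max_fee"):
    """The miner's own choice, made before any hashing.

    'max_fee' is what a rational miner does; 'empty' is the coinbase-only
    block the thread links to. A blacklist or a privately submitted
    transaction would be just another policy here.
    """
    if policy == "empty":
        return []
    if policy == "max_fee":
        return sorted(mempool, key=lambda t: t.fee, reverse=True)[:max_txs]
    raise ValueError(f"unknown policy {policy!r}")


def tx_commitment(txs):
    """Stand-in for Bitcoin's Merkle root: a hash over the ordered txids."""
    return hashlib.sha256(",".join(t.txid for t in txs).encode()).digest()


def _header_hash(prev_hash, commitment, nonce):
    """Double SHA-256 of (prev_hash || tx commitment || nonce)."""
    header = prev_hash + commitment + nonce.to_bytes(8, "big")
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()


def block_hash(prev_hash, txs, nonce):
    return _header_hash(prev_hash, tx_commitment(txs), nonce)


def meets_target(h, difficulty_bits):
    """True when the hash has at least difficulty_bits leading zero bits."""
    return int.from_bytes(h, "big") >> (256 - difficulty_bits) == 0


def mine(prev_hash, txs, difficulty_bits, max_nonce=1 << 24):
    """Search nonces for a block whose contents are already fixed.

    Returns (nonce, hash), or None when the nonce budget runs out, i.e. the
    miner gave up this round (in practice: someone else found a block first).
    """
    commitment = tx_commitment(txs)   # fixed before the race starts
    for nonce in range(max_nonce):
        h = _header_hash(prev_hash, commitment, nonce)
        if meets_target(h, difficulty_bits):
            return nonce, h
    return None


def verify(prev_hash, txs, nonce, claimed_hash, difficulty_bits):
    """What every receiving node does: recompute, never trust.

    If the transaction list is altered after the nonce was found, the
    recomputed hash no longer matches, so the proof does not cover the
    altered block.
    """
    h = block_hash(prev_hash, txs, nonce)
    return h == claimed_hash and meets_target(h, difficulty_bits)


if __name__ == "__main__":
    prev = bytes(32)                      # constructed "previous block" hash
    chosen = select_txs(MEMPOOL, max_txs=3)
    nonce, h = mine(prev, chosen, difficulty_bits=16)
    print("mined", h.hex(), "nonce", nonce, "txs", [t.txid for t in chosen])
    print("original verifies:", verify(prev, chosen, nonce, h, 16))
    print("tampered verifies:", verify(prev, chosen[:-1], nonce, h, 16))
```

The `policy` argument is the whole of the disputed "choice": it is exercised before `mine` runs, and the nonce found afterwards is useless for any other block.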


The answer is no and you’re clueless if you think otherwise. The “leader” has no choice in blocks or transactions after they “win” the “election”.


The "leader" has no choice after they win the current round but they do have a choice as to what to include in the winning block before they start hashing.

Maybe they act like all the other rational miners and optimize by mining fees.

Maybe they include no transactions and only take the miner reward.

Maybe they don't like the Dutch so all their transactions are excluded.

It really doesn't matter as all y'all have been arguing over is what to call the person who won the current round.


Everybody has that choice before they win the election, so are they all leaders?

You really don’t see how this terminology is completely incoherent for this scenario?


They become a "leader" when they get elected, so only one of them becomes the "leader". There's nothing incoherent about this terminology.


lol, they don't understand you


I think you're missing the larger picture of accruing blocks over time, and deciding what is the "canonical" largest chain.

A miner can choose which block to build on. At any given moment Bitcoin can have several competing "in progress" forks. This is why most exchanges require... 7, I think?... blocks on top of yours to consider the transaction more or less confirmed.

> And if it was an election, wouldn’t the result always be the same with largest miner always winning because they have most votes?

Yes, this is a 51% attack in Bitcoin. If you have a majority of votes, you can disregard the current chain, fork from behind, and catch up.


I’ve been reading this thread. I have no idea why these people insist on using the word “leader” when it doesn’t fit. Is there some ideological reason for this?


There is no "ideological" reason. I don't even own cryptocurrency. It's just a fact that the entire purpose of proof of work is to perform leader election. The defining characteristic of leader election is that only the leader commits new values, and there should only be one leader eventually chosen for a given round; the definition has nothing to do with using some sort of majority vote or anything like that. To see how it differs from "ordinary" consensus, I want you to tell me how a Bitcoin-like system could be used to decide on any value other than either (i) one known in advance by all parties (which doesn't require a consensus protocol at all), or (ii) one chosen by the node that wins the block lottery.

This is expanded upon in the peer-reviewed Bitcoin-NG paper that both of you are refusing to read, which breaks down the Bitcoin protocol into distinct parts (which was why I linked it--not because I am proposing that it replace the Bitcoin protocol, but because I thought it would be useful for you to understand how Bitcoin performs leader election already). Specifically, it analyzes the effects of splitting up leader election and block commit parts of the protocol. As it turns out, it has essentially no effect on Bitcoin's security guarantees, which is not surprising--because the fact that block selection and leader election happen at the same time is an implementation detail that doesn't actually matter! Once you realize this detail that you are obsessing over (the block being decided at the same time the leader is) is not important for the protocol, you will also see that the leader election is in fact the critical part.


You have it backwards.

Nodes decide if they will append your block to their chain.

A miner that decides to mine out of consensus blocks is just burning money, and will be on their own fork with their “100% votes” that nobody else uses.

Give it a try, spend a few million on mining equipment and then try forcing something on the network.

It’s not a democratic system, never was.


Nodes have zero decision power, as far as I understand. They just go with the chain that is the most expensive to produce.


That’s incorrect.

The proposed block must comply with the rules your node enforced, or it will not be accepted. It’s not just work, but also the entire consensus-set they must abide by.

Miners cannot force new rules, if there is no consensus.


Eh? Can't miners refuse to include transactions that don't adhere to new conditions in addition to old ones?

If 51% of miners decide to, after block #N, not include any transaction that doesn't satisfy the predicate P in any block they produce, nor mine on any chain which has a block after block #N which has a transaction that doesn't satisfy predicate P, then the longest chain will have all the transactions after block #N be ones which satisfy P, and furthermore, if the other 49% of miners are aware that this is happening, if they want their blocks to be in the longest chain, they have incentive to follow the same rules when mining.

This is the logic behind soft forks, is it not?


No, you're misunderstanding everything. The consensus mechanism is about agreeing about the contents of the blockchain, not about the rules that make up the bitcoin protocol.


And stakers in PoS do exactly the same thing. They don't have any more "votes" than miners do.


PoW at least provides a decent and somewhat fair coin distribution mechanism.

With PoS, the coin creators can assign themselves an arbitrary fraction of the coins, concentrating the wealth. Even if there is a public record of all the funds raised in a public sale and all expenditures made (which is rarely the case), it's possible for the creators to participate in the public sale and recover large parts of funds used to buy their own token by generous expenditures on software development and such.


I think this is organizational more than technological.

There are plenty of PoW coins with unfair or absurd distributions, and plenty of PoS coins with somewhat equitable distributions.


Yes, PoW coin emission curves often leave something to be desired, tending to emit too much in the first few years, which leads to some wealth concentration as well.

In my opinion a fixed block subsidy would be most equitable, but that's a very slow emission, taking 100 years to reach a yearly supply inflation under 1%.


Do you believe PoW can be used as a bootstrap mechanism, and then some combo of PoS/PoW in the maintenance mode?

Who is the top researcher on this subject these days?


It could be interesting to bootstrap a PoS network using the wallet keys for all existing public blockchains, by allowing users to initialize their PoS wallet with the fiat value of their PoW keys held at some agreed moment in time. I toyed with this idea for a while, but I don't know how you could keep the network secure until a significant proportion of the total value has been claimed.

Anyway, I'd also be interested to know if there's existing or active research along these lines.


Yes PoW is way better because miners need to constantly expend resources to maintain their right to participate. PoS validators keep their throne for life at virtually no cost.


But like PoS, PoW returns all spent resources and more back to the miner - both are designed to be profitable and self-sustaining.

I don't see much difference between a PoW mining setup that does $1000/day gross, $990/day expense, $10/day profit and a PoS staking setup that does $12/day gross, $2/day expense, $10/day profit. Both earn $10/day, both require maintenance, and both are run not at a net cost but at a net profit.


You can't transmute Bitcoin back into electricity and ASICs. You have to generate more of both, which is extrinsic to the protocol and thus available to currently-non-participating actors. PoS does not have this property.


The main difference is that the top miners don’t stay the top miners. There is constant churn. The top stakers remain the top stakers at virtually no cost, and they will almost always be custodians/financial institutions.

Additionally mining isn’t always profitable. There is financial risk and miners can go bust and take financial risk. Staking is basically always profitable if you don’t misbehave.


> Why would they structure it otherwise?

It gets a lot more complicated than that because setting up competing systems is cheap. It is like saying "nobody would write this piece of software for free". What we learned with open source is if the cost of distribution gets low enough then there needs to be just one person somewhere on earth willing to maintain it and it can work.

If the cost of creating trustworthy local (or international) monetary systems is basically 0 then it isn't obvious that plutocrats have an advantage beyond the one they already have by virtue of being powerful. If they can force you to use their system they already control the government so didn't need any technical help.


You can't fork gigawatt powerplants and silicon foundries by clicking a button on Github.

You can't even fork a stablecoin. In case of a split in a PoS chain, the correct fork will be decided for you by USDC and Coinbase.


You can fork decentralized over (crypto) collateralized stablecoins even if you can't force a fork of a centralized stablecoin operated by an incorporated entity to be recognized by them.

Unless we're going to pretend that there is only one way on and off networks and only in one currency denomination…


> You can fork decentralized over (crypto) collateralized stablecoins

In practice the value of the forked collateral is likely to be low, leaving the stablecoins insolvent.


If you are forking the chain state and not just the vm, that could be the case.

However, if you are only forking the vm and allowing for people to deploy other protocols (or forks of other protocols), this is not the case (they just start off at lower total supply relative to the native collateral available on that network from a lower demand base).


I don't consider it a fork unless it includes the state. For example, ZCash is based on Bitcoin code but nobody considers it a fork of Bitcoin and there are various chains like Avalanche that support EVM but they aren't forks of Ethereum.


> I don't consider it a fork unless it includes the state.

I think I'd agree for things like ZCash/Dash etc compared to BTC, but I'm not sure I'd agree when it comes to all the contracts deployed on all EVM networks, and none of this has anything to do with decentralized stablecoins.

For example, you can mint MIM (a decentralized stablecoin) on both avalanche c-chain and ethereum (as well as polygon, fantom, bsc and arbitrum), and they are both worth $1, but have different collateral backing it on both networks. If users wanted to leave one or the other, they could just redeem their mim for the underlying, sell it and buy the collateral on another network and mint it on the other network. The collateral might trade lower on one network based on market factors (like if the narrative shifted to that the chain became too centralized or w/e, and this assumes that even the price movement of the underlying overwhelms the over collateralization ratio, it might not) but it would just mean that there would be more or less mim on that particular network as assets are liquidated and not that the MIM itself would be worth less.


how do I send a wire to DAI?


You don't. You send a wire to someone who's willing to send you some DAI in return.


Just because you may not be willing to swap cash/gold/anything a local counterparty values in whatever jurisdiction you reside in for a random network's gas and/or tokens that trade on them, doesn't mean others cannot.

If you want to use coinbase to buy crypto and tokens, that's on you.


PoW and PoS are exactly the same, 1 dollar gets you 1 vote. If you want 1 person, 1 vote you need 1) a census, and 2) a mechanism to prevent the sale and purchase of votes.


> The more subtle and wildly prevalent failure mode is that the consensus will be set by the few whales, who will maximize their rent extraction at the expense of numerous small players, which will include most later adopters, aka the entire population of Earth.

And that's where competition between currencies provides checks and balances against such pathological behaviours.


> in DAOs, every vote resembles a banana republic: "90% voted, 90% in favour"

I've been wondering about that recently - for all of the excitement about DAOs and Governance Tokens, are there any good examples of interesting decisions being made via their voting mechanisms?

What are some places I can go to see recent votes and their outcomes?


How is that different from PoW or our current political system?


miners go bankrupt in PoW for misbehaving. Large stakers can be rewarded for misbehaving, at your expense.


They only go bankrupt if they don't hold the majority of the mining power, if they do they take over. How is this different from PoS?

Actually in PoS if you try to attack and you don't have a majority you will lose all your coins. In PoW if you try to attack and somehow you miscalculated you will lose a couple of hours' worth of electricity, after which you can go back to mining normally, so much lower stakes for an attack.


Because money can't literally buy votes. No matter how many ads you show me I would never vote for Trump.


PoS in Ethereum is not a plutocracy... There is no voting with the token or any other governance. The stakers do not control the network, by design. The whole system works only if everybody (holders/users/stakers/devs) cooperate together.


Only some, it seems, are more equal than others.

https://twitter.com/vitalikbuterin/status/760232885483806720


I'm not sure what you are linking to. This looks like a tweet from 2016.


I think what the parent is referring to is the DAO hack (from 2016) and how Ethereum’s response was to renege on “Code is Law” (and the integrity of the blockchain) in order to void those transactions (smart contract exploits), which is a case of centralization resurfacing because VB could subvert the proof of work system when his own money was at risk.

Ethereum Classic is the fork that refused to rewrite the blockchain to void the hack, and the linked tweet is VB affirming that he’s only working on the main (reneging) Ethereum fork (which goes by ETH), not Classic (goes by ETC).

Not sure why the parent linked that tweet, maybe Twitter just makes it too hard to identify what tweet you actually want.


I've recently read that the blockchain was not rewritten or unrolled. It was actually executed forward through an "irregular state change". In other words, it made a new transaction instead of erasing or modifying old transactions, and that was done with consensus of all those who ran the ETH client. Those who didn't agree went to ETC, but the market chose ETH in the end.


Regardless of how you word it, it amounts to the same thing: the protocol and signed, validated history say this happened, now we act like they did not, which is a violation of blockchain integrity.


No, that's not what happened. No history was changed, and nothing was re-validated as you suggest. There was no "violation of blockchain integrity". The only thing that happened was that the upgraded version executed what's known as an "irregular state-change" which moved the ETH from TheDAO's smart contract to a new secure contract. So, it wasn't a roll-back, but a roll-forward, and the change was mined using PoW in accordance with all the blockchain block selection rules.


The hackers ("hackers") made valid transactions.

The hard fork reversed those transactions.

No matter what fancy spin you put on it, that was absolutely a violation of the blockchain's integrity, as it violated the principle that accepted transactions can't be reversed after the fact, even if you call it an "irregular state-change" that just keeps things secure.

You can absolutely defend the position that this was best for the ETH ecosystem. But it was absolutely a reneging on the blockchain rules.


"Code is Law" was never part of Ethereum's ethos. It was some meme created by the company behind The DAO, and perhaps many people in the community supported it, but it wasn't part of Ethereum.


That’s absurd.

People will opt out of currency regimes that are abusive. This is not like a terrestrial government where you are fucked for life because a bureaucracy controls the land you live on. You don’t have to immigrate to escape a corrupt currency. And you don’t have to all-in in one currency.

If you own dozens of coins, you liquidate the shitcoin that is controlled by corrupt tycoons.


> You want the multibillionaires to dictate the properties of the medium of exchange that serves the entire globe?

Somebody tell him about the r-family.


That’s going to be the effect with every currency as the people starting it are going to have the most.

Just how it works.


PoS validation does not have to include any more power than a bitcoin miner has.


>> consensus will be set by the few whales, who will maximize their rent extraction at the expense of numerous small players

Aren't you just describing capitalism here? The people that created the system and own the biggest share of it have gigantic influence on it. Matter of fact, isn't that exactly what happened in Ethereum's PoW network, too? The developers decided to switch to PoS regardless of what the current participants want.

In general, isn't the idea of using PoS that if you aren't happy with the current system, you can easily fork into a competitor? If enough people think the current system is unjust, then you can switch to the new one, where you will be part of the development. At the beginning of the fork you also wouldn't need that much compute, as PoS is more efficient and you aren't going to have many users/transactions in the first place.

Since it's easy to switch currency (at least easier than privately setting up a Dollar 2.0), members of the original currency have to behave fairly, else people are going to switch. Note: The thing people are switching to doesn't even have to be better in any way than the original currency. It just has to have different controllers to influence the members of the original system.

The way I see it, is that there's no meaningful way in which PoS based currencies are worse than the current monetary system: large stakeholders in current global currencies also have gigantic leverage (think of money printing during the pandemic or bailouts after the 2008 financial crisis). The real advantage I see with PoS systems is not the system itself, but the tooling that comes with it and allows for the development of competitor currencies that check the power of each other. With current global currencies there's no checks-and-balances system inside the monetary decision making process, while a fleet of independent PoS has the chance for checks and balances to be induced through competitive pressure.


> Aren't you just describing capitalism here?

It fairly describes every political system and economic system that has ever existed or will ever exist. What's being described is how humans always organize systems in regards to political and economic power.

See: Socialism, Communism, Fascism. It applies just the same to those. Except in those systems they'll murder you and your entire family, then burn your village/town to the ground, if you attempt to compete with the rulers or party (Chavez, Castro, Stalin, Lenin, Mao, Hitler, Mussolini, Pol Pot, Kim, Putin, Erdogan, Lukashenko, etc.).

Whereas I can freely compete with Coca Cola, Tesla, Salesforce, Splunk, DigitalOcean, Cloudflare, Starbucks, 3M and most other companies if I'm able to. Nobody is stopping me from inventing a new coffee drink and going after Starbucks with it, or setting up a better coffee chain on the corner. Nobody is stopping me from inventing a better soda-competing drink (see: Monster or Red Bull or 5-hour Energy; those people weren't assassinated by the soda cartel). Nobody is preventing me from starting the next great convenience store (ask 7-11 how they feel about upcoming Sheetz; or ask KFC how they feel about Chick-fil-A).


“Meet the new boss, same as the old boss…”


> but that would destroy the network and destroy his value that he sunk into the network

Isn’t the whole point that by that time he would have withdrawn from the network so he would sink it without losing anything himself.


But...if you no longer have value on the network, doesn't that mean you no longer have enough stake to control the network?


You can fork far in the past, before you cashed out. Any new entrants into the network will not be able to distinguish your fork from the real chain. You cannot be slashed for this in the real chain because you already cashed out your stake there.

This 'long range attack' is different from a 50% attack because it doesn't affect nodes that were running before the attack happened. But a situation where new entrants into the network are uncertain of the 'true' fork is not tenable in the long term.

This seems more viable for a value destruction attack than for a double spend. But value destruction can be lucrative for blackmail. It means a coalition of stakers could withdraw their stakes and state "increases the blocksize or suffer a long-range attack".


> But a situation where new entrants into the network are uncertain of the 'true' fork is not tenable in the long term.

This is an important point to consider, but it can be mitigated with exit delays. E.g. with Eth2's current settings, if an attacker had 2/3 stake at one point, I believe it would take them 6-7 months to exit all those validators. So while it's true that new entrants must sync from a trusted checkpoint, the checkpoint can be quite old.

Let's say my client has a hardcoded list of checkpoints, with a new one added once a month. The client would only accept forks containing all of those checkpoints in their history.

It seems like there are two ways an attacker with commit access might try to corrupt this checkpoint list. First, they could try to add bad checkpoints over a period of 6-7 months, until they've fully exited and can safely perform a long-fork attack. This seems impractical, since the bad checkpoints would be noticed by existing node operators (who would get stuck after upgrading their clients), and 6-7 months seems like plenty of time to raise the alarm.

Alternatively, an attacker could just delete 6+ good checkpoints, and replace them with 6+ bad ones, all at once. This would violate the convention of adding monthly checkpoints, so it should be easily recognized as a malicious change. One could argue that it might go unnoticed anyway, but sneaking in such a change seems roughly as hard as sneaking in any other clearly-malicious client change.
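
The two checks this comment describes, as an added example that is not part of the thread and not any client's code: a candidate fork is accepted only if it carries every hardcoded checkpoint at its height, and a proposed change to the checkpoint list is audited for deletions, rewrites, bulk additions and out-of-order additions. The toy block roots, the heights, and the "one checkpoint per month" convention are assumptions for illustration.

```python
import hashlib
from typing import Dict, List, Optional


def block_hash(parent: str, height: int, payload: str) -> str:
    # Toy block root: commits to the parent root, the height and the contents.
    # Stand-in for a real chain's block roots, not any client's format.
    return hashlib.sha256(f"{parent}|{height}|{payload}".encode()).hexdigest()


def build_chain(length: int, fork_from: Optional[List[str]] = None,
                fork_height: int = 0, tag: str = "real") -> List[str]:
    """Block roots indexed by height. With fork_from, share its blocks below
    fork_height and diverge from there (tag makes the divergent blocks differ)."""
    chain = list(fork_from[:fork_height]) if fork_from else []
    parent = chain[-1] if chain else "0" * 64
    for height in range(len(chain), length):
        parent = block_hash(parent, height, tag)
        chain.append(parent)
    return chain


def fork_satisfies_checkpoints(chain: List[str], checkpoints: Dict[int, str]) -> bool:
    """Accept a candidate chain only if every hardcoded checkpoint (height -> root)
    sits at exactly that height. A long-range fork that diverges below any
    checkpoint fails here however much stake once signed it; a fork above the
    newest checkpoint is left to the normal fork-choice rule."""
    return all(height < len(chain) and chain[height] == root
               for height, root in checkpoints.items())


def audit_checkpoint_update(old: Dict[int, str], new: Dict[int, str]) -> List[str]:
    """Reviewer-side check on a client release's checkpoint list. Convention
    assumed: append-only, one new entry per period, each above the last."""
    problems = []
    for height, root in old.items():
        if height not in new:
            problems.append(f"checkpoint at height {height} deleted")
        elif new[height] != root:
            problems.append(f"checkpoint at height {height} rewritten")
    added = sorted(h for h in new if h not in old)
    if len(added) > 1:
        problems.append(f"{len(added)} checkpoints added in one change: {added}")
    if added and old and added[0] <= max(old):
        problems.append(f"added checkpoint at height {added[0]} is not above the newest existing one")
    return problems


def demo() -> dict:
    real = build_chain(120)
    checkpoints = {h: real[h] for h in (30, 60, 90)}  # one per "month", assumed
    # Keys that held stake at height 50 fork there, below checkpoints 60 and 90.
    long_range = build_chain(150, fork_from=real, fork_height=50, tag="fake")
    # A fork above the newest checkpoint is an ordinary reorg candidate.
    recent = build_chain(125, fork_from=real, fork_height=100, tag="reorg")
    honest_update = {**checkpoints, 119: real[119]}
    # Someone with commit access swaps in roots from the fake fork in one change.
    malicious_update = {h: long_range[h] for h in (30, 60, 90, 119)}
    return {
        "real_ok": fork_satisfies_checkpoints(real, checkpoints),
        "long_range_ok": fork_satisfies_checkpoints(long_range, checkpoints),
        "recent_fork_ok": fork_satisfies_checkpoints(recent, checkpoints),
        "honest_update_problems": audit_checkpoint_update(checkpoints, honest_update),
        "malicious_update_problems": audit_checkpoint_update(checkpoints, malicious_update),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The long-range fork shares real history below height 50, so it still matches the checkpoint at 30; it is the later checkpoints it cannot reproduce. The audit only catches what the append-only convention makes visible, which is the point of keeping the convention strict.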


But why would a new entrant get the chain from a node that already exited, and why would this affect anyone other than the entrant itself? I assume the new entrant is itself liable if it copies the wrong chain, because other nodes will vote against it once it starts operating, so it will make an effort to get the correct chain (maybe by buying it from current nodes and ensuring they all provide the best chain). So maybe you would have some kind of cartel of running nodes that may or may not allow new nodes to enter, but I don't see a critical network-destroying issue here.


Wouldn't anyone then be able to provide proof of that participant having exited? The participant would have generated a signature the moment they exit.


a coalition of wealthy interests can trivially dictate the consensus rules with very little to no recourse on your part. Even if the chain splits, they can maintain their share on both chains, and even suppress the minority chain.

In PoW miners risk going bankrupt overnight for egregious behaviour like that.

I'd like to see how one defines "slashing" programmatically that is impartial, works algorithmically, and does not have edge cases that can lead to catastrophic failures without handwavy assumptions that every single PoS network has today.


No, no, back up a second. The argument being made in the parent comment is that once there is one entity with enough stake in the network to dictate where it goes, they can just pull out before tanking the network.

But my understanding was that you can only have enough stake in the network to make decisions...by having that stake in the network. If you un-stake your crypto and cash out, by definition, you no longer have any stake in the network. If you no longer have any stake, how do you have a controlling stake?


If you had a controlling stake in the past, couldn't you just rewrite history to make it seem like you still have stake?


You can look up how Ethereum's beacon chain implements slashing


Yep, isn't it great to get slashed for being DDoSed?

Amazing breakthrough, really. Now DDoS blackmail can be actually measured in money.

At least you could point to avalanche or something else that's better constructed. Eth is a dinosaur at this point, albeit with the fattest treasury.


If you go offline the penalties are very small. You can be offline a third of the time and break even. The real penalty happens if you send conflicting messages, and even that's not too severe unless a lot of other nodes do it at the same time.


> if Warren Buffet comes along and wants to spam our network, I guess he could, but that would destroy the network and destroy his value that he sunk into the network

Not if he’s undetected and does it for years while extracting value at key points in time.

There are numerous people who could put up $50B with the ability to get very high returns.

It’s not even worrying about Buffet. I worry about hedge funds and sovereign wealth funds that would definitely manipulate PoS if it earned enough for them.


I just read most of the article. As I understand it, the failure mode isn't that one attacker could hand you a malicious node, it's that the network doesn't actually reach unambiguous consensus -- all/most "stakers" could simultaneously be signing a different transaction history the whole time, at virtually no cost, which is just as valid as "the" one you believe in; there's no (cryptographic) way to distinguish them. And so it's possible for, one day, the whole network to get pulled out from under you. "Nope, this other one is the real deal."

Is this a problem in practice? As the article says, no ... but only because there is a sort of vaguely specified "proof of authority" that backs the current chain, which actually just reintroduces centralization. The author cites the Bitcoin Cash and DAO/ETH Classic forks as cases where that proof of authority gets tested and shows the actual centralization.

It's my understanding that Algorand has something on top of pure PoS that ensures the consensus (which the article says is necessary) so I'm not sure the same criticism is applicable there, but can't comment further until I get more familiar.


> Article's theory about malicious old blocks doesn't hold up.

I don't mean to be rude here, but none of what you have said refutes my point.

The attack here is that you control keys that (1) once held 67% of the value, and (2) no longer do. Because they did hold value once, they are dangerous to consensus. Because they no longer hold value, nothing is sunk into the network, so the attacker bears no cost or risk.

To apply your analogy: I don't have to be Warren Buffet, I just have to riffle through his trash.


Importantly, if "Warren Buffet comes along and wants to spam our network" his bad actions would be tied to addresses that can be blacklisted.

You can't do that with PoW without "additional" consensus rules, which is that slippery slope to PoS!


Glad to see an Algo dev here.


By this argument the only real consensus mechanism we need is FAITH. In PoS we trust.

As long as a sufficient number of people believe some currency has value - it has value. If they don't believe, it doesn't have value, and the stakes are worthless too.


I don’t investigate every shitcoin out there, but all of them have the same flaws in general. Your particular shitcoin probably has something called voting quorum, where only a fraction of global supply is required to proceed in staking. By reducing that fraction you’re making large stake holders more and more able to overpower all others the moment they decide to become malicious.

In PoW all hashrate is always voting and security is paid for external expenditure, not something virtual within the system.

PoS is a scam and you should stop supporting it.


Charlie Munger is on record saying he hates crypto. I doubt Buffet is far off. How many billions would they need to sink into destroying something they hate?


PoW systems rely on the "phone a friend method" as well. When you download a Bitcoin client from a "friend", you are trusting them to honestly introduce you to the network. If you fall asleep for a period of years, you have to trust your friends to honestly inform you of all of the PoW forks and policy changes that have occurred over that interval. The only difference is that PoS blockchain clients must be bundled with a modestly-recent block hash along with the thousands of lines of code that you have no practical way to audit.

The problem eventually reduces to Ken Thompson's "Trusting Trust" [1] problem. There's no way to externally validate the honesty of any system (cryptocurrency, or otherwise).

[1] https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_Ref...


You really don't need to trust a "friend" while bootstrapping into the network with PoW, because the proof of work is irrevocably embedded within the blockchain, and the real world cost of creating those blocks can be pretty easily estimated.

So long as you have a general idea of how much hash power is being used currently for the network, or even just how efficient ASIC computing is in general at your point in history, you can work out how great the hashing difficulty should be. You can trivially verify that the block hash with a large number of preceding zeros, e.g. 0000000000000000000b98dd8e7504793c0644cb0c27eb98f06aab9ea93c4ec2, is the hash of block it's attached to, and that a hash value that small would require a huge amount of energy to find. And every block beneath it also required a huge amount of energy, creating a huge real world economic cost to produce. You can't fake that chain without equivalent sacrifice of energy and compute resources.

Anyone trying to deceive you with a false chain would have to expend approximately as much energy as the entire legitimate bitcoin network does, and then keep doing it for as long as they want to deceive you. Sure, that theoretically could happen, but the economic incentives to do it just aren't there.


It seems that PoW does not need phone a friend to compare "which of these two chains is the true one", whilst PoS does need phone a friend for that.

However, that presumes all forks are soft forks; that you are presented a correct chain; that you want the soft fork with consensus rules accepted by most miners. (If verifying with an old bitcoin client, the BCH/BTC split will be resolved for you without you having a say.)

In summary, PoW has less need for Phone a Friend than PoS. But it still has some problems.


If Bitcoin cash had more mining power than Bitcoin would it be called Bitcoin instead?

What if Bitcoin and Bitcoin cash had the exact same amount of hashing? Which is the true Bitcoin and why?


Same thing applies to PoS.


How the hell do you know? You've just admitted that you don't actually know how PoS and PoW work. You've repeatedly refused to "do your homework" by researching what's known about these things. And yet you have repeatedly been rude to other people who have done their homework, and have informed opinions, unlike you. Just shut up and stop talking about blockchains. You're an entitled internet nobody.

For other people: https://news.ycombinator.com/item?id=29367857


I will talk about whatever I want to talk. If you don't like it, too bad.


I have regrets about calling you a "nobody". I was annoyed, but that's going too far, and I apologise for saying that. Almost no one deserves that level of vitriol, especially if at worst they're just being annoying. And I think I get annoyed too quickly.


Indeed. And even if you posit a PoW currency which never has policy changes, unlike Bitcoin or any other major cryptocurrency…

And you assume that attackers will never have enough computing resources to execute a 51% attack – which could happen because the currency’s value falls enough that people stop mining it, because an extraordinarily well-funded entity decides to attack it, or because someone manages to hack the miners…

Then you do gain the security guarantee that if you see multiple competing branches of the blockchain, you’ll know which branch is the correct one (namely, whichever is longest). However, you’re still relying on phoning your “friends” (nodes you’re aware of) to tell you what blocks exist! If they all keep the true longest branch a secret from you (or, say, someone blocks your Internet connection to the nodes that aren’t willing to do so), then you will think the next longest branch is the correct one.

To be fair, that isn’t the most practical attack. But none of the risks being discussed here are remotely practical. In practice, nobody wants to connect an outdated client to a blockchain network because it risks (a) getting yourself exploited through known vulnerabilities in the client, (b) not working due to backwards incompatible protocol changes or bugs, or (c) missing a hard fork that might have happened over disagreements in policy changes (because there are always policy changes). So you update your client, and that means you have to rely on a “friend” to tell you which software you should be running.


What you describe is indeed a viable threat in certain conditions.

It's called "Eclipse Attack". But it's a threat for single nodes not for the network as a whole.


> But it's a threat for single nodes not for the network as a whole.

Indeed, but the same is true for attacks on "weak subjectivity" proof-of-stake. They're only a threat for nodes that have been disconnected for a long time (months) before they try to reconnect.


Except for the part where eclipse attacks can be resolved by simply feeding my node more data (it's not a problem if some of it is lies), while "weak subjectivity" requires recourse to an external authority.


i don't know as much about this as you, but it seems to me that the attack you describe in the blog post would also require a successful eclipse attack?

My understanding is that the attack you describe involves a cabal of "evil" validators signing some alternate chain (call it the "fake" chain) long after their stake is withdrawn, creating a fork in the distant past. Before they did this, they pretended to be good validators, which meant they signed the "real" chain's blocks and then signed the withdraw transaction. So after the attack, there are two conflicting sets of signatures signed using the evil cabal's private keys; those on the fake chain, and those on the real chain. So anyone in possession of both of these sets of signatures can conclude that the validators in the cabal are "evil", and then they can see that once the cabal's support is removed from consideration, the real chain had more valid validator support (at the time of the fork, in the distant past). If this line of reasoning is correct, that suggests that anyone who is aware of both sets of signatures can identify the real chain?


> So after the attack, there are two conflicting sets of signatures signed using the evil cabal's private keys; those on the fake chain, and those on the real chain. So anyone in possession of both of these sets of signatures can conclude that the validators in the cabal are "evil", and then they can see that once the cabal's support is removed from consideration, the real chain had more valid validator support (at the time of the fork, in the distant past).

I think this is where you get the problem - if you just have two sets of signatures, how do you tell which is legitimate and which one isn't? How do you conclude in which set the cabal was lying?

An eclipse attack is so named because it requires you to keep all the light out so they're kept in the dark. But here, since there's no internal mechanism to tell the two chains apart, you don't only need the accurate information, but also outside information about which one is accurate.
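
The "conflicting messages" mentioned further up in the comment about penalties, and the two signature sets in the exchange above, are exactly what the beacon chain's slashing conditions are written to catch. As an added example (not from the thread and not any client's code), here are the double-vote and surround-vote checks over attestation data, run over a constructed scenario in which keys that held two thirds of the stake sign one target root on the real chain and a different root on a later fork. Signatures are omitted and assumed already verified; the stake weights, epochs and roots are made up.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, Iterable, List, Set, Tuple

# Field shapes follow the beacon chain's AttestationData (source and target
# checkpoints). Signatures are omitted and assumed already verified against
# the validator's key. Constructed example, not any client's code.


@dataclass(frozen=True)
class Checkpoint:
    epoch: int
    root: str


@dataclass(frozen=True)
class Attestation:
    validator: int
    source: Checkpoint
    target: Checkpoint


def is_double_vote(a: Attestation, b: Attestation) -> bool:
    """Same target epoch, different vote data."""
    return a.target.epoch == b.target.epoch and (a.source, a.target) != (b.source, b.target)


def surrounds(a: Attestation, b: Attestation) -> bool:
    """a's source-to-target span strictly contains b's."""
    return a.source.epoch < b.source.epoch and b.target.epoch < a.target.epoch


def is_slashable(a: Attestation, b: Attestation) -> bool:
    """The two beacon-chain slashing conditions for a pair of votes by one validator."""
    return a.validator == b.validator and (
        is_double_vote(a, b) or surrounds(a, b) or surrounds(b, a))


def find_slashable(attestations: Iterable[Attestation]) -> Dict[int, List[Tuple[Attestation, Attestation]]]:
    """Map each validator caught equivocating to the offending pairs, i.e. the
    evidence a whistleblower would submit."""
    by_validator: Dict[int, Set[Attestation]] = {}
    for att in attestations:
        by_validator.setdefault(att.validator, set()).add(att)
    evidence: Dict[int, List[Tuple[Attestation, Attestation]]] = {}
    for validator, votes in by_validator.items():
        pairs = [(a, b) for a, b in combinations(votes, 2) if is_slashable(a, b)]
        if pairs:
            evidence[validator] = pairs
    return evidence


def support_for(attestations: Iterable[Attestation], target: Checkpoint,
                stake: Dict[int, int], excluded: Set[int]) -> int:
    """Stake behind one target checkpoint, ignoring the excluded validators."""
    voters = {a.validator for a in attestations
              if a.target == target and a.validator not in excluded}
    return sum(stake[v] for v in voters)


def demo() -> dict:
    # Constructed: six validators with equal stake; 1-4 are the cabal (two thirds).
    stake = {v: 100 for v in range(1, 7)}
    r10, r11, r12 = Checkpoint(10, "real10"), Checkpoint(11, "real11"), Checkpoint(12, "real12")
    f11 = Checkpoint(11, "fake11")
    # What everyone signed on the real chain while the cabal still had stake.
    real_votes = [Attestation(v, r10, r11) for v in stake] + [Attestation(v, r11, r12) for v in stake]
    # Published later, after the cabal exited: the same keys re-sign epoch 11 for another root.
    fake_votes = [Attestation(v, r10, f11) for v in (1, 2, 3, 4)]
    everything = real_votes + fake_votes
    cabal = set(find_slashable(everything))
    return {
        "cabal": cabal,
        "real_support_raw": support_for(everything, r11, stake, set()),
        "fake_support_raw": support_for(everything, f11, stake, set()),
        "real_support_minus_cabal": support_for(everything, r11, stake, cabal),
        "fake_support_minus_cabal": support_for(everything, f11, stake, cabal),
    }


def surround_demo() -> bool:
    """A surround vote is slashable even though the two target epochs differ."""
    wide = Attestation(6, Checkpoint(10, "real10"), Checkpoint(13, "x13"))
    narrow = Attestation(6, Checkpoint(11, "real11"), Checkpoint(12, "real12"))
    return 6 in find_slashable([wide, narrow])


if __name__ == "__main__":
    print(demo())
    print("surround vote detected:", surround_demo())
```

Two caveats a practitioner would want stated: the stake figures only mean something for keys both forks recognise at the fork point, since a fork that diverges far enough back also decides which validators exist after it; and the evidence can only be turned into a penalty while the offending keys still have a balance to take, which is the gap the long-range attack exploits.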


If you actually see two conflicting chains (either proof-of-work or proof-of-stake) with large numbers of people vouching for both, then the correct chain is not necessarily "whichever one is longer". Well, it could be, for you; "correct" is subjective. But by assumption in this scenario, a large number of people disagree, and you might want to transact with some of them. There is no way for software to decide this objectively; it has to ask the user to decide based on factors external to the network.

Where proof-of-work really does have an advantage is that you can more easily distinguish that scenario from the scenario where either one of the chains is actually a Sybil attack, i.e. a single attacker pretending to be a large number of people. Similarly, if you only see a single chain, with proof-of-work you can try to detect an eclipse attack (which implies a Sybil attack) by seeing if the hashrate has gone down dramatically.

That's a real advantage. I don't think it's even close to enough to mitigate proof of work's disadvantages, especially since the circumstances where it would practically come into play are extremely unlikely, but it's not nothing.

However, it's undermined by the fact that proof of work naturally encourages centralization. Bitcoin is centralized enough that it's not completely impossible for the vast majority of the hashrate to end up on one side of a fork (either soft or hard), while the vast majority of users and developers end up on the other side. (To be clear, this is very, very unlikely to actually happen, but so are all of the attacks we're talking about.) If this happens, the objective proof-of-work standard will side with the miners, but not with the people you actually want to transact with.

Of course, a proof of stake currency can also suffer a schism, but there is (probably) less tendency for stakers to be centralized, and if a schism did occur, at least the client wouldn't provide a false sense of objectivity.


None of this actually refutes my point. You're just suggesting that the fact that PoS is incapable of producing a consensus is outweighed by it allegedly being more decentralized. Be that as it may, it's not relevant to this thread.

Is it even true? Steemit had the exchanges do a hostile takeover, because everyone was staking through them.


> I think this is where you get the problem - if you just have two sets of signatures, how do you tell which is legitimate and which one isn't? How do you conclude in which set the cabal was lying?

I feel like you should be able to deduce it from the distribution of participation after the fork, right?

The “fake” chain would lose all honest verifiers (and all transactions from honest wallets?) which seems like it would be pretty detectable with simple statistical analysis. Staked nodes not participating (and active wallets not transacting) becomes less and less likely the longer the post-fork chain is.


> The “fake” chain would lose all honest verifiers (and all transactions from honest wallets?) which seems like it would be pretty detectable with simple statistical analysis. Staked nodes not participating (and active wallets not transacting) becomes less and less likely the longer the post-fork chain is.

But you don't know who's honest - you may as well be saying the real chain lost all the dishonest verifiers.


Exactly - that's where statistical analysis (like fakespot) comes in.

For each chain you'd be able to look at the age, stake & historical participation level of the post-fork participants and get a pretty good idea which (if either) of the chains is real. The absence of honest participants should look a lot different than the absence of dishonest ones.

Granted, this method is not nearly as simple as checking the number of 0s on a hash, but I would imagine it to be quite difficult to circumvent.


How do you know what are honest verifiers and wallets?


For any specific verifier/wallet, you won't - but the fake chain will have 0 uncompromised actors after the fork.

Which means that large stakeholders suddenly stop verifying blocks. Long-term active wallets stop transacting.

The same might be true for both chains after the fork, but I would imagine the fake one would have a larger change in participation (weighting older wallets and larger stakes) than the real one.


Note that for bitcoin, because of soft forks, you could take a really old client and still find the 'true' chain.


I think the difference is which kind of hash you needed.

For PoW, you'd have to know the hash of the start of the chain (the "genesis block") in advance to verify you downloaded the correct chain. That's true, but this hash doesn't change during operation. You could get that hash from a history book if you will.

For PoS, the hash is from the end of the chain and therefore constantly changing. This means the challenge of finding out whether the hash is the right one is a lot more real than in the PoW case, because there is no "common knowledge" to go by which hash is right.


> For PoW, you'd have to know the hash of the start of the chain (the "genesis block") in advance to verify you downloaded the correct chain.

Nope. You could fork the chain at a period of low difficulty and it would still stem from the genesis block. It would either be a short chain, or have clearly low difficulty though, so it wouldn't fool anyone knowledgeable. I'm not sure how you would leverage that chain for fraud.


A while ago bitcoin clients changed from favoring the 'longest' chain to favoring the chain with the most work done on it. (To prevent long chains with low difficulty)


So... the consensus rules of the network changed, you need to make sure you have the correct client, and bitcoin is weakly subjective after all?


Asking "what's the correct client?" will always be a subjective question

Bitcoin doesn't decide what is called bitcoin, we as a community do


In practice this was essentially a soft-fork. But yes the consensus rules of bitcoin software changed.


The client can choose properly, but it needs to "call a friend" in order to get the options - if the client doesn't receive the proper chain but only fake ones, it will choose the fake one with the most work done on it.


Why fork at low difficulty?


You need to fork at low difficulty if you want to significantly lengthen the chain from that point, because creating a high difficulty, long chain that is valid is hard.

But-- there's nothing to preclude you making big steps up in difficulty at the end of the chain. It means that one evaluating the length of the chain for authenticity really needs to integrate the difficulty over the entire chain and not just look at the number of blocks.
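
Cumulative work, as an added example rather than any project's code: decode nBits into a target, credit each block with 2^256/(target+1) expected hashes (the quantity Bitcoin Core's GetBlockProof computes), and compare two constructed forks, eight blocks mined at regtest difficulty against one block mined at a target 65536 times harder. The header layout is a toy one (previous hash, nBits, payload, nonce), the payloads are made up, and the retarget schedule is not recomputed, so a real validator would additionally check that each header's claimed nBits is the one the schedule allows.

```python
import hashlib
from typing import List

TWO_256 = 1 << 256


def nbits_to_target(nbits: int) -> int:
    """Decode Bitcoin's compact nBits field into the 256-bit target."""
    exponent = nbits >> 24
    mantissa = nbits & 0x007FFFFF
    if nbits & 0x00800000:
        raise ValueError("negative target is never valid")
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def block_work(nbits: int) -> int:
    """Expected hashes to find a block at this target (equal to GetBlockProof)."""
    return TWO_256 // (nbits_to_target(nbits) + 1)


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def meets_target(header: bytes, nbits: int) -> bool:
    """Bitcoin reads the 32-byte hash as a little-endian integer and requires hash <= target."""
    return int.from_bytes(sha256d(header), "little") <= nbits_to_target(nbits)


def header_nbits(header: bytes) -> int:
    # Toy layout (assumed): prev_hash[32] || nbits[4] || payload || nonce[4]
    return int.from_bytes(header[32:36], "little")


def mine(prev_hash: bytes, payload: bytes, nbits: int) -> bytes:
    prefix = prev_hash + nbits.to_bytes(4, "little") + payload
    target = nbits_to_target(nbits)
    nonce = 0
    while True:
        header = prefix + nonce.to_bytes(4, "little")
        if int.from_bytes(sha256d(header), "little") <= target:
            return header
        nonce += 1


def verify_chain(headers: List[bytes]) -> int:
    """Check parent linkage and proof-of-work for every header; return total work."""
    prev = b"\x00" * 32
    total = 0
    for header in headers:
        if header[:32] != prev:
            raise ValueError("header does not link to the previous block")
        nbits = header_nbits(header)
        if not meets_target(header, nbits):
            raise ValueError("hash does not satisfy the claimed target")
        total += block_work(nbits)
        prev = sha256d(header)
    return total


def is_valid_chain(headers: List[bytes]) -> bool:
    try:
        verify_chain(headers)
        return True
    except ValueError:
        return False


def build_chain(count: int, nbits: int, tag: bytes) -> List[bytes]:
    headers, prev = [], b"\x00" * 32
    for i in range(count):
        header = mine(prev, tag + bytes([i]), nbits)
        headers.append(header)
        prev = sha256d(header)
    return headers


def compare_forks() -> dict:
    """Eight blocks at nBits 0x207fffff (about 2 hashes each) against one block at
    0x1f00ffff (about 65536 hashes). The longer chain loses on work."""
    cheap_long = build_chain(8, 0x207FFFFF, b"cheap")
    costly_short = build_chain(1, 0x1F00FFFF, b"costly")
    work_a, work_b = verify_chain(cheap_long), verify_chain(costly_short)
    # Flip one payload byte mid-chain: that header's hash changes, so the next
    # header no longer links to it (and the edited header may miss its target too).
    tampered = list(cheap_long)
    tampered[3] = tampered[3][:36] + b"X" + tampered[3][37:]
    return {
        "len_a": len(cheap_long), "work_a": work_a,
        "len_b": len(costly_short), "work_b": work_b,
        "heavier": "A" if work_a > work_b else "B",
        "tampered_valid": is_valid_chain(tampered),
    }


if __name__ == "__main__":
    print(compare_forks())
```

The work numbers are the ones Bitcoin Core reports: the genesis target 0x1d00ffff is worth 0x100010001 hashes, a regtest block is worth 2. Counting blocks instead of work is exactly what lets a low-difficulty fork look long.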


I was wondering about that bit actually.

Suppose I'm a new node and want to verify the blockchain. How do I verify that each block was mined with the correct difficulty?

I'd need some record about the actual real-world timestamps for each block. Then I could say something like "duration between block x and block x+1 was > 10 min, so the down-adjustment in block x+5 is justified".

But if those timestamps were stored on-chain, an attacker could simply lie about them and keep difficulty artificially low on its alternative chain.

On the other hand, if we had some un-forgeable record of block timestamps, wouldn't this solve the double-spend problem all on its own? Would we even need PoW at this point?

Edit:

Ok, sibling comment seems to suggest bitcoin has solved this problem differently: https://news.ycombinator.com/item?id=29368166


Yes, Bitcoin effectively integrates the difficulty over the entire chain.


> For PoW, you'd have to know the hash of the start of the chain (the "genesis block") in advance to verify you downloaded the correct chain.

No. For Bitcoin you can accept a chain with an arbitrary starting point and you would still arrive at the same chain everyone else uses.

Although you do need to have an idea of the earliest acceptable starting point-in-time — e.g. verifying a low-difficulty chain starting the year 200,000 BC (with one block every 10 minutes) would take quite a while


Because of withdrawal delays, the PoS hash isn't from the end of the chain, but from a few months before. So it changes only about as often as client software updates.


Finally someone actually mentioning the code. In PoS "trust" must exist along several points in time before you can engage with the system - and the most notable point being trusting that the rules (written in the code) are of your desire.

With PoW you don't care about the software code. The rules are dominated by the PoW because it literally proves to you which is the chain where most people are interested in, because literally no single entity could burn that much electricity.

With PoS on the other hand you kind of need these checkpoints in the actual software and then you have to activate this entire new trust model where you have to trust the client code, and where it came from etc. I could literally come up with an entire fake chain on my computer and present it to you and without client-checkpoints there would be no way for you to not accept my chain compared to your current one.

With PoW I don't have to trust anything. If the majority next year decides to change the rules, so be it. The majority has spoken.


If you don't trust the code of a PoW client, how could you trust it to not simply empty your wallet as soon as you import your private key?


I was talking about the consensus part. You don't need any client code to understand which is the agreed-upon chain, you verify the hash was generated using lots of energy.

For transacting indeed you need to trust the various clients, but that's easy and can be done once. With the consensus isn't being tampered with, and, more importantly that others are using other types of rules.


Is the threat of long range attacks in PoS any worse than PoW in practice?

Bitcoin for example still relies on a list of hardcoded nodes for bootstrapping clients. Not to mention very few people actually bother to verify the full chain (360GB and counting) from genesis.

As for auditing the integrity of the code or binary, it is signed by GPG keys hosted on public key servers accessed using X509 certificates pinned by a couple of trust anchors preloaded in your OS. So much for distributed consensus...


> As for auditing the integrity of the code or binary, it is signed by GPG keys hosted on public key servers accessed using X509 certificates pinned by a couple of trust anchors preloaded in your OS. So much for distributed consensus...

You can literally validate the entire chain with a simple python script. Millions of those on github.

>Not to mention very few people actually bother to verify the full chain (360GB and counting) from genesis.

Absolutely wrong. The chain is validated in its entirety upon first sync. 100% from genesis to tip.

>Bitcoin for example still relies on a list of hardcoded nodes for bootstrapping clients.

It doesn't. Longest valid chain with most work is the canonical chain. Hardcoded seed nodes exist to speed up the discovery.


> You can literally validate the entire chain with a simple python script.

I challenge you to present a "simple python script" that implements the exact bitcoin consensus rules (as codified in bitcoin core). Bitcoin is not all that simple and there's a nontrivial amount of complexity in bitcoin script alone [1].

> The chain is validated in its entirety upon first sync. 100% from genesis to tip.

The default behavior is to skip signature verification for all signatures before some relatively recent block [2].

[1] https://github.com/bitcoin/bitcoin/blob/master/src/script/in...

[2] https://github.com/bitcoin/bitcoin/pull/9484


You're misunderstanding the default behavior, which is fine because it's commonly misunderstood and discussed. At any rate signature verification is not skipped by default; what assumevalid skips is script verification. Everything else, including UTXO, proof of work, the transactions themselves, is validated.


That seems a bit pedantic; the client itself prints

> Assuming ancestors of block %s have valid signatures.

when using -assumevalid. I agree it's imprecise, but it's not exactly wrong, since skipping scripts implies skipping signatures.


The Bitcoin Core client includes a hardcoded list of DNS servers that point to thousands of nodes. These lists get updated frequently by different people. Other clients may use other lists. What is the threat model you're suggesting here, exactly? Do you know any other way to bootstrap a peer to peer network without centralised authorities?

All network participants are forced to verify the full chain from genesis. Some might be OK with validating block header signatures only, and not the full transaction set. It's a tradeoff.

You don't need to use those public key servers if you somehow distrust the CA certificates in your OS. Feel free to contact the repository maintainers or whatever else floats your boat.

Anyway, bitcoin is an open source protocol, not a particular client implementation. If you distrust everything and everyone, no one can stop you from building your own client that works with the rest of the network.


> Do you know any other way to bootstrap a peer to peer network without centralised authorities?

I’m not the parent, but – no, I don’t. But that’s exactly the point. The need to bootstrap from centralized authorities is what’s supposedly so bad about weak subjectivity in proof-of-stake. Yet in practice, it’s needed with proof-of-work as well.


Maybe I didn't word it right, but I wasn't calling bitcoin's method reliant on centralised authorities, just asking if there were more methods out there that weren't as well.

Bitcoin is an open source permissionless protocol, so you have multiple clients to choose from, each with their own list of bootstrapping nodes, many open source where you can submit a PR to add your node too. You can even build your own client and point to whatever you want. You can also just ignore them and just point directly to nodes in a list from a public forum, a private chat, whatever.

Also, you're not just connected to those bootstrapping nodes: you use them to find the rest of the peers in the network.


It seems that PoW is like recursion. You don't get it at all until you completely get it. It's a leap to understand it and somehow many very technical people don't understand a seemingly simple protocol even a decade after it became mainstream and is threatening national banks due to the very characteristics these people claim it doesn't have.


Indeed, a very strange phenomenon. Willful ignorance?


> Bitcoin is an open source permissionless protocol, so you have multiple clients to chose from, each with their own list of bootstrapping nodes, many open source where you can submit a PR to add your node too. You can even build your own client and point to whatever you want. You can also just ignore them and just point directly to nodes in a list from a public forum, a private chat, whatever.

I characterized this as relying on centralized authorities (albeit several of them), but sure, it can also be considered decentralized to some extent.

The point is that it's a mechanism outside of the proof-of-work network itself. Instead of relying on a machine to reach consensus via a formal protocol, you the human are probing for a social consensus by evaluating statements made by other humans (via GitHub, public forums, or private chats, or just talking to people in person).

In both proof-of-work and proof-of-stake, you need to find social consensus in order to initially obtain the software, after which point you can rely on the network's consensus.

The difference with proof-of-stake is that you have to redo this if you disconnect from the network for months on end.

In practice, for a variety of reasons, practically all users of cryptocurrencies download regular software updates, and thus continue to rely on social consensus, regardless of whether the currency is proof-of-work or proof-of-stake.


I want to take a moment to note what you're doing here. You're making a negative argument, for want of a better word. It goes something like this:

1. X is a problem?

2. But Y is also a problem, in my opinion.

3. X and Y are both the same, I think.

4. Therefore X is not a problem.

We can - theoretically - verify the correctness of PoW software by downloading the source code, reading it over, etc. We can also refuse to update, reducing ourselves to SPV security. We can internally verify the checkpoints using 100% objective standards. There are other things as well. This is not the case for PoS, where our "signature A existed at time B" has to be taken as faith, or evidence of things unseen. There is no internal way to verify the veracity of such a statement.

The fact that users aren't personally doing this, is not the same as saying it makes no difference whether they are able to or not. I'm not personally going to withdraw all the money in my bank account - that would be ridiculous - but if the bank informed me I was no longer able to withdraw the money in my account, that would not be suitable at all. The assurance that I can do it makes it so that I don't have to.


> 3. X and Y are both the same, I think.

It seems like you reject this premise, maintaining that PoW networks are objectively verifiable? But you didn't really refute the parent's point there, which was that there are no "objective standards" in deciding which bootstrap nodes to use; it's ultimately a matter of trust. If I trust the wrong bootstrap nodes, I can be eclipsed from the real network.

Granted, I only have to trust that a single bootstrap node from the list will faithfully connect me to the honest network. But PoS involves a very similar 1-of-n trust model; I can request checkpoints from n semi-trusted sources and check that they match.

Also, granted, if I pick bad bootstrap nodes, I can still detect if I'm being eclipsed by looking at the hash rate. But how do I know what hash rate to expect? I could check n websites with hash rate charts, but that brings us back to 1-of-n trust.

> 4. Therefore X is not a problem.

IMO it's a manageable problem. Users just need to be cognisant of these trust assumptions they're relying on, and be thoughtful about picking semi-trusted peers (whether bootstrap nodes or checkpoint providers).


> It seems like you reject this premise, maintaining that PoW networks are objectively verifiable? But you didn't really refute the parent's point there, which was that there are no "objective standards" in deciding which bootstrap nodes to use; it's ultimately a matter of trust. If I trust the wrong bootstrap nodes, I can be eclipsed from the real network.

Right, but it's not about trust in the same way. I can add an infinite list of bootstrap nodes. Quantity matters, not quality.

> But PoS involves a very similar 1-of-n trust model; I can request checkpoints from n semi-trusted sources and check that they match.

"Very similar," not the same. You need "semi-trusted sources", and there's no objective standard in case they disagree.


Hi Nick, very well said and this is precisely my point as well.

Satoshi tried to convince us that we could decentralise trust by doing honest work instead of relying on authority. It turns out that doing work is actually pretty hard, people are lazy, and security is still the nemesis of efficiency.


> Do you know any other way to bootstrap a peer to peer network without centralised authorities?

In IPv4 a client might have a chance at auto-discovering peers.

It's also not necessary to rely on a single centralized authority. There are many things (DNS, Encyclopedias, Linux kernel mirrors, etc.) where the majority of existing centralized authorities agree with each other.


DNS is based around central authority though. Every root zone has name servers that serve as the authority. Their responses get cached at various levels but take those servers offline until TTLs start expiring and everything breaks.

What part of DNS do you feel is possible without a centralized authority?


> Bitcoin for example still relies on a list of hardcoded nodes for bootstrapping clients.

It does, but it doesn't have to. You can use any mechanism you want to obtain one initial node and take it from there. You will still be connected to the network just as well, and you will be guaranteed to obtain the same results. This differs from Proof of Stake, where the quality of the results will be influenced by the quality of the bootstrap.


I verified the full chain a couple of weeks ago (but I admit I trusted umbrel to choose the "correct" bitcoin-core software to run). It took less than 3 days to sync on a Rpi4.


Trusting trustlessness is the paper you want to consult with

https://www.cs.umd.edu/~gasarch/BLOGPAPERS/cbit-4-2.pdf


'Policy changes' and hard forks have about as much to do with PoW as whether the Federal authorities should ban cryptocurrencies or not - they're outside the realm of consensus algorithms. In PoW there are no friends. If your blockchain is incorrect (i.e not the longest) your transactions on it are invalid and will be rejected by the rest of the network.


> If your blockchain is incorrect (i.e not the longest) your transactions on it are invalid

If your chain tip is on the dead side of a hard fork (i.e. if the majority of the network will predictably soon finish switching away from software which considers your chain tip valid, to software which considers your chain tip invalid), then nobody cares if your chain tip is the longest in the interim, or how long you still hold out running the software that considers your chain tip valid. Your side of the fork no longer holds any economic value as a platform for transactions, so nobody will participate in it. You'll just be out there mining blocks all alone, blocks that say you earn all the virtual tokens, but where those tokens are worthless on your side of the fork.

It's a bit like how, in old pre *serv IRC networks, in cases of netsplits, you could end up on a partition of the network where you were the only one in a previously-moderated channel; and so you could effectively do whatever you wanted in that channel. But it didn't really matter, because nobody could hear you.


Um, yes. I should have phrased that as 'your transactions based on it are invalid in the network'. You just described consensus working correctly, but like I said hard-forks and policy changes are outside the scope of PoW, so saying PoW does not handle hard-forks is not really a valid criticism of PoW.


"nobody cares if your chain tip is the longest in the interrim,"

Except the people you bought something real-world from, once they figure out that their "tipcoin" is worthless. So now it's a question of convincing some people that your technobabble is valid enough. How hard is that?


No, policy changes make for a new blockchain. That's what's usually referred to as a "hard fork", as opposed to a "soft fork" where consensus rules are only allowed to get stricter, exactly because ownership of a coin should be guaranteed forever.

You could follow the consensus rules set out from the beginning and you would still end up on today's majority chain.

I believe there were a couple of early bug fixes along the way, which makes this not strictly true. As in, the original first release of the software is not actually capable of downloading all of the chain, which some people love to point to as proof of it being a fallible system. This is probably true but doesn't really detract from the original point of guaranteed ownership by never relaxing the consensus rules.


not really, if you fall asleep for a period of years, you can still get a signal of how genuine any proposed fork is by observing the chain of blocks and their difficulties. that's the crucial bit of any PoW system - you can't fake the energy that was spent producing the chain. that's a way to externally validate the honesty of a system and a major scientific breakthrough that satoshi discovered.

also, hi, long time! maksym here =)


The difference in Proof of Stake is a lawsuit could force the distributor of the software to change the hash to one where coins weren’t stolen. As most developers are not pseudonymous, this poses a threat to the honesty of the system.

You mention “POW forks”, but Bitcoin’s POW has never been hard forked: you’d need to trust a Bitcoin expert to tell you if it was a good idea.


> The difference in Proof of Stake is a lawsuit could force the distributor of the software to change the hash to one where coins weren’t stolen.

And with proof of work a lawsuit could force the distributor to change the consensus rule so that a particular transaction is invalid - just as Ethereum did voluntarily with the original DAO.

> You mention “POW forks”, but Bitcoin’s POW has never been hard forked

Instead it’s been soft forked, which turns the consensus rules into a popularity contest. If a soft fork produces two competing branches of the blockchain, old clients will go with whichever branch has more mining power. Which means you open yourself up to interesting attacks like convincing 51% to literally steal the funds of the other 49% (which is much worse than a mere double spend). Or, more realistically, in the case of a contentious soft fork that ends up roughly fifty-fifty, you could ‘just’ end up on a different side of the fork from the people you want to transact with. Either way, soft forks don’t make the downsides of policy changes go away.
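
Two claims in this subthread can be checked with a few dozen lines: the earlier comment that a node waking up after years can weigh a proposed chain "by observing the chain of blocks and their difficulties", and the comment just above that old clients follow whichever branch has more mining power after a soft fork, while upgraded clients discard a branch that breaks the tightened rule. The following is an added example written for this thread, not Bitcoin Core's code. The nBits decoding and the per-block work formula follow Bitcoin's consensus rules; the `Header` type, the two constructed branches and the `size` limit that the toy soft fork lowers are assumptions standing in for whatever a real soft fork tightens.

```python
"""Chain work from compact difficulty targets, and fork choice under a soft fork (added example)."""
from dataclasses import dataclass


def bits_to_target(bits: int) -> int:
    """Decode the compact nBits field of a block header into the 256-bit target."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    if bits & 0x00800000:
        raise ValueError("negative target is never a valid proof-of-work target")
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def block_work(bits: int) -> int:
    """Expected hashes needed to find a header under this target: 2**256 // (target + 1),
    computed as (~target // (target + 1)) + 1, the form Bitcoin Core uses to stay in 256 bits."""
    target = bits_to_target(bits)
    inverted = ~target & ((1 << 256) - 1)
    return inverted // (target + 1) + 1


@dataclass
class Header:
    height: int
    bits: int   # compact difficulty target the block was mined against
    size: int   # constructed field; the toy soft fork lowers the limit on it


def chain_work(branch: list) -> int:
    """Accumulated work is a function of the headers alone: nobody has to tell a node
    that slept for months which branch cost more energy to produce."""
    return sum(block_work(h.bits) for h in branch)


# Old rule set: blocks up to 1,000,000 units. After the soft fork the limit is 500,000.
# Every block valid under NEW_RULES is also valid under OLD_RULES; that subset property
# is what makes the change a soft fork rather than a hard fork.
OLD_RULES = [lambda h: h.size <= 1_000_000]
NEW_RULES = OLD_RULES + [lambda h: h.size <= 500_000]


def valid_under(branch: list, rules: list) -> bool:
    return all(rule(h) for h in branch for rule in rules)


def select_tip(branches: dict, rules: list):
    """Name of the valid branch with the most accumulated work, or None if none is valid."""
    valid = {name: br for name, br in branches.items() if valid_under(br, rules)}
    return max(valid, key=lambda name: chain_work(valid[name])) if valid else None


def build_branches() -> dict:
    """Two constructed branches off a common prefix. 'big' has three blocks mined at 256x
    the difficulty but over the post-fork limit; 'small' obeys it with ten easier blocks."""
    prefix = [Header(0, 0x1D00FFFF, 300_000), Header(1, 0x1D00FFFF, 300_000)]
    big = prefix + [Header(2 + i, 0x1C00FFFF, 900_000) for i in range(3)]
    small = prefix + [Header(2 + i, 0x1D00FFFF, 300_000) for i in range(10)]
    return {"big": big, "small": small}


if __name__ == "__main__":
    branches = build_branches()
    for name, br in branches.items():
        print(f"{name}: work {chain_work(br):#x}")
    print("old client follows:", select_tip(branches, OLD_RULES))
    print("upgraded client follows:", select_tip(branches, NEW_RULES))
```

With the genesis-era target 0x1D00FFFF, `block_work` returns 0x100010001, the chain work Bitcoin records for its genesis block, which is a quick way to confirm the decoding against a real header. The old client picks `big` because it has more work and breaks no rule it knows about; the upgraded client never considers `big` at all, however much work it carries, so the two end up on different sides of the fork exactly as the comment above describes.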


Changing consensus rules requires coordinating a fork. This requires coordinating developers, miners and node operators. That may fly in pseudo decentralised chains where the community accepts whatever the leader says so, and even so, at high risk. In bitcoin, for instance, where there is no leader, this would never be a viable scenario.

Soft forks don't force you to download and run new clients just to be able to use the network, which is an important difference. You can use your existing client, you just don't have the new features and don't run validations on them.

The greatest risk on soft forks is that chain split you mention. That's why any reasonable soft fork deployment requires a long time window with a large majority of hashrate signaling support (like 95%).


Changing a PoS checkpoint would also require coordinating a fork. Even if a dev team were forced to make the change, they couldn't make everyone go along with it.


> The difference in Proof of Stake is a lawsuit could force the distributor of the software to change the hash to one where coins weren’t stolen.

In Proof of Work, a lawsuit could force the distributor of the software to hard-code a transaction that reverses the coin theft. But in both the PoS case and the PoW case, anyone using that client would be partitioned off from the honest network majority.

> You mention “POW forks”, but Bitcoin’s POW has never been hard forked: you’d need to trust a Bitcoin expert to tell you if it was a good idea.

Bitcoin's PoW forked in 2013, when a database upgrade to the software made it incompatible between two recent versions. The Bitcoin developers had to jump in and tell people which PoW fork to follow and which one to abandon.

