This is a really thorough and understandable explanation. Helped me fill in lots of gaps I had.
One thought it does raise in my mind, though - this is complicated.
Bitcoin is simple. The rules are simple. Simple is really good when it comes to securing a currency.
This, in comparison... I mean, oof. I get the high-level "proof of stake" idea, which (in my mind) has a similar mental complexity to Bitcoin's. But all the algorithms that need to work to support it... it introduces the idea in my mind that somewhere in one of those algorithms is a small oversight. Even if that's not the case, the thought is there.
My opinion on proof-of-stake hasn't changed (seems much better than PoW in real-world use for so many reasons) but it does seem to erode the beautiful simplicity of proof-of-work.
That complexity distracts you from the fact that proof-of-stake is self-referential and is not resilient to the kind of hard fork that Ethereum has already experienced.
Someday there will be another doctrinal conflict with a near 50/50 split in the community. Probably for the same reason - some DAO hack too massive to ignore. In a proof-of-work world, we can evaluate the health of each fork by measuring the scarce physical resources allocated to each.
In a proof-of-stake world, each fork can have a valid voting majority of stakers. There's no actually-scarce resource to split, so no external mechanism to decide which fork is the "real" one.
I wouldn't bet a potential future world monetary system on this scheme.
Are you referring to the “nothing at stake” problem? Ethereum’s PoS is designed to protect against validators signing transactions across multiple forks of the same network. The Gasper “finality” and “fork choice” rules ensure that one chain is always selected by the validator set to be the “real” canonical chain for the network.
What might eventually happen is that some % of the validators exit Ethereum mainnet and enter their deposit into another blockchain, perhaps giving it a different name and set of features and tradeoffs.
I think they're referring more to a scenario like a contention over which chain constitutes ETH Mainnet in the first place. Like a fork split such as the following:
45% of validators sign on fork A
45% of validators sign on fork B
10% of validators sign both A and B (coincidentally such that they get evenly slashed between the two)
That is, the question of what "Ethereum Mainnet" is will not be clear-cut and will depend on who you ask.
This seems like a false problem. The state you are describing is not stable, as validators have an incentive:
1) to validate, instead of just sitting doing nothing
2) to choose the chain with the most likely chance of being the next main, otherwise they will be slashed
As soon as even the slightest imbalance appears between the two forks, it will bias validators to choose one against the other and thus exponentially make it the preferred fork.
> and that external incentives don't outweigh enclosed ones.
I think this is actually the most commonly overlooked assumption. The protocol seems very robust, *assuming* perfect information (aka all incentives are known to the system).
I encountered this problem a few years back when trying to design a protocol for a decentralized prediction market. It's very hard to account for hedges or huge bets on other markets.
In this scenario, the 10% would be forced to exit as their deposit would be slashed, and would drop below the required minimum for a security deposit. So within a short period, you would end up with 50% signing on A, and 50% signing on B.
These would have to have different network or chain IDs to avoid slashing events. One of them, presumably B, would have had to actually change this number from whatever the previously standard/agreed-upon chain ID is.
I could imagine this scenario happening in a contentious split or attack, but it would create two very clearly different blockchains with different goals and needs, like what happened with Eth and EthClassic, or Eth and EthPoW.
That's a good thing. Cryptocurrencies are supposed to operate by consent, and that includes the ability to separate when consent for a ruleset can no longer be maintained. One of the main problems with PoW is that those who support the stronger fork can attack those who support the weaker fork if they are willing to expend the resources. Ethereum's PoS solves that and ensures that every user has an equal technical ability to withdraw their consent and take their money to a chain with rules they support.
The key is in the fact that violating the rules on Ethereum's PoS causes you to lose Ether, which means you eventually lose all your Ether and can no longer sabotage the chain. This is in contrast with PoW systems, where your mining hardware doesn't deteriorate any faster just because you are mining empty or invalid blocks, so you can do that forever and effectively shut down a chain that is small enough relative to your computer power. The only defence a PoW fork has against such an attack is to switch to a different algorithm that is less compatible to the attacker's hardware, but that harms non-attacking miners just as much. PoW has an element of "might make right" while PoS is completely consensual.
There is a special type of node called slasher that can submit proof of your voting on a different chain (your vote is signed by you, so it could be verified that you signed something not on the current chain), then you lose your stake on the chain. Supposedly both chains should have their own slasher nodes, so eventually you will lose your stake on both chains.
Don't cite me on the details, but that is the idea
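The conflict check a slasher runs over signed votes, as an added example that is not part of the original thread and is not Ethereum client code: it applies the two attestation slashing conditions from the consensus spec (double vote and surround vote) to a constructed vote history. Signature verification is assumed to have been done already; the `Vote` type, `find_slashable` and the sample roots are hypothetical names.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Vote:
    """Simplified attestation; the signature is assumed to be verified already."""
    validator: int      # validator index
    source_epoch: int   # justified checkpoint the vote builds on
    target_epoch: int   # checkpoint the vote tries to justify
    target_root: str    # block root at the target checkpoint


def is_double_vote(a: Vote, b: Vote) -> bool:
    # Two different votes by one validator for the same target epoch.
    return a != b and a.target_epoch == b.target_epoch


def is_surround_vote(a: Vote, b: Vote) -> bool:
    # The source..target span of `a` strictly contains the span of `b`.
    return a.source_epoch < b.source_epoch and b.target_epoch < a.target_epoch


def find_slashable(votes):
    """Return (validator, offence, vote_1, vote_2) for every conflicting pair."""
    by_validator = {}
    for v in votes:
        by_validator.setdefault(v.validator, []).append(v)
    evidence = []
    for validator, history in sorted(by_validator.items()):
        for a, b in combinations(history, 2):
            if is_double_vote(a, b):
                evidence.append((validator, "double_vote", a, b))
            elif is_surround_vote(a, b) or is_surround_vote(b, a):
                evidence.append((validator, "surround_vote", a, b))
    return evidence


# Constructed sample history (not real chain data).
SAMPLE_VOTES = [
    Vote(1, 10, 11, "root_fork_A_e11"),  # validator 1: one vote per epoch
    Vote(1, 11, 12, "root_fork_A_e12"),
    Vote(2, 10, 11, "root_fork_A_e11"),  # validator 2 signs fork A ...
    Vote(2, 10, 11, "root_fork_B_e11"),  # ... and fork B for the same target epoch
    Vote(3, 9, 13, "root_fork_A_e13"),   # validator 3: span 9..13 ...
    Vote(3, 10, 12, "root_fork_A_e12"),  # ... surrounds its own earlier vote 10..12
]

if __name__ == "__main__":
    for validator, offence, first, second in find_slashable(SAMPLE_VOTES):
        print(f"validator {validator}: {offence}")
        print(f"  evidence: {first}")
        print(f"            {second}")
```

The pair of conflicting signed votes is the evidence itself, which is why it can be checked by anyone who sees both messages.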
Your stake is locked for a non-trivial amount of time. Right now you can't even get them out; in the future, after withdrawing stake is implemented, the locked-out time is something like 12 months or more (I think).
You're correct, which is why I don't stake on ETH. Until the powers that be decide on the rules I won't participate. Until then most of my coins are in PoW.
In order to automatically destroy the stake, I presume a majority of stake holders need to agree though? And if people think the stakeholders aren’t acknowledging it, they can just do another fork? Hrm…
Any block proposer can submit a whistleblower report. There is a pretty significant bounty if you discover a slashable offence, so there is strong incentive to include these in any proposed blocks.
But you still need a majority to acknowledge the report
> Slashing is triggered by the evidence of the offence being included in a beacon chain block. Once the evidence is confirmed by the network, the offending validator (or validators) is slashed.
It is a powerless mechanic if the majority of validators don’t want to play along.
There may be other solutions or defence mechanisms, but one solution would be to fork again and remove the Ether those validators have staked from your chain as part of your fork.
A chain is defined by a set of rules that everyone on the chain agrees to abide by. Breaking the rules damages the economic utility of the chain, so the Ether on the chain where the validators colluded to break the rules would be worth less, as a result of their actions. The validators are locked on that chain (as they can't prevent a fork from excluding them), so they have a strong incentive against harming the chain. Ethereum is not majoritarian. I don't have to abide by the will of the majority. I only need to come to a consensus about the rules and state of the chain with the people with whom I want to share the chain.
PoS makes it much easier to escape a malicious majority compared to PoW where the hashing power majority can follow the minority anywhere unless the minority is willing to switch to a different hashing algorithm. Even then, the majority could sell their mining equipment and buy new equipment that will work on the new chain on the same terms as that chain's honest minority can. With PoS, the malicious majority would need to buy new Ether from the honest minority who can then just fork again after having made a profit on the attack, and can continue to do that until the malicious majority runs out of resources or realizes that they cannot censor a fork in Ethereum's PoS system.
> Breaking the rules damages the economic utility of the chain, so the Ether on the chain where the validators colluded to break the rules would be worth less, as a result of their actions.
So you’re going to create a new fork, remove the money from the majority of the wealthy stakeholders who are governing the system, and expect this one to be seen as legitimate? The one that is explicitly giving the finger to the wealthy?
I don't think legitimacy is a meaningful concept in this context. I would use the chain with the greatest utility, which is determined by whether I like the rules, whether the rules are consistently and predictably enforced, and whether other people I want to interact with are using that chain. Whether the people who use the chain have more Ether or more computer power compared to the people who use a competing chain doesn't affect utility.
While I don't think it's meaningful to say that one chain is more legitimate than another, if I was forced to make such a determination in this case, I would consider the chain where the rules are consistently and predictably enforced in a way that leads to predictable outcomes more legitimate than a chain where validators have colluded to arbitrarily subvert the enforcement of the rules.
Do you have a source for this? As I understand from the spec[1], any block proposer can submit a slashing report while including their block in the chain, and the protocol (ie: the client software that everybody runs) will reward them automatically if the slashing conditions are satisfied.
The majority of validators could perhaps block this by all running forks of the various consensus client software, with some code changed to set the reward to zero, but why would they do that?
Anyone can include a slashing report in their block, but it does nothing unless the block is approved by a majority.
If we imagine a 90/10 split of opinions that leads to a hard fork, the 90 majority can either be satisfied with their fork and be nice or they can stonewall the 10% fork and refuse to approve any blocks that support the idea that they deserve to be slashed. Because the only thing that can punish the majority is the approval of the majority. And because allowing another fork to exist reduces the value of the other forks. And because it would just be nicer if instead of having two forks we just kicked out all those annoying validators we don’t agree with.
In your scenario, the 10% who are running forked software risk losing all their deposit by double-signing blocks on the same network and chain ID as the majority 90%. In practice, if 10% wanted to split off from the majority and run incompatible clients, they would be forced to use a different network or chain id, which means they are running a different blockchain.
In my scenario it is the 90% that is double signing, and they are risking nothing because it is the same 90% that gets to punish them.
If the 10% wants to fork off and do a completely different blockchain, what happens to the folks who aren’t colluding either way? I mean, while we’re down to just throw away people’s stakes, why not do so for everyone who isn’t explicitly on our side?
The scenario sounds extremely implausible; a chain with 90% colluding actors would be worthless, and the remaining 10% of honest users would likely exit to another chain that is not majority run by malicious nodes.
For example: migrating to a new chain ID and restarting with a validator set limited only to the public keys of the 10% who are acting honestly, and loosening that restriction slowly over time.
The attack would end up being extremely costly: not only because it makes the original chain’s token price worthless (who wants to be on a malicious chain?), but because the attacker may also have their deposit slashed in the new chain by the now-majority of honest users defending it.
The 90% is an arbitrary and unnecessary figure. Note it is not 90% of actors either. It is the bag holders of the bulk of the wealth. Far easier to imagine. And if you try to fork off into a world where the most important financial players have nothing, you will not be taken seriously. The money is more important than the crypto.
That is true. However, to the point made above, proof of work is actually using a scarce resource. If you fork a proof of work chain, the amount of mining power remains the same. You can’t mine both chains with the same resources. If you fork a proof of stake chain… everything just copies over. And then maybe if people play nicely in the name of being good crypto citizens they agree to only focus on one chain.
My (maybe naive) understanding is that proof of stake is actually better here, no? Stakers would need to commit to one particular fork and accept that their stake (in ETH) would be lost/slashed in all other forks.
In contrast, in PoW, there's nothing stopping miners from creating a hostile fork that is economically advantageous to them (despite maybe being "worse" overall) and then flipping back to the original chain if their fork doesn't work out. Their hash power can't be slashed in the same way stakers' ETH can be in PoS.
Doesn't a fork in both cases continue with the existing chain? In PoW that means that mining power has to be allocated between the two chains, thus constituting a vote for legitimacy. In PoS each party keeps their stake in both new chains and can vote in both of them. There is no need to pick a lane.
The validators choose which to support. If you think one will fail, you will be selling off the forked eth, bridging it over, and buying more eth on the chain you want to support.
> In a proof-of-stake world, each fork can have a valid voting majority of stakers. There's no actually-scarce resource to split, so no external mechanism to decide which fork is the "real" one.
So what really happened when a PoS chain forked? Justin Sun learned the hard way.
With Bitcoin and Bitcoin Cash (and Ethereum and Ethereum Classic), it's no different from a demerger from the perspective of a company shareholder. You own a greater number of shares because the company has split in two, but they are not the same shares. They are shares in different companies that have the same origin but will go in different directions. Same with those currencies. The current version of Ethereum works a bit differently, as explained elsewhere in this comment section.
The complication is a huge red flag for me. Enormous. Red. Flag. What are we missing in all that complexity? What perverse incentives and unintended consequences are hiding in all that?
Also, you can't even unstake your eth. The developers promise it's coming soon, but right now, you can't.
IMO complication is due to lack of good explanations and lack of understanding of the subject. Bitcoin’s PoW is complicated, the idea is simple but in practice you run into many insecurities (forks, confirmation time, lack of verifiable light client, rule of more work vs longest chain, 51% attacks and how to bootstrap a new chain, centralization of miners, etc.)
On the other hand the hotstuff protocol is much easier to grasp IMO (check my explanation in the book Real-World Cryptography)
PS: oh and also Bitcoin proof of security seems like a nightmare. It’s nice to create protocols that look simple but if you can’t prove their security it’s a bit dumb :) on the other hand the safety proof of hotstuff is quite comprehensive : https://www.davidwong.fr/lbft_safety/
Bitcoin's proof of work is not that complicated, even though you threw out some words that are peripherally related to it. Nice try though.
I had to look up hotstuff proof of stake. As far as I can tell that's not what Ethereum (the coin we are discussing here) uses? Not sure where you are going with this.
This line of thinking is quite difficult to get by in the modern world. Same applies to vaccines, or to your car, or to the food you eat, the browser you use, etc. In fact if you randomly look in your room right now it is very likely that you will be shocked (e.g. the complexity of the HDMI cable).
My HDMI cable is not asking me to trust it with my hard earned money ;-)
Vaccines and cars and everything else you hint at have been around a long time and the trade-offs are pretty well understood. Proof of stake (and its various implementations) has a long way to go before it reaches that status.
Compared to the likes of Ethereum, Bitcoin is super simple.
Compared to others, it's still somewhat complicated.
While the use of PoW for consensus is super simple (most cumulative difficulty wins), Bitcoin script is a huge source of complexity in itself, with tons of warts. As it turns out, you don't need script to do payments, multi-signatures, atomic swaps, discreet log contracts, bidirectional payment channels etc., i.e. nearly all of the functionality that script is used for.
All those can be done with so-called script-less scripts [1], which is mostly creative use of Schnorr signatures.
Bitcoin's emission is not that simple either with the reward halvings every 4 years. A fixed block subsidy (i.e. pure linear emission) is not only simpler, but arguably fairer too, avoiding a concentration of wealth on early miners/adopters, and leaving later generations more than mere crumbs.
> Bitcoin's emission is not that simple either with the reward halvings every 4 years. A fixed block subsidy (i.e. pure linear emission) is not only simpler, but arguably fairer too, avoiding a concentration of wealth on early miners/adopters, and leaving later generations more than mere crumbs.
The halving is probably the reason for the high tides of Bitcoin prices and the inflow of capital to all of cryptocurrency.
Agree, PoW + halving was good for the bootstrapping phase. Now it's a ticking time bomb with no obvious way to change course. Best solution of course is for bitcoin to adjust the schedule and do one final cycle to distribute the remaining coins, and then transition into being an Eth rollup, but good luck with that argument.
> A fixed block subsidy (i.e. pure linear emission) is not only simpler, but arguably fairer too, avoiding a concentration of wealth on early miners/adopters, and leaving later generations more than mere crumbs
Yet Ethereum had a premine of around 60M, roughly half of all existing coins today. Later emission seems negligible regarding fairness.
If your goal is to passively hold coins without losing share, Ethereum is the best option I know of.
With both PoS and PoW, a holder loses share when the total coin supply increases. On Ethereum at least, this is less of a problem with staking than mining, because staking is less costly so there's a tenth as much issuance.
However, with sufficient usage, the ETH supply actually shrinks, because a portion of fee revenue is burned. This means non-staking holders actually increase their share.
You are not supposed to buy ETH as a way to speculate on its price.
ETH is a resource used to represent processing and storage power. You can think of it as "AWS credits" that you can buy and use to run programs.
The absolute price of ETH is of no interest. The only meaningful number that you should care about is "what is the gas price compared to the ETH price", as in, "how expensive is it to access decentralized computing".
Speculating on ETH value is an investment strategy that is completely separate from ETH utility. People interested in the latter shouldn't care about the former. Just as people using AWS shouldn't really care about AWS stock price.
If I'm using AWS I definitely care about the stock price since if it goes to zero I'm gonna have to find a new cloud. Also I have to buy shares to run my program, apparently.
DAO hack? Ah, the incident where someone read the contract carefully and got completely screwed.
It's bizarre to me that people wrote a contract that says one can take the money in certain circumstances, but then completely refused to abide by that.
I really feel bad for the person who figured out how to get the money but then was denied by insecure bullies. What an absolute joke.
The primary one is that in the presence of byzantine faults it goes for consistency over availability, however the Avalanche ecosystem generally prefers that choice.
This seems like it would be extremely simple for tech folks to understand.
Strikes me as strongly analogous to why each of us doesn't run our own email server? Which, when email was first invented, may not have seemed like a bad idea, but in terms of scale something like federation works better?
Bitcoin is a money, Ethereum is becoming a Rube Goldberg machine to obfuscate the fact that it was issued as a security - where the issuers were paid WITH MONEY.
Yup. I've always said that Bitcoin is the grey brick cellphone or the Model T; the famous proof-of-concept that nonetheless ends up getting overtaken by better tech.
In the case of Bitcoin simple actually doesn’t mean more secure (since bitcoin forks constantly).
Simple protocols take time to land, and are often digestions of much more complicated protocols. We’ve seen that with TLS being simplified into Noise, or the sponge function for hash functions. If you look at the history of consensus protocols they are getting simpler and simpler as well, arguably hotstuff and streamlet and all the hotstuff variants are simpler and simpler to understand.