I mean, if Doctor Evil suddenly decided to spend tens of billions of dollars to destroy the three main credit card networks, he could probably do it. In fact, it might be easier and cheaper than attempting to degrade or bring down a distributed block chain network. The credit card networks are built upon many layers of ancient, pre-Internet technology, full of discoverable vulnerabilities and critical points-of-failure.
But we all know that it wouldn't happen. Doctor Evil would never want to do so, because even him, the most evil person in the world, would still want to be able to use his credit cards to eat out, go to the movies, and order stuff online. Also, he would never want to do something that would make him enemy #1 of every other person in the planet, including every other super-criminal!
What Doctor Evil actually wants to be able to do is figure out ways to steal or get balances from participants in the network without destroying the network: steal poorly protected wallets, hack into poorly secured exchanges, find ways to get blackmail payments on the network (e.g., by launching DoS attacks on the web), etc. The network itself is too useful to everyone for anyone to want to destroy it.
--
PS. For the record: I have no economic connection to Algorand the block chain nor to Algorand the company, but I'm (superficially) familiar with some of Silvio Micali's past work and also, I know one of the company's top executives. In my judgement, the Algorand block chain has great technology, and Algorand the company has really great people. Their main challenge, as I see it, is overcoming the powerful network effects already accruing to other block chains.
At the end of the day, Dr. Evil will gladly spend 10s of billions to destroy the network if doing so nets him 100s of billions. Stop listing reasons people won't attack the network and start listing reasons they would.
Therefore, the formal proof of security provided in the Algorand white paper does not resolve the nothing-at-stake problem, which is inherent to all PoS systems.
> about 30-45 accounts _which had stake at that time
The way this is stated makes it sound difficult. But if this is false history presented by a malicious node, surely they could make up anything, as the data does not need to line up with any official history at any point. (Without a trusted party, no history line is really official anyway, isn't it?). Constructing a history with 30 accounts with stake at any given point in time isn't any harder or easier than constructing 3 or 3000.
In practice, among the people who once staked large amounts of a proof-of-stake currency, most of them will probably continue being invested in its ecosystem moving forward. Even if they can't be personally punished for lying about the past, a successful history split would likely reduce the community's confidence in the currency, and thus its market value. Most of those people are also emotionally invested in the ecosystem and would not want to dishonestly subvert it. There will be exceptions. But to create an alternate history you need to subvert not just one validator, but most validators (or rather, validators who together control most of the currency being staked).
Unsure how pure PoS chains work, maybe they hard code an early block's hash? Like, it's not a legit xorcist-chain unless block #10 has hash #deadbeef
Or if a nation state or the central banks see it as an existential threat, they could consider it the cost of doing business? Maybe $30B to take out Algo or Solana and destroy trust in all PoS networks? That's a rounding error for them.
While you are correct that burning $30 billion dollars to destroy trust in PoS blockchains isn't that much money, I disagree that such an action would actually destroy trust in PoS blockchains. We have seen serious attacks on a number of blockchains, Ethereum for instance had enormous amounts of money stolen or destroyed via weaknesses in the blockchain. Yet Ethereum is still going strong. Bitcoin suffered 51% attacks that were used to perform double spends and Bitcoin is more valuable than ever.
It might be cheap to burn $30B to destroy a blockchain, but what if you burn $30B and the blockchain recovers 12 hours later.
It's _possible_ that a government might choose to attack a random small coin just to discredit the notion of PoS cryptocurrencies, but it's hard to picture a government gaining consensus to do it, and it would be obvious to knowledgeable onlookers that larger coins are immune (or anyway, much better protected), so the resulting disruption would probably be temporary.
> Proof-of-Stake attacks aren't about having 51% of the CPU that overwhelms a Proof-of-Work system, but about having 60-70% of the _value_ in the network.
If a nation buys 2/3 of the coin and destroys the network, investors (as a whole) take a 1/3 loss. Then they can (re)start another PoS coin.
Ironically the nation would be up against the old saying that the market can stay irrational longer than you can remain solvent.
You've outlined only one, the most obvious and least probable, mode of failure.
The more subtle and wildly prevalent failure mode is that the consensus will be set by the few whales, who will maximize their rent extraction at the expense of numerous small players, which will include most later adopters, aka the entire population of Earth.
It's already visible on smaller scale in DAOs, every vote resembles a banana republic: "90% voted, 90% in favour". No matter what smaller stakeholders do/say, the early big investors and dev team always win. Why would they structure it otherwise? The same dynamics exist in PoS, just not as grotesque.
Perhaps that's OK for a private company governance, but for a global currency?
You want the multibillionaires to dictate the properties of the medium of exchange that serves the entire globe? Seems rather strange that so many have such a burning desire to be governed by someone much richer than them.
Unless you have a citizenship based voting of some sort where a single person gets a single vote and they actually vote (automatically I guess and assuming without delegating to the big whale because "I am bored") what do you think agreement via resource scarcity implies?
P.S. Also lobbying...
It gets a lot more complicated than that because setting up competing systems is cheap. It is like saying "nobody would write this piece of software for free". What we learned with open source is if the cost of distribution gets low enough then there needs to be just one person somewhere on earth willing to maintain it and it can work.
If the cost of creating trustworthy local (or international) monetary systems is basically 0 then it isn't obvious that plutocrats have an advantage beyond the one they already have by virtue of being powerful. If they can force you to use their system they already control the government so didn't need any technical help.
And that's where competition between currencies provides checks and balances against such pathological behaviours.
I've been wondering about that recently - for all of the excitement about DAOs and Governance Tokens, are there any good examples of interesting decisions being made via their voting mechanisms?
What are some places I can go to see recent votes and their outcomes?
People will opt out of currency regimes that are abusive. This is not like a terrestrial government where you are fucked for life because a bureaucracy controls the land you live on. You don’t have to immigrate to escape a corrupt currency. And you don’t have to all-in in one currency.
If you own dozens of coins, you liquidate the shitcoin that is controlled by corrupt tycoons.
Somebody tell him about the r-family.
Just how it works.
Aren't you just describing capitalism here? The people that created the system and own the biggest share of it have gigantic influence on it. Matter of fact, isn't that exactly what happened in ethereums PoW network, too? The developers decided to switch to PoS regardless of what the current participants want.
In general, isn't the idea of using PoS that if you aren't happy with the current system, you can easily fork into a competitor? If enough people think the current system is unjust, then you can switch to the new one, where you will be part of the development. At the beginning of the fork you also wouldn't need that much compute, as PoS is more efficient and you aren't going to have many users/transactions in the first place.
Since it's easy to switch currency (at least easier than privately setting up a Dollar 2.0), members of the original currency have to behave fairly, else people are going to switch. Note: The thing people are switching to doesn't even have to be better in any way than the original currency. It just has to have different controllers to influence the members of the original system.
The way I see it, is that there's no meaningful way in which PoS based currencies are worse than the current monetary system: large stakeholders in current global currencies also have gigantic leverage (think of money printing during the pandemic or bailouts after the 2008 financial crisis). The real advantage I see with PoS systems is not the system itself, but the tooling that comes with it and allows for the development of competitor currencies that check the power of each other. With current global currencies there's no checks-and-balances system inside the monetary decision making process, while a fleet of independent PoS has the chance for checks and balances to be induced through competitive pressure.
Isn’t the whole point that by that time he would have withdrawn from the network so he would sink it without losing anything himself.
Not if he’s undetected and does it for years while extracting value at key points in time.
There are numerous people who could put up $50B with the ability to get very high returns.
It’s not even worrying about Buffet. I worry about hedge funds and sovereign wealth funds that would definitely manipulate PoS if it earned enough for them.
Is this a problem in practice? As the article says, no ... but only because there is a sort of vaguely specified "proof of authority" that backs the current chain, which actually just reintroduces centralization. The author cites the Bitcoin Cash and DAO/ETH Classic forks as cases where that proof of authority gets tested and shows the actual centralization.
It's my understanding that Algorand has something on top of pure PoS that ensures the consensus (which the article says is necessary) so I'm not sure the same criticism is applicable there, but can't comment further until I get more familiar.
I don't mean to be rude here, but none of what you have said refutes my point.
The attack here is that you control keys that (1) once held 67% of the value, and (2) no longer do. Because they did hold value once, they are dangerous to consensus. Because they no longer hold value, nothing is sunk into the network, so the attacker bears no cost or risk.
To apply your analogy: I don't have to be Warren Buffet, I just have to riffle through his trash.
You can't do that with PoW without "additional" consensus rules, which is that slippery slope to PoS!
In PoW all hashrate is always voting and security is paid for external expenditure, not something virtual within the system.
PoS is a scam and you should stop supporting it.
As long as a sufficient number of people believe some currency has value - it has value. If they don't believe, it doesn't have value, and the stakes are worthless too.
The problem eventually reduces to Ken Thompson's "Trusting Trust" [1] problem. There's no way to externally validate the honesty of any system (cryptocurrency, or otherwise).
[1] https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_Ref...
So long as you have a general idea of how much hash power is being used currently for the network, or even just how efficient ASIC computing is in general at your point in history, you can work out how great the hashing difficulty should be. You can trivially verify that the block hash with a large number of preceding zeros, e.g. 0000000000000000000b98dd8e7504793c0644cb0c27eb98f06aab9ea93c4ec2, is the hash of block it's attached to, and that a hash value that small would require a huge amount of energy to find. And every block beneath it also required a huge amount of energy, creating a huge real world economic cost to produce. You can't fake that chain without equivalent sacrifice of energy and compute resources.
Anyone trying to deceive you with a false chain would have to expend approximately as much energy as the entire legitimate bitcoin network does, and then keep doing it for as long as they want to deceive you. Sure, that theoretically could happen, but the economic incentives to do it just aren't there.
However, that presumes all forks are soft forks; that you are presented a correct chain; that you want the soft fork with consensus rules accepted by most miners. (If verifying with an old bitcoin client the BCH BCT split will be resolved for you without you having a say.)
In summary, PoW has less need for Phone a Friend than PoS. But it still has some problems.
What if Bitcoin and Bitcoin cash had the exact same amount of hashing? Which is the true Bitcoin and why?
And you assume that attackers will never have enough computing resources to execute a 51% attack – which could happen because the currency’s value falls enough that people stop mining it, because an extraordinarily well-funded entity decides to attack it, or because someone manages to hack the miners…
Then you do gain the security guarantee that if you see multiple competing branches of the blockchain, you’ll know which branch is the correct one (namely, whichever is longest). However, you’re still relying on phoning your “friends” (nodes you’re aware of) to tell you what blocks exist! If they all keep the true longest branch a secret from you (or, say, someone blocks your Internet connection to the nodes that aren’t willing to do so), then you will think the next longest branch is the correct one.
To be fair, that isn’t the most practical attack. But none of the risks being discussed here are remotely practical. In practice, nobody wants to connect an outdated client to a blockchain network because it risks (a) getting yourself exploited through known vulnerabilities in the client, (b) not working due to backwards incompatible protocol changes or bugs, or (c) missing a hard fork that might have happened over disagreements in policy changes (because there are always policy changes). So you update your client, and that means you have to rely on a “friend” to tell you which software you should be running.
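Two points in the comments above lend themselves to a worked check: that anyone can re-hash a header and confirm it really meets its declared target (and that a chain with a lot of accumulated work cannot be faked cheaply), and that when a node is shown competing branches it ranks them by cumulative work rather than by block count. The following is an added example, not code from the thread or from Bitcoin Core; it uses Bitcoin's real 80-byte header layout, compact nBits encoding and double-SHA-256, but the genesis hash, transactions and difficulties are constructed so that the blocks mine in well under a second. It goes slightly beyond the comment by showing the most-work rule explicitly (the canonical branch is the one with the most work, which is usually but not necessarily the longest).

```python
import hashlib
import struct

# Constructed genesis hash for the toy branches below (not a real Bitcoin block).
GENESIS_HASH = hashlib.sha256(b"constructed genesis").digest()


def compact_to_target(nbits: int) -> int:
    """Decode the compact 'nBits' field of a Bitcoin header into its 256-bit target."""
    exponent = nbits >> 24
    mantissa = nbits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def block_work(nbits: int) -> int:
    """Expected hash attempts needed to find a header at or below the target; this is
    the per-block quantity that is summed into 'chainwork' to rank competing branches."""
    return (1 << 256) // (compact_to_target(nbits) + 1)


def header_hash(prev_hash: bytes, merkle_root: bytes, timestamp: int, nbits: int, nonce: int) -> bytes:
    """Serialize an 80-byte header (version 1, little-endian fields, hashes in internal
    byte order) and double-SHA-256 it; the digest is returned in display byte order."""
    header = (struct.pack("<I", 1) + prev_hash[::-1] + merkle_root[::-1]
              + struct.pack("<III", timestamp, nbits, nonce))
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()[::-1]


def meets_target(h: bytes, nbits: int) -> bool:
    """The proof itself: the hash, read as a big-endian integer, must not exceed the target."""
    return int.from_bytes(h, "big") <= compact_to_target(nbits)


def mine_block(prev_hash: bytes, merkle_root: bytes, nbits: int, timestamp: int = 1_600_000_000) -> dict:
    """Grind nonces until the header satisfies its own declared target (constructed miner)."""
    nonce = 0
    while True:
        h = header_hash(prev_hash, merkle_root, timestamp, nbits, nonce)
        if meets_target(h, nbits):
            return {"prev": prev_hash, "merkle": merkle_root, "time": timestamp,
                    "nbits": nbits, "nonce": nonce, "hash": h}
        nonce += 1


def build_branch(genesis_hash: bytes, length: int, nbits: int) -> list:
    """Mine a linked branch of `length` blocks, each with a constructed merkle root."""
    branch, prev = [], genesis_hash
    for i in range(length):
        blk = mine_block(prev, hashlib.sha256(b"constructed txs %d" % i).digest(), nbits)
        branch.append(blk)
        prev = blk["hash"]
    return branch


def validate_branch(branch: list, genesis_hash: bytes) -> int:
    """Re-hash every header, check linkage and that each hash really meets its target;
    return the cumulative work. Raises ValueError on any forged or tampered block."""
    prev, total = genesis_hash, 0
    for blk in branch:
        h = header_hash(blk["prev"], blk["merkle"], blk["time"], blk["nbits"], blk["nonce"])
        if blk["prev"] != prev or h != blk["hash"] or not meets_target(h, blk["nbits"]):
            raise ValueError("invalid block")
        total += block_work(blk["nbits"])
        prev = h
    return total


def demo() -> dict:
    """Two branches from one genesis: a short branch mined at a higher difficulty and a
    longer branch mined cheaply at a lower one. Work, not block count, decides; and a
    block whose contents were rewritten after mining is caught simply by re-hashing."""
    honest = build_branch(GENESIS_HASH, 2, 0x1F00FFFF)   # ~65k attempts per block
    cheap = build_branch(GENESIS_HASH, 6, 0x2000FFFF)    # ~256 attempts per block
    honest_work = validate_branch(honest, GENESIS_HASH)
    cheap_work = validate_branch(cheap, GENESIS_HASH)
    tampered = [dict(b) for b in honest]
    tampered[0]["merkle"] = hashlib.sha256(b"rewritten txs").digest()  # history changed, old hash kept
    try:
        validate_branch(tampered, GENESIS_HASH)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {"honest_blocks": len(honest), "cheap_blocks": len(cheap),
            "honest_work": honest_work, "cheap_work": cheap_work,
            "winner": "honest" if honest_work > cheap_work else "cheap",
            "tamper_rejected": tamper_rejected}


if __name__ == "__main__":
    print(demo())
```

Re-mining the tampered block would make it pass the hash check again, but only by paying the full expected attempts for it and for every block above it, which is the cost the comment describes; the cheap six-block branch loses to the two-block branch because its total work is two orders of magnitude smaller.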
For PoW, you'd have to know the hash of the start of the chain (the "genesis block") in advance to verify you downloaded the correct chain. That's true, but this hash doesn't change during operation. You could get that hash from a history book if you will.
For PoS, the hash is from the end of the chain and therefore constantly changing. This means the challenge of finding out whether the hash is the right one is a lot more real than in the PoW case, because there is no "common knowledge" to go by which hash is right.
Nope. You could fork the chain at a period of low difficulty and it would still stem from the genesis block. It would either be a short chain, or have clearly low difficulty though, so it wouldn't fool anyone knowledgeable. I'm not sure how you would leverage that chain for fraud.
No. For Bitcoin you can accept a chain with an arbitrary starting point and you would still arrive at the same chain everyone else uses.
Although you do need to have an idea of the earliest acceptable starting point-in-time — e.g. verifying a low-difficulty chain starting the year 200,000 BC (with one block every 10 minutes) would take quite a while
With PoW you don't care about the software code. The rules are dominated by the PoW because it literally proves to you which is the chain where most people are interested in, because literally no single entity could burn that much electricity.
With PoS on the other hand you kind of need these checkpoints in the actual software and then you have to activate this entire new trust model where you have to trust the client code, and where it came from etc. I could literally come up with an entire fake chain on my computer and present it to you and without client-checkpoints there would be no way for you to not accept my chain compared to your current one.
With PoW I don't have to trust anything. If the majority next year decides to change the rules, so be it. The majority has spoken.
Bitcoin for example still relies on a list of hardcoded nodes for bootstrapping clients. Not to mention very few people actually bother to verify the full chain (360GB and counting) from genesis.
As for auditing the integrity of the code or binary, it is signed by GPG keys hosted on public key servers accessed using X509 certificates pinned by a couple of trust anchors preloaded in your OS. So much for distributed consensus...
You can literally validate the entire chain with a simple python script. Millions of those on github.
>Not to mention very few people actually bother to verify the full chain (360GB and counting) from genesis.
Absolutely wrong. The chain is validated in its entirety upon first sync. 100% from genesis to tip.
>Bitcoin for example still relies on a list of hardcoded nodes for bootstrapping clients.
It doesn't. Longest valid chain with most work is the canonical chain. Hardcoded seed nodes exist to speed up the discovery.
All network participants are forced to verify the full chain from genesis. Some might be OK with validating block header signatures only, and not the full transaction set. It's a tradeoff.
You don't need to use those public key servers if you somehow distrust the CA certificates in your OS. Feel free to contact the repository maintainers or whatever else floats your boat.
Anyway, bitcoin is an open source protocol, not a particular client implementation. If you distrust everything and everyone, no one can stop you from building your own client that works with the rest of the network.
It does, but it doesn't have to. You can use any mechanism you want to obtain one initial node and take it from there. You will still be connected to the network just as well, and you will be guaranteed to obtain the same results. This differs from Proof of Stake, where the quality of the results will be influenced by the quality of the bootstrap.
If your chain tip is on the dead side of a hard fork (i.e. if the majority of the network will predictably soon finish switching away from software which considers your chain tip valid, to software which considers your chain tip invalid), then nobody cares if your chain tip is the longest in the interim, or how long you still hold out running the software that considers your chain tip valid. Your side of the fork no longer holds any economic value as a platform for transactions, so nobody will participate in it. You'll just be out there mining blocks all alone, blocks that say you earn all the virtual tokens, but where those tokens are worthless on your side of the fork.
It's a bit like how, in old pre *serv IRC networks, in cases of netsplits, you could end up on a partition of the network where you were the only one in a previously-moderated channel; and so you could effectively do whatever you wanted in that channel. But it didn't really matter, because nobody could hear you.
You could follow the consensus rules set out from the beginning and you would still end up on today's majority chain.
I believe there were a couple of early bug fixes along the way, which makes this not strictly true. As in the original first release of the software not actually capable of downloading all of the chain, which some people love to point to as a proof of it being a fallible system. This is probably true but doesn't really detract from the original point of guaranteed ownership by never relaxing the consensus rules.
also, hi, long time! maksym here =)
You mention “POW forks”, but Bitcoin’s POW has never been hard forked: you’d need to trust a Bitcoin expert to tell you if it was a good idea.
And with proof of work a lawsuit could force the distributor to change the consensus rule so that a particular transaction is invalid - just as Ethereum did voluntarily with the original DAO.
> You mention “POW forks”, but Bitcoin’s POW has never been hard forked
Instead it’s been soft forked, which turns the consensus rules into a popularity contest. If a soft fork produces two competing branches of the blockchain, old clients will go with whichever branch has more mining power. Which means you open yourself up to interesting attacks like convincing 51% to literally steal the funds of the other 49% (which is much worse than a mere double spend). Or, more realistically, in the case of a contentious soft fork that ends up roughly fifty-fifty, you could ‘just’ end up on a different side of the fork from the people you want to transact with. Either way, soft forks don’t make the downsides of policy changes go away.
In Proof of Work, a lawsuit could force the distributor of the software to hard-code a transaction that reverses the coin theft. But in both the PoS case and the PoW case, anyone using that client would be partitioned off from the honest network majority.
> You mention “POW forks”, but Bitcoin’s POW has never been hard forked: you’d need to trust a Bitcoin expert to tell you if it was a good idea.
Bitcoin's PoW forked in 2013, when a database upgrade to the software made it incompatible between two recent versions. The Bitcoin developers had to jump in and tell people which PoW fork to follow and which one to abandon.
But this attack has never been performed because the reality of all these cryptocurrencies is that the security depends only relatively weakly on proof of work. Instead it relies on trust between the main stakeholders: miners, big nodes and developers. This is just like any other human organisation. That trust is only reinforced by proof of work, making it easier for new parties to become trusted.
Proof of work networks with the same hash algorithm are a threat to one another, particularly, if a network exists that is profitable enough to have exorbitant resources dedicated to mining, those resources are available to attack a much smaller network if that becomes more profitable for some period than just continuing to mine the bigger one.
Proof of work then only protects the largest projects using unique hash algorithms.
Edit: I was looking for the article I was referring to and saw that Ethereum Classic (ETC) has been attacked since via just that method. https://www.coindesk.com/markets/2020/08/29/ethereum-classic...
To execute a double spend, you, the one sending the transaction, and the miner must coordinate.
For large transactions, it is recommended to wait for six confirmations. (six blocks that agree with the transaction and have not been 51%ed.)
The 1 hour 51% cost of Bitcoin is $1.9M. However, you would need much more time than that to find six consecutive blocks alone, without the help of the network. So, while the network is 6 blocks ahead, you need to find 7 blocks. The network moves forward a block, you must move forward more than one block to catch up. This could take a long time, and longer the more confirmations required: each confirmation makes each previous transaction exponentially more secure. Simply controlling the mining power momentarily only leaves recent transactions vulnerable.
However, that much hardware is available for rent; see "Nicehashable."
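The "exponentially more secure per confirmation" claim above is the calculation in section 11 of the Bitcoin whitepaper: an attacker holding fraction q of the hash power, z blocks behind, catches up with probability 1 - sum over k of Poisson(k; z*q/p) * (1 - (q/p)^(z-k)), and with certainty once q >= 1/2. The block below is an added example that implements that formula and, going slightly beyond the comment, derives the number of confirmations needed to push the catch-up probability under a chosen risk; it is not code from the thread or from any Bitcoin client, and the q values and risk threshold are constructed inputs.

```python
import math


def attacker_success(q: float, z: int) -> float:
    """Probability that an attacker with hash-power share q, starting z blocks behind
    the honest chain, ever produces a longer branch (Bitcoin whitepaper, section 11).
    Assumes the honest share is p = 1 - q and that block arrivals are Poisson."""
    p = 1.0 - q
    if q >= p:
        return 1.0                      # gambler's ruin: a majority always catches up
    lam = z * q / p                     # expected attacker blocks while honest mine z
    total = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


def confirmations_for_risk(q: float, max_risk: float) -> int:
    """Smallest number of confirmations z such that the catch-up probability is
    below max_risk. Raises ValueError for q >= 0.5, where no z is ever enough."""
    if q >= 0.5:
        raise ValueError("a majority attacker can always reorganise the chain")
    z = 0
    while attacker_success(q, z) >= max_risk:
        z += 1
    return z


def risk_table(q: float, depths: range) -> dict:
    """Catch-up probability per confirmation depth, e.g. to inspect the decay rate."""
    return {z: attacker_success(q, z) for z in depths}


if __name__ == "__main__":
    # Constructed inputs: a 10% and a 30% attacker, and the whitepaper's 0.1% risk level.
    for q in (0.1, 0.3):
        for z, prob in risk_table(q, range(0, 11)).items():
            print("q=%.2f z=%2d P=%.7f" % (q, z, prob))
        print("q=%.2f needs %d confirmations for P<0.001" % (q, confirmations_for_risk(q, 0.001)))
```

The usual "six confirmations" figure is what this yields for a roughly 10% attacker at the 0.1% level; a 30% attacker already needs several times as many, and the function refuses to answer at 50% or more, which is the regime the "rent the hash power" comments are about.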
In other words, it relies not on one central authority but on a small clique of central authorities.
It’s not a flaw if it’s only theoretical. In practice, no miner with billions of dollars of capital bound in mining hardware would rent it out to someone who might do something that would significantly depreciate this capital (e.g. attack the Bitcoin network).
The whole point of proof of stake is that you can only sign blocks or messages while you have something staked. When you withdraw you are no longer allowed to sign anything.
He also didn't need to spend 1000 words going on about the history of bitcoin and proof of work.
This is literally just a filler piece with a provocative clickbait title to stir up the anti cryptocurrency folks here
The obvious argument here is "the one that was signed first will then have other blocks built on top of it". But since there's no PoW, building a parallel blockchain is trivial to compute, the only restriction is being able to produce something that's actually convincing enough. That and having people say "well, I was there at the time and I saw a different block than this", but that's just relying on authority rather than something that can be proven within the system.
Basically, PoS requires something external to the system to prove that history hasn't been changed. PoW technically does too, but what it relies on is "physics" and "provable historical fact" (i.e. approximate computing power available in the past).
You certainly can build a system that depends on something external to itself to ensure its consistency, but this challenges its claim to being "decentralized" and limits the amount of trust you can place in the system (and consequently the power of what it can do).
In short:
If you take the pbkdf2 key derivation function: its job is to slow down hashing a thousand fold or so, so that hashing an entire search space becomes impractical. You give your secret in input, and it gives you a hash, let's say, in 1 second. You'll have to spend the time again to recompute the hash. With a faster machine, you can compute in maybe 100ms, but still, there is a limit in how fast you can obtain the result.
Now change the cryptographic properties of pbkdf2, so that you can go back from the output to the input in constant time, so you can find the secret from the hash in O(1). Then, it becomes useless for actual secrets, but you now have an instantly verifiable proof that a certain amount of time (or serial computation) had to pass to get from the input to the output. Plug the input to the previous block hash, and embed the result in the next block, and you have your clock, based on physics and provable historical facts.
But I didn't withdraw my stake. I have a whole chain of blocks saying I never withdrew anything and it's perfectly valid because I signed it, and I still have a stake. Oh, you have another chain that says I did withdraw? Who are we going to believe? Who was first?
And then produce a big fake chain from 10,002 (in the middle of the time you were staking) -> 10,000,000 later, with an alternate history in which you didn't stop staking.
I don't think this attack is particularly realistic for a lot of reasons, but PoW does have some small amounts of additional strength against these scenarios.
Allowed to by whom?
Who's to punish me if I disobey them?
After withdrawal is completed, your node would no longer be in the set of active validators and from that time could not validly propose a block or submit an attestation (or, more accurately, be selected as a block proposer, etc.)
> That key is valid to sign any number of versions of, let’s say, block #200, and there is no objective, system-internal standard for which version is legitimate, other than “the one that was published first”.
The real block #200 will have hundreds of attestations courtesy of randomly-selected validators, each of those signatures attesting to its validity and finality.
That's what PoW provides that PoS just doesn't. Immutability.
In fact, I would argue that one of the most important products of bitcoin, is providing the hardest, most immutable database human civilization has ever created. We could theoretically lose it and we could control and manipulate what goes into it going forward, but once a piece of data gets confirmed and buried under a few days worth of bitcoin's PoW, it can never be changed or removed from the blockchain. This is a severely undervalued use case in my mind.
I suspect that most PoS coins will eventually decide to periodically peg themselves into bitcoin's blockchain to timelock their blockchains and provide some immutability to their users.
Having said that, humanity probably only needs one PoW blockchain. Bitcoin.
> If you compromise or coerce enough validators, you can rewrite the history for no cost.
If you can. You would need to compromise thousands of randomly selected validators just to forge one block. That impossible task notwithstanding, the validators are selected with maybe five minutes' warning.
PoW doesn’t even offer absolute immutability, it’s just longest fork wins. Which is secure because of the economics, not because of a notion of perfect immutability.
Likewise, ETH2 provides a definition of finality that’s backed by economics.
But it can, in the exact same manner as described in this article: have a 51% attacker build up a long chain and hide it from the world; then publish it.
PoW is vulnerable to exactly the same type of attack described in this article. In order to build a longer chain with non-negligible probability, you need to stake at least 51% of the pool.
Could someone put child porn in the blockchain? Would that have legal consequences for anyone using Bitcoin in places that have laws about such porn?
This is not FUD, it's the most obvious PoS flaw, called long range attack, and the reason PoS chains often need more checks to be more trustworthy (e.g. keeping hardcoded checkpoints, choosing the first received block as valid, introducing penalties and so on).
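To make the long-range attack and the checkpoint mitigation named above concrete, here is an added toy proof-of-stake validator; it is not code from the thread or from any real PoS client. Validators A, B and C are constructed, HMAC-SHA256 with a per-validator secret stands in for a real signature scheme, and a block is valid when signed by more than two thirds of the stake recorded by the previous block. A and B once held 70% of the stake and later withdrew; their old keys can still produce a self-consistent alternate history branching from the time they were staked, and a purely internal rule cannot tell it from the real one. A hardcoded checkpoint, one of the external checks the comment lists, is what rejects it.

```python
import hashlib
import hmac
import json

# Constructed validator keys: an HMAC secret stands in for a real signing key here.
KEYS = {"A": b"constructed-key-A", "B": b"constructed-key-B", "C": b"constructed-key-C"}
QUORUM = 2 / 3


def block_id(blk: dict) -> str:
    body = {k: blk[k] for k in ("height", "prev", "stake", "payload")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def make_block(prev_blk: dict, stake: dict, payload: str, signers: list) -> dict:
    """Build a block on prev_blk; `stake` is the distribution in force after this block."""
    blk = {"height": prev_blk["height"] + 1, "prev": block_id(prev_blk),
           "stake": stake, "payload": payload}
    h = block_id(blk)
    blk["sigs"] = {n: hmac.new(KEYS[n], h.encode(), "sha256").hexdigest() for n in signers}
    return blk


def sig_ok(name: str, h: str, sig: str) -> bool:
    return hmac.compare_digest(hmac.new(KEYS[name], h.encode(), "sha256").hexdigest(), sig)


def verify_chain(chain: list) -> bool:
    """Internal-consistency rule only: linkage is intact and every block carries valid
    signatures from more than QUORUM of the stake that the previous block records."""
    for prev_blk, blk in zip(chain, chain[1:]):
        if blk["prev"] != block_id(prev_blk) or blk["height"] != prev_blk["height"] + 1:
            return False
        h = block_id(blk)
        signed = sum(prev_blk["stake"].get(n, 0) for n, s in blk["sigs"].items() if sig_ok(n, h, s))
        if signed <= QUORUM * sum(prev_blk["stake"].values()):
            return False
    return True


def verify_with_checkpoint(chain: list, checkpoints: dict) -> bool:
    """Checkpointed rule: the chain must also pass through every externally known
    (height -> block id) pair, which is knowledge the chain itself cannot supply."""
    ids = {blk["height"]: block_id(blk) for blk in chain}
    return verify_chain(chain) and all(ids.get(h) == hid for h, hid in checkpoints.items())


GENESIS = {"height": 0, "prev": "", "stake": {"A": 35, "B": 35, "C": 30},
           "payload": "constructed genesis", "sigs": {}}


def build_scenario():
    """Honest history: A and B sign while staked, withdraw at height 3, C continues alone.
    Long-range fork: the old A/B keys rewrite history from height 2 as if they never left."""
    full = {"A": 35, "B": 35, "C": 30}
    h1 = make_block(GENESIS, full, "tx batch 1", ["A", "B"])
    h2 = make_block(h1, full, "tx batch 2", ["A", "B"])
    h3 = make_block(h2, {"C": 30}, "A and B withdraw", ["A", "B", "C"])
    h4 = make_block(h3, {"C": 30}, "tx batch 4", ["C"])
    f3 = make_block(h2, full, "never withdrew", ["A", "B"])
    f4 = make_block(f3, full, "fake batch 4", ["A", "B"])
    f5 = make_block(f4, full, "fake batch 5", ["A", "B"])
    return [GENESIS, h1, h2, h3, h4], [GENESIS, h1, h2, f3, f4, f5]


def demo() -> dict:
    honest, fork = build_scenario()
    checkpoints = {4: block_id(honest[4])}   # obtained out of band, e.g. shipped with the client
    return {"naive_accepts_honest": verify_chain(honest),
            "naive_accepts_fork": verify_chain(fork),
            "checkpoint_accepts_honest": verify_with_checkpoint(honest, checkpoints),
            "checkpoint_accepts_fork": verify_with_checkpoint(fork, checkpoints)}


if __name__ == "__main__":
    print(demo())
```

Note that the fork is also the longer of the two chains, so a "longest valid chain" rule picks the wrong one; the checkpoint is doing the work, and where it comes from (the client binary, a trusted node, a friend) is exactly the external trust the thread is arguing about.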
It was voted for by 8000+ validators. Many of them have been validating since beacon chain genesis a year ago. There are like 260k validators active right now.
I find it highly unlikely some entity is going to come along and try to pretend their alternate history, with a whole new set of hundreds of thousands of validators (which wouldn’t be supported by any ETH1 deposits) and millions of signatures signed by 260k freshly generated public keys, is in any way legitimate.
But I'll try to explain here, why the author thinks that PoW is magical. It's still bound to the readers, or philosophers, to pull whatever they want from this.
Proof of Work creates time. In a decentralized system, you don't have time. If time was provable, the double-spending problem would not happen. You would sign a transaction and broadcast it; a second transaction that you would sign later, will have a higher timestamp. Obviously, you can sign a transaction later and have a lower timestamp, there is nothing that prevents you from that.
What Proof of Work does, is create an arrow of time. Using this arrow of time, the nodes create a ledger (the blockchain).
The OP is arguing that PoS cannot create an arrow of time; and as a result, the PoS is still liable to the double-spending problem.
Can't you sign two transactions at the same time? If yes then you could double-spend even without faking timestamps.
The timestamp of a transaction in the bitcoin blockchain is the block height. The actual timestamp is merely informative.
Ok. Go break one of the many existing systems that operates using proof of stake then. If you've done this, you should be leading your article with it. If you haven't, you shouldn't be speaking.
Proof of stake is not some theoretical thing being proposed in the abstract. Many systems operate on it as we speak.
about 40% in:
"Because of all the arguments above, we can safely conclude that this threat of an attacker building up a fork from arbitrarily long range is unfortunately fundamental, and in all non-degenerate implementations the issue is fatal to a proof of stake algorithm’s success in the proof of work security model. However, we can get around this fundamental barrier with a slight, but nevertheless fundamental, change in the security model." —Vitalik Buterin, saying the quiet part out loud
Security model in PoS = trust the rich. Some like having masters, whatever floats your boat.
I skimmed it. It made no serious arguments. If it had a serious argument, it would have exploited one of the many existing proof of stake systems.
> Security model in PoS = trust the rich. Some like having masters, whatever floats your boat.
You mean...exactly like PoW mining?
Same for PoW.
Crypto currency, whether PoW or PoS, boils down to "give the few rich all the power while giving the many less rich an illusion of security".
In PoW it just slightly tweaks "richness of money" into "richness of computation resources (which you get through money)".
This difference has complicated effects like:
- benefits anyone with cheap electricity (i.e. either places with no environmental protection, government support in some way, or the few places with cheap clean power)
- benefits anyone with good connections to chip factories
- the investment needed for gaining power being less bound to the currency itself but computation power instead
We should not confuse the two topics. It's entirely possible to have a chain where the consensus is established by PoW, yet the monetary base is created by decree without any wasted resources, for example gifted to some charities or dropped by helicopter to anyone who has a Twitter account.
While the security PoW chains create is proportional to the amount of resources spent, there is absolutely no reason to think the current level of burn in Bitcoin is optimal - and strong reason to think that there is massive waste, that is, Bitcoin protects against double spend to a degree orders of magnitude harder than what a credible attacker might be willing to spend. What results is wasted energy that brings no tangible security to the users of the currency.
PoW is apparently bad for the environment. So it leaves us in an interesting situation.
The Ethereum project has shown that the concept of decentralization only applies when it's on their terms. It's not a true principle.
But one thing that's extremely apparent, is that for the past 10 years, the crypto community has been 95% greed, 5% innovation. With the innovation part having picked up speed only the past few years.
At first, it was the an-cap dream. Decentralized, trustless, govt free internet money. No longer were you a prisoner to slow bank-transfers, expensive middle-men (PayPal, etc.), and could purchase whatever you wanted.
Then the price shot up, and everyone wanted to become rich. So people "agreed" that BTC is no longer a coin made for spending, but rather a storage of value. Like gold. Use altcoins if you actually want to spend your crypto. But who wants to spend any, with the rising prices?
Meanwhile, centralized banks, 3rd party businesses, etc. have solved all the personal finance issues that plagued us 10 years ago. In most countries today, you can transfer money pretty much instantaneously, without getting anxiety every time you press "send".
I'll give DeFi, Dapps, etc. credit - they've finally managed to roll out usable things, but it's still way, way too hard for regular users. And most regular people do not give two shits whether something is decentralized and trustless.
I can think of multiple legit uses for the blockchain technology - but I'm gonna be honest, I'm having a harder and harder time seeing how cryptocurrencies will replace any national currency. As of right now, it's almost purely speculation and get-rich-quick schemes.
We're still in the wild west, but it's not gonna stay that for long. With regulations looming around, it's just a matter of time.
But I digress
Now if a proof of stake includes a VDF that needs to be computed for every block, then a long-range attack needs to recompute the VDF outputs as well. This is infeasible as it will take a long time given the correct choice of VDF parameters.
Notably, the Chia blockchain mentioned in the article would succumb to long-range attacks as well were it not for their usage of VDFs [2, p. 17].
[1] https://eprint.iacr.org/2018/601.pdf [2] https://www.chia.net/assets/ChiaGreenPaper.pdf
this...sounds exactly like proof of work?
It looks like the author read about PoS circa 2014 and hasn't read anything written or done since then. It's true that the "nothing at stake" problem exists, but there are tons of practical solutions and mitigations that work, many of which are already deployed and protecting >$100M. Soon ETH will be securing trillions with such mitigations.
To address the specific points the author makes:
1. If a node signs another version of the same block within a reasonably short time period, “slash” their deposits (e.g. punish them inside of the system)
You don't have to know which came first, just like in BTC. You just need a longest chain rule with the property that the longest chain is final after a certain point (subject to certain assumptions about the % of stake that is honest). This is how nearly every blockchain works and it's not special in proof of stake.
2. If a node signs another version of the same block, like, a year later, just ignore it.
Yes, that's fine. Lots of chains do this. It's called a "finality mechanism". Even ETC has one called MESS while still using proof of work (although MESS is probably broken). Bitcoin could add one too. This is orthogonal to PoS vs PoW.
---
Somebody has a stake in a PoS crypto currency. They can now do two things: 1) sell their stake 2) sign something fraudulent (like a double spend).
Since there is no decentralized timestamp service, a node validating those two actions doesn't know how to order them, so different validating nodes come to different conclusions, and no global consensus is reached.
---
Is that what the article is trying to say?
And if yes, isn't the solution fairly easy? Within the same "chain link" of the block chain, require each action signed by the same private key to have a strictly monotonic sequence number, and if two actions appear with the same sequence number, discard both these two and all actions signed by that private key.
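The rule proposed in the comment above, implemented as an added example (not code from any real chain): actions are modelled as (signer, sequence number, payload) tuples, signature verification is assumed to have already happened, and the extra handling of stale sequence numbers (rejecting only the replayed action rather than the whole key) is my assumption, not part of the comment.

```python
"""Per-key sequence-number rule for the actions inside one block.

Added illustration; the block contents, key names and the treatment of
out-of-order (non-duplicate) sequence numbers are constructed assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Action = Tuple[str, int, str]  # (signer key id, sequence number, payload)


def apply_sequence_rule(block_actions: List[Action], last_committed: Dict[str, int]):
    """Validate one block's actions under the sequence-number rule.

    Returns (accepted, rejected, discarded_signers, new_last_committed):
      - a signer that uses the same sequence number twice in the block has
        ALL of its actions in the block discarded (the comment's rule);
      - an action whose sequence number is not strictly greater than the
        signer's previous one (committed earlier, or earlier in this block)
        is rejected on its own as a replay/out-of-order action (assumption).
    """
    # First pass: find signers that equivocate on a sequence number.
    seq_counts: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for signer, seq, _ in block_actions:
        seq_counts[signer][seq] += 1
    discarded: Set[str] = {
        signer for signer, seqs in seq_counts.items() if any(n > 1 for n in seqs.values())
    }

    # Second pass, in block order: enforce strict monotonicity per signer.
    committed = dict(last_committed)  # start from what earlier blocks fixed
    accepted: List[Action] = []
    rejected: List[Action] = []
    for action in block_actions:
        signer, seq, _payload = action
        if signer in discarded:
            continue  # every action of an equivocating key is dropped
        if seq <= committed.get(signer, -1):
            rejected.append(action)  # replay or out of order; drop this one only
            continue
        committed[signer] = seq  # advances the per-key watermark within the block
        accepted.append(action)
    return accepted, rejected, discarded, committed


# Constructed sample state: highest sequence number already committed per key.
SAMPLE_LAST_COMMITTED = {"alice": 0, "carol": 3, "dave": 2}

# Constructed sample block. "bob" signs two different actions with the same
# sequence number (the sell-stake / double-spend pair from the comment).
SAMPLE_BLOCK: List[Action] = [
    ("alice", 1, "transfer 5 -> bob"),
    ("bob", 5, "sell stake to exchange"),
    ("alice", 2, "transfer 1 -> carol"),
    ("carol", 7, "stake 10"),
    ("bob", 5, "sign conflicting block on fork B"),  # same seq as bob's other action
    ("carol", 6, "transfer 2 -> alice"),             # arrives after seq 7: out of order
    ("dave", 2, "transfer 4 -> bob"),                # seq 2 already committed: replay
    ("alice", 3, "transfer 2 -> dave"),
]


def run_sample():
    """Apply the rule to the constructed block; used by the checks below."""
    return apply_sequence_rule(SAMPLE_BLOCK, SAMPLE_LAST_COMMITTED)


if __name__ == "__main__":
    acc, rej, disc, state = run_sample()
    print("accepted :", [(s, n) for s, n, _ in acc])
    print("rejected :", [(s, n) for s, n, _ in rej])
    print("discarded:", sorted(disc))
    print("new state:", state)
```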
> you can sign a transaction later and have a lower timestamp, there is nothing that prevents you from that.
Then you lose decentralized property.
This only means that each holder of a private key must have some sort of synchronization mechanism (if they use several agents/clients), but it doesn't centralize the whole network.
Yes both PoW, PoS solve the double-spend problem, but in a brute-force way. And they never really get rid of the ambiguity of which chain is the one to go by. They just aggregate all the little ambiguities into one or another consistent version of history (a chain) and let them duke it out by massive electricity or stake or whatever. But at any moment, someone could have been mining a chain in “secret” and will emerge to thwart the rest of the network for a while.
There is a better way. Blockchains are actually quite centralized since to make any progress every N seconds you need to send all transactions in the entire world to one miner, and the block is limited in size. Actually it’s worse than that in Proof of Work — because you don’t know who will solve the silly problem, you have to gossip every transaction to every miner!
Oh yeah, and if you store UTXOs then you have to store the history of everything. And even if you didn’t, you have to store the current state of everything. Oh how nice and decentralized! LMAO
I don't get your criticism. Why does requiring gossip to every node cause centralization? Why does everyone having the current state of everything cause centralization?
There are various aspects of centralization. This is one major aspect: a bottleneck. Just like when all Web 2.0 conversations in the world would have to go through a centralized server. Even if it was a different server each time, it’s still an extremely centralized topology for that state transition.
It means that there can only be one transaction at a time for the whole world, no matter how many computers join the network. No concurrency — it is also why you can have flash loans. This is why Ethereum is called “the world computer” and why Bitcoin failed at being a peer to peer cash system and became a store of value.
It’s very astonishing that the HN crowd still doesn’t understand blockchain after 13 years.
The article is complete nonsense because:
1. The author thinks that PoS is about having computing power. If someone thinks that, they seriously don't know anything about PoS and haven't done any research.
2. Proof of Work is 100x more centralized because 2 companies control the majority of mining equipment production and 4 companies control the hashpower including all kinds of attack vectors, instead of the around 200 entities in PoS.
3. There are many attack vectors for the PoW model of which many only require malicious behaviour of 1 person, be it the CEO of one of these companies or a disgruntled worker that is bribed with a couple of million dollars.
4. The cost of taking over consensus for a PoS network, such as Solana or Ethereum 2.0, requires billions or trillions of dollars worth of coins that then all would rank heavily in value.
That's why PoS is around 1,000x - 1,000,000x more secure than PoW depending on how big the market cap of the PoS network is.
> If the broad masses of people disagree with the platform landlord, their opinion will be altered to conform with the rules, or else they will no longer have a voice.
We really need to fix that problem.
I know GitHub were only following the DMCA but it shows they have the capability to not only remove the project but also all of its forks.
Reminds me a bit of the "free speech zones". It's a poor facsimile of true freedom of speech.
Seeing as the new public squares are, by and large, digital spaces controlled by megacorps, we need to expand the first amendment to apply to private enterprise.
Not sure if these quips are meant to be jokes or serious, but nonsense like this detracts from the credibility of the argument. Nobody believes the data corresponding to an NFT cannot be copied.
Am I wrong? Would gladly read counter arguments.
But it’s easier for most people to delegate to another party. This is where decentralized staking pools for ETH2[1] built around smart contract interactions could be a good alternative for many users, and may compete with centralized staking platforms.
The mere fact that these peer-to-peer and decentralized alternatives exist, and that some portion of users will prefer to use them, is what makes this technology distinct.
[1] - https://rocketpool.net/
Rocketpool [1] also recently launched which is a decentralized service that makes it super easy to setup your own node, and more profitable than staking anywhere else.
My node is generating the normal staking rewards (~5.5%), plus another 12% bonus (from ETH from individuals being paired with my node), plus another 50% in RPL rewards. That 50% will surely drop, but it will always be better than just staking by itself.
RocketPool also allows individuals to stake as little as 0.01 ETH, the same as centralized exchanges, but it's decentralized, and they get rETH in return, which they can use in Decentralized Finance, giving them even better returns.
Put together Rocketpool gives better returns in a more decentralized way than any centralized exchange does, and unless you're really new and don't want to move off your exchange, it's a no brainer better alternative.
Who personally verifies every contract they use? Wallet implementation? Cold wallets are closed-source, trust-me devices, maybe with a security certificate from a centralised, government-linked security org.
The strongest link in any security chain is not irrelevant, but the whole system is really not perfectly trustless anyway.
Personally, I think this kind of "quiescent" knowledge, letting you differentiate the real chain from the fake chain on long enough timescales (which basically amounts to knowledge of a single hash, when you get right down to it), is perfectly reasonable to assume under realistic circumstances, for the same reason that synchronized time is not a remotely difficult problem on long enough timespans. The only problem lies in new nodes (that enter the system when there's not a quiescent state, and the longer chain is being withheld) being exposed to fake chains.
By using a VDF as mentioned below to make sure it takes just as long to construct a new chain as it took to construct the old one, one can ensure that as long as at the time the stakers held their keys (rather than for all time) a majority were trustworthy, then the probability that they were able to maintain a longer chain becomes vanishingly small. Therefore, nodes will be able to reliably choose the longer chain on reconnecting to the system. This trust model seems pretty realistic to me, and it's not like Bitcoin can handle the case of a continuous partition to begin with.
So this just reduces to "once a majority is not trustworthy, the chain can't be trusted anymore" which is the actual security tradeoff of PoW vs. PoS (PoW puts trust in hashpower rather than staked coins, so by definition it's immune to this sort of issue; if your private key is stolen you "only" lose your coins, not any voting power). I don't think this is news to anyone who's done much research into cryptocurrency.
this...sounds exactly like proof of work?
Indeed, you can probably fix plutocracy with some PoW.
It's 100% green, and based purely on sustainable renewable resources.
NFTHC: Burn Weed, Not Coal!
I did not find this post convincing especially as many proof of stake systems have been running consistently for years now and with significant transaction and economic volume.
As an example Tezos has decentralized apps such as liquidity pools, collateral based stablecoin systems, nft ecosystems, coin bridges to other networks such as Ethereum (two way) I use these smart contracts on a weekly basis and have done for a long time now.
Tezos manages several orders of magnitude more transaction throughput based on opcode count vs Bitcoin; transactions, even complex ones, cost pennies; the network has not been attacked, is worth billions, and Tezos energy usage is easily a million times less than Bitcoin.
The author appears to be saying that "any decentralized consensus via proof of stake system is vulnerable to timing attacks"
The counter-argument that "This here proof of stake system has not been successfully attacked ... that we know of ... yet" does not seem to be watertight.
The main reason proof of work works so effectively is that it deals in physics with the actual expenditure of electricity as the punishment system for failing to produce the correct desired outcome.
Abstracting this away again, we have reality itself to contend with. Evolutionarily we have evolved in respect to the dominance hierarchy (https://youtu.be/rUiG5_GcMyY), where effort itself is a necessary precursor to ascending the ranks and being fit to lead.
Not to get too metaphysical, but essentially it boils down to:
- Social Status is based on real world implications and not self derived from the perceived ranking itself, that is if it is to be most stable across time. Being labeled the boss is essentially useless long term unless you truthfully represent the ideal or most capable individual. (Michael Scott from the television series The Office is a funny example of this)
- PoS offers reliability for the system based on its election of stake amount in the system that favors inventors, early adopters, and pre ordained position holders where distribution was not derived from effort in the real world with non-reversible consequences (burning electricity)
- Instead the selection mechanism its own value structure which may or may not accurately assess competence for reliable trust in a domain where zero-trust is key to consensus.
- Outsourcing consensus to something mediated by the laws of physics is more stable across time, and is yet another abstraction upon competence taking it outside the realm of US Dollars for social proof, but also adding in the component of physical consequences towards the chain of proof.
I'm also thinking as I write this that it would be important to consider changes in the environment as useful to the selection pressures. Why purely basing it upon success (stake) at one point in time is non-useful as the rules of the game may change, or reputation lost or abused in a PoS system would not accurately reflect changes in the need for rotation of positions of voting authority.
eg. Anything like "proof of latency"?
Distributed consensus is the problem of getting a bunch of computers to agree on some state when some of the computers can behave maliciously. In the case of cryptocurrency, the state is a log of transactions, which when replayed tells you who owns what. There are well-known algorithms for distributed consensus, such as Paxos and Raft, that are used in real-world applications, e.g., the Chubby lock service.
Distributed consensus algorithms can be proven to reach consensus as long as at most a fixed percentage (e.g., 1/3) of the computers are behaving maliciously. This assumption is fine for applications like Chubby, where Google is running all 5 of the computers participating in the consensus, and no one can add additional computers. However, this assumption breaks down in the case of cryptocurrency, where anyone can spin up computers to participate. In fact, an adversary can effectively spin up an infinite number of computers. This form of attack is known as a sybil attack.
Proof-of-work and proof-of-stake add sybil-resistance to distributed consensus algorithms by requiring the adversary to commit a scarce resource in order to participate in the consensus process. In the case of proof-of-work, the scarce resource is computing power. For proof-of-stake, the resource is the currency secured by the system itself. This may seem a bit circular, but it's fine. In order to attack the system, the adversary would have to purchase or borrow a bunch of the currency on the open market, which has an economic cost. Proof-of-work permits the same attack, where the adversary buys or rents computing power instead.
From this perspective, the bitcoin consensus algorithm is in fact the odd one. Most distributed consensus algorithms (like Paxos and Raft) rely on some kind of voting system.
"Decentralized networks are a rare medium well-done."
For what it’s worth, this is how plenty of buildings are designed. Ignoring silly things like the inside not fitting in the outside, an architect may design the building and hand it off to a technical architect who works out how to make it stand up and has some back and forth with the architect modifying the design. At a later stage it goes to a structural engineer who will make sure that it really is likely to stand.
That, and the author has a wrong understanding of the Nothing at Stake problem. At the time, the argument was there was nothing stopping someone from staking on multiple forks to hedge their bet on the dominant chain, giving them nothing at stake on the forked branches since they get equal ownership on each chain.
Mind you, Nakamoto consensus is pretty awful and completely ignored these days. Why do you believe that nodes flagged for support of protocols and miners with dominant hashrate LOST the big block debate? Because of the nodes, and community consensus.
proof of work proves that not just one miner had sufficient hash power, but that the entire network had a certain aggregate hash power that was required to mine the block.
can't this be emulated by requiring all major stakers to sign the block? (so rather than one miner staking being enough, all the aggregate staked was required to mine the block)
the stickier issues are around maintaining the decentralized nature of pow mining and the random and decentralized election of who mines the next block. under pow, everybody does their own thing and when someone finds a block they are able to publish it without direct collaboration with other miners. the fact that the miner is chosen at random gives rise to all sorts of anti-censorship and anti-collusional properties.
proof of stake will have to emulate this, and possibly make a few targeted and carefully chosen compromises in order to emulate the decentralized nature of pow mining. it's not obvious how this will play out, but i don't think it's impossible and efforts to do so certainly aren't a "scam."
The article is also misleading in inferring that there is a very narrow range of ways to implement PoS; in reality, there are many ways and all of the 'drawbacks' mentioned only apply to certain (poorly designed) implementations which no modern PoS blockchain would ever use.
> What happens if you’re presented with two identical blocks, and have to decide which one to pick?
Easy, you can just have a vote on one of the blocks and choose the one with the majority votes; it can be chosen on the basis of any attribute of the block (e.g. commonly you can look at block IDs). This is what PoS blockchains like COSMOS do with the Tendermint protocol. Other blockchains like Lisk have a delayed voting so that consensus is reached after a certain number of blocks.
> The entire point of the consensus mechanism was to allow us to tell which transaction was first, without personally having seen it take place.
Anyone who understands distributed systems knows that the exact order of transactions (down to a few hundred milliseconds) cannot be physically determined due to latency between the nodes and the unpredictable geography of participants. This is as true for PoW as it is for PoS. The most important thing (for certain use cases such as DeFi) is that transactions cannot be predictably front-run; using block ID ordering with voting as the basis for selecting between two valid blocks guarantees this. If the forger tried to cheat the system by producing multiple blocks, the network may not be able to reach consensus on the block vote and the forger would not receive any block rewards.
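A toy model of the selection rule described in this answer, as an added example rather than Tendermint, Lisk or any real chain's code: validators pick the lowest block ID among the valid blocks they have seen at a height, votes are weighted by stake and need more than 2/3 of the total, and a proposer that produced two blocks at the same height is flagged so it earns no reward. Validator names, stake weights, the 2/3 quorum and the blocks are constructed assumptions.

```python
"""Block-ID ordering plus stake-weighted voting between competing blocks.

Added illustration; the quorum fraction, validators, stakes and blocks are
constructed and do not describe any particular network's parameters.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Block:
    height: int
    proposer: str
    parent_id: str
    txs: Tuple[str, ...]

    def block_id(self) -> str:
        # Content hash of the block; any deterministic attribute would do.
        payload = f"{self.height}|{self.proposer}|{self.parent_id}|{'|'.join(self.txs)}"
        return hashlib.sha256(payload.encode()).hexdigest()


QUORUM_NUM, QUORUM_DEN = 2, 3  # a block needs strictly more than 2/3 of total stake


def preferred(candidates: List[Block]) -> Block:
    """Deterministic pick among valid blocks at one height: the lowest block ID."""
    return min(candidates, key=lambda b: b.block_id())


def cast_votes(views: Dict[str, List[Block]]) -> Dict[str, str]:
    """Each validator votes for the preferred block among the blocks it has seen."""
    return {v: preferred(seen).block_id() for v, seen in views.items() if seen}


def decide(votes: Dict[str, str], stake: Dict[str, int]) -> Optional[str]:
    """Return the block ID that gathered a stake quorum, or None if no block did."""
    total = sum(stake.values())
    weight: Dict[str, int] = {}
    for validator, block_id in votes.items():
        weight[block_id] = weight.get(block_id, 0) + stake[validator]
    for block_id, w in weight.items():
        if w * QUORUM_DEN > QUORUM_NUM * total:
            return block_id
    return None


def equivocating_proposers(candidates: List[Block]) -> Set[str]:
    """Proposers that produced more than one distinct block at the same height."""
    seen: Dict[Tuple[str, int], Set[str]] = {}
    for b in candidates:
        seen.setdefault((b.proposer, b.height), set()).add(b.block_id())
    return {proposer for (proposer, _h), ids in seen.items() if len(ids) > 1}


STAKE = {"v1": 30, "v2": 30, "v3": 20, "v4": 20}  # constructed stake weights
PARENT = "00" * 32                                  # constructed parent block ID


def honest_round():
    """One proposer, one block: every validator sees it and the vote reaches quorum."""
    blk = Block(10, "v1", PARENT, ("tx-a", "tx-b"))
    views = {v: [blk] for v in STAKE}
    return decide(cast_votes(views), STAKE), equivocating_proposers([blk]), blk.block_id()


def equivocating_round():
    """Proposer v2 forges two blocks at height 10; half the stake saw only each one."""
    a = Block(10, "v2", PARENT, ("tx-a", "tx-b"))
    b = Block(10, "v2", PARENT, ("tx-a", "tx-c"))
    views = {"v1": [a], "v2": [a], "v3": [b], "v4": [b]}  # 60 vs 40 stake: no quorum
    return decide(cast_votes(views), STAKE), equivocating_proposers([a, b])


def equivocating_round_full_view():
    """Same two forged blocks, but every validator saw both before voting."""
    a = Block(10, "v2", PARENT, ("tx-a", "tx-b"))
    b = Block(10, "v2", PARENT, ("tx-a", "tx-c"))
    views = {v: [a, b] for v in STAKE}  # the ID rule makes everyone vote alike
    return decide(cast_votes(views), STAKE), preferred([a, b]).block_id()


if __name__ == "__main__":
    print("honest round decided:", honest_round()[0] is not None)
    print("split-view equivocation decided:", equivocating_round())
    print("full-view equivocation decided:", equivocating_round_full_view()[0] is not None)
```

The split-view round shows the failure mode the answer mentions (no quorum, so the round stalls), while the full-view round shows that the deterministic ID rule still converges; in both, the forger is flagged.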
This is not true. You will have scratched far fewer tickets on average than one million.
If you have one million tickets, one of them guaranteed to be a winner, you will on average scratch exactly half of them (500 000) before finding the winning ticket. If you have an infinite supply of tickets, each with a 0.000,001 chance of winning, the number becomes higher, but the number of tickets scratched on average is still lower than one million.
Finding an error regarding something I know makes me skeptical about the rest of the article.
If you have an effectively infinite stream of tickets and each have a 1 in X probability of winning, you will indeed go through X on average.
The actual truth is that PoS is infinitely safer than PoW in the short to medium term, while theoretically weaker in the long term. A long-term attack would require first buying obsolete signing keys, which would stop nodes that sync starting from the pre-fork point from syncing - ie. a denial of service attack. Which is a very weak threat, as online nodes wouldn't even notice it. A short to medium term attack would stop finalization for a while at an enormous cost of slashing. It's a denial of service attack because nodes would be able to see contradictory signing from the same keys - so while without out of band data they won't be able to decide which one is the commonly accepted chain, it's enough information to recognize that an attack is happening.
PoW is very weak in the short term to medium term because runtime cost of attack is equal to mining rewards + epsilon, which is negligible, meaning it's just a question of hardware. Contrary to PoS, mining hardware is an external resource - it's always possible to get enough of it, given enough money (single digit billions for bitcoin). Getting 2/3 stake of a long-running PoS system is impossible - it's a scarce internal resource and there isn't enough for sale.
Reverting years of blocks is indeed infeasible - but interestingly in practice it would also amount to a DoS attack, as everyone would notice it and pause all payments. Contrary to PoS, where it would only work on newly syncing nodes, it would stop everyone. However, while theoretically more expensive, it's still only a matter of money - while a long-run DoS attack against newly syncing nodes in PoS would require buying obsolete keys, which is very likely to be impossible in practice.
Is this even an advantage? I don't think so, but it's arguable. However, for this singular arguable point PoW pays with a 4 orders of magnitude higher cost and a much, much weaker short and medium term security.
Empirically, lower security of PoW is confirmed: multiple 51% attacks happened (most famously ETC), while even much weaker DPoS coins never had a successful double spend attempt.
In terms of public trust, not many people are able or even interested in technical arguments - they just observe if something works. In reality, consensus-level attacks are very rare as it's currently very hard to profit from them regardless of the consensus method, and the biggest danger is from software bugs in nodes, most likely unrelated to consensus.
If any PoW blockchain became a foundation of global commerce, attacking it would become very profitable, or even a military target - but that's never going to happen. So I don't expect bitcoin to get 51% attacked in any near future - at best years in the future when value of block rewards is so low one person with lots of old mining hardware can attack it just for fun.
It's actually suspected that happened during the blocksize wars when proponents of forks like Bitcoin Cash may have been spamming Bitcoin with transactions to feed their narrative that it is too expensive to use.
You'll eventually go bankrupt if you do this long enough.
This is actually another reason unlimited blocksizes that can allow for very low to no cost transactions are risky, and DDOS protection is likely why Satoshi added the 1MB limit in bitcoin to begin with.
https://beincrypto.com/polygon-raise-network-fees-spam-trans...
you either don't pay enough and are ignored or you pay enough and... great?
Seems miners have been driving the price down for years and a new proposal just was written to give them only 10%, and 80 to stakeholders.
IMO PoW for the bigger chains produce far too much waste & none of the supposed PoS attacks have materialized even though hundreds of millions are up for grabs
Proof of stake is analogous to Wall Street institutions and probably modelled after them.
To be fair, I'd love to hear him chime in on this discussion, and tell his side of the story, relate his exploits and prosecution as a viagra spammer, and finally answer all those unanswered questions people have asked him, to which he replied "Dodge Dodge".
Not that he's unique or special: POS shills like him are a dime a dozen. But he hangs out here and shills on HN, and has won awards for his deceptive scams (and also lost court cases too), and claims to "help people" on his web site, so I hope to hear from him again.
His real name is actually Richard J Schueler, under which he is famously known as the "Spam King", for being one of the first people in the world to be successfully sued for online spam, specifically the Viagra spam scheme that he ran from Panama (which he lost).
Richard Hart (aka "Spam King" Richard J Schueler) wins the "Golden Pump Award" for "Best New Scam" for his POS shitcoin Ponzi scheme "HEX":
https://twitter.com/JuanSGalt/status/1233242355995750400
https://www.youtube.com/watch?time_continue=857&v=tf-lJu5iDh...
Peacefire.org beats spammers in court.
https://www.zdnet.com/article/peacefire-org-beats-spammers-i...
>Free-speech group Peacefire.org wins a legal round in its fight against unsolicited e-mail, invoking Washington state's anti-spam law.
>The King County District Court in Bellevue, Wash., on Monday granted Peacefire $1,000 in damages in each of three complaints filed by Peacefire Webmaster Bennett Haselton. The small-claims suit alleged that Red Moss Media, Paulann Allison and Richard Schueler [who now operates under the pseudonym "Richard Hart"] sent unsolicited commercial messages to Haselton that bore deceptive information such as a forged return e-mail address or misleading subject line.
Confronting Richard Heart of HEX - SPAM KING and Crypto Scammer
https://www.cointelligence.com/content/confronting-richard-h...
>During ANON Summit 2020, I participated in a “fireside chat” with Richard Heart, founder of HEX. HEX is one of the most sophisticated, if not THE most sophisticated scams I have ever seen.
>Why was I so aggressive with Richard? I have a lot of experience fighting with scammers, at events, and in online discussions. I’m familiar with their bullshit techniques. Richard is the sort of “master debater” who will answer a question without actually answering the content of the question. I watched more than 6 hours of his previous talks and learned how to tell when he was trying to avoid a real answer.
>If you don't want to sit through hours of interviews yourself, this 4 minute video not only sheds light on Heart's motivation for establishing HEX, but also shows just how abrasive and crude he can be. This video was not created or edited by Cointelligence.
https://www.youtube.com/watch?v=_MIdlXHedlU
>I want to draw your attention to the quote in the video above: "What am I going to make more money doing? Promoting my token, that I own a whole ton of? Or promoting bitcoin, where I own one-one zillionth of the available supply?" He's clearly in this to make money for himself in any way possible. [...]
>When asked why HEX was not categorized as a security, at around the 21 minute mark, Richard offered an explanation that has no legal grounding. On the website, HEX claims that it is "The first high interest blockchain certificate of deposit." However, HEX has no legal authority to issue CDs. Richard is illegally claiming to provide CDs when in fact the instruments are nothing but glorified savings accounts.
More quotes: "What's up now, fggot? What are you going to do now, you little btch? Get the fuck out of here! That's the dumbest piece of shit I've ever seen in my fucking life. [...] Let me give you some more bullshit, ok?" -Richard Heart aka Richard J Schueler
Richard Heart - Spam, ICOs, and Death Threats
https://imnotdead.co.uk/blog/richard-heart
Richard James Schueler - Friggin Spam King
https://web.archive.org/web/20190416235350/http://www.panama...
Why HEX is a Ponzi and not a solid investment (Part 2): Richard Heart
https://www.reddit.com/r/CryptoCurrency/comments/kwhjxa/why_...
>During the interview at ANON, Richard confirmed that he was one of the first people in the world to be sued for online spam, back in 2002. This shows us Richard has experience abusing unregulated markets, as he is doing with crypto these days.
Richard: this an accurate quote of your own words?
>When I pressed the matter and asked for a simple “yes” or “no” as to whether he, as the FOUNDER of HEX, knows who benefits from the funds sent to the “Origin Address” he flat-out said “I’m dodging your question.” Dodging the question! He proceeds to repeat “Dodge, dodge.”
Richard, your tag-line "Do you want to develop my new cryptocurrency?" is the new "Do you want to develop an app?"
https://www.youtube.com/watch?v=jVy0JWX5XEY&ab_channel=Adult...
"Dodge, dodge." -Richard Heart aka Richard J Schueler
PoW miners tend to spend more and more resources on finding blocks, until the cost approaches the rewards. But the rewards go up as the cryptocurrency becomes more popular, because the price and transaction fees go up. Therefore, a PoW cryptocurrency tends to "eat the world" as it becomes bigger.
That's why Bitcoin is already approaching 1% of global electricity consumption, if it hasn't passed that point already. If the price were to go up tenfold, then so would electricity usage (roughly). That's not sustainable, both technically for grids and economically because electricity prices go up.
Because of that, I foresee two possible futures for PoW cryptocurrencies:
1. The resource usage overshoots and PoW collapses because it gets banned everywhere. (This seems to be playing out now with China having banned crypto mining, Kazakhstan running into grid issues because of the miner influx, and Sweden arguing for a ban in the EU.)
2. The popularity of these currencies stops growing and only some niche applications remain. Speculators leave because there's no more money to be made. Prices go down.
The bitcoin reward also halves every 4 years, so even if the price continues to appreciate, the effect is evened out by the fact that less is created every block over time.
Lastly, bitcoin mining could be sustained solely by using stranded energy, which would otherwise be unused. Flared gas in Texas, for instance, could provide more power than the network currently uses. There is no reason bitcoin mining has to take power from anyone, and it will trend this way over time because the economics are in favor of finding the cheapest power source.
Hasn't that happened already a number of times? If everyone was still aboard the Bitcoin bandwagon, it would have stopped being profitable long ago; however you have plenty of other bandwagons to jump into. They are all technically practically interchangeable.
I assume this is also the reason PoS will never work. People will just stay with PoW until really forced to, and if forced it's highly likely they will just jump into another PoW bandwagon. Guess this is part of the resistance seen with Ethereum. The alternative is to find a PoS schema which is even more lucrative for speculators (possibly what the article is describing), and then everyone will jump into that bandwagon en masse, but it will not have fixed anything.
And this is the reason why I cannot take any climate change conversation seriously unless it includes the topic of cryptocurrencies.
Whatever the promises of cryptocurrencies were, now most (all?) have degenerated into a mechanism for speculation, and effectively into a self-sustaining and self-promoting mechanism for transferring wealth from the poor to the rich. And, unfortunately, with the side effect of consuming vast amounts of energy.
3. cryptocurrencies stop the Austrian economics fetishism and index the coin reward to the mining difficulty. That means getting rid of the fixed coin supply.
That would stabilize the price of the token a lot (since the price going up would increase the mining appeal, thus expanding the money supply, driving the price down) and also make it much more usable as a means of payment (the number of tokens in circulation would grow in parallel with the growth in users).
Obviously it's not gonna happen, because those people have spent a decade convincing themselves that deflation is good and fixed money supply is the righteous way to manage a currency.
It’s actually the opposite since the block reward goes down over time
Why miners? Because their main source of income is not the transaction fee, but basecoin, the guaranteed bitcoin payout for each mined block.
Due to Bitcoin being such a huge amount of money, unethical players do anything to lure people in, including MLM-style marketing, artificially inflating volume traded, and overplaying coin stats (like market cap). Then there's also media / influencers who, without second thought, introduce inexperienced people to investing in high-volatility assets.
Bitcoin difficulty adjusts dynamically with available hashpower; in other words, if miners started to shut down, the network would lower its difficulty to keep block times stable.
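The two mechanisms the thread keeps returning to (the subsidy halving every 210,000 blocks and the difficulty retarget every 2016 blocks) are small enough to model directly. The following is an added illustration, not Bitcoin Core's code and not from any commenter: the protocol constants (210,000-block halving, 2016-block window, 600-second target, 4x clamp) are the real ones, while the hashrate scenario in `demo_miner_exodus` is constructed to show what happens when half the miners leave and then return.

```python
"""Block subsidy halving and difficulty retargeting, in miniature.

Added example, not Bitcoin Core's code. Protocol constants are real; the
hashrate scenario in demo_miner_exodus() is constructed for illustration.
"""

BLOCKS_PER_HALVING = 210_000
INITIAL_SUBSIDY_SATS = 50 * 100_000_000       # 50 BTC expressed in satoshis
RETARGET_INTERVAL = 2016
TARGET_BLOCK_SECONDS = 600
RETARGET_WINDOW_SECONDS = RETARGET_INTERVAL * TARGET_BLOCK_SECONDS  # two weeks
MAX_ADJUST = 4.0                               # one retarget moves difficulty at most 4x
HASHES_PER_DIFFICULTY_UNIT = 2 ** 32           # expected hashes per block at difficulty 1


def block_subsidy_sats(height: int) -> int:
    """Subsidy at `height`: halves every 210,000 blocks, zero after 64 halvings."""
    halvings = height // BLOCKS_PER_HALVING
    if halvings >= 64:
        return 0
    return INITIAL_SUBSIDY_SATS >> halvings


def retarget(old_difficulty: float, actual_window_seconds: float) -> float:
    """Difficulty for the next window given how long the last one took.

    Faster than two weeks raises difficulty, slower lowers it. The measured
    time is clamped to [window/4, window*4] first, which bounds the move to 4x.
    """
    lo = RETARGET_WINDOW_SECONDS / MAX_ADJUST
    hi = RETARGET_WINDOW_SECONDS * MAX_ADJUST
    clamped = min(max(actual_window_seconds, lo), hi)
    return old_difficulty * RETARGET_WINDOW_SECONDS / clamped


def expected_block_seconds(difficulty: float, network_hashrate: float) -> float:
    """Mean block interval for a difficulty and a network hashrate (hashes/s)."""
    return difficulty * HASHES_PER_DIFFICULTY_UNIT / network_hashrate


def simulate_epochs(initial_difficulty: float,
                    hashrate_per_epoch: list[float]) -> list[tuple[float, float]]:
    """Walk through retarget windows, each with a fixed network hashrate.

    Returns (difficulty in force, mean block seconds) per window; the
    difficulty used in window i is the one computed at the end of window i-1.
    """
    difficulty = initial_difficulty
    out = []
    for hashrate in hashrate_per_epoch:
        block_seconds = expected_block_seconds(difficulty, hashrate)
        out.append((difficulty, block_seconds))
        difficulty = retarget(difficulty, block_seconds * RETARGET_INTERVAL)
    return out


def demo_miner_exodus() -> list[tuple[float, float]]:
    """Constructed scenario: hashrate halves for two windows, then recovers.

    Blocks slow to ~20 minutes for one window, the retarget restores ~10
    minutes, and when hashrate returns blocks briefly run at ~5 minutes
    until the next retarget catches up.
    """
    base = 2.0 ** 32            # with this hashrate, difficulty 600 gives 600 s blocks
    return simulate_epochs(600.0, [base, base / 2, base / 2, base])


if __name__ == "__main__":
    for i, (d, s) in enumerate(demo_miner_exodus()):
        print(f"window {i}: difficulty={d:.0f} mean block={s:.0f}s")
    for h in (0, 210_000, 630_000):
        print(f"height {h}: subsidy {block_subsidy_sats(h) / 1e8} BTC")
```

The point of the scenario is the one made in the comment above: miners leaving slows blocks for at most one window, after which the retarget (bounded to 4x per step) brings the interval back toward ten minutes, so the chain keeps producing blocks at any positive hashrate.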
The chain will not collapse because someone somewhere will always keep it going.
Are Google and Facebook eating the world? They are processing petabytes of data on a daily basis and every year there is more data and information being shared on the internet. Moore's law is our friend because as long as we have better chips more data can be processed and analyzed.
Bitcoin's PoW is based on economics and game theory, meaning if people do not find Bitcoin useful they will stop processing transactions, or in reality they will stop investing and spending computation power and electricity.
The cause and effect is the other way around. Popularity of the cryptocurrency causes popularity of mining (the price goes up so mining is more profitable and more mining can happen).
Europe is a museum. China would have to open its capital account, and that’s not going to happen.
The answer is obvious by now.
You didn't take into account, that:
- Bitcoin price growth won't continue forever; it'll find a stable price
- Mining rewards halve every 4 years
Therefore, it seems that the heat demand of humans can run the Bitcoin network securely, even without block rewards. It won't "eat the world", but find a beautiful balance. A carbon tax would effectively and immediately steer this search away from using fossil fuels for generation.
People who clutch their pearls over PoW are unwitting Malthusians lacking an appreciation for E=mc^2.
Where are all your posts pointedly taking apart the system you are surely heavily invested in?
You’re part of the problem by being part of human society. Collective economic inaction must be part of the solution.
Producing less superfluous junk at scale must be part of the solution. That means our individual narratives around value stores must change; traditional banking scales even worse than Bitcoin.
2. Bitcoin will decentralize more as the miners move where electricity is cheaper and thus will cover the geography of the whole world: hydro, thermal, solar, wind, etc.
3. Bitcoin can be the main chain and all side chains can roll up and commit.
4. The BTC uses will be huge and there will be no dearth of transaction fees.
The strongest point here is the strawman presentation of the altered security model that PoS can be proven to form consensus under. Reading the source he cites is far more informative: https://blog.ethereum.org/2014/11/25/proof-stake-learned-lov...
The majority of the article frames distributed consensus mechanisms in an extremely sophomoric understanding of asset value and the PoW security model. All of these topics (including valid ETH criticisms) are discussed in much better ways in many other places.
This is one of those sentences that reads like it is saying a lot but might actually be nonsensical. Care to elaborate on this? i.e. how exactly does the article 'frames distributed consensus mechanisms in an understanding of asset value'.
I read the article and I didn't see anything about asset value (whatever that is). As far as I can tell they point out that the article you cited pretty much agrees with what they're saying (about PoS by itself not being self-certifiable or irreversible) but disagree with the position that this can be acceptable in the real world. Whether you agree with that is subjective but the main criticism in the article seems to be directed at those who are selling PoS as a sufficient distributed consensus algorithm to replace PoW. There are blockchain projects raising literally billions of dollars on this false guarantee so it is valid to criticize them.
I spent a lot of time talking about this topic with people. The article does have a point, that the security model of proof of stake is fundamentally different and relies on a key assumption (from the article you linked):
> any new node coming onto the network with no knowledge except... the set of all blocks and other "important" messages that have been published...
This is referenced in the OP as a point of security failure. The assumption is that we can rely on social interactions between nodes and that that is good enough. The criticism is that a new node can have no way of definitively knowing that their copy of the chain is the widely used canonical chain. An eclipse attack can occur, or as the OP stated new nodes may need to rely on authoritative sources to get current state which puts centralized power centers in the security model.
It is not a deal breaker (IMO), remember, PoW relies on the security assumption that it is prohibitively difficult for more than half the network to collude. I'd argue these assumptions are equally tenuous. I think as long as disparate, non-colluding sources of the canonical chain are available (arguable if this is foregone, seeing as we need PoW to ensure consensus and resistance to collusion, probably not, but all it takes is one person to not collude and contention exists) it wouldn't be a problem.
Another big sticking point is the fact that no external resources must be invested, and/or that there is no ongoing cost. I find this to be the big problem with PoS schemes, I've had quite a number of discussions focused on these two particular issues (stemming from the same fundamental difference, that an internal capital stake is made) and I see benefits of not having ongoing cost and benefits of having it, and also of having a fully self contained system as well as having a system grounded in the outside world. All in all I have come to the conclusion that these differences make neither better nor worse, but that they are simply two completely different game theoretical environments with different security and incentive properties.
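The "new node" problem in the comment above can be made concrete: under PoW a node syncing from scratch ranks competing histories by a quantity it recomputes itself, while under PoS the protocol's own rules cannot rank two internally consistent histories, so the node has to bring a trusted checkpoint from outside the protocol. The following is an added example, not from any commenter and not any real client: the block format, the 'leading zero bits' work rule, the validator-set rule (signatures elided), and the two constructed chain pairs are simplifications for illustration.

```python
"""Chain selection for a node syncing from scratch: PoW versus PoS.

Added example; block format, work rule and validator rule are constructed
simplifications, not any real protocol's.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

GENESIS_PARENT = "0" * 64


@dataclass(frozen=True)
class Block:
    height: int
    parent: str
    bits: int        # PoW: required leading zero bits of the hash (0 for PoS blocks)
    producer: str    # PoW: miner label; PoS: stake holder who produced the block
    nonce: int = 0

    def hash(self) -> str:
        data = f"{self.height}|{self.parent}|{self.bits}|{self.producer}|{self.nonce}"
        return hashlib.sha256(data.encode()).hexdigest()


def meets_target(block: Block) -> bool:
    """Hash must start with `bits` zero bits: about 2**bits hashes of effort."""
    return int(block.hash(), 16) >> (256 - block.bits) == 0


def mine(parent: str, height: int, bits: int, miner: str) -> Block:
    """Brute-force a nonce; this effort is what a PoW history embodies."""
    nonce = 0
    while True:
        candidate = Block(height, parent, bits, miner, nonce)
        if meets_target(candidate):
            return candidate
        nonce += 1


def linked(chain: list[Block]) -> bool:
    """Heights are consecutive from 0 and every block references its parent's hash."""
    prev = GENESIS_PARENT
    for i, b in enumerate(chain):
        if b.height != i or b.parent != prev:
            return False
        prev = b.hash()
    return True


def pow_chain_valid(chain: list[Block]) -> bool:
    return linked(chain) and all(meets_target(b) for b in chain)


def cumulative_work(chain: list[Block]) -> int:
    return sum(2 ** b.bits for b in chain)


def choose_pow(chains: list[list[Block]]) -> Optional[list[Block]]:
    """Heaviest valid chain; needs nothing beyond the chains themselves."""
    valid = [c for c in chains if pow_chain_valid(c)]
    return max(valid, key=cumulative_work) if valid else None


def pos_chain_valid(chain: list[Block], validators: set[str]) -> bool:
    """Every block comes from a member of the stake set (signatures elided)."""
    return linked(chain) and all(b.producer in validators for b in chain)


def choose_pos(chains: list[list[Block]], validators: set[str],
               checkpoint: Optional[str]) -> Optional[list[Block]]:
    """Unique valid chain containing the trusted `checkpoint` hash, else None.

    Without a checkpoint the node can only pick if exactly one history is
    valid; two valid histories are indistinguishable to it (weak subjectivity).
    """
    valid = [c for c in chains if pos_chain_valid(c, validators)]
    if checkpoint is None:
        return valid[0] if len(valid) == 1 else None
    matching = [c for c in valid if any(b.hash() == checkpoint for b in c)]
    return matching[0] if len(matching) == 1 else None


def build_pow_chain(producer: str, length: int, bits: int = 10) -> list[Block]:
    chain, parent = [], GENESIS_PARENT
    for h in range(length):
        b = mine(parent, h, bits, producer)
        chain.append(b)
        parent = b.hash()
    return chain


def build_pos_chain(producers: list[str]) -> list[Block]:
    chain, parent = [], GENESIS_PARENT
    for h, p in enumerate(producers):
        b = Block(h, parent, 0, p)
        chain.append(b)
        parent = b.hash()
    return chain


def run_demo() -> dict:
    """Constructed chains: a fresh node sees two histories under each model."""
    honest_pow = build_pow_chain("honest", 4)
    rival_pow = build_pow_chain("rival", 2)          # less work: ignored by the newcomer
    validators = {"alice", "bob"}
    honest_pos = build_pos_chain(["alice", "bob", "alice"])
    rival_pos = build_pos_chain(["bob", "alice", "bob", "alice"])  # same stake set, also valid
    checkpoint = honest_pos[-1].hash()               # obtained out of band (trusted source)
    with_cp = choose_pos([honest_pos, rival_pos], validators, checkpoint)
    return {
        "pow_pick": choose_pow([honest_pow, rival_pow])[0].producer,
        "pos_no_checkpoint": choose_pos([honest_pos, rival_pos], validators, None),
        "pos_with_checkpoint": with_cp[0].producer if with_cp else None,
    }


if __name__ == "__main__":
    print(run_demo())
```

The PoW node needs no input beyond the block data; the PoS node returns `None` until it is handed a checkpoint, which is exactly the "authoritative sources" dependency the comment points at, and the place where a checkpoint distributor becomes part of the trust model.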
To be honest, I don't understand why it hasn't been banned already.
Sweden has recently called for an EU-wide ban because it identified PoW mining as a threat to the transition of their economy to renewable energy.
https://www.fi.se/en/published/presentations/2021/crypto-ass...
Or maybe you could just let people do what they like with the electricity they paid for
We can actually start with 1 question: If electricity demand from PoW mining spurs new renewable plants to be built, is that bad for the environment?
I (and many electricity companies) actually think PoW mining is good for the grid/renewable adoption in the long term. Let me explain why:
Some indisputable facts to get us started:
1. Most renewable electricity has unpredictable supply
2. Introducing marginal capacity of the same type gives diminishing returns. E.g., you're producing more during high supply times where the electricity rate is low. During lower production periods all of the same type of renewable will be producing less, so you can't even take advantage of the higher rates.
3. Rational bitcoin miners will turn off their machines when cost of power is greater than marginal return.
As a result, PoW mining will help the economics of building new wind/solar plants. E.g., currently it may not be profitable to build a new wind plant because base load is too low and the excess power generated would need to be sold off at 0 or even negative prices. However, if bitcoin mining could be turned on during these times and off during periods of high demand, there would need to be fewer peaker plants in operation and it would positively affect the economics of opening a new wind plant.
Bitcoin mining only cares about the cost of electricity at a given time, it is not like most other electricity demands that are very time based. With the large variance of electricity generation by renewables, I think bitcoin can in the future help smooth demand according to the real supply/demand curve.
It's kind of like a different implementation of the Tesla utility grid batteries. Instead of deploying batteries, you force the grid to build more renewable capacity (that the miners are paying for) that miners use except in peak periods, where you turn off and effectively provide the grid with more power.
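Point 3 above (a rational miner switches off when the power price exceeds marginal return) is a simple rule, and the rest of the argument follows from running it against an hourly tariff. The block below is an added illustration, not from the commenter: revenue per hour is the miner's share of network hashrate times the expected block payout, the rig runs only when that beats the hour's power cost, and all figures (rig size, network hashrate, BTC price, the six-hour tariff series with one negative-price hour standing in for surplus renewable output) are constructed.

```python
"""A price-taking miner's curtailment decision, hour by hour.

Added example; every number in demo() is constructed for illustration.
"""
from dataclasses import dataclass

BLOCKS_PER_HOUR = 6.0   # 10-minute target interval


@dataclass(frozen=True)
class Miner:
    hashrate_ths: float            # this rig, TH/s
    power_kw: float                # draw at full load
    network_hashrate_ths: float    # whole network, TH/s
    btc_payout_per_block: float    # subsidy plus average fees, BTC
    btc_price_usd: float

    def revenue_per_hour_usd(self) -> float:
        """Expected payout: hashrate share times blocks per hour times block value."""
        share = self.hashrate_ths / self.network_hashrate_ths
        return share * BLOCKS_PER_HOUR * self.btc_payout_per_block * self.btc_price_usd

    def breakeven_usd_per_kwh(self) -> float:
        """Tariff above which an hour of running loses money."""
        return self.revenue_per_hour_usd() / self.power_kw

    def should_run(self, usd_per_kwh: float) -> bool:
        """Run only while marginal revenue strictly exceeds marginal power cost."""
        return self.revenue_per_hour_usd() > self.power_kw * usd_per_kwh


def schedule(miner: Miner, hourly_tariff: list[float]) -> dict:
    """Apply the rule to each hour; report the on/off pattern and net result."""
    on = [miner.should_run(p) for p in hourly_tariff]
    hours_on = sum(on)
    revenue = hours_on * miner.revenue_per_hour_usd()
    cost = sum(miner.power_kw * p for p, run in zip(hourly_tariff, on) if run)
    return {
        "on": on,
        "hours_on": hours_on,
        "hours_curtailed": len(on) - hours_on,
        "net_usd": revenue - cost,
    }


def demo() -> dict:
    # Constructed figures: a 100 TH/s, 3 kW rig on a 200 EH/s network, 6.25 BTC
    # per block at $40,000, over six hours of a volatile tariff (USD/kWh). The
    # -0.01 hour models the grid paying to absorb surplus generation.
    miner = Miner(100.0, 3.0, 200_000_000.0, 6.25, 40_000.0)
    tariff = [0.05, 0.10, 0.30, -0.01, 0.40, 0.20]
    return {"breakeven": miner.breakeven_usd_per_kwh(), **schedule(miner, tariff)}


if __name__ == "__main__":
    print(demo())
```

With these figures the rig earns about $0.75 per hour, so it runs at any tariff below $0.25/kWh and drops off the grid in the two expensive hours; the negative-price hour is the one the comment's "turn on during low demand" case is about.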
1. For all consensus systems, at least a vast majority will rely on PFC for base consensus since they will not personally audit the client software they download, and thus will rely on PFC to determine which software distribution channel to trust to download the client software from. In other words, there is in practice no pure PFC-free consensus protocol, to be taking such a hard stance on Proof of Stake for its reliance on it.
2. The Schelling Point PFC in Proof of Stake will always be the real order of transactions, and therefore PFC will be highly reliable. Cases like Bitcoin's block size hard limit dispute, and Ethereum's DAO hack rollback dispute, dealt with something other than the order of transactions, and in both cases the dispute was severe enough to lead to a hard fork - which jettisoning PFC can't protect against - regardless.