The most important part of this post doesn't even have anything to do with cryptocurrency:
> If the broad masses of people disagree with the platform landlord, their opinion will be altered to conform with the rules, or else they will no longer have a voice.
Something about means of production and who owns it. This is most obvious on social media. The people participating on the platform do not get to decide the rules for how it operates. Which is a little ironic given that most people on social media are ostensibly in favor of democracy.
It’s already fixed to some extent. On Reddit, you make a new subreddit of your own. On GitHub, you fork. The problem is that some projects are too big to effectively fork (or forking would over leverage the community) or people are lazy and don’t want to do the forking themselves despite accurately identifying the presence of a problem.
I genuinely don't understand the fear generated by the youtube-dl storm in a teacup. It's a great example of the system working: someone thought they had a DMCA case so they filed a takedown, the takedown temporarily removed the content, then after a review the content was put back up.
This is just evidence that this particular slope isn't as slippery as some thought.
The repo is back up, but the project is dead. I suspect the developers got nasty letters from lawyers behind the scenes. I believe yt-dlp is the future of this project, but it's presently lesser known than youtube-dl so the lawyers got what they wanted in the end.
Copyright should just be a contract between seller and buyer.
You promise not to redistribute this.
If you didn't buy something, you have no contract with the seller and you can be free to download whatever you want or build whatever software or service you want.
The onus of finding who is the buyer breaking the contract and dragging them to court is on the seller.
We shouldn't have things like DMCA which allow you to censor anything tangentially related or being able to scare people off, but that's what you get when you have a corrupted government that does the bidding of Big Business.
Similarly, patents shouldn't be a thing.
You came up with something, you already have first mover advantage.
If someone comes along and does the same thing better, too bad, they were better than you.
If you have a manufacturing secret, protect it with contracts and sue for damage if they get broken.
This is effectively saying we just shouldn't have copyright.
Person A buys a movie and agrees to not distribute it, but goes ahead and does it anyway to Person B. Person B hosts it for everyone, and Persons C through Z get it and also host it. You're suggesting Person A is liable, but the cat's out of the bag and Persons B through Z can continue redistributing it forever because they never agreed to anything.
If this is the desired goal, you don't need copyright at all, you can already get Person A on violating Terms of Service or whatever.
So you can sit around in your new subreddit with enough subscribers that you can count them on your fingers, posting freely, while /r/politics (or wherever) has a subscriber base measured in millions.
Reminds me a bit of the "free speech zones". It's a poor facsimile of true freedom of speech.
Seeing as the new public squares are, by and large, digital spaces controlled by megacorps, we need to expand the first amendment to apply to private enterprise.
Freedom of speech is not the same thing as requirement that others listen. If someone has no audience, with all the platforms that are available, it's not because they're being censored. It's because nobody cares what they have to say.
It's not that nobody wants to listen. There are plenty of people who want to listen, but the megacorps refuse to let the talkers and listeners connect.
This is not what is happening on these platforms. r/thedonald had millions of subscribers and not a single one was forced to listen. Then it was banned by reddit for thoughtcrime.
You could have brought up hard left subreddits getting banned too. Like Chapo. So it doesn’t seem like only the right is persecuted/appearing to continue the trope of how the right are such victims.
> So you can sit around in your new subreddit with enough subscribers that you can count them on your fingers, posting freely, while /r/politics (or wherever) has a subscriber base measured in millions.
And if by some chance your subreddit manages to become popular, the admins and power mods will conspire to take it from you. Reddit sucks.
There's something akin to a law of nature at work on Reddit that goes something like this: Any sub-reddit (or it's topic-at-hand) that garners any national attention in the political sphere will become an echo chamber full of corporate shills unless there is constant and public vigilance to guard against it, and even then the sub's chances for surviving to fulfill its original mission is grim. I f'ing hate what Reddit has become.
Freedom of speech is exactly how you get r/politics, private propaganda syndicates, and qanonsense screaming loud enough that it drowns out everything else.
"More" of it isn't going to make any of those things go away.
"Freedom of speech" isn't a guarantee that your prefered brand of rational discourse is going to have an audience of millions. If anything, it's a guarantee that it won't, because someone with a self-serving profit motive is far more incentivized to shout over you.
Freedom of speech does not entitle you to broadcast to anyone else's audience.
The first amendment of the US constitution does apply to private enterprise.
This is why Congress cannot make a law that limits private enterprises' editing of third party content on the platforms they own.
What you are arguing for requires either an amendment to the constitution or nationalization of those private enterprises.
Proof of work has always had an economic flaw that you could theoretically temporarily rent enough mining power to perform double spends of more value than the cost of renting those devices.
But this attack has never been performed because the reality of all these cryptocurrencies is that the security depends only relatively weakly on proof of work. Instead it relies on trust between the main stakeholders: miners, big nodes and developers. This is just like any other human organisation. That trust is only reinforced by proof of work, making it easier for new parties to become trusted.
To execute a double spend, you the one sending the transaction and the miner must coordinate.
For large transactions, it is recommended to wait for six confirmations. (six blocks that agree with the transaction and have not been 51%ed.)
The 1 hour 51% cost of Bitcoin is 1.9m$. However, you would need much more time than that to find six consecutive blocks alone, without the help of the network. So, while the network is 6 blocks ahead, you need to find 7 blocks. The network moves forward a block, you must move forward more than one block to catch up. This could take a long time, and longer the more confirmations required- each confirmation makes each previous transaction exponentially more secure. Simply controlling the mining power momentarily only puts recent transactions vulnerable.
However, that much hardware is available for rent-see “Nicehashable.”
I don't see how more confirmations makes it exponenrially harder to mount a 51% attack: you just need to be mining faster privately than the remaining community until you (a) have a lead, and (b) have maintained that lead for the confirmation window.
There's luck involved too. In the limiting case, imagine you have 0.001% of the network hash rate and need a 1 block lead. This can happen every now and then, but getting a 2 block lead is basically impossible.
According to that formula, in a 51% attack, probability of success = 1 (since 51% attack means you are more likely to find a hash than all others combined), right?
Renting out equipment for miners is dangerous, as an attack on the network can wipe out all their sunk costs. Bitcoin miner farms are very strongly incentivized to be aligned with the long term health of the system, so they try to play nice close to the ethos of Bitcoin (they learned enough from the blocksize wars that they can get burned if they go against Bitcoin)
An attack on bitcoin might have other motivations. For instance, a powerful government might attack bitcoin specifically to undermine bitcoin's credibility and utility.
I was talking about motivations for renting out, not attacking. A goverment would just take over the miners with violence probably if it wanted to attack the system.
If a halving forces a bunch of miners off the market (because their expected revenue drops below operating cost), there could be a huge glut of hardware flooding the market that is not profitable for honest mining but allows a bad actor to temporarily accumulate hashrate.
Bitcoin's price goes up faster than the effect of the halving (16x vs 0.5x every 4 years), and with the current chip shortage and slowdown of improvements miners generally plan for 4 years, but old, inefficient miners with low utilization can become an attack vector.
This attack has happened, at least twice to ETC and many others.
Proof of work networks with the same hash algorithm are a threat to one another, particularly, if a network exists that is profitable enough to have exorbitant resources dedicated to mining, those resources are available to attack a much smaller network if that becomes more profitable for some period than just continuing to mine the bigger one.
Proof of work then only protects the largest projects using unique hash algorithms.
> Proof of work has always had an economic flaw that you could theoretically temporarily rent enough mining power to perform double spends of more value than the cost of renting those devices.
It’s not a flaw if it’s only theoretical. In practice, no miner with billions of dollars of capital bound in mining hardware would rent it out to someone who might do something that would significantly depreciate this capital (e.g. attack the Bitcoin network).
PoW systems rely on the "phone a friend method" as well. When you download a Bitcoin client from a "friend", you are trusting them to honestly introduce you to the network. If you fall asleep for a period of years, you have to trust your friends to honestly inform you of all of the PoW forks and policy changes that have occurred over that interval. The only difference is that PoS blockchain clients must be bundled with a modestly-recent block hash along with the thousands of lines of code that you have no practical way to audit.
The problem eventually reduces to Ken Thompson's "Trusting Trust" [1] problem. There's no way to externally validate the honesty of any system (cryptocurrency, or otherwise).
The difference in Proof of Stake is a lawsuit could force the distributor of the software to change the hash to one where coins weren’t stolen. As most developers are not pseudonymous, this poses a threat to the honesty of the system.
You mention “POW forks”, but Bitcoin’s POW has never been hard forked: you’d need to trust a Bitcoin expert to tell you if it was a good idea.
> The difference in Proof of Stake is a lawsuit could force the distributor of the software to change the hash to one where coins weren’t stolen.
In Proof of Work, a lawsuit could force the distributor of the software to hard-code a transaction that reverses the coin theft. But in both the PoS case and the PoW case, anyone using that client would be partitioned off from the honest network majority.
> You mention “POW forks”, but Bitcoin’s POW has never been hard forked: you’d need to trust a Bitcoin expert to tell you if it was a good idea.
Bitcoin's PoW forked in 2013, when a database upgrade to the software made it incompatible between two recent versions. The Bitcoin developers had to jump in and tell people which PoW fork to follow and which one to abandon.
> The difference in Proof of Stake is a lawsuit could force the distributor of the software to change the hash to one where coins weren’t stolen.
And with proof of work a lawsuit could force the distributor to change the consensus rule so that a particular transaction is invalid - just as Ethereum did voluntarily with the original DAO.
> You mention “POW forks”, but Bitcoin’s POW has never been hard forked
Instead it’s been soft forked, which turns the consensus rules into a popularity contest. If a soft fork produces two competing branches of the blockchain, old clients will go with whichever branch has more mining power. Which means you open yourself up to interesting attacks like convincing 51% to literally steal the funds of the other 49% (which is much worse than a mere double spend). Or, more realistically, in the case of a contentious soft fork that ends up roughly fifty-fifty, you could ‘just’ end up on a different side of the fork from the people you want to transact with. Either way, soft forks don’t make the downsides of policy changes go away.
Changing consensus rules requires coordinating a fork. This requires coordinating developers, miners and node operators. That may fly in pseudo decentralised chains where the community accepts whatever the leader says so, and even so, at high risk. In bitcoin, for instance, where there is no leader, this would never be a viable scenario.
Soft forks don't force you to download and run new clients just to be able to use the network, which is an important difference. You can use your existing client, you just don't have the new features and don't run validations on them.
The greatest risk on soft forks is that chain split you mention. That's why any reasonable soft fork deployment requires a long time window with a large majority of hashrate signaling support (like 95%).
Changing a PoS checkpoint would also require coordinating a fork. Even if a dev team were forced to make the change, they couldn't make everyone go along with it.
Is the threat of long range attacks in PoS any worse than PoW in practice?
Bitcoin for example still relies on a list of hardcoded nodes for bootstrapping clients. Not to mention very few people actually bother to verify the full chain (360GB and counting) from genesis.
As for auditing the the integrity of the code or binary, it is signed by GPG keys hosted on public key servers accessed using X509 certificates pinned by a a couple of trust anchors preloaded in your OS. So much for distributed consensus...
The Bitcoin Core client includes a hardcoded list of DNS servers that point to thousands of nodes. These lists get updated frequently by different people. Other clients may use other lists. What is the threat model you're suggesting here, exactly? Do you know any other way to bootstrap a peer to peer network without centralised authorities?
All network participants are forced to verify the full chain from genesis. Some might be OK with validating block header signatures only, and not the full transaction set. It's a tradeoff.
You don't need to use those public key servers if you somehow distrust the CA certificates in your OS. Feel free to contact the repository maintainers or whatever else floats your boat.
Anyway, bitcoin is an open source protocol, not a particular client implementation. If you distrust everything and everyone, no one can stop you from building your own client that works with the rest of the network.
> Do you know any other way to bootstrap a peer to peer network without centralised authorities?
I’m not the parent, but – no, I don’t. But that’s exactly the point. The need to bootstrap from centralized authorities is what’s supposedly so bad about weak subjectivity in proof-of-stake. Yet in practice, it’s needed with proof-of-work as well.
Hi Nick, very well said and this is precisely my point as well.
Satoshi tried to convince us that we could decentralise trust by doing honest work instead of relying on authority. It turns out that doing work is actually pretty hard, people are lazy, and security is still the nemesis of efficiency.
Maybe I didn't word it right, but I wasn't calling bitcoin's method reliant on centralised authorities, just asking if there were more methods out there that weren't as well.
Bitcoin is an open source permissionless protocol, so you have multiple clients to chose from, each with their own list of bootstrapping nodes, many open source where you can submit a PR to add your node too. You can even build your own client and point to whatever you want. You can also just ignore them and just point directly to nodes in a list from a public forum, a private chat, whatever.
Also, you're not just connected to those bootstrapping nodes: you use them to find the rest of the peers in the network.
It seems that PoW is like recursion. You don't get it at all until you completely get it. It's a leap to understand it and somehow many very technical people don't understand a seemingly simple protocol even a decade after it became mainstream and is threatening national banks due to the very characteristics these people claim it doesn't have.
> Bitcoin is an open source permissionless protocol, so you have multiple clients to chose from, each with their own list of bootstrapping nodes, many open source where you can submit a PR to add your node too. You can even build your own client and point to whatever you want. You can also just ignore them and just point directly to nodes in a list from a public forum, a private chat, whatever.
I characterized this as relying on centralized authorities (albeit several of them), but sure, it can also be considered decentralized to some extent.
The point is that it's a mechanism outside of the proof-of-work network itself. Instead of relying on a machine to reach consensus via a formal protocol, you the human are probing for a social consensus by evaluating statements made by other humans (via GitHub, public forums, or private chats, or just talking to people in person).
In both proof-of-work and proof-of-stake, you need to find social consensus in order to initially obtain the software, after which point you can rely on the network's consensus.
The difference with proof-of-stake is that you have to redo this if you disconnect from the network for months on end.
In practice, for a variety of reasons, practically all users of cryptocurrencies download regular software updates, and thus continue to rely on social consensus, regardless of whether the currency is proof-of-work or proof-of-stake.
I want to take a moment to note what you're doing here. You're making a negative argument, in want of a better word. It goes something like this:
1. X is a problem?
2. But Y is also a problem, in my opinion.
3. X and Y are both the same, I think.
4. Therefore X is not a problem.
We can - theoretically - verify the correctness of PoW software by downloading the source code, reading it over, etc. We can also refuse to update, reducing ourselves to SPV security. We can internally verify the checkpoints using 100% objective standards. There are other things as well. This is not the case for PoS, where our "signature A existed at time B" has to be taken as faith, or evidence of things unseen. There is no internal way to verify the veracity of such a statement.
The fact that users aren't personally doing this, is not the same as saying it makes no difference whether they are able to or not. I'm not personally going to withdraw all the money in my bank account - that would be ridiculous - but if the bank informed me I was no longer able to withdraw the money in my account, that would not be suitable at all. The assurance that I can do it makes it so that I don't have to.
It seems like you reject this premise, maintaining that PoW networks are objectively verifiable? But you didn't really refute the parent's point there, which was that there are no "objective standards" in deciding which bootstrap nodes to use; it's ultimately a matter of trust. If I trust the wrong bootstrap nodes, I can be eclipsed from the real network.
Granted, I only have to trust that a single bootstrap node from the list will faithfully connect me to the honest network. But PoS involves a very similar 1-of-n trust model; I can request checkpoints from n semi-trusted sources and check that they match.
Also, granted, if I pick bad bootstrap nodes, I can still detect if I'm being eclipsed by looking at the hash rate. But how do I know what hash rate to expect? I could check n websites with hash rate charts, but that brings us back to 1-of-n trust.
> 4. Therefore X is not a problem.
IMO it's a manageable problem. Users just need to be cognisant of these trust assumptions they're relying on, and be thoughtful about picking semi-trusted peers (whether bootstrap nodes or checkpoint providers).
> It seems like you reject this premise, maintaining that PoW networks are objectively verifiable? But you didn't really refute the parent's point there, which was that there are no "objective standards" in deciding which bootstrap nodes to use; it's ultimately a matter of trust. If I trust the wrong bootstrap nodes, I can be eclipsed from the real network.
Right, but it's not about trust in the same way. I can add an infinite list of bootstrap nodes. Quantity matters, not quality.
> But PoS involves a very similar 1-of-n trust model; I can request checkpoints from n semi-trusted sources and check that they match.
"Very similar," not the same. You need "semi-trusted sources", and there's no objective standard in case they disagree.
It's not actually needed, its simply a convenience for users who just want it to work out of the box. You can hand configure the bootstrapping process with -connect and -addnode if you wish.
> Do you know any other way to bootstrap a peer to peer network without centralised authorities?
In IPv4 a client might have a chance at auto-discovering peers.
It's also not necessary to rely on a single centralized authority. There are many things (DNS, Encyclopedias, Linux kernel mirrors, etc.) where the majority of existing centralized authorities agree with each other.
DNS is based around central authority though. Every root zone has name servers that serve as the authority. Their responses get cached at various levels but take those servers offline until TTLs start expiring and everything breaks.
What part of DNS do you feel is possible without a centralized authority?
> Bitcoin for example still relies on a list of hardcoded nodes for bootstrapping clients.
It does, but it doesn't have to. You can use any mechanism you want to obtain one initial node and take it from there. You will still be connected to the network just as well, and you will be guaranteed to obtain the same results. This differs from Proof of Stake, where the quality of the results will be influenced by the quality of the bootstrap.
> As for auditing the the integrity of the code or binary, it is signed by GPG keys > hosted on public key servers accessed using X509 certificates pinned by a a
> couple of trust anchors preloaded in your OS. So much for distributed consensus...
You can literally validate the entire chain with a simple python script. Millions of those on github.
>Not to mention very few people actually bother to verify the full chain (360GB and counting) from genesis.
Absolutely wrong. The chain is validated in its entirety upon first sync. 100% from genesis to tip.
>Bitcoin for example still relies on a list of hardcoded nodes for bootstrapping clients.
It doesn't. Longest valid chain with most work is the canonical chain. Hardcoded seed nodes exist to speed up the discovery.
> You can literally validate the entire chain with a simple python script.
I challenge you to present a "simple python script" that implements the exact bitcoin consensus rules (as codified in bitcoin core). Bitcoin is not all that simple and there's a nontrivial amount of complexity in bitcoin script alone [1].
> The chain is validated in its entirety upon first sync. 100% from genesis to tip.
The default behavior is to skip signature verification for all signatures before some relatively recent block [2].
You're misunderstanding the default behavior which is fine becaue it's commonly misunderstood and discussed. At any rate signature verification is not skipped by default, what assumevalid skips is script verification. Everything else including UXTO, proof of work, the transactions themselves, are validated.
I verified the full chain a couple of weeks ago (But I admit I trusted umbrel to choose the "correct" bitcoin-core software to run), It took less than 3 days to sync on a Rpi4
'Policy changes' and hard forks have about as much to do with PoW as whether the Federal authorities should ban cryptocurrencies or not - they're outside the realm of consensus algorithms. In PoW there are no friends. If your blockchain is incorrect (i.e not the longest) your transactions on it are invalid and will be rejected by the rest of the network.
> If your blockchain is incorrect (i.e not the longest) your transactions on it are invalid
If your chain tip is on the dead side of a hard fork (i.e. if the majority of the network will predictably soon finish switching away from software which considers your chain tip valid, to software which considers your chain tip invalid), then nobody cares if your chain tip is the longest in the interrim, or how long you still hold out running the software that considers your chain tip valid. Your side of the fork no longer holds any economic value as a platform for transactions, so nobody will participate in it. You'll just be out there mining blocks all alone, blocks that say you earn all the virtual tokens, but where those tokens are worthless on your side of the fork.
It's a bit like how, in old pre *serv IRC networks, in cases of netsplits, you could end up on a partition of the network where you were the only one in a previously-moderated channel; and so you could effectively do whatever you wanted in that channel. But it didn't really matter, because nobody could hear you.
Um, yes. I should have phrased that as 'your transactions based on it are invalid in the network'. You just described consensus working correctly, but like I said hard-forks and policy changes are outside the scope of PoW, so saying PoW does not handle hard-forks is not really a valid criticism of PoW.
"nobody cares if your chain tip is the longest in the interrim,"
Except the people you bought something real-world from, once they figure out that their "tipcoin" is worthless. So now it's a question of convincing some people that your technobabble is valid enough. How hard is that?
Indeed. And even if you posit a PoW currency which never has policy changes, unlike Bitcoin or any other major cryptocurrency…
And you assume that attackers will never have enough computing resources to execute a 51% attack – which could happen because the currency’s value falls enough that people stop mining it, because an extraordinarily well-funded entity decides to attack it, or because someone manages to hack the miners…
Then you do gain the security guarantee that if you see multiple competing branches of the blockchain, you’ll know which branch is the correct one (namely, whichever is longest). However, you’re still relying on phoning your “friends” (nodes you’re aware of) to tell you what blocks exist! If they all keep the true longest branch a secret from you (or, say, someone blocks your Internet connection to the nodes that aren’t willing to do so), then you will think the next longest branch is the correct one.
To be fair, that isn’t the most practical attack. But none of the risks being discussed here are remotely practical. In practice, nobody wants to connect an outdated client to a blockchain network because it risks (a) getting yourself exploited through known vulnerabilities in the client, (b) not working due to backwards incompatible protocol changes or bugs, or (c) missing a hard fork that might have happened over disagreements in policy changes (because there are always policy changes). So you update your client, and that means you have to rely on a “friend” to tell you which software you should be running.
> But it's a threat for single nodes not for the network as a whole.
Indeed, but the same is true for attacks on "weak subjectivity" proof-of-stake. They're only a threat for nodes that have been disconnected for a long time (months) before they try to reconnect.
Except for the part where eclipse attacks can be resolved by simply feeding my node more data (it's not a problem if some of it is lies), while "weak subjectivity" requires recourse to an external authority.
i don't know as much about this as you, but it seems to me that the attack you describe in the blog post would also require a successful eclipse attack?
My understanding is that the attack you describe involves a cabal of "evil" validators signing some alternate chain (call it the "fake" chain) long after their stake is withdrawn, creating a fork in the distant past. Before they did this, they pretended to be good validators, which meant they signed the "real" chain's blocks and then signed the withdraw transaction. So after the attack, there are two conflicting sets of signatures signed using the evil cabal's private keys; those on the fake chain, and those on the real chain. So anyone in possession of both of these sets of signatures can conclude that the validators in the cabal are "evil", and then they can see that once the cabal's support is removed from consideration, the real chain had more valid validator support (at the time of the fork, in the distant past). If this line of reasoning is correct, that suggests that anyone who is aware of both sets of signatures can identify the real chain?
> So after the attack, there are two conflicting sets of signatures signed using the evil cabal's private keys; those on the fake chain, and those on the real chain. So anyone in possession of both of these sets of signatures can conclude that the validators in the cabal are "evil", and then they can see that once the cabal's support is removed from consideration, the real chain had more valid validator support (at the time of the fork, in the distant past).
I think this is where you get the problem - if you just have two sets of signatures, how do you tell which is legitimate and which one isn't? How do you conclude in which set the cabal was lying?
An eclipse attack is so named because it requires you to keep all the light out so they're kept in the dark. But here, since there's no internal mechanism to tell the two chains apart, you don't only need the accurate information, but also outside information about which one is accurate.
If you actually see two conflicting chains (either proof-of-work or proof-of-stake) with large numbers of people vouching for both, then the correct chain is not necessarily "whichever one is longer". Well, it could be, for you; "correct" is subjective. But by assumption in this scenario, a large number of people disagree, and you might want to transact with some of them. There is no way for software to decide this objectively; it has to ask the user to decide based on factors external to the network.
Where proof-of-work really does have an advantage is that you can more easily distinguish that scenario from the scenario where either one of the chains is actually a Sybil attack, i.e. a single attacker pretending to be a large number of people. Similarly, if you only see a single chain, with proof-of-work you can try to detect an eclipse attack (which implies a Sybil attack) by seeing if the hashrate has gone down dramatically.
That's a real advantage. I don't think it's even close to enough to mitigate proof of work's disadvantages, especially since the circumstances where it would practically come into play are extremely unlikely, but it's not nothing.
However, it's undermined by the fact that proof of work naturally encourages centralization. Bitcoin is centralized enough that it's not completely impossible for the vast majority of the hashrate to end up on one side of a fork (either soft or hard), while the vast majority of users and developers end up on the other side. (To be clear, this is very, very unlikely to actually happen, but so are all of the attacks we're talking about.) If this happens, the objective proof-of-work standard will side with the miners, but not with the people you actually want to transact with.
Of course, a proof of stake currency can also suffer a schism, but there is (probably) less tendency for stakers to be centralized, and if a schism did occur, at least the client wouldn't provide a false sense of objectivity.
None of this actually refutes my point. You're just suggesting that the fact that PoS is incapable of producing a consensus is outweighed by it allegedly being more decentralized. Be that as it may, it's not relevant to this thread.
Is it even true? Steemit had the exchanges do a hostile takeover, because everyone was staking through them.
> I think this is where you get the problem - if you just have two sets of signatures, how do you tell which is legitimate and which one isn't? How do you conclude in which set the cabal was lying?
I feel like you should be able to deduce it from the distribution of participation after the fork, right?
The “fake” chain would lose all honest verifiers (and all transactions from honest wallets?) which seems like it would be pretty detectable with simple statistical analysis. Staked nodes not participating (and active wallets not transacting) becomes less and less likely the longer the post-fork chain is.
> The “fake” chain would lose all honest verifiers (and all transactions from honest wallets?) which seems like it would be pretty detectable with simple statistical analysis. Staked nodes not participating (and active wallets not transacting) becomes less and less likely the longer the post-fork chain is.
But you don't know who's honest - you may as well be saying the real chain lost all the dishonest verifiers.
Exactly - that's where statistical analysis (like fakespot) comes in.
For each chain you'd be able to look at the age, stake & historical participation level of the post-fork participants and get a pretty good idea which (if either) of the chains is real. The absence of honest participants should look a lot different than the absence of dishonest ones.
Granted, this method is not nearly as simple as checking the number of 0s on a hash, but I would imagine it to be quite difficult to circumvent.
You any specific verifier/wallet, you won't - but the fake chain will have 0 uncompromised actors after the fork.
Which means that large stakeholders suddenly stop verifying blocks. Long-term active wallets stop transacting.
The same might be true for both chains after the fork, but I would imagine the fake one would have a larger change in participation (weighting older wallets and larger stakes) than the real one.
You really don't need to trust a "friend" while bootstrapping into the network with PoW, because the proof of work is irrevocably embedded within the blockchain, and the real world cost of creating those blocks can be pretty easily estimated.
So long as you have a general idea of how much hash power is being used currently for the network, or even just how efficient ASIC computing is in general at your point in history, you can work out how great the hashing difficulty should be. You can trivially verify that the block hash with a large number of preceding zeros, e.g. 0000000000000000000b98dd8e7504793c0644cb0c27eb98f06aab9ea93c4ec2, is the hash of block it's attached to, and that a hash value that small would require a huge amount of energy to find. And every block beneath it also required a huge amount of energy, creating a huge real world economic cost to produce. You can't fake that chain without equivalent sacrifice of energy and compute resources.
Anyone trying to deceive you with a false chain would have to expend approximately as much energy as the entire legitimate bitcoin network does, and then keep doing it for as long as they want to deceive you. Sure, that theoretically could happen, but the economic incentives to do it just aren't there.
It seems that PoW does not need phone a friend to compare "which of these two chains is the true one", whilst PoS does need phone a friend for that.
However, that presumes all forks are soft forks; that you are presented a correct chain; that you want the soft fork with consensus rules accepted by most miners. (If verifying with an old bitcoin client the BCH BCT split will be resolved for you without you having a say.
In summary, PoW has less need for Phone a Friend than PoS. But it still has some problems.
How the hell do you know? You've just admitted that you don't actually know how PoS and PoW work. You've repeatedly refused to "do your homework" by researching what's known about these things. And yet you have repeatedly been rude to other people who have done their homework, and have informed opinions, unlike you. Just shut up and stop talking about blockchains. You're an entitled internet nobody.
I have regrets about calling you a "nobody". I was annoyed, but that's going too far, and I apologise for saying that. Almost no one deserves that level of vitriol, especially if at worst they're just being annoying. And I think I get annoyed too quickly.
I think the difference is which kind of hash you needed.
For PoW, you'd have to know the hash of the start of the chain (the "genesis block") in advance to verify you downloaded the correct chain. That's true, but this hash doesn't change during operation. You could get that hash from a history book if you will.
For PoS, the hash is from the end of the chain and therefore constantly changing. This means the challenge of finding out whether the hash is the right one is a lot more real than in the PoW case, because there is no "common knowledge" to go by which hash is right.
> For PoW, you'd have to know the hash of the start of the chain (the "genesis block") in advance to verify you downloaded the correct chain.
Nope. You could fork the chain at a period of low difficulty and it would still stem from the genesis block. It would either be a short chain, or have clearly low difficulty though, so it wouldnt fool anyone knowledgeable. Im not sure how you would leverage that chain for fraud.
You need to fork at low difficulty if you want to significantly lengthen the chain from that point, because creating a high difficulty, long chain that is valid is hard.
But-- there's nothing to preclude you making big steps up in difficulty at the end of the chain. It means that one evaluating the length of the chain for authenticity really needs to integrate the difficulty over the entire chain and not just look at the number of blocks.
Suppose I'm a new node and want to verify the blockchain. How do I verify that each block was mined with the correct difficulty?
I'd need some record about the actual real-world timestamps for each block. Then I could say something like "duration between block x and block x+1 was > 10 min, so the down-adjustment in block x+5 is justified".
But if those timestamps were stored on-chain, an attacker could simply lie about them and keep difficulty artificially low on its alternative chain.
On the other hand, if we had some un-forgeable record of block timestamps, wouldn't this solve the double-spend problem all on its own? Would we even need PoW at this point?
A while ago bitcoin clients changed from facoring the 'longest' chain to favoring the chain with the most work done on it. (To prevent long chains with low difficulty)
The client can choose properly, but it needs to "call a friend" in order to get the options - if the client doesn't receive the proper chain but only fake ones, it will chose the fake one with the most work done on it.
Because of withdrawal delays, the PoS hash isn't from the end of the chain, but from a few months before. So it changes only about as often as client software updates.
> For PoW, you'd have to know the hash of the start of the chain (the "genesis block") in advance to verify you downloaded the correct chain.
No. For Bitcoin you can accept a chain with an arbitrary starting point and you would still arrive at the same chain everyone else uses.
Although you do need to have an idea of the earliest acceptable starting point-in-time — e.g. verifying a low-difficulty chain starting the year 200,000 BC (with one block every 10 minutes) would take quite a while
Finally someone actually mentioning the code. In PoS "trust" must exist along several points in time before you can engage with the system - and the most notable point being trusting that the rules (written in the code) are of your desire.
With PoW you don't care about the software code. The rules are dominated by the PoW because it literally proves to you which is the chain where most people are interested in, because literally no single entity could burn that much electricity.
With PoS on the other hand you kind of need these checkpoints in the actual software and then you have to activate this entire new trust model where you have to trust the client code, and where it came from etc. I could literally come up with an entire fake chain on my computer and present it to you and without client-checkpoints there would be no way for you to not accept my chain compared to your current one.
With PoW I don't have to trust anything. If the majority next year decides to change the rules, so be it. The majority has spoken.
I was talking about the consensus part. You don't need any client code to understand which is the agreed-upon chain, you verify the hash was generated using lots of energy.
For transacting indeed you need to trust the various clients, but that's easy and can be done once. With the consensus isn't being tampered with, and, more importantly that others are using other types of rules.
not really, if you fall asleep for a period of years, you can still get a signal of how genuine any proposed fork is by observing the chain of blocks and their difficulties. that's the crucial bit of any PoW system - you can't fake the energy that was spent producing the chain. that's a way to externally validate the honesty of a system and a major scientific breakthrough that satoshi discovered.
No, policy changes makes for a new blockchain. That's what usually referred to as a "hard fork", as opposed to a "soft fork" where consensus rules are only allowed to get stricter, exactly beacuse ownership of a coin should be guaranteed forever.
You could follow the consensus rules set out from the beginning and you would still end up on today's majority chain.
I believe there were a couple of early bug fixes along the way, which makes this not strictly true. As in the original first release of the software not actually capable of downloading all of the chain, which some people love to point to as a proof of it being a fallible system. This is probably true but doesn't really detract from the original point of guaranteed ownership by never relaxing the consensus rules.
“Decentralization” has been the argument ideologues have fallen back on time and again in crypto. It’s never well defined and typically used to oppose policies that would promote low transaction fees or increased transaction throughput. It’s why things like Solana which is focused on massive scale and low fees have found a foothold. Ethereum is repeating the mistakes of Bitcoin
Which often aligns with the people that elect them. Central banking fixes serious flaws in money systems, and provides levers to mitigate disasters caused by external forces.
Compare it to a boat. Central banking gives you the ability to steer, sure someone might be bad at it and lead you into dangerous waters. But decentralized currency is like shooting the helmsman and ripping out the rudder because someone did a bad job of it once.
Decentralized currency is the lifeboat if the captain goes mad and decides to steer into iceberg territory. It's harder to steer, but better than sinking in freezing waters (hyperinflation).
it's "decentralized" in the sense that most anyone can confirm that the bar of gold they are holding is real. Gold being taken out of the ground is literally Proof of the work that was put into it. Exactly why bitcoin takes work
The issue is what constitutes a sufficient amount of "decentralization". Extremists who may or may not have ulterior motives seem to oppose any change which by their estimation might decrease the decentralization. They want to minimize the cost of running a full node without consideration for the fact that optimizing that to the extreme causes transaction fees to go parabolic and thus also prices less well off users out of participating in the network and if the fees are too expensive to transact why would you run a full node for a network you can't use. There is no balance in their thinking.
I see you haven't discovered the wonders of ZKRollups yet. Have a read of the works of Polynya [0]. Ethereum will be a settlement layer for these execution chains that can do thousands of TPS at a fraction of the current fee, and their only limit on TPS is data storage, which will be expanded with data shards.
Yeah, I'm aware of that stuff I don't think it will get traction and adds complexity w/o really solving the fundamental problem. My bet is a practical competitor will find a way to balance the different tradeoffs and the winner will be a so called L1 network.
PoW equally rewards early participants because they take the lions share of the initial blocks. Satoshi is a multi-billionaire. There are very few blockchains that don't heavily favour early adopters and for good reason: it acts as a bootstrapping mechanism for the community. Why would anyone participate in a chain they would get heavily diluted rewards when there are many others that reward early loyalty?
proof of work proves that not just one miner had sufficient hash power, but that the entire network had a certain aggregate hash power that was required to mine the block.
can't this be emulated by requiring all major stakers to sign the block? (so rather than one miner staking being enough, all the aggregate staked was required to mine the block)
in any event i think the op is wrong in terms of the hard part of proof of stake, private mining attacks are solvable.
the stickier issues are around maintaining the decentralized nature of pow mining and the random and decentralized election of who mines the next block. under pow, everybody does their own thing and when someone finds a block they are able to publish it without direct collaboration with other miners. the fact that the miner is chosen at random gives rise to all sorts of anti-censorship and anti-collusional properties.
proof of stake will have to emulate this, and possibly make a few targeted and carefully chosen compromises in order to emulate the decentralized nature of pow mining. it's not obvious how this will play out, but i don't think it's impossible and efforts to do so certainly aren't a "scam."
The merge was expedited over miner concerns, prioritizing it over sharding as originally planned, so it’s actually the opposite of what you are saying.
Sorry, I didn't mean to draw such a straight line between the two things. My point is just that it didn't happen last year, and even after being expedited, it won't happen this year either.
Should we also ban clothes dryers, Christmas lights, porn, and video games? Each of those uses significantly more energy than Bitcion. If not, who gets to decide what a "good" use of electricity is?
But won't each of those take up significantly more energy once they use Bitcoin than today? I.e the costs will be additive , and crypto aims to replace fiat. So crypto would need to be more efficient at the same scale as fiat to make sense.
Also aren't each of those used by significantly more people than Bitcoin? So the per capita use is less and they scale better?
Also how are you estimating cost of porn? Viewing cost? Generation cost?
You're only talking about at any given moment in tjme, but Bitcoin hashing difficulty adjusts in an almost correlated way to number of transactions being performed (or more directly related to popularity at a given time)
What is your source according to which Christmas lights and porn use more energy than bitcoin? I fear you may seriously underestimate the energy usage of bitcoin.
Even clothes dryer seem to be using less energy than Bitcoin. If you run the dryer for an hour each week, you're at 12-15kWh per month, which is 1-2% of your average household energy usage in the US, Canada or the EU. Now households at most around a third of the electricity in cold countries with a decent amount of electric heating for which dryers are much less, but let's run with it. That still sets the upper bound to 0.6%, which incidentally is the same as bitcoin.
If we're going to start legislating how we're all allowed to use energy that civilization has made available, who gets to decide what's allowed?
Numbers I've seen suggest that global PC gaming alone (excluding consoles) currently uses about as much electricity as bitcoin. Should we ban that too since playing cards are readily available and use almost no energy? Maybe we can make a concession and only allow low powered handheld consoles?
If bitcoin mining actually becomes problematic, then by all means we can definitely ban it or add some sin taxes to it, and we probably will in a lot of jurisdictions. I'm actually kind of eager for that to happen, because it will force miners to actually become novel/stranded energy ventures. They'll be the capital drive that builds out energy sources that not enough humans live around to justify tapping and/or we can't economically justifying building without expensive transmission infrastructure. And once it's built out and paid off, it may be a lot easier to justify investing in building out long distance transmission infrastructure so the rest of civilization can also tap into these sources.
> If we're going to start legislating how we're all allowed to use energy that civilization has made available, who gets to decide what's allowed?
We already legislate different pricing for different applications. Household electricity has a different price than industrial usage. A 1000x price of electricity for certain applications is just a small extension of what we currently have.
it's called "we the people" or democracy if you will. We as a society decide that cryptocurrency aren't worth destroying the world over, and that's about it.
It's funny "we the people" always decide this when it's about something that would actually empower us. Meanwhile, "we" didn't only not ban cars, "we" destroyed public transport in the US and lobbied the government to massively subsidize roads and cars. Just as an example.
It's curious how much agitation there is concerning the energy consumption of PoW. I don't see nearly as many articles calling for restricting AWS & co. Coincidentally Bitcoin is the base layer of a decentralized finance world completely out of the control of traditional elites and banks.
Bitcoin is the base layer of a decentralized finance world completely out of the control of the traditional elites and banks, yes.
It's also a new finance world completely under the control of an even smaller elite of devs and mining pool owners (see the hard fork of Ethereum that happened a long time ago, and the upcoming fork of Ethereum that will move it to PoS; sure, Ethereum isn't Bitcoin, but there is nothing fundamentally different to prevent Bitcoin taking a similar step whenever the devs and miners decide).
What Bitcoin definitely is not is a new currency where the people have any kind of control. It is actively opposed to that goal, and takes away even the slight chance of a benevolent leader that exists with central bank controlled currencies.
You forgot a (perhaps even more) crucial part: the exchanges/stablecoins!
They're the whole reason this clown show is considered "finance" rather than funbux.
And they're all extremely suspicious. And by suspicious I mean obviously fraudulent. The value of Bitcoin (!) is propped up by Tether printing fake dollars backed by nothing.
By convincing the people in all of those country to vote the same way - ideally through pure argument, realistically through various carrot and stick negotiation techniques. This is really not rocket science.
If bitcoin mining uses renewable power (and pays for it), is that destroying the world or is that encouraging renewable adoption?
If bitcoin mining uses co2 producing power (because the economics supports it), is that the fault of bitcoin or the government for not sufficiently taxing the negative externalities of that means of production?
Using power is never a net good, regardless of the type of power. If we don't need more power for something specific, the ideal is to just not build more power - consumption is not some noble goal.
Unless we believe that Bitcoin has some use, its power consumption would be problematic even if it weren't so monstrously large. And vanishingly few people believe Bitcoin has any value beyond a get rich quick scheme.
The point isn't to increase the proportion of renewable power, but to decrease the total amount of non-renewable power. 10% renewables is the same as 90% renewables if the remaining consumption is the same total amount.
There is no market in the world where you are going to decrease consumption by increasing the demand. That's just not how economics works.
I'm just imagining downloading a porn client which fetches 300 gigabytes of bullshit before it finally lets me watch a movie at a whopping five frames per second.
And best of all, someone complaining that this is clearly a wasteful scam and being told back, "how much energy did videocassettes and magazines consume, huh?"
> Each of those uses significantly more energy than Bitcoin.
These discussions should talk about the ratio between a certain measure of productivity (e.g. GDP generated for the country) to the energy use; energy on its own does not mean much. I'm sure worldwide food production consumes more energy than Bitcoin.
Other than that, a problem with POW (at least as implemented in Bitcoin) is that technological advances won't result in less energy consumption as it's mostly a function of (price of Bitcoin, price of energy).
If the amount of throughput and everything else remains constant while more and more computers are in a zero-sum arms race to waste electricity to solve a useless hash problem, then it is by definition not useful except for “securing the network”.
And if you can secure a network some other way, then it definitely becomes better by any arbitrary order of magnitude, assuming your utility function doesn’t place infinite value on securing 10 transactions a second with to over 99.9999% certainty and willing to waste all the world’s electricity to do it.
Literally even if you value all other uses of electricity put together as 1/100000 of securing Bitcoin then in a few years banning PoW becomes the right move.
But I imagine it will be like the war on drugs — impossible to totally eradicate, since mining rewards become more lucrative every year forever. Until bitcoin blackouts are frequent in the first world, msot people won’t care though.
Imagine if people asked how many emails (SMTP), conversations (VOIP) or websites (HTTP) the Internet can ever handle pet second and the answer was 10, no matter how many computers joined the network. Because every time you had to make progress, everything went through one bottleneck called a miner. Would this be the topology you want to reward with ever-more-valuable rewards?
Imagine if BitTorrent worked this way, and every computer would seed every file. And maximalists said that this was the ONLY AND BEST WAY.
There is a difference between each of those uses of electricity and PoW.
PoW is throwing away electricity for the sake of it, and resists getting more efficient. If the goal is for the bitcoin network to cost $1M to do a single double spend, then PoW has to use $1M worth of electricity every 10 minutes.
Let's say we live in a future where we suddenly have 10x as much electricity. Due to supply and demand, electricity now costs 10% of what it did before.
Dryers etc all keep using the same amount of electricity with no issue, but bitcoin has a problem: it's now really cheap to double spend unless bitcoin uses 10x as much electricity. So of course, it does.
There's a similar proper with making things more efficient. If we make a christmas light more efficient (make it use an LED instead of an incandescent bulb or whatever), christmas lights will use less electricity.
If we make ASICs or GPUs more efficient, then people will just have to run more of them, or else bitcoin will be less secure.
I think this is a real and notable difference, and I think that's enough of a justification to consider a ban.
bitcoin incentivizes the search for cheaper energy, and allows for the instant monetization of once wasted energy. That's a LOT. this whole argument of energy use... i bet most of these people would have fallen for the same energy propaganda when the internet was just getting started... "what's email?? why would you waste electricity to send an electronic mail??"
There's rarely such a thing as 'wasted energy' outside crypto. Energy can be exported (even if at low efficiency) or stored in various forms (pumping water up a mountain, hydrolisis of water to fuel hydrogen plants, etc). Unfortunately, Bitcoin, Ethereum et al are actively making these productive uses of energy un-economical, as they have worse return on investment than simply burning that energy on crypto.
>There's rarely such a thing as 'wasted energy' outside crypto.
There is a lot of resources getting wasted in the real life. For example I'm from East Europe and we do not have good water pipes' infrastructure and lots of water gets leaked every month.
Speaking of wasting and leaking electricity I did a quick Google search and this is what I found:
"Are your appliances leaking electricity? Some of you might not be familiar with what this means. Not only do we have more small- and medium-sized appliances than ever before, but many of these never really stop using electricity. For example, if the television has a remote, then part of the TV is always on, waiting for a signal from the remote. If there is a clock on the microwave then the microwave is always using some electricity. Experts call this usage "standby consumption" or "leaking electricity" because people are often not aware that the appliance is using electricity.
A single appliance usually leaks only a small amount of electricity each hour (see Leaking Watts Chart below). Since these appliances leak electricity whenevery they are not turned on, and since people have a lot of these appliances, the amount of leaking electricity is significant. The average household spends about $40 a year on leaking electricity. The federal government works with appliance manufacturers to reduce the amount of electricity that leaks out of new appliances[1]."
Also here is another good resource on electricity leak which is related to the first web document I linked[2].
And then how much food is getting wasted every month globally? Probably billions of dollars of food is getting thrown away every month.
Other merit's aside, Bitcoin's incentivizing cheaper energy provides nothing new of value.
All uses of energy incentivize the search for cheaper energy.
Not all energy uses are optimized to increase usage over time, to cancel efficiencies. Proof of work, whatever it's merits, is anti-efficiency with respect to itself.
I made a strong statement, so maybe I need to be more precise with my point.
Bitcoin has merits. So proof of work, being a part that is currently necessary for it to work has merits.
But the argument that proof-of-work has the merit of incentivizing cheaper energy sources does not stand up.
1. All uses of energy already incentivize the search for cheaper energy. This isn't a novel incentive that proof-of-work provides.
2. But proof-of-work does have a relatively novel disadvantage. It won't just incentivize greater energy uses as prices come down, as in normal supply-demand curves, but must keep up the original and even grow the amount spent on energy.
This would not be a problem in a market without negative externalities, but energy is famously a huge industry that will be struggling with negative externalities for quite some time and at great cost.
You haven't addressed the parent commenter's point though: that PoW will cause increase of energy consumption every time you make any progress in making energy cheaper, hence cancelling out any improvements energy production efficiency.
It would only be benefitial if after a certain level of efficiency were achieved, PoW got banned and all that efficiency increase could actually benefit consumers of energy that did not have to keep increasing spend to keep up (though even that's not sure, because if energy becomes 10x cheaper, it's just a matter of time for people to invent new creative ways to use all that cheap energy that's prohebitevely expensive right now).
There's a trend now of Bitcoin mining businesses buying fossil fuel power plants in the US, in many cases plants that had already been shut down due to being unprofitable.
It's better to tax the harm created from electricity generation, which I suppose is mainly CO2 emissions. Then the market will decide how much PoW mining should be done compared to Christmas lights etc.
Nit: when you say better you mean "more economically efficient in terms of $s produced." That's not necessarily equivalent to a policy that would be the best for society.
Why do people keep propagating this claim that PoW is burning electricity for nothing? It directly provides security for the blockchain. I don't disagree with your arguments general direction, just with this piece of incorrect misinformation.
LED was a technological innovation. Nothing says Bitcoin can't have those. If you want more light, you need more lamps and you need to spend more energy. I don't really see the difference here.
About every 4 years the reward for mining a block will be halved. I don't see LED lights getting two times more efficient every 4 years.
Because "security of the blockchain" doesn't necessarily mean "good for society". Cryptocurrencies are most widely used for speculation, and then fraud, ransomware, all those very fun and pleasant things.
I thought there was enough historical data to draw the conclusion that command economy doesn't work. I also would appreciate if you could back up your claims on how Bitcoin is used.
Videogames share that property. The Atari 2600 was ~5 watts. That's about what the Playstation 5 consumes during rest mode; when you're playing it, it takes 150-200 watts.
It really sounds like you're rationalizing banning Bitcoin because you don't see any value in it. That's a dangerous way to decide who gets to use electricity.
I think Bitcoin is possible without PoW; decentralized peer to peer network in which nodes verify transactions and make agreements on which transaction came first and then draw consensus. But then someone needs to figure out how new coins would be distributed or in another words what incentive would be to verify transactions.
Btw Satoshi introduced blockchain checkpoint so no attacker can fork the existing Bitcoin chain and make a competing one.
Energy consumption of anything is irrelevant. The carbon footprint is the interesting marker of a technology and this will depend on the source of energy used.
You never mentioned why you think mining should be illegal. Probably because of the outrage published by the media based on intuitive assumptions that end up not being true. That bitcoin mining long term is bad for the environment. However, this is not true even though it intuitively seems that way. (Similar to how making highways wider actually ends up making traffic worse, not better).
We can actually start with 1 question: If electricity demand from PoW mining spurs new renewable plants to be built, is that bad for the environment?
I (and many electricity companies) actually think PoW mining is good for the grid/renewable adoption in the long term. Let me explain why:
Some indisputable facts to get us started:
1. Most renewable electricity has unpredictable supply
2. Introducing marginal capacity of the same type gives diminishing returns. Eg: you're producing more during high supply times where electricity rate is low. During lower production periods all of the same type of renewable will be producing less so you can't even take advantage of the higher rates.
3. Rational bitcoin miners will turn off their machines when cost of power is greater than marginal return.
As a result, PoW mining will help the economics of building new wind/solar plants. Eg, currently it may not be profitable to build a new wind plant because base load is too low that the excess power generated would need to be sold off at 0 or even negative prices. However if bitcoin mining could be turned on during these times and off during periods of high demand, there will need to be fewer peaker plants in operation and it would positively affect the economics of opening a new wind plant.
Bitcoin mining only cares about the cost of electricity at a given time, it is not like most other electricity demands that are very time based. With the large variance of electricity generation by renewables, I think bitcoin can in the future help smooth demand according to the real supply/demand curve.
It's kind of like a different implementation of the Tesla utility grid batteries. Instead of deploying batteries, you force the grid to build more renewable capacity (that the miners are paying for) that miners use except in peak periods, where you turn off and effectively provide the grid with more power.
> If electricity demand from PoW mining spurs new renewable plants to be built, is that bad for the environment?
Yes, obviously.
Even if every single miner pool built its own solar/wind plant to power 100% of its energy needs, that would still be horrible for the environment: building the power plant itself produces harm to the environment; and the space and work and money used to create the Bitcoin miner's power plant could have gone into replacing (closing down) a non-renewable power plant.
Silly arguments about pricing volatile electricity only work if we assume maximizing profit is the ultimate good or that PoW is the only way to use that excess power. In reality, if we want to avoid the worse catastrophes that our current economy is pushing the world towards, we have to stop looking at profit, and choose less profitable but more useful ways of handling volatility - batteries, long-distance transmission, etc.
Yes (with some help from nuclear, hydro), yes, and no/irrelevant.
Power generation is a social concern, and states provide plenty of incentive to build power plants, especially nuclear - crypto mining is a profit chasing wasteful afterthought.
I think it is a matter of months, before crypto mining is banned in Europe and the US. Just because cryptomining is a bottomless well : The more crypto miners earn money, the more they invest on graphic cards and the more they consume electricity. Inevitably, there will be supply problems
Such an idiotic proposal. How should we enforce this, do we need a government backdoor on every single turing complete hardware to verify they are not running """bad"" code (hashing data)? Or are just ASICs the problem, mining with CPUs is OK?
Or maybe you could just let people do what they like with the electricity they paid for
If electricity was an unlimited non-polluting resource, sure. But when my neighborhood mining rig coal power plant gives me cancer, it's not just a simple marketplace thing.
then tax the electricity use (or, specifically, the fossil fuel use)?
(alternatively, tax the electricity use beyond a certain per-person allocation).
I agree that there can be harms from PoW, but this is because of the electricity use, and so the thing to tax is the electricity use. Rather than the state deciding what things it considers valid for an individual to value and seek, it should put the restrictions on the thing that more directly causes negative externalities to others.
If there is a concern that this would harm things that we are sufficiently convinced is objectively valuable (e.g. making it more costly than is appropriate for people to heat their homes), so that we want to not significantly impact the finances of people who are like, using "reasonable" amounts of electricity, then we can, as I said, put some threshold amount of electricity use per person below which there's no tax on it, and increase the tax rate above that amount to account for this (and use the revenue to pay for CO2 removal and/or green energy development).
Or, like, I suppose in the most extreme case you could (on e.g. an annual basis) give everyone an initial amount of CO2 credits and no one is allowed to emit CO2 beyond the credits they have (but unused credits can be bought and sold).
Bitcoin is not predominantly mined by a ton of individuals running an ASIC or 2. It is mined in huge warehouses, which have to go through state/federal bureaucracy for business licenses, etc etc. It would be hard to enforce a complete ban on anyone mining any Bitcoin, but the vast, vast majority of mining could be easily shut down in the US, as it was in China.
I wouldn't say that HN is staunchly anti-crypto, more crypto skeptical. Many of us were in the scene from the beginning, and have made good money on the hype.
But one thing that's extremely apparent, is that for the past 10 years, the crypto community has been 95% greed, 5% innovation. With the innovation part having picked up speed only the past few years.
At first, it was the an-cap dream. Decentralized, trustless, govt free internet money. No longer were you a prisoner to slow bank-transfers, expensive middle-men (PayPal, etc.), and could purchase whatever you wanted.
Then the price shot up, and everyone wanted to become rich. So people "agreed" that BTC is no longer a coin made for spending, but rather a storage of value. Like gold. Use altcoins if you actually want to spend your crypto. But who wants to spend any, with the rising prices?
Meanwhile, centralized banks, 3rd party businesses, etc. have solved all the personal finance issues that plagued us 10 years ago. In most countries today, you can transfer money pretty much instantaneously, without getting anxiety every time you press "send".
I'll give DeFi, Dapps, etc. credit - they've finally managed to roll out usable things, but it's still way, way too hard for regular users. And most regular people do not give two shits whether something is decentralized and trustless.
I can think of multiple legit uses for the blockchain technology - but I'm gonna be honest, I'm having a harder and harder time seeing how cryptocurrencies will replace any national currency. As of right now, it's almost purely speculation and get-rich-quick schemes.
We're still in the wild west, but it's not gonna stay that for long. With regulations looming around, it's just a mater of time.
The majority of the article frames distributed consensus mechanisms in an extremely sophomoric understanding of asset value and the PoW security model. All of these topics (including valid ETH criticisms) are discussed in much better ways in many other places.
I have conquered [and seen others close to me] FOMO by stubbornly writing things off, and I suspect others have done the same thing: it's calorically inexpensive and cognitively frictionless. No one can reasonably assess everything that comes their way.
I am not saying that that's the reason with the writer, but it's surely the reason in some people, precisely because it's easy. And easier still to click upvote on a take that reinforces that stubbornness. It's this latter group whose motives are being questioned, as per the GP who asked why these takes get upvoted. I wasn't actually questioning the motive of the writer of the article, hence why I didn't engage in the arguments in the first place.
And of course you have the corollary of true believers who will support anything positive of X-thing-they-have-adopted.
It's seems to be only these two dichotomies we see, rarely balanced takes. And that's the real problem.
I would love to see the same content / angle of this article re-written. I think it could be condensed to a few paragraphs perhaps, for those who already understand Proof of Work. I found myself getting stuck in the analogies (infinite lottery tickets) and not being able to make progress. But I'm interested in the pros/cons of PoW vs PoS if you have recommendations.
"The majority of the article frames distributed consensus mechanisms in an extremely sophomoric understanding of asset value and the PoW security model"
This is one of those sentences that reads like it is saying a lot but might actually be nonsensical. Care to elaborate on this? i.e how exactly does the article 'frames distributed consensus mechanisms in an understanding of asset value'.
I read the article and I didn't see anything about asset value (whatever that is). As far as I can tell they point out that the article you cited pretty much agrees with what they're saying (about PoS by itself not being self-certifiable or irreversible) but disagree with the position that this can be acceptable in the real world. Whether you agree with that is subjective but the main criticism in the article seems to be directed at those who selling PoS as a sufficient distributed consensus algorithm to replace of PoW. There are blockchain projects raising literally Billions of dollars on this false guarantee so it is valid to criticize them.
I don't particularly care to rebut the author point by point, but "asset valuation" is an extremely common term that anybody discussing the properties of a novel currency should understand: https://www.investopedia.com/terms/a/assetvaluation.asp
In relation to that I was specifically referring to the misunderstandings present in "Nothing at stake".
You say:
"There are blockchain projects raising literally Billions of dollars on this false guarantee so it is valid to criticize them."
Are you not presupposing the correctness of the author's argument by calling it false? Have you already made up your mind?
Thanks for that link, it has been a few years since I've read it.
I spent a lot of time talking about this topic with people. The article does have a point, that the security model of proof of stake is fundamentally different and relies on a key assumption (from the article you linked):
> any new node coming onto the network with no knowledge except... the set of all blocks and other "important" messages that have been published...
This is referenced in the OP as a point of security failure. The assumption is that we can rely on social interactions between nodes and that that is good enough. The criticism is that a new node can have no way of definitively knowing that their copy of the chain is the widely used canonical chain. An eclipse attack can occur, or as the OP stated new nodes may need to rely on authoritative sources to get current state which puts centralized power centers in the security model.
It is not a deal breaker (IMO), remember, PoW relies on the security assumption that it is prohibitively difficult for more than half the network to collude. I'd argue these assumptions are equally tenuous. I think as long as disparate, non colluding sources of the canonical chain are available (arguable if this is foregone, seeing as we need PoW to ensure consensus and resistance to collusion, probably not, but all it takes is one person to not collude and contention exists) it wouldn't be a problem.
Another big sticking point is the fact that no external resources must be invested, and/or that there is no ongoing cost. I find this to be the big problem with PoS schemes, I've had quite a number of discussions focused on these two particular issues (stemming from the same fundamental difference, that an internal capital stake is made) and I see benefits of not having ongoing cost and benefits of having it, and also of having a fully self contained system as well as having a system grounded in the outside world. All in all I have come to the conclusion that these differences make neither better nor worse, but that they are simply two completely different game theoretical environments with different security and incentive properties.
I think the issue most have with the "no external stake" is that there was a common misunderstanding regarding Bitcoin value propagated for a while - that is, the cost of the consensus mechanism (compute + electricity) defines the price of Bitcoin. In reality it just sets a floor on the price of Bitcoin. The value of the dollar is not set by the cost of paper. So the "self-referential" nature of stake value and attack value just means that asset value is not pegged to the consensus mechanism in as strong a way as in PoW. As long as asset value is driven by other factors (e.g. utility) that is not really a major concern.
In practice social networks form a cornerstone of all of the unstated assumption of all consensus mechanisms. I'm more worried about supply chain compromise in wallet code than I am about an eclipse attack on a new node. At that point we know our models are too simple to make real world security comparisons.
Do people deploy PoS chain clients that are ok with blocks that totally ignore the historical leader schedule or use a leader schedule that could not have resulted from the distribution of stake in the network at the time? If not, how will the attacker who wants to swap out a single block a year later get all the other validators to sign a year worth of new blocks?
> That key is valid to sign any number of versions of, let’s say, block #200, and there is no objective, system-internal standard for which version is legitimate, other than “the one that was published first”.
The real block #200 will have hundreds of attestations courtesy of randomly-selected validators, each of those signatures attesting to its validity and finality.
The block 200 will be adding validation to the previous blocks, and will be validated by the future ones. Without other types of checks, nothing stops you from rewriting the previous 199 blocks and using block 200 to validate them.
This is not FUD, it's the most obvious PoS flaw, called long range attack, and the reason PoS chains often need more checks to be more trustworthy (e.g. keeping hardcoded checkpoints, choosing the first received block as valid, introducing penalties and so on).
It was voted for by 8000+ validators. Many of them have been validating since beacon chain genesis a year ago. There are like 260k validators active right now.
I find it highly unlikely some entity is going to come along and try to pretend their alternate history, with a whole new set of hundreds of thousands of validators (which wouldn’t be supported by any ETH1 deposits) and millions of signatures signed by 260k freshly generated public keys, is in any way legitimate.
Which parts of this are checked by the client software, and which parts are just checked by interested humans in the block explorer?
There's a trade-off here. If you require 8000 guys to all vote in favor of your block, what does the client do if it only sees 7999?
> which wouldn’t be supported by any ETH1 deposits ... signed by 260k freshly generated public keys
You misunderstand. What happens if some of those private keys get compromised? In Bitcoin, if I sell my miners to someone else, it's not like they're radioactive waste that has to be buried. In PoS, someone can cause quite a bit of damage with keys that ostensibly don't contain any money. And because I've already withdrawn, I have no reason to care.
The system is fault tolerant. You typically get 99.X% participating. Any validator that doesn't perform their duty in a timely fashion is penalized and eventually ejected if they are disruptive.
Those private keys are useless unless you had something like 50% of all the active validators' keys. So, hundreds of thousands of private keys hacked. You're not going to be able to damage consensus using a few old leaked private keys. The best you could do would be to slash some active validators and get them ejected, but the chain would carry on finalizing without them.
Whoever the 260k are (and I know some of them) if they’re all one entity, they would have had to stake eight million ETH and counting into the ETH2 deposit contract.
The 8k are randomly selected from this pool of 260k validators via RanDAO every 12 seconds.
ETH2 was years in the making, with multiple delays and not fully migrated yet precisely because of how unsafe standard PoS is. Vitalik and co spent years researching the best mitigations.
Right now, it seems to be one of the best protected PoS chains. It's still fairly new, with novel mitigations, so it still doesn't stand the test of time against all possible attack vectors.
In that sense, it still can't be considered as secure as a PoW chain with high hashrate, which is protected by thermodynamics (you can't produce more hashes than the physical energy you have access to allows).
PoS is more quantum-resistant though. If someone were to build a quantum computer capable of running Grover's algorithm on bitcoin hashes, they would get a quadratic speedup over classical miners. That's a threat that doesn't exist on PoS.
(Both would be vulnerable to Shor's but post-quantum signatures would fix that.)
PoS is a class of consensus protocol, not any particular blockchain. It's orthogonal to signature algorithms. A blockchain can incorporate any combination of consensus algorithm and signature algorithm. So yes, please use your terms correctly.
If sufficiently powerful quantum computers become readily available to anyone, sure, everybody will upgrade. Given the exotic hardware they typically require, it seems likely that for a while only a few large organizations will have them.
Grover's algorithm is pretty general, I don't think there is anything we know about that we could switch to.
Shor's is faster but more specific. It works on factoring and elliptic curves, but not on hashes. The advantage of Shor's is that if you have enough qubits, you can get the answer immediately. Grover's only offers quadratic speedup, effectively halving the number of bits in the hash function.
So for signatures we just need to switch to something like a hash-based signature algorithm, with keys having twice as many bits as we'd want against classical attackers. But we don't have hash functions that keep Grover's from working, so a quantum miner be way faster than classical miners.
But there are ways to mitigate the bootstrapping issue to some degree.
And PoW chains tend to have a low cost at the beginning making them similar not easy to bootstrap safely (through more easy then PoS).
In the end I don't think what theoretically is better matters, what only really matters is what practically matters for big crypto currencies (and smaller ones can during bootstrap (and potentially later one) interlink with the large chains).
It's similar in that 8k sigs are collected and coalesced to sign something. From there the differences begin. M-of-N schemes must be orchestrated ahead of time, using Shamir's or by constructing a BTC multisig UTXO or something. When signing, one may choose freely among the key shards. It's performed in the usual execution layer of the chain.
Whereas in ETH PoS, validation happens in the consensus layer, following strict self-imposed rules. With each new block, one validator is chosen to propose the block, and thousands of validators are asked to back the proposer. The proposer and attestors are chosen randomly but specifically with no freedom to mix and match; the chosen validators must attest (and receive a reward) or else be penalized. Validators don't know each other and they don't need to cooperate to create a shared key ahead of time, all they have to do is deposit and follow the rules. The signatures are agglomerated by [BLS ellipical curve stuff idk it's magic] and help to form the consensus chain itself.
Attestations don't have a real world economic cost that can be validated trustlessly within the system. If you compromise or coerce enough validators, you can rewrite the history for no cost.
That's what PoW provides that PoS just doesn't. Immutability.
In fact, I would argue that one of the most important products of bitcoin, is providing the hardest, most immutable database human civilization has ever created. We could theoretically lose it and we could control and manipulate what goes into it going forward, but once a piece of data gets confirmed and buried under a few days worth of bitcoin's PoW, it can never be changed or removed from the blockchain. This is a severely undervalued use case in my mind.
I suspect that most PoS coins will eventually decide to periodically peg themselves into bitcoin's blockchain to timelock their blockchains and provide some immutability to their users.
Having said that, humanity probably only needs one PoW blockchain. Bitcoin.
I have to say I appreciate your transparency in directly Bitcoin shilling.
> If you compromise or coerce enough validators, you can rewrite the history for no cost.
If you can. You would need to compromise thousands of randomly selected validators just to forge one block. That impossible task nonwithstanding, the validators are selected with maybe five minutes’ warning.
PoW doesn’t even offer absolute immutability, it’s just longest fork wins. Which is secure because of the economics, not because of a notion of perfect immutability.
Likewise, ETH2 provides a definition of finality that’s backed by economics.
Exactly. These PoS FUDers fail to realize that largely the same, even if not stronger, economical factors protect the PoS as does the PoW blockchain. Both fundamentally rely on that 50% of validators need to be honest. With PoW, anyone with sufficient computational resources can execute a 50% double spending attack. I am sure that if few of the largest BTC miners conspired, they could right now execute a 50% attack. That's not in their best interest however, as it would permanently ruin the reputation of BTC and they'd be left with whatever proceeds the attack yielded, but also millions of USD worth of mining equipment that'd be rendered largely useless.
With PoS exactly the same works. Most of the holders should be honest, and a successful attack would require spending at least 50% of the market cap of the coin to successfully execute - and then losing that stake as the reputation of the coin is soiled.
> but once a piece of data gets confirmed... it can never be changed or removed from the blockchain.
But it can, in the exact same manner as described in this article: have an 51% attacker build up a long chain and hide it from the world; then publish it.
PoW is vulnerable to exactly the same type of attack described in this article. In order to build a longer chain with non-negligible probability, you need to stake at least 51% of the pool.
no the difference is, to build a side chain you have to produce the work, work that has a real cost and takes time, remember in POW the chain with most work wins.
Am I understanding this correctly; is the threat model that a block signer, some time later after liquidating their stake, can go and publish arbitrary versions of that older block?
Yes, but it is a little more than that: that future nodes will not be able to distinguish these two blocks without relying on some authoritative source for the canonical chain, thus introducing centralization to the game environment.
This is like two homeless people arguing who is richer.
Yes both PoW, PoS solve the double-spend problem, but in a brute-force way. And they never really get rid of the ambiguity of which chain is the one to go by. They just aggregate all the little ambiguities into one or another consistent version of history (a chain) and let them duke it out by massive electricity or stake or whatever. But at any moment, someone could have been mining a chain in “secret” and will emerge to thwart the rest of the network for a while.
There is a better way. Blockchains are actually quite centralized since to make any progress every N seconds you need to send all transactions in the entire world to one miner, and the block is limited in size. Actually it’s worse than that in Proof of Work — because you don’t know who will solve the silly problem, you have to gossip every transaction to every miner!
Oh yeah, and if you store UTXOs then you have to store the history of everything. And even if you didn’t, you have to store the current state of everything. Oh how nice and decentralized! LMAO
I don't get your criticism. Why does requiring gossip to every node cause centralization? Why does everyone having the current state of everything cause centralization?
To make progress, every few seconds or minutes, all transactions in the world must be gathered in ONE place, and placed in ONE block, as the network and adoption grows this becomes more and more expensive for everyone.
There are various aspects of centralization. This is one major aspect: a bottleneck. Just like when all Web 2.0 conversations in the world would have to go through a centralized server. Even if it was a different server each time, it’s still an extremely centralized topology for that state transition.
It means that there can only be one transaction at a time for the whole world, no matter how many computers join the network. No concurrency — it is also why you can have flash loans. This is why Ethereum is called “the world computer” and why Bitcoin failed at being a peer to peer cash system and became a store of value.
I think you have some fundamental misunderstandings of the term "centralization". And also of the way bitcoin works.
All transactions are not gathered in one place, ever. All nodes receive all transactions independently. All nodes are capable of providing a copy of the ledger for verification.
Transactions don't go through a server. Historical record gets finalized by any one participating node. These two things are not the same thing. The transactions that will be mined are publicly known by all nodes before they are mined. Mining only ensures that nobody can change them after the fact.
There is no concurrency, this is true. The systems we have currently are single threaded systems, and from a classical standpoint, hugely inefficient single threaded systems. But this is not the same thing as centralization.
“Blockchains are politically decentralized (no one controls them) and architecturally decentralized (no infrastructural central point of failure) but they are logically centralized (there is one commonly agreed state and the system behaves like a single computeR”
I think you’re mistaken that I don’t know how Bitcoin works. Not only do I know, but I have spoken to many teams doing work in the last 10 years in various alternative systems, and I have even designed alternatives myself.
I used the word server in my analogies. The transactions are, however, all going through one COMPUTER which receives them, puts them in a envelope, and finds the right PoW input to “seal” the envelope, and sends it out to everyone. Whoever does that first, gets the rewards on that chain. If the transactions do not make it into the block, they don’t count on-chain.
Therefore, every 10 minutes, ALL TRANSACTIONS IN THE WORLD must be gathered by one computer, the one that will happen to mint the next block. This is a bottleneck, and it is the cause of the skyrocketing fees whenever the system sees any on-chain adoption.
But it’s actually worse than centralized — because we don’t know who will mint the next block so we have to send everything to on everyone. Imagine if all BitTorrent nodes seeded every file in the world. Bitcoin failed as a peer to peer cash system because of this topology and people on the group were telling Satoshi this back in the day.
>>Even if it was a different server each time, it’s still an extremely centralized topology for that state transition.
That doesn't make the network centralized, since the server that acts as the centralized state transitioner will be randomly selected from a very large pool of servers with equal authority.
Innovations that Rollups and Sharding further extend the scalability that is achievable with Ethereum's Proof of Stake consensus protocol, mostly by debundling tasks to create modular components, so that the consensus layer has to handle far less load per transaction.
My general observation is that blockchains are, at best, secure in the same way https is secure. Yes I have padlock icon on the browser address bar, and my connection is secure, there’s a security certificate, but the whole thing can still be a scam.
Who personally verifies every contract they use? Wallet implementation? Cold wallets are closed-source, trust-me devices, maybe with a security certificate from a centralised, government-linked security org.
The strongest link in any security chain is not irrelevant, but the whole system is really not perfectly trustless anyway.
It's actually suspected that happened during the blocksize wars when proponents of forks like Bitcoin Cash may have been spamming Bitcoin with transactions to feed their narrative that it is too expensive to use.
You'll eventually go bankrupt if you do this long enough.
This is actually another reason unlimited blocksizes that can allow for very low to no cost transactions are risky, and DDOS protection is likely why Satoshi added the 1MB limit in bitcoin to begin with.
He lost me at the part where he thinks you can sign messages after withdrawing your stake.
The whole point of proof of stake is that you can only sign blocks or messages while you have something staked. When you withdraw you are no longer allowed to sign anything.
He also didnt need to spend 1000 words going on about the history of bitcoin and proof of work.
This is literally just a filler piece with a provocative clickbait title to stir up the anti cryptocurrency folks here
After withdrawal is completed, your node would no longer be in the set of active validators and from that time could not validly propose a block or submit an attestation (or, more accurately, be selected as a block proposer, etc.)
I can still propose blocks invalidly, you see. And then someone who doesn't already have the consensus (e.g. trying to sync) will have no way to tell which is legitimate.
This is the problem - you can't look at what the system does when everything's working as it should, you have to look at what happens when it's outside of the comfort zone.
Even a relatively light reading of the Annotated Specs for Eth2[1] and/or the Eth Org's Proof of Stake FAQs[2] suggests the designers (and independent implementer-teams who gave feedback to designers, who gave direction to the implementers... lather, rinse, repeat) understand it's important to consider the overall system "outside of the comfort zone".
I think the biggest problem with his whole argument is when he wants to give some examples of community consensus being a problem, and gave examples from the PoW world (Bitcoin small block size decision, Ethereum bhard fork) - that to me complety destroyed his own argument that PoS is more community-dependent than PoW.
Those two examples were demonstrating what happens when you don't have provable consensus. They weren't issues with the validity of the blockchain, but debates over changing the software itself. They're good examples of why centralized development of a decentralized protocol still opens up the software to attacks (though with the option of continuing the blockchain without the software change, as Ethereum Classic did for a while), and demonstrates why having a provable consensus mechanism is important.
The argument he's making is, you could stake for blocks 10000-10005 and get your money back.
And then produce a big fake chain from 10,002 (in the middle of the time you were staking) -> 10,000,000 later, with an alternate history in which you didn't stop staking.
I don't think this attack is particularly realistic for a lot of reasons, but PoW does have some small amounts of additional strength against these scenarios.
What do you mean by "allowed to"? In a PoW system, the PoW is a distributed timekeeping device. That's the actual operation the PoW does, and the distributed timekeeping is then what you can build a blockchain on. PoS doesn't not do distributed timekeeping. If you sign a block now, then go back later and sign a different block with the same key, there's no distributed clock that can be used to prove which was actually signed first.
The obvious argument here is "the one that was signed first will then have other blocks built on top of it". But since there's no PoW, building a parallel blockchain is trivial to compute, the only restriction is being able to produce something that's actually convincing enough. That and having people say "well, I was there at the time and I saw a different block than this", but that's just relying on authority rather than something that can be proven within the system.
Basically, PoS requires something external to the system to prove that history hasn't been changed. PoW technically does too, but what it relies on is "physics" and "provable historical fact" (i.e. approximate computing power available in the past).
You certainly can build a system that depends on something external to itself to ensure its consistency, but this challenges its claim to being "decentralized" and limits the amount of trust you can place in the system (and consequently the power of what it can do).
The clock issue is an excellent point, but the ethereum PoS have a nano scale PoW mechanism for this exact problem. Look at VFD "Verifiable Delay Functions" [1].
In short:
If you take the pbkdf2 key derivation function: its job is to slow down hashing a thousand fold or so, so that hashing an entire search space becomes impractical. You give your secret in input, and it gives you a hash, let's say, in 1 second. You'll have to spend the time again to recompute the hash. With a faster machine, you can compute in maybe 100ms, but still, there is a limit in how fast you can obtain the result.
Now change the cryptographic properties of pbkdf2, so that you can go back from the output to the input in constant time, so you can find the secret from the hash in O(1). Then, it becomes useless for actual secrets, but you now have an instantly verifiable proof that a certain amount of time (or serial computation) had to pass to get from the input to the output. Plug the input to the previous block hash, and embed the result in the next block, and you have your clock, based on physics and provable historical facts.
The site isn’t particularly accessible for a quick discussion so I appreciate your explanation, thank you.
However, I’m not sure I understand how this is supposed to help. Proving that a few seconds passed just slows down block generation a little, but this cannot be a significant barrier to block generation or else you just have a full PoW system again. And if it’s not a significant barrier then it’s not clear to me what this is supposed to do, beyond preventing me from generating and signing a new block within milliseconds of some event happening.
But since the “nano scale” PoW doesn’t define the rate of block generation, it just establishes a lower bound, it feels like it’s just a speed bump for anyone trying to attack the system. If it only takes 10 seconds to rebuild the last 100 minutes worth of blocks, then it doesn’t establish a universal clock and therefore cannot prove which block came first.
With VDF you cannot rebuild the 100 minutes worth of blocks in less than 100 minutes, because with the VDF logging, you just proved that you would need at least 100 minutes to go from block n to n+(100 minutes). You can check in 10 seconds, but can only produce in 100 minutes, just like you can check in an instant that a bitcoin block starts with enough zeroes. So it defines the rate of generating blocks.
Of course, nothing can stop anyone from creating parallel 100-minute long branches if that was the only thing, as, unlike PoW, it does not cost anything (except time) to create branches.
So you still need a consensus mechanism, a way to, as an agent of the network, decide what is the right branch. On bitcoin, it is very simple: go to the longest chain, it's where the majority of mining power went, so that is clearly the consensus (with 1 joule = 1 vote).
On ethereum, it's much more complex, involving promises with money at stake locked somewhere, so that anyone can detect cheaters, automatically unlock and take their money as punishment, and reward the whistle-blower with it. So, unless everyone is foolish enough to watch their money seized by the network, it does not happen.
The exact way the correct branch is decided is by random election of one staker, where the randomness is proved to be actually random. After all, using a VDF, you can now prove that its output won't be known until x seconds have passed, if you put the most recent block hash as input. So during that time, you can agree on an fair pseudo-random election algorithm that will take this VDF output as a seed when it becomes available.
Ok I just looked at https://medium.com/@djrtwo/vdfs-are-not-proof-of-work-91ba3b... for an explanation. VDF is proof of work. It's just proof of sequential work. It does seem plausible that a VDF would significantly reduce the amount of computing hardware being used in generating blocks, but it fundamentally is still a proof-of-work scheme, just one that requires faster processors rather than more nodes if you want to speed it up.
The thing though is that this doesn't prove that X seconds have passed. It proves that X seconds have passed on whatever baseline hardware has been used to calibrate it. I don't know who actually computes the VDF in the proposed proof-of-stake schemes, though I would assume it's "whoever is proposing a block" (is this the same as the staker? Does this mean every single staker is picking a block and computing their own VDF, meaning everyone is still burning CPU?). And this means the VDF can only establish a minimum CPU requirement. It can say "X seconds have passed on the minimum hardware we're requiring at the moment", but anyone with faster hardware can still compute it faster.
And also because this PoW scheme cannot require more than X seconds for any participant to compute, it means an attacker that starts computing their alternative blockchain at the same time as the block they want to replace faces no difficulty. All this does is interferes with the ability to decide after the fact that you want to attempt to replace history. And even then, if you have hardware faster than the baseline, you can still reach back in time to recalculate a block, you just have to wait longer to do so. And by that I mean if you want to edit a block from 100 minutes ago, and you've got a CPU that's twice as fast as whatever the VDF is tuned for, then it just takes you 100 minutes to compute the replacement blockchain (50 minutes to compute the past 100 minutes, and 50 minutes to compute the new blocks that have been added since you started the attack). So after 100 minutes you now have an alternative chain that everyone thinks took 200 minutes to compute.
Which means now we're just back at the problem of "attacking consensus", where nobody can look at the two blockchains and see within the system which one was calculated first.
---
I suppose the VDF could be calculated by some volunteer with the fastest hardware, though this requires rewarding them for doing so (which means you basically have a monopolist sucking up all of the VDF rewards and no real incentive for nearly all participants to even try and compete). And this is still attackable by someone who can put together hardware that is even just slightly faster than then volunteer. It just takes longer. If the security of the system relies on a volunteer being assumed to have the fastest hardware on the planet, then the system isn't secure. I also question what happens in this scenario when the volunteer goes offline and nobody else has hardware that's as fast. Now the next block isn't ready in X seconds. I assume there's some protocol for "oops nobody has finished computing the VDF in time", but this does provide another avenue of attack for anyone in a position to disrupt the volunteer's connection to the network. Of course, anyone in a position to do that is likely to have access to unusually fast hardware already, but the point is that you cannot rely on the idea that "nobody can possibly calculate this block faster than the VDF is tuned for".
This attack is possible in Bitcoin too, except because Bitcoin is parallelizable, the defense there is that this attack requires spending more money than it is worth as the computing power used to calculate blocks is roughly a function of the value of the network. The danger there is generally in centralizing too much of the computing power among ...
I think you basically ask the right questions. But when you have progressed in your understanding, and you're confronted with the next problem caused by PoS, you seem to assume that PoS is flawed, because you can't immediately think of a solution (which is expected, that's quite a hard problem). The reality is that the issues you mention are well identified and they have solutions for them.
About VDFs, there is a tolerance, you need to be in the same ballpark as the fastest, not _the_ absolute fastest. The more tolerance you need, the less snappy the PoS blockchain will be. They plan to make a low-power asic for that task, to be as close as the theoretical max speed for that, and have the lowest tolerance margin as a result.
Also, there is a way to reduce all VDFs results so that only one of the whole set of VFS-ers need to be honest.
So it's not one volunteer, but a pool of volunteers, using low powered asics so close to the theoretical max (ie speed of transistor switching) that you couldn't outrun them enough to profit from that speed up. I am not sure if they are incentivized, because it's not costing a lot, but maybe.
> Edit: I suppose the VDF's input might not be "the block being computed" but instead "the previous block", and the output then used to elect participants who are then trusted to build the new block. This would allow the new block to indicate whether the VDF actually took longer than expected.
Indeed, that's what I thought I was saying, but maybe I was not clear enough.
> When you withdraw you are no longer allowed to sign anything.
But I didn't withdraw my stake. I have a whole chain of blocks saying I never withdrew anything and it's perfectly valid because I signed it, and I still have a stake. Oh, you have another chain that says I did withdraw? Who are we going to believe? Who was first?
Signing is a cryptographic operation. You can still sign a block after you don’t have something staked. People won’t accept that signature unless you have something currently staked. But then the question arises- who decides who withdrew their stake? Other stakers?
> If a node can present a lottery ticket of rarity one-in-a-million, the network can conclude the node did about a million lottery tickets’ worth of work, on average.
This is not true. You will have scratched far fewer tickets on average than one million.
If you have one million tickets, one of them guaranteed to be a winner, you will on average scratch exactly half of them (500 000) before finding the winning ticket. If you have an infinite supply of tickets, each with a 0.000,001 chance of winning, the number becomes higher, but the number of tickets scratched on average is still lower than one million.
Finding an error regarding something I know makes me skeptical about the rest of the article.
Yeah, I think that's right. The hypothesis was that on average, one in a million cards is a hit. That implies that if you scratch a million cards, you have a 50:50 chance of a hit.
That the author got this basic thing wrong doesn't inspire much confidence in the rest of his reasoning.
Well, I guess in real life blockchains it’s like the latter case. You have a block and look for a nonce. There is an effectively infinite stream of nonces (“lottery tickets”). You have no guarantee that even one works, other than statistical hope. So then if probability of a match is 1 in X, you expect to have to do X attempts.
I have other issues with the article but this bit seems ok.
I'm not clear how "expected no. of attempts for X" is related to the probability of X. And I seem to be struggling to recall what little I used to know about probability.
I'd welcome a (link to a) clear unpacking of this scenario. I'm feeling rather stupid, as if I've had a stroke and lost a mental faculty. It seems to be a straightforward and obvious scenario, but I've lost confidence in my reasoning about it.
If it’s scam, the article could have presented a stronger case for it. The objection seems theoretical. If PoS is broken, I would expect to see a plausible attack spelled out.
As far as I am aware, these long-range forks can be hindered by using verifiable delay functions (VDFs) [1, p. 6]. Essentially, VDFs take a certain amount of steps to compute and cannot be parallelized. However, the correctness of their output can be verified efficiently.
Now if a proof of stake includes a VDF that needs to be computed for every block, then a long-range attack needs to recompute the VDF outputs as well. This is infeasible as it will take a long time given the correct choice of VDF parameters.
Notably, the Chia blockchain mentioned in the article would succumb to long-range attacks as well were it not for their usage of VDFs [2, p. 17].
> Essentially, VDFs take a certain amount of steps to compute and cannot be parallelized. However, the correctness of their output can be verified efficiently.
No, a VDF just proves that, given a certain input, you spent a certain amount of time to compute the unique (!) VDF output. As said, this computation must be carried out sequentially. Of course, it can still be sped up by creating an ASIC (the same technology used for Bitcoin miners nowadays). However, there is not point in running multiple ASICs (like a Bitcoin mining farm) because the computation cannot be parallelized and the output is unique. Thus, running one ASIC has exactly the same effect as running thousands ASICs and there is no energy waste.
If you go by the usual, energy-wasting meaning of "proof of work" that is also the one relevant to the discussion (i.e., Bitcoin-style PoW which is described in the article), then no.
Yes, in the strict sense of the meaning. In general, the comparison of VDFs (a cryptographic building block) and Bitcoin-style PoW (a consensus mechanism) is not that useful. However, using a VDF as part of a consensus mechanism (see e.g., Chia) does not introduce an energy overhead.
To demystify what a VDF is, consider the delay function (i.e., the majority of the work done to compute a VDF) used by the most prominent proposals:
Let N = p*q be a product of two large primes (so an RSA modulus) and assume that the primes p and q have been immediately thrown away/forgotten after initialization. Then, computing
f(x) = x^(2^T) mod N
is believed (dating back to a paper by Rivest, Shamir and Wagner in 1996) to take T sequential steps provided that T is large enough. For a large T, the only feasible approach seems to be repeated squaring modulo N. That is, compute y = x^2 mod N, y' = y^2 mod N, ... for T times.
> Proof of stake is a scam. When I say that, I mean that proof of stake is (1) claimed to be a consensus system, and (2) constitutionally incapable of actually producing a consensus.
Ok. Go break one of the many existing systems that operates using proof of stake then. If you've done this, you should be leading your article with it. If you haven't, you shouldn't be speaking.
Proof of stake is not some theoretical thing being proposed in the abstract. Many systems operate on it as we speak.
"Because of all the arguments above, we can safely conclude that this threat of an attacker building up a fork from arbitrarily long range is unfortunately fundamental, and in all non-degenerate implementations the issue is fatal to a proof of stake algorithm’s success in the proof of work security model. However, we can get around this fundamental barrier with a slight, but nevertheless fundamental, change in the security model." —Vitalik Buterin, saying the quiet part out loud
Security model in PoS = trust the rich. Some like having masters, whatever floats your boat.
Miners do not set the rules, they are merely a service that provides immutability to a ledger, with a nuclear option that will bankrupt all the billions they have invested, should they misbehave.
Large stakers can rent-seek and extract your wealth, PoS is the same system we have now, plus some code.
You are quite literally being exploited right this minute, by the same methods outlined in the article.
> Miners do not set the rules, they are merely a service that provides immutability to a ledger, with a nuclear option that will bankrupt all the billions they have invested, should they misbehave.
Stakers do not set the rules any more than do large mining pools.
> Large stakers can rent-seek and extract your wealth, PoS is the same system we have now, plus some code.
I'm not really knowledgeable about all this, but mining of PoW currencies right now seems to rely a lot on mining pools. Isn't there a risk that they are "the rich" and people trust them? What's the difference with PoS there?
Crypto currency weather PoW or PoS boils down to "give the few rich all the power while giving the many less rich a illusion of security".
In PoW it just slightly tweaks "richness of money" into "richness of computation resources (which you get through money)".
This difference has complicated effects like:
- benefits anyone with cheap electricity (i.e. either places with no environmental protection, government support in some way, or the few places with cheap clean power)
- benefits anyone with good connections to chip factories
- the investment needed for gaining power being less bound to the currency itself but computation power instead
It's incredible how people who read a few articles think they have found the smoking gun, against a technology on which a lot of crypto researchers devote years of their time to make and analyze. They must think themselves are geniuses, and researchers are fools. Oh well, nothing new under the sun.
If you'd read the article till the end, perhaps you'd understand where the author is coming from: PoS systems aren't getting hacked today because they aren't truly decentralised. You can't have decentralisation and security with POS, you have to choose one of these. All the projects currently active have chosen security for obvious reasons - they control the majority of validators to make sure nobody steals, and are just fancy centralised mints.
Sure, but if the majority of validators are actually run by the project owners it's effectively centralised. And it's easy to maintain this control if you have the majority of coins to stake. It's not Sybil resistant for this reason - all validators could be owned by one person and you would have no way of knowing.
> all bitcoin miners could be owned by one person and you would have no way of knowing....
Sure, it's entirely possible that BTC is also centralised and controlled by wales. I was merely suggesting that the reason PoS systems haven't been hacked (much) yet is because the validators are controlled by project owners, so they are really centralised payment systems in disguise.
There's a difference though: buying initial stake in PoS may be similar to buying an ASIC in PoW, but mining a chain has a real cost (electricity) in PoW. In PoS there's no cost to mining, so validators have an incentive to stake all possible forks. There's no way to have consensus on the correct chain, because real resources haven't gone into building one up.
(my day job is developer on Proof-of-Stake Algorand block chain, I'm a developer, this may not be polished official PR)
Article's theory about malicious old blocks doesn't hold up. Let's say I start a new node and verify history since the beginning. Somewhere along the line I'm connected to a malicious node which hands me a fictionalized block. It would need to have been signed by not just one but about 30-45 accounts _which had stake at that time_. Proof-of-Stake attacks aren't about having 51% of the CPU that overwhelms a Proof-of-Work system, but about having 60-70% of the _value_ in the network. So, if Warren Buffet comes along and wants to spam our network, I guess he could, but that would destroy the network and destroy his value that he sunk into the network. _That_ is a guardrail for PoS systems as much as any crypto or consensus-protocol element (and the algorithms are right, original article misunderstands them).
a coalition of wealthy interests can trivially dictate the consensus rules with very little to no recourse on your part. Even if the chain splits, they can maintain their share on both chains, and even suppress the minority chain.
In PoW miners risk going bankrupt overnight for egregious behaviour like that.
I'd like to see how one defines "slashing" programmatically that is impartial, works algorithmically, and does not have edge cases that can lead to catastrophic failures without handwavy assumptions that every single PoS network has today.
No, no, back up a second. The argument being made in the parent comment is that once there is one entity with enough stake in the network to dictate where it goes, they can just pull out before tanking the network.
But my understanding was that you can only have enough stake in the network to make decisions...by having that stake in the network. If you un-stake your crypto and cash out, by definition, you no longer have any stake in the network. If you no longer have any stake, how do you have a controlling stake?
If you go offline the penalties are very small. You can be offline a third of the time and break even. The real penalty happens if you send conflicting messages, and even that's not too severe unless a lot of other nodes do it at the same time.
You can fork far in the past, before you cashed out. Any new entrants into the network will not be able to distinguish your fork from the real chain.
You cannot be slashed for this in the real chain because you already cashed out your stake there.
This 'long range attack' is different from a 50% attack because it doesn't affect nodes that were running before the attack happened. But a situation where new entrants into the network are uncertain of the 'true' fork is not tenable in the long term.
This seems more viable for a value destruction attack than for a double spend. But value destruction can be lucrative for blackmail. It means a coalition of stakers could withdraw their stakes and state "increases the blocksize or suffer a long-range attack".
But why would a new entrant get the chain from a node that already exited, and why would this affect anyone other than the entrant itself? I assume the new entrant is itself liable if it copies the wrong chain, because other nodes will vote against it once it starts operating, so it will make an effort to get the correct chain (maybe by buying it from current nodes and ensuring they all provide the best chain). So maybe you would have some kind of cartel of running nodes that may or may not allow new nodes to enter, but I don't see a critical network-destroyig issue here.
Wouldn't anyone then be able to provide proof of that participant having exited? The participant would have generated a signature the moment they exit.
> But a situation where new entrants into the network are uncertain of the 'true' fork is not tenable in the long term.
This is an important point to consider, but it can be mitigated with exit delays. E.g. with Eth2's current settings, if an attacker had 2/3 stake at one point, I believe it would take them 6-7 months to exit all those validators. So while it's true that new entrants must sync from a trusted checkpoint, the checkpoint can be quite old.
Let's say my client has a hardcoded list of checkpoints, with a new one added once a month. The client would only accept forks containing all of those checkpoints in their history.
It seems like there are two ways an attacker with commit access might try to corrupt this checkpoint list. First, they could try to add bad checkpoints over a period of 6-7 months, until they've fully exited and can safely perform a long-fork attack. This seems impractical, since the bad checkpoints would be noticed by existing node operators (who would get stuck after upgrading their clients), and 6-7 months seems like plenty of time to raise the alarm.
Alternatively, an attacker could just delete 6+ good checkpoints, and replace them with 6+ bad ones, all at once. This would violate the convention of adding monthly checkpoints, so it should be easily recognized as a malicious change. One could argue that it might go unnoticed anyway, but sneaking in such a change seems roughly as hard as sneaking in any other clearly-malicious client change.
You've outlined only one, the most obvious and least probable, mode of failure.
The more subtle and wildly prevalent failure mode is that the consensus will be set by the few whales, who will maximize their rent extraction at the expense of numerous small players, which will include most later adopters, aka the entire population of Earth.
It's already visible on smaller scale in DAOs, every vote resembles a banana republic: "90% voted, 90% in favour". No matter what smaller stakeholders do/say, the early big investors and dev team always win. Why would they structure it otherwise? The same dynamics exist in PoS, just not as grotesque.
Perhaps that's OK for a private company governance, but for a global currency?
You want the multibillionaires to dictate the properties of the medium of exchange that serves the entire globe? Seems rather strange that so many have such a burning desire to be governed by someone much richer than them.
It gets a lot more complicated than that because setting up competing systems is cheap. It is like saying "nobody would write this piece of software for free". What we learned with open source is if the cost of distribution gets low enough then there needs to be just one person somewhere on earth willing to maintain it and it can work.
If the cost of creating trustworthy local (or international) monetary systems is basically 0 then it isn't obvious that plutocrats have an advantage beyond the one they already have by virtue of being powerful. If they can force you to use their system they already control the government so didn't need any technical help.
You can fork decentralized over (crypto) collateralized stablecoins even if you can't force a fork of a centralized stablecoin operated by incorporated entity to be recognized by them.
Unless we're going to pretend that there is only one way on and off networks and only in one currency denomination…
Just because you may not be willing to swap cash/gold/anything a local counter party values in whatever jurisdiction you reside in for a random networks gas and/or tokens that trade on them, doesn't mean others cannot.
If you want to use coinbase to buy crypto and tokens, that's on you.
If you are forking the chain state and not just the vm, that could be the case.
However, if you are only forking the vm and allowing for people de deploy other protocols (or forks of other protocols), this is not the case (they just start off at lower total supply relative to the native collateral available on that network from a lower demand base).
I don't consider it a fork unless it includes the state. For example, ZCash is based on Bitcoin code but nobody considers it a fork of Bitcoin and there are various chains like Avalanche that support EVM but they aren't forks of Ethereum.
> I don't consider it a fork unless it includes the state.
I think id agree for things like ZCash/Dash etc compared to BTC, but I'm not sure I'd agree when it comes to the all contracts deployed on all EVM networks and none of this has anything to do with decentralized stablecoins.
For example, you can mint MIM (a decentralized stablecoin) on both avalanche c-chain and ethereum (as well as polygon, fantom, bsc and arbitrum), and they are both worth $1, but have different collateral backing it on both networks. If users wanted to leave one or the other, they could just redeem their mim for the underlying, sell it and buy the collateral on another network and mint it on the other network. The collateral might trade lower on one network based on market factors (like if the narrative shifted to that the chain became too centralized or w/e, and this assumes that even the price movement of the underlying overwhelms the over collateralization ratio, it might not) but it would just mean that there would be more or less mim on that particular network as assets are liquidated and not that the MIM itself would be worth less.
They only go bankrupt if they don't hold the majority of the mining power, if they do they take over. How is this different from PoS?
Actually in PoS if you try to attack and you don't have a majority you will lose all your coins. in PoW if you try to attack and somehow you miscalculated you will lose a couple of hours worth of electricity after which you can go back to mining normally so much lower stakes for an attack.
And Proof of Work is better because the haves buy equipment the have-nots can't buy to vote?
Unless you have a citizenship based voting of some short where a single person gets a single vote and they actually vote (automatically I guess and assuming without delegating to the big whale because "I am bored") what do you think agreement via resource scarcity implies?
PoW is a service to the network, to create an immutable ledger. It comes with a very real nuclear option that will bankrupt miners if you misbehave and get fired by hashing algo change.
It's just a boring industrial business, like smelting aluminum or iron.
> It's a system with an immutable monetary policy.
Is it though? It seems minor protocol tweaks aren't uncommon and hard forks managing to eclipse the original protocol in popularity are also conceivable.
Every time there is a fork, the market decides how much to value each of the forks.
Personally, I think people will value bitcoin as good money if fiat money fails. And because they are seeking good money, will value the fork(s) that preserve bitcoin's prior monetary policy.
A fork that changes the monetary policy drastically (particularly, changing the 21M cap) would obviously make for bad money in practical terms.
No, not true. Nodes can literally just choose to use the version of software that provides the best money. You can’t choose to use the US monetary policy from 1960, for example.
This has happened multiple times with attempted hard forks of Bitcoin which have failed because once you change the monetary policy once, the promise of hard money effect disappears. So the original monetary policy remains in place and the original network continues as the reigning champion.
I imagine the idea of a hard fork of Bitcoin may become more popular as the supply limit is approached and transaction fees go up. The current transaction fee is only a few dollars but the cost is over a hundred. Eventually the fee will have to cover the full cost and a hard fork may start to look more interesting.
If this happens I can technically stay on the original protocol, but that would be rather pointless if a sufficient majority abandons it.
The natural scenario is that as the mining reward goes down, hash rate will dwindle until mining is profitable again.
The only real problem with that is that with a small hash rate, bitcoin can be attacked more easily.
If bitcoin is the monetary backbone for many nations, they will subsidize miners to maintain the balance of power. That is the actual scenario that I'm optimistically predicting.
If bitcoin isn't the monetary backbone for many nations, by then, then it's probably a failure, and should probably be allowed to die.
It's also very possible that transactions fees alone actually will be sufficient to support a high enough amount of hash power to secure the network.
I don't see why many nations would jump at the opportunity to make Bitcoin their monetary backbone. For example because an immutable monetary policy won't be seen as a feature.
> For example because an immutable monetary policy won't be seen as a feature.
Each nation would love to be able to manipulate the supply itself—why not, if people will let you get away with it?—but the fact that other nations can't do the same could be seen as a feature.
If that's how it's going to work, what stopped nations from making a treaty in which everyone commits to an immutable monetary policy so far? And how does Bitcoin result in whatever it was not being a showstopper anymore?
Many countries already use money internally such as the USD (outside the US) or Euro (outside the EU) for which they do not control the policy. Explicit agreements to use a common currency across nations and share control of the policy are relatively rare; no examples come to mind apart from the EU, and that hasn't always gone according to plan, as Greece can attest. But hard currency is still a fairly common basis for exchange between nation-states, and other countries' currencies are more likely to be adopted when they are governed by relatively immutable policies. Of course, if those policies change to be less immutable it can take time for the effects to manifest. The USD was relatively stable until recently, but other countries are probably reconsidering their dependence on it at this point given the increase in the supply over the past few years.
If Bitcoin does eventually become a common instrument of trade at this level it will fill the same niche currently occupied by gold and other precious metals.
> It's also very possible that transactions fees alone actually will be sufficient to support a high enough amount of hash power to secure the network.
I have to admit that I have no idea how much work is actually needed to secure the network. My point of view is that the current rate of energy expenditure outweighs whatever benefit Bitcoin does or could provide to society. But if this rate is a transient result of still-significant minting going on, things could definitely look different in the future.
Do you know of any analyses on how much work really has to be continuously expended in order for Bitcoin to remain reasonably secure at a given market capitalization?
I wouldn’t worry about it. Bitcoin incentivizes energy development. As the world moves to a Bitcoin standard, we will unlock new types of energy that were previously unproductive. It’s likely that energy will more cheap and plentiful under a Bitcoin standard, leading to downward pressure on transaction prices as mining is more economical. Also, more transactions are likely to move off chain to Lightning Network and sidechains.
Still plenty of scaling left in the Bitcoin ecosystem.
I agree with this. Just want to add, bitcoin mining can happen in remote locations with available power (hydro, geothermal) which are too far from cities to be transported by power wires. There is a limit to how far you can transmit electricity through wires. So, there are tons of untapped natural energy sources.
And precisely in places like these, such as Niagara Falls, you see coin mining displacing tangible goods production due to both needing cheap electricity and one being more profitable than the other. In this case the market is not thinking very clearly in long term priorities, nor is infinite development of hydro and geothermal possible. Actually, this is about realizing that we live on a finite planet with finite resources that a finite amount of humans can finitely exploit finite parts of before the whole thing goes catawumpus.
POW and current cryptocurrency systems are thoughtlessly and needlessly wasteful and represent inelegant architecture and brute force hackery like lightnig to correct what ultimately isn’t scalable: blockchain ledgers and fast transaction speeds vs centralization and speed. Look at DNS, for example, and how slow that is, and it’s architecture amd full vs partial copies of ledgers and jeiraexhical canonical lookups etc.
I don't see how cheaper energy would help. Bitcoin needs a certain amount of power in units of cost to be tied up mining to secure the network. If the cost of energy goes down ten times then the same PoW requires ten times the energy.
Bitcoin proof-of-work difficulty must always increase, the electrical needs are always ever-growing.
While you claim that incentivizing electrical production is what POW does, in reality it is a large drain of electricity on a finite electrical grids capacity and it DOES take away from other uses of electricity LIKE aluminum smelting or running hospitals. It is an active and actual source of pollution and uses more electricity than most countries. You can’t handwave this away or insist upon your rhetorical framework when. The apparent physical real world consequences of POW cryptocurrency cannot be evaded or ignored.
Bitcoin difficulty does not always increase and needs not always increase.
As for the rest... so what? It uses a lot of electricity and there is some pollution---but a lot of bitcoin mining is done with hydro or geothermal (and will be nuclear if bitcoin continues to grow), so, so what about some pollution?
Some mining is powered sustainably. And for some of THAT power it is true that it wouldn't be used for residential anyway. But for the majority of BTC's power needs the sources are not renewable.
So there's a simple question: how much value do we get out of this tech per CO2e it emits and per ton of e-waste it creates. And AFAICT the answer is: not enough to keep tolerating it in a time where humanity as a whole is seriously worried about climate change for the first time ever.
If you can magically move _all_ the miners to sites with excess renewable electricity and permanently slash the hash rate by 99.9% then maybe it can be tolerated. Until then I would welcome more China-style crackdowns on mining activity across the world.
I can't tolerate the global exploitation of non-ruling people in every nation by their rulers via fiat money manipulation. (And every nation calling itself a "democracy" is actually a "bureaucracy.")
If you aren't upset about this, you probably haven't studied it. I say that in a spirit of helpfulness. Fiat money grossly distorts all of humanity's economic output and therefore retards our progress on all things, including fixing climate problems. Just one example: The US is becoming a nation of renters because enormous funds are buying up the houses with fiat money they borrow nearly for free.
Fortunately, with bitcoin, we can do something about that, without (eventually) harming the environment.
The difficulty does and has (in the short term) decreased when the amount of hashpower being used goes down.
Presumably if the price went down by a substantial chunk and stayed down for a while, the hashpower would also decrease, and so the difficulty would also decrease.
Also, if electricity prices went up, or if CO2 emissions were taxed, then hashpower would decrease, and the difficulty would go down in turn.
Everything is mutable with the possibilty of physical destruction and long time scales. Even the existence of humanity is mutable when we play stupid games in MAD geopolitics, have foolish energy policy, and lack an ability to cooperate to mitigate tragedy-of-the-commons problems like, for example, what Proof of Work is causing.
If we do not bound the growth of PoW energy usage, I think it could easily destroy itself in a roundabout way: by destroying the fragile global order that keeps humanity going.
It's burning electricity (that could in an ideal world be renewable, maybe one day) to provide a service to the network, therefore making it more secure by providing additional processing capacity that is controlled by a good actor, making it harder for a bad actor to get 51% of the pie. It is a waste, but there are also a lot of other sources of wasted resources/energy that we could tackle first and get larger returns from.
You get compensated for your service, it may seem like a lottery, but if you do it for a long enough time, you'll get fairly steady returns as in theory it should be random and proportional to your hashrate.
I don't mine, and I think it's definitely overhyped at the moment, but maybe it will settle in the future and actually provide a useful service to us folk. It doesn't seem to be going away for now, and it is really easy to send money to friends and family, whether they're nextdoor or in another country.
It is not a waste, as it provides physical security, exactly the same as idle nuclear missiles on standby do, or standing armies that are "doing nothing", until a war happens.
The vast majority of mining today uses sustainable energy (70%+), because it is actually cheaper.
Dishwashers and heated swimming pools use WAY more energy globally, but because pleasant luxuries are quite enjoyable, nobody seems to attack them.
> It is not a waste, as it provides physical security, exactly the same as idle nuclear missiles on standby do, or standing armies that are "doing nothing", until a war happens.
You don't think those get very wasteful in the real world? And there's no equivalent to a real war situation. You can set it up so you don't need to defend against the equivalent of enemy armies.
> The vast majority of mining today uses sustainable energy (70%+), because it is actually cheaper.
What kind of sustainable?
When miners locate next to hydro, and buy it up, that doesn't help anything. That hydro could have been sold as somewhat less cheap power elsewhere, after going over long wires, and then it would have reduced the load on coal plants.
Miners that eat up excess solar can theoretically do a lot to encourage the installation of solar, but they need to be happy letting their machines be turned off a large fraction of the time. If it's still profitable to run 20 hours a day, then they're still encouraging fossil power plants.
> Dishwashers and heated swimming pools use WAY more energy globally, but because pleasant luxuries are quite enjoyable, nobody seems to attack them.
Dishwashers are better than hand-washing, aren't they? Having plates is a lot more important than running cryptocurrencies in a particular way.
If heated swimming pools use that much, then sure let's go after that and use some kind of billing or taxes so they pay extra and encourage sustainable power sources.
I disagree that standing armies and nuclear weapons are a waste. They guarantee your security, which you seem to take for granted. Your views on this could change if you spend a few years in a warzone under artillery fire.
It is of course not 100% perfect analogy, nothing is, but I believe you understood the point I tried to get across: it's a security service, and that costs money. Blackwater stationary guard roles are 180-220k a year for someone with years of experience. I'd imagine monetary networks use a lot of physical security, some central banks are literally located in bunkers under mountains, with a backup site in a similar setup on a different geological plate.
I have not seen any PoS schemes so far that provide anything other than plutocracy as a service. There is a reason why ETH with a 100mil R&D budget is still on PoW, Vitalik is not a dummy.
as for the cheap sources of sustainable energy, those are usually stranded hydro and wind that's too remote to be economic, and stranded natgas (for natgas "green" might be a better term, i've used sustainable in the sense that CH4 is far more damaging that CO2. I've been told by regulators it is actually better to burn off CH4 from stranded wells)
Balancing of the grid also does happen, but I believe primarily with wind and hydro.
I, of course, agree that we should not pollute the Earth we live on. High energy usage in itself is not bad, only if it's a harmful polluter. I've only pointed out dishwashers and pools (don't have the stats handy, but they do indeed use a lot more, like a magnitude more), as a common hypocrisy.
We must rapidly scale up non-polluting energy sources, as it seems unlikely humanity can become a spacefaring species on a self-imposed tight energy budget, and this self-imposed handicap coupled with an unexpected asteroid impact can end us.
Pools in the US use 14 billion kwh it's hard to imagine it being even global orders of magnitude more than Bitcoin.
It's also hard to see how push button Armageddon has possibly made us more safe than nobody having nukes. We are only more safe than if only our enemies had them. The same could even be said of armies.
> but they need to be happy letting their machines be turned off a large fraction of the time
Or they need batteries. Or some other means of energy storage, for that matter; at the scale of a large mining farm, thermal (e.g. heating water) or kinetic (e.g. spinning a flywheel) might be practical.
Armies have to practice. Smart generals don't let their armies do nothing; to be any good at warfighting, they have to fight wars. Effective standing armies have to constantly be finding new wars to fight.
Nice to see you rationalizing expenditure that goes towards murdering people. Are you the people talking down to bitcoiners about being wasteful and not caring about future of humanity? Give me a break.
How many people aren’t murdered because of armies though? Humans have been grouping and fighting each other for thousands of years now. You’re under the impression everyone should just… what… pretend it doesn’t happen?
When attacking a neighbor state costs more (because your neighbors have arms too), it’s less likely to happen.
The cold war had plenty of awful hot action with proxies and third parties but the entirely hot version obviously would have been far more calamitous.
I suggest reading Herodotus’ Histories, or you can read up on Genghis Khan, Napoleon, Hitler, Alexander, the Crusades, or the myriad other conquerors and conflicts that have occurred.
> The vast majority of mining today uses sustainable energy (70%+)
Do you have an source for this? I remember the same number being flaunted before but it turned out not to be true. What was true was that 70%+ of miners use any amount of renewables in their energy mix.
PoW produces something intangible. You're probably basing on an assumption that tangible products are more worthy or justifiable of resources consumed than intangibles.
If you work with software development - which you probably do - I'd suggest checking what you do for a living, how much energy it consumes and how much physical product it generates.
That argument could even be somehow valid if it were only possible to demonstrate that these intangibles improve life for people, like contributing to food, housing, education or even only entertainment. They do not. We do not have to care for those who are affluent enough to burn electricity just in order to gamble. Those people have the resources to gamble in less harmful ways without raising electricity prices and polluting the air the way they do. Those people could even do something helpful and productive if they chose to. Cryptomining is wasting energy for the sake of wasting energy. You may argue we (the 99.999% who do not cryptomine) are too stupid to see the value of your imaginary intangibles but that's not true. We are the ones who want no part in a pyramid scheme, who do not want to succumb to gambling, and whose time and money are too scarce and too precious to be put on the line. Sure, all activity has its price, its waste, and sure, there are other occupations whose overall usefulness is doubtful and askew with the accompanying resource consumption. Doesn't mean you have too excuse bad behavior just because there are other guys doing no good.
Just as an aside, when you move a newspaper or a magazine from print to only existing as a web page, you certainly have 'dematerialized' it to a degree. However you still need hardware to keep and display the data and energy to move it around and light up the screens. In so far it does not stop being physical. The 'intangible' is somewhat of a red herring. Yes, it is less haptic, but it's still physics, physical all the way down. Other than that, currencies, freedom, equality, education, entertainment—we've been having intangibles all the time, at least from the dawn of human culture onward. Cryptomining does not bring anything genuinely new to the table in this respect. It's not even new in being a fraudulent, volatile scheme that betrays traits of a cult, one that benefits a few and hurts the many.
Perhaps we should insert humans in the loop, to verify whether useful work was performed.
Or some AI because humans are prone to bribery to some extent.
Or we could make it democratic. "Jeff Bezos asserts that he provided useful work for society and that he therefore deserves $1B this year. Please cast your votes".
PoW should actually stand for Proof of Waste. It's not even unprecedented in nature: many species will intentionally waste energy or resources to demonstrate mating fitness, as with a peacock's tail.
I'm less concerned with wasting resources (which is highly subjective), than with ecological and systemic harms. I don't care whether a terawatt is "wasted" on pointless SHA256 hashes, or calculating triangles for Yet Another Marvel Movie, so long as the externality is being paid for [0].
forkwars have shown in practise this isn't the case.
Status quo will be incredibly difficult to overcome for attackrs, even with a large chunk of industry, exchanges, miners and whales against the status quo, it prevailed.
The fork-wars of old will never happen again, IMO, on any chain of significance. These days, fork winners will be decided by the stablecoin operations they host. If ETH forks, for instance, hash power will follow whichever chain Jeremy Allaire deems the winner.
It's probably not renewable (well, neither is the Sun on large enough timescale), but do you believe nuclear, either fission or fusion, will play a large role in the future?
You make it sound like I need a new hobby - which I might haha.
> Do you consider nuclear energy sustainable?
Low-carbon, yes. Sustainable, yes. Renewable, not until we productionize extraction of uranium from seawater. [1]
> ... but do you believe nuclear, either fission or fusion, will play a large role in the future?
Fusion if we can crack it, totally. Seems like a clear winner. Fission probably will if there's some political will behind it, but not unless there's a change in sentiment.
> of which the following sources are considered to be renewable
in other words, it attempts to define the world "renewable" along favoured political ideologies.
From Wikipedia:
> Advances in breeder reactor technology could allow the current reserves of uranium to provide power for humanity for billions of years, thus making nuclear power a sustainable energy
TL;DR: nuclear is just as renewable as solar (beyond any likely duration of the human civilisation).
I saw the renewability as more of a thought exercise, because I agree with you, there's more than enough nuclear feedstock to keep us going indefinitely.
It’s not. There is a huge gulf between Bitcoin and the rest of the crypto space. Bitcoin is certifiably decentralized hard money with an ossified monetary policy. I believe it is reasonable to conclude that something like Bitcoin can only happen once. The rest of crypto space isn’t really trying to be money, or is only pretending to be.
Regardless of Monero's technicals, new upcoming updates to BTC will infuse with privacy, therefore making Monero et al redundant.
BTC is also getting smart contracts soon, which makes ETH redudant as well, but it will take a while before it catches up in terms of possible complexity of the contracts.
...just re-using the terms for continuity and simplicity sake.
yes, a PoW algo is probably better generic term, although I am not confident complex algos would be accepted as first-line replacements by the wider community.
Some of the hashing functions used with hashcash are exceedingly complex, such as RandomX used in a popular coin. Even scrypt, an extremely popular choice of hash function, is relatively complex, long after its 128KB memory footprint briefly served its purpose of resisting ASICs.
You're right that Bitcoin will never accept a change of PoW. At least not until SHA256 shows signs of being broken.
At the limit, proof of work and proof of stake converge - they are the same thing, except for the Kazakh coal that is burned in the former along the way.
PoS staking is simply committing a portion of your capital to the task of validating transactions. You benefit by receiving a reward in the form of additional tokens.
In a PoW system, the same exact thing can be accomplished by using your tokens to purchase a stake in a mining pool. You will similarly be unable to access your capital, be rewarded with additional tokens, and at the end of a period of your choice, you can liquidate your position in the mining pool to reclaim your tokens.
[edit] PoW in this context is a bit worse because PoW miners can rent out their hash power maliciously without being slashed.
In this world, the "nothing at stake" problem also manifests in proof of work, where I believe ownership in the mining pool makes you agnostic to the outcome of any chain splits - although I'm still working this bit through in my head. Opinions welcome!
> PoW in this context is a bit worse because PoW miners can rent out their hash power maliciously without being slashed.
Sounds wrong. Slashing is a means to prevent people from staking on multiple chains. In PoW, computing power is scarce, so if you allocate some compute time to one chain then you have less of it on another chain. You automatically get slashed. The difficulty in designing a PoS chain is in artificially re-creating this slashing and thereby solving the "nothing at stake" problem.
In a blockchain, the chain keeps splitting. Your tokens live on multiple competing chains simultaneously. In PoW, you are forced to pick one of those chains to mine on. In PoS, you can stake on all of them simultaneously.
The splitting is unavoidable and happens constantly. Multiple competing future states are constantly being created, and the network has to eventually arrive at a consensus about which possible future is the true one.
> Where is the difficulty in making miners expend their tokens (i.e. in a way that is irrevocable) instead of merely depositing them somewhere?
Figuring out how to make spending your tokens irrevocable is the whole point of PoW/PoS. Your question reads to me like "In trying to solve problem x, why don't you assume that you've already solved problem x, and use that to solve problem x."
Yes, I read it. As far as I can see, it talks about 'staking', so it doesn't address what happens when the tokens and 'expended' as opposed to 'staked'.
You have two competing chains: Chain 1 and chain 2. On chain 1, you spend a token on a good. On chain 2, you spend no token. You wait for chain 1 to win the race. You then stake on chain 2 to get your money back. If chain 2 then overtakes chain 1, you've executed a double-spend attack.
An equivalent attack wouldn't work on a PoW chain. If you do the equivalent of "staking" on chain 2, then you're computing hashes, which is costing real-life resources. In the PoS case, without slashing, staking on chain 2 is free. In fact, this is the rational move to make every time you spend a token; stake on competing chains to get your token back.
There was a PoS mechanism that makes people who cheat lose all their coins? I wonder if it is relevant here
... Aha, that's "slashing" -- the other members in the network would look at the two chains, and notice that you were misbehaving, and add transactions that remove parts of your coins? (They'd add to both chains? Or just the winning one?)
If you spend more tokens than the tokens that were spent mining the last two blocks you can erase the transactions in those blocks, but isn't that also the case with PoW?
What if I create a whole new chain? Will the transactions at the very beginning of that chain have to be added to the big, old chain? How far back do the common ancestors of two chains have to be for your auto-merging to happen? What happens if two histories conflict? Then in Version Control parlance, we have a "merge conflict".
Nodes decide if they will append your block to their chain.
A miner that decides to mine out of consensus blocks is just burning money, and will be on their own fork with their “100% votes” that nobody else uses.
Give it a try, spend a few million on mining equipment and then try forcing something on the network.
The proposed block must comply with the rules your node enforced, or it will not be accepted. It’s not just work, but also the entire consensus-set they must abide by.
Miners cannot force new rules, if there is no consensus.
No, you're misunderstanding everything. The consensus mechanism is about agreeing about the contents of the blockchain, not about the rules that make up the bitcoin protocol.
Eh? Can't miners refuse to include transactions that don't adhere to new conditions in addition to old ones?
If 51% of miners decide to, after block #N, not include any transaction that doesn't satisfy the predicate P in any block they produce, nor mine on any chain which has a block after block #N which has a transaction that doesn't satisfy predicate P, then the longest chain will have all the transactions after block #N be ones which satisfy P, and furthermore, if the other 49% of miners are aware that this is happening, if they want their blocks to be in the longest chain, they have incentive to follow the same rules when mining.
Nonsense. Mining gives you zero votes. Miners don’t control the protocol. Governance is not determined by hashrate. This is just another major flaw that all PoS shitcoins have.
No one is talking about governance. The term "consensus" refers to the decision about which transactions to append to the ledger, and the decision is to go with whatever set of transactions the miner that has spent the most money has chosen. It has nothing to do with governance issues.
then if you're not talking about governance, you're still wrong. there's no voting, only if you insist on re-defining what words mean, at which point i won't be interested in continuing the discussion.
Of course there is voting. Who do you think decides which transactions go in the chain, and in what order? The miner who wins leader election during this round (in Bitcoin anyway) does, and the rest of the nodes decide whether to accept its vote. The other nodes can also choose to reject this vote for a while, as long as after seeing it they don't accept a chain with less hashpower, and still follow the protocol (more or less).
The leader can even opt to put no transactions in the current block, something that has actually happened on many occasions: https://www.theblockcrypto.com/post/67928/bitcoin-miners-are.... Obviously, the leader was making a decision here, there were not actually zero transactions to process :)
No, there is no voting and there is no leader election. Miners construct blocks with transactions and if they manage to find a signature - that block is appended to the chain. If somebody does it faster - they append their block.
Please at least get the basics before you start arguing with people.
What, exactly, do you think the purpose of computing a SHA prefix is? It's to perform distributed, decentralized leader election. The leader who wins has the privilege of proposing the next block. "If somebody does it faster" is the voting aspect--nodes vote on who they think did it faster, and it is quite possible that they disagree (which can only be resolved by another round of leader election, since the next leader can choose which block to continue from). In the event that there's a longest chain, of course, nodes will go with the longest chain as a tiebreaker scenario.
I know far more about Bitcoin than I ever wanted to, believe me. You really should not be making these kinds of ad hominem arguments when you don't understand terms like "consensus" or "leader election."
> The leader who wins has the privilege of proposing the next block.
No, the hash that you win with, deterministically points to the only possible block that you can “propose”. Your understanding is completely backwards. You seriously don’t know how bitcoin works.
Whether leader election happens at the same time as the block is proposed or not is completely irrelevant to the nature of the problem from a distributed systems perspective. The point is that in each round, the leader both wins the election, and proposes the next block. There are other variants of proof of work in which the leader is allowed to continue generating new blocks for a period of time and (AFAIK) these inherit all of Bitcoin's security properties.
Here is my question to you: if the node that wins the election (and the ones that accept its mined block, of course) is not the one voting on which transactions get to go into the chain, rather than be stuck in the mempool somewhere, who is? Do you genuinely think there is no decision being made there?
There is no leader election. You trying to insist on this terminology is like trying to explain that the earth is really flat by proposing some very special space metric.
All miners “vote” by hashing and one of them wins. They don’t win because somebody voted for them, they win because they happened to find a satisfactory hash. The chance to win that hash faster than other miners is proportional to hashrate. The hash is determined by the block of transactions entirely, so once you win the race, you don’t get to propose anything other than that one predetermined block.
Which transactions go into a block is decided before any mining for that transaction happens.
You're coming off worse in this argument because you seem to realize on some level they're just using different (possibly wrong) terms in their accurate description of the mechanisms, but then you keep making snide remarks that imply they don't understand the mechanisms.
i in fact do insist on them not understanding the mechanism. trying to force incoherent terminology is just the largest red flag signifying that lack of understanding. snide remarks is my bad, i definitely lost my patience, it's hard to argue with somebody saying that sky is pink because they've changed what pink means.
Red flag, sure. But when they say things like "The peer-reviewed paper to which I linked, which I am not proposing as a replacement for Bitcoin, explains (to those who are willing to read it) why the block being chosen before or after the leader election does not matter when it comes to the security and consensus properties of Bitcoin." it seems very clear to me that they do understand the mechanism, despite that red flag.
I think your analogy to flat earth was better. Because sure, treating the earth as flat isn't correct, but it's often a perfectly good approximation, and arguing about whether a big field is flat or not is a giant waste of time. Don't completely dismiss someone because they use those terms.
"Leader" or not, it's basically equivalent. And the process of letting miners input yes/no values for whether they support a proposal into their block, averaged over thousands of blocks, gives you the same result as "voting". So talk about whether those results are useful.
There are variants of PoS where stakers can delegate their "votes" to other stakers and there are variants where validators compete for "leader" timeslots. These words carry certain meaning and none of it is useful or applicable to bitcoin. As with flat earth analogy, I agree that it's possible to have this perspective, i just think it's harmful for conveying the idea of bitcoin correctly.
You're confusing the discussion by trying to force the "leader" terminology. That term does not appear in the BTC whitepaper and the protocol's approach to consensus is different than a traditional leader elected system.
There is no "voting" and no "leader" except in the most abstract sense and I'm not sure why you're so determined to use those terms.
> No, there is no voting and there is no leader election.
Every 10 minutes a miner wins the right to append a block to the chain, by guessing a secret number. The chances of winning are proportional to the amount of money each miner has expended in the process of guessing the secret number. This is equivalent to holding a vote every 10 minutes in order to choose who gets to append the transaction block. Therefore, you're wrong. There's a vote. And if you can't understand this obvious fact about bitcoin, you have no business discussing bitcoin.
Obviously I can’t change your decision to use this terminology, but ponder this: when the leader is elected every 10 minutes, do they get a choice of what block they append to the chain? No they don’t. So was it election of the leader or election of the block? And if it was an election, wouldn’t the result always be the same with largest miner always winning because they have most votes?
As I said in a sibling thread, it’s like arguing the earth is flat by proposing a very special metric of space. Feel free of course, I just don’t accept it.
> do they get a choice of what block they append to the chain? No they don’t.
Of course, they have a choice. If didn't, miners would serve no purpose. We would just have one block and that would be the block that would be appended. The consensus would be achieved automatically, without any need of guessing secret numbers.
> And if it was an election, wouldn’t the result always be the same with largest miner always winning because they have most votes?
No, because the miner is elected at random. The crucial point to understand is that their chances of getting elected are proportional to the money they spent. That doesn't mean the largest miner will get elected 100% of the time.
a certain hash wins, every ~10 minutes. that hash is calculated from sha(block, nonce), where nonce is the randomized part that miner mutates to get different hashes. once a hash that satisfies the protocol is found - that's it, you can't choose a different block to append to the chain.
it is just laughable that i have to explain this level of basics.
Okay, and who chooses the block? (Hint: it's the node that wins leader election).
Maybe this article will help you understand just how nonessential the fact that the block is part of the SHA actually is: https://www.usenix.org/system/files/conference/nsdi16/nsdi16.... Please read the whole article, and then come back so we can have a discussion on equal footing.
well certainly not the winner of the "election", because by the time that "election" starts, the block is already constructed.
and i'm not going to read any of your links until you actually start understanding the basics of bitcoin protocol. though your lack of understanding explains perfectly why you fall for scammy bells and whistles of competing bitcoin-wannabes. "bitcoin new generation". lol, give me a break.
The peer-reviewed paper to which I linked, which I am not proposing as a replacement for Bitcoin, explains (to those who are willing to read it) why the block being chosen before or after the leader election does not matter when it comes to the security and consensus properties of Bitcoin. It is important for you to understand that this does not matter so you can understand why when the block is chosen does not change the fact that leader election is being performed.
Again, I'll ask you, since you keep dodging the question: if the node elected as leader is (according to you) not choosing the block, who is choosing the block? Why are you so obsessed with whether the value was chosen "before" or "after" the election, which is an irrelevant detail of the protocol? If you can't answer these things and won't read the paper, I don't really see any reason to keep talking to you, because all you've done is make the same irrelevant point over and over.
> when the leader is elected every 10 minutes, do they get a choice of what block they append to the chain?
and the answer is yes, the miner that gets elected chooses which transactions to append to the chain. Do they pick the transactions after getting elected? No, they pick them before getting elected. In fact, it doesn't matter whether they pick the transactions before or after getting elected, because their chances of getting elected are unaffected by which transactions they picked. Therefore, it makes absolutely no difference. The fact that you think it makes a difference tells me you're very confused about the role miners have in the bitcoin network.
The "leader" has no choice after they win the current round but they do have a choice as to what to include in the winning block before they start hashing.
Maybe they act like all the other rational miners and optimize by mining fees.
Maybe they include no transactions and only take the miner reward.
Maybe they they don't like the Dutch so all their transactions are excluded.
It really doesn't matter as all y'all have been arguing over is what to call the
person who won the current round.
I’ve been reading this thread. I have no idea why these people insist on using the word “leader” when it doesn’t fit. Is there some ideological reason for this?
There is no "ideological" reason. I don't even own cryptocurrency. It's just a fact that the entire purpose of proof of work is to perform leader election. The defining characteristic of leader election is that only the leader commits new values, and there should only be one leader eventually chosen for a given round; the definition has nothing to do with using some sort of majority vote or anything like that. To see how it differs from "ordinary" consensus, I want you to tell me how a Bitcoin-like system could be used to decide on any value other than either (i) one known in advance by all parties (which doesn't require a consensus protocol at all), or (ii) one chosen by the node that wins the block lottery.
This is expanded upon in the peer-reviewed Bitcoin-NG paper that both of you are refusing to read, which breaks down the Bitcoin protocol into distinct parts (which was why I linked it--not because I am proposing that it replace the Bitcoin protocol, but because I thought it would be useful for you to understand how Bitcoin performs leader election already). Specifically, it analyzes the effects of splitting up leader election and block commit parts of the protocol. As it turns out, it has essentially no effect on Bitcoin's security guarantees, which is not surprising--because the fact that block selection and leader election happen at the same time is an implementation detail that doesn't actually matter! Once you realize this detail that you are obsessing over (the block being decided at the same time the leader is) is not important for the protocol, you will also see that the leader election is in fact the critical part.
I think you're missing the larger picture of accruing blocks over time, and deciding what is the "canonical" largest chain.
A miner can choose which block to build on. At any given moment Bitcoin can have several competing "in progress" forks. This is why most exchanges require... 7, I think?... blocks on top of yours to consider the transaction more or less confirmed.
> And if it was an election, wouldn’t the result always be the same with largest miner always winning because they have most votes?
Yes, this is a 51% attack in Bitcoin. If you have a majority of votes, you can disregard the current chain, fork from behind, and catch up.
> when the leader is elected every 10 minutes, do they get a choice of what block they append to the chain? No they don’t.
Yes, they do get to choose the block. Transactions to include in the block are (usually) chosen from the mempool, which is unique per node (it’s similar but never exactly the same between any two nodes). Miners can also choose to include transactions that were never publicly broadcasted, and therefore never appeared in another mempool. Typically the transactions with highest fees are chosen, although fees can also be paid (or bumped) outside the mempool.
The miner of a block doesn’t get to choose the contents of every transaction, but they do choose which transactions to include when they win a block.
It seems like you’re hung up on terms that aren’t commonly used in the context of bitcoin mining, but are valid and are commonly used in the broader context of distributed systems.
> It comes with a very real nuclear option that will bankrupt miners if you misbehave and get fired by hashing algo change.
Changing the hashing algo isn’t a realistic punishment for targeting misbehaving miners.
You end up with two choices:
1. Change to an algorithm that uses gpu/cpu instead of ASICs (and is ASIC-resistant), but then your algo runs on general-purpose computing and you can’t fork miners off ever again.
2. Move to another algo that benefits from ASICs. This has the extra overhead that you need to spin up manufacturing and distribution of these ASCIs to honest miners, which takes quite a long time to do and while you’re waiting, your network is being attacked.
In either case, you aren’t just punishing a misbehaving miner, you’re punishing *all* miners who now all need to get funding to buy and rack new hardware. You’re making a big assumption that the misbehaving miner won’t be able to get financing or sufficient capital while the honest ones will. If the dishonest miner’s attack was profitable while waiting for the fork, they get to keep all of that money and can spend it on new hardware.
In PoS, the attacker will lose their stake, meaning they lose the money they had before, and earned as a result of, the attack. It may be much more difficult for that validator to get access to capital and lenders will be hesitant to lend to an entity that now has a history of burning capital.
> Proof of Work does not get you any votes at all.
Hmm, maybe I’m ignorant, but in practice, don’t miners (socially, not technically) have substantial say in issues like the block size debate?
If you want to create a hard fork of the chain for any reason, whether people accept your fork as legitimate will in part reflect the total hashing power of that forked chain, right? So in practice what miners choose to follow will have a big impact.
Maybe not quite the same as PoS in-chain voting, but it still seems to give large miners outsized power, no?
PoW at least provides a decent and somewhat fair coin distribution mechanism.
With PoS, the coin creators can assign themselves an arbitrary fraction of the coins, concentrating the wealth. Even if there is a public record of all the funds raised in a public sale and all expenditures made (which is rarely the case), it's possible for the creators to participate in the public sale and recover large parts of funds used to buy their own token by generous expenditures on software development and such.
It could be interesting to bootstrap a PoS network using the wallet keys for all existing public blockchains, by allowing users to initialize their PoS wallet with the fiat value of their PoW keys held at some agreed moment in time. I toyed with this idea for a while, but I don't know how you could keep the network secure until a significant proportion of the total value has been claimed.
Anyway, I'd also be interested to know if there's existing or active research along these lines.
Yes, PoW coin emission curves often leave something to be desired, tending to emit too much in the first few years, which leads to some wealth concentration as well.
In my opinion a fixed block subsidy would be most equitable, but that's a very slow emission, taking 100 years to reach a yearly supply inflation under 1%.
Yes PoW is way better because miners need to constantly expend resources to maintain their right to participate. PoS validators keep their throne for life at virtually no cost.
But like PoS, PoW returns all spent resources and more back to the miner - both are designed to be profitable and self-sustaining.
I don't see much difference between a PoW mining setup that does $1000/day gross, $990/day expense, $10/day profit and a PoS staking setup that does $12/day gross, $2/day expense, $10/day profit. Both earn $10/day, both require maintenance, and both are run not at a net cost but at a net profit.
You can't transmute Bitcoin back into electricity and ASICs. You have to generate more of both, which is extrinsic to the protocol and thus available to currently-non-participating actors. PoS does not have this property.
The main difference is that the top miners don’t stay the top miners. There is constant churn. The top stakers remain the top stakers at virtually no cost, and they will almost always be custodians/financial institutions.
Additionally mining isn’t always profitable. There is financial risk and miners can go bust and take financial risk. Staking is basically always profitable if you don’t misbehave.
PoS in Ethereum is not a plutocracy...There is no voting with the token or any other governance. The stakers do not control the network, by design. The whole system works only if everybody (holders/users/stakere/devs) cooperate together.
I think what the parent referring to is the DAO hack (from 2016) and how Ethereum’s response was to renege on “Code is Law” (and the integrity of the blockchain) in order to void those transactions (smartcontract exploits), which is a case of centralization resurfacing because VB could subvert the proof of work system when his own money was at risk.
Ethereum Classic is the fork that refused to rewrite the blockchain to void the hack, and the linked tweet is VB affirming that he’s only working on the main (reneging) Ethereum fork (which goes by ETH), not Classic (goes by ETC).
Not sure why the parent linked that tweet, maybe Twitter just makes it too hard it identify what tweet you actually want.
"Code is Law" was never part of Ethereum's ethos. It was some meme created by the company behind The DAO, and perhaps many people in the community supported it, but it wasn't part of Ethereum.
I've recently read that the blockchain was not rewritten or unrolled. It was actually executed forward through an "irregular state change". In other words, it made a new transaction instead of erasing or modifying old transactions, and that was done with consensus of all those who ran the ETH client. Those who didn't agree went to ETC, but the market chose ETH in the end.
Regardless of how you word it, it amounts to the same thing: the protocol and signed, validated history say this happened, now we act like they did not, which is a violation of blockchain integrity.
No, that's not what happened. No history was changed, and nothing was re-validated as you suggest. There was no "violation of blockchain integrity". The only thing that happened was that the upgraded version executed what's known as an "irregular state-change" which moved the ETH from TheDAO's smart contract to a new secure contract. So, it wasn't a roll-back, but a roll-forward, and the change was mined using PoW in accordance with all the blockchain block selection rules.
No matter what fancy spin you put on it, that was absolutely a violation of the blockchain's integrity, as it violated the principle that accepted transactions can't be reversed after the fact, even if you call it an "irregular state-change" that just keeps things secure.
You can absolutely defend the position that this was best for the ETH ecosystem. But it was absolutely a reneging on the blockchain rules.
PoW and PoS are exactly the same, 1 dollar gets you 1 vote. If you want 1 person, 1 vote you need 1) a census, and 2) a mechanism to prevent the sale and purchase of votes.
>> consensus will be set by the few whales, who will maximize their rent extraction at the expense of numerous small players
Aren't you just describing capitalism here? The people that created the system and own the biggest share of it have gigantic influence on it. Matter of fact, isn't that exactly what happened in ethereums PoW network, too? The developers decided to switch to PoS regardless of what the current participants want.
In general, isn't the idea of using PoS that if you aren't happy with the current system, you can easily fork into a competitor? If enough people think the current system is unjust, then you can switch to the new one, where you will be part of the development. At the beginning of the fork you also wouldn't need that much compute, as PoS is more efficient and you aren't going to have many users/transactions in the first place.
Since it's easy to switch currency (at least easier than privately setting up a Dollar 2.0), members of the original currency have to behave fairly, else people are going to switch. Note: The thing people are switching to doesn't even have to be better in any way than the original currency. It just has to have different controllers to influence the members of the original system.
The way I see it, is that there's no meaningful way in which PoS based currencies are worse than the current monetary system: large stakeholders in current global currencies also have gigantic leverage (think of money printing during the pandemic or bailouts after the 2008 financial crisis). The real advantage I see with PoS systems is not the system itself, but the tooling that comes with it and allows for the development of competitor currencies that check the power of each other. With current global currencies there's no checks-and-balances system inside the monetary decision making process, while a fleet of independent PoS has the chance for checks and balances to be induced through competitive pressure.
It fairly describes every political system and economic system that has ever existed or will ever exist. What's being described is how humans always organize systems in regards to political and economic power.
See: Socialism, Communism, Fascism. It applies just the same to those. Except in those systems they'll murder you and your entire family, then burn your village/town to the ground, if you attempt to compete with the rulers or party (Chavez, Castro, Stalin, Lenin, Mao, Hitler, Mussolini, Pol Pot, Kim, Putin, Erdogan, Lukashenko, etc.).
Whereas I can freely compete with Coca Cola, Tesla, Salesforce, Splunk, DigitalOcean, Cloudflare, Starbucks, 3M and most other companies if I'm able to. Nobody is stopping me from inventing a new coffee drink and going after Starbucks with it, or setting up a better coffee chain on the corner. Nobody is stopping me from inventing a better soda-competing drink (see: Monster or Red Bull or 5hour Energy; those people weren't assassinated by the soda cartel). Nobody is preventing me from starting the next great convenience store (ask 7-11 how they feel about upcoming Sheetz; or ask KFC how they feel about Chic-fil-A).
> The more subtle and wildly prevalent failure mode is that the consensus will be set by the few whales, who will maximize their rent extraction at the expense of numerous small players, which will include most later adopters, aka the entire population of Earth.
And that's where competition between currencies provides checks and balances against such pathological behaviours.
People will opt out of currency regimes that are abusive. This is not like a terrestrial government where you are fucked for life because a bureaucracy controls the land you live on. You don’t have to immigrate to escape a corrupt currency. And you don’t have to all-in in one currency.
If you own dozens of coins, you liquidate the shitcoin that is controlled by corrupt tycoons.
> in DAOs, every vote resembles a banana republic: "90% voted, 90% in favour"
I've been wondering about that recently - for all of the excitement about DAOs and Governance Tokens, are there any good examples of interesting decisions being made via their voting mechanisms?
What are some places I can go to see recent votes and their outcomes?
Charlie Munger is on record saying he hates crypto. I doubt Buffet is far off. How many billions would they need to sink into destroying something they hate?
As a POS developer, what do you think of HEX and Richard Heart (whose real name is Richard J Schueler)?
If you don't work on HEX, how is your POS get rich quick pyramid scheme any better or more trustworthy than HEX?
If you do work on HEX, then please ask Richard to drop by, join the discussion, and answer the questions below (to which he replied "Dodge Dodge"), and any other questions the HN community wants to ask him:
I don’t investigate every shitcoin out there, but all of them have the same flaws in general. Your particular shitcoin probably has something called voting quorum, where only a fraction of global supply is required to proceed in staking. By reducing that fraction you’re making large stake holders more and more able to overpower all others the moment they decide to become malicious.
In PoW all hashrate is always voting and security is paid for external expenditure, not something virtual within the system.
> if Warren Buffet comes along and wants to spam our network, I guess he could, but that would destroy the network and destroy his value that he sunk into the network
Not if he’s undetected and does it for years while extracting value at key points in time.
There are numerous people who could put up $50B with the ability to get very high returns.
It’s not even worrying about Buffet. I worry about hedge funds and sovereign wealth funds that would definitely manipulate PoS if it earned enough for them.
This explanation does not make sense to me, which is probably due to my lack of understanding, but perhaps you can expand on this:
> about 30-45 accounts _which had stake at that time
The this is stated makes it sound difficult. But if this is false history presented by a malicious node, surely they could make up anything, as it the data does not need to line up with any official history at any point. (Without a trusted party, no history line is really offical anyway, is't it?). Constructing a history with 30 accounts with stake at any given point in time isn't any harder or easier than constructing 3 or 3000.
With Ethereum at least, it's proof of work leading up to proof of stake, so you'd have to break proof of work to create a fake early history, so the initial stake has to be legal within the proof of work history of Ethereum.
Unsure how pure PoS chains work, maybe they hard code an early block's hash? Like, it's not a legit xorcist-chain unless block #10 has hash #deadbeef
The history still needs to be signed by former stakers to be valid. The "nothing at stake" problem is that a staker might break the rules by signing two mutually incompatible histories. During the staking period, they are strongly disincentivized from doing this because anyone can present proof that they've done so, causing the network to punish them by taking away all the funds they staked. But once that period expires, they can send those funds to someone else, and now they can't be punished. Someone who's sent away their funds is longer a staker moving forward, but they can still sign an alternate history for the time when they were a staker, potentially fooling clients who haven't connected to the network for a long time.
In practice, among the people who once staked large amounts of a proof-of-stake currency, most of them will probably continue being invested in its ecosystem moving forward. Even if they can't be personally punished for lying about the past, a successful history split would likely reduce the community's confidence in the currency, and thus its market value. Most of those people are also emotionally invested in the ecosystem and would not want to dishonestly subvert it. There will be exceptions. But to create an alternate history you need to subvert not just one validator, but most validators (or rather, validators who together control most of the currency being staked).
This is the “nothing at stake problem” from the article.
Warren Buffet buys up 70% of the network, induces a network partition, and then double spends it all, signing both transaction histories.
By the time he’s caught, he’s converted 2x the value of the POS network to POW bitcoins.
Replace “warren buffet” with “crypto exchanges selling bundled securities”, and the above is not just plausible, it’s inevitable.
The same scam has been run over and over again with conventional banks (who are inevitably bailed out on top of getting to take the money and run), POS just changes the nature of the obscure underlying financial instruments.
A trust assumption of PoS (Proof of Stake) is that >66% of the stake is honest. If you violate this trust assumption then yes PoS breaks. This is a similar trust assumption to requiring that 51% of the mining power in PoW (Proof of Work) is not malicious.
This risk can be mitigated:
1. The network should halt if a fork is detected. A fork with more than 66% of the stake behaving maliciously means a fundamental trust assumption of the network has been violated. Stop everything! Let humans figure out what is going on. I'm not saying every PoS system WILL halt under these circumstances, but as a countermeasure they SHOULD be designed to halt and value safety over partition resilience. Thus, an attacker forking a PoS must never allow parties to see either side of the fork. If a party notices a fork occurs, they will halt and can't be double spent against.
2. Following from 1, how do you prevent parties from communicating and discovering that a fork is occurring? Are you a tier-1 ISP and can control all internet traffic? You can defend against such attacks by making it very hard to hide the presence of a fork via redundant communication mechanisms. For instance the Bitcoin blockchain is broadcasted via satellite, a PoS blockchain could do that as well.
3. Additionally you can require that stakers lock their stake for long periods of time e.g., 6 months. This means that if an attacker wants to perform this attack and truly have nothing at stake they must cause a fork in the chain before the 6-months ago mark. Parties who are up to date with the latest chain are not vulnerable since they have already accepted the consensus history of chain. New parties who are syncing for the first time would be vulnerable, however clients could be programmed to have hardcoded 6th month checkpoints or clients could check block explorers and halt if a fork is detected.
> This is a similar trust assumption to requiring that 51% of the mining power in PoW (Proof of Work) is not malicious.
Yeah, but you're glossing over an important detail: It's not 66% of the stake that has to be good, it's 66% of anyone who has ever staked. In PoW, I only need to trust the miners of today to tell me the truth about what happened today. In PoS, I need that, plus the miners of yesterday, plus the miners of a year ago, plus ..., in perpetuity.
> New parties who are syncing for the first time would be vulnerable, however clients could be programmed to have hardcoded 6th month checkpoints or clients could check block explorers and halt if a fork is detected.
Right, maybe you can elaborate on this. Is checking block explorers a decentralized or trustless solution to, well, anything?
> It's not 66% of the stake that has to be good, it's 66% of anyone who has ever staked. In PoW, I only need to trust the miners of today to tell me the truth about what happened today.
I don't quite get that. As far as I understand it the "nothing at stake" problem works by a malicious party inducing a fork, one of which they double-spend in.
Since it's in the best interest for everyone else to mine both forks, you can force your double-spend fork to become the longest chain by only validating the double-spend fork.
This means you have to trust that nobody part of your current chain has double-spent in this way. But isn't this the same as in PoW where you have to trust that nobody has launched a 51% attack to disrupt the network in the past?
Also, can't you just prevent people from mining all forks? I.e. for becoming a validator you have to deposit X as a security beforehand and you can only earn at most X via staking (so it is in the history before you can attack with nothing at stake). If it is recognised that you mine on more than one fork at a time, you lose the security deposit you gave before the fork. X goes to the person who found the fork, incentivising that the mallicious fork is identified on all forks (miners on competing forks are incentivised to look at all forks and quickly add the mallicious fork detection for their own benefit). If you want to retrieve your security and money earned, you have to announce this on all forks (you immediatly seize to be a validator). You are only allowed to retrieve the funds, if it is confirmed on all forks, or the forks are sufficiently behind the longest chain. This allows everybody ample time to look for dual-fork work and also incentivizes rapid solution of forks.
> If it is recognised that you mine on more than one fork at a time, you lose the security deposit you gave before the fork.
Yes, modern proof-of-stake algorithms work this way. The caveat is that at some point (on the order of months later) the security deposit is refunded, and at that point you can lie about the past without consequence. But this is a limited attack: you can only successfully lie to someone who has been offline since you were a staker, or else they would already have a record of the real successor chain (which now has a new set of stakers, who themselves still have their security deposit deposited).
The original article asserts that this does not work according to their requirements since there's no way to independently verify which is the "real successor chain" - they just have to trust someone's word that chain A is true and chain B is not, and a convincing liar could provide them with opposite data. In schemes like Bitcoin, there's objective validation of the "longest chain" with the most work invested; in your example where would that "record of the real successor chain" come from, and how can it be validated/verified in a decentralized manner in a way that a major ex-staker can't satisfy?
Like, this is trivially solved with a central authority (e.g. have some trusted core developer every day publish a signed message saying "this is the real successor chain"), but it does enable that central authority to arbitrarily bless a fake ex-staker's fork.
> they just have to trust someone's word that chain A is true and chain B is not, and a convincing liar could provide them with opposite data. In schemes like Bitcoin, there's objective validation of the "longest chain" with the most work invested;
Note that in Bitcoin you can have a fork in which both chains have equal length. The idea is that eventually the longest chain will be established, but if say 90% of the mining is malicious that malicious miner could ensure that most of the time both chains are of equal length.
With a PoS fork you can ask, which fork has the most amount of stake voting for it. An attacker that controls enough stake might be able to balance the total stake vote in the same way as a malicious miner could on Bitcoin.
In both cases if the core security assumption of the blockchain is violated, that blockchain should halt until that assumption is made sound again. If someone orphans the last two years of Bitcoin's blockchain something has gone horribly wrong. The fact that Bitcoin now switches to the longest chain doesn't actually address the problem that two years of transactions may have been rendered invalid.
> Stop everything! Let humans figure out what is going on.
What does this mean in practice? Who are these humans? When can the network get going again? Would a consensus rule change be part of it, and what type of changes would be allowed in that situation?
It sounds hard to manage this type of maintenance breaks in a trustless way. Surely consensus rule changes during outages should not be handled any differently than changes when under normal operations.
> clients could be programmed to have hardcoded 6th month checkpoints
Who signs these checkpoints? Once you have established the trust required for checkpointing the entire blockchain regularly, wouldn't it be much easier to checkpoint every block instead and in an instant do away with all the hard problems of blockchain networks?
> What does this mean in practice? Who are these humans? When can the network get going again? Would a consensus rule change be part of it, and what type of changes would be allowed in that situation?
We have a bunch of examples of this happening in practice. The humans are usually a mix of the developers, parties important to consensus (miners, stakers) and big ecosystem players.
> It sounds hard to manage this type of maintenance breaks in a trustless way.
When solving a problem that violates your core security assumption you are only longer in the world of security definitions. It doesn't really make sense to talk about "trustlessness". If the protocol is busted, you need to find a solution and get enough people on board with that solution that you can upgrade the protocol.
> Once you have established the trust required for checkpointing the entire blockchain regularly, wouldn't it be much easier to checkpoint every block instead and in an instant do away with all the hard problems of blockchain networks?
The checkpoints aren't trusted for safety but instead for availability. Instead you should think of them like alarms that "something has gone horribly horribly wrong, stop everything, don't transact, don't move, don't touch anything, pull the ebrake."
tl;dr Much like the fuse box in your house, my view is that checkpoints should turn safety failures (electrical fires) into availability failures (electricity is shut off).
I just read most of the article. As I understand it, the failure mode isn't that one attacker could hand you a malicious node, it's that the network doesn't actually reach unambiguous consensus -- all/most "stakers" could simultaneously be signing a different transaction history the whole time, at virtually no cost, which is just as valid as "the" one you believe in; there's no (cryptographic) way to distinguish them. And so it's possible for, one day, the whole network to get pulled out from under you. "Nope, this other one is the real deal."
Is this a problem in practice? As the article says, no ... but only because there is a sort of vaguely specified "proof of authority" that backs the current chain, which actually just reintroduces centralization. The author cites the Bitcoin Cash and DAO/ETH Classic forks as cases where that proof of authority gets tested and shows the actual centralization.
It's my understanding that Algorand has something on top of pure PoS that ensures the consensus (which the article says is necessary) so I'm not sure the same criticism is applicable there, but can't comment further until I get more familiar.
What if Buffett just wants to see the world burn and doesn't care about getting the money back out?
Or if a nation state or the central banks see it as an existential threat, they could consider it the cost of doing business? Maybe $30B to take out Algo or Solana and destroy trust in all PoS networks? That's a rounding error for them.
It's a temporary state, until the PoS coin market cap gets too large to be attackable. Bitcoin's market cap is in the 1T range now, Ethereum is close to half that. Buffet couldn't do a thing against a PoS coin that large, and it would be a serious commitment and risk even for a nation state. Buffet could take down some random smaller coin, maybe, at the cost of most of his personal fortune, but if he did so the world would not burn.
It's _possible_ that a government might choose to attack a random small coin just to discredit the notion of PoS cryptocurrencies, but it's hard to picture a government gaining consensus to do it, and it would be obvious to knowledgeable onlookers that larger coins are immune (or anyway, much better protected), so the resulting disruption would probably be temporary.
PoS encourages centralized exchange-held staking, which means that there are only a handful of failure/pressure points. In other words, a government doesn’t have to buy 66% of the stake - merely compel the exchanges.
Not when the protocol actively encourages decentralization by cutting off staking rewards to larger pools, like what Cardano does (as one example). Sure, the exchanges can (and probably do) run multiple pools, but so can anyone else, and for far less expense than is required for mining.
> Or if a nation state or the central banks see it as an existential threat, they could consider it the cost of doing business? Maybe $30B to take out Algo or Solana and destroy trust in all PoS networks? That's a rounding error for them.
While you are correct that burning $30 billion dollars to destroy trust in PoS blockchains isn't that much money, I disagree that such an action would actually destroy trust in PoS blockchains. We have seen serious attacks on a number of blockchains, Ethereum for instance had enormous amounts of money stolen or destroyed via weaknesses in the blockchain. Yet Ethereum is still going strong. Bitcoin suffered 51% attacks that were used to perform double spends and Bitcoin is more valuable than ever.
It might be cheap to burn $30B to destroy a blockchain, but what if you burn $30B and the blockchain recovers 12 hours later.
> Ethereum for instance had enormous amounts of money stolen or destroyed via weaknesses in the blockchain.
These weaknesses weren’t due to consensus failures or protocol failures, but bugs in applications running on Ethereum. If Ethereum’s protocol allowed arbitrary funds to be stolen, that could certainly cause a loss of trust.
Most investors don’t care at all and blow off things like “the blockchain you’re using requires this fully centralized component”, but many players in the ecosystem that enable the speculation we see now, do care about protocol safety. If the Ethereum protocol was shown to be unsafe, they’d publicly promote safer alternatives and push their users to move.
"Blockchains get knocked down but they get up again." - Chumbawamba, ...probably
So two of the Bitcoin examples I gave was a consensus failure which already establishes the point, but lets do a very recent example from Ethereum:
A few months ago in August 2021 when Ethereum had a serious consensus failure and about three quarters of the clients in the network and some miners [0] forked off from the miners. How many people even noticed? [1]
> "Ethereum has weathered a bug that split the world’s most-used blockchain and opened up the risk of counterfeit Ether tokens." [2]
The issue at play is that the ability to cripple the consensus of a blockchain for the most part only impacts its availability not its security or the trust placed in that blockchain. Social consensus can just reset the bad transactions. If the theft or doublespend is big enough. We've seen that happen time and time again. They are somewhat robust but highly resilient.
Now it is possible that perhaps someone could perform an action that can not be so easily reset. For instance a huge doublespend where both parties receiving the funds are honest and have traded an object of extreme value for the doublespent funds. That is very hard to pull off. For instance how do you non-reversibly send something of that much value before the fork/doublespend/consensus bug is discovered? If you are moving something worth say 1 billion dollars in a single transaction you should probably be using an escrow service. Perhaps someone will invent a better technique for turning consensus failures into blockchain killers but so far I'm not aware of such a technique.
You said there were “enormous amounts of money stolen or destroyed” as a result of “ weaknesses in the [Ethereum] blockchain.”
The consensus issue where one client forked off isn’t evidence of that at all. Even the article you link to says it seems that the network was stable and the impact was minimal. Even in this particular attack, doing a double spend would be rather difficult.
> Proof-of-Stake attacks aren't about having 51% of the CPU that overwhelms a Proof-of-Work system, but about having 60-70% of the _value_ in the network.
If a nation buys 2/3 of the coin and destroys the network, investors (as a whole) take a 1/3 loss. Then they can (re)start another PoS coin.
Ironically the nation would be up against the old saying that the market can stay irrational longer than you can remain solvent.
Hell, they might not even take a loss at all. A nation-state-level actor trying to buy a majority of the monetary supply would represent a substantial increase in demand and therefore price.
They wouldn’t need to spend money to ‘destroy the blockchain’, just legislate against it. For example, what would happen to the value of crypto-currencies if the US government simply banned them outright for entities within its jurisdiction, and also made it so if any foreign entity touches cryptos they get cut off from the US financial system (similar to how ‘sanctions’ work today). I imagine the destruction would be near total.
I would add that the silly argument that a super-wealthy individual or a government could in theory degrade or destroy a transaction platform is applicable, not just to Algorand and other block chains, but also, more generally, to ANY transaction platform.
I mean, if Doctor Evil suddenly decided to spend tens of billions of dollars to destroy the three main credit card networks, he could probably do it. In fact, it might be easier and cheaper than attempting to degrade or bring down a distributed block chain network. The credit card networks are built upon many layers of ancient, pre-Internet technology, full of discoverable vulnerabilities and critical points-of-failure.
But we all know that it wouldn't happen. Doctor Evil would never want to do so, because even him, the most evil person in the world, would still want to be able to use his credit cards to eat out, go to the movies, and order stuff online. Also, he would never want to do something that would make him enemy #1 of every other person in the planet, including every other super-criminal!
What Doctor Evil actually wants to be able to do is figure out ways to steal or get balances from participants in the network without destroying the network: steal poorly protected wallets, hack into poorly secured exchanges, find ways to get blackmail payments on the network (e.g., by launching DoS attacks on the web), etc. The network itself is too useful to everyone for anyone to want to destroy it.
--
PS. For the record: I have no economic connection to Algorand the block chain nor to Algorand the company, but I'm (superficially) familiar with some of Silvio Micali's past work and also, I know one of the company's top executives. In my judgement, the Algorand block chain has great technology, and Algorand the company has really great people. Their main challenge, as I see it, is overcoming the powerful network effects already accruing to other block chains.
IMO people listing things that discourage an attack (people will hate him, his credit cards won't work, etc) are just people trying to comfort themselves. It's like saying, "No one would break into my home because they might hurt themselves breaking in, or I might hurt them up, or they might get caught by the police and go to jail. It's just too risky."
At the end of the day, Dr. Evil will gladly spend 10s of billions to destroy the network if doing so nets him 100s of billions. Stop listing reasons people won't attack the network and start listing reasons they would.
That's not what I said. Please don't attack a straw man. My main point was, and is, that the same attack-logic applies to ANY transaction network. The example with Doctor Evil was about other transaction networks.
Why would Doctor Evil attack a block chain network when he could attack global/national/regional credit card/wire transfer/ACH networks, many of which are built upon ancient pre-Internet technology, are full of discoverable vulnerabilities and critical points-of-failure, and are operated by cash-rish financial institutions with liquid, easy-to-short stocks?
You didn’t answer the parent post. Your point was, in game theory, there’s no benefit in attacking the network or the loss is huge that it doesn’t worth the the attack. The parent post gave the counter point that there could be a benefit which we haven’t thought. If Dr Evil is heavily invested in 2 network, he might destroy one to focus on the remaining. The chance of the attack is low but it is not zero
I like this point, but (as I think you are saying as well) it’s true for POW as well, right?
Fundamentally, if there are off-chain incentives to destroy the value of a given blockchain, much of our reasoning about the game theory doesn’t hold up.
I addressed it in the first paragraph of my comment above. Let me quote from it here: The theoretical attack argument is indeed "applicable, not just to Algorand and other block chains, but also, more generally, to ANY transaction platform" -- VISA, Mastercard, Amex, ACH, Fedwire, etc. No one disagrees that it is applicable, i.e., a theoretical threat, to all transaction platforms.
Now, if you think such an attack is an important problem for block chains, then you must also think it is an important problem for all legacy transaction networks. Yet we're all comfortable using our credit cards and bank accounts every day, and for virtually all practical purposes, we don't worry about a "Doctor Evil scenario." Why should we think and behave differently for block chain networks?
Moreover, as I wrote before, in practice, legacy transaction networks (like, say, regional VISA networks run by 100-year-old banks) are easier and cheaper to attack. If the Doctor Evil scenario were a real threat, it would be more profitable for him to target one of the legacy networks!
Arguably the same thing blockchain tech got away from — a primary stakeholder with a "monopoly on violence" (i.e. a government with armed police et al). If you attack the US banking system, they will stop you in quite short order. The FBI doesn't screw around.
If you attack the blockchain, well ... uh ... the owners will ... be really unhappy with you?
Realistically you're only in trouble for doing that if you're pissing off someone else with "the means to violence". If you screw up money laundering operations for a cartel, then what you're likely looking at is acts of violence between two criminal organizations, but if one of them has the upper hand, they can basically act with impunity.
When you're looking at the "small fry" – individual people with their own bitcoin/whatever stakes? They're just fucked. It's true if someone steals your wallet, but it's also true if someone torpedoes the whole system. That's the cardinal problem with all of these blockchain technologies — by deliberately designing the whole thing to disintermediate the authorities; they accomplished exactly that: there are no authorities to deal with systemic problems.
Everything already has a shorting mechanism. Can you cite a single instance where short-selling has destroyed a legitimate business, ever?
This irrational fear of short selling is such a modern midwit view. There is way more value to fraud on the upside then there is on the downside, and we see that everyday.
The analogy to companies doesn't work because there isn't a legal mechanism by which you can make your short predictions come true. It's illegal to manipulate markets and most ways by which you could destroy a company (without spending more than you hope to gain) are also probably illegal. If you can think of any legal ones I'd be curious to hear
If it were legal to take a short position in a company and then take actions which blew the company up AND there existed cost-effective ways to do so, then you would definitely have seen more legitimate companies taken down by short-attacks. In contrast, here you have an entity where (a) there isn't the same legal safeguards and (b) there exists a claimed cost-effective way to tank the entity after taking a short position
If you disagree with (a) or (b) empirically then cool but it's clearly a totally different scenario to regular companies
That first paper describes a scheme whereby investors bought convertible warrants, used naked short selling to drive the stock price down, then covered by exercising their warrants. And apparently in many cases, as documented by the paper, this resulted in a delisting or even bankruptcy of the targeted firms.
The Algorand PoS consensus protocol assumes that honest nodes use so-called "ephemeral keys" (see Section 5.2 of the white paper). This implies they are supposed to "forget" part of their past state. A malicious node could choose not to forget their past state, thus making double-spend a possibility (assuming an adversary with majority of stake).
Therefore, the formal proof of security provided in the Algorand white paper does not resolve the nothing-at-stake problem, which is inherent to all PoS systems.
By this argument the only real consensus mechanism we need is FAITH. In PoS we trust.
As long as a sufficient number of people believe some currency has value - it has value. If they don't believe, it doesn't have value, and the stakes are worthless too.
> Article's theory about malicious old blocks doesn't hold up.
I don't mean to be rude here, but none of what you have said refutes my point.
The attack here is that you control keys that (1) once held 67% of the value, and (2) no longer do. Because they did hold value once, they are dangerous to consensus. Because they no longer hold value, nothing is sunk into the network, so the attacker bears no cost or risk.
To apply your analogy: I don't have to be Warren Buffet, I just have to riffle through his trash.
821 comments
[ 3.2 ms ] story [ 328 ms ] thread> If the broad masses of people disagree with the platform landlord, their opinion will be altered to conform with the rules, or else they will no longer have a voice.
We really need to fix that problem.
https://web.archive.org/web/20170720143148/https://www.reddi...
I know GitHub were only following the DMCA but it shows they have the capability to not only remove the project but also all of its forks.
This is just evidence that this particular slope isn't as slippery as some thought.
The repo is back up, but the project is dead. I suspect the developers got nasty letters from lawyers behind the scenes. I believe yt-dlp is the future of this project, but it's presently lesser known than youtube-dl so the lawyers got what they wanted in the end.
Copyright should just be a contract between seller and buyer. You promise not to redistribute this. If you didn't buy something, you have no contract with the seller and you can be free to download whatever you want or build whatever software or service you want.
The onus of finding who is the buyer breaking the contract and dragging them to court is on the seller.
We shouldn't have things like DMCA which allow you to censor anything tangentially related or being able to scare people off, but that's what you get when you have a corrupted government that does the bidding of Big Business.
Similarly, patents shouldn't be a thing.
You came up with something, you already have first mover advantage. If someone comes along and does the same thing better, too bad, they were better than you. If you have a manufacturing secret, protect it with contracts and sue for damage if they get broken.
Person A buys a movie and agrees to not distribute it, but goes ahead and does it anyway to Person B. Person B hosts it for everyone, and Persons C through Z get it and also host it. You're suggesting Person A is liable, but the cat's out of the bag and Persons B through Z can continue redistributing it forever because they never agreed to anything.
If this is the desired goal, you don't need copyright at all, you can already get Person A on violating Terms of Service or whatever.
Reminds me a bit of the "free speech zones". It's a poor facsimile of true freedom of speech.
Seeing as the new public squares are, by and large, digital spaces controlled by megacorps, we need to expand the first amendment to apply to private enterprise.
And if by some chance your subreddit manages to become popular, the admins and power mods will conspire to take it from you. Reddit sucks.
"More" of it isn't going to make any of those things go away.
"Freedom of speech" isn't a guarantee that your prefered brand of rational discourse is going to have an audience of millions. If anything, it's a guarantee that it won't, because someone with a self-serving profit motive is far more incentivized to shout over you.
Freedom of speech does not entitle you to broadcast to anyone else's audience.
What you are arguing for requires either an amendment to the constitution or nationalization of those private enterprises.
But this attack has never been performed because the reality of all these cryptocurrencies is that the security depends only relatively weakly on proof of work. Instead it relies on trust between the main stakeholders: miners, big nodes and developers. This is just like any other human organisation. That trust is only reinforced by proof of work, making it easier for new parties to become trusted.
To execute a double spend, you the one sending the transaction and the miner must coordinate.
For large transactions, it is recommended to wait for six confirmations. (six blocks that agree with the transaction and have not been 51%ed.)
The 1 hour 51% cost of Bitcoin is 1.9m$. However, you would need much more time than that to find six consecutive blocks alone, without the help of the network. So, while the network is 6 blocks ahead, you need to find 7 blocks. The network moves forward a block, you must move forward more than one block to catch up. This could take a long time, and longer the more confirmations required- each confirmation makes each previous transaction exponentially more secure. Simply controlling the mining power momentarily only puts recent transactions vulnerable.
However, that much hardware is available for rent-see “Nicehashable.”
The exact formula is given in the Bitcoin whitepaper <https://bitcoin.org/bitcoin.pdf>, see page 6 and on.
In other words, it relies not on one central authority but on a small clique of central authorities.
Proof of work networks with the same hash algorithm are a threat to one another, particularly, if a network exists that is profitable enough to have exorbitant resources dedicated to mining, those resources are available to attack a much smaller network if that becomes more profitable for some period than just continuing to mine the bigger one.
Proof of work then only protects the largest projects using unique hash algorithms.
Edit: I was lookimg for the artivle I was referring to and saw that Ethereoum Classic (ETC) has been attacked simce via just that method. https://www.coindesk.com/markets/2020/08/29/ethereum-classic...
It’s not a flaw if it’s only theoretical. In practice, no miner with billions of dollars of capital bound in mining hardware would rent it out to someone who might do something that would significantly depreciate this capital (e.g. attack the Bitcoin network).
The problem eventually reduces to Ken Thompson's "Trusting Trust" [1] problem. There's no way to externally validate the honesty of any system (cryptocurrency, or otherwise).
[1] https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_Ref...
You mention “POW forks”, but Bitcoin’s POW has never been hard forked: you’d need to trust a Bitcoin expert to tell you if it was a good idea.
In Proof of Work, a lawsuit could force the distributor of the software to hard-code a transaction that reverses the coin theft. But in both the PoS case and the PoW case, anyone using that client would be partitioned off from the honest network majority.
> You mention “POW forks”, but Bitcoin’s POW has never been hard forked: you’d need to trust a Bitcoin expert to tell you if it was a good idea.
Bitcoin's PoW forked in 2013, when a database upgrade to the software made it incompatible between two recent versions. The Bitcoin developers had to jump in and tell people which PoW fork to follow and which one to abandon.
And with proof of work a lawsuit could force the distributor to change the consensus rule so that a particular transaction is invalid - just as Ethereum did voluntarily with the original DAO.
> You mention “POW forks”, but Bitcoin’s POW has never been hard forked
Instead it’s been soft forked, which turns the consensus rules into a popularity contest. If a soft fork produces two competing branches of the blockchain, old clients will go with whichever branch has more mining power. Which means you open yourself up to interesting attacks like convincing 51% to literally steal the funds of the other 49% (which is much worse than a mere double spend). Or, more realistically, in the case of a contentious soft fork that ends up roughly fifty-fifty, you could ‘just’ end up on a different side of the fork from the people you want to transact with. Either way, soft forks don’t make the downsides of policy changes go away.
Soft forks don't force you to download and run new clients just to be able to use the network, which is an important difference. You can use your existing client, you just don't have the new features and don't run validations on them.
The greatest risk on soft forks is that chain split you mention. That's why any reasonable soft fork deployment requires a long time window with a large majority of hashrate signaling support (like 95%).
Bitcoin for example still relies on a list of hardcoded nodes for bootstrapping clients. Not to mention very few people actually bother to verify the full chain (360GB and counting) from genesis.
As for auditing the the integrity of the code or binary, it is signed by GPG keys hosted on public key servers accessed using X509 certificates pinned by a a couple of trust anchors preloaded in your OS. So much for distributed consensus...
All network participants are forced to verify the full chain from genesis. Some might be OK with validating block header signatures only, and not the full transaction set. It's a tradeoff.
You don't need to use those public key servers if you somehow distrust the CA certificates in your OS. Feel free to contact the repository maintainers or whatever else floats your boat.
Anyway, bitcoin is an open source protocol, not a particular client implementation. If you distrust everything and everyone, no one can stop you from building your own client that works with the rest of the network.
I’m not the parent, but – no, I don’t. But that’s exactly the point. The need to bootstrap from centralized authorities is what’s supposedly so bad about weak subjectivity in proof-of-stake. Yet in practice, it’s needed with proof-of-work as well.
Satoshi tried to convince us that we could decentralise trust by doing honest work instead of relying on authority. It turns out that doing work is actually pretty hard, people are lazy, and security is still the nemesis of efficiency.
Bitcoin is an open source permissionless protocol, so you have multiple clients to chose from, each with their own list of bootstrapping nodes, many open source where you can submit a PR to add your node too. You can even build your own client and point to whatever you want. You can also just ignore them and just point directly to nodes in a list from a public forum, a private chat, whatever.
Also, you're not just connected to those bootstrapping nodes: you use them to find the rest of the peers in the network.
I characterized this as relying on centralized authorities (albeit several of them), but sure, it can also be considered decentralized to some extent.
The point is that it's a mechanism outside of the proof-of-work network itself. Instead of relying on a machine to reach consensus via a formal protocol, you the human are probing for a social consensus by evaluating statements made by other humans (via GitHub, public forums, or private chats, or just talking to people in person).
In both proof-of-work and proof-of-stake, you need to find social consensus in order to initially obtain the software, after which point you can rely on the network's consensus.
The difference with proof-of-stake is that you have to redo this if you disconnect from the network for months on end.
In practice, for a variety of reasons, practically all users of cryptocurrencies download regular software updates, and thus continue to rely on social consensus, regardless of whether the currency is proof-of-work or proof-of-stake.
1. X is a problem?
2. But Y is also a problem, in my opinion.
3. X and Y are both the same, I think.
4. Therefore X is not a problem.
We can - theoretically - verify the correctness of PoW software by downloading the source code, reading it over, etc. We can also refuse to update, reducing ourselves to SPV security. We can internally verify the checkpoints using 100% objective standards. There are other things as well. This is not the case for PoS, where our "signature A existed at time B" has to be taken as faith, or evidence of things unseen. There is no internal way to verify the veracity of such a statement.
The fact that users aren't personally doing this, is not the same as saying it makes no difference whether they are able to or not. I'm not personally going to withdraw all the money in my bank account - that would be ridiculous - but if the bank informed me I was no longer able to withdraw the money in my account, that would not be suitable at all. The assurance that I can do it makes it so that I don't have to.
It seems like you reject this premise, maintaining that PoW networks are objectively verifiable? But you didn't really refute the parent's point there, which was that there are no "objective standards" in deciding which bootstrap nodes to use; it's ultimately a matter of trust. If I trust the wrong bootstrap nodes, I can be eclipsed from the real network.
Granted, I only have to trust that a single bootstrap node from the list will faithfully connect me to the honest network. But PoS involves a very similar 1-of-n trust model; I can request checkpoints from n semi-trusted sources and check that they match.
Also, granted, if I pick bad bootstrap nodes, I can still detect if I'm being eclipsed by looking at the hash rate. But how do I know what hash rate to expect? I could check n websites with hash rate charts, but that brings us back to 1-of-n trust.
> 4. Therefore X is not a problem.
IMO it's a manageable problem. Users just need to be cognisant of these trust assumptions they're relying on, and be thoughtful about picking semi-trusted peers (whether bootstrap nodes or checkpoint providers).
Right, but it's not about trust in the same way. I can add an infinite list of bootstrap nodes. Quantity matters, not quality.
> But PoS involves a very similar 1-of-n trust model; I can request checkpoints from n semi-trusted sources and check that they match.
"Very similar," not the same. You need "semi-trusted sources", and there's no objective standard in case they disagree.
In IPv4 a client might have a chance at auto-discovering peers.
It's also not necessary to rely on a single centralized authority. There are many things (DNS, Encyclopedias, Linux kernel mirrors, etc.) where the majority of existing centralized authorities agree with each other.
What part of DNS do you feel is possible without a centralized authority?
It does, but it doesn't have to. You can use any mechanism you want to obtain one initial node and take it from there. You will still be connected to the network just as well, and you will be guaranteed to obtain the same results. This differs from Proof of Stake, where the quality of the results will be influenced by the quality of the bootstrap.
You can literally validate the entire chain with a simple python script. Millions of those on github.
>Not to mention very few people actually bother to verify the full chain (360GB and counting) from genesis.
Absolutely wrong. The chain is validated in its entirety upon first sync. 100% from genesis to tip.
>Bitcoin for example still relies on a list of hardcoded nodes for bootstrapping clients.
It doesn't. Longest valid chain with most work is the canonical chain. Hardcoded seed nodes exist to speed up the discovery.
I challenge you to present a "simple python script" that implements the exact bitcoin consensus rules (as codified in bitcoin core). Bitcoin is not all that simple and there's a nontrivial amount of complexity in bitcoin script alone [1].
> The chain is validated in its entirety upon first sync. 100% from genesis to tip.
The default behavior is to skip signature verification for all signatures before some relatively recent block [2].
[1] https://github.com/bitcoin/bitcoin/blob/master/src/script/in...
[2] https://github.com/bitcoin/bitcoin/pull/9484
> Assuming ancestors of block %s have valid signatures.
when using -assumevalid. I agree it's imprecise, but it's not exactly wrong, since skipping scripts implies skipping signatures.
If your chain tip is on the dead side of a hard fork (i.e. if the majority of the network will predictably soon finish switching away from software which considers your chain tip valid, to software which considers your chain tip invalid), then nobody cares if your chain tip is the longest in the interrim, or how long you still hold out running the software that considers your chain tip valid. Your side of the fork no longer holds any economic value as a platform for transactions, so nobody will participate in it. You'll just be out there mining blocks all alone, blocks that say you earn all the virtual tokens, but where those tokens are worthless on your side of the fork.
It's a bit like how, in old pre *serv IRC networks, in cases of netsplits, you could end up on a partition of the network where you were the only one in a previously-moderated channel; and so you could effectively do whatever you wanted in that channel. But it didn't really matter, because nobody could hear you.
Except the people you bought something real-world from, once they figure out that their "tipcoin" is worthless. So now it's a question of convincing some people that your technobabble is valid enough. How hard is that?
And you assume that attackers will never have enough computing resources to execute a 51% attack – which could happen because the currency’s value falls enough that people stop mining it, because an extraordinarily well-funded entity decides to attack it, or because someone manages to hack the miners…
Then you do gain the security guarantee that if you see multiple competing branches of the blockchain, you’ll know which branch is the correct one (namely, whichever is longest). However, you’re still relying on phoning your “friends” (nodes you’re aware of) to tell you what blocks exist! If they all keep the true longest branch a secret from you (or, say, someone blocks your Internet connection to the nodes that aren’t willing to do so), then you will think the next longest branch is the correct one.
To be fair, that isn’t the most practical attack. But none of the risks being discussed here are remotely practical. In practice, nobody wants to connect an outdated client to a blockchain network because it risks (a) getting yourself exploited through known vulnerabilities in the client, (b) not working due to backwards incompatible protocol changes or bugs, or (c) missing a hard fork that might have happened over disagreements in policy changes (because there are always policy changes). So you update your client, and that means you have to rely on a “friend” to tell you which software you should be running.
It's called "Eclipse Attack". But it's a threat for single nodes not for the network as a whole.
Indeed, but the same is true for attacks on "weak subjectivity" proof-of-stake. They're only a threat for nodes that have been disconnected for a long time (months) before they try to reconnect.
My understanding is that the attack you describe involves a cabal of "evil" validators signing some alternate chain (call it the "fake" chain) long after their stake is withdrawn, creating a fork in the distant past. Before they did this, they pretended to be good validators, which meant they signed the "real" chain's blocks and then signed the withdraw transaction. So after the attack, there are two conflicting sets of signatures signed using the evil cabal's private keys; those on the fake chain, and those on the real chain. So anyone in possession of both of these sets of signatures can conclude that the validators in the cabal are "evil", and then they can see that once the cabal's support is removed from consideration, the real chain had more valid validator support (at the time of the fork, in the distant past). If this line of reasoning is correct, that suggests that anyone who is aware of both sets of signatures can identify the real chain?
I think this is where you get the problem - if you just have two sets of signatures, how do you tell which is legitimate and which one isn't? How do you conclude in which set the cabal was lying?
An eclipse attack is so named because it requires you to keep all the light out so they're kept in the dark. But here, since there's no internal mechanism to tell the two chains apart, you don't only need the accurate information, but also outside information about which one is accurate.
Where proof-of-work really does have an advantage is that you can more easily distinguish that scenario from the scenario where either one of the chains is actually a Sybil attack, i.e. a single attacker pretending to be a large number of people. Similarly, if you only see a single chain, with proof-of-work you can try to detect an eclipse attack (which implies a Sybil attack) by seeing if the hashrate has gone down dramatically.
That's a real advantage. I don't think it's even close to enough to mitigate proof of work's disadvantages, especially since the circumstances where it would practically come into play are extremely unlikely, but it's not nothing.
However, it's undermined by the fact that proof of work naturally encourages centralization. Bitcoin is centralized enough that it's not completely impossible for the vast majority of the hashrate to end up on one side of a fork (either soft or hard), while the vast majority of users and developers end up on the other side. (To be clear, this is very, very unlikely to actually happen, but so are all of the attacks we're talking about.) If this happens, the objective proof-of-work standard will side with the miners, but not with the people you actually want to transact with.
Of course, a proof of stake currency can also suffer a schism, but there is (probably) less tendency for stakers to be centralized, and if a schism did occur, at least the client wouldn't provide a false sense of objectivity.
Is it even true? Steemit had the exchanges do a hostile takeover, because everyone was staking through them.
I feel like you should be able to deduce it from the distribution of participation after the fork, right?
The “fake” chain would lose all honest verifiers (and all transactions from honest wallets?) which seems like it would be pretty detectable with simple statistical analysis. Staked nodes not participating (and active wallets not transacting) becomes less and less likely the longer the post-fork chain is.
But you don't know who's honest - you may as well be saying the real chain lost all the dishonest verifiers.
For each chain you'd be able to look at the age, stake & historical participation level of the post-fork participants and get a pretty good idea which (if either) of the chains is real. The absence of honest participants should look a lot different than the absence of dishonest ones.
Granted, this method is not nearly as simple as checking the number of 0s on a hash, but I would imagine it to be quite difficult to circumvent.
Which means that large stakeholders suddenly stop verifying blocks. Long-term active wallets stop transacting.
The same might be true for both chains after the fork, but I would imagine the fake one would have a larger change in participation (weighting older wallets and larger stakes) than the real one.
So long as you have a general idea of how much hash power is being used currently for the network, or even just how efficient ASIC computing is in general at your point in history, you can work out how great the hashing difficulty should be. You can trivially verify that the block hash with a large number of preceding zeros, e.g. 0000000000000000000b98dd8e7504793c0644cb0c27eb98f06aab9ea93c4ec2, is the hash of block it's attached to, and that a hash value that small would require a huge amount of energy to find. And every block beneath it also required a huge amount of energy, creating a huge real world economic cost to produce. You can't fake that chain without equivalent sacrifice of energy and compute resources.
Anyone trying to deceive you with a false chain would have to expend approximately as much energy as the entire legitimate bitcoin network does, and then keep doing it for as long as they want to deceive you. Sure, that theoretically could happen, but the economic incentives to do it just aren't there.
However, that presumes all forks are soft forks; that you are presented a correct chain; that you want the soft fork with consensus rules accepted by most miners. (If verifying with an old bitcoin client the BCH BCT split will be resolved for you without you having a say.
In summary, PoW has less need for Phone a Friend than PoS. But it still has some problems.
For other people: https://news.ycombinator.com/item?id=29367857
What if Bitcoin and Bitcoin cash had the exact same amount of hashing? Which is the true Bitcoin and why?
For PoW, you'd have to know the hash of the start of the chain (the "genesis block") in advance to verify you downloaded the correct chain. That's true, but this hash doesn't change during operation. You could get that hash from a history book if you will.
For PoS, the hash is from the end of the chain and therefore constantly changing. This means the challenge of finding out whether the hash is the right one is a lot more real than in the PoW case, because there is no "common knowledge" to go by which hash is right.
Nope. You could fork the chain at a period of low difficulty and it would still stem from the genesis block. It would either be a short chain, or have clearly low difficulty though, so it wouldnt fool anyone knowledgeable. Im not sure how you would leverage that chain for fraud.
But-- there's nothing to preclude you making big steps up in difficulty at the end of the chain. It means that one evaluating the length of the chain for authenticity really needs to integrate the difficulty over the entire chain and not just look at the number of blocks.
Suppose I'm a new node and want to verify the blockchain. How do I verify that each block was mined with the correct difficulty?
I'd need some record about the actual real-world timestamps for each block. Then I could say something like "duration between block x and block x+1 was > 10 min, so the down-adjustment in block x+5 is justified".
But if those timestamps were stored on-chain, an attacker could simply lie about them and keep difficulty artificially low on its alternative chain.
On the other hand, if we had some un-forgeable record of block timestamps, wouldn't this solve the double-spend problem all on its own? Would we even need PoW at this point?
Edit:
Ok, sibling comment seems to suggest bitcoin has solved this problem differently: https://news.ycombinator.com/item?id=29368166
Bitcoin doesn't decide what is called bitcoin, we as a community do
No. For Bitcoin you can accept a chain with an arbitrary starting point and you would still arrive at the same chain everyone else uses.
Although you do need to have an idea of the earliest acceptable starting point-in-time — e.g. verifying a low-difficulty chain starting the year 200,000 BC (with one block every 10 minutes) would take quite a while
https://www.cs.umd.edu/~gasarch/BLOGPAPERS/cbit-4-2.pdf
With PoW you don't care about the software code. The rules are dominated by the PoW because it literally proves to you which is the chain where most people are interested in, because literally no single entity could burn that much electricity.
With PoS on the other hand you kind of need these checkpoints in the actual software and then you have to activate this entire new trust model where you have to trust the client code, and where it came from etc. I could literally come up with an entire fake chain on my computer and present it to you and without client-checkpoints there would be no way for you to not accept my chain compared to your current one.
With PoW I don't have to trust anything. If the majority next year decides to change the rules, so be it. The majority has spoken.
For transacting indeed you need to trust the various clients, but that's easy and can be done once. With the consensus isn't being tampered with, and, more importantly that others are using other types of rules.
also, hi, long time! maksym here =)
You could follow the consensus rules set out from the beginning and you would still end up on today's majority chain.
I believe there were a couple of early bug fixes along the way, which makes this not strictly true. As in the original first release of the software not actually capable of downloading all of the chain, which some people love to point to as a proof of it being a fallible system. This is probably true but doesn't really detract from the original point of guaranteed ownership by never relaxing the consensus rules.
PoW is apparently bad for the environment. So it leaves us in an interesting situation.
The Ethereum project has shown that the concept of decentralization only applies when it's on their terms. It's not a true principle.
Or rather it has shown that decentralization isn't aligned with the political or economic goals of those who conceive the monetary policy.
Compare it to a boat. Central banking gives you the ability to steer, sure someone might be bad at it and lead you into dangerous waters. But decentralized currency is like shooting the helmsman and ripping out the rudder because someone did a bad job of it once.
[0] https://polynya.medium.com/
proof of work proves that not just one miner had sufficient hash power, but that the entire network had a certain aggregate hash power that was required to mine the block.
can't this be emulated by requiring all major stakers to sign the block? (so rather than one miner staking being enough, all the aggregate staked was required to mine the block)
the stickier issues are around maintaining the decentralized nature of pow mining and the random and decentralized election of who mines the next block. under pow, everybody does their own thing and when someone finds a block they are able to publish it without direct collaboration with other miners. the fact that the miner is chosen at random gives rise to all sorts of anti-censorship and anti-collusional properties.
proof of stake will have to emulate this, and possibly make a few targeted and carefully chosen compromises in order to emulate the decentralized nature of pow mining. it's not obvious how this will play out, but i don't think it's impossible and efforts to do so certainly aren't a "scam."
To be clear, it wasn't delayed because miners complained, it was delayed because it wasn't ready yet.
https://vitalik.ca/general/2020/11/06/pos2020.html
To be honest, I don't understand why it hasn't been banned already.
Sweden has recently called for a EU wide ban because it identified PoW mining as a threat to transition their economy to renewable energy.
https://www.fi.se/en/published/presentations/2021/crypto-ass...
Also aren't each of those used by significantly more people than Bitcoin? So the per capita use is less and they scale better?
Also how are you estimating cost of porn? Viewing cost? Generation cost?
https://m.btc.com/stats/diff
So your statement ends up being incorrect over a period of time.
Even clothes dryer seem to be using less energy than Bitcoin. If you run the dryer for an hour each week, you're at 12-15kWh per month, which is 1-2% of your average household energy usage in the US, Canada or the EU. Now households at most around a third of the electricity in cold countries with a decent amount of electric heating for which dryers are much less, but let's run with it. That still sets the upper bound to 0.6%, which incidentally is the same as bitcoin.
If we're going to start legislating how we're all allowed to use energy that civilization has made available, who gets to decide what's allowed?
Numbers I've seen suggest that global PC gaming alone (excluding consoles) currently uses about as much electricity as bitcoin. Should we ban that too since playing cards are readily available and use almost no energy? Maybe we can make a concession and only allow low powered handheld consoles?
If bitcoin mining actually becomes problematic, then by all means we can definitely ban it or add some sin taxes to it, and we probably will in a lot of jurisdictions. I'm actually kind of eager for that to happen, because it will force miners to actually become novel/stranded energy ventures. They'll be the capital drive that builds out energy sources that not enough humans live around to justify tapping and/or we can't economically justifying building without expensive transmission infrastructure. And once it's built out and paid off, it may be a lot easier to justify investing in building out long distance transmission infrastructure so the rest of civilization can also tap into these sources.
We already legislate different pricing for different applications. Household electricity has a different price than industrial usage. A 1000x price of electricity for certain applications is just a small extension of what we currently have.
it's called "we the people" or democracy if you will. We as a society decide that cryptocurrency aren't worth destroying the world over, and that's about it.
It's curious how much agitation there is concerning the energy consumption of PoW. I don't see nearly as many articles calling for restricting AWS & co. Coincidentally Bitcoin is the base layer of a decentralized finance world completely out of the control of traditional elites and banks.
It's also a new finance world completely under the control of an even smaller elite of devs and mining pool owners (see the hard fork of Ethereum that happened a long time ago, and the upcoming fork of Ethereum that will move it to PoS; sure, Ethereum isn't Bitcoin, but there is nothing fundamentally different to prevent Bitcoin taking a similar step whenever the devs and miners decide).
What Bitcoin definitely is not is a new currency where the people have any kind of control. It is actively opposed to that goal, and takes away even the slight chance of a benevolent leader that exists with central bank controlled currencies.
You forgot a (perhaps even more) crucial part: the exchanges/stablecoins!
They're the whole reason this clown show is considered "finance" rather than funbux.
And they're all extremely suspicious. And by suspicious I mean obviously fraudulent. The value of Bitcoin (!) is propped up by Tether printing fake dollars backed by nothing.
If bitcoin mining uses co2 producing power (because the economics supports it), is that the fault of bitcoin or the government for not sufficiently taxing the negative externalities of that means of production?
Unless we believe that Bitcoin has some use, its power consumption would be problematic even if it weren't so monstrously large. And vanishingly few people believe Bitcoin has any value beyond a get rich quick scheme.
There is no market in the world where you are going to decrease consumption by increasing the demand. That's just not how economics works.
And best of all, someone complaining that this is clearly a wasteful scam and being told back, "how much energy did videocassettes and magazines consume, huh?"
These discussions should talk about the ratio between a certain measure of productivity (e.g. GDP generated for the country) to the energy use; energy on its own does not mean much. I'm sure worldwide food production consumes more energy than Bitcoin.
Other than that, a problem with POW (at least as implemented in Bitcoin) is that technological advances won't result in less energy consumption as it's mostly a function of (price of Bitcoin, price of energy).
If the amount of throughput and everything else remains constant while more and more computers are in a zero-sum arms race to waste electricity to solve a useless hash problem, then it is by definition not useful except for “securing the network”.
And if you can secure a network some other way, then it definitely becomes better by any arbitrary order of magnitude, assuming your utility function doesn’t place infinite value on securing 10 transactions a second with to over 99.9999% certainty and willing to waste all the world’s electricity to do it.
Literally even if you value all other uses of electricity put together as 1/100000 of securing Bitcoin then in a few years banning PoW becomes the right move.
But I imagine it will be like the war on drugs — impossible to totally eradicate, since mining rewards become more lucrative every year forever. Until bitcoin blackouts are frequent in the first world, msot people won’t care though.
Imagine if people asked how many emails (SMTP), conversations (VOIP) or websites (HTTP) the Internet can ever handle pet second and the answer was 10, no matter how many computers joined the network. Because every time you had to make progress, everything went through one bottleneck called a miner. Would this be the topology you want to reward with ever-more-valuable rewards?
Imagine if BitTorrent worked this way, and every computer would seed every file. And maximalists said that this was the ONLY AND BEST WAY.
Well, let's see
>Bright lights strung on American trees, rooftops and lawns account for 6.63 billion kilowatt hours of electricity consumption every year [1]
>Bitcoin mining consumes around 91 terawatt-hours of electricity annually. [2]
Huh. That's at least the same order of magnitude, at any rate.
[1] https://phys.org/news/2015-12-christmas-energy-entire-countr... [2] https://www.businessinsider.com/bitcoin-mining-electricity-u...
Did I miss something or is your comment factually incorrect?
Meanwhile, I'd reckon that the US accounts for the majority of Christmas lights.
Our legislators and regulators, because that's their job.
Just like we ban heroin, regulate over the counter drugs, and tax alcohol.
Mining BTC is a waste of everyone's time.
Electricity production is partly socialized - and - we're literally facing a kind of global crisis.
Ban it, and let the Cryto Warriers figure out other, better ways (of which there are numerous) for allocating magic numbers.
PoW is throwing away electricity for the sake of it, and resists getting more efficient. If the goal is for the bitcoin network to cost $1M to do a single double spend, then PoW has to use $1M worth of electricity every 10 minutes.
Let's say we live in a future where we suddenly have 10x as much electricity. Due to supply and demand, electricity now costs 10% of what it did before.
Dryers etc all keep using the same amount of electricity with no issue, but bitcoin has a problem: it's now really cheap to double spend unless bitcoin uses 10x as much electricity. So of course, it does.
There's a similar proper with making things more efficient. If we make a christmas light more efficient (make it use an LED instead of an incandescent bulb or whatever), christmas lights will use less electricity.
If we make ASICs or GPUs more efficient, then people will just have to run more of them, or else bitcoin will be less secure.
I think this is a real and notable difference, and I think that's enough of a justification to consider a ban.
There is a lot of resources getting wasted in the real life. For example I'm from East Europe and we do not have good water pipes' infrastructure and lots of water gets leaked every month.
Speaking of wasting and leaking electricity I did a quick Google search and this is what I found:
"Are your appliances leaking electricity? Some of you might not be familiar with what this means. Not only do we have more small- and medium-sized appliances than ever before, but many of these never really stop using electricity. For example, if the television has a remote, then part of the TV is always on, waiting for a signal from the remote. If there is a clock on the microwave then the microwave is always using some electricity. Experts call this usage "standby consumption" or "leaking electricity" because people are often not aware that the appliance is using electricity.
A single appliance usually leaks only a small amount of electricity each hour (see Leaking Watts Chart below). Since these appliances leak electricity whenevery they are not turned on, and since people have a lot of these appliances, the amount of leaking electricity is significant. The average household spends about $40 a year on leaking electricity. The federal government works with appliance manufacturers to reduce the amount of electricity that leaks out of new appliances[1]."
Also here is another good resource on electricity leak which is related to the first web document I linked[2].
And then how much food is getting wasted every month globally? Probably billions of dollars of food is getting thrown away every month.
[1] https://www.uwsp.edu/cnr-ap/KEEP/nres633/Pages/Unit3/Section...
[2] https://www.teachengineering.org/content/cla_/activities/cla...
All uses of energy incentivize the search for cheaper energy.
Not all energy uses are optimized to increase usage over time, to cancel efficiencies. Proof of work, whatever it's merits, is anti-efficiency with respect to itself.
This is a significant difference.
Bitcoin has merits. So proof of work, being a part that is currently necessary for it to work has merits.
But the argument that proof-of-work has the merit of incentivizing cheaper energy sources does not stand up.
1. All uses of energy already incentivize the search for cheaper energy. This isn't a novel incentive that proof-of-work provides.
2. But proof-of-work does have a relatively novel disadvantage. It won't just incentivize greater energy uses as prices come down, as in normal supply-demand curves, but must keep up the original and even grow the amount spent on energy.
This would not be a problem in a market without negative externalities, but energy is famously a huge industry that will be struggling with negative externalities for quite some time and at great cost.
It would only be benefitial if after a certain level of efficiency were achieved, PoW got banned and all that efficiency increase could actually benefit consumers of energy that did not have to keep increasing spend to keep up (though even that's not sure, because if energy becomes 10x cheaper, it's just a matter of time for people to invent new creative ways to use all that cheap energy that's prohebitevely expensive right now).
https://futurism.com/bitcoin-mining-company-buys-entire-coal... https://grist.org/technology/bitcoin-greenidge-seneca-lake-c... https://arstechnica.com/tech-policy/2021/09/old-coal-plant-i...
This is just like saying: let's burn as much coal and oil as fast as we can, so we can accelerate the need to develop alternative fuel sources.
LED was a technological innovation. Nothing says Bitcoin can't have those. If you want more light, you need more lamps and you need to spend more energy. I don't really see the difference here.
About every 4 years the reward for mining a block will be halved. I don't see LED lights getting two times more efficient every 4 years.
It really sounds like you're rationalizing banning Bitcoin because you don't see any value in it. That's a dangerous way to decide who gets to use electricity.
Btw Satoshi introduced blockchain checkpoint so no attacker can fork the existing Bitcoin chain and make a competing one.
- Director General at the Swedish Financial Supervisory Authority
- Director General at the Swedish Environmental Protection Agency
I’m not sure who you think is more qualified to have a stance that represents Sweden?
Right of ways are real, tweets are not.
I’m not sure if the people making the most money from crypto-mining’s energy usage, are to be believed?
We can actually start with 1 question: If electricity demand from PoW mining spurs new renewable plants to be built, is that bad for the environment?
I (and many electricity companies) actually think PoW mining is good for the grid/renewable adoption in the long term. Let me explain why:
Some indisputable facts to get us started:
1. Most renewable electricity has unpredictable supply
2. Introducing marginal capacity of the same type gives diminishing returns. Eg: you're producing more during high supply times where electricity rate is low. During lower production periods all of the same type of renewable will be producing less so you can't even take advantage of the higher rates.
3. Rational bitcoin miners will turn off their machines when cost of power is greater than marginal return.
As a result, PoW mining will help the economics of building new wind/solar plants. Eg, currently it may not be profitable to build a new wind plant because base load is too low that the excess power generated would need to be sold off at 0 or even negative prices. However if bitcoin mining could be turned on during these times and off during periods of high demand, there will need to be fewer peaker plants in operation and it would positively affect the economics of opening a new wind plant.
Bitcoin mining only cares about the cost of electricity at a given time, it is not like most other electricity demands that are very time based. With the large variance of electricity generation by renewables, I think bitcoin can in the future help smooth demand according to the real supply/demand curve.
It's kind of like a different implementation of the Tesla utility grid batteries. Instead of deploying batteries, you force the grid to build more renewable capacity (that the miners are paying for) that miners use except in peak periods, where you turn off and effectively provide the grid with more power.
Yes, obviously.
Even if every single miner pool built its own solar/wind plant to power 100% of its energy needs, that would still be horrible for the environment: building the power plant itself produces harm to the environment; and the space and work and money used to create the Bitcoin miner's power plant could have gone into replacing (closing down) a non-renewable power plant.
Silly arguments about pricing volatile electricity only work if we assume maximizing profit is the ultimate good or that PoW is the only way to use that excess power. In reality, if we want to avoid the worse catastrophes that our current economy is pushing the world towards, we have to stop looking at profit, and choose less profitable but more useful ways of handling volatility - batteries, long-distance transmission, etc.
2. do you agree that nuclear is a sustainable and necessary solution?
3. do you agree that mining provides massive incentives, on huge scale, to nuclear power developers?
Power generation is a social concern, and states provide plenty of incentive to build power plants, especially nuclear - crypto mining is a profit chasing wasteful afterthought.
Or maybe you could just let people do what they like with the electricity they paid for
(alternatively, tax the electricity use beyond a certain per-person allocation).
I agree that there can be harms from PoW, but this is because of the electricity use, and so the thing to tax is the electricity use. Rather than the state deciding what things it considers valid for an individual to value and seek, it should put the restrictions on the thing that more directly causes negative externalities to others.
If there is a concern that this would harm things that we are sufficiently convinced is objectively valuable (e.g. making it more costly than is appropriate for people to heat their homes), so that we want to not significantly impact the finances of people who are like, using "reasonable" amounts of electricity, then we can, as I said, put some threshold amount of electricity use per person below which there's no tax on it, and increase the tax rate above that amount to account for this (and use the revenue to pay for CO2 removal and/or green energy development).
Or, like, I suppose in the most extreme case you could (on e.g. an annual basis) give everyone an initial amount of CO2 credits and no one is allowed to emit CO2 beyond the credits they have (but unused credits can be bought and sold).
But one thing that's extremely apparent, is that for the past 10 years, the crypto community has been 95% greed, 5% innovation. With the innovation part having picked up speed only the past few years.
At first, it was the an-cap dream. Decentralized, trustless, govt free internet money. No longer were you a prisoner to slow bank-transfers, expensive middle-men (PayPal, etc.), and could purchase whatever you wanted.
Then the price shot up, and everyone wanted to become rich. So people "agreed" that BTC is no longer a coin made for spending, but rather a storage of value. Like gold. Use altcoins if you actually want to spend your crypto. But who wants to spend any, with the rising prices?
Meanwhile, centralized banks, 3rd party businesses, etc. have solved all the personal finance issues that plagued us 10 years ago. In most countries today, you can transfer money pretty much instantaneously, without getting anxiety every time you press "send".
I'll give DeFi, Dapps, etc. credit - they've finally managed to roll out usable things, but it's still way, way too hard for regular users. And most regular people do not give two shits whether something is decentralized and trustless.
I can think of multiple legit uses for the blockchain technology - but I'm gonna be honest, I'm having a harder and harder time seeing how cryptocurrencies will replace any national currency. As of right now, it's almost purely speculation and get-rich-quick schemes.
We're still in the wild west, but it's not gonna stay that for long. With regulations looming around, it's just a mater of time.
But I digress
The strongest point here is the strawman presentation of the altered security model that PoS can be proven to form consensus under. Reading the source he cites is far more informative: https://blog.ethereum.org/2014/11/25/proof-stake-learned-lov...
The majority of the article frames distributed consensus mechanisms in an extremely sophomoric understanding of asset value and the PoW security model. All of these topics (including valid ETH criticisms) are discussed in much better ways in many other places.
I have conquered [and seen others close to me] FOMO by stubbornly writing things off, and I suspect others have done the same thing: it's calorically inexpensive and cognitively frictionless. No one can reasonably assess everything that comes their way.
I am not saying that that's the reason with the writer, but it's surely the reason in some people, precisely because it's easy. And easier still to click upvote on a take that reinforces that stubbornness. It's this latter group whose motives are being questioned, as per the GP who asked why these takes get upvoted. I wasn't actually questioning the motive of the writer of the article, hence why I didn't engage in the arguments in the first place.
And of course you have the corollary of true believers who will support anything positive of X-thing-they-have-adopted.
It's seems to be only these two dichotomies we see, rarely balanced takes. And that's the real problem.
This is one of those sentences that reads like it is saying a lot but might actually be nonsensical. Care to elaborate on this? i.e how exactly does the article 'frames distributed consensus mechanisms in an understanding of asset value'.
I read the article and I didn't see anything about asset value (whatever that is). As far as I can tell they point out that the article you cited pretty much agrees with what they're saying (about PoS by itself not being self-certifiable or irreversible) but disagree with the position that this can be acceptable in the real world. Whether you agree with that is subjective but the main criticism in the article seems to be directed at those who selling PoS as a sufficient distributed consensus algorithm to replace of PoW. There are blockchain projects raising literally Billions of dollars on this false guarantee so it is valid to criticize them.
In relation to that I was specifically referring to the misunderstandings present in "Nothing at stake".
You say:
"There are blockchain projects raising literally Billions of dollars on this false guarantee so it is valid to criticize them."
Are you not presupposing the correctness of the author's argument by calling it false? Have you already made up your mind?
I spent a lot of time talking about this topic with people. The article does have a point, that the security model of proof of stake is fundamentally different and relies on a key assumption (from the article you linked):
> any new node coming onto the network with no knowledge except... the set of all blocks and other "important" messages that have been published...
This is referenced in the OP as a point of security failure. The assumption is that we can rely on social interactions between nodes and that that is good enough. The criticism is that a new node can have no way of definitively knowing that their copy of the chain is the widely used canonical chain. An eclipse attack can occur, or as the OP stated new nodes may need to rely on authoritative sources to get current state which puts centralized power centers in the security model.
It is not a deal breaker (IMO), remember, PoW relies on the security assumption that it is prohibitively difficult for more than half the network to collude. I'd argue these assumptions are equally tenuous. I think as long as disparate, non colluding sources of the canonical chain are available (arguable if this is foregone, seeing as we need PoW to ensure consensus and resistance to collusion, probably not, but all it takes is one person to not collude and contention exists) it wouldn't be a problem.
Another big sticking point is the fact that no external resources must be invested, and/or that there is no ongoing cost. I find this to be the big problem with PoS schemes, I've had quite a number of discussions focused on these two particular issues (stemming from the same fundamental difference, that an internal capital stake is made) and I see benefits of not having ongoing cost and benefits of having it, and also of having a fully self contained system as well as having a system grounded in the outside world. All in all I have come to the conclusion that these differences make neither better nor worse, but that they are simply two completely different game theoretical environments with different security and incentive properties.
In practice social networks form a cornerstone of all of the unstated assumption of all consensus mechanisms. I'm more worried about supply chain compromise in wallet code than I am about an eclipse attack on a new node. At that point we know our models are too simple to make real world security comparisons.
> That key is valid to sign any number of versions of, let’s say, block #200, and there is no objective, system-internal standard for which version is legitimate, other than “the one that was published first”.
The real block #200 will have hundreds of attestations courtesy of randomly-selected validators, each of those signatures attesting to its validity and finality.
This is not FUD, it's the most obvious PoS flaw, called long range attack, and the reason PoS chains often need more checks to be more trustworthy (e.g. keeping hardcoded checkpoints, choosing the first received block as valid, introducing penalties and so on).
It was voted for by 8000+ validators. Many of them have been validating since beacon chain genesis a year ago. There are like 260k validators active right now.
I find it highly unlikely some entity is going to come along and try to pretend their alternate history, with a whole new set of hundreds of thousands of validators (which wouldn’t be supported by any ETH1 deposits) and millions of signatures signed by 260k freshly generated public keys, is in any way legitimate.
Which parts of this are checked by the client software, and which parts are just checked by interested humans in the block explorer?
There's a trade-off here. If you require 8000 guys to all vote in favor of your block, what does the client do if it only sees 7999?
> which wouldn’t be supported by any ETH1 deposits ... signed by 260k freshly generated public keys
You misunderstand. What happens if some of those private keys get compromised? In Bitcoin, if I sell my miners to someone else, it's not like they're radioactive waste that has to be buried. In PoS, someone can cause quite a bit of damage with keys that ostensibly don't contain any money. And because I've already withdrawn, I have no reason to care.
Those private keys are useless unless you had something like 50% of all the active validators' keys. So, hundreds of thousands of private keys hacked. You're not going to be able to damage consensus using a few old leaked private keys. The best you could do would be to slash some active validators and get them ejected, but the chain would carry on finalizing without them.
The 8k are randomly selected from this pool of 260k validators via RanDAO every 12 seconds.
Right now, it seems to be one of the best protected PoS chains. It's still fairly new, with novel mitigations, so it still doesn't stand the test of time against all possible attack vectors.
In that sense, it still can't be considered as secure as a PoW chain with high hashrate, which is protected by thermodynamics (you can't produce more hashes than the physical energy you have access to allows).
(Both would be vulnerable to Shor's but post-quantum signatures would fix that.)
It might be, in the future, if you replaced the keys, but it isn't now. Words mean things, and it really is important to use them correctly.
(Also, wouldn't the network respond by just raising the difficulty, miners respond by buying quantum computers, and the world to spin as usual?)
If sufficiently powerful quantum computers become readily available to anyone, sure, everybody will upgrade. Given the exotic hardware they typically require, it seems likely that for a while only a few large organizations will have them.
Shor's is faster but more specific. It works on factoring and elliptic curves, but not on hashes. The advantage of Shor's is that if you have enough qubits, you can get the answer immediately. Grover's only offers quadratic speedup, effectively halving the number of bits in the hash function.
So for signatures we just need to switch to something like a hash-based signature algorithm, with keys having twice as many bits as we'd want against classical attackers. But we don't have hash functions that keep Grover's from working, so a quantum miner be way faster than classical miners.
Not "unsafe standard" but
"dangers/unsafe to bootstrap".
But there are ways to mitigate the bootstrapping issue to some degree.
And PoW chains tend to have a low cost at the beginning making them similar not easy to bootstrap safely (through more easy then PoS).
In the end I don't think what theoretically is better matters, what only really matters is what practically matters for big crypto currencies (and smaller ones can during bootstrap (and potentially later one) interlink with the large chains).
Whereas in ETH PoS, validation happens in the consensus layer, following strict self-imposed rules. With each new block, one validator is chosen to propose the block, and thousands of validators are asked to back the proposer. The proposer and attestors are chosen randomly but specifically with no freedom to mix and match; the chosen validators must attest (and receive a reward) or else be penalized. Validators don't know each other and they don't need to cooperate to create a shared key ahead of time, all they have to do is deposit and follow the rules. The signatures are agglomerated by [BLS ellipical curve stuff idk it's magic] and help to form the consensus chain itself.
That's what PoW provides that PoS just doesn't. Immutability.
In fact, I would argue that one of the most important products of bitcoin, is providing the hardest, most immutable database human civilization has ever created. We could theoretically lose it and we could control and manipulate what goes into it going forward, but once a piece of data gets confirmed and buried under a few days worth of bitcoin's PoW, it can never be changed or removed from the blockchain. This is a severely undervalued use case in my mind.
I suspect that most PoS coins will eventually decide to periodically peg themselves into bitcoin's blockchain to timelock their blockchains and provide some immutability to their users.
Having said that, humanity probably only needs one PoW blockchain. Bitcoin.
> If you compromise or coerce enough validators, you can rewrite the history for no cost.
If you can. You would need to compromise thousands of randomly selected validators just to forge one block. That impossible task nonwithstanding, the validators are selected with maybe five minutes’ warning.
PoW doesn’t even offer absolute immutability, it’s just longest fork wins. Which is secure because of the economics, not because of a notion of perfect immutability.
Likewise, ETH2 provides a definition of finality that’s backed by economics.
With PoS exactly the same works. Most of the holders should be honest, and a successful attack would require spending at least 50% of the market cap of the coin to successfully execute - and then losing that stake as the reputation of the coin is soiled.
But it can, in the exact same manner as described in this article: have an 51% attacker build up a long chain and hide it from the world; then publish it.
PoW is vulnerable to exactly the same type of attack described in this article. In order to build a longer chain with non-negligible probability, you need to stake at least 51% of the pool.
Could someone put child porn in the blockchain? Would that have legal consequences for anyone using Bitcoin in places that have laws about such porn?
https://fc18.ifca.ai/preproceedings/6.pdf
Yes both PoW, PoS solve the double-spend problem, but in a brute-force way. And they never really get rid of the ambiguity of which chain is the one to go by. They just aggregate all the little ambiguities into one or another consistent version of history (a chain) and let them duke it out by massive electricity or stake or whatever. But at any moment, someone could have been mining a chain in “secret” and will emerge to thwart the rest of the network for a while.
There is a better way. Blockchains are actually quite centralized since to make any progress every N seconds you need to send all transactions in the entire world to one miner, and the block is limited in size. Actually it’s worse than that in Proof of Work — because you don’t know who will solve the silly problem, you have to gossip every transaction to every miner!
Oh yeah, and if you store UTXOs then you have to store the history of everything. And even if you didn’t, you have to store the current state of everything. Oh how nice and decentralized! LMAO
I don't get your criticism. Why does requiring gossip to every node cause centralization? Why does everyone having the current state of everything cause centralization?
There are various aspects of centralization. This is one major aspect: a bottleneck. Just like when all Web 2.0 conversations in the world would have to go through a centralized server. Even if it was a different server each time, it’s still an extremely centralized topology for that state transition.
It means that there can only be one transaction at a time for the whole world, no matter how many computers join the network. No concurrency — it is also why you can have flash loans. This is why Ethereum is called “the world computer” and why Bitcoin failed at being a peer to peer cash system and became a store of value.
All transactions are not gathered in one place, ever. All nodes receive all transactions independently. All nodes are capable of providing a copy of the ledger for verification.
Transactions don't go through a server. Historical record gets finalized by any one participating node. These two things are not the same thing. The transactions that will be mined are publicly known by all nodes before they are mined. Mining only ensures that nobody can change them after the fact.
There is no concurrency, this is true. The systems we have currently are single threaded systems, and from a classical standpoint, hugely inefficient single threaded systems. But this is not the same thing as centralization.
https://medium.com/@VitalikButerin/the-meaning-of-decentrali...
“Blockchains are politically decentralized (no one controls them) and architecturally decentralized (no infrastructural central point of failure) but they are logically centralized (there is one commonly agreed state and the system behaves like a single computeR”
I think you’re mistaken that I don’t know how Bitcoin works. Not only do I know, but I have spoken to many teams doing work in the last 10 years in various alternative systems, and I have even designed alternatives myself.
I used the word server in my analogies. The transactions are, however, all going through one COMPUTER which receives them, puts them in a envelope, and finds the right PoW input to “seal” the envelope, and sends it out to everyone. Whoever does that first, gets the rewards on that chain. If the transactions do not make it into the block, they don’t count on-chain.
Therefore, every 10 minutes, ALL TRANSACTIONS IN THE WORLD must be gathered by one computer, the one that will happen to mint the next block. This is a bottleneck, and it is the cause of the skyrocketing fees whenever the system sees any on-chain adoption.
But it’s actually worse than centralized — because we don’t know who will mint the next block so we have to send everything to on everyone. Imagine if all BitTorrent nodes seeded every file in the world. Bitcoin failed as a peer to peer cash system because of this topology and people on the group were telling Satoshi this back in the day.
That doesn't make the network centralized, since the server that acts as the centralized state transitioner will be randomly selected from a very large pool of servers with equal authority.
Innovations that Rollups and Sharding further extend the scalability that is achievable with Ethereum's Proof of Stake consensus protocol, mostly by debundling tasks to create modular components, so that the consensus layer has to handle far less load per transaction.
Who personally verifies every contract they use? Wallet implementation? Cold wallets are closed-source, trust-me devices, maybe with a security certificate from a centralised, government-linked security org.
The strongest link in any security chain is not irrelevant, but the whole system is really not perfectly trustless anyway.
It's actually suspected that happened during the blocksize wars when proponents of forks like Bitcoin Cash may have been spamming Bitcoin with transactions to feed their narrative that it is too expensive to use.
You'll eventually go bankrupt if you do this long enough.
This is actually another reason unlimited blocksizes that can allow for very low to no cost transactions are risky, and DDOS protection is likely why Satoshi added the 1MB limit in bitcoin to begin with.
https://beincrypto.com/polygon-raise-network-fees-spam-trans...
you either dont pay enough and are ignored or you pay enough and... great?
The whole point of proof of stake is that you can only sign blocks or messages while you have something staked. When you withdraw you are no longer allowed to sign anything.
He also didnt need to spend 1000 words going on about the history of bitcoin and proof of work.
This is literally just a filler piece with a provocative clickbait title to stir up the anti cryptocurrency folks here
Allowed to by whom?
Who's to punish me if I disobey them?
After withdrawal is completed, your node would no longer be in the set of active validators and from that time could not validly propose a block or submit an attestation (or, more accurately, be selected as a block proposer, etc.)
I can still propose blocks invalidly, you see. And then someone who doesn't already have the consensus (e.g. trying to sync) will have no way to tell which is legitimate.
This is the problem - you can't look at what the system does when everything's working as it should, you have to look at what happens when it's outside of the comfort zone.
[1] one such: https://github.com/ethereum/annotated-spec/blob/master/phase...
[2] https://eth.wiki/en/concepts/proof-of-stake-faqs
And then produce a big fake chain from 10,002 (in the middle of the time you were staking) -> 10,000,000 later, with an alternate history in which you didn't stop staking.
I don't think this attack is particularly realistic for a lot of reasons, but PoW does have some small amounts of additional strength against these scenarios.
The obvious argument here is "the one that was signed first will then have other blocks built on top of it". But since there's no PoW, building a parallel blockchain is trivial to compute, the only restriction is being able to produce something that's actually convincing enough. That and having people say "well, I was there at the time and I saw a different block than this", but that's just relying on authority rather than something that can be proven within the system.
Basically, PoS requires something external to the system to prove that history hasn't been changed. PoW technically does too, but what it relies on is "physics" and "provable historical fact" (i.e. approximate computing power available in the past).
You certainly can build a system that depends on something external to itself to ensure its consistency, but this challenges its claim to being "decentralized" and limits the amount of trust you can place in the system (and consequently the power of what it can do).
In short:
If you take the pbkdf2 key derivation function: its job is to slow down hashing a thousand fold or so, so that hashing an entire search space becomes impractical. You give your secret in input, and it gives you a hash, let's say, in 1 second. You'll have to spend the time again to recompute the hash. With a faster machine, you can compute in maybe 100ms, but still, there is a limit in how fast you can obtain the result.
Now change the cryptographic properties of pbkdf2, so that you can go back from the output to the input in constant time, so you can find the secret from the hash in O(1). Then, it becomes useless for actual secrets, but you now have an instantly verifiable proof that a certain amount of time (or serial computation) had to pass to get from the input to the output. Plug the input to the previous block hash, and embed the result in the next block, and you have your clock, based on physics and provable historical facts.
[1] https://vdfresearch.org
However, I’m not sure I understand how this is supposed to help. Proving that a few seconds passed just slows down block generation a little, but this cannot be a significant barrier to block generation or else you just have a full PoW system again. And if it’s not a significant barrier then it’s not clear to me what this is supposed to do, beyond preventing me from generating and signing a new block within milliseconds of some event happening.
But since the “nano scale” PoW doesn’t define the rate of block generation, it just establishes a lower bound, it feels like it’s just a speed bump for anyone trying to attack the system. If it only takes 10 seconds to rebuild the last 100 minutes worth of blocks, then it doesn’t establish a universal clock and therefore cannot prove which block came first.
Said randomness is needed to elect the new quorum who will build the new block.
This does absolutely nothing with the fact that you need 66% honest stakers in the system for it to remain secure.
Of course, nothing can stop anyone from creating parallel 100-minute long branches if that was the only thing, as, unlike PoW, it does not cost anything (except time) to create branches.
So you still need a consensus mechanism, a way to, as an agent of the network, decide what is the right branch. On bitcoin, it is very simple: go to the longest chain, it's where the majority of mining power went, so that is clearly the consensus (with 1 joule = 1 vote).
On ethereum, it's much more complex, involving promises with money at stake locked somewhere, so that anyone can detect cheaters, automatically unlock and take their money as punishment, and reward the whistle-blower with it. So, unless everyone is foolish enough to watch their money seized by the network, it does not happen.
The exact way the correct branch is decided is by random election of one staker, where the randomness is proved to be actually random. After all, using a VDF, you can now prove that its output won't be known until x seconds have passed, if you put the most recent block hash as input. So during that time, you can agree on an fair pseudo-random election algorithm that will take this VDF output as a seed when it becomes available.
The thing though is that this doesn't prove that X seconds have passed. It proves that X seconds have passed on whatever baseline hardware has been used to calibrate it. I don't know who actually computes the VDF in the proposed proof-of-stake schemes, though I would assume it's "whoever is proposing a block" (is this the same as the staker? Does this mean every single staker is picking a block and computing their own VDF, meaning everyone is still burning CPU?). And this means the VDF can only establish a minimum CPU requirement. It can say "X seconds have passed on the minimum hardware we're requiring at the moment", but anyone with faster hardware can still compute it faster.
And also because this PoW scheme cannot require more than X seconds for any participant to compute, it means an attacker that starts computing their alternative blockchain at the same time as the block they want to replace faces no difficulty. All this does is interferes with the ability to decide after the fact that you want to attempt to replace history. And even then, if you have hardware faster than the baseline, you can still reach back in time to recalculate a block, you just have to wait longer to do so. And by that I mean if you want to edit a block from 100 minutes ago, and you've got a CPU that's twice as fast as whatever the VDF is tuned for, then it just takes you 100 minutes to compute the replacement blockchain (50 minutes to compute the past 100 minutes, and 50 minutes to compute the new blocks that have been added since you started the attack). So after 100 minutes you now have an alternative chain that everyone thinks took 200 minutes to compute.
Which means now we're just back at the problem of "attacking consensus", where nobody can look at the two blockchains and see within the system which one was calculated first.
---
I suppose the VDF could be calculated by some volunteer with the fastest hardware, though this requires rewarding them for doing so (which means you basically have a monopolist sucking up all of the VDF rewards and no real incentive for nearly all participants to even try and compete). And this is still attackable by someone who can put together hardware that is even just slightly faster than then volunteer. It just takes longer. If the security of the system relies on a volunteer being assumed to have the fastest hardware on the planet, then the system isn't secure. I also question what happens in this scenario when the volunteer goes offline and nobody else has hardware that's as fast. Now the next block isn't ready in X seconds. I assume there's some protocol for "oops nobody has finished computing the VDF in time", but this does provide another avenue of attack for anyone in a position to disrupt the volunteer's connection to the network. Of course, anyone in a position to do that is likely to have access to unusually fast hardware already, but the point is that you cannot rely on the idea that "nobody can possibly calculate this block faster than the VDF is tuned for".
This attack is possible in Bitcoin too, except because Bitcoin is parallelizable, the defense there is that this attack requires spending more money than it is worth as the computing power used to calculate blocks is roughly a function of the value of the network. The danger there is generally in centralizing too much of the computing power among ...
About VDFs, there is a tolerance, you need to be in the same ballpark as the fastest, not _the_ absolute fastest. The more tolerance you need, the less snappy the PoS blockchain will be. They plan to make a low-power asic for that task, to be as close as the theoretical max speed for that, and have the lowest tolerance margin as a result.
Also, there is a way to reduce all VDFs results so that only one of the whole set of VFS-ers need to be honest.
So it's not one volunteer, but a pool of volunteers, using low powered asics so close to the theoretical max (ie speed of transistor switching) that you couldn't outrun them enough to profit from that speed up. I am not sure if they are incentivized, because it's not costing a lot, but maybe.
> Edit: I suppose the VDF's input might not be "the block being computed" but instead "the previous block", and the output then used to elect participants who are then trusted to build the new block. This would allow the new block to indicate whether the VDF actually took longer than expected.
Indeed, that's what I thought I was saying, but maybe I was not clear enough.
But I didn't withdraw my stake. I have a whole chain of blocks saying I never withdrew anything and it's perfectly valid because I signed it, and I still have a stake. Oh, you have another chain that says I did withdraw? Who are we going to believe? Who was first?
This is not true. You will have scratched far fewer tickets on average than one million.
If you have one million tickets, one of them guaranteed to be a winner, you will on average scratch exactly half of them (500 000) before finding the winning ticket. If you have an infinite supply of tickets, each with a 0.000,001 chance of winning, the number becomes higher, but the number of tickets scratched on average is still lower than one million.
Finding an error regarding something I know makes me skeptical about the rest of the article.
If you have an effectively infinite stream of tickets and each have a 1 in X probability of winning, you will indeed go through X on average.
That the author got this basic thing wrong doesn't inspire much confidence in the rest of his reasoning.
I have other issues with the article but this bit seems ok.
I'm not clear how "expected no. of attempts for X" is related to the probability of X. And I seem to be struggling to recall what little I used to know about probability.
I'd welcome a (link to a) clear unpacking of this scenario. I'm feeling rather stupid, as if I've had a stroke and lost a mental faculty. It seems to be a straightforward and obvious scenario, but I've lost confidence in my reasoning about it.
Now if a proof of stake includes a VDF that needs to be computed for every block, then a long-range attack needs to recompute the VDF outputs as well. This is infeasible as it will take a long time given the correct choice of VDF parameters.
Notably, the Chia blockchain mentioned in the article would succumb to long-range attacks as well were it not for their usage of VDFs [2, p. 17].
[1] https://eprint.iacr.org/2018/601.pdf [2] https://www.chia.net/assets/ChiaGreenPaper.pdf
this...sounds exactly like proof of work?
so, proof of work?
To demystify what a VDF is, consider the delay function (i.e., the majority of the work done to compute a VDF) used by the most prominent proposals:
Let N = p*q be a product of two large primes (so an RSA modulus) and assume that the primes p and q have been immediately thrown away/forgotten after initialization. Then, computing
f(x) = x^(2^T) mod N
is believed (dating back to a paper by Rivest, Shamir and Wagner in 1996) to take T sequential steps provided that T is large enough. For a large T, the only feasible approach seems to be repeated squaring modulo N. That is, compute y = x^2 mod N, y' = y^2 mod N, ... for T times.
The global CPU and power use for the VDF calculations doesn't need to exceed what you could fit into a single server rack.
Ok. Go break one of the many existing systems that operates using proof of stake then. If you've done this, you should be leading your article with it. If you haven't, you shouldn't be speaking.
Proof of stake is not some theoretical thing being proposed in the abstract. Many systems operate on it as we speak.
about 40% in:
"Because of all the arguments above, we can safely conclude that this threat of an attacker building up a fork from arbitrarily long range is unfortunately fundamental, and in all non-degenerate implementations the issue is fatal to a proof of stake algorithm’s success in the proof of work security model. However, we can get around this fundamental barrier with a slight, but nevertheless fundamental, change in the security model." —Vitalik Buterin, saying the quiet part out loud
Security model in PoS = trust the rich. Some like having masters, whatever floats your boat.
I skimmed it. It made no serious arguments. If it had a serious argument, it would have exploited one of the many existing proof of stake systems.
> Security model in PoS = trust the rich. Some like having masters, whatever floats your boat.
You mean...exactly like PoW mining?
Miners do not set the rules, they are merely a service that provides immutability to a ledger, with a nuclear option that will bankrupt all the billions they have invested, should they misbehave.
Large stakers can rent-seek and extract your wealth, PoS is the same system we have now, plus some code.
You are quite literally being exploited right this minute, by the same methods outlined in the article.
Stakers do not set the rules any more than do large mining pools.
> Large stakers can rent-seek and extract your wealth, PoS is the same system we have now, plus some code.
You know MEV is a thing in PoW too, right?
Their contribution is what makes the currency work.
They are some of the main profiteers from the currency.
You can't do a fork or rule change without enough miners going along (I mean you can but it would not have much value).
So in practice have all the governing/decision making power (as a group not a single person).
Sure they might not come up with changes, but they do decide weather any change do take effect in the end.
Same for PoW.
Crypto currency weather PoW or PoS boils down to "give the few rich all the power while giving the many less rich a illusion of security".
In PoW it just slightly tweaks "richness of money" into "richness of computation resources (which you get through money)".
This difference has complicated effects like:
- benefits anyone with cheap electricity (i.e. either places with no environmental protection, government support in some way, or the few places with cheap clean power)
- benefits anyone with good connections to chip factories
- the investment needed for gaining power being less bound to the currency itself but computation power instead
all bitcoin miners could be owned by one person and you would have no way of knowing....
>it's effectively centralised
so your argument is not that it is not possible to have security AND decentralisation with POS, but that it currently is not the case, right?
Sure, it's entirely possible that BTC is also centralised and controlled by wales. I was merely suggesting that the reason PoS systems haven't been hacked (much) yet is because the validators are controlled by project owners, so they are really centralised payment systems in disguise.
There's a difference though: buying initial stake in PoS may be similar to buying an ASIC in PoW, but mining a chain has a real cost (electricity) in PoW. In PoS there's no cost to mining, so validators have an incentive to stake all possible forks. There's no way to have consensus on the correct chain, because real resources haven't gone into building one up.
Isn’t the whole point that by that time he would have withdrawn from the network so he would sink it without losing anything himself.
In PoW miners risk going bankrupt overnight for egregious behaviour like that.
I'd like to see how one defines "slashing" programmatically that is impartial, works algorithmically, and does not have edge cases that can lead to catastrophic failures without handwavy assumptions that every single PoS network has today.
But my understanding was that you can only have enough stake in the network to make decisions...by having that stake in the network. If you un-stake your crypto and cash out, by definition, you no longer have any stake in the network. If you no longer have any stake, how do you have a controlling stake?
Amazing breakthrough, realy. Now ddos blackmail can be actually measured in money.
At least you could point to avalanche or something else that's better constructed. Eth is a dinosaur at this point, albeit with the fattest treasury.
This 'long range attack' is different from a 50% attack because it doesn't affect nodes that were running before the attack happened. But a situation where new entrants into the network are uncertain of the 'true' fork is not tenable in the long term.
This seems more viable for a value destruction attack than for a double spend. But value destruction can be lucrative for blackmail. It means a coalition of stakers could withdraw their stakes and state "increases the blocksize or suffer a long-range attack".
This is an important point to consider, but it can be mitigated with exit delays. E.g. with Eth2's current settings, if an attacker had 2/3 stake at one point, I believe it would take them 6-7 months to exit all those validators. So while it's true that new entrants must sync from a trusted checkpoint, the checkpoint can be quite old.
Let's say my client has a hardcoded list of checkpoints, with a new one added once a month. The client would only accept forks containing all of those checkpoints in their history.
It seems like there are two ways an attacker with commit access might try to corrupt this checkpoint list. First, they could try to add bad checkpoints over a period of 6-7 months, until they've fully exited and can safely perform a long-fork attack. This seems impractical, since the bad checkpoints would be noticed by existing node operators (who would get stuck after upgrading their clients), and 6-7 months seems like plenty of time to raise the alarm.
Alternatively, an attacker could just delete 6+ good checkpoints, and replace them with 6+ bad ones, all at once. This would violate the convention of adding monthly checkpoints, so it should be easily recognized as a malicious change. One could argue that it might go unnoticed anyway, but sneaking in such a change seems roughly as hard as sneaking in any other clearly-malicious client change.
You've outlined only one, the most obvious and least probable, mode of failure.
The more subtle and wildly prevalent failure mode is that the consensus will be set by the few whales, who will maximize their rent extraction at the expense of numerous small players, which will include most later adopters, aka the entire population of Earth.
It's already visible on smaller scale in DAOs, every vote resembles a banana republic: "90% voted, 90% in favour". No matter what smaller stakeholders do/say, the early big investors and dev team always win. Why would they structure it otherwise? The same dynamics exist in PoS, just not as grotesque.
Perhaps that's OK for a private company governance, but for a global currency?
You want the multibillionaires to dictate the properties of the medium of exchange that serves the entire globe? Seems rather strange that so many have such a burning desire to be governed by someone much richer than them.
It gets a lot more complicated than that because setting up competing systems is cheap. It is like saying "nobody would write this piece of software for free". What we learned with open source is if the cost of distribution gets low enough then there needs to be just one person somewhere on earth willing to maintain it and it can work.
If the cost of creating trustworthy local (or international) monetary systems is basically 0 then it isn't obvious that plutocrats have an advantage beyond the one they already have by virtue of being powerful. If they can force you to use their system they already control the government so didn't need any technical help.
You can't even fork a stablecoin. in case of a split in a PoS chain, the correct fork will be decided for you by USDC and Coinbase.
Unless we're going to pretend that there is only one way on and off networks and only in one currency denomination…
If you want to use coinbase to buy crypto and tokens, that's on you.
In practice the value of the forked collateral is likely to be low, leaving the stablecoins insolvent.
However, if you are only forking the vm and allowing for people de deploy other protocols (or forks of other protocols), this is not the case (they just start off at lower total supply relative to the native collateral available on that network from a lower demand base).
I think id agree for things like ZCash/Dash etc compared to BTC, but I'm not sure I'd agree when it comes to the all contracts deployed on all EVM networks and none of this has anything to do with decentralized stablecoins.
For example, you can mint MIM (a decentralized stablecoin) on both avalanche c-chain and ethereum (as well as polygon, fantom, bsc and arbitrum), and they are both worth $1, but have different collateral backing it on both networks. If users wanted to leave one or the other, they could just redeem their mim for the underlying, sell it and buy the collateral on another network and mint it on the other network. The collateral might trade lower on one network based on market factors (like if the narrative shifted to that the chain became too centralized or w/e, and this assumes that even the price movement of the underlying overwhelms the over collateralization ratio, it might not) but it would just mean that there would be more or less mim on that particular network as assets are liquidated and not that the MIM itself would be worth less.
Actually in PoS if you try to attack and you don't have a majority you will lose all your coins. in PoW if you try to attack and somehow you miscalculated you will lose a couple of hours worth of electricity after which you can go back to mining normally so much lower stakes for an attack.
Unless you have a citizenship based voting of some short where a single person gets a single vote and they actually vote (automatically I guess and assuming without delegating to the big whale because "I am bored") what do you think agreement via resource scarcity implies?
P.S. Also lobbying...
Proof of Work does not get you any votes at all.
PoW is a service to the network, to create an immutable ledger. It comes with a very real nuclear option that will bankrupt miners if you misbehave and get fired by hashing algo change.
It's just a boring industrial business, like smelting aluminum or iron.
It's a system with an immutable monetary policy. Literally unprecedented in human history.
Hardly unprecedented, considering that until very recently nations did not have a monetary policy.
Is it though? It seems minor protocol tweaks aren't uncommon and hard forks managing to eclipse the original protocol in popularity are also conceivable.
https://en.wikipedia.org/wiki/List_of_bitcoin_forks
Personally, I think people will value bitcoin as good money if fiat money fails. And because they are seeking good money, will value the fork(s) that preserve bitcoin's prior monetary policy.
A fork that changes the monetary policy drastically (particularly, changing the 21M cap) would obviously make for bad money in practical terms.
So literally the same as every monetary policy change involving every currency that didn't use PoW in history...
This has happened multiple times with attempted hard forks of Bitcoin which have failed because once you change the monetary policy once, the promise of hard money effect disappears. So the original monetary policy remains in place and the original network continues as the reigning champion.
If this happens I can technically stay on the original protocol, but that would be rather pointless if a sufficient majority abandons it.
The only real problem with that is that with a small hash rate, bitcoin can be attacked more easily.
If bitcoin is the monetary backbone for many nations, they will subsidize miners to maintain the balance of power. That is the actual scenario that I'm optimistically predicting.
If bitcoin isn't the monetary backbone for many nations, by then, then it's probably a failure, and should probably be allowed to die.
It's also very possible that transactions fees alone actually will be sufficient to support a high enough amount of hash power to secure the network.
Each nation would love to be able to manipulate the supply itself—why not, if people will let you get away with it?—but the fact that other nations can't do the same could be seen as a feature.
If Bitcoin does eventually become a common instrument of trade at this level it will fill the same niche currently occupied by gold and other precious metals.
I have to admit that I have no idea how much work is actually needed to secure the network. My point of view is that the current rate of energy expenditure outweighs whatever benefit Bitcoin does or could provide to society. But if this rate is a transient result of still-significant minting going on, things could definitely look different in the future.
Do you know of any analyses on how much work really has to be continuously expended in order for Bitcoin to remain reasonably secure at a given market capitalization?
Still plenty of scaling left in the Bitcoin ecosystem.
Niagara Falls is not what I had in mind. There is lots of untapped hydro power in extremely remote parts Canada where nobody lives, for example.
Mining doesn’t use a fixed amount of energy. As it becomes more economical more people will mine.
As for the rest... so what? It uses a lot of electricity and there is some pollution---but a lot of bitcoin mining is done with hydro or geothermal (and will be nuclear if bitcoin continues to grow), so, so what about some pollution?
So there's a simple question: how much value do we get out of this tech per CO2e it emits and per ton of e-waste it creates. And AFAICT the answer is: not enough to keep tolerating it in a time where humanity as a whole is seriously worried about climate change for the first time ever.
If you can magically move _all_ the miners to sites with excess renewable electricity and permanently slash the hash rate by 99.9% then maybe it can be tolerated. Until then I would welcome more China-style crackdowns on mining activity across the world.
If you aren't upset about this, you probably haven't studied it. I say that in a spirit of helpfulness. Fiat money grossly distorts all of humanity's economic output and therefore retards our progress on all things, including fixing climate problems. Just one example: The US is becoming a nation of renters because enormous funds are buying up the houses with fiat money they borrow nearly for free.
Fortunately, with bitcoin, we can do something about that, without (eventually) harming the environment.
Presumably if the price went down by a substantial chunk and stayed down for a while, the hashpower would also decrease, and so the difficulty would also decrease.
Also, if electricity prices went up, or if CO2 emissions were taxed, then hashpower would decrease, and the difficulty would go down in turn.
If we do not bound the growth of PoW energy usage, I think it could easily destroy itself in a roundabout way: by destroying the fragile global order that keeps humanity going.
You get compensated for your service, it may seem like a lottery, but if you do it for a long enough time, you'll get fairly steady returns as in theory it should be random and proportional to your hashrate.
I don't mine, and I think it's definitely overhyped at the moment, but maybe it will settle in the future and actually provide a useful service to us folk. It doesn't seem to be going away for now, and it is really easy to send money to friends and family, whether they're nextdoor or in another country.
The vast majority of mining today uses sustainable energy (70%+), because it is actually cheaper.
Dishwashers and heated swimming pools use WAY more energy globally, but because pleasant luxuries are quite enjoyable, nobody seems to attack them.
You don't think those get very wasteful in the real world? And there's no equivalent to a real war situation. You can set it up so you don't need to defend against the equivalent of enemy armies.
> The vast majority of mining today uses sustainable energy (70%+), because it is actually cheaper.
What kind of sustainable?
When miners locate next to hydro, and buy it up, that doesn't help anything. That hydro could have been sold as somewhat less cheap power elsewhere, after going over long wires, and then it would have reduced the load on coal plants.
Miners that eat up excess solar can theoretically do a lot to encourage the installation of solar, but they need to be happy letting their machines be turned off a large fraction of the time. If it's still profitable to run 20 hours a day, then they're still encouraging fossil power plants.
> Dishwashers and heated swimming pools use WAY more energy globally, but because pleasant luxuries are quite enjoyable, nobody seems to attack them.
Dishwashers are better than hand-washing, aren't they? Having plates is a lot more important than running cryptocurrencies in a particular way.
If heated swimming pools use that much, then sure let's go after that and use some kind of billing or taxes so they pay extra and encourage sustainable power sources.
It is of course not 100% perfect analogy, nothing is, but I believe you understood the point I tried to get across: it's a security service, and that costs money. Blackwater stationary guard roles are 180-220k a year for someone with years of experience. I'd imagine monetary networks use a lot of physical security, some central banks are literally located in bunkers under mountains, with a backup site in a similar setup on a different geological plate.
I have not seen any PoS schemes so far that provide anything other than plutocracy as a service. There is a reason why ETH with a 100mil R&D budget is still on PoW, Vitalik is not a dummy.
as for the cheap sources of sustainable energy, those are usually stranded hydro and wind that's too remote to be economic, and stranded natgas (for natgas "green" might be a better term, i've used sustainable in the sense that CH4 is far more damaging that CO2. I've been told by regulators it is actually better to burn off CH4 from stranded wells)
Balancing of the grid also does happen, but I believe primarily with wind and hydro.
I, of course, agree that we should not pollute the Earth we live on. High energy usage in itself is not bad, only if it's a harmful polluter. I've only pointed out dishwashers and pools (don't have the stats handy, but they do indeed use a lot more, like a magnitude more), as a common hypocrisy.
We must rapidly scale up non-polluting energy sources, as it seems unlikely humanity can become a spacefaring species on a self-imposed tight energy budget, and this self-imposed handicap coupled with an unexpected asteroid impact can end us.
It's also hard to see how push button Armageddon has possibly made us more safe than nobody having nukes. We are only more safe than if only our enemies had them. The same could even be said of armies.
Or they need batteries. Or some other means of energy storage, for that matter; at the scale of a large mining farm, thermal (e.g. heating water) or kinetic (e.g. spinning a flywheel) might be practical.
Armies have to practice. Smart generals don't let their armies do nothing; to be any good at warfighting, they have to fight wars. Effective standing armies have to constantly be finding new wars to fight.
When attacking a neighbor state costs more (because your neighbors have arms too), it’s less likely to happen.
The cold war had plenty of awful hot action with proxies and third parties but the entirely hot version obviously would have been far more calamitous.
I suggest reading Herodotus’ Histories, or you can read up on Genghis Khan, Napoleon, Hitler, Alexander, the Crusades, or the myriad other conquerors and conflicts that have occurred.
Do you have an source for this? I remember the same number being flaunted before but it turned out not to be true. What was true was that 70%+ of miners use any amount of renewables in their energy mix.
Do you have some source for this? I see random numbers being thrown around a lot, would be nice to have a citation for yours.
If you work with software development - which you probably do - I'd suggest checking what you do for a living, how much energy it consumes and how much physical product it generates.
Just as an aside, when you move a newspaper or a magazine from print to only existing as a web page, you certainly have 'dematerialized' it to a degree. However you still need hardware to keep and display the data and energy to move it around and light up the screens. In so far it does not stop being physical. The 'intangible' is somewhat of a red herring. Yes, it is less haptic, but it's still physics, physical all the way down. Other than that, currencies, freedom, equality, education, entertainment—we've been having intangibles all the time, at least from the dawn of human culture onward. Cryptomining does not bring anything genuinely new to the table in this respect. It's not even new in being a fraudulent, volatile scheme that betrays traits of a cult, one that benefits a few and hurts the many.
Or some AI because humans are prone to bribery to some extent.
Or we could make it democratic. "Jeff Bezos asserts that he provided useful work for society and that he therefore deserves $1B this year. Please cast your votes".
https://en.wikipedia.org/wiki/Signalling_theory
The problems start, of course, when you take a concept to its logical extreme.
[0] https://en.wikipedia.org/wiki/Pigovian_tax
The trick is to enforce it in such a way that it can't be easily dodged via e.g. offshoring.
Within protocol, no. But when weighing a fork, those with the gold choose the rules.
Status quo will be incredibly difficult to overcome for attackrs, even with a large chunk of industry, exchanges, miners and whales against the status quo, it prevailed.
It's probably not renewable (well, neither is the Sun on large enough timescale), but do you believe nuclear, either fission or fusion, will play a large role in the future?
> Do you consider nuclear energy sustainable?
Low-carbon, yes. Sustainable, yes. Renewable, not until we productionize extraction of uranium from seawater. [1]
> ... but do you believe nuclear, either fission or fusion, will play a large role in the future?
Fusion if we can crack it, totally. Seems like a clear winner. Fission probably will if there's some political will behind it, but not unless there's a change in sentiment.
[1] https://www.forbes.com/sites/jamesconca/2016/03/24/is-nuclea...
> of which the following sources are considered to be renewable
in other words, it attempts to define the world "renewable" along favoured political ideologies.
From Wikipedia:
> Advances in breeder reactor technology could allow the current reserves of uranium to provide power for humanity for billions of years, thus making nuclear power a sustainable energy
TL;DR: nuclear is just as renewable as solar (beyond any likely duration of the human civilisation).
So probably more than 1 guy. maybe 5-10.
BTC is also getting smart contracts soon, which makes ETH redudant as well, but it will take a while before it catches up in terms of possible complexity of the contracts.
You mean Proof of Work algorithm. Which is not quite the same as hashing function [1].
[1] https://cryptorials.io/beyond-hashcash-proof-work-theres-min...
...just re-using the terms for continuity and simplicity sake.
yes, a PoW algo is probably better generic term, although I am not confident complex algos would be accepted as first-line replacements by the wider community.
am I wrong in that assessment?
You're right that Bitcoin will never accept a change of PoW. At least not until SHA256 shows signs of being broken.
PoS staking is simply committing a portion of your capital to the task of validating transactions. You benefit by receiving a reward in the form of additional tokens.
In a PoW system, the same exact thing can be accomplished by using your tokens to purchase a stake in a mining pool. You will similarly be unable to access your capital, be rewarded with additional tokens, and at the end of a period of your choice, you can liquidate your position in the mining pool to reclaim your tokens.
[edit] PoW in this context is a bit worse because PoW miners can rent out their hash power maliciously without being slashed.
In this world, the "nothing at stake" problem also manifests in proof of work, where I believe ownership in the mining pool makes you agnostic to the outcome of any chain splits - although I'm still working this bit through in my head. Opinions welcome!
Sounds wrong. Slashing is a means to prevent people from staking on multiple chains. In PoW, computing power is scarce, so if you allocate some compute time to one chain then you have less of it on another chain. You automatically get slashed. The difficulty in designing a PoS chain is in artificially re-creating this slashing and thereby solving the "nothing at stake" problem.
The splitting is unavoidable and happens constantly. Multiple competing future states are constantly being created, and the network has to eventually arrive at a consensus about which possible future is the true one.
> Where is the difficulty in making miners expend their tokens (i.e. in a way that is irrevocable) instead of merely depositing them somewhere?
Figuring out how to make spending your tokens irrevocable is the whole point of PoW/PoS. Your question reads to me like "In trying to solve problem x, why don't you assume that you've already solved problem x, and use that to solve problem x."
Maybe I'm missing something... if miners are required to send the tokens to an invalid address, are these tokens not lost irrevocably?
An equivalent attack wouldn't work on a PoW chain. If you do the equivalent of "staking" on chain 2, then you're computing hashes, which is costing real-life resources. In the PoS case, without slashing, staking on chain 2 is free. In fact, this is the rational move to make every time you spend a token; stake on competing chains to get your token back.
There was a PoS mechanism that makes people who cheat lose all their coins? I wonder if it is relevant here
... Aha, that's "slashing" -- the other members in the network would look at the two chains, and notice that you were misbehaving, and add transactions that remove parts of your coins? (They'd add to both chains? Or just the winning one?)
This has a clear answer in PoW, but not in your scheme
It only buys you the right to append a block of transactions to the ledger, which is the same thing as having 100% of the votes.
Nodes decide if they will append your block to their chain.
A miner that decides to mine out of consensus blocks is just burning money, and will be on their own fork with their “100% votes” that nobody else uses.
Give it a try, spend a few million on mining equipment and then try forcing something on the network.
It’s not a democratic system, never was.
The proposed block must comply with the rules your node enforced, or it will not be accepted. It’s not just work, but also the entire consensus-set they must abide by.
Miners cannot force new rules, if there is no consensus.
If 51% of miners decide to, after block #N, not include any transaction that doesn't satisfy the predicate P in any block they produce, nor mine on any chain which has a block after block #N which has a transaction that doesn't satisfy predicate P, then the longest chain will have all the transactions after block #N be ones which satisfy P, and furthermore, if the other 49% of miners are aware that this is happening, if they want their blocks to be in the longest chain, they have incentive to follow the same rules when mining.
This is the logic behind soft forks, is it not?
The leader can even opt to put no transactions in the current block, something that has actually happened on many occasions: https://www.theblockcrypto.com/post/67928/bitcoin-miners-are.... Obviously, the leader was making a decision here, there were not actually zero transactions to process :)
No, there is no voting and there is no leader election. Miners construct blocks with transactions and if they manage to find a signature - that block is appended to the chain. If somebody does it faster - they append their block.
Please at least get the basics before you start arguing with people.
I know far more about Bitcoin than I ever wanted to, believe me. You really should not be making these kinds of ad hominem arguments when you don't understand terms like "consensus" or "leader election."
No, the hash that you win with, deterministically points to the only possible block that you can “propose”. Your understanding is completely backwards. You seriously don’t know how bitcoin works.
Here is my question to you: if the node that wins the election (and the ones that accept its mined block, of course) is not the one voting on which transactions get to go into the chain, rather than be stuck in the mempool somewhere, who is? Do you genuinely think there is no decision being made there?
All miners “vote” by hashing and one of them wins. They don’t win because somebody voted for them, they win because they happened to find a satisfactory hash. The chance to win that hash faster than other miners is proportional to hashrate. The hash is determined by the block of transactions entirely, so once you win the race, you don’t get to propose anything other than that one predetermined block.
Which transactions go into a block is decided before any mining for that transaction happens.
Just read, please.
You're coming off worse in this argument because you seem to realize on some level they're just using different (possibly wrong) terms in their accurate description of the mechanisms, but then you keep making snide remarks that imply they don't understand the mechanisms.
I think your analogy to flat earth was better. Because sure, treating the earth as flat isn't correct, but it's often a perfectly good approximation, and arguing about whether a big field is flat or not is a giant waste of time. Don't completely dismiss someone because they use those terms.
"Leader" or not, it's basically equivalent. And the process of letting miners input yes/no values for whether they support a proposal into their block, averaged over thousands of blocks, gives you the same result as "voting". So talk about whether those results are useful.
There is no "voting" and no "leader" except in the most abstract sense and I'm not sure why you're so determined to use those terms.
Every 10 minutes a miner wins the right to append a block to the chain, by guessing a secret number. The chances of winning are proportional to the amount of money each miner has expended in the process of guessing the secret number. This is equivalent to holding a vote every 10 minutes in order to choose who gets to append the transaction block. Therefore, you're wrong. There's a vote. And if you can't understand this obvious fact about bitcoin, you have no business discussing bitcoin.
As I said in a sibling thread, it’s like arguing the earth is flat by proposing a very special metric of space. Feel free of course, I just don’t accept it.
Of course, they have a choice. If didn't, miners would serve no purpose. We would just have one block and that would be the block that would be appended. The consensus would be achieved automatically, without any need of guessing secret numbers.
> And if it was an election, wouldn’t the result always be the same with largest miner always winning because they have most votes?
No, because the miner is elected at random. The crucial point to understand is that their chances of getting elected are proportional to the money they spent. That doesn't mean the largest miner will get elected 100% of the time.
lol, no they don't.
a certain hash wins, every ~10 minutes. that hash is calculated from sha(block, nonce), where nonce is the randomized part that miner mutates to get different hashes. once a hash that satisfies the protocol is found - that's it, you can't choose a different block to append to the chain.
it is just laughable that i have to explain this level of basics.
Maybe this article will help you understand just how nonessential the fact that the block is part of the SHA actually is: https://www.usenix.org/system/files/conference/nsdi16/nsdi16.... Please read the whole article, and then come back so we can have a discussion on equal footing.
well certainly not the winner of the "election", because by the time that "election" starts, the block is already constructed.
and i'm not going to read any of your links until you actually start understanding the basics of bitcoin protocol. though your lack of understanding explains perfectly why you fall for scammy bells and whistles of competing bitcoin-wannabes. "bitcoin new generation". lol, give me a break.
Again, I'll ask you, since you keep dodging the question: if the node elected as leader is (according to you) not choosing the block, who is choosing the block? Why are you so obsessed with whether the value was chosen "before" or "after" the election, which is an irrelevant detail of the protocol? If you can't answer these things and won't read the paper, I don't really see any reason to keep talking to you, because all you've done is make the same irrelevant point over and over.
1. once the "leader" is "elected" 2. do they have a choice of what block to append?
you said they do, which is fundamental lack of understanding of how bitcoin works.
> when the leader is elected every 10 minutes, do they get a choice of what block they append to the chain?
and the answer is yes, the miner that gets elected chooses which transactions to append to the chain. Do they pick the transactions after getting elected? No, they pick them before getting elected. In fact, it doesn't matter whether they pick the transactions before or after getting elected, because their chances of getting elected are unaffected by which transactions they picked. Therefore, it makes absolutely no difference. The fact that you think it makes a difference tells me you're very confused about the role miners have in the bitcoin network.
Maybe they act like all the other rational miners and optimize by mining fees.
Maybe they include no transactions and only take the miner reward.
Maybe they they don't like the Dutch so all their transactions are excluded.
It really doesn't matter as all y'all have been arguing over is what to call the person who won the current round.
You really don’t see how this terminology is completely incoherent for this scenario?
This is expanded upon in the peer-reviewed Bitcoin-NG paper that both of you are refusing to read, which breaks down the Bitcoin protocol into distinct parts (which was why I linked it--not because I am proposing that it replace the Bitcoin protocol, but because I thought it would be useful for you to understand how Bitcoin performs leader election already). Specifically, it analyzes the effects of splitting up leader election and block commit parts of the protocol. As it turns out, it has essentially no effect on Bitcoin's security guarantees, which is not surprising--because the fact that block selection and leader election happen at the same time is an implementation detail that doesn't actually matter! Once you realize this detail that you are obsessing over (the block being decided at the same time the leader is) is not important for the protocol, you will also see that the leader election is in fact the critical part.
A miner can choose which block to build on. At any given moment Bitcoin can have several competing "in progress" forks. This is why most exchanges require... 7, I think?... blocks on top of yours to consider the transaction more or less confirmed.
> And if it was an election, wouldn’t the result always be the same with largest miner always winning because they have most votes?
Yes, this is a 51% attack in Bitcoin. If you have a majority of votes, you can disregard the current chain, fork from behind, and catch up.
Yes, they do get to choose the block. Transactions to include in the block are (usually) chosen from the mempool, which is unique per node (it’s similar but never exactly the same between any two nodes). Miners can also choose to include transactions that were never publicly broadcasted, and therefore never appeared in another mempool. Typically the transactions with highest fees are chosen, although fees can also be paid (or bumped) outside the mempool.
The miner of a block doesn’t get to choose the contents of every transaction, but they do choose which transactions to include when they win a block.
It seems like you’re hung up on terms that aren’t commonly used in the context of bitcoin mining, but are valid and are commonly used in the broader context of distributed systems.
Changing the hashing algo isn’t a realistic punishment for targeting misbehaving miners.
You end up with two choices:
1. Change to an algorithm that uses gpu/cpu instead of ASICs (and is ASIC-resistant), but then your algo runs on general-purpose computing and you can’t fork miners off ever again.
2. Move to another algo that benefits from ASICs. This has the extra overhead that you need to spin up manufacturing and distribution of these ASCIs to honest miners, which takes quite a long time to do and while you’re waiting, your network is being attacked.
In either case, you aren’t just punishing a misbehaving miner, you’re punishing *all* miners who now all need to get funding to buy and rack new hardware. You’re making a big assumption that the misbehaving miner won’t be able to get financing or sufficient capital while the honest ones will. If the dishonest miner’s attack was profitable while waiting for the fork, they get to keep all of that money and can spend it on new hardware.
In PoS, the attacker will lose their stake, meaning they lose the money they had before, and earned as a result of, the attack. It may be much more difficult for that validator to get access to capital and lenders will be hesitant to lend to an entity that now has a history of burning capital.
Hmm, maybe I’m ignorant, but in practice, don’t miners (socially, not technically) have substantial say in issues like the block size debate?
If you want to create a hard fork of the chain for any reason, whether people accept your fork as legitimate will in part reflect the total hashing power of that forked chain, right? So in practice what miners choose to follow will have a big impact.
Maybe not quite the same as PoS in-chain voting, but it still seems to give large miners outsized power, no?
With PoS, the coin creators can assign themselves an arbitrary fraction of the coins, concentrating the wealth. Even if there is a public record of all the funds raised in a public sale and all expenditures made (which is rarely the case), it's possible for the creators to participate in the public sale and recover large parts of funds used to buy their own token by generous expenditures on software development and such.
Who is the top researcher on this subject these days?
Anyway, I'd also be interested to know if there's existing or active research along these lines.
There are plenty of PoW coins with unfair or absurd distributions, and plenty of PoS coins with somewhat equitable distributions.
In my opinion a fixed block subsidy would be most equitable, but that's a very slow emission, taking 100 years to reach a yearly supply inflation under 1%.
I don't see much difference between a PoW mining setup that does $1000/day gross, $990/day expense, $10/day profit and a PoS staking setup that does $12/day gross, $2/day expense, $10/day profit. Both earn $10/day, both require maintenance, and both are run not at a net cost but at a net profit.
Additionally mining isn’t always profitable. There is financial risk and miners can go bust and take financial risk. Staking is basically always profitable if you don’t misbehave.
https://twitter.com/vitalikbuterin/status/760232885483806720
Ethereum Classic is the fork that refused to rewrite the blockchain to void the hack, and the linked tweet is VB affirming that he’s only working on the main (reneging) Ethereum fork (which goes by ETH), not Classic (goes by ETC).
Not sure why the parent linked that tweet, maybe Twitter just makes it too hard it identify what tweet you actually want.
The hard fork reversed those transactions.
No matter what fancy spin you put on it, that was absolutely a violation of the blockchain's integrity, as it violated the principle that accepted transactions can't be reversed after the fact, even if you call it an "irregular state-change" that just keeps things secure.
You can absolutely defend the position that this was best for the ETH ecosystem. But it was absolutely a reneging on the blockchain rules.
Aren't you just describing capitalism here? The people that created the system and own the biggest share of it have gigantic influence on it. Matter of fact, isn't that exactly what happened in ethereums PoW network, too? The developers decided to switch to PoS regardless of what the current participants want.
In general, isn't the idea of using PoS that if you aren't happy with the current system, you can easily fork into a competitor? If enough people think the current system is unjust, then you can switch to the new one, where you will be part of the development. At the beginning of the fork you also wouldn't need that much compute, as PoS is more efficient and you aren't going to have many users/transactions in the first place.
Since it's easy to switch currency (at least easier than privately setting up a Dollar 2.0), members of the original currency have to behave fairly, else people are going to switch. Note: The thing people are switching to doesn't even have to be better in any way than the original currency. It just has to have different controllers to influence the members of the original system.
The way I see it, is that there's no meaningful way in which PoS based currencies are worse than the current monetary system: large stakeholders in current global currencies also have gigantic leverage (think of money printing during the pandemic or bailouts after the 2008 financial crisis). The real advantage I see with PoS systems is not the system itself, but the tooling that comes with it and allows for the development of competitor currencies that check the power of each other. With current global currencies there's no checks-and-balances system inside the monetary decision making process, while a fleet of independent PoS has the chance for checks and balances to be induced through competitive pressure.
It fairly describes every political system and economic system that has ever existed or will ever exist. What's being described is how humans always organize systems in regards to political and economic power.
See: Socialism, Communism, Fascism. It applies just the same to those. Except in those systems they'll murder you and your entire family, then burn your village/town to the ground, if you attempt to compete with the rulers or party (Chavez, Castro, Stalin, Lenin, Mao, Hitler, Mussolini, Pol Pot, Kim, Putin, Erdogan, Lukashenko, etc.).
Whereas I can freely compete with Coca Cola, Tesla, Salesforce, Splunk, DigitalOcean, Cloudflare, Starbucks, 3M and most other companies if I'm able to. Nobody is stopping me from inventing a new coffee drink and going after Starbucks with it, or setting up a better coffee chain on the corner. Nobody is stopping me from inventing a better soda-competing drink (see: Monster or Red Bull or 5hour Energy; those people weren't assassinated by the soda cartel). Nobody is preventing me from starting the next great convenience store (ask 7-11 how they feel about upcoming Sheetz; or ask KFC how they feel about Chic-fil-A).
Just how it works.
Somebody tell him about the r-family.
And that's where competition between currencies provides checks and balances against such pathological behaviours.
People will opt out of currency regimes that are abusive. This is not like a terrestrial government where you are fucked for life because a bureaucracy controls the land you live on. You don’t have to immigrate to escape a corrupt currency. And you don’t have to all-in in one currency.
If you own dozens of coins, you liquidate the shitcoin that is controlled by corrupt tycoons.
I've been wondering about that recently - for all of the excitement about DAOs and Governance Tokens, are there any good examples of interesting decisions being made via their voting mechanisms?
What are some places I can go to see recent votes and their outcomes?
As a POS developer, what do you think of HEX and Richard Heart (whose real name is Richard J Schueler)?
If you don't work on HEX, how is your POS get rich quick pyramid scheme any better or more trustworthy than HEX?
If you do work on HEX, then please ask Richard to drop by, join the discussion, and answer the questions below (to which he replied "Dodge Dodge"), and any other questions the HN community wants to ask him:
https://news.ycombinator.com/item?id=29367412
In PoW all hashrate is always voting and security is paid for external expenditure, not something virtual within the system.
PoS is a scam and you should stop supporting it.
Not if he’s undetected and does it for years while extracting value at key points in time.
There are numerous people who could put up $50B with the ability to get very high returns.
It’s not even worrying about Buffet. I worry about hedge funds and sovereign wealth funds that would definitely manipulate PoS if it earned enough for them.
> about 30-45 accounts _which had stake at that time
The this is stated makes it sound difficult. But if this is false history presented by a malicious node, surely they could make up anything, as it the data does not need to line up with any official history at any point. (Without a trusted party, no history line is really offical anyway, is't it?). Constructing a history with 30 accounts with stake at any given point in time isn't any harder or easier than constructing 3 or 3000.
Unsure how pure PoS chains work, maybe they hard code an early block's hash? Like, it's not a legit xorcist-chain unless block #10 has hash #deadbeef
In practice, among the people who once staked large amounts of a proof-of-stake currency, most of them will probably continue being invested in its ecosystem moving forward. Even if they can't be personally punished for lying about the past, a successful history split would likely reduce the community's confidence in the currency, and thus its market value. Most of those people are also emotionally invested in the ecosystem and would not want to dishonestly subvert it. There will be exceptions. But to create an alternate history you need to subvert not just one validator, but most validators (or rather, validators who together control most of the currency being staked).
Warren Buffet buys up 70% of the network, induces a network partition, and then double spends it all, signing both transaction histories.
By the time he’s caught, he’s converted 2x the value of the POS network to POW bitcoins.
Replace “warren buffet” with “crypto exchanges selling bundled securities”, and the above is not just plausible, it’s inevitable.
The same scam has been run over and over again with conventional banks (who are inevitably bailed out on top of getting to take the money and run), POS just changes the nature of the obscure underlying financial instruments.
This risk can be mitigated:
1. The network should halt if a fork is detected. A fork with more than 66% of the stake behaving maliciously means a fundamental trust assumption of the network has been violated. Stop everything! Let humans figure out what is going on. I'm not saying every PoS system WILL halt under these circumstances, but as a countermeasure they SHOULD be designed to halt and value safety over partition resilience. Thus, an attacker forking a PoS must never allow parties to see either side of the fork. If a party notices a fork occurs, they will halt and can't be double spent against.
2. Following from 1, how do you prevent parties from communicating and discovering that a fork is occurring? Are you a tier-1 ISP and can control all internet traffic? You can defend against such attacks by making it very hard to hide the presence of a fork via redundant communication mechanisms. For instance the Bitcoin blockchain is broadcasted via satellite, a PoS blockchain could do that as well.
3. Additionally you can require that stakers lock their stake for long periods of time e.g., 6 months. This means that if an attacker wants to perform this attack and truly have nothing at stake they must cause a fork in the chain before the 6-months ago mark. Parties who are up to date with the latest chain are not vulnerable since they have already accepted the consensus history of chain. New parties who are syncing for the first time would be vulnerable, however clients could be programmed to have hardcoded 6th month checkpoints or clients could check block explorers and halt if a fork is detected.
Yeah, but you're glossing over an important detail: It's not 66% of the stake that has to be good, it's 66% of anyone who has ever staked. In PoW, I only need to trust the miners of today to tell me the truth about what happened today. In PoS, I need that, plus the miners of yesterday, plus the miners of a year ago, plus ..., in perpetuity.
> New parties who are syncing for the first time would be vulnerable, however clients could be programmed to have hardcoded 6th month checkpoints or clients could check block explorers and halt if a fork is detected.
Right, maybe you can elaborate on this. Is checking block explorers a decentralized or trustless solution to, well, anything?
I don't quite get that. As far as I understand it the "nothing at stake" problem works by a malicious party inducing a fork, one of which they double-spend in. Since it's in the best interest for everyone else to mine both forks, you can force your double-spend fork to become the longest chain by only validating the double-spend fork.
This means you have to trust that nobody part of your current chain has double-spent in this way. But isn't this the same as in PoW where you have to trust that nobody has launched a 51% attack to disrupt the network in the past?
Also, can't you just prevent people from mining all forks? I.e. for becoming a validator you have to deposit X as a security beforehand and you can only earn at most X via staking (so it is in the history before you can attack with nothing at stake). If it is recognised that you mine on more than one fork at a time, you lose the security deposit you gave before the fork. X goes to the person who found the fork, incentivising that the mallicious fork is identified on all forks (miners on competing forks are incentivised to look at all forks and quickly add the mallicious fork detection for their own benefit). If you want to retrieve your security and money earned, you have to announce this on all forks (you immediatly seize to be a validator). You are only allowed to retrieve the funds, if it is confirmed on all forks, or the forks are sufficiently behind the longest chain. This allows everybody ample time to look for dual-fork work and also incentivizes rapid solution of forks.
Yes, modern proof-of-stake algorithms work this way. The caveat is that at some point (on the order of months later) the security deposit is refunded, and at that point you can lie about the past without consequence. But this is a limited attack: you can only successfully lie to someone who has been offline since you were a staker, or else they would already have a record of the real successor chain (which now has a new set of stakers, who themselves still have their security deposit deposited).
Like, this is trivially solved with a central authority (e.g. have some trusted core developer every day publish a signed message saying "this is the real successor chain"), but it does enable that central authority to arbitrarily bless a fake ex-staker's fork.
Note that in Bitcoin you can have a fork in which both chains have equal length. The idea is that eventually the longest chain will be established, but if say 90% of the mining is malicious that malicious miner could ensure that most of the time both chains are of equal length.
With a PoS fork you can ask, which fork has the most amount of stake voting for it. An attacker that controls enough stake might be able to balance the total stake vote in the same way as a malicious miner could on Bitcoin.
In both cases if the core security assumption of the blockchain is violated, that blockchain should halt until that assumption is made sound again. If someone orphans the last two years of Bitcoin's blockchain something has gone horribly wrong. The fact that Bitcoin now switches to the longest chain doesn't actually address the problem that two years of transactions may have been rendered invalid.
What does this mean in practice? Who are these humans? When can the network get going again? Would a consensus rule change be part of it, and what type of changes would be allowed in that situation?
It sounds hard to manage this type of maintenance breaks in a trustless way. Surely consensus rule changes during outages should not be handled any differently than changes when under normal operations.
> clients could be programmed to have hardcoded 6th month checkpoints
Who signs these checkpoints? Once you have established the trust required for checkpointing the entire blockchain regularly, wouldn't it be much easier to checkpoint every block instead and in an instant do away with all the hard problems of blockchain networks?
We have a bunch of examples of this happening in practice. The humans are usually a mix of the developers, parties important to consensus (miners, stakers) and big ecosystem players.
> It sounds hard to manage this type of maintenance breaks in a trustless way.
When solving a problem that violates your core security assumption you are only longer in the world of security definitions. It doesn't really make sense to talk about "trustlessness". If the protocol is busted, you need to find a solution and get enough people on board with that solution that you can upgrade the protocol.
> Once you have established the trust required for checkpointing the entire blockchain regularly, wouldn't it be much easier to checkpoint every block instead and in an instant do away with all the hard problems of blockchain networks?
The checkpoints aren't trusted for safety but instead for availability. Instead you should think of them like alarms that "something has gone horribly horribly wrong, stop everything, don't transact, don't move, don't touch anything, pull the ebrake."
tl;dr Much like the fuse box in your house, my view is that checkpoints should turn safety failures (electrical fires) into availability failures (electricity is shut off).
Is this a problem in practice? As the article says, no ... but only because there is a sort of vaguely specified "proof of authority" that backs the current chain, which actually just reintroduces centralization. The author cites the Bitcoin Cash and DAO/ETH Classic forks as cases where that proof of authority gets tested and shows the actual centralization.
It's my understanding that Algorand has something on top of pure PoS that ensures the consensus (which the article says is necessary) so I'm not sure the same criticism is applicable there, but can't comment further until I get more familiar.
Or if a nation state or the central banks see it as an existential threat, they could consider it the cost of doing business? Maybe $30B to take out Algo or Solana and destroy trust in all PoS networks? That's a rounding error for them.
It's _possible_ that a government might choose to attack a random small coin just to discredit the notion of PoS cryptocurrencies, but it's hard to picture a government gaining consensus to do it, and it would be obvious to knowledgeable onlookers that larger coins are immune (or anyway, much better protected), so the resulting disruption would probably be temporary.
Not when the protocol actively encourages decentralization by cutting off staking rewards to larger pools, like what Cardano does (as one example). Sure, the exchanges can (and probably do) run multiple pools, but so can anyone else, and for far less expense than is required for mining.
While you are correct that burning $30 billion dollars to destroy trust in PoS blockchains isn't that much money, I disagree that such an action would actually destroy trust in PoS blockchains. We have seen serious attacks on a number of blockchains, Ethereum for instance had enormous amounts of money stolen or destroyed via weaknesses in the blockchain. Yet Ethereum is still going strong. Bitcoin suffered 51% attacks that were used to perform double spends and Bitcoin is more valuable than ever.
It might be cheap to burn $30B to destroy a blockchain, but what if you burn $30B and the blockchain recovers 12 hours later.
These weaknesses weren’t due to consensus failures or protocol failures, but bugs in applications running on Ethereum. If Ethereum’s protocol allowed arbitrary funds to be stolen, that could certainly cause a loss of trust.
So two of the Bitcoin examples I gave was a consensus failure which already establishes the point, but lets do a very recent example from Ethereum:
A few months ago in August 2021 when Ethereum had a serious consensus failure and about three quarters of the clients in the network and some miners [0] forked off from the miners. How many people even noticed? [1]
> "Ethereum has weathered a bug that split the world’s most-used blockchain and opened up the risk of counterfeit Ether tokens." [2]
The issue at play is that the ability to cripple the consensus of a blockchain for the most part only impacts its availability not its security or the trust placed in that blockchain. Social consensus can just reset the bad transactions. If the theft or doublespend is big enough. We've seen that happen time and time again. They are somewhat robust but highly resilient.
Now it is possible that perhaps someone could perform an action that can not be so easily reset. For instance a huge doublespend where both parties receiving the funds are honest and have traded an object of extreme value for the doublespent funds. That is very hard to pull off. For instance how do you non-reversibly send something of that much value before the fork/doublespend/consensus bug is discovered? If you are moving something worth say 1 billion dollars in a single transaction you should probably be using an escrow service. Perhaps someone will invent a better technique for turning consensus failures into blockchain killers but so far I'm not aware of such a technique.
[0]: https://twitter.com/TimBeiko/status/1431278258222338056
[1]: https://www.theblockcrypto.com/post/115822/bug-impacting-ove...
[2]: https://www.bloomberg.com/news/articles/2021-08-30/ethereum-...
You said there were “enormous amounts of money stolen or destroyed” as a result of “ weaknesses in the [Ethereum] blockchain.”
The consensus issue where one client forked off isn’t evidence of that at all. Even the article you link to says it seems that the network was stable and the impact was minimal. Even in this particular attack, doing a double spend would be rather difficult.
Spend $X billion, then just bleed everyone without power. Sort of like what we do now.
> Proof-of-Stake attacks aren't about having 51% of the CPU that overwhelms a Proof-of-Work system, but about having 60-70% of the _value_ in the network.
If a nation buys 2/3 of the coin and destroys the network, investors (as a whole) take a 1/3 loss. Then they can (re)start another PoS coin.
Ironically the nation would be up against the old saying that the market can stay irrational longer than you can remain solvent.
congrats, you've reinvented central banking and plutocracy.
I mean, if Doctor Evil suddenly decided to spend tens of billions of dollars to destroy the three main credit card networks, he could probably do it. In fact, it might be easier and cheaper than attempting to degrade or bring down a distributed block chain network. The credit card networks are built upon many layers of ancient, pre-Internet technology, full of discoverable vulnerabilities and critical points-of-failure.
But we all know that it wouldn't happen. Doctor Evil would never want to do so, because even him, the most evil person in the world, would still want to be able to use his credit cards to eat out, go to the movies, and order stuff online. Also, he would never want to do something that would make him enemy #1 of every other person in the planet, including every other super-criminal!
What Doctor Evil actually wants to be able to do is figure out ways to steal or get balances from participants in the network without destroying the network: steal poorly protected wallets, hack into poorly secured exchanges, find ways to get blackmail payments on the network (e.g., by launching DoS attacks on the web), etc. The network itself is too useful to everyone for anyone to want to destroy it.
--
PS. For the record: I have no economic connection to Algorand the block chain nor to Algorand the company, but I'm (superficially) familiar with some of Silvio Micali's past work and also, I know one of the company's top executives. In my judgement, the Algorand block chain has great technology, and Algorand the company has really great people. Their main challenge, as I see it, is overcoming the powerful network effects already accruing to other block chains.
At the end of the day, Dr. Evil will gladly spend 10s of billions to destroy the network if doing so nets him 100s of billions. Stop listing reasons people won't attack the network and start listing reasons they would.
Why would Doctor Evil attack a block chain network when he could attack global/national/regional credit card/wire transfer/ACH networks, many of which are built upon ancient pre-Internet technology, are full of discoverable vulnerabilities and critical points-of-failure, and are operated by cash-rish financial institutions with liquid, easy-to-short stocks?
Fundamentally, if there are off-chain incentives to destroy the value of a given blockchain, much of our reasoning about the game theory doesn’t hold up.
Now, if you think such an attack is an important problem for block chains, then you must also think it is an important problem for all legacy transaction networks. Yet we're all comfortable using our credit cards and bank accounts every day, and for virtually all practical purposes, we don't worry about a "Doctor Evil scenario." Why should we think and behave differently for block chain networks?
Moreover, as I wrote before, in practice, legacy transaction networks (like, say, regional VISA networks run by 100-year-old banks) are easier and cheaper to attack. If the Doctor Evil scenario were a real threat, it would be more profitable for him to target one of the legacy networks!
If you attack the blockchain, well ... uh ... the owners will ... be really unhappy with you?
Realistically you're only in trouble for doing that if you're pissing off someone else with "the means to violence". If you screw up money laundering operations for a cartel, then what you're likely looking at is acts of violence between two criminal organizations, but if one of them has the upper hand, they can basically act with impunity.
When you're looking at the "small fry" – individual people with their own bitcoin/whatever stakes? They're just fucked. It's true if someone steals your wallet, but it's also true if someone torpedoes the whole system. That's the cardinal problem with all of these blockchain technologies — by deliberately designing the whole thing to disintermediate the authorities; they accomplished exactly that: there are no authorities to deal with systemic problems.
This irrational fear of short selling is such a modern midwit view. There is way more value to fraud on the upside then there is on the downside, and we see that everyday.
If it were legal to take a short position in a company and then take actions which blew the company up AND there existed cost-effective ways to do so, then you would definitely have seen more legitimate companies taken down by short-attacks. In contrast, here you have an entity where (a) there isn't the same legal safeguards and (b) there exists a claimed cost-effective way to tank the entity after taking a short position
If you disagree with (a) or (b) empirically then cool but it's clearly a totally different scenario to regular companies
What kind of short-selling? For naked short selling I quickly found evidence: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=273488 That's the predecessor of a paper cited from 2003 SEC testimony of Robert J. Shapiro published at https://www.sec.gov/rules/proposed/s72303/rshapiro122403.htm..., which in turn may have been a related source for the Shapiro citation in a 2008 Time magazine article at https://web.archive.org/web/20080424032340/http://www.time.c..., which I found via the Wikipedia article on naked short selling at https://en.wikipedia.org/wiki/Naked_short_selling#Claimed_ef...
That first paper describes a scheme whereby investors bought convertible warrants, used naked short selling to drive the stock price down, then covered by exercising their warrants. And apparently in many cases, as documented by the paper, this resulted in a delisting or even bankruptcy of the targeted firms.
Therefore, the formal proof of security provided in the Algorand white paper does not resolve the nothing-at-stake problem, which is inherent to all PoS systems.
As long as a sufficient number of people believe some currency has value - it has value. If they don't believe, it doesn't have value, and the stakes are worthless too.
I don't mean to be rude here, but none of what you have said refutes my point.
The attack here is that you control keys that (1) once held 67% of the value, and (2) no longer do. Because they did hold value once, they are dangerous to consensus. Because they no longer hold value, nothing is sunk into the network, so the attacker bears no cost or risk.
To apply your analogy: I don't have to be Warren Buffet, I just have to riffle through his trash.
You can't do that with PoW without "additional" consensus rules, which is that slippery slope to PoS!