Sure, and become permanently controlled by the founders, who control 60% of the outstanding supply. Proof of Stake enables any party who at any point controls more than ⅓ of funds to rewrite the chain from that point forward, so this is an objectively terrible idea from an engineering perspective.
This difference is that in PoS, if anyone ever holds more than ⅓ of the total supply (as is the case with Ethereum's founders currently holding 65% of the overall issuance, for example), they can indefinitely control the chain through their re-org capability.
Could you:
1. Point me to the source that says, "if anyone ever holds more than ⅓ of the total supply (as is the case with Ethereum's founders currently holding 65% of the overall issuance, for example), they can indefinitely control the chain through their re-org capability."
2. Point me to the addresses of Ethereum's founders? Presumably it's then 65% of 115 million eth.
Like I said, it's just a rumour, but from a fairly informed source.
Do you have a better estimate?
Total amount of fundraising ETH did initially was about 20 mil? 1-2 mil sounds like a feasible early VC check to get 10%, not including games you can play later to increase your stack further.
All experiments with onchain voting seem to have that problem, just like with voting in real life.
Read up on the DAO exploit and carbon vote. Even in a drastic situation turnout was low.
It's a permissionless industry and I suppose people can try different things, but one thing that sets apart Bitcoin from everything else - it is not a democracy.
Democracy was designed for cities of 50-60k in size, where only rich landowners got to vote and everyone else was basically peons. It doesn't scale and is not particularly great.
PoS is just another string of boneheaded attempts to make democracy great again...by marrying it with plutocracy? idk.
Would you care to vote with your measly stake if you know the insiders have over 50% anyway?
"the insiders have over 50% anyway?" This is false. Hard to take the rest of your premise seriously when they are not based on facts and sound more like maximalism.
We're building this, but on Bitcoin ("Plasma but as a framework for dapps" [with a focus on developer experience]) [0]. There's already robust infrastructure for L2 contracts in Bitcoin-land, and we've already heavily optimized the L1 to prepare for the load that a global, ubiquitous solution would need.
Honestly, I see no use for Ethereum (or other Turing Complete L1s) looking forward — smart contracts can be purely peer-to-peer, with the only pressure applied to L1 being dispute resolution. By pushing complex contracts up into Layer 2, we can keep the dangerous, money-destroying, theft-enabling Turing machines away from the main chain.
Proof of Stake not only replicates the same dynamics that Bitcoin was designed to eliminate (more wealth -> more power in system) but also can only be made secure against a maximum of ⅓ byzantine actors, compared to Proof of Work's superior ½.
As for using it for Layer 1 systems, Andrew Poelstra nailed it in his conclusion [0]:
"We showed that by depending only on resources within the system, proof of stake cannot be used to form a distributed consensus, since it depends on the very history it is trying to form to enforce loss of value."
Proof of Stake might be useful at Layer 2 (becoming equivalent to voting stock in a company), but not as a base-layer consensus mechanism.
> Proof of Stake not only replicates the same dynamics that Bitcoin was designed to eliminate (more wealth -> more power in system)
There is no legitimate sense in which PoS _is_ an instance of "rich have more power and get richer" but PoW is not. In fact, PoW is _worse_ than PoS in this regard, because PoW has economies of scale (if someone with a $100k investment earns $10k/year, someone with a $100m investment can earn significantly more than $10m/year). PoS on the other hand is much closer to a clean "what you earn is proportional to what you put in" design, which is realistically the best that you can do in an anonymous system where users can generate as many independent identities as they want.
> can only be made secure against a maximum of ⅓ byzantine actors, compared to Proof of Work's superior ½.
This is also not true. The 1/3 bound is for safety-under-asynchrony (a form of safety for which PoW's security margin is zero). If you assume synchrony, then PoS protocols' safety approaches 50% much like PoW does. Protocols like Casper FFG combine the "best of both worlds", giving you both of those security guarantees (50% BFT if the network is good, 33% BFT if the network is terrible) at the same time.
> There is no legitimate sense in which PoS _is_ an instance of "rich have more power and get richer" but PoW is not.
In PoW, miners must sell their tokens to buy capital-intensive mining equipment and power to stay competitive. In PoS, stakers have no incentive to sell enough tokens to anyone who could turn around and stake them as a competitor, since that would cut into the seller's future staking rewards.
> The 1/3 bound is for safety-under-asynchrony (a form of safety for which PoW's security margin is zero). If you assume synchrony, then PoS protocols' safety approaches 50% much like PoW does.
First, consensus protocols can be trivially safe regardless of the network's behavior -- you simply require a majority vote for any proposed agreement. Second, any consensus protocol can only remain live as long as there are no more than f faults out of 3f+1 replicas. This is again irrespective of the network model -- Leslie Lamport's proofs do not make any assumptions about the network.
> Second, any consensus protocol can only remain live as long as there are no more than f faults out of 3f+1 replicas. This is again irrespective of the network model
We actually know of consensus protocols that require synchrony including between participants and clients that go up to 99% fault tolerance for both liveness and safety; in fact Lamport himself described one in his original paper (remember that it's "written messages" and not "oral messages" in his vocab that's the relevant category; these days public key cryptography is cheap and uncontroversial so there's no need to care about the "oral" case). There's also a table on page 291 in the 1988 DLS paper (see https://groups.csail.mit.edu/tds/papers/Lynch/jacm88.pdf, the "authenticated byzantine" row and the "synchronous" column) that gives an overview of the fault tolerance levels in various different cases.
The original definition of consensus did not have a notion of passive clients needing to learn the result, so the "active participants synchronous, passive clients asynchronous" model common in blockchain land was not really analyzed well back then. It turns out that with a synchronous network, the passive client requirement is what brings safety and liveness down from 99% to 50%. And it also happens that the 50% fault tolerance protocols are less fragile in the case that the synchrony assumption breaks temporarily.
> We actually know of consensus protocols that require synchrony including between participants and clients that go up to 99% fault tolerance for both liveness and safety; in fact Lamport himself described one in his original paper (remember that it's "written messages" and not "oral messages" in his vocab that's the relevant category; these days public key cryptography is cheap and uncontroversial so there's no need to care about the "oral" case)
The "written messages" protocol does not tell the whole story. If you go back and re-read Lamport '82 [1], the assumptions that make the SM(m) algorithm ("written messages") work at all also make it a practically useless result. In particular, assumption A4(b) (top of page 391) requires that anyone can authenticate any general's messages at all times. How the generals are supposed to learn each other's public keys _without_ an instance of SM(m) is not addressed, but presumably they would need to fall back to OM(m) ("oral messages") to do so. So if you take a BFT system as a whole, where you can't assume the existence of a magical fool-proof way for generals to learn each other's keys a priori, my original claim stands.
> The original definition of consensus did not have a notion of passive clients needing to learn the result, so the "active participants synchronous, passive clients asynchronous" model common in blockchain land was not really analyzed well back then.
Prior literature doesn't consider "passive clients" because they're not protocol participants in the first place. Clients do not participate in deciding agreement; otherwise they wouldn't be called clients.
Last I checked this is very much still the case in blockchain-land. Your wallet (client) does not do anything to help miners/stakers determine the best chain tip or the next block, for example.
So, I'm not sure what you're trying to say here?
> It turns out that with a synchronous network, the passive client requirement is what brings safety and liveness down from 99% to 50%. And it also happens that the 50% fault tolerance protocols are less fragile in the case that the synchrony assumption breaks temporarily.
Unless you're assuming the existence of the magic fool-proof public-key distribution mechanism required for SM(m) to work, you're not going to get liveness unless you're either (a) assuming nodes do not exhibit arbitrary failure modes, or (b) requiring at least 2/3+e nodes are honest.
When I last looked at Ouroboros it still had the property that there's only "one confirmation per slot", so you need to wait ~log(n) slots before an attacker has a <1/n probability of reversing the chain. I personally think that a good PoS system should strive to have hundreds of confirmations per slot the way eth2's LMD GHOST does. That said, it's very possible that there's an improved version of Ouroboros that already does this and I just haven't caught up to it yet.
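The "wait ~log(n) slots for a &lt; 1/n reversal probability" relation in the comment above, worked through in Python as an added illustration by the editor (not code from Ouroboros, eth2 or any other project). It assumes the simplest one-confirmation-per-slot model: an attacker produces a fraction q of blocks, honest producers the remaining p = 1 - q, and the attacker tries to overtake a chain that is z blocks ahead. The geometric bound (q/p)^z gives the log(n) relation directly; Nakamoto's whitepaper estimate, which also accounts for how far the attacker has progressed while the honest chain built z blocks, is included for comparison and is always at least as large.

```python
import math


def geometric_reversal_bound(q: float, z: int) -> float:
    """Probability that a private chain z blocks behind ever catches up, in the
    simplest random-walk model with one block per slot: (q/p)^z, p = 1 - q.
    Solving (q/p)^z < 1/n gives z > ln(n) / ln(p/q), i.e. ~log(n) slots."""
    p = 1.0 - q
    return (q / p) ** z


def slots_for_reversal_bound(q: float, n: int) -> int:
    """Smallest z for which the geometric bound drops below 1/n."""
    p = 1.0 - q
    return math.ceil(math.log(n) / math.log(p / q))


def nakamoto_catch_up_probability(q: float, z: int) -> float:
    """Nakamoto's whitepaper estimate: the attacker's progress while the honest
    chain grows by z blocks is Poisson with mean z*q/p; for each possible
    progress k the attacker still has to close a gap of z-k blocks."""
    if z == 0:
        return 1.0  # no lead to overcome
    p = 1.0 - q
    lam = z * (q / p)
    honest_wins = 0.0
    for k in range(z + 1):
        # Poisson pmf computed in log space so large z does not overflow.
        log_poisson = -lam + k * math.log(lam) - math.lgamma(k + 1)
        honest_wins += math.exp(log_poisson) * (1.0 - (q / p) ** (z - k))
    return 1.0 - honest_wins


def confirmations_for(q: float, epsilon: float) -> int:
    """Smallest number of confirmations z such that an attacker with share q
    reverses the chain with probability below epsilon (Nakamoto model)."""
    z = 0
    while nakamoto_catch_up_probability(q, z) >= epsilon:
        z += 1
    return z


if __name__ == "__main__":
    for q in (0.1, 0.3):
        print(f"q={q}: {confirmations_for(q, 0.001)} confirmations for <0.1% reversal")
        print(f"  geometric bound needs {slots_for_reversal_bound(q, 1000)} slots")
```

For a 10% attacker the geometric bound says 4 slots suffice for a reversal probability under 1/1000, while Nakamoto's estimate needs 5; the gap widens as q approaches 1/2, which is the reason a protocol that can accumulate many independent attestations per slot reaches the same confidence in far less wall-clock time than one confirmation per slot.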
Is it realistic, assuming a heterogeneous network like the Internet, for having high percentage of block dissemination and 100 confirmations in almost every node in 12 seconds (and how many peer connections are assumed per node?) Would not that segment the network? Sorry, I am just asking as I have no knowledge how ETH 2.0 and its LMD GHOST works.
Hey Vitalik, looking to really get into the weeds of blockchain like you. There seems to be a barrier between new folks and engaging fully in learning material. Just too much of a learning curve, got my hands on everything I could find but am now stuck, where do you suggest I find the most information on especially the math behind it all?
Not sure if you are claiming that BTC currently solves the "more wealth -> more power in system" problem but it clearly doesn't. The current state of affairs is more wealth -> more ASIC R&D and infrastructure budget -> more hash power -> more power in the system.
There's a difference. You can't physically centralize energy production. Local energy price will increase when more energy is used. This ensures that no one can get in a position of control. In PoS, it's possible to get > 50% ownership, and it's game over.
Aren't 65% of all bitcoin miners in China? Couldn't the CCP sabotage the network at any time? Say, a month before the launch of their digital currency?
This specific visualization is limited to 37% of the hash power on the network. It's possible that it is a representative sample, but I don't think we can assume that.
Even better, it is limited to pools that primarily operate in China. I really wish someone would turn off that link. It is really awkwardly bad and mis-quoted a lot.
With proof of work you have economy of scale working in your favor. You'll get different deals on ASICs, power, server farms, etc. the more you buy.
PoW by design leads to centralization and we can see it happening live with bitcoin mining. At least with proof of stake there's no economy of scale. Everyone can participate fairly easily.
Does it matter? As long as there is enough mining that isn't controlled by a single entity (mining in China isn't a single entity), then the network is secure.
That is true, but it's easy to centralize private ASIC designs or in a more extreme case the underlying chip fabs. If TSMC wanted to control the Bitcoin network they'd have a fair shot given they have by far and away the best fabrication technology for high performance chips
This doesn't work for ETH1, which is PoW, but memory hard, which ties the network to GPUs over ASICs due to the cost structure of producing ASICs. It is cheaper to buy an off the shelf GPU than it is to buy an ASIC.
You also have to factor in the fact that the latest GPUs are not necessarily the best ROI. If you can get lower speed GPUs for a fraction of the cost, then your return on that is much faster. Of course, that is starting to change now that mining is becoming so profitable again. But regardless, you are still tied to GPUs, so anything you can get there is good.
You know how much that costs? I specifically mentioned ROI.
If you did the research into that one, it also only has 4.4 GB of RAM. It will also slow down (aka: zombie mode) starting early November 2021 once the DAG gets large enough.
It takes about an hour of running it, just to start mining because the DAG generation takes so long.
By the way, Linzhi only sells to large customers because they've taken so long to produce this thing (years now) that they don't have enough money to front the production run.
They are also a super sketchy company. You should have seen the stuff they pulled during the ProgPoW debate.
Disclosure: I'm a very very large GPU miner and I'm deeply involved in this business.
> only be made secure against a maximum of ⅓ byzantine actors
What is the threat model here, and in particular what is the outcome of a successful attack?
For example, if the only "power in the system" the attacker has is the ability to prevent transactions from occurring, then the attacker is damaging the value of their own coins. The honest majority could, as a last resort, also decide to manually fork the currency to invalidate the attacker's coins.
Assuming the ⅓ number is weighted by stake, the attacker is potentially risking billions of dollars in order to carry out this short-term attack. With that amount of money it would be cheaper to locate and destroy the major bitcoin mining farms.
There are concerns (or concern trolls) about an attacker buying old keys for almost nothing, trashing the chain, then profiting by shorting. And there are concerns that the honest majority can't figure out how to switch to the honest fork.
>And there are concerns that the honest majority can't figure out how to switch to the honest fork.
If that's always an option why bother with proof of stake in the first place? Just let it do whatever and switch to the "correct" fork once in a while!
Why not have the Supreme Court resolve every dispute? Because it's too expensive. Ultimately you can't exempt yourself from the judgement of society and the market. If you commit to a "most-work chain wins no matter what" policy it doesn't mean that chain will win economically.
For people like me who haven't heard of this feature: https://docs.cardano.org/projects/cardano-node/en/latest/sta... It's true that this prevents an attacker from using current keys to perform a long-range attack but old keys can still be used for attacks.
> Proof of Stake not only replicates the same dynamics that Bitcoin was designed to eliminate (more wealth -> more power in system)
Bitcoin may have been _aimed_ at eliminating the "rich get richer" system, but in fact it failed at it, as others comment below. It has been formally shown [1] that investors who have enough money to buy the most efficient ASICs out there earn disproportionately more, compared to smaller investors who can only afford less efficient ASICs/GPUs; in contrast, in PoS every investor has a fixed ROI for each one of their $ (regardless of their total investment); as also shown in that paper, this is the best you can hope for in an anonymous system. In other words, unless you can authenticate users and distribute rewards in a democratic (and possibly egalitarian) manner, the rich will always get richer, and the rate with which this happens is actually worse in PoW than PoS.
It's true that PoS requires subjectivity to prevent long-range attacks, but everyone is already using subjectivity so this is not an additional constraint. (People say that, in theory, new users might not use subjectivity in PoW but this is not actually true in practice.)
wmf's snarky comment aside, I think there is something important here. What's the big markets story this week and last? A bunch of people intentionally acting "irrationally" fuelled by their spite. How much "smash the system" energy can PoS systems accept?
No distributed consensus algorithm can tolerate more than f faults with 3f+1 replicas and maintain liveness. This includes Bitcoin (replace "replicas" with "hashes per unit time").
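The f-out-of-3f+1 figure debated in this thread (in the comment above and in the earlier "any consensus protocol can only remain live as long as there are no more than f faults out of 3f+1 replicas" post) falls out of two quorum constraints. The following Python is an added derivation by the editor, not code from any project mentioned here, and it models only the asynchronous quorum-voting case; the synchronous protocols discussed in the thread (signed-message relaying, equivocation detection) rely on mechanisms it does not capture. Replica indices and the quorum search are illustrative assumptions.

```python
import math
from itertools import combinations


def smallest_safe_quorum(n: int, f: int) -> int:
    """Safety: any two quorums of size q must share at least one correct
    replica, otherwise a Byzantine replica in the overlap can vote for two
    conflicting values and both sides 'decide'.  Two quorums of size q drawn
    from n replicas overlap in at least 2q - n, so we need 2q - n >= f + 1."""
    return math.ceil((n + f + 1) / 2)


def liveness_holds(n: int, f: int, q: int) -> bool:
    """Liveness: in an asynchronous network the f faulty replicas may never
    answer, so a quorum must be reachable from correct replicas alone."""
    return q <= n - f


def tolerates(n: int, f: int) -> bool:
    """True when a quorum size satisfying both constraints exists."""
    return liveness_holds(n, f, smallest_safe_quorum(n, f))


def max_faults(n: int) -> int:
    """Largest tolerable f for n replicas; works out to floor((n - 1) / 3)."""
    return max(f for f in range(n) if tolerates(n, f))


def min_replicas(f: int) -> int:
    """Smallest n tolerating f Byzantine replicas; works out to 3f + 1."""
    n = 1
    while not tolerates(n, f):
        n += 1
    return n


def equivocation_witness(n: int, f: int, q: int):
    """Brute-force check for small n: find two quorums of size q whose overlap
    could consist entirely of faulty replicas (overlap <= f).  Returns the
    pair, or None when every pair of quorums contains a correct replica."""
    replicas = range(n)
    for a in combinations(replicas, q):
        for b in combinations(replicas, q):
            if len(set(a) & set(b)) <= f:
                return a, b
    return None


if __name__ == "__main__":
    # n = 3 with one Byzantine replica: majority quorums of size 2 can be
    # split through the faulty replica, so n = 3 is not enough for f = 1.
    print("n=3, f=1, q=2 split:", equivocation_witness(3, 1, 2))
    # n = 4: quorums of size 3 always share two replicas, at least one honest.
    print("n=4, f=1, q=3 split:", equivocation_witness(4, 1, 3))
    for n in (3, 4, 7, 10, 100):
        print(f"n={n}: tolerates up to f={max_faults(n)}")
```

The witness function makes the safety half concrete: with three replicas, quorums {0,1} and {0,2} meet only in replica 0, so if that replica is Byzantine it can sign both outcomes. Raising the quorum to all n - f correct replicas would close that hole but would then violate liveness unless n is at least 3f + 1.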
Oh? I have an intrinsic right to the land that I currently own, the car in my driveway, and the computer I'm typing this on? How did that intrinsic right derive? And why don't I have an intrinsic right to, say, the land of the entire continent of North America?
Property rights are entirely a social construct. They are not intrinsic; they are created and granted solely via the formalizations of that social contract in the form of the state.
It only provides this property when you've secured your keys, preferably in an offline wallet. These were hot wallet funds, so they're vulnerable to both physical and virtual seizure.
Has there been any progress on advancing BEP-46 (mutable torrents) [0] along the standards track? I didn't see any mention of it in this announcement, despite my hopes of seeing it as a flagship feature.
The BEP itself is almost trivial. The difficult work is implementing it in a client that makes it useful for users and content providers.
In the wild west of the internet "update" really only means "add" because you don't want the source you barely trust to provide some data to issue an update that deletes all the previous downloads from that source.
But you also want to avoid wasting storage so some size caps and rehashing old data to see if it's an incremental update will also be needed.