(my day job is developer on the Proof-of-Stake Algorand block chain; I'm a developer, this may not be polished official PR)
Article's theory about malicious old blocks doesn't hold up. Let's say I start a new node and verify history since the beginning. Somewhere along the line I'm connected to a malicious node which hands me a fictionalized block. It would need to have been signed by not just one but about 30-45 accounts _which had stake at that time_. Proof-of-Stake attacks aren't about having 51% of the CPU that overwhelms a Proof-of-Work system, but about having 60-70% of the _value_ in the network. So, if Warren Buffet comes along and wants to spam our network, I guess he could, but that would destroy the network and destroy his value that he sunk into the network. _That_ is a guardrail for PoS systems as much as any crypto or consensus-protocol element (and the algorithms are right, original article misunderstands them).
I would add that the silly argument that a super-wealthy individual or a government could in theory degrade or destroy a transaction platform is applicable, not just to Algorand and other block chains, but also, more generally, to ANY transaction platform.
I mean, if Doctor Evil suddenly decided to spend tens of billions of dollars to destroy the three main credit card networks, he could probably do it. In fact, it might be easier and cheaper than attempting to degrade or bring down a distributed block chain network. The credit card networks are built upon many layers of ancient, pre-Internet technology, full of discoverable vulnerabilities and critical points-of-failure.
But we all know that it wouldn't happen. Doctor Evil would never want to do so, because even him, the most evil person in the world, would still want to be able to use his credit cards to eat out, go to the movies, and order stuff online. Also, he would never want to do something that would make him enemy #1 of every other person in the planet, including every other super-criminal!
What Doctor Evil actually wants to be able to do is figure out ways to steal or get balances from participants in the network without destroying the network: steal poorly protected wallets, hack into poorly secured exchanges, find ways to get blackmail payments on the network (e.g., by launching DoS attacks on the web), etc. The network itself is too useful to everyone for anyone to want to destroy it.
--
PS. For the record: I have no economic connection to Algorand the block chain nor to Algorand the company, but I'm (superficially) familiar with some of Silvio Micali's past work and also, I know one of the company's top executives. In my judgement, the Algorand block chain has great technology, and Algorand the company has really great people. Their main challenge, as I see it, is overcoming the powerful network effects already accruing to other block chains.
IMO people listing things that discourage an attack (people will hate him, his credit cards won't work, etc) are just people trying to comfort themselves. It's like saying, "No one would break into my home because they might hurt themselves breaking in, or I might hurt them, or they might get caught by the police and go to jail. It's just too risky."
At the end of the day, Dr. Evil will gladly spend 10s of billions to destroy the network if doing so nets him 100s of billions. Stop listing reasons people won't attack the network and start listing reasons they would.
That's not what I said. Please don't attack a straw man. My main point was, and is, that the same attack-logic applies to ANY transaction network. The example with Doctor Evil was about other transaction networks.
Why would Doctor Evil attack a block chain network when he could attack global/national/regional credit card/wire transfer/ACH networks, many of which are built upon ancient pre-Internet technology, are full of discoverable vulnerabilities and critical points-of-failure, and are operated by cash-rich financial institutions with liquid, easy-to-short stocks?
You didn’t answer the parent post. Your point was, in game theory, there’s no benefit in attacking the network, or the loss is so huge that it isn’t worth the attack. The parent post gave the counter point that there could be a benefit which we haven’t thought of. If Dr Evil is heavily invested in 2 networks, he might destroy one to focus on the remaining one. The chance of the attack is low but it is not zero.
I addressed it in the first paragraph of my comment above. Let me quote from it here: The theoretical attack argument is indeed "applicable, not just to Algorand and other block chains, but also, more generally, to ANY transaction platform" -- VISA, Mastercard, Amex, ACH, Fedwire, etc. No one disagrees that it is applicable, i.e., a theoretical threat, to all transaction platforms.
Now, if you think such an attack is an important problem for block chains, then you must also think it is an important problem for all legacy transaction networks. Yet we're all comfortable using our credit cards and bank accounts every day, and for virtually all practical purposes, we don't worry about a "Doctor Evil scenario." Why should we think and behave differently for block chain networks?
Moreover, as I wrote before, in practice, legacy transaction networks (like, say, regional VISA networks run by 100-year-old banks) are easier and cheaper to attack. If the Doctor Evil scenario were a real threat, it would be more profitable for him to target one of the legacy networks!
I like this point, but (as I think you are saying as well) it’s true for POW as well, right?
Fundamentally, if there are off-chain incentives to destroy the value of a given blockchain, much of our reasoning about the game theory doesn’t hold up.
Arguably the same thing blockchain tech got away from — a primary stakeholder with a "monopoly on violence" (i.e. a government with armed police et al). If you attack the US banking system, they will stop you in quite short order. The FBI doesn't screw around.
If you attack the blockchain, well ... uh ... the owners will ... be really unhappy with you?
Realistically you're only in trouble for doing that if you're pissing off someone else with "the means to violence". If you screw up money laundering operations for a cartel, then what you're likely looking at is acts of violence between two criminal organizations, but if one of them has the upper hand, they can basically act with impunity.
When you're looking at the "small fry" – individual people with their own bitcoin/whatever stakes? They're just fucked. It's true if someone steals your wallet, but it's also true if someone torpedoes the whole system. That's the cardinal problem with all of these blockchain technologies — by deliberately designing the whole thing to disintermediate the authorities; they accomplished exactly that: there are no authorities to deal with systemic problems.
Everything already has a shorting mechanism. Can you cite a single instance where short-selling has destroyed a legitimate business, ever?
This irrational fear of short selling is such a modern midwit view. There is way more value to fraud on the upside than there is on the downside, and we see that every day.
That first paper describes a scheme whereby investors bought convertible warrants, used naked short selling to drive the stock price down, then covered by exercising their warrants. And apparently in many cases, as documented by the paper, this resulted in a delisting or even bankruptcy of the targeted firms.
The analogy to companies doesn't work because there isn't a legal mechanism by which you can make your short predictions come true. It's illegal to manipulate markets and most ways by which you could destroy a company (without spending more than you hope to gain) are also probably illegal. If you can think of any legal ones I'd be curious to hear.
If it were legal to take a short position in a company and then take actions which blew the company up AND there existed cost-effective ways to do so, then you would definitely have seen more legitimate companies taken down by short-attacks. In contrast, here you have an entity where (a) there aren't the same legal safeguards and (b) there exists a claimed cost-effective way to tank the entity after taking a short position.
If you disagree with (a) or (b) empirically then cool, but it's clearly a totally different scenario to regular companies.
The Algorand PoS consensus protocol assumes that honest nodes use so-called "ephemeral keys" (see Section 5.2 of the white paper). This implies they are supposed to "forget" part of their past state. A malicious node could choose not to forget their past state, thus making double-spend a possibility (assuming an adversary with majority of stake).
Therefore, the formal proof of security provided in the Algorand white paper does not resolve the nothing-at-stake problem, which is inherent to all PoS systems.
This explanation does not make sense to me, which is probably due to my lack of understanding, but perhaps you can expand on this:
> about 30-45 accounts _which had stake at that time_
The way this is stated makes it sound difficult. But if this is false history presented by a malicious node, surely they could make up anything, as the data does not need to line up with any official history at any point. (Without a trusted party, no history line is really official anyway, isn't it?) Constructing a history with 30 accounts with stake at any given point in time isn't any harder or easier than constructing 3 or 3000.
The history still needs to be signed by former stakers to be valid. The "nothing at stake" problem is that a staker might break the rules by signing two mutually incompatible histories. During the staking period, they are strongly disincentivized from doing this because anyone can present proof that they've done so, causing the network to punish them by taking away all the funds they staked. But once that period expires, they can send those funds to someone else, and now they can't be punished. Someone who's sent away their funds is no longer a staker moving forward, but they can still sign an alternate history for the time when they were a staker, potentially fooling clients who haven't connected to the network for a long time.
In practice, among the people who once staked large amounts of a proof-of-stake currency, most of them will probably continue being invested in its ecosystem moving forward. Even if they can't be personally punished for lying about the past, a successful history split would likely reduce the community's confidence in the currency, and thus its market value. Most of those people are also emotionally invested in the ecosystem and would not want to dishonestly subvert it. There will be exceptions. But to create an alternate history you need to subvert not just one validator, but most validators (or rather, validators who together control most of the currency being staked).
This is the “nothing at stake problem” from the article.
Warren Buffet buys up 70% of the network, induces a network partition, and then double spends it all, signing both transaction histories.
By the time he’s caught, he’s converted 2x the value of the POS network to POW bitcoins.
Replace “warren buffet” with “crypto exchanges selling bundled securities”, and the above is not just plausible, it’s inevitable.
The same scam has been run over and over again with conventional banks (who are inevitably bailed out on top of getting to take the money and run), POS just changes the nature of the obscure underlying financial instruments.
A trust assumption of PoS (Proof of Stake) is that >66% of the stake is honest. If you violate this trust assumption then yes PoS breaks. This is a similar trust assumption to requiring that 51% of the mining power in PoW (Proof of Work) is not malicious.
This risk can be mitigated:
1. The network should halt if a fork is detected. A fork with more than 66% of the stake behaving maliciously means a fundamental trust assumption of the network has been violated. Stop everything! Let humans figure out what is going on. I'm not saying every PoS system WILL halt under these circumstances, but as a countermeasure they SHOULD be designed to halt and value safety over partition resilience. Thus, an attacker forking a PoS must never allow parties to see either side of the fork. If a party notices a fork occurs, they will halt and can't be double spent against.
2. Following from 1, how do you prevent parties from communicating and discovering that a fork is occurring? Are you a tier-1 ISP and can control all internet traffic? You can defend against such attacks by making it very hard to hide the presence of a fork via redundant communication mechanisms. For instance the Bitcoin blockchain is broadcasted via satellite, a PoS blockchain could do that as well.
3. Additionally you can require that stakers lock their stake for long periods of time e.g., 6 months. This means that if an attacker wants to perform this attack and truly have nothing at stake they must cause a fork in the chain before the 6-months-ago mark. Parties who are up to date with the latest chain are not vulnerable since they have already accepted the consensus history of the chain. New parties who are syncing for the first time would be vulnerable, however clients could be programmed to have hardcoded 6-month checkpoints or clients could check block explorers and halt if a fork is detected.
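The three countermeasures in the comment above (halt on a detected fork, treat a certified conflict as a violated trust assumption, and pin hardcoded checkpoints for first-time syncers) can be shown in a small simulation. This is an added example, not code from the thread or from Algorand or any other project; the validator ids, stake weights, block layout and the `Node`/`Block` names are constructed for illustration, and a block's "signature" is just the set of validator ids that certified it.

```python
import hashlib
from dataclasses import dataclass

# Constructed validator set (hypothetical ids and stake weights, total 100).
STAKE = {"v1": 40, "v2": 30, "v3": 20, "v4": 10}
TOTAL_STAKE = sum(STAKE.values())


@dataclass(frozen=True)
class Block:
    height: int
    parent: str           # hash of the parent block
    payload: str          # stands in for the block's transactions
    signers: frozenset    # validators whose signatures certify this block

    def hash(self) -> str:
        data = f"{self.height}|{self.parent}|{self.payload}".encode()
        return hashlib.sha256(data).hexdigest()[:16]


def stake_of(validators) -> int:
    return sum(STAKE[v] for v in validators)


def is_certified(block: Block) -> bool:
    # Trust assumption from the comment: a block stands only if more than 2/3 of stake signed it.
    return 3 * stake_of(block.signers) > 2 * TOTAL_STAKE


def equivocating_stake(a: Block, b: Block) -> int:
    # Stake that signed both of two conflicting blocks at the same height.
    return stake_of(a.signers & b.signers)


class Node:
    """A node that prefers halting over picking a side of a fork."""

    def __init__(self, checkpoints=None):
        self.accepted = {}                           # height -> hash of the certified block we hold
        self.checkpoints = dict(checkpoints or {})   # height -> hash shipped inside the client
        self.halted = False

    def accept(self, block: Block) -> str:
        if self.halted:
            return "halted"
        if not is_certified(block):
            return "rejected-uncertified"
        h = block.hash()
        pinned = self.checkpoints.get(block.height)
        if pinned is not None and pinned != h:
            # The offered history disagrees with a hardcoded checkpoint: stop syncing.
            self.halted = True
            return "halted-checkpoint-mismatch"
        held = self.accepted.get(block.height)
        if held is not None and held != h:
            # Two certified blocks at one height means more than 1/3 of stake
            # signed both; the >2/3-honest assumption is gone, so stop everything.
            self.halted = True
            return "halted-fork-detected"
        self.accepted[block.height] = h
        return "accepted"


def run_scenario():
    """Honest block, an uncertified block, then a conflicting certified block at height 1."""
    genesis = "0" * 16
    honest = Block(1, genesis, "tx-honest", frozenset({"v1", "v2"}))                 # 70% of stake
    conflict = Block(1, genesis, "tx-doublespend", frozenset({"v1", "v3", "v4"}))    # 70%, v1 signed both
    weak = Block(2, honest.hash(), "tx", frozenset({"v2", "v3"}))                    # 50%: not certified
    node = Node()
    results = [node.accept(honest), node.accept(weak), node.accept(conflict)]
    # A fresh client shipping with the honest hash pinned at height 1 refuses the conflicting history outright.
    syncing = Node(checkpoints={1: honest.hash()})
    results.append(syncing.accept(conflict))
    results.append(equivocating_stake(honest, conflict))
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The node never chooses between the two certified blocks; seeing both is itself the evidence that the assumption behind the protocol failed, which is the "fuse box" behaviour argued for later in the thread. The checkpoint check turns the same decision into one a first-time syncer can make without having observed the original fork.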
> This is a similar trust assumption to requiring that 51% of the mining power in PoW (Proof of Work) is not malicious.
Yeah, but you're glossing over an important detail: It's not 66% of the stake that has to be good, it's 66% of anyone who has ever staked. In PoW, I only need to trust the miners of today to tell me the truth about what happened today. In PoS, I need that, plus the miners of yesterday, plus the miners of a year ago, plus ..., in perpetuity.
> New parties who are syncing for the first time would be vulnerable, however clients could be programmed to have hardcoded 6-month checkpoints or clients could check block explorers and halt if a fork is detected.
Right, maybe you can elaborate on this. Is checking block explorers a decentralized or trustless solution to, well, anything?
> It's not 66% of the stake that has to be good, it's 66% of anyone who has ever staked. In PoW, I only need to trust the miners of today to tell me the truth about what happened today.
I don't quite get that. As far as I understand it the "nothing at stake" problem works by a malicious party inducing a fork, one of which they double-spend in.
Since it's in the best interest for everyone else to mine both forks, you can force your double-spend fork to become the longest chain by only validating the double-spend fork.
This means you have to trust that nobody part of your current chain has double-spent in this way. But isn't this the same as in PoW where you have to trust that nobody has launched a 51% attack to disrupt the network in the past?
Also, can't you just prevent people from mining all forks? I.e. for becoming a validator you have to deposit X as a security beforehand and you can only earn at most X via staking (so it is in the history before you can attack with nothing at stake). If it is recognised that you mine on more than one fork at a time, you lose the security deposit you gave before the fork. X goes to the person who found the fork, incentivising that the malicious fork is identified on all forks (miners on competing forks are incentivised to look at all forks and quickly add the malicious fork detection for their own benefit). If you want to retrieve your security and money earned, you have to announce this on all forks (you immediately cease to be a validator). You are only allowed to retrieve the funds if it is confirmed on all forks, or the forks are sufficiently behind the longest chain. This allows everybody ample time to look for dual-fork work and also incentivizes rapid solution of forks.
> If it is recognised that you mine on more than one fork at a time, you lose the security deposit you gave before the fork.
Yes, modern proof-of-stake algorithms work this way. The caveat is that at some point (on the order of months later) the security deposit is refunded, and at that point you can lie about the past without consequence. But this is a limited attack: you can only successfully lie to someone who has been offline since you were a staker, or else they would already have a record of the real successor chain (which now has a new set of stakers, who themselves still have their security deposit deposited).
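The slashing scheme proposed two comments up (lose the deposit if caught signing two forks, deposit goes to the finder, withdrawals are delayed) and the caveat in the reply just above (once the deposit is refunded the ex-staker can sign an alternate past, but only a client that has been offline since then is fooled) can be shown together. This is an added example, not code from the thread or from any real protocol; validator names, the HMAC-based stand-in for a signing key, the deposit size and the lock period are all constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed validator keys: an HMAC secret stands in for a real signing key (hypothetical values).
SECRETS = {"alice": b"alice-signing-key", "bob": b"bob-signing-key"}
DEPOSIT = 100        # security deposit X each validator posts
LOCK_PERIOD = 6      # heights a withdrawal stays locked (the comment's "order of months")


@dataclass(frozen=True)
class Vote:
    validator: str
    height: int
    block_hash: str
    tag: str         # authenticator over (validator, height, block_hash)


def _msg(validator, height, block_hash) -> bytes:
    return f"{validator}|{height}|{block_hash}".encode()


def sign_vote(validator, height, block_hash) -> Vote:
    tag = hmac.new(SECRETS[validator], _msg(validator, height, block_hash), hashlib.sha256).hexdigest()
    return Vote(validator, height, block_hash, tag)


def vote_is_valid(v: Vote) -> bool:
    expected = hmac.new(SECRETS[v.validator], _msg(v.validator, v.height, v.block_hash), hashlib.sha256).hexdigest()
    return hmac.compare_digest(v.tag, expected)


class DepositLedger:
    def __init__(self):
        self.deposits = {}    # validator -> deposit currently at stake
        self.unlock_at = {}   # validator -> height at which a requested withdrawal completes

    def stake(self, validator):
        self.deposits[validator] = DEPOSIT

    def request_withdrawal(self, validator, now):
        self.unlock_at[validator] = now + LOCK_PERIOD

    def withdraw(self, validator, now) -> int:
        # Refund only once the lock period has elapsed; until then the deposit can still be slashed.
        if validator in self.deposits and now >= self.unlock_at.get(validator, float("inf")):
            return self.deposits.pop(validator)
        return 0

    def slash(self, a: Vote, b: Vote, reporter) -> str:
        """Evidence = two valid votes by one validator for different blocks at one height."""
        if not (vote_is_valid(a) and vote_is_valid(b)):
            return "invalid-evidence"
        if a.validator != b.validator or a.height != b.height or a.block_hash == b.block_hash:
            return "not-equivocation"
        if a.validator not in self.deposits:
            return "too-late"     # deposit already refunded: nothing at stake any more
        # The finder of the fork receives the forfeited deposit.
        self.deposits[reporter] = self.deposits.get(reporter, 0) + self.deposits.pop(a.validator)
        return "slashed"


def client_accepts(last_seen_height, known_hashes, offered_history) -> bool:
    """A client coming back online rejects any block that contradicts what it recorded before
    going offline; signatures alone cannot tell it which history is real for heights it never saw."""
    for height, block_hash in offered_history:
        if height <= last_seen_height and known_hashes.get(height) != block_hash:
            return False
    return True


def run_scenario():
    real = {h: f"real-{h}" for h in range(1, 11)}      # constructed honest chain, heights 1..10
    ledger = DepositLedger()
    ledger.stake("alice")
    ledger.stake("bob")
    honest_vote = sign_vote("alice", 2, real[2])       # alice's genuine vote at height 2
    ledger.request_withdrawal("alice", now=3)          # alice leaves the validator set
    refunded_early = ledger.withdraw("alice", now=5)   # still locked
    refunded_later = ledger.withdraw("alice", now=9)   # lock elapsed
    # Alice now signs a conflicting block for height 2, with nothing left at stake.
    fake_vote = sign_vote("alice", 2, "fake-2")
    verdict = ledger.slash(honest_vote, fake_vote, reporter="bob")
    # The same evidence presented while the deposit was still locked is punished.
    locked = DepositLedger()
    locked.stake("alice")
    locked.stake("bob")
    early_verdict = locked.slash(honest_vote, fake_vote, reporter="bob")
    fake_history = [(1, real[1]), (2, "fake-2"), (3, "fake-3")]
    return {
        "refund_at_5": refunded_early, "refund_at_9": refunded_later,
        "slash_after_refund": verdict, "slash_while_locked": early_verdict,
        "bob_deposit_after_slash": locked.deposits["bob"],
        "recent_client_fooled": client_accepts(6, real, fake_history),   # knows real-2
        "stale_client_fooled": client_accepts(1, real, fake_history),    # offline since height 1
    }


if __name__ == "__main__":
    print(run_scenario())
```

The two `slash` outcomes are the whole point of the caveat: identical evidence is punishable or worthless depending only on whether the deposit is still locked. The two `client_accepts` calls show why the attack is limited to long-offline clients, and why a pinned checkpoint or any other record of the real successor chain is what such a client needs.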
The original article asserts that this does not work according to their requirements since there's no way to independently verify which is the "real successor chain" - they just have to trust someone's word that chain A is true and chain B is not, and a convincing liar could provide them with opposite data. In schemes like Bitcoin, there's objective validation of the "longest chain" with the most work invested; in your example where would that "record of the real successor chain" come from, and how can it be validated/verified in a decentralized manner in a way that a major ex-staker can't satisfy?
Like, this is trivially solved with a central authority (e.g. have some trusted core developer every day publish a signed message saying "this is the real successor chain"), but it does enable that central authority to arbitrarily bless a fake ex-staker's fork.
> they just have to trust someone's word that chain A is true and chain B is not, and a convincing liar could provide them with opposite data. In schemes like Bitcoin, there's objective validation of the "longest chain" with the most work invested;
Note that in Bitcoin you can have a fork in which both chains have equal length. The idea is that eventually the longest chain will be established, but if say 90% of the mining is malicious that malicious miner could ensure that most of the time both chains are of equal length.
With a PoS fork you can ask, which fork has the most amount of stake voting for it. An attacker that controls enough stake might be able to balance the total stake vote in the same way as a malicious miner could on Bitcoin.
In both cases if the core security assumption of the blockchain is violated, that blockchain should halt until that assumption is made sound again. If someone orphans the last two years of Bitcoin's blockchain something has gone horribly wrong. The fact that Bitcoin now switches to the longest chain doesn't actually address the problem that two years of transactions may have been rendered invalid.
> Stop everything! Let humans figure out what is going on.
What does this mean in practice? Who are these humans? When can the network get going again? Would a consensus rule change be part of it, and what type of changes would be allowed in that situation?
It sounds hard to manage this type of maintenance break in a trustless way. Surely consensus rule changes during outages should not be handled any differently than changes under normal operations.
> clients could be programmed to have hardcoded 6-month checkpoints
Who signs these checkpoints? Once you have established the trust required for checkpointing the entire blockchain regularly, wouldn't it be much easier to checkpoint every block instead and in an instant do away with all the hard problems of blockchain networks?
> What does this mean in practice? Who are these humans? When can the network get going again? Would a consensus rule change be part of it, and what type of changes would be allowed in that situation?
We have a bunch of examples of this happening in practice. The humans are usually a mix of the developers, parties important to consensus (miners, stakers) and big ecosystem players.
> It sounds hard to manage this type of maintenance breaks in a trustless way.
When solving a problem that violates your core security assumption you are no longer in the world of security definitions. It doesn't really make sense to talk about "trustlessness". If the protocol is busted, you need to find a solution and get enough people on board with that solution that you can upgrade the protocol.
> Once you have established the trust required for checkpointing the entire blockchain regularly, wouldn't it be much easier to checkpoint every block instead and in an instant do away with all the hard problems of blockchain networks?
The checkpoints aren't trusted for safety but instead for availability. Instead you should think of them like alarms that "something has gone horribly horribly wrong, stop everything, don't transact, don't move, don't touch anything, pull the e-brake."
tl;dr Much like the fuse box in your house, my view is that checkpoints should turn safety failures (electrical fires) into availability failures (electricity is shut off).
With Ethereum at least, it's proof of work leading up to proof of stake, so you'd have to break proof of work to create a fake early history, so the initial stake has to be legal within the proof of work history of Ethereum.
Unsure how pure PoS chains work, maybe they hard code an early block's hash? Like, it's not a legit xorcist-chain unless block #10 has hash #deadbeef
What if Buffett just wants to see the world burn and doesn't care about getting the money back out?
Or if a nation state or the central banks see it as an existential threat, they could consider it the cost of doing business? Maybe $30B to take out Algo or Solana and destroy trust in all PoS networks? That's a rounding error for them.
> Or if a nation state or the central banks see it as an existential threat, they could consider it the cost of doing business? Maybe $30B to take out Algo or Solana and destroy trust in all PoS networks? That's a rounding error for them.
While you are correct that burning $30 billion dollars to destroy trust in PoS blockchains isn't that much money, I disagree that such an action would actually destroy trust in PoS blockchains. We have seen serious attacks on a number of blockchains, Ethereum for instance had enormous amounts of money stolen or destroyed via weaknesses in the blockchain. Yet Ethereum is still going strong. Bitcoin suffered 51% attacks that were used to perform double spends and Bitcoin is more valuable than ever.
It might be cheap to burn $30B to destroy a blockchain, but what if you burn $30B and the blockchain recovers 12 hours later.
> Ethereum for instance had enormous amounts of money stolen or destroyed via weaknesses in the blockchain.
These weaknesses weren’t due to consensus failures or protocol failures, but bugs in applications running on Ethereum. If Ethereum’s protocol allowed arbitrary funds to be stolen, that could certainly cause a loss of trust.
Most investors don’t care at all and blow off things like “the blockchain you’re using requires this fully centralized component”, but many players in the ecosystem that enable the speculation we see now, do care about protocol safety. If the Ethereum protocol was shown to be unsafe, they’d publicly promote safer alternatives and push their users to move.
"Blockchains get knocked down but they get up again." - Chumbawamba, ...probably
So two of the Bitcoin examples I gave were consensus failures, which already establishes the point, but let's do a very recent example from Ethereum:
A few months ago, in August 2021, Ethereum had a serious consensus failure and about three quarters of the clients in the network and some miners [0] forked off from the miners. How many people even noticed? [1]
> "Ethereum has weathered a bug that split the world’s most-used blockchain and opened up the risk of counterfeit Ether tokens." [2]
The issue at play is that the ability to cripple the consensus of a blockchain for the most part only impacts its availability, not its security or the trust placed in that blockchain. Social consensus can just reset the bad transactions if the theft or doublespend is big enough. We've seen that happen time and time again. They are somewhat robust but highly resilient.
Now it is possible that perhaps someone could perform an action that can not be so easily reset. For instance a huge doublespend where both parties receiving the funds are honest and have traded an object of extreme value for the doublespent funds. That is very hard to pull off. For instance how do you non-reversibly send something of that much value before the fork/doublespend/consensus bug is discovered? If you are moving something worth say 1 billion dollars in a single transaction you should probably be using an escrow service. Perhaps someone will invent a better technique for turning consensus failures into blockchain killers but so far I'm not aware of such a technique.
You said there were “enormous amounts of money stolen or destroyed” as a result of “weaknesses in the [Ethereum] blockchain.”
The consensus issue where one client forked off isn’t evidence of that at all. Even the article you link to says it seems that the network was stable and the impact was minimal. Even in this particular attack, doing a double spend would be rather difficult.
They wouldn’t need to spend money to ‘destroy the blockchain’, just legislate against it. For example, what would happen to the value of crypto-currencies if the US government simply banned them outright for entities within its jurisdiction, and also made it so if any foreign entity touches cryptos they get cut off from the US financial system (similar to how ‘sanctions’ work today). I imagine the destruction would be near total.
It's a temporary state, until the PoS coin market cap gets too large to be attackable. Bitcoin's market cap is in the 1T range now, Ethereum is close to half that. Buffet couldn't do a thing against a PoS coin that large, and it would be a serious commitment and risk even for a nation state. Buffet could take down some random smaller coin, maybe, at the cost of most of his personal fortune, but if he did so the world would not burn.
It's _possible_ that a government might choose to attack a random small coin just to discredit the notion of PoS cryptocurrencies, but it's hard to picture a government gaining consensus to do it, and it would be obvious to knowledgeable onlookers that larger coins are immune (or anyway, much better protected), so the resulting disruption would probably be temporary.
PoS encourages centralized exchange-held staking, which means that there are only a handful of failure/pressure points. In other words, a government doesn’t have to buy 66% of the stake - merely compel the exchanges.
Not when the protocol actively encourages decentralization by cutting off staking rewards to larger pools, like what Cardano does (as one example). Sure, the exchanges can (and probably do) run multiple pools, but so can anyone else, and for far less expense than is required for mining.
> Proof-of-Stake attacks aren't about having 51% of the CPU that overwhelms a Proof-of-Work system, but about having 60-70% of the _value_ in the network.
If a nation buys 2/3 of the coin and destroys the network, investors (as a whole) take a 1/3 loss. Then they can (re)start another PoS coin.
Ironically the nation would be up against the old saying that the market can stay irrational longer than you can remain solvent.
Hell, they might not even take a loss at all. A nation-state-level actor trying to buy a majority of the monetary supply would represent a substantial increase in demand and therefore price.
You've outlined only one, the most obvious and least probable, mode of failure.
The more subtle and wildly prevalent failure mode is that the consensus will be set by the few whales, who will maximize their rent extraction at the expense of numerous small players, which will include most later adopters, aka the entire population of Earth.
It's already visible on smaller scale in DAOs, every vote resembles a banana republic: "90% voted, 90% in favour". No matter what smaller stakeholders do/say, the early big investors and dev team always win. Why would they structure it otherwise? The same dynamics exist in PoS, just not as grotesque.
Perhaps that's OK for a private company governance, but for a global currency?
You want the multibillionaires to dictate the properties of the medium of exchange that serves the entire globe? Seems rather strange that so many have such a burning desire to be governed by someone much richer than them.
And Proof of Work is better because the haves buy equipment the have-nots can't buy to vote?
Unless you have citizenship-based voting of some sort where a single person gets a single vote and they actually vote (automatically I guess, and assuming without delegating to the big whale because "I am bored"), what do you think agreement via resource scarcity implies?
PoW is a service to the network, to create an immutable ledger. It comes with a very real nuclear option that will bankrupt miners if you misbehave and get fired by hashing algo change.
It's just a boring industrial business, like smelting aluminum or iron.
> It's a system with an immutable monetary policy.
Is it though? It seems minor protocol tweaks aren't uncommon and hard forks managing to eclipse the original protocol in popularity are also conceivable.
Every time there is a fork, the market decides how much to value each of the forks.
Personally, I think people will value bitcoin as good money if fiat money fails. And because they are seeking good money, will value the fork(s) that preserve bitcoin's prior monetary policy.
A fork that changes the monetary policy drastically (particularly, changing the 21M cap) would obviously make for bad money in practical terms.
No, not true. Nodes can literally just choose to use the version of software that provides the best money. You can’t choose to use the US monetary policy from 1960, for example.
This has happened multiple times with attempted hard forks of Bitcoin which have failed because once you change the monetary policy once, the promise of hard money effect disappears. So the original monetary policy remains in place and the original network continues as the reigning champion.
I imagine the idea of a hard fork of Bitcoin may become more popular as the supply limit is approached and transaction fees go up. The current transaction fee is only a few dollars but the cost is over a hundred. Eventually the fee will have to cover the full cost and a hard fork may start to look more interesting.
If this happens I can technically stay on the original protocol, but that would be rather pointless if a sufficient majority abandons it.
The natural scenario is that as the mining reward goes down, hash rate will dwindle until mining is profitable again.
The only real problem with that is that with a small hash rate, bitcoin can be attacked more easily.
If bitcoin is the monetary backbone for many nations, they will subsidize miners to maintain the balance of power. That is the actual scenario that I'm optimistically predicting.
If bitcoin isn't the monetary backbone for many nations, by then, then it's probably a failure, and should probably be allowed to die.
It's also very possible that transactions fees alone actually will be sufficient to support a high enough amount of hash power to secure the network.
> It's also very possible that transactions fees alone actually will be sufficient to support a high enough amount of hash power to secure the network.
I have to admit that I have no idea how much work is actually needed to secure the network. My point of view is that the current rate of energy expenditure outweighs whatever benefit Bitcoin does or could provide to society. But if this rate is a transient result of still-significant minting going on, things could definitely look different in the future.
Do you know of any analyses on how much work really has to be continuously expended in order for Bitcoin to remain reasonably secure at a given market capitalization?
I don't see why many nations would jump at the opportunity to make Bitcoin their monetary backbone. For example because an immutable monetary policy won't be seen as a feature.
> For example because an immutable monetary policy won't be seen as a feature.
Each nation would love to be able to manipulate the supply itself—why not, if people will let you get away with it?—but the fact that other nations can't do the same could be seen as a feature.
If that's how it's going to work, what stopped nations from making a treaty in which everyone commits to an immutable monetary policy so far? And how does Bitcoin result in whatever it was not being a showstopper anymore?
Many countries already use money internally such as the USD (outside the US) or Euro (outside the EU) for which they do not control the policy. Explicit agreements to use a common currency across nations and share control of the policy are relatively rare; no examples come to mind apart from the EU, and that hasn't always gone according to plan, as Greece can attest. But hard currency is still a fairly common basis for exchange between nation-states, and other countries' currencies are more likely to be adopted when they are governed by relatively immutable policies. Of course, if those policies change to be less immutable it can take time for the effects to manifest. The USD was relatively stable until recently, but other countries are probably reconsidering their dependence on it at this point given the increase in the supply over the past few years.
If Bitcoin does eventually become a common instrument of trade at this level it will fill the same niche currently occupied by gold and other precious metals.
I wouldn’t worry about it. Bitcoin incentivizes energy development. As the world moves to a Bitcoin standard, we will unlock new types of energy that were previously unproductive. It’s likely that energy will be cheaper and more plentiful under a Bitcoin standard, leading to downward pressure on transaction prices as mining is more economical. Also, more transactions are likely to move off chain to Lightning Network and sidechains.
Still plenty of scaling left in the Bitcoin ecosystem.
Bitcoin proof-of-work difficulty must always increase, the electrical needs are always ever-growing.
While you claim that incentivizing electrical production is what POW does, in reality it is a large drain of electricity on a finite electrical grid's capacity and it DOES take away from other uses of electricity LIKE aluminum smelting or running hospitals. It is an active and actual source of pollution and uses more electricity than most countries. You can’t handwave this away or insist upon your rhetorical framework when the apparent physical real world consequences of POW cryptocurrency cannot be evaded or ignored.
The difficulty does and has (in the short term) decreased when the amount of hashpower being used goes down.
Presumably if the price went down by a substantial chunk and stayed down for a while, the hashpower would also decrease, and so the difficulty would also decrease.
Also, if electricity prices went up, or if CO2 emissions were taxed, then hashpower would decrease, and the difficulty would go down in turn.
Bitcoin difficulty does not always increase and need not always increase.
As for the rest... so what? It uses a lot of electricity and there is some pollution---but a lot of bitcoin mining is done with hydro or geothermal (and will be nuclear if bitcoin continues to grow), so, so what about some pollution?
Some mining is powered sustainably. And for some of THAT power it is true that it wouldn't be used for residential anyway. But for the majority of BTC's power needs the sources are not renewable.
So there's a simple question: how much value do we get out of this tech per CO2e it emits and per ton of e-waste it creates. And AFAICT the answer is: not enough to keep tolerating it in a time where humanity as a whole is seriously worried about climate change for the first time ever.
If you can magically move _all_ the miners to sites with excess renewable electricity and permanently slash the hash rate by 99.9% then maybe it can be tolerated. Until then I would welcome more China-style crackdowns on mining activity across the world.
I can't tolerate the global exploitation of non-ruling people in every nation by their rulers via fiat money manipulation. (And every nation calling itself a "democracy" is actually a "bureaucracy.")
If you aren't upset about this, you probably haven't studied it. I say that in a spirit of helpfulness. Fiat money grossly distorts all of humanity's economic output and therefore retards our progress on all things, including fixing climate problems. Just one example: The US is becoming a nation of renters because enormous funds are buying up the houses with fiat money they borrow nearly for free.
Fortunately, with bitcoin, we can do something about that, without (eventually) harming the environment.
I don't see how cheaper energy would help. Bitcoin needs a certain amount of power in units of cost to be tied up mining to secure the network. If the cost of energy goes down ten times then the same PoW requires ten times the energy.
I agree with this. Just want to add, bitcoin mining can happen in remote locations with available power (hydro, geothermal) which are too far from cities to be transported by power wires. There is a limit to how far you can transmit electricity through wires. So, there are tons of untapped natural energy sources.
And precisely in places like these, such as Niagara Falls, you see coin mining displacing tangible goods production due to both needing cheap electricity and one being more profitable than the other. In this case the market is not thinking very clearly in long term priorities, nor is infinite development of hydro and geothermal possible. Actually, this is about realizing that we live on a finite planet with finite resources that a finite amount of humans can finitely exploit finite parts of before the whole thing goes catawumpus.
POW and current cryptocurrency systems are thoughtlessly and needlessly wasteful and represent inelegant architecture and brute force hackery like Lightning to correct what ultimately isn’t scalable: blockchain ledgers and fast transaction speeds vs centralization and speed. Look at DNS, for example, and how slow that is, and its architecture and full vs partial copies of ledgers and hierarchical canonical lookups etc.
Everything is mutable with the possibility of physical destruction and long time scales. Even the existence of humanity is mutable when we play stupid games in MAD geopolitics, have foolish energy policy, and lack an ability to cooperate to mitigate tragedy-of-the-commons problems like, for example, what Proof of Work is causing.
If we do not bound the growth of PoW energy usage, I think it could easily destroy itself in a roundabout way: by destroying the fragile global order that keeps humanity going.
It's burning electricity (that could in an ideal world be renewable, maybe one day) to provide a service to the network, therefore making it more secure by providing additional processing capacity that is controlled by a good actor, making it harder for a bad actor to get 51% of the pie. It is a waste, but there are also a lot of other sources of wasted resources/energy that we could tackle first and get larger returns from.
You get compensated for your service, it may seem like a lottery, but if you do it for a long enough time, you'll get fairly steady returns as in theory it should be random and proportional to your hashrate.
I don't mine, and I think it's definitely overhyped at the moment, but maybe it will settle in the future and actually provide a useful service to us folk. It doesn't seem to be going away for now, and it is really easy to send money to friends and family, whether they're nextdoor or in another country.
It is not a waste, as it provides physical security, exactly the same as idle nuclear missiles on standby do, or standing armies that are "doing nothing", until a war happens.
The vast majority of mining today uses sustainable energy (70%+), because it is actually cheaper.
Dishwashers and heated swimming pools use WAY more energy globally, but because pleasant luxuries are quite enjoyable, nobody seems to attack them.
> It is not a waste, as it provides physical security, exactly the same as idle nuclear missiles on standby do, or standing armies that are "doing nothing", until a war happens.
You don't think those get very wasteful in the real world? And there's no equivalent to a real war situation. You can set it up so you don't need to defend against the equivalent of enemy armies.
> The vast majority of mining today uses sustainable energy (70%+), because it is actually cheaper.
What kind of sustainable?
When miners locate next to hydro, and buy it up, that doesn't help anything. That hydro could have been sold as somewhat less cheap power elsewhere, after going over long wires, and then it would have reduced the load on coal plants.
Miners that eat up excess solar can theoretically do a lot to encourage the installation of solar, but they need to be happy letting their machines be turned off a large fraction of the time. If it's still profitable to run 20 hours a day, then they're still encouraging fossil power plants.
> Dishwashers and heated swimming pools use WAY more energy globally, but because pleasant luxuries are quite enjoyable, nobody seems to attack them.
Dishwashers are better than hand-washing, aren't they? Having plates is a lot more important than running cryptocurrencies in a particular way.
If heated swimming pools use that much, then sure let's go after that and use some kind of billing or taxes so they pay extra and encourage sustainable power sources.
I disagree that standing armies and nuclear weapons are a waste. They guarantee your security, which you seem to take for granted. Your views on this could change if you spend a few years in a warzone under artillery fire.
It is of course not a 100% perfect analogy, nothing is, but I believe you understood the point I tried to get across: it's a security service, and that costs money. Blackwater stationary guard roles are 180-220k a year for someone with years of experience. I'd imagine monetary networks use a lot of physical security, some central banks are literally located in bunkers under mountains, with a backup site in a similar setup on a different geological plate.
I have not seen any PoS schemes so far that provide anything other than plutocracy as a service. There is a reason why ETH with a 100mil R&D budget is still on PoW, Vitalik is not a dummy.
As for the cheap sources of sustainable energy, those are usually stranded hydro and wind that's too remote to be economic, and stranded natgas (for natgas "green" might be a better term, I've used sustainable in the sense that CH4 is far more damaging than CO2. I've been told by regulators it is actually better to burn off CH4 from stranded wells)
Balancing of the grid also does happen, but I believe primarily with wind and hydro.
I, of course, agree that we should not pollute the Earth we live on. High energy usage in itself is not bad, only if it's a harmful polluter. I've only pointed out dishwashers and pools (don't have the stats handy, but they do indeed use a lot more, like a magnitude more), as a common hypocrisy.
We must rapidly scale up non-polluting energy sources, as it seems unlikely humanity can become a spacefaring species on a self-imposed tight energy budget, and this self-imposed handicap coupled with an unexpected asteroid impact can end us.
Pools in the US use 14 billion kWh; it's hard to imagine it being even global orders of magnitude more than Bitcoin.
It's also hard to see how push button Armageddon has possibly made us more safe than nobody having nukes. We are only more safe than if only our enemies had them. The same could even be said of armies.
> but they need to be happy letting their machines be turned off a large fraction of the time
Or they need batteries. Or some other means of energy storage, for that matter; at the scale of a large mining farm, thermal (e.g. heating water) or kinetic (e.g. spinning a flywheel) might be practical.
> The vast majority of mining today uses sustainable energy (70%+)
Do you have a source for this? I remember the same number being flaunted before but it turned out not to be true. What was true was that 70%+ of miners use any amount of renewables in their energy mix.
Armies have to practice. Smart generals don't let their armies do nothing; to be any good at warfighting, they have to fight wars. Effective standing armies have to constantly be finding new wars to fight.
Nice to see you rationalizing expenditure that goes towards murdering people. Are you the people talking down to bitcoiners about being wasteful and not caring about future of humanity? Give me a break.
How many people aren’t murdered because of armies though? Humans have been grouping and fighting each other for thousands of years now. You’re under the impression everyone should just… what… pretend it doesn’t happen?
When attacking a neighbor state costs more (because your neighbors have arms too), it’s less likely to happen.
The cold war had plenty of awful hot action with proxies and third parties but the entirely hot version obviously would have been far more calamitous.
I suggest reading Herodotus’ Histories, or you can read up on Genghis Khan, Napoleon, Hitler, Alexander, the Crusades, or the myriad other conquerors and conflicts that have occurred.
PoW produces something intangible. You're probably basing this on an assumption that tangible products are more worthy or justifiable of resources consumed than intangibles.
If you work with software development - which you probably do - I'd suggest checking what you do for a living, how much energy it consumes and how much physical product it generates.
That argument could even be somehow valid if it were only possible to demonstrate that these intangibles improve life for people, like contributing to food, housing, education or even only entertainment. They do not. We do not have to care for those who are affluent enough to burn electricity just in order to gamble. Those people have the resources to gamble in less harmful ways without raising electricity prices and polluting the air the way they do. Those people could even do something helpful and productive if they chose to. Cryptomining is wasting energy for the sake of wasting energy. You may argue we (the 99.999% who do not cryptomine) are too stupid to see the value of your imaginary intangibles but that's not true. We are the ones who want no part in a pyramid scheme, who do not want to succumb to gambling, and whose time and money are too scarce and too precious to be put on the line. Sure, all activity has its price, its waste, and sure, there are other occupations whose overall usefulness is doubtful and askew with the accompanying resource consumption. Doesn't mean you have to excuse bad behavior just because there are other guys doing no good.
Just as an aside, when you move a newspaper or a magazine from print to only existing as a web page, you certainly have 'dematerialized' it to a degree. However you still need hardware to keep and display the data and energy to move it around and light up the screens. In so far it does not stop being physical. The 'intangible' is somewhat of a red herring. Yes, it is less haptic, but it's still physics, physical all the way down. Other than that, currencies, freedom, equality, education, entertainment—we've been having intangibles all the time, at least from the dawn of human culture onward. Cryptomining does not bring anything genuinely new to the table in this respect. It's not even new in being a fraudulent, volatile scheme that betrays traits of a cult, one that benefits a few and hurts the many.
Perhaps we should insert humans in the loop, to verify whether useful work was performed.
Or some AI because humans are prone to bribery to some extent.
Or we could make it democratic. "Jeff Bezos asserts that he provided useful work for society and that he therefore deserves $1B this year. Please cast your votes".
PoW should actually stand for Proof of Waste. It's not even unprecedented in nature: many species will intentionally waste energy or resources to demonstrate mating fitness, as with a peacock's tail.
I'm less concerned with wasting resources (which is highly subjective), than with ecological and systemic harms. I don't care whether a terawatt is "wasted" on pointless SHA256 hashes, or calculating triangles for Yet Another Marvel Movie, so long as the externality is being paid for [0].
At the limit, proof of work and proof of stake converge - they are the same thing, except for the Kazakh coal that is burned in the former along the way.
PoS staking is simply committing a portion of your capital to the task of validating transactions. You benefit by receiving a reward in the form of additional tokens.
In a PoW system, the same exact thing can be accomplished by using your tokens to purchase a stake in a mining pool. You will similarly be unable to access your capital, be rewarded with additional tokens, and at the end of a period of your choice, you can liquidate your position in the mining pool to reclaim your tokens.
[edit] PoW in this context is a bit worse because PoW miners can rent out their hash power maliciously without being slashed.
In this world, the "nothing at stake" problem also manifests in proof of work, where I believe ownership in the mining pool makes you agnostic to the outcome of any chain splits - although I'm still working this bit through in my head. Opinions welcome!
> PoW in this context is a bit worse because PoW miners can rent out their hash power maliciously without being slashed.
Sounds wrong. Slashing is a means to prevent people from staking on multiple chains. In PoW, computing power is scarce, so if you allocate some compute time to one chain then you have less of it on another chain. You automatically get slashed. The difficulty in designing a PoS chain is in artificially re-creating this slashing and thereby solving the "nothing at stake" problem.
In a blockchain, the chain keeps splitting. Your tokens live on multiple competing chains simultaneously. In PoW, you are forced to pick one of those chains to mine on. In PoS, you can stake on all of them simultaneously.
The splitting is unavoidable and happens constantly. Multiple competing future states are constantly being created, and the network has to eventually arrive at a consensus about which possible future is the true one.
> Where is the difficulty in making miners expend their tokens (i.e. in a way that is irrevocable) instead of merely depositing them somewhere?
Figuring out how to make spending your tokens irrevocable is the whole point of PoW/PoS. Your question reads to me like "In trying to solve problem x, why don't you assume that you've already solved problem x, and use that to solve problem x."
What if I create a whole new chain? Will the transactions at the very beginning of that chain have to be added to the big, old chain? How far back do the common ancestors of two chains have to be for your auto-merging to happen? What happens if two histories conflict? Then in Version Control parlance, we have a "merge conflict".
If you spend more tokens than the tokens that were spent mining the last two blocks you can erase the transactions in those blocks, but isn't that also the case with PoW?
Yes, I read it. As far as I can see, it talks about 'staking', so it doesn't address what happens when the tokens are 'expended' as opposed to 'staked'.
You have two competing chains: chain 1 and chain 2. On chain 1, you spend a token on a good. On chain 2, you spend no token. You wait for chain 1 to win the race. You then stake on chain 2 to get your money back. If chain 2 then overtakes chain 1, you've executed a double-spend attack.
An equivalent attack wouldn't work on a PoW chain. If you do the equivalent of "staking" on chain 2, then you're computing hashes, which is costing real-life resources. In the PoS case, without slashing, staking on chain 2 is free. In fact, this is the rational move to make every time you spend a token; stake on competing chains to get your token back.
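The fork scenario just described, as an added simulation that is not code from anyone in this thread: a validator votes for competing blocks at the same height on two forks, and the toy shows why, without slashing, that second vote costs nothing, and how a node detects the equivocation and burns the stake when slashing is on. The validator names, stakes and keys are constructed, and HMAC stands in for a real signature scheme purely so the example runs offline.

```python
"""Toy proof-of-stake fork simulation (added example, not code from the thread).

Models the double-spend described above: a validator with stake votes for
competing blocks at the same height on two forks ("nothing at stake") and
shows the mitigation the thread calls slashing. Any node that sees two
signed votes from one validator for different blocks at the same height
holds a self-verifying proof of equivocation and can burn that stake.
Validators, stakes and keys are constructed; HMAC stands in for a real
signature scheme only so the example runs offline.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed validator set: name -> (stake, signing secret).
VALIDATORS = {
    "alice": (40, b"alice-secret"),
    "bob": (35, b"bob-secret"),
    "carol": (25, b"carol-secret"),
}


@dataclass(frozen=True)
class Vote:
    validator: str
    height: int
    block_id: str
    sig: str


def sign_vote(validator: str, height: int, block_id: str) -> Vote:
    """Produce a vote for block_id at height, authenticated with the validator's key."""
    secret = VALIDATORS[validator][1]
    msg = f"{height}:{block_id}".encode()
    return Vote(validator, height, block_id, hmac.new(secret, msg, hashlib.sha256).hexdigest())


def vote_is_valid(vote: Vote) -> bool:
    expected = sign_vote(vote.validator, vote.height, vote.block_id).sig
    return hmac.compare_digest(expected, vote.sig)


class ForkChoice:
    """Counts stake-weighted votes per fork and optionally slashes equivocators."""

    def __init__(self, slashing: bool):
        self.slashing = slashing
        self.stake = {name: stake for name, (stake, _) in VALIDATORS.items()}
        self.first_vote = {}   # (validator, height) -> block_id seen first
        self.votes = {}        # block_id -> set of validators backing it
        self.slashed = set()

    def submit(self, vote: Vote) -> str:
        if vote.validator not in VALIDATORS or not vote_is_valid(vote):
            return "rejected: bad signature"
        key = (vote.validator, vote.height)
        prior = self.first_vote.get(key)
        if prior is not None and prior != vote.block_id:
            # Two valid signatures from one validator for different blocks at
            # one height: proof of equivocation that any node can check.
            if self.slashing:
                self.slashed.add(vote.validator)
                self.stake[vote.validator] = 0
                return "slashed: equivocation"
            # Without slashing the second vote is free and simply counts too.
        self.first_vote.setdefault(key, vote.block_id)
        self.votes.setdefault(vote.block_id, set()).add(vote.validator)
        return "accepted"

    def weight(self, block_id: str) -> int:
        return sum(self.stake[name] for name in self.votes.get(block_id, set()))


def double_spend_scenario(slashing: bool) -> dict:
    """Alice pays on fork c1, then also votes for fork c2 where the payment never happened."""
    fc = ForkChoice(slashing)
    fc.submit(sign_vote("bob", 1, "c1"))
    fc.submit(sign_vote("carol", 1, "c1"))
    fc.submit(sign_vote("alice", 1, "c1"))
    outcome = fc.submit(sign_vote("alice", 1, "c2"))
    return {
        "alice": outcome,
        "c1": fc.weight("c1"),
        "c2": fc.weight("c2"),
        "alice_stake": fc.stake["alice"],
    }


if __name__ == "__main__":
    for slashing in (False, True):
        print("slashing" if slashing else "no slashing", double_spend_scenario(slashing))
```

Without slashing, alice's stake is counted on both forks and she keeps all of it; with slashing, the second vote is the evidence that removes her stake from every fork, which is the PoS substitute for the cost a PoW miner pays in hashes when splitting effort between chains.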
There was a PoS mechanism that makes people who cheat lose all their coins? I wonder if it is relevant here
... Aha, that's "slashing" -- the other members in the network would look at the two chains, and notice that you were misbehaving, and add transactions that remove parts of your coins? (They'd add to both chains? Or just the winning one?)
The fork-wars of old will never happen again, IMO, on any chain of significance. These days, fork winners will be decided by the stablecoin operations they host. If ETH forks, for instance, hash power will follow whichever chain Jeremy Allaire deems the winner.
It’s not. There is a huge gulf between Bitcoin and the rest of the crypto space. Bitcoin is certifiably decentralized hard money with an ossified monetary policy. I believe it is reasonable to conclude that something like Bitcoin can only happen once. The rest of crypto space isn’t really trying to be money, or is only pretending to be.
Regardless of Monero's technicals, new upcoming updates to BTC will infuse with privacy, therefore making Monero et al redundant.
BTC is also getting smart contracts soon, which makes ETH redundant as well, but it will take a while before it catches up in terms of possible complexity of the contracts.
It's probably not renewable (well, neither is the Sun on large enough timescale), but do you believe nuclear, either fission or fusion, will play a large role in the future?
You make it sound like I need a new hobby - which I might haha.
> Do you consider nuclear energy sustainable?
Low-carbon, yes. Sustainable, yes. Renewable, not until we productionize extraction of uranium from seawater. [1]
> ... but do you believe nuclear, either fission or fusion, will play a large role in the future?
Fusion if we can crack it, totally. Seems like a clear winner. Fission probably will if there's some political will behind it, but not unless there's a change in sentiment.
> of which the following sources are considered to be renewable
In other words, it attempts to define the word "renewable" along favoured political ideologies.
From Wikipedia:
> Advances in breeder reactor technology could allow the current reserves of uranium to provide power for humanity for billions of years, thus making nuclear power a sustainable energy
TL;DR: nuclear is just as renewable as solar (beyond any likely duration of the human civilisation).
I saw the renewability as more of a thought exercise, because I agree with you, there's more than enough nuclear feedstock to keep us going indefinitely.
Fork wars have shown in practice this isn't the case.
Status quo will be incredibly difficult to overcome for attackers, even with a large chunk of industry, exchanges, miners and whales against the status quo, it prevailed.
> Proof of Work does not get you any votes at all.
Hmm, maybe I’m ignorant, but in practice, don’t miners (socially, not technically) have substantial say in issues like the block size debate?
If you want to create a hard fork of the chain for any reason, whether people accept your fork as legitimate will in part reflect the total hashing power of that forked chain, right? So in practice what miners choose to follow will have a big impact.
Maybe not quite the same as PoS in-chain voting, but it still seems to give large miners outsized power, no?
> It comes with a very real nuclear option that will bankrupt miners if you misbehave and get fired by hashing algo change.
Changing the hashing algo isn’t a realistic punishment for targeting misbehaving miners.
You end up with two choices:
1. Change to an algorithm that uses gpu/cpu instead of ASICs (and is ASIC-resistant), but then your algo runs on general-purpose computing and you can’t fork miners off ever again.
2. Move to another algo that benefits from ASICs. This has the extra overhead that you need to spin up manufacturing and distribution of these ASICs to honest miners, which takes quite a long time to do and while you’re waiting, your network is being attacked.
In either case, you aren’t just punishing a misbehaving miner, you’re punishing *all* miners who now all need to get funding to buy and rack new hardware. You’re making a big assumption that the misbehaving miner won’t be able to get financing or sufficient capital while the honest ones will. If the dishonest miner’s attack was profitable while waiting for the fork, they get to keep all of that money and can spend it on new hardware.
In PoS, the attacker will lose their stake, meaning they lose the money they had before, and earned as a result of, the attack. It may be much more difficult for that validator to get access to capital and lenders will be hesitant to lend to an entity that now has a history of burning capital.
...just re-using the terms for continuity and simplicity's sake.
Yes, a PoW algo is probably a better generic term, although I am not confident complex algos would be accepted as first-line replacements by the wider community.
Some of the hashing functions used with hashcash are exceedingly complex, such as RandomX used in a popular coin. Even scrypt, an extremely popular choice of hash function, is relatively complex, long after its 128KB memory footprint briefly served its purpose of resisting ASICs.
You're right that Bitcoin will never accept a change of PoW. At least not until SHA256 shows signs of being broken.
Nonsense. Mining gives you zero votes. Miners don’t control the protocol. Governance is not determined by hashrate. This is just another major flaw that all PoS shitcoins have.
No one is talking about governance. The term "consensus" refers to the decision about which transactions to append to the ledger, and the decision is to go with whatever set of transactions the miner that has spent the most money has chosen. It has nothing to do with governance issues.
Then if you're not talking about governance, you're still wrong. There's no voting, only if you insist on re-defining what words mean, at which point I won't be interested in continuing the discussion.
Of course there is voting. Who do you think decides which transactions go in the chain, and in what order? The miner who wins leader election during this round (in Bitcoin anyway) does, and the rest of the nodes decide whether to accept its vote. The other nodes can also choose to reject this vote for a while, as long as after seeing it they don't accept a chain with less hashpower, and still follow the protocol (more or less).
The leader can even opt to put no transactions in the current block, something that has actually happened on many occasions: https://www.theblockcrypto.com/post/67928/bitcoin-miners-are.... Obviously, the leader was making a decision here, there were not actually zero transactions to process :)
No, there is no voting and there is no leader election. Miners construct blocks with transactions and if they manage to find a signature - that block is appended to the chain. If somebody does it faster - they append their block.
Please at least get the basics before you start arguing with people.
What, exactly, do you think the purpose of computing a SHA prefix is? It's to perform distributed, decentralized leader election. The leader who wins has the privilege of proposing the next block. "If somebody does it faster" is the voting aspect--nodes vote on who they think did it faster, and it is quite possible that they disagree (which can only be resolved by another round of leader election, since the next leader can choose which block to continue from). In the event that there's a longest chain, of course, nodes will go with the longest chain as a tiebreaker scenario.
I know far more about Bitcoin than I ever wanted to, believe me. You really should not be making these kinds of ad hominem arguments when you don't understand terms like "consensus" or "leader election."
> The leader who wins has the privilege of proposing the next block.
No, the hash that you win with, deterministically points to the only possible block that you can “propose”. Your understanding is completely backwards. You seriously don’t know how bitcoin works.
Whether leader election happens at the same time as the block is proposed or not is completely irrelevant to the nature of the problem from a distributed systems perspective. The point is that in each round, the leader both wins the election, and proposes the next block. There are other variants of proof of work in which the leader is allowed to continue generating new blocks for a period of time and (AFAIK) these inherit all of Bitcoin's security properties.
Here is my question to you: if the node that wins the election (and the ones that accept its mined block, of course) is not the one voting on which transactions get to go into the chain, rather than be stuck in the mempool somewhere, who is? Do you genuinely think there is no decision being made there?
You're confusing the discussion by trying to force the "leader" terminology. That term does not appear in the BTC whitepaper and the protocol's approach to consensus is different than a traditional leader elected system.
There is no "voting" and no "leader" except in the most abstract sense and I'm not sure why you're so determined to use those terms.
There is no leader election. You trying to insist on this terminology is like trying to explain that the earth is really flat by proposing some very special space metric.
All miners “vote” by hashing and one of them wins. They don’t win because somebody voted for them, they win because they happened to find a satisfactory hash. The chance to win that hash faster than other miners is proportional to hashrate. The hash is determined by the block of transactions entirely, so once you win the race, you don’t get to propose anything other than that one predetermined block.
Which transactions go into a block is decided before any mining for that transaction happens.
You're coming off worse in this argument because you seem to realize on some level they're just using different (possibly wrong) terms in their accurate description of the mechanisms, but then you keep making snide remarks that imply they don't understand the mechanisms.
I in fact do insist on them not understanding the mechanism. Trying to force incoherent terminology is just the largest red flag signifying that lack of understanding. The snide remarks are my bad, I definitely lost my patience; it's hard to argue with somebody saying that the sky is pink because they've changed what pink means.
Red flag, sure. But when they say things like "The peer-reviewed paper to which I linked, which I am not proposing as a replacement for Bitcoin, explains (to those who are willing to read it) why the block being chosen before or after the leader election does not matter when it comes to the security and consensus properties of Bitcoin." it seems very clear to me that they do understand the mechanism, despite that red flag.
I think your analogy to flat earth was better. Because sure, treating the earth as flat isn't correct, but it's often a perfectly good approximation, and arguing about whether a big field is flat or not is a giant waste of time. Don't completely dismiss someone because they use those terms.
"Leader" or not, it's basically equivalent. And the process of letting miners input yes/no values for whether they support a proposal into their block, averaged over thousands of blocks, gives you the same result as "voting". So talk about whether those results are useful.
There are variants of PoS where stakers can delegate their "votes" to other stakers and there are variants where validators compete for "leader" timeslots. These words carry certain meaning and none of it is useful or applicable to bitcoin. As with the flat earth analogy, I agree that it's possible to have this perspective, I just think it's harmful for conveying the idea of bitcoin correctly.
> No, there is no voting and there is no leader election.
Every 10 minutes a miner wins the right to append a block to the chain, by guessing a secret number. The chances of winning are proportional to the amount of money each miner has expended in the process of guessing the secret number. This is equivalent to holding a vote every 10 minutes in order to choose who gets to append the transaction block. Therefore, you're wrong. There's a vote. And if you can't understand this obvious fact about bitcoin, you have no business discussing bitcoin.
Obviously I can’t change your decision to use this terminology, but ponder this: when the leader is elected every 10 minutes, do they get a choice of what block they append to the chain? No they don’t. So was it election of the leader or election of the block? And if it was an election, wouldn’t the result always be the same with largest miner always winning because they have most votes?
As I said in a sibling thread, it’s like arguing the earth is flat by proposing a very special metric of space. Feel free of course, I just don’t accept it.
> when the leader is elected every 10 minutes, do they get a choice of what block they append to the chain? No they don’t.
Yes, they do get to choose the block. Transactions to include in the block are (usually) chosen from the mempool, which is unique per node (it’s similar but never exactly the same between any two nodes). Miners can also choose to include transactions that were never publicly broadcasted, and therefore never appeared in another mempool. Typically the transactions with highest fees are chosen, although fees can also be paid (or bumped) outside the mempool.
The miner of a block doesn’t get to choose the contents of every transaction, but they do choose which transactions to include when they win a block.
It seems like you’re hung up on terms that aren’t commonly used in the context of bitcoin mining, but are valid and are commonly used in the broader context of distributed systems.
> do they get a choice of what block they append to the chain? No they don’t.
Of course, they have a choice. If they didn't, miners would serve no purpose. We would just have one block and that would be the block that would be appended. The consensus would be achieved automatically, without any need of guessing secret numbers.
> And if it was an election, wouldn’t the result always be the same with largest miner always winning because they have most votes?
No, because the miner is elected at random. The crucial point to understand is that their chances of getting elected are proportional to the money they spent. That doesn't mean the largest miner will get elected 100% of the time.
a certain hash wins, every ~10 minutes. that hash is calculated from sha(block, nonce), where nonce is the randomized part that miner mutates to get different hashes. once a hash that satisfies the protocol is found - that's it, you can't choose a different block to append to the chain.
it is just laughable that i have to explain this level of basics.
Okay, and who chooses the block? (Hint: it's the node that wins leader election).
Maybe this article will help you understand just how nonessential the fact that the block is part of the SHA actually is: https://www.usenix.org/system/files/conference/nsdi16/nsdi16.... Please read the whole article, and then come back so we can have a discussion on equal footing.
well certainly not the winner of the "election", because by the time that "election" starts, the block is already constructed.
and i'm not going to read any of your links until you actually start understanding the basics of bitcoin protocol. though your lack of understanding explains perfectly why you fall for scammy bells and whistles of competing bitcoin-wannabes. "bitcoin new generation". lol, give me a break.
The peer-reviewed paper to which I linked, which I am not proposing as a replacement for Bitcoin, explains (to those who are willing to read it) why the block being chosen before or after the leader election does not matter when it comes to the security and consensus properties of Bitcoin. It is important for you to understand that this does not matter so you can understand why when the block is chosen does not change the fact that leader election is being performed.
Again, I'll ask you, since you keep dodging the question: if the node elected as leader is (according to you) not choosing the block, who is choosing the block? Why are you so obsessed with whether the value was chosen "before" or "after" the election, which is an irrelevant detail of the protocol? If you can't answer these things and won't read the paper, I don't really see any reason to keep talking to you, because all you've done is make the same irrelevant point over and over.
> when the leader is elected every 10 minutes, do they get a choice of what block they append to the chain?
and the answer is yes, the miner that gets elected chooses which transactions to append to the chain. Do they pick the transactions after getting elected? No, they pick them before getting elected. In fact, it doesn't matter whether they pick the transactions before or after getting elected, because their chances of getting elected are unaffected by which transactions they picked. Therefore, it makes absolutely no difference. The fact that you think it makes a difference tells me you're very confused about the role miners have in the bitcoin network.
The "leader" has no choice after they win the current round but they do have a choice as to what to include in the winning block before they start hashing.
Maybe they act like all the other rational miners and optimize by mining fees.
Maybe they include no transactions and only take the miner reward.
Maybe they don't like the Dutch so all their transactions are excluded.
It really doesn't matter as all y'all have been arguing over is what to call the person who won the current round.
I think you're missing the larger picture of accruing blocks over time, and deciding what is the "canonical" largest chain.
A miner can choose which block to build on. At any given moment Bitcoin can have several competing "in progress" forks. This is why most exchanges require... 7, I think?... blocks on top of yours to consider the transaction more or less confirmed.
> And if it was an election, wouldn’t the result always be the same with largest miner always winning because they have most votes?
Yes, this is a 51% attack in Bitcoin. If you have a majority of votes, you can disregard the current chain, fork from behind, and catch up.
I’ve been reading this thread. I have no idea why these people insist on using the word “leader” when it doesn’t fit. Is there some ideological reason for this?
There is no "ideological" reason. I don't even own cryptocurrency. It's just a fact that the entire purpose of proof of work is to perform leader election. The defining characteristic of leader election is that only the leader commits new values, and there should only be one leader eventually chosen for a given round; the definition has nothing to do with using some sort of majority vote or anything like that. To see how it differs from "ordinary" consensus, I want you to tell me how a Bitcoin-like system could be used to decide on any value other than either (i) one known in advance by all parties (which doesn't require a consensus protocol at all), or (ii) one chosen by the node that wins the block lottery.
This is expanded upon in the peer-reviewed Bitcoin-NG paper that both of you are refusing to read, which breaks down the Bitcoin protocol into distinct parts (which was why I linked it--not because I am proposing that it replace the Bitcoin protocol, but because I thought it would be useful for you to understand how Bitcoin performs leader election already). Specifically, it analyzes the effects of splitting up leader election and block commit parts of the protocol. As it turns out, it has essentially no effect on Bitcoin's security guarantees, which is not surprising--because the fact that block selection and leader election happen at the same time is an implementation detail that doesn't actually matter! Once you realize this detail that you are obsessing over (the block being decided at the same time the leader is) is not important for the protocol, you will also see that the leader election is in fact the critical part.
Nodes decide if they will append your block to their chain.
A miner that decides to mine out of consensus blocks is just burning money, and will be on their own fork with their “100% votes” that nobody else uses.
Give it a try, spend a few million on mining equipment and then try forcing something on the network.
The proposed block must comply with the rules your node enforced, or it will not be accepted. It’s not just work, but also the entire consensus-set they must abide by.
Miners cannot force new rules, if there is no consensus.
Eh? Can't miners refuse to include transactions that don't adhere to new conditions in addition to old ones?
If 51% of miners decide to, after block #N, not include any transaction that doesn't satisfy the predicate P in any block they produce, nor mine on any chain which has a block after block #N which has a transaction that doesn't satisfy predicate P, then the longest chain will have all the transactions after block #N be ones which satisfy P, and furthermore, if the other 49% of miners are aware that this is happening, if they want their blocks to be in the longest chain, they have incentive to follow the same rules when mining.
No, you're misunderstanding everything. The consensus mechanism is about agreeing about the contents of the blockchain, not about the rules that make up the bitcoin protocol.
PoW at least provides a decent and somewhat fair coin distribution mechanism.
With PoS, the coin creators can assign themselves an arbitrary fraction of the coins, concentrating the wealth. Even if there is a public record of all the funds raised in a public sale and all expenditures made (which is rarely the case), it's possible for the creators to participate in the public sale and recover large parts of funds used to buy their own token by generous expenditures on software development and such.
Yes, PoW coin emission curves often leave something to be desired, tending to emit too much in the first few years, which leads to some wealth concentration as well.
In my opinion a fixed block subsidy would be most equitable, but that's a very slow emission, taking 100 years to reach a yearly supply inflation under 1%.
It could be interesting to bootstrap a PoS network using the wallet keys for all existing public blockchains, by allowing users to initialize their PoS wallet with the fiat value of their PoW keys held at some agreed moment in time. I toyed with this idea for a while, but I don't know how you could keep the network secure until a significant proportion of the total value has been claimed.
Anyway, I'd also be interested to know if there's existing or active research along these lines.
Yes, PoW is way better because miners need to constantly expend resources to maintain their right to participate. PoS validators keep their throne for life at virtually no cost.
But like PoS, PoW returns all spent resources and more back to the miner - both are designed to be profitable and self-sustaining.
I don't see much difference between a PoW mining setup that does $1000/day gross, $990/day expense, $10/day profit and a PoS staking setup that does $12/day gross, $2/day expense, $10/day profit. Both earn $10/day, both require maintenance, and both are run not at a net cost but at a net profit.
You can't transmute Bitcoin back into electricity and ASICs. You have to generate more of both, which is extrinsic to the protocol and thus available to currently-non-participating actors. PoS does not have this property.
The main difference is that the top miners don’t stay the top miners. There is constant churn. The top stakers remain the top stakers at virtually no cost, and they will almost always be custodians/financial institutions.
Additionally mining isn’t always profitable. There is financial risk and miners can go bust and take financial risk. Staking is basically always profitable if you don’t misbehave.
It gets a lot more complicated than that because setting up competing systems is cheap. It is like saying "nobody would write this piece of software for free". What we learned with open source is if the cost of distribution gets low enough then there needs to be just one person somewhere on earth willing to maintain it and it can work.
If the cost of creating trustworthy local (or international) monetary systems is basically 0 then it isn't obvious that plutocrats have an advantage beyond the one they already have by virtue of being powerful. If they can force you to use their system they already control the government so didn't need any technical help.
You can fork decentralized over (crypto) collateralized stablecoins even if you can't force a fork of a centralized stablecoin operated by incorporated entity to be recognized by them.
Unless we're going to pretend that there is only one way on and off networks and only in one currency denomination…
If you are forking the chain state and not just the vm, that could be the case.
However, if you are only forking the vm and allowing for people to deploy other protocols (or forks of other protocols), this is not the case (they just start off at lower total supply relative to the native collateral available on that network from a lower demand base).
I don't consider it a fork unless it includes the state. For example, ZCash is based on Bitcoin code but nobody considers it a fork of Bitcoin and there are various chains like Avalanche that support EVM but they aren't forks of Ethereum.
> I don't consider it a fork unless it includes the state.
I think I'd agree for things like ZCash/Dash etc compared to BTC, but I'm not sure I'd agree when it comes to the all contracts deployed on all EVM networks and none of this has anything to do with decentralized stablecoins.
For example, you can mint MIM (a decentralized stablecoin) on both avalanche c-chain and ethereum (as well as polygon, fantom, bsc and arbitrum), and they are both worth $1, but have different collateral backing it on both networks. If users wanted to leave one or the other, they could just redeem their mim for the underlying, sell it and buy the collateral on another network and mint it on the other network. The collateral might trade lower on one network based on market factors (like if the narrative shifted to that the chain became too centralized or w/e, and this assumes that even the price movement of the underlying overwhelms the over collateralization ratio, it might not) but it would just mean that there would be more or less mim on that particular network as assets are liquidated and not that the MIM itself would be worth less.
Just because you may not be willing to swap cash/gold/anything a local counter party values in whatever jurisdiction you reside in for a random networks gas and/or tokens that trade on them, doesn't mean others cannot.
If you want to use coinbase to buy crypto and tokens, that's on you.
PoW and PoS are exactly the same, 1 dollar gets you 1 vote. If you want 1 person, 1 vote you need 1) a census, and 2) a mechanism to prevent the sale and purchase of votes.
> The more subtle and wildly prevalent failure mode is that the consensus will be set by the few whales, who will maximize their rent extraction at the expense of numerous small players, which will include most later adopters, aka the entire population of Earth.
And that's where competition between currencies provides checks and balances against such pathological behaviours.
> in DAOs, every vote resembles a banana republic: "90% voted, 90% in favour"
I've been wondering about that recently - for all of the excitement about DAOs and Governance Tokens, are there any good examples of interesting decisions being made via their voting mechanisms?
What are some places I can go to see recent votes and their outcomes?
They only go bankrupt if they don't hold the majority of the mining power, if they do they take over. How is this different from PoS?
Actually in PoS if you try to attack and you don't have a majority you will lose all your coins. in PoW if you try to attack and somehow you miscalculated you will lose a couple of hours worth of electricity after which you can go back to mining normally so much lower stakes for an attack.
PoS in Ethereum is not a plutocracy... There is no voting with the token or any other governance. The stakers do not control the network, by design. The whole system works only if everybody (holders/users/stakers/devs) cooperate together.
I think what the parent is referring to is the DAO hack (from 2016) and how Ethereum’s response was to renege on “Code is Law” (and the integrity of the blockchain) in order to void those transactions (smart contract exploits), which is a case of centralization resurfacing because VB could subvert the proof of work system when his own money was at risk.
Ethereum Classic is the fork that refused to rewrite the blockchain to void the hack, and the linked tweet is VB affirming that he’s only working on the main (reneging) Ethereum fork (which goes by ETH), not Classic (goes by ETC).
Not sure why the parent linked that tweet, maybe Twitter just makes it too hard to identify what tweet you actually want.
I've recently read that the blockchain was not rewritten or unrolled. It was actually executed forward through an "irregular state change". In other words, it made a new transaction instead of erasing or modifying old transactions, and that was done with consensus of all those who ran the ETH client. Those who didn't agree went to ETC, but the market chose ETH in the end.
Regardless of how you word it, it amounts to the same thing: the protocol and signed, validated history say this happened, now we act like they did not, which is a violation of blockchain integrity.
No, that's not what happened. No history was changed, and nothing was re-validated as you suggest. There was no "violation of blockchain integrity". The only thing that happened was that the upgraded version executed what's known as an "irregular state-change" which moved the ETH from TheDAO's smart contract to a new secure contract. So, it wasn't a roll-back, but a roll-forward, and the change was mined using PoW in accordance with all the blockchain block selection rules.
No matter what fancy spin you put on it, that was absolutely a violation of the blockchain's integrity, as it violated the principle that accepted transactions can't be reversed after the fact, even if you call it an "irregular state-change" that just keeps things secure.
You can absolutely defend the position that this was best for the ETH ecosystem. But it was absolutely a reneging on the blockchain rules.
"Code is Law" was never part of Ethereum's ethos. It was some meme created by the company behind The DAO, and perhaps many people in the community supported it, but it wasn't part of Ethereum.
People will opt out of currency regimes that are abusive. This is not like a terrestrial government where you are fucked for life because a bureaucracy controls the land you live on. You don’t have to immigrate to escape a corrupt currency. And you don’t have to all-in in one currency.
If you own dozens of coins, you liquidate the shitcoin that is controlled by corrupt tycoons.
>> consensus will be set by the few whales, who will maximize their rent extraction at the expense of numerous small players
Aren't you just describing capitalism here? The people that created the system and own the biggest share of it have gigantic influence on it. Matter of fact, isn't that exactly what happened in Ethereum's PoW network, too? The developers decided to switch to PoS regardless of what the current participants want.
In general, isn't the idea of using PoS that if you aren't happy with the current system, you can easily fork into a competitor? If enough people think the current system is unjust, then you can switch to the new one, where you will be part of the development. At the beginning of the fork you also wouldn't need that much compute, as PoS is more efficient and you aren't going to have many users/transactions in the first place.
Since it's easy to switch currency (at least easier than privately setting up a Dollar 2.0), members of the original currency have to behave fairly, else people are going to switch. Note: The thing people are switching to doesn't even have to be better in any way than the original currency. It just has to have different controllers to influence the members of the original system.
The way I see it, is that there's no meaningful way in which PoS based currencies are worse than the current monetary system: large stakeholders in current global currencies also have gigantic leverage (think of money printing during the pandemic or bailouts after the 2008 financial crisis). The real advantage I see with PoS systems is not the system itself, but the tooling that comes with it and allows for the development of competitor currencies that check the power of each other. With current global currencies there's no checks-and-balances system inside the monetary decision making process, while a fleet of independent PoS has the chance for checks and balances to be induced through competitive pressure.
It fairly describes every political system and economic system that has ever existed or will ever exist. What's being described is how humans always organize systems in regards to political and economic power.
See: Socialism, Communism, Fascism. It applies just the same to those. Except in those systems they'll murder you and your entire family, then burn your village/town to the ground, if you attempt to compete with the rulers or party (Chavez, Castro, Stalin, Lenin, Mao, Hitler, Mussolini, Pol Pot, Kim, Putin, Erdogan, Lukashenko, etc.).
Whereas I can freely compete with Coca Cola, Tesla, Salesforce, Splunk, DigitalOcean, Cloudflare, Starbucks, 3M and most other companies if I'm able to. Nobody is stopping me from inventing a new coffee drink and going after Starbucks with it, or setting up a better coffee chain on the corner. Nobody is stopping me from inventing a better soda-competing drink (see: Monster or Red Bull or 5hour Energy; those people weren't assassinated by the soda cartel). Nobody is preventing me from starting the next great convenience store (ask 7-11 how they feel about upcoming Sheetz; or ask KFC how they feel about Chick-fil-A).
You can fork far in the past, before you cashed out. Any new entrants into the network will not be able to distinguish your fork from the real chain.
You cannot be slashed for this in the real chain because you already cashed out your stake there.
This 'long range attack' is different from a 50% attack because it doesn't affect nodes that were running before the attack happened. But a situation where new entrants into the network are uncertain of the 'true' fork is not tenable in the long term.
This seems more viable for a value destruction attack than for a double spend. But value destruction can be lucrative for blackmail. It means a coalition of stakers could withdraw their stakes and state "increases the blocksize or suffer a long-range attack".
> But a situation where new entrants into the network are uncertain of the 'true' fork is not tenable in the long term.
This is an important point to consider, but it can be mitigated with exit delays. E.g. with Eth2's current settings, if an attacker had 2/3 stake at one point, I believe it would take them 6-7 months to exit all those validators. So while it's true that new entrants must sync from a trusted checkpoint, the checkpoint can be quite old.
Let's say my client has a hardcoded list of checkpoints, with a new one added once a month. The client would only accept forks containing all of those checkpoints in their history.
It seems like there are two ways an attacker with commit access might try to corrupt this checkpoint list. First, they could try to add bad checkpoints over a period of 6-7 months, until they've fully exited and can safely perform a long-fork attack. This seems impractical, since the bad checkpoints would be noticed by existing node operators (who would get stuck after upgrading their clients), and 6-7 months seems like plenty of time to raise the alarm.
Alternatively, an attacker could just delete 6+ good checkpoints, and replace them with 6+ bad ones, all at once. This would violate the convention of adding monthly checkpoints, so it should be easily recognized as a malicious change. One could argue that it might go unnoticed anyway, but sneaking in such a change seems roughly as hard as sneaking in any other clearly-malicious client change.
But why would a new entrant get the chain from a node that already exited, and why would this affect anyone other than the entrant itself? I assume the new entrant is itself liable if it copies the wrong chain, because other nodes will vote against it once it starts operating, so it will make an effort to get the correct chain (maybe by buying it from current nodes and ensuring they all provide the best chain). So maybe you would have some kind of cartel of running nodes that may or may not allow new nodes to enter, but I don't see a critical network-destroying issue here.
Wouldn't anyone then be able to provide proof of that participant having exited? The participant would have generated a signature the moment they exit.
A coalition of wealthy interests can trivially dictate the consensus rules with very little to no recourse on your part. Even if the chain splits, they can maintain their share on both chains, and even suppress the minority chain.
In PoW miners risk going bankrupt overnight for egregious behaviour like that.
I'd like to see how one defines "slashing" programmatically that is impartial, works algorithmically, and does not have edge cases that can lead to catastrophic failures without handwavy assumptions that every single PoS network has today.
No, no, back up a second. The argument being made in the parent comment is that once there is one entity with enough stake in the network to dictate where it goes, they can just pull out before tanking the network.
But my understanding was that you can only have enough stake in the network to make decisions...by having that stake in the network. If you un-stake your crypto and cash out, by definition, you no longer have any stake in the network. If you no longer have any stake, how do you have a controlling stake?
If you go offline the penalties are very small. You can be offline a third of the time and break even. The real penalty happens if you send conflicting messages, and even that's not too severe unless a lot of other nodes do it at the same time.
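The "conflicting messages" penalty described above, written out as an added example (not code from the thread or from any real client) in answer to the earlier request to see slashing defined programmatically: detect a validator that signed two different blocks for the same slot, ignore votes whose signature does not verify so nobody can be framed, and scale the penalty with how many validators misbehave at once. Keyed HMAC-SHA256 stands in for the network's real signature scheme so the example runs offline; the validator keys, votes and penalty constants are constructed for illustration.

```python
"""Equivocation detection feeding a slashing rule, as an added example (not from the
thread or from any real client). A validator is punished for signing two different
blocks for the same slot, and the penalty grows with how many validators misbehave
at once. Keyed HMAC-SHA256 stands in for the network's real signature scheme so the
example runs offline; keys, votes and penalty constants are constructed.
"""
import hashlib
import hmac
import json
from collections import defaultdict
from typing import Dict, List, Set

# Constructed per-validator secrets. A real network would verify public-key signatures.
VALIDATOR_KEYS: Dict[str, bytes] = {"v1": b"key-one", "v2": b"key-two", "v3": b"key-three"}


def _body(validator: str, slot: int, block: str) -> bytes:
    return json.dumps({"validator": validator, "slot": slot, "block": block}, sort_keys=True).encode()


def sign_vote(validator: str, slot: int, block: str, key: bytes) -> dict:
    """Vote for `block` in `slot`, authenticated with the signer's key."""
    sig = hmac.new(key, _body(validator, slot, block), hashlib.sha256).hexdigest()
    return {"validator": validator, "slot": slot, "block": block, "sig": sig}


def verify_vote(vote: dict, keys: Dict[str, bytes]) -> bool:
    """Recompute the tag under the claimed validator's key; constant-time compare."""
    key = keys.get(vote["validator"])
    if key is None:
        return False
    expected = hmac.new(key, _body(vote["validator"], vote["slot"], vote["block"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, vote["sig"])


def find_equivocations(votes: List[dict], keys: Dict[str, bytes]) -> Dict[str, Set[int]]:
    """Map validator -> slots in which it signed two different blocks.

    Votes that fail verification are discarded before comparison, so a third party
    cannot fabricate a conflicting vote to get an honest validator slashed."""
    first_seen: Dict[str, Dict[int, str]] = defaultdict(dict)
    offenders: Dict[str, Set[int]] = defaultdict(set)
    for vote in votes:
        if not verify_vote(vote, keys):
            continue
        prior = first_seen[vote["validator"]].get(vote["slot"])
        if prior is None:
            first_seen[vote["validator"]][vote["slot"]] = vote["block"]
        elif prior != vote["block"]:
            offenders[vote["validator"]].add(vote["slot"])
    return dict(offenders)


def correlated_penalty(stake: float, offending_fraction: float, multiplier: float = 3.0) -> float:
    """Illustrative penalty (constants are not any real network's): a lone equivocator
    loses little, but the loss scales with the fraction of all stake caught misbehaving
    in the same window, up to the whole stake."""
    return stake * min(1.0, multiplier * offending_fraction)


if __name__ == "__main__":
    votes = [
        sign_vote("v1", 10, "blockA", VALIDATOR_KEYS["v1"]),
        sign_vote("v2", 10, "blockA", VALIDATOR_KEYS["v2"]),
        sign_vote("v2", 10, "blockB", VALIDATOR_KEYS["v2"]),   # conflicting message
        sign_vote("v3", 10, "blockA", VALIDATOR_KEYS["v3"]),
        sign_vote("v3", 11, "blockC", VALIDATOR_KEYS["v3"]),   # different slot: fine
        sign_vote("v1", 10, "blockB", b"not-v1s-key"),         # forged, must be ignored
    ]
    print(find_equivocations(votes, VALIDATOR_KEYS))
```

Only v2 is reported: v3 voted in two different slots, which is normal, and the forged vote attributed to v1 is dropped because its tag does not verify. The penalty function is the shape the comment describes, small for an isolated offender and severe when a large fraction offends together.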
> if Warren Buffet comes along and wants to spam our network, I guess he could, but that would destroy the network and destroy his value that he sunk into the network
Not if he’s undetected and does it for years while extracting value at key points in time.
There are numerous people who could put up $50B with the ability to get very high returns.
It’s not even worrying about Buffet. I worry about hedge funds and sovereign wealth funds that would definitely manipulate PoS if it earned enough for them.
I just read most of the article. As I understand it, the failure mode isn't that one attacker could hand you a malicious node, it's that the network doesn't actually reach unambiguous consensus -- all/most "stakers" could simultaneously be signing a different transaction history the whole time, at virtually no cost, which is just as valid as "the" one you believe in; there's no (cryptographic) way to distinguish them. And so it's possible for, one day, the whole network to get pulled out from under you. "Nope, this other one is the real deal."
Is this a problem in practice? As the article says, no ... but only because there is a sort of vaguely specified "proof of authority" that backs the current chain, which actually just reintroduces centralization. The author cites the Bitcoin Cash and DAO/ETH Classic forks as cases where that proof of authority gets tested and shows the actual centralization.
It's my understanding that Algorand has something on top of pure PoS that ensures the consensus (which the article says is necessary) so I'm not sure the same criticism is applicable there, but can't comment further until I get more familiar.
> Article's theory about malicious old blocks doesn't hold up.
I don't mean to be rude here, but none of what you have said refutes my point.
The attack here is that you control keys that (1) once held 67% of the value, and (2) no longer do. Because they did hold value once, they are dangerous to consensus. Because they no longer hold value, nothing is sunk into the network, so the attacker bears no cost or risk.
To apply your analogy: I don't have to be Warren Buffet, I just have to riffle through his trash.
I don’t investigate every shitcoin out there, but all of them have the same flaws in general. Your particular shitcoin probably has something called voting quorum, where only a fraction of global supply is required to proceed in staking. By reducing that fraction you’re making large stake holders more and more able to overpower all others the moment they decide to become malicious.
In PoW all hashrate is always voting and security is paid for external expenditure, not something virtual within the system.
By this argument the only real consensus mechanism we need is FAITH. In PoS we trust.
As long as a sufficient number of people believe some currency has value - it has value. If they don't believe, it doesn't have value, and the stakes are worthless too.
Charlie Munger is on record saying he hates crypto. I doubt Buffet is far off. How many billions would they need to sink into destroying something they hate?
PoW systems rely on the "phone a friend method" as well. When you download a Bitcoin client from a "friend", you are trusting them to honestly introduce you to the network. If you fall asleep for a period of years, you have to trust your friends to honestly inform you of all of the PoW forks and policy changes that have occurred over that interval. The only difference is that PoS blockchain clients must be bundled with a modestly-recent block hash along with the thousands of lines of code that you have no practical way to audit.
The problem eventually reduces to Ken Thompson's "Trusting Trust" [1] problem. There's no way to externally validate the honesty of any system (cryptocurrency, or otherwise).
You really don't need to trust a "friend" while bootstrapping into the network with PoW, because the proof of work is irrevocably embedded within the blockchain, and the real world cost of creating those blocks can be pretty easily estimated.
So long as you have a general idea of how much hash power is being used currently for the network, or even just how efficient ASIC computing is in general at your point in history, you can work out how great the hashing difficulty should be. You can trivially verify that the block hash with a large number of preceding zeros, e.g. 0000000000000000000b98dd8e7504793c0644cb0c27eb98f06aab9ea93c4ec2, is the hash of block it's attached to, and that a hash value that small would require a huge amount of energy to find. And every block beneath it also required a huge amount of energy, creating a huge real world economic cost to produce. You can't fake that chain without equivalent sacrifice of energy and compute resources.
Anyone trying to deceive you with a false chain would have to expend approximately as much energy as the entire legitimate bitcoin network does, and then keep doing it for as long as they want to deceive you. Sure, that theoretically could happen, but the economic incentives to do it just aren't there.
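The mechanism argued over earlier in the thread (hash = sha(block, nonce), the nonce being the only part the miner mutates) and the verification step in the comment above (recompute the hash, observe how small it is, infer the work behind it), as an added example that is not code from the thread or from any real client. It mines a tiny toy chain, has a verifier recompute every hash and sum the expected work, and shows that rewriting one block's transactions without redoing the hashing makes the chain fail verification. The target sizes and transactions are constructed; real targets are astronomically harder.

```python
"""Toy proof-of-work chain: mine, verify, and estimate the work a chain embodies.

Added example, not code from the thread or from any real client. hash = sha256(header ||
nonce); a hash at or below the target "wins"; the expected number of hash evaluations to
reach a target is 2**256 / (target + 1), so a verifier can estimate the cost sunk into a
chain from its hashes alone. Targets here are tiny so the example runs in a fraction of a second.
"""
import hashlib
import json

HASH_BITS = 256
GENESIS_PREV = "0" * 64


def header_bytes(block: dict) -> bytes:
    """Canonical serialization of everything in the block except the nonce."""
    return json.dumps({k: v for k, v in block.items() if k != "nonce"},
                      sort_keys=True).encode()


def pow_hash(block: dict) -> int:
    """sha256(header || nonce) as an integer; smaller means more leading zero bits."""
    digest = hashlib.sha256(header_bytes(block) + block["nonce"].to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big")


def target_from_bits(leading_zero_bits: int) -> int:
    """Largest hash value that still has at least this many leading zero bits."""
    return (1 << (HASH_BITS - leading_zero_bits)) - 1


def expected_hashes(target: int) -> float:
    """Expected hash evaluations to find hash <= target, modelling sha256 as uniform."""
    return (1 << HASH_BITS) / (target + 1)


def mine(block: dict, target: int) -> dict:
    """Mutate only the nonce until the hash meets the target (the miner's job)."""
    hdr = header_bytes(block)
    nonce = 0
    while int.from_bytes(hashlib.sha256(hdr + nonce.to_bytes(8, "big")).digest(), "big") > target:
        nonce += 1
    return {**block, "nonce": nonce}


def verify_block(block: dict, target: int) -> bool:
    """A verifier recomputes the hash itself; no trust in whoever handed over the block."""
    return pow_hash(block) <= target


def mine_chain(txs_per_block: list, target: int) -> list:
    """Build an honest chain; each block commits to the hash of its predecessor."""
    chain, prev = [], GENESIS_PREV
    for txs in txs_per_block:
        block = mine({"prev": prev, "txs": txs}, target)
        chain.append(block)
        prev = f"{pow_hash(block):064x}"
    return chain


def chain_work(chain: list, target: int) -> float:
    """Cumulative expected work embodied in a chain.

    Returns 0.0 as soon as a link is broken or a block lacks valid proof of work,
    so a fabricated history is rejected without knowing who served it."""
    work, prev = 0.0, GENESIS_PREV
    for block in chain:
        if block["prev"] != prev or not verify_block(block, target):
            return 0.0
        work += expected_hashes(target)
        prev = f"{pow_hash(block):064x}"
    return work


def tamper_without_work(chain: list, index: int, new_txs: list) -> list:
    """Rewrite one block's transactions while spending no hashing effort."""
    forged = [dict(b) for b in chain]
    forged[index]["txs"] = new_txs
    return forged


if __name__ == "__main__":
    target = target_from_bits(12)        # ~4096 hashes per block (constructed, tiny)
    honest = mine_chain([["alice->bob 5"], ["bob->carol 2"], ["carol->dave 1"]], target)
    forged = tamper_without_work(honest, 1, ["bob->mallory 2"])
    print("honest work:", chain_work(honest, target))
    print("forged work:", chain_work(forged, target))
```

Changing a middle block changes its hash, which both invalidates its own proof of work (except by a one-in-target chance) and breaks the `prev` link of the block after it, so the verifier scores the forged history at zero work. Re-mining that block and every block after it is the only way to make it verify, which is the energy cost the comment describes.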
It seems that PoW does not need phone a friend to compare "which of these two chains is the true one", whilst PoS does need phone a friend for that.
However, that presumes all forks are soft forks; that you are presented a correct chain; that you want the soft fork with consensus rules accepted by most miners. (If verifying with an old bitcoin client, the BCH/BTC split will be resolved for you without you having a say.)
In summary, PoW has less need for Phone a Friend than PoS. But it still has some problems.
How the hell do you know? You've just admitted that you don't actually know how PoS and PoW work. You've repeatedly refused to "do your homework" by researching what's known about these things. And yet you have repeatedly been rude to other people who have done their homework, and have informed opinions, unlike you. Just shut up and stop talking about blockchains. You're an entitled internet nobody.
I have regrets about calling you a "nobody". I was annoyed, but that's going too far, and I apologise for saying that. Almost no one deserves that level of vitriol, especially if at worst they're just being annoying. And I think I get annoyed too quickly.
Indeed. And even if you posit a PoW currency which never has policy changes, unlike Bitcoin or any other major cryptocurrency…
And you assume that attackers will never have enough computing resources to execute a 51% attack – which could happen because the currency’s value falls enough that people stop mining it, because an extraordinarily well-funded entity decides to attack it, or because someone manages to hack the miners…
Then you do gain the security guarantee that if you see multiple competing branches of the blockchain, you’ll know which branch is the correct one (namely, whichever is longest). However, you’re still relying on phoning your “friends” (nodes you’re aware of) to tell you what blocks exist! If they all keep the true longest branch a secret from you (or, say, someone blocks your Internet connection to the nodes that aren’t willing to do so), then you will think the next longest branch is the correct one.
To be fair, that isn’t the most practical attack. But none of the risks being discussed here are remotely practical. In practice, nobody wants to connect an outdated client to a blockchain network because it risks (a) getting yourself exploited through known vulnerabilities in the client, (b) not working due to backwards incompatible protocol changes or bugs, or (c) missing a hard fork that might have happened over disagreements in policy changes (because there are always policy changes). So you update your client, and that means you have to rely on a “friend” to tell you which software you should be running.
> But it's a threat for single nodes not for the network as a whole.
Indeed, but the same is true for attacks on "weak subjectivity" proof-of-stake. They're only a threat for nodes that have been disconnected for a long time (months) before they try to reconnect.
Except for the part where eclipse attacks can be resolved by simply feeding my node more data (it's not a problem if some of it is lies), while "weak subjectivity" requires recourse to an external authority.
i don't know as much about this as you, but it seems to me that the attack you describe in the blog post would also require a successful eclipse attack?
My understanding is that the attack you describe involves a cabal of "evil" validators signing some alternate chain (call it the "fake" chain) long after their stake is withdrawn, creating a fork in the distant past. Before they did this, they pretended to be good validators, which meant they signed the "real" chain's blocks and then signed the withdraw transaction. So after the attack, there are two conflicting sets of signatures signed using the evil cabal's private keys; those on the fake chain, and those on the real chain. So anyone in possession of both of these sets of signatures can conclude that the validators in the cabal are "evil", and then they can see that once the cabal's support is removed from consideration, the real chain had more valid validator support (at the time of the fork, in the distant past). If this line of reasoning is correct, that suggests that anyone who is aware of both sets of signatures can identify the real chain?
> So after the attack, there are two conflicting sets of signatures signed using the evil cabal's private keys; those on the fake chain, and those on the real chain. So anyone in possession of both of these sets of signatures can conclude that the validators in the cabal are "evil", and then they can see that once the cabal's support is removed from consideration, the real chain had more valid validator support (at the time of the fork, in the distant past).
I think this is where you get the problem - if you just have two sets of signatures, how do you tell which is legitimate and which one isn't? How do you conclude in which set the cabal was lying?
An eclipse attack is so named because it requires you to keep all the light out so they're kept in the dark. But here, since there's no internal mechanism to tell the two chains apart, you don't only need the accurate information, but also outside information about which one is accurate.
> I think this is where you get the problem - if you just have two sets of signatures, how do you tell which is legitimate and which one isn't? How do you conclude in which set the cabal was lying?
I feel like you should be able to deduce it from the distribution of participation after the fork, right?
The “fake” chain would lose all honest verifiers (and all transactions from honest wallets?) which seems like it would be pretty detectable with simple statistical analysis. Staked nodes not participating (and active wallets not transacting) becomes less and less likely the longer the post-fork chain is.
> The “fake” chain would lose all honest verifiers (and all transactions from honest wallets?) which seems like it would be pretty detectable with simple statistical analysis. Staked nodes not participating (and active wallets not transacting) becomes less and less likely the longer the post-fork chain is.
But you don't know who's honest - you may as well be saying the real chain lost all the dishonest verifiers.
Exactly - that's where statistical analysis (like fakespot) comes in.
For each chain you'd be able to look at the age, stake & historical participation level of the post-fork participants and get a pretty good idea which (if either) of the chains is real. The absence of honest participants should look a lot different than the absence of dishonest ones.
Granted, this method is not nearly as simple as checking the number of 0s on a hash, but I would imagine it to be quite difficult to circumvent.
For any specific verifier/wallet, you won't - but the fake chain will have 0 uncompromised actors after the fork.
Which means that large stakeholders suddenly stop verifying blocks. Long-term active wallets stop transacting.
The same might be true for both chains after the fork, but I would imagine the fake one would have a larger change in participation (weighting older wallets and larger stakes) than the real one.
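The equivocation check sketched in the comments above (the same keys signing different blocks at the same height on two forks, then looking at what support is left once those keys are discounted), written out as an added example; this is not code from the thread or from any validator client. The stake snapshot, validator names and vote records are constructed, and every vote is assumed to have already passed signature verification, which is the only thing the argument rests on: the cabal can sign anything with its own keys but cannot produce the honest validators' signatures for the fake fork.

```python
from collections import defaultdict

# Added example, not code from the thread. A "vote" is one validator's signed
# attestation for a block at a height on some fork; every record below is
# assumed to have passed signature verification already (the cabal can sign
# anything with its own keys but cannot forge the honest validators' keys).
# Stake snapshot and vote records are constructed to illustrate the argument.

# Stake at the fork height (constructed): A, B, C hold 70%, D and E hold 30%.
STAKE_AT_FORK = {"A": 30, "B": 20, "C": 20, "D": 15, "E": 15}

# (validator, fork, height, block_id); heights 100..102 follow the fork point.
VOTES = [
    # Real fork: everyone, including the not-yet-exited cabal, signed height 100.
    ("A", "real", 100, "r100"), ("B", "real", 100, "r100"), ("C", "real", 100, "r100"),
    ("D", "real", 100, "r100"), ("E", "real", 100, "r100"),
    # Cabal withdraws; only D and E keep attesting on the real fork.
    ("D", "real", 101, "r101"), ("E", "real", 101, "r101"),
    ("D", "real", 102, "r102"), ("E", "real", 102, "r102"),
    # Fake fork, built later with the cabal's old keys: cabal signatures only.
    ("A", "fake", 100, "f100"), ("B", "fake", 100, "f100"), ("C", "fake", 100, "f100"),
    ("A", "fake", 101, "f101"), ("B", "fake", 101, "f101"), ("C", "fake", 101, "f101"),
    ("A", "fake", 102, "f102"), ("B", "fake", 102, "f102"), ("C", "fake", 102, "f102"),
]


def find_equivocators(votes):
    """Validators that signed two different blocks at the same height."""
    seen = defaultdict(set)
    for validator, _fork, height, block_id in votes:
        seen[(validator, height)].add(block_id)
    return {v for (v, _h), blocks in seen.items() if len(blocks) > 1}


def raw_support(votes, stake):
    """Stake-weighted support per fork and height, counting every signature."""
    support = defaultdict(lambda: defaultdict(int))
    for validator, fork, height, _block in votes:
        support[fork][height] += stake.get(validator, 0)
    return {f: dict(h) for f, h in support.items()}


def support_excluding(votes, stake, excluded):
    """Same weighting after discarding everything signed by the excluded keys."""
    kept = [v for v in votes if v[0] not in excluded]
    return raw_support(kept, stake)


def participation_trend(support, fork, stake):
    """Share of the snapshot stake still attesting at each height on a fork."""
    total = sum(stake.values())
    return {h: w / total for h, w in sorted(support.get(fork, {}).items())}


def classify(votes, stake):
    """Equivocating keys, plus per-fork participation once they are discounted."""
    cabal = find_equivocators(votes)
    remaining = support_excluding(votes, stake, cabal)
    return cabal, {f: participation_trend(remaining, f, stake) for f in ("real", "fake")}


if __name__ == "__main__":
    cabal, trends = classify(VOTES, STAKE_AT_FORK)
    print("raw support:", raw_support(VOTES, STAKE_AT_FORK))
    print("equivocators:", sorted(cabal))
    print("non-equivocating stake share by height:", trends)
```

Note what the raw counts say: at heights 101 and 102 the fake fork carries 70 units of stake-weighted signatures against the real fork's 30, so "more signatures" alone points the wrong way. The signatures establish exactly one thing, which keys equivocated at height 100; everything after that (zero non-equivocating participation on the fake fork, 30% on the real one) is the participation argument made in the comments, not a cryptographic proof.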
If you actually see two conflicting chains (either proof-of-work or proof-of-stake) with large numbers of people vouching for both, then the correct chain is not necessarily "whichever one is longer". Well, it could be, for you; "correct" is subjective. But by assumption in this scenario, a large number of people disagree, and you might want to transact with some of them. There is no way for software to decide this objectively; it has to ask the user to decide based on factors external to the network.
Where proof-of-work really does have an advantage is that you can more easily distinguish that scenario from the scenario where either one of the chains is actually a Sybil attack, i.e. a single attacker pretending to be a large number of people. Similarly, if you only see a single chain, with proof-of-work you can try to detect an eclipse attack (which implies a Sybil attack) by seeing if the hashrate has gone down dramatically.
That's a real advantage. I don't think it's even close to enough to mitigate proof of work's disadvantages, especially since the circumstances where it would practically come into play are extremely unlikely, but it's not nothing.
However, it's undermined by the fact that proof of work naturally encourages centralization. Bitcoin is centralized enough that it's not completely impossible for the vast majority of the hashrate to end up on one side of a fork (either soft or hard), while the vast majority of users and developers end up on the other side. (To be clear, this is very, very unlikely to actually happen, but so are all of the attacks we're talking about.) If this happens, the objective proof-of-work standard will side with the miners, but not with the people you actually want to transact with.
Of course, a proof of stake currency can also suffer a schism, but there is (probably) less tendency for stakers to be centralized, and if a schism did occur, at least the client wouldn't provide a false sense of objectivity.
None of this actually refutes my point. You're just suggesting that the fact that PoS is incapable of producing a consensus is outweighed by it allegedly being more decentralized. Be that as it may, it's not relevant to this thread.
Is it even true? Steemit had the exchanges do a hostile takeover, because everyone was staking through them.
I think the difference is which kind of hash you needed.
For PoW, you'd have to know the hash of the start of the chain (the "genesis block") in advance to verify you downloaded the correct chain. That's true, but this hash doesn't change during operation. You could get that hash from a history book if you will.
For PoS, the hash is from the end of the chain and therefore constantly changing. This means the challenge of finding out whether the hash is the right one is a lot more real than in the PoW case, because there is no "common knowledge" to go by which hash is right.
> For PoW, you'd have to know the hash of the start of the chain (the "genesis block") in advance to verify you downloaded the correct chain.
Nope. You could fork the chain at a period of low difficulty and it would still stem from the genesis block. It would either be a short chain, or have clearly low difficulty though, so it wouldn't fool anyone knowledgeable. I'm not sure how you would leverage that chain for fraud.
A while ago bitcoin clients changed from favoring the 'longest' chain to favoring the chain with the most work done on it. (To prevent long chains with low difficulty.)
The client can choose properly, but it needs to "call a friend" in order to get the options - if the client doesn't receive the proper chain but only fake ones, it will choose the fake one with the most work done on it.
You need to fork at low difficulty if you want to significantly lengthen the chain from that point, because creating a high difficulty, long chain that is valid is hard.
But-- there's nothing to preclude you making big steps up in difficulty at the end of the chain. It means that one evaluating the length of the chain for authenticity really needs to integrate the difficulty over the entire chain and not just look at the number of blocks.
Suppose I'm a new node and want to verify the blockchain. How do I verify that each block was mined with the correct difficulty?
I'd need some record about the actual real-world timestamps for each block. Then I could say something like "duration between block x and block x+1 was > 10 min, so the down-adjustment in block x+5 is justified".
But if those timestamps were stored on-chain, an attacker could simply lie about them and keep difficulty artificially low on its alternative chain.
On the other hand, if we had some un-forgeable record of block timestamps, wouldn't this solve the double-spend problem all on its own? Would we even need PoW at this point?
> For PoW, you'd have to know the hash of the start of the chain (the "genesis block") in advance to verify you downloaded the correct chain.
No. For Bitcoin you can accept a chain with an arbitrary starting point and you would still arrive at the same chain everyone else uses.
Although you do need to have an idea of the earliest acceptable starting point-in-time — e.g. verifying a low-difficulty chain starting the year 200,000 BC (with one block every 10 minutes) would take quite a while
Because of withdrawal delays, the PoS hash isn't from the end of the chain, but from a few months before. So it changes only about as often as client software updates.
Finally someone actually mentioning the code. In PoS "trust" must exist along several points in time before you can engage with the system - and the most notable point being trusting that the rules (written in the code) are of your desire.
With PoW you don't care about the software code. The rules are dominated by the PoW because it literally proves to you which is the chain where most people are interested in, because literally no single entity could burn that much electricity.
With PoS on the other hand you kind of need these checkpoints in the actual software and then you have to activate this entire new trust model where you have to trust the client code, and where it came from etc. I could literally come up with an entire fake chain on my computer and present it to you and without client-checkpoints there would be no way for you to not accept my chain compared to your current one.
With PoW I don't have to trust anything. If the majority next year decides to change the rules, so be it. The majority has spoken.
I was talking about the consensus part. You don't need any client code to understand which is the agreed-upon chain, you verify the hash was generated using lots of energy.
For transacting indeed you need to trust the various clients, but that's easy and can be done once. With the consensus isn't being tampered with, and, more importantly that others are using other types of rules.
Is the threat of long range attacks in PoS any worse than PoW in practice?
Bitcoin for example still relies on a list of hardcoded nodes for bootstrapping clients. Not to mention very few people actually bother to verify the full chain (360GB and counting) from genesis.
As for auditing the integrity of the code or binary, it is signed by GPG keys hosted on public key servers accessed using X509 certificates pinned by a couple of trust anchors preloaded in your OS. So much for distributed consensus...
> As for auditing the the integrity of the code or binary, it is signed by GPG keys hosted on public key servers accessed using X509 certificates pinned by a a couple of trust anchors preloaded in your OS. So much for distributed consensus...
You can literally validate the entire chain with a simple python script. Millions of those on github.
> Not to mention very few people actually bother to verify the full chain (360GB and counting) from genesis.
Absolutely wrong. The chain is validated in its entirety upon first sync. 100% from genesis to tip.
> Bitcoin for example still relies on a list of hardcoded nodes for bootstrapping clients.
It doesn't. Longest valid chain with most work is the canonical chain. Hardcoded seed nodes exist to speed up the discovery.
> You can literally validate the entire chain with a simple python script.
I challenge you to present a "simple python script" that implements the exact bitcoin consensus rules (as codified in bitcoin core). Bitcoin is not all that simple and there's a nontrivial amount of complexity in bitcoin script alone [1].
> The chain is validated in its entirety upon first sync. 100% from genesis to tip.
The default behavior is to skip signature verification for all signatures before some relatively recent block [2].
You're misunderstanding the default behavior, which is fine because it's commonly misunderstood and discussed. At any rate signature verification is not skipped by default; what assumevalid skips is script verification. Everything else, including UTXO, proof of work, the transactions themselves, is validated.
The Bitcoin Core client includes a hardcoded list of DNS servers that point to thousands of nodes. These lists get updated frequently by different people. Other clients may use other lists. What is the threat model you're suggesting here, exactly? Do you know any other way to bootstrap a peer to peer network without centralised authorities?
All network participants are forced to verify the full chain from genesis. Some might be OK with validating block header signatures only, and not the full transaction set. It's a tradeoff.
You don't need to use those public key servers if you somehow distrust the CA certificates in your OS. Feel free to contact the repository maintainers or whatever else floats your boat.
Anyway, bitcoin is an open source protocol, not a particular client implementation. If you distrust everything and everyone, no one can stop you from building your own client that works with the rest of the network.
> Do you know any other way to bootstrap a peer to peer network without centralised authorities?
I’m not the parent, but – no, I don’t. But that’s exactly the point. The need to bootstrap from centralized authorities is what’s supposedly so bad about weak subjectivity in proof-of-stake. Yet in practice, it’s needed with proof-of-work as well.
Maybe I didn't word it right, but I wasn't calling bitcoin's method reliant on centralised authorities, just asking if there were more methods out there that weren't as well.
Bitcoin is an open source permissionless protocol, so you have multiple clients to choose from, each with their own list of bootstrapping nodes, many open source where you can submit a PR to add your node too. You can even build your own client and point to whatever you want. You can also just ignore them and just point directly to nodes in a list from a public forum, a private chat, whatever.
Also, you're not just connected to those bootstrapping nodes: you use them to find the rest of the peers in the network.
It seems that PoW is like recursion. You don't get it at all until you completely get it. It's a leap to understand it and somehow many very technical people don't understand a seemingly simple protocol even a decade after it became mainstream and is threatening national banks due to the very characteristics these people claim it doesn't have.
> Bitcoin is an open source permissionless protocol, so you have multiple clients to chose from, each with their own list of bootstrapping nodes, many open source where you can submit a PR to add your node too. You can even build your own client and point to whatever you want. You can also just ignore them and just point directly to nodes in a list from a public forum, a private chat, whatever.
I characterized this as relying on centralized authorities (albeit several of them), but sure, it can also be considered decentralized to some extent.
The point is that it's a mechanism outside of the proof-of-work network itself. Instead of relying on a machine to reach consensus via a formal protocol, you the human are probing for a social consensus by evaluating statements made by other humans (via GitHub, public forums, or private chats, or just talking to people in person).
In both proof-of-work and proof-of-stake, you need to find social consensus in order to initially obtain the software, after which point you can rely on the network's consensus.
The difference with proof-of-stake is that you have to redo this if you disconnect from the network for months on end.
In practice, for a variety of reasons, practically all users of cryptocurrencies download regular software updates, and thus continue to rely on social consensus, regardless of whether the currency is proof-of-work or proof-of-stake.
I want to take a moment to note what you're doing here. You're making a negative argument, in want of a better word. It goes something like this:
1. X is a problem?
2. But Y is also a problem, in my opinion.
3. X and Y are both the same, I think.
4. Therefore X is not a problem.
We can - theoretically - verify the correctness of PoW software by downloading the source code, reading it over, etc. We can also refuse to update, reducing ourselves to SPV security. We can internally verify the checkpoints using 100% objective standards. There are other things as well. This is not the case for PoS, where our "signature A existed at time B" has to be taken as faith, or evidence of things unseen. There is no internal way to verify the veracity of such a statement.
The fact that users aren't personally doing this, is not the same as saying it makes no difference whether they are able to or not. I'm not personally going to withdraw all the money in my bank account - that would be ridiculous - but if the bank informed me I was no longer able to withdraw the money in my account, that would not be suitable at all. The assurance that I can do it makes it so that I don't have to.
It seems like you reject this premise, maintaining that PoW networks are objectively verifiable? But you didn't really refute the parent's point there, which was that there are no "objective standards" in deciding which bootstrap nodes to use; it's ultimately a matter of trust. If I trust the wrong bootstrap nodes, I can be eclipsed from the real network.
Granted, I only have to trust that a single bootstrap node from the list will faithfully connect me to the honest network. But PoS involves a very similar 1-of-n trust model; I can request checkpoints from n semi-trusted sources and check that they match.
Also, granted, if I pick bad bootstrap nodes, I can still detect if I'm being eclipsed by looking at the hash rate. But how do I know what hash rate to expect? I could check n websites with hash rate charts, but that brings us back to 1-of-n trust.
> 4. Therefore X is not a problem.
IMO it's a manageable problem. Users just need to be cognisant of these trust assumptions they're relying on, and be thoughtful about picking semi-trusted peers (whether bootstrap nodes or checkpoint providers).
> It seems like you reject this premise, maintaining that PoW networks are objectively verifiable? But you didn't really refute the parent's point there, which was that there are no "objective standards" in deciding which bootstrap nodes to use; it's ultimately a matter of trust. If I trust the wrong bootstrap nodes, I can be eclipsed from the real network.
Right, but it's not about trust in the same way. I can add an infinite list of bootstrap nodes. Quantity matters, not quality.
> But PoS involves a very similar 1-of-n trust model; I can request checkpoints from n semi-trusted sources and check that they match.
"Very similar," not the same. You need "semi-trusted sources", and there's no objective standard in case they disagree.
Hi Nick, very well said and this is precisely my point as well.
Satoshi tried to convince us that we could decentralise trust by doing honest work instead of relying on authority. It turns out that doing work is actually pretty hard, people are lazy, and security is still the nemesis of efficiency.
> Do you know any other way to bootstrap a peer to peer network without centralised authorities?
In IPv4 a client might have a chance at auto-discovering peers.
It's also not necessary to rely on a single centralized authority. There are many things (DNS, Encyclopedias, Linux kernel mirrors, etc.) where the majority of existing centralized authorities agree with each other.
DNS is based around central authority though. Every root zone has name servers that serve as the authority. Their responses get cached at various levels but take those servers offline until TTLs start expiring and everything breaks.
What part of DNS do you feel is possible without a centralized authority?
> Bitcoin for example still relies on a list of hardcoded nodes for bootstrapping clients.
It does, but it doesn't have to. You can use any mechanism you want to obtain one initial node and take it from there. You will still be connected to the network just as well, and you will be guaranteed to obtain the same results. This differs from Proof of Stake, where the quality of the results will be influenced by the quality of the bootstrap.
I verified the full chain a couple of weeks ago (but I admit I trusted umbrel to choose the "correct" bitcoin-core software to run); it took less than 3 days to sync on a Rpi4.
'Policy changes' and hard forks have about as much to do with PoW as whether the Federal authorities should ban cryptocurrencies or not - they're outside the realm of consensus algorithms. In PoW there are no friends. If your blockchain is incorrect (i.e not the longest) your transactions on it are invalid and will be rejected by the rest of the network.
> If your blockchain is incorrect (i.e not the longest) your transactions on it are invalid
If your chain tip is on the dead side of a hard fork (i.e. if the majority of the network will predictably soon finish switching away from software which considers your chain tip valid, to software which considers your chain tip invalid), then nobody cares if your chain tip is the longest in the interim, or how long you still hold out running the software that considers your chain tip valid. Your side of the fork no longer holds any economic value as a platform for transactions, so nobody will participate in it. You'll just be out there mining blocks all alone, blocks that say you earn all the virtual tokens, but where those tokens are worthless on your side of the fork.
It's a bit like how, in old pre-*serv IRC networks, in cases of netsplits, you could end up on a partition of the network where you were the only one in a previously-moderated channel; and so you could effectively do whatever you wanted in that channel. But it didn't really matter, because nobody could hear you.
Um, yes. I should have phrased that as 'your transactions based on it are invalid in the network'. You just described consensus working correctly, but like I said hard-forks and policy changes are outside the scope of PoW, so saying PoW does not handle hard-forks is not really a valid criticism of PoW.
"nobody cares if your chain tip is the longest in the interrim,"
Except the people you bought something real-world from, once they figure out that their "tipcoin" is worthless. So now it's a question of convincing some people that your technobabble is valid enough. How hard is that?
No, policy changes make for a new blockchain. That's what is usually referred to as a "hard fork", as opposed to a "soft fork" where consensus rules are only allowed to get stricter, exactly because ownership of a coin should be guaranteed forever.
You could follow the consensus rules set out from the beginning and you would still end up on today's majority chain.
I believe there were a couple of early bug fixes along the way, which makes this not strictly true. As in the original first release of the software not actually capable of downloading all of the chain, which some people love to point to as a proof of it being a fallible system. This is probably true but doesn't really detract from the original point of guaranteed ownership by never relaxing the consensus rules.
Not really. If you fall asleep for a period of years, you can still get a signal of how genuine any proposed fork is by observing the chain of blocks and their difficulties. That's the crucial bit of any PoW system - you can't fake the energy that was spent producing the chain. That's a way to externally validate the honesty of a system and a major scientific breakthrough that Satoshi discovered.
The difference in Proof of Stake is a lawsuit could force the distributor of the software to change the hash to one where coins weren’t stolen. As most developers are not pseudonymous, this poses a threat to the honesty of the system.
You mention “POW forks”, but Bitcoin’s POW has never been hard forked: you’d need to trust a Bitcoin expert to tell you if it was a good idea.
> The difference in Proof of Stake is a lawsuit could force the distributor of the software to change the hash to one where coins weren’t stolen.
And with proof of work a lawsuit could force the distributor to change the consensus rule so that a particular transaction is invalid - just as Ethereum did voluntarily with the original DAO.
> You mention “POW forks”, but Bitcoin’s POW has never been hard forked
Instead it’s been soft forked, which turns the consensus rules into a popularity contest. If a soft fork produces two competing branches of the blockchain, old clients will go with whichever branch has more mining power. Which means you open yourself up to interesting attacks like convincing 51% to literally steal the funds of the other 49% (which is much worse than a mere double spend). Or, more realistically, in the case of a contentious soft fork that ends up roughly fifty-fifty, you could ‘just’ end up on a different side of the fork from the people you want to transact with. Either way, soft forks don’t make the downsides of policy changes go away.
Changing consensus rules requires coordinating a fork. This requires coordinating developers, miners and node operators. That may fly in pseudo decentralised chains where the community accepts whatever the leader says so, and even so, at high risk. In bitcoin, for instance, where there is no leader, this would never be a viable scenario.
Soft forks don't force you to download and run new clients just to be able to use the network, which is an important difference. You can use your existing client, you just don't have the new features and don't run validations on them.
The greatest risk on soft forks is that chain split you mention. That's why any reasonable soft fork deployment requires a long time window with a large majority of hashrate signaling support (like 95%).
Changing a PoS checkpoint would also require coordinating a fork. Even if a dev team were forced to make the change, they couldn't make everyone go along with it.
> The difference in Proof of Stake is a lawsuit could force the distributor of the software to change the hash to one where coins weren’t stolen.
In Proof of Work, a lawsuit could force the distributor of the software to hard-code a transaction that reverses the coin theft. But in both the PoS case and the PoW case, anyone using that client would be partitioned off from the honest network majority.
> You mention “POW forks”, but Bitcoin’s POW has never been hard forked: you’d need to trust a Bitcoin expert to tell you if it was a good idea.
Bitcoin's PoW forked in 2013, when a database upgrade to the software made it incompatible between two recent versions. The Bitcoin developers had to jump in and tell people which PoW fork to follow and which one to abandon.
Proof of work has always had an economic flaw that you could theoretically temporarily rent enough mining power to perform double spends of more value than the cost of renting those devices.
But this attack has never been performed because the reality of all these cryptocurrencies is that the security depends only relatively weakly on proof of work. Instead it relies on trust between the main stakeholders: miners, big nodes and developers. This is just like any other human organisation. That trust is only reinforced by proof of work, making it easier for new parties to become trusted.
This attack has happened, at least twice to ETC and many others.
Proof of work networks with the same hash algorithm are a threat to one another, particularly, if a network exists that is profitable enough to have exorbitant resources dedicated to mining, those resources are available to attack a much smaller network if that becomes more profitable for some period than just continuing to mine the bigger one.
Proof of work then only protects the largest projects using unique hash algorithms.
To execute a double spend, you (the one sending the transaction) and the miner must coordinate.
For large transactions, it is recommended to wait for six confirmations (six blocks that agree with the transaction and have not been 51%ed).
The 1-hour 51% cost of Bitcoin is $1.9M. However, you would need much more time than that to find six consecutive blocks alone, without the help of the network. So, while the network is 6 blocks ahead, you need to find 7 blocks. The network moves forward a block, you must move forward more than one block to catch up. This could take a long time, and longer the more confirmations are required; each confirmation makes each previous transaction exponentially more secure. Simply controlling the mining power momentarily only leaves recent transactions vulnerable.
However, that much hardware is available for rent; see “Nicehashable.”
I don't see how more confirmations makes it exponentially harder to mount a 51% attack: you just need to be mining faster privately than the remaining community until you (a) have a lead, and (b) have maintained that lead for the confirmation window.
There's luck involved too. In the limiting case, imagine you have 0.001% of the network hash rate and need a 1 block lead. This can happen every now and then, but getting a 2 block lead is basically impossible.
According to that formula, in a 51% attack, probability of success = 1 (since 51% attack means you are more likely to find a hash than all others combined), right?
Renting out equipment for miners is dangerous, as an attack on the network can wipe out all their sunk costs. Bitcoin miner farms are very strongly incentivized to be aligned with the long term health of the system, so they try to play nice, close to the ethos of Bitcoin (they learned enough from the blocksize wars that they can get burned if they go against Bitcoin).
An attack on bitcoin might have other motivations. For instance, a powerful government might attack bitcoin specifically to undermine bitcoin's credibility and utility.
I was talking about motivations for renting out, not attacking. A government would just take over the miners with violence probably if it wanted to attack the system.
If a halving forces a bunch of miners off the market (because their expected revenue drops below operating cost), there could be a huge glut of hardware flooding the market that is not profitable for honest mining but allows a bad actor to temporarily accumulate hashrate.
Bitcoin's price goes up faster than the effect of the halving (16x vs 0.5x every 4 years), and with the current chip shortage and slowdown of improvements miners generally plan for 4 years, but old, inefficient miners with low utilization can become an attack vector.
> Proof of work has always had an economic flaw that you could theoretically temporarily rent enough mining power to perform double spends of more value than the cost of renting those devices.
It’s not a flaw if it’s only theoretical. In practice, no miner with billions of dollars of capital bound in mining hardware would rent it out to someone who might do something that would significantly depreciate this capital (e.g. attack the Bitcoin network).
He lost me at the part where he thinks you can sign messages after withdrawing your stake.
The whole point of proof of stake is that you can only sign blocks or messages while you have something staked. When you withdraw you are no longer allowed to sign anything.
He also didn't need to spend 1000 words going on about the history of bitcoin and proof of work.
This is literally just a filler piece with a provocative clickbait title to stir up the anti-cryptocurrency folks here.
What do you mean by "allowed to"? In a PoW system, the PoW is a distributed timekeeping device. That's the actual operation the PoW does, and the distributed timekeeping is then what you can build a blockchain on. PoS does not do distributed timekeeping. If you sign a block now, then go back later and sign a different block with the same key, there's no distributed clock that can be used to prove which was actually signed first.
The obvious argument here is "the one that was signed first will then have other blocks built on top of it". But since there's no PoW, building a parallel blockchain is trivial to compute, the only restriction is being able to produce something that's actually convincing enough. That and having people say "well, I was there at the time and I saw a different block than this", but that's just relying on authority rather than something that can be proven within the system.
Basically, PoS requires something external to the system to prove that history hasn't been changed. PoW technically does too, but what it relies on is "physics" and "provable historical fact" (i.e. approximate computing power available in the past).
You certainly can build a system that depends on something external to itself to ensure its consistency, but this challenges its claim to being "decentralized" and limits the amount of trust you can place in the system (and consequently the power of what it can do).
The clock issue is an excellent point, but the ethereum PoS has a nano-scale PoW mechanism for this exact problem. Look at VDF "Verifiable Delay Functions" [1].
In short:
If you take the pbkdf2 key derivation function: its job is to slow down hashing a thousand fold or so, so that hashing an entire search space becomes impractical. You give your secret in input, and it gives you a hash, let's say, in 1 second. You'll have to spend the time again to recompute the hash. With a faster machine, you can compute in maybe 100ms, but still, there is a limit in how fast you can obtain the result.
Now change the cryptographic properties of pbkdf2, so that you can go back from the output to the input in constant time, so you can find the secret from the hash in O(1). Then, it becomes useless for actual secrets, but you now have an instantly verifiable proof that a certain amount of time (or serial computation) had to pass to get from the input to the output. Plug the input to the previous block hash, and embed the result in the next block, and you have your clock, based on physics and provable historical facts.
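Added example, not from the commenter above or from any Ethereum code: the construction they describe (slow to go one way, cheap to go back) is essentially the "sloth" style of VDF, and it can be shown in a few lines of Python. The slow direction is a chain of modular square roots, each a full exponentiation of about log2(p) multiplications that cannot start until the previous one finishes; the fast direction undoes the chain with one squaring per step. The prime 2^521 − 1, the step count and the seed are demo parameters I chose (it is ≡ 3 mod 4, which makes the root a one-liner); a deployed VDF would use a prime of around 2048 bits and many more steps.

```python
import hashlib

# Mersenne prime 2^521 - 1, congruent to 3 mod 4. Demo parameter only.
P = (1 << 521) - 1


def _pow_counted(base: int, exp: int, p: int) -> tuple[int, int]:
    """Left-to-right square-and-multiply; returns (result, modular multiplications used)."""
    result, mults = 1, 0
    for bit in bin(exp)[2:]:
        result = result * result % p
        mults += 1
        if bit == "1":
            result = result * base % p
            mults += 1
    return result, mults


def vdf_eval(seed: int, steps: int, p: int = P) -> tuple[int, int]:
    """Slow direction: `steps` sequential modular square roots.
    Each root costs ~log2(p) multiplications and needs the previous result,
    so the work is inherently serial. Returns (output, total multiplications)."""
    x = pow(seed % p, 2, p)  # start from a quadratic residue (QR)
    if x == 0:
        raise ValueError("seed must not be 0 mod p")
    total = 0
    for _ in range(steps):
        # For p ≡ 3 (mod 4), x^((p+1)/4) is the square root of x that is itself
        # a QR, so the chain stays inside the QRs and squaring inverts each step.
        x, mults = _pow_counted(x, (p + 1) // 4, p)
        total += mults
    return x, total


def vdf_verify(seed: int, output: int, steps: int, p: int = P) -> tuple[bool, int]:
    """Fast direction: undo the chain with `steps` squarings (one multiplication each)."""
    y = output % p
    for _ in range(steps):
        y = y * y % p
    return y == pow(seed % p, 2, p), steps


def seed_from_block_hash(block_hash: bytes) -> int:
    """Derive the VDF input from the previous block's hash, as the comment suggests."""
    return int.from_bytes(hashlib.sha256(block_hash).digest(), "big")


if __name__ == "__main__":
    seed = seed_from_block_hash(b"previous block (constructed)")
    out, eval_mults = vdf_eval(seed, 1000)
    ok, verify_mults = vdf_verify(seed, out, 1000)
    print(f"valid={ok} eval_mults={eval_mults} verify_mults={verify_mults} "
          f"asymmetry={eval_mults // verify_mults}x")
```

With a 521-bit prime the evaluator spends 521 multiplications per step and the verifier one, so checking is about 500 times cheaper than producing, and the gap grows with the prime size. Note what the check does and does not give you: it proves that at least `steps` serial root extractions separate input from output, not how many seconds that took on the attacker's hardware, which is exactly the objection raised further down the thread.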
The site isn’t particularly accessible for a quick discussion so I appreciate your explanation, thank you.
However, I’m not sure I understand how this is supposed to help. Proving that a few seconds passed just slows down block generation a little, but this cannot be a significant barrier to block generation or else you just have a full PoW system again. And if it’s not a significant barrier then it’s not clear to me what this is supposed to do, beyond preventing me from generating and signing a new block within milliseconds of some event happening.
But since the “nano scale” PoW doesn’t define the rate of block generation, it just establishes a lower bound, it feels like it’s just a speed bump for anyone trying to attack the system. If it only takes 10 seconds to rebuild the last 100 minutes worth of blocks, then it doesn’t establish a universal clock and therefore cannot prove which block came first.
With VDF you cannot rebuild the 100 minutes worth of blocks in less than 100 minutes, because with the VDF logging, you just proved that you would need at least 100 minutes to go from block n to n+(100 minutes). You can check in 10 seconds, but can only produce in 100 minutes, just like you can check in an instant that a bitcoin block starts with enough zeroes. So it defines the rate of generating blocks.
Of course, nothing can stop anyone from creating parallel 100-minute long branches if that was the only thing, as, unlike PoW, it does not cost anything (except time) to create branches.
So you still need a consensus mechanism, a way to, as an agent of the network, decide what is the right branch. On bitcoin, it is very simple: go to the longest chain, it's where the majority of mining power went, so that is clearly the consensus (with 1 joule = 1 vote).
On ethereum, it's much more complex, involving promises with money at stake locked somewhere, so that anyone can detect cheaters, automatically unlock and take their money as punishment, and reward the whistle-blower with it. So, unless everyone is foolish enough to watch their money seized by the network, it does not happen.
The exact way the correct branch is decided is by random election of one staker, where the randomness is proved to be actually random. After all, using a VDF, you can now prove that its output won't be known until x seconds have passed, if you put the most recent block hash as input. So during that time, you can agree on a fair pseudo-random election algorithm that will take this VDF output as a seed when it becomes available.
Ok I just looked at https://medium.com/@djrtwo/vdfs-are-not-proof-of-work-91ba3b... for an explanation. VDF is proof of work. It's just proof of sequential work. It does seem plausible that a VDF would significantly reduce the amount of computing hardware being used in generating blocks, but it fundamentally is still a proof-of-work scheme, just one that requires faster processors rather than more nodes if you want to speed it up.
The thing though is that this doesn't prove that X seconds have passed. It proves that X seconds have passed on whatever baseline hardware has been used to calibrate it. I don't know who actually computes the VDF in the proposed proof-of-stake schemes, though I would assume it's "whoever is proposing a block" (is this the same as the staker? Does this mean every single staker is picking a block and computing their own VDF, meaning everyone is still burning CPU?). And this means the VDF can only establish a minimum CPU requirement. It can say "X seconds have passed on the minimum hardware we're requiring at the moment", but anyone with faster hardware can still compute it faster.
And also because this PoW scheme cannot require more than X seconds for any participant to compute, it means an attacker that starts computing their alternative blockchain at the same time as the block they want to replace faces no difficulty. All this does is interfere with the ability to decide after the fact that you want to attempt to replace history. And even then, if you have hardware faster than the baseline, you can still reach back in time to recalculate a block, you just have to wait longer to do so. And by that I mean if you want to edit a block from 100 minutes ago, and you've got a CPU that's twice as fast as whatever the VDF is tuned for, then it just takes you 100 minutes to compute the replacement blockchain (50 minutes to compute the past 100 minutes, and 50 minutes to compute the new blocks that have been added since you started the attack). So after 100 minutes you now have an alternative chain that everyone thinks took 200 minutes to compute.
Which means now we're just back at the problem of "attacking consensus", where nobody can look at the two blockchains and see within the system which one was calculated first.
---
I suppose the VDF could be calculated by some volunteer with the fastest hardware, though this requires rewarding them for doing so (which means you basically have a monopolist sucking up all of the VDF rewards and no real incentive for nearly all participants to even try and compete). And this is still attackable by someone who can put together hardware that is even just slightly faster than then volunteer. It just takes longer. If the security of the system relies on a volunteer being assumed to have the fastest hardware on the planet, then the system isn't secure. I also question what happens in this scenario when the volunteer goes offline and nobody else has hardware that's as fast. Now the next block isn't ready in X seconds. I assume there's some protocol for "oops nobody has finished computing the VDF in time", but this does provide another avenue of attack for anyone in a position to disrupt the volunteer's connection to the network. Of course, anyone in a position to do that is likely to have access to unusually fast hardware already, but the point is that you cannot rely on the idea that "nobody can possibly calculate this block faster than the VDF is tuned for".
This attack is possible in Bitcoin too, except because Bitcoin is parallelizable, the defense there is that this attack requires spending more money than it is worth as the computing power used to calculate blocks is roughly a function of the value of the network. The danger there is generally in centralizing too much of the computing power among too few participants rather than an outsider breaking the scheme. This attack does work on smaller PoW coins of course, generally by folks who control a chunk of Bitcoin computing power and just redirect it temporarily (if the value in attacking the coin is greater than the expected bitcoin mining rewards for the time it takes to do the attack, then this makes sense).
Honestly, it really seems like we should only have one global PoW network, and everything else should use other systems. Perhaps they should satisfy security by doing things like VDFs for short-term security and storing their blockchain hashes into Bitcoin for long-term security. Bitcoin using up a ton of power is still a problem of course, but maybe there's some sort of approach that can be used to solve the problem of "PoW to establish a global distributed clock" once you remove the "and we want to use this as a currency" part that doesn't invoke a massive arms race. This may involve ditching the idea of "anyone can participate", which also then allows you to change the incentives for running the PoW scheme.
---
Edit: I suppose the VDF's input might not be "the block being computed" but instead "the previous block", and the output then used to elect participants who are then trusted to build the new block. This would allow the new block to indicate whether the VDF actually took longer than expected. But then we're back at a probabilistic function with PoS, where those with the highest stake are now most likely to be trusted and therefore are in a position to abuse that trust.
I suppose reading up more on PoS systems might answer this question. But I really don't want to do that. I've already spent far longer on this than I intended to.
I think you basically ask the right questions. But when you have progressed in your understanding, and you're confronted with the next problem caused by PoS, you seem to assume that PoS is flawed, because you can't immediately think of a solution (which is expected, that's quite a hard problem). The reality is that the issues you mention are well identified and they have solutions for them.
About VDFs, there is a tolerance, you need to be in the same ballpark as the fastest, not _the_ absolute fastest. The more tolerance you need, the less snappy the PoS blockchain will be. They plan to make a low-power ASIC for that task, to be as close as possible to the theoretical max speed for that, and have the lowest tolerance margin as a result.
Also, there is a way to reduce all VDF results so that only one of the whole set of VDF-ers needs to be honest.
So it's not one volunteer, but a pool of volunteers, using low-powered ASICs so close to the theoretical max (i.e. speed of transistor switching) that you couldn't outrun them enough to profit from that speed-up. I am not sure if they are incentivized, because it's not costing a lot, but maybe.
> Edit: I suppose the VDF's input might not be "the block being computed" but instead "the previous block", and the output then used to elect participants who are then trusted to build the new block. This would allow the new block to indicate whether the VDF actually took longer than expected.
Indeed, that's what I thought I was saying, but maybe I was not clear enough.
I think the biggest problem with his whole argument is when he wants to give some examples of community consensus being a problem, and gave examples from the PoW world (Bitcoin small block size decision, Ethereum hard fork) - that to me completely destroyed his own argument that PoS is more community-dependent than PoW.
Those two examples were demonstrating what happens when you don't have provable consensus. They weren't issues with the validity of the blockchain, but debates over changing the software itself. They're good examples of why centralized development of a decentralized protocol still opens up the software to attacks (though with the option of continuing the blockchain without the software change, as Ethereum Classic did for a while), and demonstrates why having a provable consensus mechanism is important.
> When you withdraw you are no longer allowed to sign anything.
But I didn't withdraw my stake. I have a whole chain of blocks saying I never withdrew anything and it's perfectly valid because I signed it, and I still have a stake. Oh, you have another chain that says I did withdraw? Who are we going to believe? Who was first?
The argument he's making is, you could stake for blocks 10000-10005 and get your money back.
And then produce a big fake chain from 10,002 (in the middle of the time you were staking) -> 10,000,000 later, with an alternate history in which you didn't stop staking.
I don't think this attack is particularly realistic for a lot of reasons, but PoW does have some small amounts of additional strength against these scenarios.
Signing is a cryptographic operation. You can still sign a block after you don’t have something staked. People won’t accept that signature unless you have something currently staked. But then the question arises- who decides who withdrew their stake? Other stakers?
After withdrawal is completed, your node would no longer be in the set of active validators and from that time could not validly propose a block or submit an attestation (or, more accurately, be selected as a block proposer, etc.)
I can still propose blocks invalidly, you see. And then someone who doesn't already have the consensus (e.g. trying to sync) will have no way to tell which is legitimate.
This is the problem - you can't look at what the system does when everything's working as it should, you have to look at what happens when it's outside of the comfort zone.
Even a relatively light reading of the Annotated Specs for Eth2[1] and/or the Eth Org's Proof of Stake FAQs[2] suggests the designers (and independent implementer-teams who gave feedback to designers, who gave direction to the implementers... lather, rinse, repeat) understand it's important to consider the overall system "outside of the comfort zone".
> That key is valid to sign any number of versions of, let’s say, block #200, and there is no objective, system-internal standard for which version is legitimate, other than “the one that was published first”.
The real block #200 will have hundreds of attestations courtesy of randomly-selected validators, each of those signatures attesting to its validity and finality.
Attestations don't have a real world economic cost that can be validated trustlessly within the system. If you compromise or coerce enough validators, you can rewrite the history for no cost.
That's what PoW provides that PoS just doesn't. Immutability.
In fact, I would argue that one of the most important products of bitcoin, is providing the hardest, most immutable database human civilization has ever created. We could theoretically lose it and we could control and manipulate what goes into it going forward, but once a piece of data gets confirmed and buried under a few days worth of bitcoin's PoW, it can never be changed or removed from the blockchain. This is a severely undervalued use case in my mind.
I suspect that most PoS coins will eventually decide to periodically peg themselves into bitcoin's blockchain to timelock their blockchains and provide some immutability to their users.
Having said that, humanity probably only needs one PoW blockchain. Bitcoin.
I have to say I appreciate your transparency in directly Bitcoin shilling.
> If you compromise or coerce enough validators, you can rewrite the history for no cost.
If you can. You would need to compromise thousands of randomly selected validators just to forge one block. That impossible task notwithstanding, the validators are selected with maybe five minutes’ warning.
PoW doesn’t even offer absolute immutability, it’s just longest fork wins. Which is secure because of the economics, not because of a notion of perfect immutability.
Likewise, ETH2 provides a definition of finality that’s backed by economics.
Exactly. These PoS FUDers fail to realize that largely the same, if not stronger, economic factors protect PoS as they do the PoW blockchain. Both fundamentally rely on 50% of validators needing to be honest. With PoW, anyone with sufficient computational resources can execute a 50% double-spending attack. I am sure that if a few of the largest BTC miners conspired, they could right now execute a 50% attack. That's not in their best interest however, as it would permanently ruin the reputation of BTC and they'd be left with whatever proceeds the attack yielded, but also millions of USD worth of mining equipment that'd be rendered largely useless.
With PoS exactly the same works. Most of the holders should be honest, and a successful attack would require spending at least 50% of the market cap of the coin to successfully execute - and then losing that stake as the reputation of the coin is soiled.
> but once a piece of data gets confirmed... it can never be changed or removed from the blockchain.
But it can, in the exact same manner as described in this article: have an 51% attacker build up a long chain and hide it from the world; then publish it.
PoW is vulnerable to exactly the same type of attack described in this article. In order to build a longer chain with non-negligible probability, you need to stake at least 51% of the pool.
No, the difference is that to build a side chain you have to produce the work, work that has a real cost and takes time; remember, in PoW the chain with the most work wins.
The block 200 will be adding validation to the previous blocks, and will be validated by the future ones. Without other types of checks, nothing stops you from rewriting the previous 199 blocks and using block 200 to validate them.
This is not FUD, it's the most obvious PoS flaw, called long range attack, and the reason PoS chains often need more checks to be more trustworthy (e.g. keeping hardcoded checkpoints, choosing the first received block as valid, introducing penalties and so on).
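Added example, not posted by any commenter and not the code of any real PoS chain: a toy ledger in Python that makes the long-range attack from the last few comments concrete, together with the hardcoded-checkpoint mitigation just mentioned. Validity is derived purely from the chain's own history (who is in the validator set, who withdrew), exactly the "not allowed to sign after withdrawal" rule, and the example shows that this rule is enforced within a history but cannot choose between two histories. HMAC with constructed keys stands in for a real public-key signature; the keyring, the schedule of blocks and the transaction strings are all made up for the demo.

```python
import hashlib
import hmac
import json

# Constructed toy keys. HMAC stands in for a public-key signature here; a real
# verifier would hold only public keys, but the validity rule is the point.
KEYRING = {"A": b"validator-A-secret", "B": b"validator-B-secret"}
GENESIS_VALIDATORS = ("A", "B")
ZERO_HASH = "0" * 64


def block_digest(block: dict) -> str:
    body = {k: v for k, v in block.items() if k != "sig"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def make_block(height: int, prev: str, proposer: str, txs: list, key: bytes) -> dict:
    block = {"height": height, "prev": prev, "proposer": proposer, "txs": txs}
    block["sig"] = hmac.new(key, block_digest(block).encode(), "sha256").hexdigest()
    return block


def validate_chain(chain: list, keyring: dict = KEYRING,
                   genesis=GENESIS_VALIDATORS, checkpoint: tuple = None) -> tuple:
    """Replay the chain from genesis, deriving the active validator set from
    the chain's own history. `checkpoint` is an optional (height, digest) pair
    the chain must pass through. Returns (ok, reason)."""
    active = set(genesis)
    prev = ZERO_HASH
    for expected_height, block in enumerate(chain, start=1):
        if block["height"] != expected_height or block["prev"] != prev:
            return False, f"broken linkage at height {expected_height}"
        proposer = block["proposer"]
        if proposer not in active:
            return False, f"{proposer} is not an active validator at height {expected_height}"
        digest = block_digest(block)
        expected_sig = hmac.new(keyring[proposer], digest.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected_sig, block["sig"]):
            return False, f"bad signature at height {expected_height}"
        for tx in block["txs"]:
            if tx.startswith("withdraw "):
                active.discard(tx.split(" ", 1)[1])  # takes effect from the next block
        if checkpoint is not None and checkpoint[0] == expected_height and checkpoint[1] != digest:
            return False, f"checkpoint mismatch at height {expected_height}"
        prev = digest
    return True, "ok"


def build_honest_chain() -> list:
    """A and B alternate; at height 3 A withdraws, after which only B proposes."""
    schedule = [("A", []), ("B", []), ("A", ["withdraw A"]), ("B", []),
                ("B", ["pay bob 10"]), ("B", []), ("B", []), ("B", [])]
    chain, prev = [], ZERO_HASH
    for height, (proposer, txs) in enumerate(schedule, start=1):
        block = make_block(height, prev, proposer, txs, KEYRING[proposer])
        chain.append(block)
        prev = block_digest(block)
    return chain


def build_long_range_fork(honest: list, fork_from: int = 2, length: int = 12) -> list:
    """A, long after withdrawing but still holding its old key, rewrites history
    from `fork_from`: in this version A never withdrew and proposes every block.
    Nothing but signing is needed, so the fork can be made longer than the truth."""
    chain = list(honest[:fork_from])
    prev = block_digest(chain[-1])
    for height in range(fork_from + 1, length + 1):
        txs = ["pay mallory 10"] if height == 5 else []
        block = make_block(height, prev, "A", txs, KEYRING["A"])
        chain.append(block)
        prev = block_digest(block)
    return chain


def checkpoint_for(chain: list, height: int) -> tuple:
    """A (height, digest) pair a client could ship hardcoded."""
    return height, block_digest(chain[height - 1])


if __name__ == "__main__":
    honest, fork = build_honest_chain(), build_long_range_fork(build_honest_chain())
    print("honest chain valid:", validate_chain(honest))
    print("forged chain valid:", validate_chain(fork), "(and longer:", len(fork) > len(honest), ")")
    cp = checkpoint_for(honest, 8)
    print("forged chain vs checkpoint:", validate_chain(fork, checkpoint=cp))
```

Both chains pass every in-protocol check, so a freshly syncing node has nothing internal to prefer the honest one by; appending an A-signed block to the honest chain after the withdrawal is rejected, which is the only thing "no longer allowed to sign" buys you. The checkpoint resolves the choice, but it is information delivered outside the chain (by the client developers), which is the trade-off the surrounding comments are arguing about.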
It was voted for by 8000+ validators. Many of them have been validating since beacon chain genesis a year ago. There are like 260k validators active right now.
I find it highly unlikely some entity is going to come along and try to pretend their alternate history, with a whole new set of hundreds of thousands of validators (which wouldn’t be supported by any ETH1 deposits) and millions of signatures signed by 260k freshly generated public keys, is in any way legitimate.
ETH2 was years in the making, with multiple delays and not fully migrated yet precisely because of how unsafe standard PoS is. Vitalik and co spent years researching the best mitigations.
Right now, it seems to be one of the best protected PoS chains. It's still fairly new, with novel mitigations, so it still doesn't stand the test of time against all possible attack vectors.
In that sense, it still can't be considered as secure as a PoW chain with high hashrate, which is protected by thermodynamics (you can't produce more hashes than the physical energy you have access to allows).
But there are ways to mitigate the bootstrapping issue to some degree.
And PoW chains tend to have a low cost at the beginning, making them similarly not easy to bootstrap safely (though easier than PoS).
In the end I don't think what is theoretically better matters; what only really matters is what practically matters for big cryptocurrencies (and smaller ones can, during bootstrap (and potentially later on), interlink with the large chains).
PoS is more quantum-resistant though. If someone were to build a quantum computer capable of running Grover's algorithm on bitcoin hashes, they would get a quadratic speedup over classical miners. That's a threat that doesn't exist on PoS.
(Both would be vulnerable to Shor's but post-quantum signatures would fix that.)
PoS is a class of consensus protocol, not any particular blockchain. It's orthogonal to signature algorithms. A blockchain can incorporate any combination of consensus algorithm and signature algorithm. So yes, please use your terms correctly.
If sufficiently powerful quantum computers become readily available to anyone, sure, everybody will upgrade. Given the exotic hardware they typically require, it seems likely that for a while only a few large organizations will have them.
Grover's algorithm is pretty general, I don't think there is anything we know about that we could switch to.
Shor's is faster but more specific. It works on factoring and elliptic curves, but not on hashes. The advantage of Shor's is that if you have enough qubits, you can get the answer immediately. Grover's only offers quadratic speedup, effectively halving the number of bits in the hash function.
So for signatures we just need to switch to something like a hash-based signature algorithm, with keys having twice as many bits as we'd want against classical attackers. But we don't have hash functions that keep Grover's from working, so a quantum miner would be way faster than classical miners.
Which parts of this are checked by the client software, and which parts are just checked by interested humans in the block explorer?
There's a trade-off here. If you require 8000 guys to all vote in favor of your block, what does the client do if it only sees 7999?
> which wouldn’t be supported by any ETH1 deposits ... signed by 260k freshly generated public keys
You misunderstand. What happens if some of those private keys get compromised? In Bitcoin, if I sell my miners to someone else, it's not like they're radioactive waste that has to be buried. In PoS, someone can cause quite a bit of damage with keys that ostensibly don't contain any money. And because I've already withdrawn, I have no reason to care.
The system is fault tolerant. You typically get 99.X% participating. Any validator that doesn't perform their duty in a timely fashion is penalized and eventually ejected if they are disruptive.
Those private keys are useless unless you had something like 50% of all the active validators' keys. So, hundreds of thousands of private keys hacked. You're not going to be able to damage consensus using a few old leaked private keys. The best you could do would be to slash some active validators and get them ejected, but the chain would carry on finalizing without them.
Whoever the 260k are (and I know some of them) if they’re all one entity, they would have had to stake eight million ETH and counting into the ETH2 deposit contract.
The 8k are randomly selected from this pool of 260k validators via RanDAO every 12 seconds.
It's similar in that 8k sigs are collected and coalesced to sign something. From there the differences begin. M-of-N schemes must be orchestrated ahead of time, using Shamir's or by constructing a BTC multisig UTXO or something. When signing, one may choose freely among the key shards. It's performed in the usual execution layer of the chain.
Whereas in ETH PoS, validation happens in the consensus layer, following strict self-imposed rules. With each new block, one validator is chosen to propose the block, and thousands of validators are asked to back the proposer. The proposer and attestors are chosen randomly but specifically with no freedom to mix and match; the chosen validators must attest (and receive a reward) or else be penalized. Validators don't know each other and they don't need to cooperate to create a shared key ahead of time, all they have to do is deposit and follow the rules. The signatures are agglomerated by [BLS elliptic curve stuff idk it's magic] and help to form the consensus chain itself.
The author has good points, bad points and badly explained stuff. The article is a bit confusing at best and disorientating at worst.
But I'll try to explain here, why the author thinks that PoW is magical. It's still bound to the readers, or philosophers, to pull whatever they want from this.
Proof of Work creates time. In a decentralized system, you don't have time. If time was provable, the double-spending problem would not happen. You would sign a transaction and broadcast it; a second transaction that you would sign later, will have a higher timestamp. Obviously, you can sign a transaction later and have a lower timestamp, there is nothing that prevents you from that.
What Proof of Work does, is create an arrow of time. Using this arrow of time, the nodes create a ledger (the blockchain).
The OP is arguing that PoS cannot create an arrow of time; and as a result, the PoS is still liable to the double-spending problem.
> Proof of stake is a scam. When I say that, I mean that proof of stake is (1) claimed to be a consensus system, and (2) constitutionally incapable of actually producing a consensus.
Ok. Go break one of the many existing systems that operates using proof of stake then. If you've done this, you should be leading your article with it. If you haven't, you shouldn't be speaking.
Proof of stake is not some theoretical thing being proposed in the abstract. Many systems operate on it as we speak.
"Because of all the arguments above, we can safely conclude that this threat of an attacker building up a fork from arbitrarily long range is unfortunately fundamental, and in all non-degenerate implementations the issue is fatal to a proof of stake algorithm’s success in the proof of work security model. However, we can get around this fundamental barrier with a slight, but nevertheless fundamental, change in the security model." —Vitalik Buterin, saying the quiet part out loud
Security model in PoS = trust the rich. Some like having masters, whatever floats your boat.
Miners do not set the rules, they are merely a service that provides immutability to a ledger, with a nuclear option that will bankrupt all the billions they have invested, should they misbehave.
Large stakers can rent-seek and extract your wealth, PoS is the same system we have now, plus some code.
You are quite literally being exploited right this minute, by the same methods outlined in the article.
> Miners do not set the rules, they are merely a service that provides immutability to a ledger, with a nuclear option that will bankrupt all the billions they have invested, should they misbehave.
Stakers do not set the rules any more than do large mining pools.
> Large stakers can rent-seek and extract your wealth, PoS is the same system we have now, plus some code.
I'm not really knowledgeable about all this, but mining of PoW currencies right now seems to rely a lot on mining pools. Isn't there a risk that they are "the rich" and people trust them? What's the difference with PoS there?
Cryptocurrency, whether PoW or PoS, boils down to "give the few rich all the power while giving the many less rich an illusion of security".
In PoW it just slightly tweaks "richness of money" into "richness of computation resources (which you get through money)".
This difference has complicated effects like:
- benefits anyone with cheap electricity (i.e. either places with no environmental protection, government support in some way, or the few places with cheap clean power)
- benefits anyone with good connections to chip factories
- the investment needed for gaining power being less bound to the currency itself but computation power instead
If you'd read the article till the end, perhaps you'd understand where the author is coming from: PoS systems aren't getting hacked today because they aren't truly decentralised. You can't have decentralisation and security with POS, you have to choose one of these. All the projects currently active have chosen security for obvious reasons - they control the majority of validators to make sure nobody steals, and are just fancy centralised mints.
Sure, but if the majority of validators are actually run by the project owners it's effectively centralised. And it's easy to maintain this control if you have the majority of coins to stake. It's not Sybil resistant for this reason - all validators could be owned by one person and you would have no way of knowing.
> all bitcoin miners could be owned by one person and you would have no way of knowing....
Sure, it's entirely possible that BTC is also centralised and controlled by whales. I was merely suggesting that the reason PoS systems haven't been hacked (much) yet is because the validators are controlled by project owners, so they are really centralised payment systems in disguise.
There's a difference though: buying initial stake in PoS may be similar to buying an ASIC in PoW, but mining a chain has a real cost (electricity) in PoW. In PoS there's no cost to mining, so validators have an incentive to stake all possible forks. There's no way to have consensus on the correct chain, because real resources haven't gone into building one up.
It's incredible how people who read a few articles think they have found the smoking gun against a technology on which a lot of crypto researchers devote years of their time to make and analyze. They must think they are geniuses, and researchers are fools. Oh well, nothing new under the sun.
While the discussion about consensus algorithms is interesting and each side has good points, it should not be confused with the much more pertinent decision about symbolic currency (conceptually similar to fiat) versus proof of burned resources money (conceptually similar to gold).
We should not confuse the two topics. It's entirely possible to have a chain where the consensus is established by PoW, yet the monetary base is created by decree without any wasted resources, for example gifted to some charities or dropped by helicopter to anyone who has a Twitter account.
While the security PoW chains create is proportional to the amount of resources spent, there is absolutely no reason to think the current level of burn in Bitcoin is optimal - and strong reason to think that there is massive waste, that is, Bitcoin protects against double spend to a degree orders of magnitude harder than what a credible attacker might be willing to spend. What results is wasted energy that brings no tangible security to the users of the currency.
“Decentralization” has been the argument ideologues have fallen back on time and again in crypto. It’s never well defined and typically used to oppose policies that would promote low transaction fees or increased transaction throughput. It’s why things like Solana, which is focused on massive scale and low fees, have found a foothold. Ethereum is repeating the mistakes of Bitcoin.
Which often aligns with the people that elect them. Central banking fixes serious flaws in money systems, and provides levers to mitigate disasters caused by external forces.
Compare it to a boat. Central banking gives you the ability to steer, sure someone might be bad at it and lead you into dangerous waters. But decentralized currency is like shooting the helmsman and ripping out the rudder because someone did a bad job of it once.
Decentralized currency is the lifeboat if the captain goes mad and decides to steer into iceberg territory. It's harder to steer, but better than sinking in freezing waters (hyperinflation).
It's "decentralized" in the sense that most anyone can confirm that the bar of gold they are holding is real. Gold being taken out of the ground is literally proof of the work that was put into it. Exactly why bitcoin takes work.
The issue is what constitutes a sufficient amount of "decentralization". Extremists who may or may not have ulterior motives seem to oppose any change which by their estimation might decrease the decentralization. They want to minimize the cost of running a full node without consideration for the fact that optimizing that to the extreme causes transaction fees to go parabolic and thus also prices less well-off users out of participating in the network. And if the fees are too expensive to transact, why would you run a full node for a network you can't use? There is no balance in their thinking.
I see you haven't discovered the wonders of ZKRollups yet. Have a read of the works of Polynya [0]. Ethereum will be a settlement layer for these execution chains that can do thousands of TPS at a fraction of the current fee, and their only limit on TPS is data storage, which will be expanded with data shards.
Yeah, I'm aware of that stuff. I don't think it will get traction, and it adds complexity w/o really solving the fundamental problem. My bet is a practical competitor will find a way to balance the different tradeoffs and the winner will be a so-called L1 network.
PoW equally rewards early participants because they take the lion's share of the initial blocks. Satoshi is a multi-billionaire. There are very few blockchains that don't heavily favour early adopters, and for good reason: it acts as a bootstrapping mechanism for the community. Why would anyone participate in a chain where they would get heavily diluted rewards when there are many others that reward early loyalty?
I wouldn't say that HN is staunchly anti-crypto, more crypto skeptical. Many of us were in the scene from the beginning, and have made good money on the hype.
But one thing that's extremely apparent, is that for the past 10 years, the crypto community has been 95% greed, 5% innovation. With the innovation part having picked up speed only the past few years.
At first, it was the an-cap dream. Decentralized, trustless, govt free internet money. No longer were you a prisoner to slow bank-transfers, expensive middle-men (PayPal, etc.), and could purchase whatever you wanted.
Then the price shot up, and everyone wanted to become rich. So people "agreed" that BTC is no longer a coin made for spending, but rather a storage of value. Like gold. Use altcoins if you actually want to spend your crypto. But who wants to spend any, with the rising prices?
Meanwhile, centralized banks, 3rd party businesses, etc. have solved all the personal finance issues that plagued us 10 years ago. In most countries today, you can transfer money pretty much instantaneously, without getting anxiety every time you press "send".
I'll give DeFi, Dapps, etc. credit - they've finally managed to roll out usable things, but it's still way, way too hard for regular users. And most regular people do not give two shits whether something is decentralized and trustless.
I can think of multiple legit uses for the blockchain technology - but I'm gonna be honest, I'm having a harder and harder time seeing how cryptocurrencies will replace any national currency. As of right now, it's almost purely speculation and get-rich-quick schemes.
We're still in the wild west, but it's not gonna stay that way for long. With regulations looming, it's just a matter of time.
As far as I am aware, these long-range forks can be hindered by using verifiable delay functions (VDFs) [1, p. 6]. Essentially, VDFs take a certain number of steps to compute and cannot be parallelized. However, the correctness of their output can be verified efficiently.
Now if a proof of stake includes a VDF that needs to be computed for every block, then a long-range attack needs to recompute the VDF outputs as well. This is infeasible as it will take a long time given the correct choice of VDF parameters.
Notably, the Chia blockchain mentioned in the article would succumb to long-range attacks as well were it not for their usage of VDFs [2, p. 17].
> Essentially, VDFs take a certain amount of steps to compute and cannot be parallelized. However, the correctness of their output can be verified efficiently.
No, a VDF just proves that, given a certain input, you spent a certain amount of time to compute the unique (!) VDF output. As said, this computation must be carried out sequentially. Of course, it can still be sped up by creating an ASIC (the same technology used for Bitcoin miners nowadays). However, there is no point in running multiple ASICs (like a Bitcoin mining farm) because the computation cannot be parallelized and the output is unique. Thus, running one ASIC has exactly the same effect as running thousands of ASICs, and there is no energy waste.
If you go by the usual, energy-wasting meaning of "proof of work" that is also the one relevant to the discussion (i.e., Bitcoin-style PoW which is described in the article), then no.
Yes, in the strict sense of the meaning. In general, the comparison of VDFs (a cryptographic building block) and Bitcoin-style PoW (a consensus mechanism) is not that useful. However, using a VDF as part of a consensus mechanism (see e.g., Chia) does not introduce an energy overhead.
To demystify what a VDF is, consider the delay function (i.e., the majority of the work done to compute a VDF) used by the most prominent proposals:
Let N = p*q be a product of two large primes (so an RSA modulus) and assume that the primes p and q have been immediately thrown away/forgotten after initialization. Then, computing
f(x) = x^(2^T) mod N
is believed (dating back to a paper by Rivest, Shamir and Wagner in 1996) to take T sequential steps provided that T is large enough. For a large T, the only feasible approach seems to be repeated squaring modulo N. That is, compute y = x^2 mod N, y' = y^2 mod N, ... for T times.
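A runnable illustration of the construction described above, added here and not part of the commenter's post: it evaluates f(x) = x^(2^T) mod N by T sequential squarings, shows the shortcut that exists for anyone who still knows p and q (why the thread insists they be discarded), and verifies the output with Wesolowski's proof-of-exponentiation, which is my addition (the thread only states that efficient verification is possible). The modulus, the input x and the hash-to-prime helper are constructed toy values.

```python
"""Toy repeated-squaring VDF: x^(2^T) mod N with an RSA modulus N = p*q."""
import hashlib

# Constructed toy modulus: two small primes so the example runs instantly.
# A real deployment uses a ~2048-bit modulus whose factors nobody retains.
P, Q = 1000003, 1000033
N = P * Q


def evaluate(x: int, T: int, n: int = N) -> int:
    """Honest evaluation: T sequential squarings modulo n.
    Each squaring needs the previous result, so this cannot be parallelized."""
    y = x % n
    for _ in range(T):
        y = y * y % n
    return y


def evaluate_with_trapdoor(x: int, T: int, p: int = P, q: int = Q) -> int:
    """Shortcut for whoever knows the factors of N: reduce the exponent 2^T
    modulo phi(N) first, turning T squarings into about log2(T) of them.
    This is exactly why the primes must be forgotten after setup
    (valid when gcd(x, N) == 1, which holds for the constructed input)."""
    phi = (p - 1) * (q - 1)
    e = pow(2, T, phi)
    return pow(x, e, p * q)


def _is_prime(n: int) -> bool:
    """Trial division; adequate for the 32-bit toy challenge primes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True


def _hash_prime(x: int, y: int, bits: int = 32) -> int:
    """Fiat-Shamir challenge: derive a prime l from (x, y) so the prover
    cannot pick it. Toy: hash, truncate to `bits`, step to the next prime."""
    h = int.from_bytes(hashlib.sha256(f"{x}|{y}".encode()).digest(), "big")
    l = (h % (1 << bits)) | 1
    while not _is_prime(l):
        l += 2
    return l


def prove(x: int, y: int, T: int, n: int = N) -> int:
    """Wesolowski proof: pi = x^floor(2^T / l) mod N. Costs the prover roughly
    another T multiplications; Python big ints build the exponent directly."""
    l = _hash_prime(x, y)
    return pow(x, (1 << T) // l, n)


def verify(x: int, y: int, pi: int, T: int, n: int = N) -> bool:
    """Verifier work is O(log T + log l), not T: since 2^T = l*floor(2^T/l) + r,
    a correct y satisfies pi^l * x^r == y (mod N) with r = 2^T mod l."""
    l = _hash_prime(x, y)
    r = pow(2, T, l)
    return (pow(pi, l, n) * pow(x, r, n)) % n == y % n


def demo(T: int = 2000, x: int = 0xC0FFEE) -> dict:
    """Run the honest path, the trapdoor path, and a tampered-output check."""
    y = evaluate(x, T)
    pi = prove(x, y, T)
    return {
        "y": y,
        "trapdoor_matches": evaluate_with_trapdoor(x, T) == y,
        "honest_verifies": verify(x, y, pi, T),
        # A claimed output that was not actually computed fails verification.
        "forged_verifies": verify(x, (y + 1) % N, pi, T),
    }


if __name__ == "__main__":
    print(demo())
```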
I thought I understood what author says.
After reading comments, I am lost again. I will continue my journey clueless, without ever touching this burning pile of trash with scammers on top.
After reading this whole article, I find it really scary that something like this can get so much attention.
It looks like the author read about PoS circa 2014 and hasn't read anything written or done since then. It's true that the "nothing at stake" problem exists, but there are tons of practical solutions and mitigations that work, many of which are already deployed and protecting >$100M. Soon ETH will be securing trillions with such mitigations.
To address the specific points the author makes:
1. If a node signs another version of the same block within a reasonably short time period, “slash” their deposits (e.g. punish them inside of the system)
You don't have to know which came first, just like in BTC. You just need a longest chain rule with the property that the longest chain is final after a certain point (subject to certain assumptions about the % of stake that is honest). This is how nearly every blockchain works and it's not special in proof of stake.
2. If a node signs another version of the same block, like, a year later, just ignore it.
Yes, that's fine. Lots of chains do this. It's called a "finality mechanism". Even ETC has one called MESS while still using proof of work (although MESS is probably broken). Bitcoin could add one too. This is orthogonal to PoS vs PoW.
I'm trying to understand the central technical argument being made here. Please tell me if I got this right.
---
Somebody has a stake in a PoS crypto currency. They can now do two things: 1) sell their stake 2) sign something fraudulent (like a double spend).
Since there is no decentralized timestamp service, a node validating those two actions doesn't know how to order them, so different validating nodes come to different conclusions, and no global consensus is reached.
---
Is that what the article is trying to say?
And if yes, isn't the solution fairly easy? Within the same "chain link" of the block chain, require each action signed by the same private key to have a strictly monotonic sequence number, and if two actions appear with the same sequence number, discard both of these and all actions signed by that private key.
PoS does produce a reliable monotonic sequence, it's just that it doesn't go back to genesis. Every few months you need a checkpoint hash. The idea here is that this is rare enough so it's easy to find the accepted checkpoint out of band, like we pretty much do for client software already.
Note that I meant a strictly monotonic sequence number PER PRIVATE KEY.
This only means that each holder of a private key must have some sort of synchronization mechanism (if they use several agents/clients), but it doesn't centralize the whole network.
This is like two homeless people arguing who is richer.
Yes, both PoW and PoS solve the double-spend problem, but in a brute-force way. And they never really get rid of the ambiguity of which chain is the one to go by. They just aggregate all the little ambiguities into one or another consistent version of history (a chain) and let them duke it out by massive electricity or stake or whatever. But at any moment, someone could have been mining a chain in “secret” and will emerge to thwart the rest of the network for a while.
There is a better way. Blockchains are actually quite centralized since to make any progress every N seconds you need to send all transactions in the entire world to one miner, and the block is limited in size. Actually it’s worse than that in Proof of Work — because you don’t know who will solve the silly problem, you have to gossip every transaction to every miner!
Oh yeah, and if you store UTXOs then you have to store the history of everything. And even if you didn’t, you have to store the current state of everything. Oh how nice and decentralized! LMAO
I don't get your criticism. Why does requiring gossip to every node cause centralization? Why does everyone having the current state of everything cause centralization?
To make progress, every few seconds or minutes, all transactions in the world must be gathered in ONE place, and placed in ONE block, as the network and adoption grows this becomes more and more expensive for everyone.
There are various aspects of centralization. This is one major aspect: a bottleneck. Just like when all Web 2.0 conversations in the world would have to go through a centralized server. Even if it was a different server each time, it’s still an extremely centralized topology for that state transition.
It means that there can only be one transaction at a time for the whole world, no matter how many computers join the network. No concurrency — it is also why you can have flash loans. This is why Ethereum is called “the world computer” and why Bitcoin failed at being a peer to peer cash system and became a store of value.
I think you have some fundamental misunderstandings of the term "centralization". And also of the way bitcoin works.
All transactions are not gathered in one place, ever. All nodes receive all transactions independently. All nodes are capable of providing a copy of the ledger for verification.
Transactions don't go through a server. Historical record gets finalized by any one participating node. These two things are not the same thing. The transactions that will be mined are publicly known by all nodes before they are mined. Mining only ensures that nobody can change them after the fact.
There is no concurrency, this is true. The systems we have currently are single threaded systems, and from a classical standpoint, hugely inefficient single threaded systems. But this is not the same thing as centralization.
“Blockchains are politically decentralized (no one controls them) and architecturally decentralized (no infrastructural central point of failure) but they are logically centralized (there is one commonly agreed state and the system behaves like a single computer).”
I think you’re mistaken that I don’t know how Bitcoin works. Not only do I know, but I have spoken to many teams doing work in the last 10 years in various alternative systems, and I have even designed alternatives myself.
I used the word server in my analogies. The transactions are, however, all going through one COMPUTER which receives them, puts them in an envelope, finds the right PoW input to “seal” the envelope, and sends it out to everyone. Whoever does that first gets the rewards on that chain. If the transactions do not make it into the block, they don’t count on-chain.
Therefore, every 10 minutes, ALL TRANSACTIONS IN THE WORLD must be gathered by one computer, the one that will happen to mint the next block. This is a bottleneck, and it is the cause of the skyrocketing fees whenever the system sees any on-chain adoption.
But it’s actually worse than centralized — because we don’t know who will mint the next block, we have to send everything to everyone. Imagine if all BitTorrent nodes seeded every file in the world. Bitcoin failed as a peer to peer cash system because of this topology, and people in the group were telling Satoshi this back in the day.
> Even if it was a different server each time, it’s still an extremely centralized topology for that state transition.
That doesn't make the network centralized, since the server that acts as the centralized state transitioner will be randomly selected from a very large pool of servers with equal authority.
Innovations like Rollups and Sharding further extend the scalability that is achievable with Ethereum's Proof of Stake consensus protocol, mostly by debundling tasks to create modular components, so that the consensus layer has to handle far less load per transaction.
This person doesn’t have any idea how PoS works and all of the people upvoting it don’t either.
It’s very astonishing that the HN crowd still doesn’t understand blockchain after 13 years.
The article is complete nonsense because:
1. The author thinks that PoS is about having computing power. If someone thinks that, they seriously don’t know anything about PoS and haven’t done any research.
2. Proof of Work is 100x more centralized because 2 companies control the majority of mining equipment production and 4 companies control the hashpower, including all kinds of attack vectors, instead of the around 200 entities in PoS.
3. There are many attack vectors for the PoW model, of which many only require malicious behaviour of 1 person, be it the CEO of one of these companies or a disgruntled worker that is bribed with a couple of million dollars.
4. The cost of taking over consensus for a PoS network, such as Solana or Ethereum 2.0, requires billions or trillions of dollars worth of coins that then all would rank heavily in value.
That’s why PoS is around 1,000x -1,000,000x more secure than PoW depending on how big the market cap of the PoS network is.
Do people deploy PoS chain clients that are ok with blocks that totally ignore the historical leader schedule or use a leader schedule that could not have resulted from the distribution of stake in the network at the time? If not, how will the attacker who wants to swap out a single block a year later get all the other validators to sign a year worth of new blocks?
The most important part of this post doesn't even have anything to do with cryptocurrency:
> If the broad masses of people disagree with the platform landlord, their opinion will be altered to conform with the rules, or else they will no longer have a voice.
Something about means of production and who owns it. This is most obvious on social media. The people participating on the platform do not get to decide the rules for how it operates. Which is a little ironic given that most people on social media are ostensibly in favor of democracy.
It’s already fixed to some extent. On Reddit, you make a new subreddit of your own. On GitHub, you fork. The problem is that some projects are too big to effectively fork (or forking would over leverage the community) or people are lazy and don’t want to do the forking themselves despite accurately identifying the presence of a problem.
I genuinely don't understand the fear generated by the youtube-dl storm in a teacup. It's a great example of the system working: someone thought they had a DMCA case so they filed a takedown, the takedown temporarily removed the content, then after a review the content was put back up.
This is just evidence that this particular slope isn't as slippery as some thought.
The repo is back up, but the project is dead. I suspect the developers got nasty letters from lawyers behind the scenes. I believe yt-dlp is the future of this project, but it's presently lesser known than youtube-dl so the lawyers got what they wanted in the end.
Copyright should just be a contract between seller and buyer.
You promise not to redistribute this.
If you didn't buy something, you have no contract with the seller and you can be free to download whatever you want or build whatever software or service you want.
The onus of finding who is the buyer breaking the contract and dragging them to court is on the seller.
We shouldn't have things like DMCA which allow you to censor anything tangentially related or being able to scare people off, but that's what you get when you have a corrupted government that does the bidding of Big Business.
Similarly, patents shouldn't be a thing.
You came up with something, you already have first mover advantage.
If someone comes along and does the same thing better, too bad, they were better than you.
If you have a manufacturing secret, protect it with contracts and sue for damage if they get broken.
This is effectively saying we just shouldn't have copyright.
Person A buys a movie and agrees to not distribute it, but goes ahead and does it anyway to Person B. Person B hosts it for everyone, and Persons C through Z get it and also host it. You're suggesting Person A is liable, but the cat's out of the bag and Persons B through Z can continue redistributing it forever because they never agreed to anything.
If this is the desired goal, you don't need copyright at all, you can already get Person A on violating Terms of Service or whatever.
So you can sit around in your new subreddit with enough subscribers that you can count them on your fingers, posting freely, while /r/politics (or wherever) has a subscriber base measured in millions.
Reminds me a bit of the "free speech zones". It's a poor facsimile of true freedom of speech.
Seeing as the new public squares are, by and large, digital spaces controlled by megacorps, we need to expand the first amendment to apply to private enterprise.
Freedom of speech is not the same thing as requirement that others listen. If someone has no audience, with all the platforms that are available, it's not because they're being censored. It's because nobody cares what they have to say.
It's not that nobody wants to listen. There are plenty of people who want to listen, but the megacorps refuse to let the talkers and listeners connect.
This is not what is happening on these platforms. r/thedonald had millions of subscribers and not a single one was forced to listen. Then it was banned by reddit for thoughtcrime.
You could have brought up hard left subreddits getting banned too. Like Chapo. So it doesn’t seem like only the right is persecuted/appearing to continue the trope of how the right are such victims.
> So you can sit around in your new subreddit with enough subscribers that you can count them on your fingers, posting freely, while /r/politics (or wherever) has a subscriber base measured in millions.
And if by some chance your subreddit manages to become popular, the admins and power mods will conspire to take it from you. Reddit sucks.
There's something akin to a law of nature at work on Reddit that goes something like this: any sub-reddit (or its topic-at-hand) that garners any national attention in the political sphere will become an echo chamber full of corporate shills unless there is constant and public vigilance to guard against it, and even then the sub's chances of surviving to fulfill its original mission are grim. I f'ing hate what Reddit has become.
The first amendment of the US constitution does apply to private enterprise.
This is why Congress cannot make a law that limits private enterprises' editing of third party content on the platforms they own.
What you are arguing for requires either an amendment to the constitution or nationalization of those private enterprises.
Freedom of speech is exactly how you get r/politics, private propaganda syndicates, and qanonsense screaming loud enough that it drowns out everything else.
"More" of it isn't going to make any of those things go away.
"Freedom of speech" isn't a guarantee that your preferred brand of rational discourse is going to have an audience of millions. If anything, it's a guarantee that it won't, because someone with a self-serving profit motive is far more incentivized to shout over you.
Freedom of speech does not entitle you to broadcast to anyone else's audience.
> If you have a file on a computer, despite what NFT promoters believe, it is not possible to prevent people from copying it.
Not sure if these quips are meant to be jokes or serious, but nonsense like this detracts from the credibility of the argument. Nobody believes the data corresponding to an NFT cannot be copied.
Part of the problem of the NFT hype is that some people DO believe this to sure degree and believe that those redistributing the NFT content are somehow attacking the NFT itself.
My opinion on PoS is that because no other community that I know of outside of bitcoin has a culture of running nodes, normal people will just stake through exchanges. Now you have these exchanges acting not only as the in and out ramps but also as the biggest network validators, meaning that they can direct transactions. Congratulations. You’ve just gone full circle and invented central banks.
In a chain like Tezos, the validator software is relatively easy to run if you have a Raspberry Pi and some terminal chops, and a lot of hobbyists do stake this way.
But it’s easier for most people to delegate to another party. This is where decentralized staking pools for ETH2[1] built around smart contract interactions could be a good alternative for many users, and may compete with centralized staking platforms.
The mere fact that these peer-to-peer and decentralized alternatives exist, and that some portion of users will prefer to use them, is what makes this technology distinct.
> The mere fact that these peer-to-peer and decentralized alternatives exist, and that some portion of users will prefer to use them, is what makes this technology distinct.
I can imagine projects that can run on cheap hardware thriving, but what happens when you put the weight of exchanges like Coinbase and their users against the hobbyist node count?
This is already happening; centralized exchanges and staking pools like Kraken make up a high percentage of ETH2 validators (just as PoW seems to gravitate toward large mining pools).
Despite that, PoS has the benefit of offering decentralized staking pools like RocketPool, and the fact that they are growing may indicate that the chain will over time become more decentralized and less able to be centrally attacked[1]. The PoS mechanism itself is also perhaps more resilient to these kinds of attacks, see [2].
None of this mechanism is as simple as PoW (which has worked quite well for BTC and ETH so far), but the environmental cost makes it worth exploring an alternative mechanism.
Ethereum has over 260,000 validators right now [0], and you can run one on a Raspberry Pi. Some are on centralized exchanges but most are not.
Rocketpool [1] also recently launched, which is a decentralized service that makes it super easy to set up your own node, and more profitable than staking anywhere else.
My node is generating the normal staking rewards (~5.5%), plus another 12% bonus (from ETH from individuals being paired with my node), plus another 50% in RPL rewards. That 50% will surely drop, but it will always be better than just staking by itself.
RocketPool also allows individuals to stake as little as 0.01 ETH, the same as centralized exchanges, but it's decentralized, and they get rETH in return, which they can use in Decentralized Finance, giving them even better returns.
Put together Rocketpool gives better returns in a more decentralized way than any centralized exchange does, and unless you're really new and don't want to move off your exchange, it's a no brainer better alternative.
In practice PoS chains have hundreds of nodes or more. In Bitcoin, nodes can't stop a 51% attack and I don't know if the software would even alert you when a 51% attack is likely going on.
> In practice PoS chains have hundreds of nodes or more.
Is that supposed to be a lot? I look at the node requirements for these new chains and they mention monstrous amounts of cpu and storage power.
> In Bitcoin, nodes can't stop a 51% attack and I don't know if the software would even alert you when a 51% attack is likely going on.
My question was about regulated exchanges dominating a huge percentage of PoS validators. What are you going to do when, due to regulatory pressure, Coinbase and Binance start to implement blacklists and OFAC-based validators into those PoS chains?
If it’s a scam, the article could have presented a stronger case for it. The objection seems theoretical. If PoS is broken, I would expect to see a plausible attack spelled out.
My general observation is that blockchains are, at best, secure in the same way https is secure. Yes, I have a padlock icon on the browser address bar, and my connection is secure, there’s a security certificate, but the whole thing can still be a scam.
Who personally verifies every contract they use? Wallet implementation? Cold wallets are closed-source, trust-me devices, maybe with a security certificate from a centralised, government-linked security org.
The strongest link in any security chain is not irrelevant, but the whole system is really not perfectly trustless anyway.
The author's objection to proof-of-stake seems to be based entirely on some ostensibly-inherent vulnerability to the nothing-at-stake problem, but at least one consensus protocol¹ has had explicit mitigations against that vulnerability (and numerous others) for almost half a decade now, and I'd be very surprised if other protocols haven't adopted any mitigations at all.
This is a silly article. Only working in a weaker security model does not, a priori, mean that proof of stake is a scam; it just means you need to convince yourself that the weaker security model holds. You can read the post linked (https://blog.ethereum.org/2014/11/25/proof-stake-learned-lov...) and decide for yourself.
Personally, I think this kind of "quiescent" knowledge, letting you differentiate the real chain from the fake chain on long enough timescales (which basically amounts to knowledge of a single hash, when you get right down to it), is perfectly reasonable to assume under realistic circumstances, for the same reason that synchronized time is not a remotely difficult problem on long enough timespans. The only problem lies in new nodes (that enter the system when there's not a quiescent state, and the longer chain is being withheld) being exposed to fake chains.
By using a VDF as mentioned below to make sure it takes just as long to construct a new chain as it took to construct the old one, one can ensure that as long as at the time the stakers held their keys (rather than for all time) a majority were trustworthy, then the probability that they were able to maintain a longer chain becomes vanishingly small. Therefore, nodes will be able to reliably choose the longer chain on reconnecting to the system. This trust model seems pretty realistic to me, and it's not like Bitcoin can handle the case of a continuous partition to begin with.
So this just reduces to "once a majority is not trustworthy, the chain can't be trusted anymore" which is the actual security tradeoff of PoW vs. PoS (PoW puts trust in hashpower rather than staked coins, so by definition it's immune to this sort of issue; if your private key is stolen you "only" lose your coins, not any voting power). I don't think this is news to anyone who's done much research into cryptocurrency.
> Essentially, VDFs take a certain amount of steps to compute and cannot be parallelized. However, the correctness of their output can be verified efficiently.
this...sounds exactly like proof of work?
Indeed, you can probably fix plutocracy with some PoW.
It is not. At least, not in the usual environmentally destructive sense that people tend to mean by PoW. The idea behind VDFs is that they can only be computed in a single-threaded fashion, so you don't gain any benefit from computing them on giant server farms. This is the exact opposite of PoW which is designed to be computable massively in parallel. In this context, of course, not benefiting from giant server farms is good, because it means people won't wreck the environment to compute them.
The tradeoff is fundamental: because VDFs don't benefit from throwing computational resources at them, there is no disadvantage to computing a bunch of them in parallel. So if you had bad intentions from the get-go (and you had a majority of stake at the time), you could still secretly compute a fake bad chain starting at time t, and then release an alternative at time t+n that was as long or longer than the real chain; the security they provide is that if someone compromises your keys later (after you already lost your majority), they can't do this. Since in practice proof of stake chains start very centralized and then distribute over time, this is a useful practical thing to care about!
With PoW, on the other hand, computing a fake chain requires you to not use all your hashpower, which opens you up to economic attacks from someone else who is willing to use that hashpower. When someone uses more hashpower than you were, they'll be able to make a longer chain faster (before the difficulty readjusts again), so now all your secret chains have been made useless (and in cases of equal chain length, people tiebreak by hashpower, so you can't just maintain a little side network that eventually catches up when hashpower decreases, either). That's the theory, anyway: it's heavily based on economic incentives, so if some government decided that they didn't really care about the economics and just wanted to screw over chain users by pumping out hashpower, they could do so quite easily. Note that by contrast, proof of stake is not susceptible to this: you actually do have to compromise a majority of the active stakers no matter how much money you have.
Personally, I think this is a distinction without a difference because I don't think any cryptocurrency can stand up to sustained attacks by large nation-states (which is part of why I don't think it's very useful). But like I said, that's an assessment of the threat model, so it's subjective and up to you to decide.
> Indeed, you can probably fix plutocracy with some PoW.
Uh... great! Glad you agree that this is a solution?
Let's switch to this new "some PoW" system as soon as possible, because it uses less than a megawatt to calculate proofs. Total, for the entire network.
The more complex the math, the more opportunities to screw up, or should we say, optimizations.
VDFs are far too new, at best bleeding edge research, nobody is going to gamble serious money on the robustness of such new constructions.
You would need unanimous agreement from the entire cryptology field.
However, yes, there are some workshops on quantum and implications for mining, and some other fanciful stuff that are also just research at this point.
The current setup of PoW relies on rather well understood, battle hardened primitives, that have been in actual usage under adversarial conditions for decades.
Do you think any major central bank will hold any asset that's secured by a paper written last year?
> nobody is going to gamble serious money on the robustness of such new constructions
Thousands of buttcoiners would gamble their entire life savings on shitcoin, pisscoin, asscoin, PonziCoin, whatever. When there's enough of them, it gets big enough so institutional investors start gambling on that too. It really doesn't seem like "serious money" is spending anything on actual technological research; the management of big money is also often done by idiots who follow any kind of hype.
Great comment, let's do a TL;DR of the article:
- Clickbait title.
- Some of the claims can be debunked with a 2014 blog post.
- Tradeoffs pow/pos are known and accepted for a long time. Nothing new added except drama.
Tezos is Proof of stake, decentralized and clearly has consensus, the three things the author argues cannot occur in a proof of stake system.
I did not find this post convincing especially as many proof of stake systems have been running consistently for years now and with significant transaction and economic volume.
As an example Tezos has decentralized apps such as liquidity pools, collateral based stablecoin systems, nft ecosystems, coin bridges to other networks such as Ethereum (two way) I use these smart contracts on a weekly basis and have done for a long time now.
Tezos manages several orders of magnitude more transaction throughput based on opcode count vs Bitcoin; transactions, even complex ones, cost pennies; the network has not been attacked, is worth billions, and Tezos energy usage is easily a million times less than Bitcoin.
> the three things the author argues cannot occur in a proof of stake system.
The author appears to be saying that "any decentralized consensus via proof of stake system is vulnerable to timing attacks"
The counter-argument that "This here proof of stake system has not been successfully attacked ... that we know of ... yet" does not seem to be watertight.
Am I understanding this correctly; is the threat model that a block signer, some time later after liquidating their stake, can go and publish arbitrary versions of that older block?
Yes, but it is a little more than that: that future nodes will not be able to distinguish these two blocks without relying on some authoritative source for the canonical chain, thus introducing centralization to the game environment.
I was thinking deeply about the threat model in a PoS posed about coordinated pooling of resources to effectively mimic the size of a large institutional borrower with high collateral, i.e. proof of work in the present economic system (US Dollars gathered by him by providing real world value).
The main reason proof of work works so effectively is that it deals in physics with the actual expenditure of electricity as the punishment system for failing to produce the correct desired outcome.
Abstracting this away again, we have reality itself to contend with. Evolutionarily we have evolved in respect to the dominance hierarchy (https://youtu.be/rUiG5_GcMyY), where effort itself is a necessary precursor to ascending the ranks and being fit to lead.
Not to get too metaphysical, but essentially it boils down to:
- Social Status is based on real world implications and not self derived from the perceived ranking itself, that is if it is to be most stable across time. Being labeled the boss is essentially useless long term unless you truthfully represent the ideal or most capable individual. (Michael Scott from the television series The Office is a funny example of this)
- PoS offers reliability for the system based on its election of stake amount in the system that favors inventors, early adopters, and pre-ordained position holders where distribution was not derived from effort in the real world with non-reversible consequences (burning electricity)
- Instead the selection mechanism its own value structure which may or may not accurately assess competence for reliable trust in a domain where zero-trust is key to consensus.
- Outsourcing consensus to something mediated by the laws of physics is more stable across time, and is yet another abstraction upon competence taking it outside the realm of US Dollars for social proof, but also adding in the component of physical consequences towards the chain of proof.
I'm also thinking as I write this that it would be important to consider changes in the environment as useful to the selection pressures. Why purely basing it upon success (stake) at one point in time is non-useful as the rules of the game may change, or reputation lost or abused in a PoS system would not accurately reflect changes in the need for rotation of positions of voting authority.
This article completely misunderstands proof-of-stake and the distributed consensus space in general. Both proof-of-work and proof-of-stake are mechanisms for making distributed consensus sybil-resistant.
Distributed consensus is the problem of getting a bunch of computers to agree on some state when some of the computers can behave maliciously. In the case of cryptocurrency, the state is a log of transactions, which when replayed tells you who owns what. There are well-known algorithms for distributed consensus, such as Paxos and Raft, that are used in real-world applications, e.g., the Chubby lockservice.
Distributed consensus algorithms can be proven to reach consensus as long as at most a fixed percentage (e.g., 1/3) of the computers are behaving maliciously. This assumption is fine for applications like Chubby, where Google is running all 5 of the computers participating in the consensus, and no one can add additional computers. However, this assumption breaks down in the case of cryptocurrency, where anyone can spin up computers to participate. In fact, an adversary can effectively spin up an infinite number of computers. This form of attack is known as a sybil attack.
Proof-of-work and proof-of-stake add sybil-resistance to distributed consensus algorithms by requiring the adversary to commit a scarce resource in order to participate in the consensus process. In the case of proof-of-work, the scarce resource is computing power. For proof-of-stake, the resource is the currency secured by the system itself. This may seem a bit circular, but it's fine. In order to attack the system, the adversary would have to purchase or borrow a bunch of the currency on the open market, which has an economic cost. Proof-of-work permits the same attack, where the adversary buys or rents computing power instead.
From this perspective, the bitcoin consensus algorithm is in fact the odd one. Most distributed consensus algorithms (like Paxos and Raft) rely on some kind of voting system.
The main point the author is making is that PoS doesn’t require spending of any scarce resource on a per block level so the accuracy of the distributed clock is not to be trusted. I don't think they misunderstand their argument. You’re just not replying to it.
You spend "safety of your staked money while having staked a lot of money"; it's a scarce resource, as if you overspend it you lose your money. And the more money you have staked, the less interest you have in breaking the currency, as it makes you lose that money.
The article addresses that in the section starting:
>>Therefore, once they have withdrawn their deposits, they are untouchable. This is the “nothing at stake” problem. There will inevitably come a point when a node is free to liquidate their entire stake and cash out.
And later concludes that, in order to know which is the valid staking, you have to already have a decentralized mechanism for ordering transactions, which was the problem to begin with.
> To use an analogy, it is as if someone would sit down to design a building in the following way: first, they draw how they would like for the exterior to look. Then, they draw how they would like for the interior to look. They make basic measurements, to confirm that the interior does not exceed the exterior in terms of dimensions. They then suggest that the house is plausible, and send it off to the construction workers to build.
For what it’s worth, this is how plenty of buildings are designed. Ignoring silly things like the inside not fitting in the outside, an architect may design the building and hand it off to a technical architect who works out how to make it stand up and has some back and forth with the architect modifying the design. At a later stage it goes to a structural engineer who will make sure that it really is likely to stand.
Not really, it's unfair but not a scam. Can we talk about the actual scam known as layer 2 rollup chains? Optimism is completely centralized and even Vitalik is shilling it like a good thing. At least the PoS shill makes sense, it artificially benefits early adopters.
Developing PoS systems for 8 years, the research is completely dated on both old Bitcoin-like PoS and modern PoS.
That, and the author has a wrong understanding of the Nothing at Stake problem. At the time, the argument was there was nothing stopping someone from staking on multiple forks to hedge their bet on the dominant chain, giving them nothing at stake on the forked branches since they get equal ownership on each chain.
Mind you, Nakamoto consensus is pretty awful and completely ignored these days. Why do you believe that nodes flagged for support of protocols and miners with dominant hashrate LOST the big block debate? Because of the nodes, and community consensus.
Why the change in HN title? "Proof of stake is a scam and the people promoting it are scammers" is clickbait for sure, but it's the author's own title and it is the subject of the article.
I am a retired PoW miner and whereas on one hand I think proof of work is a revolutionary, life altering idea, on the other hand it is a self fulfilling apocalyptic premise with no endgame.
I think what rubs a lot of people wrong about PoS is that it puts a name behind the validator and people don't trust people. One may claim that all validations require some level of trust, but it's the same reason why people trust Google and not <person>'s link directory. And people have reasons to be suspicious because they know that when humans become actively malicious they find devilish ways to co-opt others, while algorithms can just fail.
It seems the author is confused about the meaning of the word "scam". PoS might not be as secure as PoW but that does not make the concept some sort of fraud.
This article is terrible and does not explain how proof of stake works, let alone how it's broken, but links to another (probably better) article on ethereum.org. Back to studying it for myself, then. I literally have a headache after reading the bitcoin analogy and trying to guess which parts of the analogy I will need to remember for later in the article (hint: none). It would have been simpler to just explain what a nonce and hash is.
In some systems I've seen, bad actors get slashed (lose stake). I like PoS but it gives too much power to centralized exchanges that hold a large % of stake...
proof of work proves that not just one miner had sufficient hash power, but that the entire network had a certain aggregate hash power that was required to mine the block.
can't this be emulated by requiring all major stakers to sign the block? (so rather than one miner staking being enough, all the aggregate staked was required to mine the block)
in any event i think the op is wrong in terms of the hard part of proof of stake, private mining attacks are solvable.
the stickier issues are around maintaining the decentralized nature of pow mining and the random and decentralized election of who mines the next block. under pow, everybody does their own thing and when someone finds a block they are able to publish it without direct collaboration with other miners. the fact that the miner is chosen at random gives rise to all sorts of anti-censorship and anti-collusional properties.
proof of stake will have to emulate this, and possibly make a few targeted and carefully chosen compromises in order to emulate the decentralized nature of pow mining. it's not obvious how this will play out, but i don't think it's impossible and efforts to do so certainly aren't a "scam."
Proof of work is good for jobs that require skill (science, technology, productivity, markets). It’s ok to have proof of stake (corporation shareholders) or proof of vote (communities, unions, families) for things that don’t require skill so much.
This article is complete BS. Proof of Stake is more secure than Proof of Work for a simple reason. The cost of doing a 51% attack (to stop the blockchain or to start censoring specific transactions) on a PoS blockchain is exponential, whereas the cost of doing such an attack on a PoW network is linear. This is because as an attacker acquires more tokens, the price of remaining tokens increases exponentially as the attacker approaches the 50% mark. If the network is well decentralized in terms of token ownership, it may not ever be possible for the attacker to acquire 50% of tokens; also, their incentive to continue with the attack decreases as their stake in the blockchain increases. Unlike with PoS which requires the attacker to keep buying more (limited-supply) tokens, with PoW, ASIC miners don't become more expensive as the attacker gets closer to having 51% of the hash power; this is because the market will produce more ASIC miners to compensate for any increase in demand. The global supply of ASIC miners has no upper bound.
The article is also misleading in inferring that there is a very narrow range of ways to implement PoS; in reality, there are many ways and all of the 'drawbacks' mentioned only apply to certain (poorly designed) implementations which no modern PoS blockchain would ever use.
> What happens if you’re presented with two identical blocks, and have to decide which one to pick?
Easy, you can just have a vote on one of the blocks and choose the one with the majority votes; it can be chosen on the basis of any attribute of the block (e.g. commonly you can look at block IDs). This is what PoS blockchains like COSMOS do with the Tendermint protocol. Other blockchains like Lisk have delayed voting so that consensus is reached after a certain number of blocks.
> The entire point of the consensus mechanism was to allow us to tell which transaction was first, without personally having seen it take place.
Anyone who understands distributed systems knows that the exact order of transactions (down to a few hundreds of millisecond) cannot be physically determined due to latency between the nodes and the unpredictable geography of participants. This is as true for PoW as it is for PoS. The most important thing (for certain use cases such as DeFi) is that transactions cannot be predictably front-run; using block ID ordering with voting as the basis for selecting between two valid blocks guarantees this. If the forger tried to cheat the system by producing multiple blocks, the network may not be able to reach consensus on the block vote and the forger would not receive any block rewards.
The merge was expedited over miner concerns, prioritizing it over sharding as originally planned, so it’s actually the opposite of what you are saying.
Sorry, I didn't mean to draw such a straight line between the two things. My point is just that it didn't happen last year, and even after being expedited, it won't happen this year either.
> If a node can present a lottery ticket of rarity one-in-a-million, the network can conclude the node did about a million lottery tickets’ worth of work, on average.
This is not true. You will have scratched far fewer tickets on average than one million.
If you have one million tickets, one of them guaranteed to be a winner, you will on average scratch exactly half of them (500,000) before finding the winning ticket. If you have an infinite supply of tickets, each with a 0.000001 chance of winning, the number becomes higher, but the number of tickets scratched on average is still lower than one million.
Finding an error regarding something I know makes me skeptical about the rest of the article.
Yeah, I think that's right. The hypothesis was that on average, one in a million cards is a hit. That implies that if you scratch a million cards, you have a 50:50 chance of a hit.
That the author got this basic thing wrong doesn't inspire much confidence in the rest of his reasoning.
Well, I guess in real life blockchains it’s like the latter case. You have a block and look for a nonce. There is an effectively infinite stream of nonces (“lottery tickets”). You have no guarantee that even one works, other than statistical hope. So then if probability of a match is 1 in X, you expect to have to do X attempts.
I have other issues with the article but this bit seems ok.
I'm not clear how "expected no. of attempts for X" is related to the probability of X. And I seem to be struggling to recall what little I used to know about probability.
I'd welcome a (link to a) clear unpacking of this scenario. I'm feeling rather stupid, as if I've had a stroke and lost a mental faculty. It seems to be a straightforward and obvious scenario, but I've lost confidence in my reasoning about it.
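As an added worked computation (not part of the thread) unpacking the two models the commenters above are comparing: a fixed pool of N tickets holding exactly one winner, versus an unbounded stream of independent tickets (PoW nonces) each winning with probability p. Both the exact expectations and a constructed Monte Carlo check are shown; the ticket counts and seeds are my own choices.

```python
"""Expected number of lottery tickets / nonces scratched before the first hit.

Two models from the thread:
  1. finite pool: N tickets, exactly one winner, scratched without replacement
  2. unbounded stream: each ticket independently wins with probability p
     (this is the PoW nonce search: attempts until the first hit are geometric)
"""
import math
import random
from fractions import Fraction


def expected_draws_finite_pool(n_tickets: int) -> Fraction:
    """Model 1. The winner sits at a uniformly random position 1..N,
    so the expected number of tickets scratched is (N + 1) / 2."""
    return Fraction(n_tickets + 1, 2)


def expected_attempts_geometric(p: Fraction) -> Fraction:
    """Model 2. Attempts until the first success of an independent
    Bernoulli(p) trial are geometric with mean 1 / p."""
    return 1 / p


def prob_at_least_one_hit(p: Fraction, attempts: int) -> float:
    """Model 2. P(at least one hit within `attempts` tries) = 1 - (1 - p)^attempts.
    For attempts = 1/p this is 1 - e^-1, about 0.632, not 0.5."""
    return 1.0 - (1.0 - float(p)) ** attempts


def median_attempts_geometric(p: Fraction) -> int:
    """Model 2. Smallest k with P(hit within k attempts) >= 1/2, i.e.
    ceil(ln 0.5 / ln(1 - p)); about 0.693 / p, which is why the 'typical'
    search is shorter than the mean of 1 / p."""
    return math.ceil(math.log(0.5) / math.log1p(-float(p)))


def simulate_finite_pool(n_tickets: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo for model 1: average position of the single winner."""
    rng = random.Random(seed)  # constructed, fixed seed for reproducibility
    total = 0
    for _ in range(trials):
        total += rng.randint(1, n_tickets)  # winner's position, uniform
    return total / trials


def simulate_geometric(p: float, trials: int, seed: int = 1) -> float:
    """Monte Carlo for model 2: average attempts until the first hit,
    scratching tickets one by one."""
    rng = random.Random(seed)  # constructed, fixed seed for reproducibility
    total = 0
    for _ in range(trials):
        attempts = 1
        while rng.random() >= p:
            attempts += 1
        total += attempts
    return total / trials


if __name__ == "__main__":
    one_in_a_million = Fraction(1, 10**6)
    print("finite pool of 1e6, mean draws:", expected_draws_finite_pool(10**6))
    print("unbounded stream, mean attempts:", expected_attempts_geometric(one_in_a_million))
    print("unbounded stream, median attempts:", median_attempts_geometric(one_in_a_million))
    print("P(hit within 1e6 attempts):", round(prob_at_least_one_hit(one_in_a_million, 10**6), 4))
    print("simulated finite pool:", simulate_finite_pool(10**6, 20_000))
    print("simulated geometric (p=1/100):", simulate_geometric(0.01, 20_000))
```

The mean for the unbounded model is exactly 1/p (one million attempts), while the median is about 0.69/p and the chance of a hit within a million attempts is about 63%.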
I'd expect we get more and more of these pieces as Ethereum gets closer to moving to proof of stake. The current estimate is that it'll transition 2022Q1
The author suggests proof of space as an interesting option but then deliberately avoids commenting on Chia’s implementation of proof of space time. Can someone explain that to me? Is it the pre-mine that drives people away? If so there is already a fork (Flax) with a much smaller pre-mine that is surely worthy of assessment and scrutiny at an algorithmic/system level... Or is the author simply acknowledging they aren't ready or qualified to comment on PoST versions of Nakamoto consensus?
The actual truth is that PoS is infinitely safer than PoW in the short to medium term, while theoretically weaker in the long term. A long-term attack would require first buying obsolete signing keys, which would stop nodes that sync starting from the pre-fork point from syncing, i.e. a denial of service attack. Which is a very weak threat, as online nodes wouldn't even notice it.
A short to medium term attack would stop finalization for a while at an enormous cost of slashing.
It's a denial of service attack because nodes would be able to see contradictory signing from the same keys, so while without out-of-band data they won't be able to decide which one is the commonly accepted chain, it's enough information to recognize that an attack is happening.
PoW is very weak in the short term to medium term because runtime cost of attack is equal to mining rewards + epsilon, which is negligible, meaning it's just a question of hardware. Contrary to PoS, mining hardware is an external resource - it's always possible to get enough of it, given enough money (single digit billions for bitcoin). Getting 2/3 stake of a long-running PoS system is impossible - it's a scarce internal resource and there isn't enough for sale.
Reverting years of blocks is indeed infeasible - but interestingly in practice it would also amount to a DoS attack, as everyone would notice it and pause all payments. Contrary to PoS, where it would only work on newly syncing nodes, it would stop everyone. However, while theoretically more expensive, it's still only a matter of money - while a long-run DoS attack against newly syncing nodes in PoS would require buying obsolete keys, which is very likely to be impossible in practice.
Is this even an advantage? I don't think so, but it's arguable. However, for this singular arguable point PoW pays with a 4 orders of magnitude higher cost and a much, much weaker short and medium term security.
Empirically, lower security of PoW is confirmed: multiple 51% attacks happened (most famously ETC), while even much weaker DPoS coins never had a successful double spend attempt.
In terms of public trust, not many people are able or even interested in technical arguments - they just observe if something works. In reality, consensus-level attacks are very rare as it's currently very hard to profit from them regardless of the consensus method, and the biggest danger is from software bugs in nodes, most likely unrelated to consensus.
If any PoW blockchain became a foundation of global commerce, attacking it would become very profitable, or even a military target - but that's never going to happen. So I don't expect bitcoin to get 51% attacked in any near future - at best years in the future when value of block rewards is so low one person with lots of old mining hardware can attack it just for fun.
It's actually suspected that happened during the blocksize wars when proponents of forks like Bitcoin Cash may have been spamming Bitcoin with transactions to feed their narrative that it is too expensive to use.
You'll eventually go bankrupt if you do this long enough.
This is actually another reason unlimited blocksizes that can allow for very low to no cost transactions are risky, and DDOS protection is likely why Satoshi added the 1MB limit in bitcoin to begin with.
Decred, which is a DAO focused on evolving with governance, had an interesting block reward split: 60% miners, 30% PoS (you get chosen randomly) and 10% treasury.
Seems miners have been driving the price down for years and a new proposal just was written to give them only 10%, and 80 to stakeholders.
Who is "they"? Why would they be scared of it? Did you buy more Ethereum after seeing this article? And if you did not see this article you would still be buying Ethereum, but "less", right?
“They” is Bitcoin holders, of which I will no longer be one by Dec. 1. Proof of work makes no sense anymore and proof of stake will take over with the launch of Ethereum 2.0 in 2022. I’m unbiased, this is just the market and math I see coming.
PoW only works for the biggest chains that use the specific heading Algo. Smaller PoW chains regularly experience re-orgs.
IMO PoW for the bigger chains produce far too much waste & none of the supposed PoS attacks have materialized even though hundreds of millions are up for grabs
Speaking of POS scammers, what ever happened to Richard "Dodge Dodge" Heart, winner of the "Golden Pump Award" for "Best New Scam" for his POS get-rich-quick pyramid scheme called "HEX", who falsely claims that proof of stake is a proven successful replacement for proof of work, and who shills HEX and tries to recruit unsuspecting developers and victims here on HN and many other places, by making illegal false claims of providing CDs (certificates of deposit)?
To be fair, I'd love to hear him chime in on this discussion, and tell his side of the story, relate his exploits and prosecution as a viagra spammer, and finally answer all those unanswered questions people have asked him, to which he replied "Dodge Dodge".
Not that he's unique or special: POS shills like him are a dime a dozen. But he hangs out here and shills on HN, and has won awards for his deceptive scams (and also lost court cases too), and claims to "help people" on his web site, so I hope to hear from him again.
His real name is actually Richard J Schueler, under which he is famously known as the "Spam King", for being one of the first people in the world to be successfully sued for online spam, specifically the Viagra spam scheme that he ran from Panama (which he lost).
Richard Hart (aka "Spam King" Richard J Schueler) wins the "Golden Pump Award" for "Best New Scam" for his POS shitcoin Ponzi scheme "HEX":
>Free-speech group Peacefire.org wins a legal round in its fight against unsolicited e-mail, invoking Washington state's anti-spam law.
>The King County District Court in Bellevue, Wash., on Monday granted Peacefire $1,000 in damages in each of three complaints filed by Peacefire Webmaster Bennett Haselton. The small-claims suit alleged that Red Moss Media, Paulann Allison and Richard Schueler [who now operates under the pseudonym "Richard Hart"] sent unsolicited commercial messages to Haselton that bore deceptive information such as a forged return e-mail address or misleading subject line.
Confronting Richard Heart of HEX - SPAM KING and Crypto Scammer
>During ANON Summit 2020, I participated in a “fireside chat” with Richard Heart, founder of HEX. HEX is one of the most sophisticated, if not THE most sophisticated scams I have ever seen.
>Why was I so aggressive with Richard? I have a lot of experience fighting with scammers, at events, and in online discussions. I’m familiar with their bullshit techniques. Richard is the sort of “master debater” who will answer a question without actually answering the content of the question. I watched more than 6 hours of his previous talks and learned how to tell when he was trying to avoid a real answer.
>If you don't want to sit through hours of interviews yourself, this 4 minute video not only sheds light on Heart's motivation for establishing HEX, but also shows just how abrasive and crude he can be. This video was not created or edited by Cointelligence.
>I want to draw your attention to the quote in the video above: "What am I going to make more money doing? Promoting my token, that I own a whole ton of? Or promoting bitcoin, where I own one-one zillionth of the available supply?" He's clearly in this to make money for himself in any way possible. [...]
>When asked why HEX was not categorized as a security, at around the 21 minute mark, Richard offered an explanation that has no legal grounding. On the website, HEX claims that it is "The first high interest blockchain certificate of deposit." However, HEX has no legal authority to issue CDs. Richard is illegally claiming to provide CDs when in fact the instruments are nothing but glorified savings accounts.
More quotes: "What's up now, fggot? What are you going to do now, you little btch? Get the fuck out of here! That's the dumbest piece of shit I've ever seen in my fucking life. [...] Let me give you some more bullshit, ok?" -Richard Heart aka Richard J Schueler
>During the interview at ANON, Richard confirmed that he was one of the first people in the world to be sued for online spam, back in 2002. This shows us Richard has experience abusing unregulated markets, as he is doing with crypto these days.
Richard: is this an accurate quote of your own words?
>When I pressed the matter and asked for a simple “yes” or “no” as to whether he, as the FOUNDER of HEX, knows who benefits from the funds sent to the “Origin Address” he flat-out said “I’m dodging your question.” Dodging the question! He proceeds to repeat “Dodge, dodge.”
Richard, your tag-line "Do you want to develop my new cryptocurrency?" is the new "Do you want to develop an app?"
Whether PoS will work, I don't know. But the author didn't realize that PoW is certainly doomed.
PoW miners tend to spend more and more resources on finding blocks, until the cost approaches the rewards. But the rewards go up as the cryptocurrency becomes more popular, because the price and transaction fees go up. Therefore, a PoW cryptocurrency tends to "eat the world" as it becomes bigger.
That's why Bitcoin is already approaching 1% of global electricity consumption, if it hasn't passed that point already. If the price were to go up tenfold, then so would electricity usage (roughly). That's not sustainable, both technically for grids and economically because electricity prices go up.
Because of that, I foresee two possible futures for PoW cryptocurrencies:
1. The resource usage overshoots and PoW collapses because it gets banned everywhere. (This seems to be playing out now with China having banned crypto mining, Kazakhstan running into grid issues because of the miner influx, and Sweden arguing for a ban in the EU.)
2. The popularity of these currencies stops growing and only some niche applications remain. Speculators leave because there's no more money to be made. Prices go down.
The bitcoin reward also halves every 4 years, so even if the price continues to appreciate, the effect is evened out by the fact that less is created every block over time.
Lastly, bitcoin mining could be sustained solely by using stranded energy, which would otherwise be unused. Flared gas in Texas, for instance, could provide more power than the network currently uses. There is no reason bitcoin mining has to take power from anyone, and it will trend this way over time because the economics are in favor of finding the cheapest power source.
> Flared gas in Texas, for instance, could provide more power than the network currently uses.
While the amount of gas that is flared off is immense (25-30% of the actual consumption of the US and Europe), the problem is that it is only flared off because there are no pipelines to transport the gas away and the amount that the small oil wells produce is too low to justify the cost.
If it were for me I'd force oil well operators to either build a small secondary pipeline for flare gas alongside oil pipelines or place a small power generator to contribute to the electric grid, but unfortunately "regulation" of any kind is seen as a bad thing in wide parts of the US.
>[...] and the amount that the small oil wells produce is too low to justify the cost.
>If it were for me I'd force oil well operators to [....]
Maybe it's too costly for a reason? Building power lines or pipelines to the middle of nowhere has economic and environmental costs as well, so top down legislation forcing every single well to do it might result in worse overall outcomes. For instance, the resources it takes to construct a pipeline/power line to the nearest town might be more than the electricity/methane that can be generated from the well.
> For instance, the resources it takes to construct a pipeline/power line to the nearest town might be more than the electricity/methane that can be generated from the well.
Well, there already is a pipeline for the oil product (so the additional overhead for a small gas pipe isn't that huge) and an electric grid hookup for the pump. That can be used even for a small-scale electrical generator.
>Well, there already is a pipeline for the oil product
not every oil well is hooked up to a pipeline. Some (many? most? not sure) are only serviced by trucks, presumably because they're too remote to profitably operate a pipeline for.
Yeah, but this exposes the issue with "bitcoin takes X percent of the energy production, therefore it's evil".
If you want you can build a generator near those wells. It's just cheaper to get the energy from somewhere else, because energy is fungible. A watt is not good or evil, it's the same as any other watt. Which means crypto energy consumption can be offset just like anything else, and is exactly as evil as any other convenience - driers, for instance, or flood lights, or inefficient heating, or anything else.
Focusing on crypto in particular says more about the author than anything else.
No, it's not. A watt in the middle of South Dakota, with no power lines in sight, is worth much less than a watt in southern California that is connected to the power grid.
>Lastly, bitcoin mining could be sustained solely by using stranded energy, which would otherwise be unused.
You can make that argument about any sort of waste of electricity, like blasting your A/C with the windows open. The problem is you can't guarantee that people are only using wasted energy. People don't mine Bitcoin to generously find a use for surplus energy. They do so for a profit. Also, people will require mining for Bitcoin transactions regardless of whether there happens to be surplus energy.
You cannot have PoW running on burning a free or cheap resource, the entire point of PoW is that the resource you are burning is costly, which pushes up the amount burned to close to the break-even point.
The amount of energy consumed now is not at its current level because of some fixed power requirement of the network. It’s there due to competition. If power was cheaper miners would run their ops using more power and the only thing that would change would be more energy would be wasted.
> ... stranded energy, which would otherwise be unused. Flared gas in Texas, for instance, could provide more power than the network currently uses.
I do like the idea of using energy that would have otherwise gone to waste. Or the concept of putting mining hardware in remote areas where there is energy to be tapped, but no customers for it. I wonder about all the steam that emits from a nuclear plant's cooling tower. It seems like such a waste to let all that energy just go up into the air.
One thing that troubles me is the various reports of theft associated with mining. I occasionally see various stories of energy and CPU-time theft. Plus there was that truck full of GPUs that was recently stolen.
I wonder what parallels could be drawn to the California gold rush. Theft was probably rampant then too.
3. Speculators move to yet another doge coin where the cost is still lower than the rewards.
Hasn't that happened already a number of times? If everyone was still aboard the Bitcoin bandwagon, it would have stopped being profitable long ago; however, you have plenty of other bandwagons to jump into. They are all technically and practically interchangeable.
I assume this is also the reason PoS will never work. People will just stay with PoW until really forced to, and if forced it's highly likely they will just jump into another PoW bandwagon. Guess this is part of the resistance seen with Ethereum. The alternative is to find a PoS scheme which is even more lucrative for speculators (possibly what the article is describing), and then everyone will jump into that bandwagon en masse, but it will not have fixed anything.
If Bitcoin dropped PoW and miners switched to other PoW cryptocurrencies, then that would be a huge reduction in power consumption worldwide because all the other PoW coins combined probably don't have the transactions Bitcoin does.
Additionally, the Lightning Network drastically cuts mining power consumption.
No they are not. For mining a block of BTC a miner gets a reward of 6.25 BTC. Transaction fees, by looking at the past few blocks, don't go much beyond 0.05 BTC. That is not even close.
> Bitcoin is already approaching 1% of global electricity consumption, if it hasn't passed that point already
And this is the reason why I cannot take any climate change conversation seriously unless it includes the topic of cryptocurrencies.
Whatever the promises of cryptocurrencies were, now most (all?) degenerated into a mechanism for speculation, and effectively into a self-sustaining and self-promoting mechanism for transferring wealth from the poor to the rich. And, unfortunately, with the side effect of consuming vast amounts of energy.
A rapidly-growing 1% problem, one that has the potential to nullify other costly gains. Such problems need to die young, before they grow into 5/10/50% problems.
No, like others have stated, the climate challenge is switching our entire energy production (plus other fossil fuel end-uses) to net-zero or net-negative emissions.
If Bitcoin disappeared tomorrow, it would give a small reduction in energy use, but at best it buys you 6 months extra to decarbonize electricity production.
Not to mention PoW mining is not location or resource specific. It encourages cheap and efficient use of energy. Miners prefer low-cost, surplus energy and will relocate wherever that may be. PoW can use nuclear, thermal, wind, solar and also dirty fuels, just like a Tesla. If you have an issue with the use of dirty fuels, then campaign against that specifically; throwing PoW under the bus entirely is short-sighted.
Also, what do BTC and crypto replace? The carbon footprint of traditional finance, banking and the military actions to preserve it are massive polluters. Even in its infancy, PoW crypto is already a good direction to improve sustainability.
While I think it's fair to properly account for the carbon footprint of traditional banking and state military infrastructure, it is an utter fantasy that crypto is in direct competition with them. Crypto has been steadily integrating with existing banking institutions and regulations over the last five years; and barring some kind of new free-market, secrets-based "killer drones as a service", no distributed hash table can supplant raw military hegemony (aka, the $5 wrench attack [0]).
I think crypto has a lot of socially useful potential, beyond mere speculative gambling and Austrian-school value storage, but that's in addition to the centuries of momentum in our real-world political economy; crypto-currencies are unlikely to replace that entirely, anymore than the internet replaced the New York Times.
Yes. Bitcoin is a mechanism for arbitraging the conversion of energy production directly into black-market money. As such, there is no other possible use for energy so well adapted to exploiting the most horrible, polluting, illegally-in-operation energy production facilities as they get phased out.
What you do is buy up the dirtiest plants, run them until they break, bribe or evade any authorities (if they even exist) who would stop you, and if the plant is being shut down because it's failing to comply with pollution regulation (again, if such even exists) that just puts it in a weaker negotiating position. As such they HAVE to deal with you at whatever price you're willing to pay because they can't go anywhere else because they have to run illegally. But they're powering bitcoin, so it stops mattering if they're running illegally, because bitcoin is the currency in which it doesn't matter if you're being paid for crimes, only that the coin exists.
I consider that powerful motivation to arbitrage the energy system and exploit cases where energy suppliers are running out of options because they are too dirty. And this can be happening anywhere. Climate's global. If all the dirtiest coal burners are huddled together on a secret island for warmth and to eke out the last pennies (of real money) they can earn, they'll do that for bitcoin if they can't operate any other way.
And it'll still matter. It'll just be happening in secret, because bitcoin don't care.
A single percentage problem today. In order to become a mainstream everyday currency, use of Bitcoin will have to increase by three, four, possibly five orders of magnitude.
False. It's not linear, it's not directly related, but it's certainly not unrelated. As reliance on a blockchain increases, as it becomes normalised in our daily lives, the number of entities motivated to be part of the blockchain increases. As the number of entities increases, the number of compute cycles per transaction increases.
He probably speculates, like the degenerate speculators, that it won't end up there.
Why push everyone around to consume differently while distributing vast amounts of tax money that immediately go into more wasteful crypto? It will not stay at 1%, and I agree with the OP that it's going to be difficult to reduce electricity wastage on one end while ignoring the elephant baby in the crib taking over the room.
I'm a random internet person in Hong Kong. I have a friend mining half his rent in a hotel room who decided that he doesn't need to pay rent the "normal way" anymore, he can just sleep next to a cluster of mining machines in a hotel room. Is he the stupid one, or am I, paying 3000 USD of my own money monthly ? I have another friend who lost half his saving in shitcoin speculation, I have colleagues who made a 10x profit this year, I mean it's all fucking around me and it's very hard to say it's just a 1% part of an important problem.
I feel sometimes it's going to become the main problem. I can't wait for a mega crash to calm down all this excess. I can't accept I'm the idiot working the traditional way to make traditional money paying for traditional things while the futuristic gamblers mine their hotel room fees on a bet I'm going to eventually be forced into using their tokens at whatever cost when it becomes legal tender, locking the future price into making them billionaires.
For your own sanity I suggest you stop taking the process of getting rich so seriously. It doesn't make sense, nor is the fact that it doesn't make sense a singularity in the grand scheme of time; it has been known since ancient days (I'm not religious, this is just evidence of its timelessness): "I returned, and saw under the sun, that the race is not to the swift, nor the battle to the strong, neither yet bread to the wise, nor yet riches to men of understanding, nor yet favour to men of skill; but time and chance happeneth to them all"
This is 100% correct.
Chance is such a significant factor in the outcomes we observe in our lives, yet the majority of us have been fooled into believing otherwise. Sometimes you just have to do what you feel is right _for you_, and hope for the best.
>I'm going to eventually be forced into using their tokens at whatever cost when it becomes legal tender,
I'm assuming the large nation states would attack these tokens before allowing this to happen and I don't think any token ecosystem could withstand a strong nation state attack
We have a test of that unfolding, with China. If bitcoin is more powerful than China's state power I'm prepared to believe it is more powerful than any nation-state. Don't know if it's going to work out quite that way though.
Not taking climate change conversations seriously because a topic that is barely 1%-2% of the total consumption is neglected? That sounds like a poor excuse.
> And this is the reason why I cannot take any climate change conversation seriously unless it includes the topic of cryptocurrencies.
Bitcoin's electricity use (or the electricity use of any other single application) is pretty much irrelevant when it comes to addressing climate change. Proof:
• Too much of what we do depends on electricity and has no even remotely feasible substitutes for it to be plausible to give up on electricity. In fact, switching more things to electricity, such as transportation and heating, is a large part of what we will have to do to address climate change.
• Therefore to address climate change we are going to have to switch to sources of electricity that are climate neutral, which cleans up Bitcoin (and all the other uses of electricity) from a climate standpoint.
EDIT: to clarify, of course Bitcoin's electricity use now has a climate impact. My point is that this will eventually be taken care of by the necessary switch to clean electricity for all our electricity production.
Until that happens we of course should be trying to clean up current electricity uses, but there are currently bigger fish to fry on that end than Bitcoin. To dismiss taking climate change plans seriously because most conversation is about things with bigger impact is not sensible.
If we take too long on the supply side and Bitcoin continues to grow it may move up the list to where it is one of those uses that we will need to address before we clean up the electricity supply.
Yes we need to clean up electricity production, but drawing on more electricity doesn’t make that better, it makes it worse. Case in point, there are coal and natural gas plants in Montana and the Finger Lakes that would have been shut down or downsized, but haven’t been due to bitcoin mining.
Um, the difficulty of switching to renewable energy is directly proportional to the amount of capacity you need to build. That we’ll eventually reach net zero carbon so emissions now don’t matter is a rather outrageous claim
- electricity is the only part where Bitcoin produces emissions (emissions of mining hardware)
- wasting climate neutral energy does not matter (it does: it's harder, takes more time and resources to switch to climate neutral sources; iirc studies estimate Germany needs to cut 50% of energy consumption to achieve 1.5° conformity)
Even if BTC and every other POW cryptocurrency converted this afternoon to 100% renewable energy use (and we ignore the carbon cost of manufacturing the hardware), it is STILL a huge climate problem.
Why?
1) Because that ~1% of total energy consumption is being squandered on maintaining the cryptocurrency instead of any other use. Thus, it prevents those clean energy sources from displacing CO2-generating sources which would otherwise be taken offline.
2) Even if the BTC energy is entirely derived from some power source that could not be used by others, perhaps all geothermal generation on a remote volcanic island, it will still add net heat to the atmospheric system. And, of course, we still have the energy use and CO2 spewage of fabricating and moving the mining equipment into location.
So, no, this problem is NOT taking care of itself.
A while ago, I asked folks if PoW happened entirely off-Earth using the Sun. Predictably, that was still a problem to some people which, to me, says everything.
"folks" is not me, that is certainly not the point I was making, and your "predictability" indicates that your comment is no less based on fact-free as those you criticize.
Obviously, if the mining is done off-earth anywhere, it will not contribute to the CO2 problem, =ASSUMING= that it does not require on-earth energy resources to put the power generation there.
Crypto mining also stops being a problem when 100% of on-Earth power generation is de-carbonized — in that situation, it is no longer diverting energy generation that could be used to displace/reduce remaining CO2-spewing energy generation.
The problem is:
While CO2 power generation is still active, and especially when it dominates, every kW of electricity used for crypto mining either directly generates CO2, or it uses clean generation that could otherwise (but now does NOT) displace a kW of CO2-based generation capacity.
OK, “Crypto is bad until the entire grid is decarbonized” is a reasonable position. It’s not airtight: there are a number of grids and they aren’t all interconnected, but at least it’s on the right track.
Yes, I agree, and was thinking something like that after I wrote - the range is not actually global, but basically grid-scale.
For example, if the Texas grid became ~100% wind and other clean-source-powered, then BTC mining in that grid would not in any practical sense consume clean power that could otherwise displace dirty power. The 100kW you use to feed your miners could in theory be used to reduce production from a nearby coal plant in Oklahoma, but in practice, since the grids are not connected, they aren't, so that is probably the right scale.
That said, if it gets big and the miners are consuming enough production of solar panels and wind turbines to slow clean energy buildout on other grids, that's the second order of the same problem.
So, maybe everyone with crypto should, instead of convening to buy the constitution or a basketball team, go fund the takeover and conversion of an entire grid to clean energy, and build all the miners there.
> So, maybe everyone with crypto should, instead of convening to buy the constitution or a basketball team, go fund the takeover and conversion of an entire grid to clean energy, and build all the miners there.
Agreed.
> That said, if it gets big and the miners are consuming enough production of solar panels and wind turbines to slow clean energy buildout on other grids, that's the second order of the same problem.
True, but even that's not zero-sum: demand drives investment in production which increases supply leading to commoditization. Commoditization, in turn, makes the solution (solar, wind components) more accessible to a broader range of the economy.
GPUs for machine learning wouldn't be where they are today if it wasn't for gamers creating a demand floor that subsidized the research into better hardware.
You’ve created an impossible straw man: crypto is only running on renewables and the rest of the world isn’t because crypto hogs it all. That’s just not ever going to be reality.
It's important to remember that the direction of the causal link is from the value of each satoshi to the cost of electricity use by miners, not the other way around. People value sats, for whatever their reasons. Because they value sats, the mining costs can be financed. If people had no reason to value sats, there would be no mining. The best way to undermine Bitcoin energy use, would be to talk to your local central bank.
The mining is a kind of ratchet. Not really, but psychologically, which is enough. As speculation goes up, people add more mining equipment, which “props up” the price.
I don't think the author was arguing that PoW is perfect, only that PoS doesn't even solve some of the problems PoW does and is therefore even less viable as a currency.
It’s a system with feedback loops, it’ll eventually level out at some equilibrium. You didn’t provide an actual argument for why it should definitely collapse.
The existence of feedback loops very much doesn't imply a stable equilibrium. Actually, any system that is not overdamped will necessarily not reach an equilibrium.
Or maybe the equilibrium is that no country bans it, and PoW currencies don't die on their own due to lack of financial rewards, and PoW artificially inflates the demand and therefore price of energy, leading first to widespread economic issues, then widespread ecological issues, until there is no one left buy pizza from with your BTC. Very compelling equilibrium.
point is that it's not a closed system that just blows up at some point. as long as there are people interested in keeping bitcoin running - it will keep running. for now economic incentives are enough, and it'll probably be enough forever, worst case - ideological incentives will do it.
Is there any forecast of where the equilibrium happen? Say, if you're in a 1000-people closed society where cryptocurrency is the only thing used to buy stuff, what's the economic calculation for the long-term energy consumption? Seems like there should be papers about that...
Good question. Some function of how much PoW each person can deploy in order to attack the chain and how much value is secured by the chain. It’s like a relation between price of a bike and price of a lock to secure the bike.
I think you're right. I phrased my argument like all PoW must necessarily collapse once they get too popular, and that may not be true exactly.
E.g. if Bitcoin had no block rewards, then the income from transaction fees alone might provide a more reasonable ceiling for miner activity. Users will only pay fees that make sense vs the utility they get.
However, for Bitcoin that's not the case right now. The combination of high price and block rewards provide an enormous subsidy for miner activity. (Some back of the envelope numbers elsewhere in this thread[1].)
And if Bitcoin gets banned, all PoW will likely get banned, so it doesn't matter if other PoW systems can behave better.
Interestingly enough, as the ledgers are all public by nature, there would be nothing stopping states from forking blockchains into centralized solutions, outcompeting miners by reducing transaction costs to zero. Crypto-anarchists would lose their minds, but most consumers would probably pick whatever's cheapest and which "just works".
Don't get me wrong, I love the politics of decentralization. But it's worth remembering that decentralization tends to be a cost-center, not a profit-center, from the standpoint of efficiency and performance; and decentralized tech is no guarantee of decentralized results (see Amazon/Facebook/Google, who have quasi-monopolies in their niches, despite being delivered over open and federated web protocols).
3. cryptocurrencies stop the Austrian economics fetishism and index the coin reward to the mining difficulty. That means getting rid of the fixed coin supply.
That would stabilize the price of the token a lot (since price going up would increase the mining appeal, thus expanding the money supply, driving the price down) and also make it much more usable as a mean of payment (the number of token in circulation would grow in parallel with the growth in users).
Obviously it's not gonna happen, because those people have spent a decade convincing themselves that deflation is good and fixed money supply is the righteous way to manage a currency.
The difficulty is where the security comes from. Bitcoin's goal is to have the highest possible prices and difficulty so that nation-states and alien civilizations can't hack it. It's very easy to have a cheap low-difficulty coin. Equally worthless too. You need to understand that proof-of-work is actually proof-of-waste - the waste, the difficulty, the cost, is the security.
You've misunderstood my point: I'm not talking about reducing the difficulty, I'm talking about (sub-linearly) increasing the mining reward as the difficulty grow.
Also, the difficulty scaling is important even if you don't take security into account: if you don't raise it, then the block mining frequency rises progressively, and then you end up with more and more orphaned blocks, until you end up with parallel chains that don't really converge to a single coherent one.
I see what you mean now. Interesting thought to peg inflation to difficulty. I think the main issue is that Bitcoin is not, and will not be, a means of payment. So price stability doesn't matter much. The nature of the system favors few, large transactions. The small-block size crystalized that. Bitcoin is truly suited as a clearing layer. Eventually it will process just the largest most expensive transactions in the world. Which is good since that's the only way miners will get paid and the high transaction costs will ensure continued security.
The focus on fixed money supply seems a little absurd to me anyway, given the triviality of creating new crypto-currencies, and the relatively low transaction costs of trading between them.
Imagine making a case for returning to the gold standard, when thousands of other choices for new precious metals, all with the same performance characteristics, were literally just lying around, and a network of drones would let you swap perfectly and instantly between those metals for pennies!
In that light, one can certainly understand the fervent contempt that Bitcoin maximalists hold for "shitcoins"; but a free-banking market cuts both ways. Barring a state blessing one chain and outlawing the rest, creating new cryptos and swapping between them won't go away. The proper way to measure the emergent "monetary policy" of crypto-currency is of the sum of all chains, not of Bitcoin itself.
Indeed. And I personally love to remind the fans of bitcoin's limited supply that with the different forks the bitcoin faced during its life, the bitcoin money supply grew a lot more than it was supposed to, without causing any price collapse.
> PoW miners tend to spend more and more resources on finding blocks, until the cost approaches the rewards. But the rewards go up as the cryptocurrency becomes more popular, because the price and transaction fees go up. Therefore, a PoW cryptocurrency tends to "eat the world" as it becomes bigger.
It’s actually the opposite since the block reward goes down over time
> It’s actually the opposite since the block reward goes down over time
It is true that 10 years ago block rewards were almost 10x what they are today in terms of BTC, but by USD value new rewards are worth several orders of magnitude more today.
> It’s actually the opposite since the block reward goes down over time
See history of block reward in dollars[1]. This is the miners' collective budget to find blocks.
It's about 350K USD per 10 minutes now, or 2.1M USD/hour. Pick an industrial electricity price, say 0.05 USD/kWh. That budget will then buy 42 GWh/hour, or 42 gigawatt of power continuously (roughly 2% of global power consumption). Of course, miners have other costs, and their growth is lagging this ceiling. But it gives you an idea.
That's why I think we're heading for overshoot, and future block reward halvings will come too late.
I generally like to think about this from opposite direction: miners and bitcoin investors are incentivised for bitcoin to be used and for the price to go up.
Why miners? Because their main source of income is not the transaction fee, but basecoin, the guaranteed bitcoin payout for each mined block.
Due to Bitcoin being such a huge amount of money, unethical players do anything to lure people in, including MLM-style marketing, artificially inflating volume traded, and overplaying coin stats (like market cap). Then there's also media / influencers who, without second thought, introduce inexperienced people to investing in high-volatility assets.
It's interesting how this mechanism, purportedly for grown-ass adults, is a loot box mechanic.
Pump more energy in! Because you haven't hit a coin yet. And it is getting forever more unlikely that you will… but at the same time, the payoff is even greater than it was last week! Maybe you won't even hit a coin. Your operation is not big enough. But if you do…! So, MOAR…
Loot box mechanic. Turns out it is not just for manipulating children.
The assumption that a 10x increase in price results in a 10x increase in electricity usage is incorrect. There is some correlation but it is definitely not 1:1 as insinuated.
>1. The resource usage overshoots and PoW collapses because it gets banned everywhere.
Bitcoin difficulty adjusts dynamically with available hashpower; in other words, if miners started to shut down, the network would lower its difficulty to keep block times stable.
The chain will not collapse because someone somewhere will always keep it going.
As does the energy use by miners. So, energy use reacts to price, and then difficulty reacts to energy use. That's OP's point.
> if miners started to shut down...
Actually, that would be _very_ interesting. Then you'd have millions of dollars of hardware doing nothing. And doing nothing is losing money. Maybe at that point attacking the network is more profitable than watching your hardware depreciate.
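The retarget rule the two comments above lean on, as an added Python example (not code from this thread, and not Bitcoin Core's implementation): a mean-value simulation of Bitcoin-style difficulty adjustment after a sudden hashrate drop. The window length (2016 blocks), the 600 s target and the 4x per-window clamp are Bitcoin's real parameters; the hashrate figures fed in are constructed inputs, and block times are taken at their expected value rather than drawn at random, so the numbers are reproducible. It shows that "difficulty adjusts" is true but slow: with a large enough drop the network sits on long block times for months before the clamp lets difficulty catch up, which is exactly the period in which idle, depreciating hardware becomes interesting to an attacker.

```python
# Added example: mean-value model of Bitcoin-style difficulty retargeting.
# The four parameters are Bitcoin's; the hashrates passed to simulate() are constructed.
RETARGET_INTERVAL = 2016                                   # blocks per adjustment window
TARGET_BLOCK_TIME = 600                                    # seconds
EXPECTED_TIMESPAN = RETARGET_INTERVAL * TARGET_BLOCK_TIME  # 1,209,600 s (two weeks)
MAX_ADJUST = 4                                             # per-window clamp on the factor


def retarget(difficulty, actual_timespan):
    """New difficulty after a window that took `actual_timespan` seconds.

    Bitcoin scales the target by actual/expected, clamped to [1/4, 4];
    difficulty is the inverse of the target, so it scales by expected/actual.
    """
    lo, hi = EXPECTED_TIMESPAN / MAX_ADJUST, EXPECTED_TIMESPAN * MAX_ADJUST
    clamped = min(max(actual_timespan, lo), hi)
    return difficulty * EXPECTED_TIMESPAN / clamped


def expected_block_time(difficulty, hashrate):
    """Mean seconds per block: roughly difficulty * 2**32 hashes are needed."""
    return difficulty * 2 ** 32 / hashrate


def simulate(initial_hashrate, shocked_hashrate, shock_height, n_windows):
    """Run `n_windows` retarget windows; hashrate switches to `shocked_hashrate`
    from block `shock_height` on. Returns one dict per window: the difficulty
    it started at, how long it took, and the block time the retarget at its
    end produces. Deterministic: uses mean block times, no randomness."""
    difficulty = initial_hashrate * TARGET_BLOCK_TIME / 2 ** 32  # calibrated to 600 s
    height = 0
    windows = []
    for _ in range(n_windows):
        start_difficulty = difficulty
        elapsed = 0.0
        for _ in range(RETARGET_INTERVAL):
            hashrate = shocked_hashrate if height >= shock_height else initial_hashrate
            elapsed += expected_block_time(difficulty, hashrate)
            height += 1
        difficulty = retarget(difficulty, elapsed)
        windows.append({
            "start_difficulty": start_difficulty,
            "duration_s": elapsed,
            "duration_days": elapsed / 86400,
            "block_time_after_retarget": expected_block_time(difficulty, hashrate),
        })
    return windows


if __name__ == "__main__":
    # Constructed scenario: 100 EH/s network loses half, then 90%, of its hashrate at block 0.
    for drop in (0.5, 0.1):
        print(f"hashrate falls to {drop:.0%} at block 0:")
        for i, w in enumerate(simulate(1e20, 1e20 * drop, 0, 3)):
            print(f"  window {i}: took {w['duration_days']:.1f} days, "
                  f"block time afterwards {w['block_time_after_retarget']:.0f} s")
```

With a 50% drop the first window stretches to 28 days and one retarget restores 600 s blocks. With a 90% drop the first window takes about 140 days, the clamp only cuts difficulty by 4x (block times go from 6000 s to 1500 s), and a second 35-day window is needed before block times are back to normal; throughout that time the chain is secured by a tenth of the hardware that was built to attack it.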
>PoW miners tend to spend more and more resources on finding blocks, until the cost approaches the rewards. But the rewards go up as the cryptocurrency becomes more popular, because the price and transaction fees go up. Therefore, a PoW cryptocurrency tends to "eat the world" as it becomes bigger.
Are Google and Facebook eating the world? They are processing petabytes of data on daily basis and every year there is more data and information being shared on the internet. Moore's law is our friend because as long we have better chips more data can be processed and analyzed.
Bitcoin's PoW is based on economy and game theory meaning if people do not find Bitcoin useful they will stop processing transactions or in reality they will stop investing and spending computation power and electricity.
What you're saying is tautological in a sense that for it to be true, you need to postulate that every human activity is also based on economy and game theory (otherwise, why would people behave as you say they would behave). So your argument essentially is that governments banning bitcoin is also based on economy and game theory. Which is fine by me.
I'm saying that market needs to decide whether Bitcoin is toxic commodity or not and what I mean by not is Bitcoin being useful like oil and gas are or any other commodity.
And yes majority of people behave according to game theory because if they do not then they lose or in extreme cases die.
Read again what I wrote >majority of people behave according to game theory because if they do not then they lose or in extreme cases die.
Majority of people are not addicts but those who are lose or in extreme cases die like for example alcohol addicts, drug addicts even casino gambling addicts who tend to suicide when losses amass and loans come due.
All of this makes sense if you assume people won’t build new power plants for bitcoin. But they already are. They are renewable plants because these are now much cheaper. Bitcoin acts as a subsidy for the construction of new green power plants.
It is not about spent electricity bills, it is about spent time. This is the problem that needs to be solved: how can you make the work more time-consuming without being able to get around it with more of what computing runs on here, electric power.
>A report from the security intelligence group RedLock found at least two companies which had their AWS cloud services compromised by hackers who wanted nothing more than to use the computer power to mine the cryptocurrency bitcoin. The hackers ultimately got access to Amazon's cloud servers after discovering that their administration consoles weren't password protected.
This is silly, computer time certainly isn't free and almost anything scaled up on a cloud service can become very expensive within minutes. Just go look at the poor developers that make 1 mistake in their Lambda code and get charged $80,000.
That’s the idea in Proof of time and space used by chia.net
You probably haven’t heard of this coin/network (invented by the inventor of bittorrent) b/c it doesn’t aim to be a speculative asset, but it does have a very sane programming model (in lisp)
Why is nobody talking about XCH (or XFX if you don’t like the size of the pre-mine)? It will have similar issues as PoW in the long long run (at a fraction of the cost), but it’s a clear iteration on the energy consumption issue of PoW chains that doesn’t concede the entire consensus idea is broken and advocate for switching to an oligarchy.
You haven't explained how mining hashrate causes popularity of the underlying cryptocurrency.
The cause and effect is the other way around. Popularity of the cryptocurrency causes popularity of mining (the price goes up so mining is more profitable and more mining can happen).
PoW generates heat, which is not waste, if it is utilized. The endgame of Bitcoin mining is that every bit of heat is utilized, because that's the only way mining will be profitable. Running these miners is profitable even without block rewards (heat alone is sold at a profit).
You didn't take into account, that:
- Bitcoin price growth won't continue forever; it'll find a stable price
- Mining rewards halve every 4 years
Therefore, it seems that the heat demand of humans can run the Bitcoin network securely, even without block rewards. It won't "eat the world", but find a beautiful balance.
> PoW generates heat, which is not waste, if it is utilized.
There are far more energy-efficient ways of generating that heat than PoW. This is an (extremely) flawed argument.
PoW is roughly akin to resistive heating. Heat pumps are about three times as energy-efficient as resistive heating. This does not even begin to take into account that there is no practical way to transfer the heat generated in massive server farm installations to where it would actually be useful without incurring massive losses.
There's also the need to heat water, and that requires resistive heaters. Also, heat pumps don't really work in colder climates as the only heat source. Resistive heating is the most common way to heat spaces with electricity.
> There's also the need to heat water, and that requires resistive heaters.
In terms of a kettle or cooking you're right, but you also can't cook/boil using mining hardware as they're heat limited to ~100C. For hot water heat pumps work great.
> Also, heat pumps don't really work in colder climates as the only heat source.
Ground source heat pumps work just fine in cold climates and have been rapidly getting cheaper.
You would think then that large bitcoin miners would already be doing this. Maybe installing their miners in large office buildings in cold climates. In theory they could eliminate their cost of electricity and outcompete other miners. Why isn't this happening?
There was a startup on here a year or so ago with this idea. They built self-contained cabinets and put them in people's houses as heaters. Wonder how they're doing. Sounds like an ops nightmare.
Yes, that's what's been happening for the longest time. But it doesn't scale endlessly because of real world practical scarcities like affordable electricity and enough affordable silicon to mine on.
Which then results in situations like miners buying up the majority of new GPU releases, leading to shortages for any other users, and still not having enough to keep up with the difficulty increases.
PoW is the optimal strategy for searching physics for the most effective means of transforming energy to electricity. There’s zero waste in this search — it directly converts electricity into money driving pure demand for more electricity which motivates the search for more efficient generation. It’s more efficient than Aluminum production in this regard— the economy can only absorb a certain amount of Aluminum.
A carbon tax would effectively and immediately steer this search away from using fossil fuels for generation.
People who clutch their pearls over PoW are unwitting Malthusians lacking an appreciation for E=mc^2.
Using the same environmental concern logic, the carbon footprint of traditional banking, which still hauls around, protects, and produces real currency, plastic cards, and financing for every other destructive activity… rather dwarfs Bitcoin.
Where are all your posts pointedly taking apart the system you are surely heavily invested in?
You’re part of the problem by being part of human society. Collective economic inaction must be part of the solution.
Producing less superfluous junk at scale must be part of the solution. That means our individual narratives around value stores must change; traditional banking scales even worse than Bitcoin.
Electricity will not be a problem for the world in the next 30 years...
1. We will all move to renewable or nuclear
2. Bitcoin will decentralize more as the miners will move where electricity is cheaper and thus will cover the geography of the whole world: hydro, thermal, solar, wind etc.
3. Bitcoin can be the main chain and all side chains can roll up and commit.
4. BTC use will be huge and there will be no dearth of transaction fees.
Companies are holding BTC instead of treasuries, nations are issuing Bitcoin bonds, millions of people are buying in as governments print themselves into sinkholes..
Where is the use case?
Bitcoin already proved its use case years ago, it already won. The only question now is how far can it go.
A positive side effect of your (1.) scenario is that it results in a surplus of renewable energy (mining needs the cheapest energy and renewable energy is generally the cheapest). Having a surplus of cheap green energy is probably good for the economy, though a lot more than 1% would probably be needed to see significant benefits.
A positive side effect of hitting your hand with a hammer is a surplus of morphine your doctor prescribes to make you stop feeling it, and a surplus of lithium your psychiatrist prescribes to make you stop doing it.
And no, renewable energy isn't generally the cheapest, coal is. (Until you factor in the health care and funeral service costs.)
Bitcoin is just China's way of exporting coal through the atmosphere.
It may be the case that coal is cheaper if you ignore the capital cost of the plant (e.g. running an old plant beyond its design life) but including capital costs amortised over the lifetime of the plant coal is not even cheaper than natural gas.
My understanding is that a major source of electricity used for bitcoin mining in China was hydro power during the wet season (when there is a natural power surplus because the level in the dam must be reduced).
Illegal coal is. Because if your plant has been shut down for being too dirty, you have no other option but to continue to operate illegally or just straight up die, and bitcoin is by FAR the best option for consuming that illegal-dirty-plant energy.
The reason it's the cheapest is that you're negotiating with somebody who is desperate and has no options left. They have to sell the energy to you for bitcoin production because there's literally nowhere else they can turn.
The more green energy proliferates and climate change action expands, the more of these plants will be reduced to this desperation. The worst energy production is the cheapest, so long as it's been outlawed and the plant has no other options.
As if that's insightful. But in the spirit of HN, can you say more? My understanding is that renewables are the cheapest and will likely continue to trend in that direction, causation or not. So are you suggesting maybe there's a chance of a super inexpensive non-renewable overtaking this trend?
I was responding to someone's argument along the lines of mining needs energy, the cheapest energy is renewable, therefore mining would drive an increase in the supply of renewable energy, and a forthcoming decline of mining would free up a supply of renewable energy.
I broke this chain of logic by pointing out that renewable is an unnecessary consideration and that mining activities will choose the cheapest option regardless of its renewability.
Furthermore I claim that renewable is not the cheapest. Various subsidies aside, renewable is often many times more expensive to deliver where and when required. The total system cost is many times higher.
I’m really struggling to understand what you’ve written. I certainly don’t feel like my “chain of logic” has been broken. Maybe I just don’t understand your argument. Or maybe I’m just being stupid.
To be clear, I think:
- having surplus (or cheaper) energy is good
- generating relatively more energy through renewable resources is good
- renewable energy is cheaper and so lower energy prices promote renewable energy more (but also reduce the supply in general)
- Current bitcoin mining increases demand and therefore generation and, to some extent, prices while supply catches up
- a drop in bitcoin mining would lead to a surplus of (renewable) energy which I think would be good
Can you help me find what the source of confusion is?
Right. The point is that you get renewable energy which is desirable rather than non-renewable energy. If the latter were cheaper the situation would be less appealing.
I feel like we’re talking past each other. I’m not saying we should want bitcoin wasting a bunch of power. I’m saying there could be positive outcomes to that power suddenly becoming available.
Or we could just have a surplus of green energy for everything else we need. And how can we even have a surplus of green energy when we're probably at a 90% of world energy production deficit?
Scenario 1 involves POWcoiners wasting a lot of energy for several years generating tokens which end up being worthless, keeping coal plants which could otherwise have been decommissioned open for longer to service the resulting higher energy demand, and then when the mining stops and the coal plants can finally be shut down, telling the rest of the world it's only thanks to their energy usage over the last few years that we've been investing in renewables for the last few decades.
It's like claiming that if I steal a percentage of your paycheck for a few years and until the government stops me, leaving you with more disposable income than when I was stealing it, I've actually helped you by encouraging you to work really hard.
The majority of the article frames distributed consensus mechanisms in an extremely sophomoric understanding of asset value and the PoW security model. All of these topics (including valid ETH criticisms) are discussed in much better ways in many other places.
"The majority of the article frames distributed consensus mechanisms in an extremely sophomoric understanding of asset value and the PoW security model"
This is one of those sentences that reads like it is saying a lot but might actually be nonsensical. Care to elaborate on this? i.e. how exactly does the article 'frame distributed consensus mechanisms in an understanding of asset value'?
I read the article and I didn't see anything about asset value (whatever that is). As far as I can tell they point out that the article you cited pretty much agrees with what they're saying (about PoS by itself not being self-certifiable or irreversible) but disagree with the position that this can be acceptable in the real world. Whether you agree with that is subjective but the main criticism in the article seems to be directed at those who are selling PoS as a sufficient distributed consensus algorithm to replace PoW. There are blockchain projects raising literally billions of dollars on this false guarantee so it is valid to criticize them.
I don't particularly care to rebut the author point by point, but "asset valuation" is an extremely common term that anybody discussing the properties of a novel currency should understand: https://www.investopedia.com/terms/a/assetvaluation.asp
In relation to that I was specifically referring to the misunderstandings present in "Nothing at stake".
You say:
"There are blockchain projects raising literally Billions of dollars on this false guarantee so it is valid to criticize them."
Are you not presupposing the correctness of the author's argument by calling it false? Have you already made up your mind?
Thanks for that link, it has been a few years since I've read it.
I spent a lot of time talking about this topic with people. The article does have a point, that the security model of proof of stake is fundamentally different and relies on a key assumption (from the article you linked):
> any new node coming onto the network with no knowledge except... the set of all blocks and other "important" messages that have been published...
This is referenced in the OP as a point of security failure. The assumption is that we can rely on social interactions between nodes and that that is good enough. The criticism is that a new node can have no way of definitively knowing that their copy of the chain is the widely used canonical chain. An eclipse attack can occur, or as the OP stated new nodes may need to rely on authoritative sources to get current state which puts centralized power centers in the security model.
It is not a deal breaker (IMO), remember, PoW relies on the security assumption that it is prohibitively difficult for more than half the network to collude. I'd argue these assumptions are equally tenuous. I think as long as disparate, non colluding sources of the canonical chain are available (arguable if this is foregone, seeing as we need PoW to ensure consensus and resistance to collusion, probably not, but all it takes is one person to not collude and contention exists) it wouldn't be a problem.
Another big sticking point is the fact that no external resources must be invested, and/or that there is no ongoing cost. I find this to be the big problem with PoS schemes, I've had quite a number of discussions focused on these two particular issues (stemming from the same fundamental difference, that an internal capital stake is made) and I see benefits of not having ongoing cost and benefits of having it, and also of having a fully self contained system as well as having a system grounded in the outside world. All in all I have come to the conclusion that these differences make neither better nor worse, but that they are simply two completely different game theoretical environments with different security and incentive properties.
I think the issue most have with the "no external stake" is that there was a common misunderstanding regarding Bitcoin value propagated for a while - that is, the cost of the consensus mechanism (compute + electricity) defines the price of Bitcoin. In reality it just sets a floor on the price of Bitcoin. The value of the dollar is not set by the cost of paper. So the "self-referential" nature of stake value and attack value just means that asset value is not pegged to the consensus mechanism in as strong a way as in PoW. As long as asset value is driven by other factors (e.g. utility) that is not really a major concern.
In practice social networks form a cornerstone of all of the unstated assumption of all consensus mechanisms. I'm more worried about supply chain compromise in wallet code than I am about an eclipse attack on a new node. At that point we know our models are too simple to make real world security comparisons.
I would love to see the same content / angle of this article re-written. I think it could be condensed to a few paragraphs perhaps, for those who already understand Proof of Work. I found myself getting stuck in the analogies (infinite lottery tickets) and not being able to make progress. But I'm interested in the pros/cons of PoW vs PoS if you have recommendations.
I have conquered [and seen others close to me] FOMO by stubbornly writing things off, and I suspect others have done the same thing: it's calorically inexpensive and cognitively frictionless. No one can reasonably assess everything that comes their way.
I am not saying that that's the reason with the writer, but it's surely the reason in some people, precisely because it's easy. And easier still to click upvote on a take that reinforces that stubbornness. It's this latter group whose motives are being questioned, as per the GP who asked why these takes get upvoted. I wasn't actually questioning the motive of the writer of the article, hence why I didn't engage in the arguments in the first place.
And of course you have the corollary of true believers who will support anything positive of X-thing-they-have-adopted.
It seems to be only these two dichotomies we see, rarely balanced takes. And that's the real problem.
I think it is a matter of months before crypto mining is banned in Europe and the US. Just because cryptomining is a bottomless well: the more crypto miners earn money, the more they invest in graphics cards and the more they consume electricity. Inevitably, there will be supply problems.
Such an idiotic proposal. How should we enforce this, do we need a government backdoor on every single Turing-complete piece of hardware to verify they are not running "bad" code (hashing data)? Or are just ASICs the problem, mining with CPUs is OK?
Or maybe you could just let people do what they like with the electricity they paid for
Bitcoin is not predominantly mined by a ton of individuals running an ASIC or 2. It is mined in huge warehouses, which have to go through state/federal bureaucracy for business licenses, etc etc. It would be hard to enforce a complete ban on anyone mining any Bitcoin, but the vast, vast majority of mining could be easily shut down in the US, as it was in China.
If electricity was an unlimited non-polluting resource, sure. But when my neighborhood mining rig coal power plant gives me cancer, it's not just a simple marketplace thing.
then tax the electricity use (or, specifically, the fossil fuel use)?
(alternatively, tax the electricity use beyond a certain per-person allocation).
I agree that there can be harms from PoW, but this is because of the electricity use, and so the thing to tax is the electricity use. Rather than the state deciding what things it considers valid for an individual to value and seek, it should put the restrictions on the thing that more directly causes negative externalities to others.
If there is a concern that this would harm things that we are sufficiently convinced is objectively valuable (e.g. making it more costly than is appropriate for people to heat their homes), so that we want to not significantly impact the finances of people who are like, using "reasonable" amounts of electricity, then we can, as I said, put some threshold amount of electricity use per person below which there's no tax on it, and increase the tax rate above that amount to account for this (and use the revenue to pay for CO2 removal and/or green energy development).
Or, like, I suppose in the most extreme case you could (on e.g. an annual basis) give everyone an initial amount of CO2 credits and no one is allowed to emit CO2 beyond the credits they have (but unused credits can be bought and sold).
Should we also ban clothes dryers, Christmas lights, porn, and video games? Each of those uses significantly more energy than Bitcoin. If not, who gets to decide what a "good" use of electricity is?
There is a difference between each of those uses of electricity and PoW.
PoW is throwing away electricity for the sake of it, and resists getting more efficient. If the goal is for the bitcoin network to cost $1M to do a single double spend, then PoW has to use $1M worth of electricity every 10 minutes.
Let's say we live in a future where we suddenly have 10x as much electricity. Due to supply and demand, electricity now costs 10% of what it did before.
Dryers etc all keep using the same amount of electricity with no issue, but bitcoin has a problem: it's now really cheap to double spend unless bitcoin uses 10x as much electricity. So of course, it does.
There's a similar problem with making things more efficient. If we make a Christmas light more efficient (make it use an LED instead of an incandescent bulb or whatever), Christmas lights will use less electricity.
If we make ASICs or GPUs more efficient, then people will just have to run more of them, or else bitcoin will be less secure.
I think this is a real and notable difference, and I think that's enough of a justification to consider a ban.
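The scaling argument in the post above (cheaper electricity or better hardware does not reduce the energy burned, it only raises the hashrate until the security budget again matches the block reward) can be made concrete with a small model. This is an added example, not code from the thread or from any Bitcoin implementation. Only the retarget rule mirrors Bitcoin (difficulty recomputed every 2016 blocks against a 600-second target, with the per-period change clamped to a factor of 4); the reward, joules-per-hash and electricity-price figures, the simplifying assumption that miners spend the whole block reward on electricity, and every function name are constructed for illustration.

```python
"""Toy model of the PoW feedback loop: difficulty retarget plus miner economics.

Constructed example. Only the retarget rule mirrors Bitcoin (2016 blocks,
600 s target, change clamped to a factor of 4); all prices, rewards and
hardware figures are illustrative, and miners are assumed to spend the whole
block reward on electricity (no hardware cost or profit margin).
"""

RETARGET_BLOCKS = 2016          # Bitcoin recomputes difficulty every 2016 blocks
TARGET_BLOCK_SECONDS = 600      # ten-minute block target
MAX_ADJUST = 4.0                # per-period change clamped to [1/4, 4]
JOULES_PER_KWH = 3.6e6


def retarget(difficulty: float, actual_period_seconds: float) -> float:
    """Bitcoin-style retarget: scale difficulty by expected/actual period length, clamped."""
    expected = RETARGET_BLOCKS * TARGET_BLOCK_SECONDS
    ratio = expected / actual_period_seconds
    ratio = max(1.0 / MAX_ADJUST, min(MAX_ADJUST, ratio))
    return difficulty * ratio


def block_time_seconds(hashrate: float, difficulty: float) -> float:
    """Expected seconds per block: on average difficulty * 2^32 hashes find a block."""
    return difficulty * 2 ** 32 / hashrate


def periods_to_converge(difficulty: float, hashrate: float, tolerance: float = 0.01):
    """Retarget until the expected block time is within `tolerance` of the target.

    Returns (final_difficulty, number_of_retarget_periods)."""
    periods = 0
    while abs(block_time_seconds(hashrate, difficulty) - TARGET_BLOCK_SECONDS) > tolerance * TARGET_BLOCK_SECONDS:
        actual_period = RETARGET_BLOCKS * block_time_seconds(hashrate, difficulty)
        difficulty = retarget(difficulty, actual_period)
        periods += 1
        if periods > 50:  # cannot happen with the clamp; fail loudly rather than spin
            raise RuntimeError("difficulty did not converge")
    return difficulty, periods


def equilibrium_hashrate(reward_usd: float, joules_per_hash: float, usd_per_kwh: float) -> float:
    """Hashrate at which the electricity spent per block equals the block reward.

    Rational miners add machines while a block's reward exceeds the electricity
    it costs, so the network settles where the two are equal."""
    usd_per_joule = usd_per_kwh / JOULES_PER_KWH
    return reward_usd / (TARGET_BLOCK_SECONDS * joules_per_hash * usd_per_joule)


def per_block_security(reward_usd: float, joules_per_hash: float, usd_per_kwh: float):
    """Return (usd_per_block, kwh_per_block) at equilibrium.

    usd_per_block is what an attacker must spend to match the honest network's
    work for one block interval; kwh_per_block is the energy the network burns
    per block to provide that security."""
    hashrate = equilibrium_hashrate(reward_usd, joules_per_hash, usd_per_kwh)
    kwh = hashrate * TARGET_BLOCK_SECONDS * joules_per_hash / JOULES_PER_KWH
    return kwh * usd_per_kwh, kwh


if __name__ == "__main__":
    # Constructed figures: 300k USD per block, 30 J/TH hardware, 5 cents per kWh.
    scenarios = [
        ("base", per_block_security(300_000, 3e-11, 0.05)),
        ("cheap power", per_block_security(300_000, 3e-11, 0.005)),   # electricity 10x cheaper
        ("better asic", per_block_security(300_000, 1.5e-11, 0.05)),  # hardware 2x more efficient
        ("halving", per_block_security(150_000, 3e-11, 0.05)),        # after a reward halving
    ]
    for name, (usd, kwh) in scenarios:
        print(f"{name:12s} attack cost ${usd:>10,.0f}/block  energy {kwh:>12,.0f} kWh/block")

    # A sudden 10x hashrate jump takes two retarget periods to absorb (4x, then 2.5x).
    d0 = 1.0e6
    h0 = d0 * 2 ** 32 / TARGET_BLOCK_SECONDS
    print(periods_to_converge(d0, 10 * h0))
```

Under these assumptions the dollar cost of matching the network for one block is pinned to the block reward, while the energy per block works out to reward divided by electricity price: electricity at a tenth of the price means ten times the kWh, a twice-as-efficient ASIC changes nothing about the energy burned, and a halving cuts both the budget and the energy in half. The retarget part shows why the adjustment lags a large hashrate change by a couple of periods rather than following it instantly.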
It's better to tax the harm created from electricity generation, which I suppose is mainly CO2 emissions. Then the market will decide how much PoW mining should be done compared to Christmas lights etc.
Nit: when you say better you mean "more economically efficient in terms of $s produced." That's not necessarily equivalent to a policy that would be the best for society.
I think Bitcoin is possible without PoW; a decentralized peer to peer network in which nodes verify transactions and make agreements on which transaction came first and then draw consensus. But then someone needs to figure out how new coins would be distributed, or in other words what the incentive would be to verify transactions.
Btw Satoshi introduced blockchain checkpoint so no attacker can fork the existing Bitcoin chain and make a competing one.
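What a checkpoint check does on a validating node, as an added example that is neither the commenter's code nor Bitcoin Core's: a toy header chain is built with SHA-256 links, two heights are pinned to known hashes, and a candidate chain is rejected when a link is broken, a block hash does not match its contents, or the block at a pinned height differs from the pin. Block format, payloads, checkpoint heights and all function names are constructed. The example also shows the scope of the check: it only constrains blocks at or below the last pinned height, so an alternative branch that starts above it passes, and a node still has to compare accumulated proof of work to choose between such branches.

```python
"""Checkpoint validation on a toy header chain.

Constructed example: a block here is a dict with a SHA-256 link to its
predecessor; real headers, checkpoint heights and hashes differ. The point
is the check itself: a candidate chain is rejected if any link is broken or
if the block at a pinned height does not match the pinned hash.
"""
import hashlib

GENESIS_PREV = "0" * 64


def block_hash(prev_hash: str, payload: str) -> str:
    """Toy block id: SHA-256 over the previous id and this block's payload."""
    return hashlib.sha256(f"{prev_hash}:{payload}".encode()).hexdigest()


def build_chain(payloads):
    """Build a linked toy chain; payloads[0] becomes the genesis block."""
    chain, prev = [], GENESIS_PREV
    for height, payload in enumerate(payloads):
        h = block_hash(prev, payload)
        chain.append({"height": height, "hash": h, "prev": prev, "payload": payload})
        prev = h
    return chain


def fork_at(chain, height, new_payloads):
    """Alternative history: keep blocks below `height`, replace everything above."""
    forked = [dict(b) for b in chain[:height]]
    prev = forked[-1]["hash"]
    for i, payload in enumerate(new_payloads):
        h = block_hash(prev, payload)
        forked.append({"height": height + i, "hash": h, "prev": prev, "payload": payload})
        prev = h
    return forked


def validate_chain(chain, checkpoints):
    """Return (ok, reason). Checks contiguous heights, hash linkage, and pinned hashes."""
    prev = GENESIS_PREV
    for expected_height, block in enumerate(chain):
        if block["height"] != expected_height:
            return False, f"height gap at {expected_height}"
        if block["prev"] != prev:
            return False, f"broken link at height {expected_height}"
        if block_hash(prev, block["payload"]) != block["hash"]:
            return False, f"hash mismatch at height {expected_height}"
        pinned = checkpoints.get(expected_height)
        if pinned is not None and pinned != block["hash"]:
            return False, f"checkpoint mismatch at height {expected_height}"
        prev = block["hash"]
    return True, "ok"


# Constructed honest history of eight blocks, with heights 2 and 5 pinned.
HONEST_CHAIN = build_chain(["genesis"] + [f"batch-{i}" for i in range(1, 8)])
CHECKPOINTS = {2: HONEST_CHAIN[2]["hash"], 5: HONEST_CHAIN[5]["hash"]}


def deep_fork():
    """Rewrites history from height 3, below the pinned height 5: rejected."""
    return fork_at(HONEST_CHAIN, 3, [f"fake-{i}" for i in range(3, 8)])


def shallow_fork():
    """Rewrites history from height 6, above the last pin: passes this check."""
    return fork_at(HONEST_CHAIN, 6, ["fake-6", "fake-7"])


if __name__ == "__main__":
    for name, chain in [("honest", HONEST_CHAIN), ("deep fork", deep_fork()),
                        ("shallow fork", shallow_fork())]:
        print(name, validate_chain(chain, CHECKPOINTS))
```

The pinned hashes are the trusted input here: on a real node they ship with the software, so whoever can change them can change which history the node accepts, which is why checkpoint updates go through the same review as any other consensus-affecting code.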
Videogames share that property. The Atari 2600 was ~5 watts. That's about what the Playstation 5 consumes during rest mode; when you're playing it, it takes 150-200 watts.
It really sounds like you're rationalizing banning Bitcoin because you don't see any value in it. That's a dangerous way to decide who gets to use electricity.
Why do people keep propagating this claim that PoW is burning electricity for nothing? It directly provides security for the blockchain. I don't disagree with your argument's general direction, just with this piece of incorrect misinformation.
LED was a technological innovation. Nothing says Bitcoin can't have those. If you want more light, you need more lamps and you need to spend more energy. I don't really see the difference here.
About every 4 years the reward for mining a block will be halved. I don't see LED lights getting two times more efficient every 4 years.
Because "security of the blockchain" doesn't necessarily mean "good for society". Cryptocurrencies are most widely used for speculation, and then fraud, ransomware, all those very fun and pleasant things.
I thought there was enough historical data to draw the conclusion that command economy doesn't work. I also would appreciate if you could back up your claims on how Bitcoin is used.
Bitcoin incentivizes the search for cheaper energy, and allows for the instant monetization of once wasted energy. That's a LOT. This whole argument of energy use... I bet most of these people would have fallen for the same energy propaganda when the internet was just getting started... "what's email?? why would you waste electricity to send an electronic mail??"
You haven't addressed the parent commenter's point though: that PoW will cause an increase of energy consumption every time you make any progress in making energy cheaper, hence cancelling out any improvements in energy production efficiency.
It would only be beneficial if after a certain level of efficiency were achieved, PoW got banned and all that efficiency increase could actually benefit consumers of energy that did not have to keep increasing spend to keep up (though even that's not sure, because if energy becomes 10x cheaper, it's just a matter of time for people to invent new creative ways to use all that cheap energy that's prohibitively expensive right now).
There's rarely such a thing as 'wasted energy' outside crypto. Energy can be exported (even if at low efficiency) or stored in various forms (pumping water up a mountain, hydrolysis of water to fuel hydrogen plants, etc). Unfortunately, Bitcoin, Ethereum et al are actively making these productive uses of energy un-economical, as they have worse return on investment than simply burning that energy on crypto.
>There's rarely such a thing as 'wasted energy' outside crypto.
There are a lot of resources getting wasted in real life. For example I'm from East Europe and we do not have good water pipe infrastructure and lots of water gets leaked every month.
Speaking of wasting and leaking electricity I did a quick Google search and this is what I found:
"Are your appliances leaking electricity? Some of you might not be familiar with what this means. Not only do we have more small- and medium-sized appliances than ever before, but many of these never really stop using electricity. For example, if the television has a remote, then part of the TV is always on, waiting for a signal from the remote. If there is a clock on the microwave then the microwave is always using some electricity. Experts call this usage "standby consumption" or "leaking electricity" because people are often not aware that the appliance is using electricity.
A single appliance usually leaks only a small amount of electricity each hour (see Leaking Watts Chart below). Since these appliances leak electricity whenever they are not turned on, and since people have a lot of these appliances, the amount of leaking electricity is significant. The average household spends about $40 a year on leaking electricity. The federal government works with appliance manufacturers to reduce the amount of electricity that leaks out of new appliances[1]."
Also here is another good resource on electricity leak which is related to the first web document I linked[2].
And then how much food is getting wasted every month globally? Probably billions of dollars of food is getting thrown away every month.
Other merits aside, Bitcoin's incentivizing cheaper energy provides nothing new of value.
All uses of energy incentivize the search for cheaper energy.
Not all energy uses are optimized to increase usage over time, to cancel efficiencies. Proof of work, whatever its merits, is anti-efficiency with respect to itself.
I made a strong statement, so maybe I need to be more precise with my point.
Bitcoin has merits. So proof of work, being a part that is currently necessary for it to work has merits.
But the argument that proof-of-work has the merit of incentivizing cheaper energy sources does not stand up.
1. All uses of energy already incentivize the search for cheaper energy. This isn't a novel incentive that proof-of-work provides.
2. But proof-of-work does have a relatively novel disadvantage. It won't just incentivize greater energy uses as prices come down, as in normal supply-demand curves, but must keep up the original and even grow the amount spent on energy.
This would not be a problem in a market without negative externalities, but energy is famously a huge industry that will be struggling with negative externalities for quite some time and at great cost.
There's a trend now of Bitcoin mining businesses buying fossil fuel power plants in the US, in many cases plants that had already been shut down due to being unprofitable.
What is your source according to which Christmas lights and porn use more energy than bitcoin? I fear you may seriously underestimate the energy usage of bitcoin.
Even clothes dryers seem to be using less energy than Bitcoin. If you run the dryer for an hour each week, you're at 12-15kWh per month, which is 1-2% of your average household energy usage in the US, Canada or the EU. Now households use at most around a third of the electricity in cold countries with a decent amount of electric heating, for which dryers are much less, but let's run with it. That still sets the upper bound to 0.6%, which incidentally is the same as bitcoin.
If we're going to start legislating how we're all allowed to use energy that civilization has made available, who gets to decide what's allowed?
Numbers I've seen suggest that global PC gaming alone (excluding consoles) currently uses about as much electricity as bitcoin. Should we ban that too since playing cards are readily available and use almost no energy? Maybe we can make a concession and only allow low powered handheld consoles?
If bitcoin mining actually becomes problematic, then by all means we can definitely ban it or add some sin taxes to it, and we probably will in a lot of jurisdictions. I'm actually kind of eager for that to happen, because it will force miners to actually become novel/stranded energy ventures. They'll be the capital drive that builds out energy sources that not enough humans live around to justify tapping and/or we can't economically justify building without expensive transmission infrastructure. And once it's built out and paid off, it may be a lot easier to justify investing in building out long distance transmission infrastructure so the rest of civilization can also tap into these sources.
> If we're going to start legislating how we're all allowed to use energy that civilization has made available, who gets to decide what's allowed?
We already legislate different pricing for different applications. Household electricity has a different price than industrial usage. A 1000x price of electricity for certain applications is just a small extension of what we currently have.
it's called "we the people" or democracy if you will. We as a society decide that cryptocurrency aren't worth destroying the world over, and that's about it.
If bitcoin mining uses renewable power (and pays for it), is that destroying the world or is that encouraging renewable adoption?
If bitcoin mining uses co2 producing power (because the economics supports it), is that the fault of bitcoin or the government for not sufficiently taxing the negative externalities of that means of production?
Using power is never a net good, regardless of the type of power. If we don't need more power for something specific, the ideal is to just not build more power - consumption is not some noble goal.
Unless we believe that Bitcoin has some use, its power consumption would be problematic even if it weren't so monstrously large. And vanishingly few people believe Bitcoin has any value beyond a get rich quick scheme.
The point isn't to increase the proportion of renewable power, but to decrease the total amount of non-renewable power. 10% renewables is the same as 90% renewables if the remaining consumption is the same total amount.
There is no market in the world where you are going to decrease consumption by increasing the demand. That's just not how economics works.
By convincing the people in all of those countries to vote the same way - ideally through pure argument, realistically through various carrot and stick negotiation techniques. This is really not rocket science.
It's funny "we the people" always decide this when it's about something that would actually empower us. Meanwhile, "we" didn't only not ban cars, "we" destroyed public transport in the US and lobbied the government to massively subsidize roads and cars. Just as an example.
It's curious how much agitation there is concerning the energy consumption of PoW. I don't see nearly as many articles calling for restricting AWS & co. Coincidentally Bitcoin is the base layer of a decentralized finance world completely out of the control of traditional elites and banks.
Bitcoin is the base layer of a decentralized finance world completely out of the control of the traditional elites and banks, yes.
It's also a new finance world completely under the control of an even smaller elite of devs and mining pool owners (see the hard fork of Ethereum that happened a long time ago, and the upcoming fork of Ethereum that will move it to PoS; sure, Ethereum isn't Bitcoin, but there is nothing fundamentally different to prevent Bitcoin taking a similar step whenever the devs and miners decide).
What Bitcoin definitely is not is a new currency where the people have any kind of control. It is actively opposed to that goal, and takes away even the slight chance of a benevolent leader that exists with central bank controlled currencies.
You forgot a (perhaps even more) crucial part: the exchanges/stablecoins!
They're the whole reason this clown show is considered "finance" rather than funbux.
And they're all extremely suspicious. And by suspicious I mean obviously fraudulent. The value of Bitcoin (!) is propped up by Tether printing fake dollars backed by nothing.
I'm just imagining downloading a porn client which fetches 300 gigabytes of bullshit before it finally lets me watch a movie at a whopping five frames per second.
And best of all, someone complaining that this is clearly a wasteful scam and being told back, "how much energy did videocassettes and magazines consume, huh?"
If the amount of throughput and everything else remains constant while more and more computers are in a zero-sum arms race to waste electricity to solve a useless hash problem, then it is by definition not useful except for “securing the network”.
And if you can secure a network some other way, then it definitely becomes better by any arbitrary order of magnitude, assuming your utility function doesn't place infinite value on securing 10 transactions a second to over 99.9999% certainty and isn't willing to waste all the world's electricity to do it.
Literally even if you value all other uses of electricity put together as 1/100000 of securing Bitcoin then in a few years banning PoW becomes the right move.
But I imagine it will be like the war on drugs — impossible to totally eradicate, since mining rewards become more lucrative every year forever. Until bitcoin blackouts are frequent in the first world, most people won't care though.
Imagine if people asked how many emails (SMTP), conversations (VOIP) or websites (HTTP) the Internet can ever handle per second and the answer was 10, no matter how many computers joined the network. Because every time you had to make progress, everything went through one bottleneck called a miner. Would this be the topology you want to reward with ever-more-valuable rewards?
Imagine if BitTorrent worked this way, and every computer would seed every file. And maximalists said that this was the ONLY AND BEST WAY.
But won't each of those take up significantly more energy once they use Bitcoin than today? I.e. the costs will be additive, and crypto aims to replace fiat. So crypto would need to be more efficient at the same scale as fiat to make sense.
Also aren't each of those used by significantly more people than Bitcoin? So the per capita use is less and they scale better?
Also how are you estimating cost of porn? Viewing cost? Generation cost?
You're only talking about any given moment in time, but Bitcoin hashing difficulty adjusts in an almost correlated way to the number of transactions being performed (or, more directly, to popularity at a given time).
> Each of those uses significantly more energy than Bitcoin.
These discussions should talk about the ratio between a certain measure of productivity (e.g. GDP generated for the country) to the energy use; energy on its own does not mean much. I'm sure worldwide food production consumes more energy than Bitcoin.
Other than that, a problem with POW (at least as implemented in Bitcoin) is that technological advances won't result in less energy consumption as it's mostly a function of (price of Bitcoin, price of energy).
Energy consumption of anything is irrelevant. The carbon footprint is the interesting marker of a technology and this will depend on the source of energy used.
You never mentioned why you think mining should be illegal. Probably because of the outrage published by the media based on intuitive assumptions that end up not being true: that bitcoin mining is bad for the environment in the long term. However, this is not true even though it intuitively seems that way. (Similar to how making highways wider actually ends up making traffic worse, not better.)
We can actually start with 1 question: If electricity demand from PoW mining spurs new renewable plants to be built, is that bad for the environment?
I (and many electricity companies) actually think PoW mining is good for the grid/renewable adoption in the long term. Let me explain why:
Some indisputable facts to get us started:
1. Most renewable electricity has unpredictable supply
2. Introducing marginal capacity of the same type gives diminishing returns. Eg: you're producing more during high supply times where electricity rate is low. During lower production periods all of the same type of renewable will be producing less so you can't even take advantage of the higher rates.
3. Rational bitcoin miners will turn off their machines when cost of power is greater than marginal return.
As a result, PoW mining will help the economics of building new wind/solar plants. E.g., currently it may not be profitable to build a new wind plant because base load is so low that the excess power generated would need to be sold off at 0 or even negative prices. However, if bitcoin mining could be turned on during these times and off during periods of high demand, there would need to be fewer peaker plants in operation and it would positively affect the economics of opening a new wind plant.
Bitcoin mining only cares about the cost of electricity at a given time, it is not like most other electricity demands that are very time based. With the large variance of electricity generation by renewables, I think bitcoin can in the future help smooth demand according to the real supply/demand curve.
It's kind of like a different implementation of the Tesla utility grid batteries. Instead of deploying batteries, you force the grid to build more renewable capacity (that the miners are paying for) that miners use except in peak periods, where you turn off and effectively provide the grid with more power.
> If electricity demand from PoW mining spurs new renewable plants to be built, is that bad for the environment?
Yes, obviously.
Even if every single miner pool built its own solar/wind plant to power 100% of its energy needs, that would still be horrible for the environment: building the power plant itself produces harm to the environment; and the space and work and money used to create the Bitcoin miner's power plant could have gone into replacing (closing down) a non-renewable power plant.
Silly arguments about pricing volatile electricity only work if we assume maximizing profit is the ultimate good or that PoW is the only way to use that excess power. In reality, if we want to avoid the worse catastrophes that our current economy is pushing the world towards, we have to stop looking at profit, and choose less profitable but more useful ways of handling volatility - batteries, long-distance transmission, etc.
Yes (with some help from nuclear, hydro), yes, and no/irrelevant.
Power generation is a social concern, and states provide plenty of incentive to build power plants, especially nuclear - crypto mining is a profit chasing wasteful afterthought.
The author takes issue with the Phone-a-friend-consensus (PFC) for establishing base consensus. I disagree with his objection for two reasons:
1. For all consensus systems, at least a vast majority will rely on PFC for base consensus since they will not personally audit the client software they download, and thus will rely on PFC to determine which software distribution channel to trust to download the client software from. In other words, there is in practice no pure PFC-free consensus protocol, to be taking such a hard stance on Proof of Stake for its reliance on it.
2. The Schelling Point PFC in Proof of Stake will always be the real order of transactions, and therefore PFC will be highly reliable. Cases like Bitcoin's block size hard limit dispute, and Ethereum's DAO hack rollback dispute, dealt with something other than the order of transactions, and in both cases the dispute was severe enough to lead to a hard fork - which jettisoning PFC can't protect against - regardless.