For interest, a series of tweets from @hugohanoi, criticising Proof of Stake.
1/ Here’s why I think Ethereum & Proof-of-Stake are bad ideas.
2/ Bitcoin ledger (relative) immutability isn’t magic, it has that special property only because it pays an extremely high price for it. That price is PoW mining.
3/ PoS proponents claim they can achieve the same immutability property, while doing away with this “wasteful” mining and as a result, operate at a fraction of the cost.
4/ There’s something very similar to PoS in the history of technology, it’s called the idea of a Perpetual Motion Machine.
5/ In the 19th & 20th centuries, people spent tons of money & effort trying to create a Perpetual Motion Machine. A Perpetual Motion Machine produces perpetual motion without requiring any energy, essentially creating energy out of thin air.
6/ Similarly, PoS promises ledger immutability without requiring any upfront cost, basically creating ledger security out of thin air.
7/ (“Ledger security” is used here interchangeably with immutability, or the ledger’s ability to resist changes or tampering.)
8/ We know now why a Perpetual Motion Machine doesn’t work. It violates the laws of physics. Specifically, the Conservation of Energy law: “Energy cannot be created or destroyed, it can only be changed from one form to another”.
9/ You cannot gain something without giving up something equivalent. This is the absolute law that governs our universe.
10/ Blockchains also have to follow the laws of physics. Everything in our world ultimately translates back to energy, at the lowest level. You are energy. I am energy. Blockchain is energy. Specifically:
11/ a- Ledger security is energy. This manifests in electricity cost in PoW mining.
12/ b- Decentralization is energy. This manifests in the cost required to run full nodes across the network and for these nodes to communicate. This includes costs for storage, bandwidth, TCP/IP routing, etc.
13/ c- Scalability is energy. This manifests in the cost required to support more and more transactions on the network.
14/ You can think of a blockchain as a fluid system where energy can flow from one property to another. You can move decentralization energy to scalability energy, and vice versa. You can move ledger security energy to scalability energy, and vice versa.
15/ The total utility of a blockchain should be roughly equal to the energy cost that goes into producing it. (In reality, utility is less than cost due to friction & other inefficiencies).
16/ What you cannot do, is to magically keep all properties the same while reducing total energy cost.
17/ The only way PoS can reduce energy cost while keeping the same properties, is by showing that PoW is truly “wasteful.” That PoW doesn’t contribute anything to ledger security.
18/ But PoW absolutely does contribute to ledger security, 100%! Every single hash operation in PoW contributes to ledger security. In fact, PoW makes ledger security highly quantifiable & easy to calculate. Cost of rewriting X blocks == cost of mining X blocks.
19/ Since PoS removes billions of dollars of the mining that secures the ledger, it must follow that a PoS blockchain is billions of dollars less secure. Again, Conservation of Energy.
20/ So, the TL;DR is that PoS cannot work unless it violates the laws of physics: getting security without spending any energy.
21/ Let’s look at PoS from another angle. Concretely, PoS aims to achieve immutability via the idea of “punishment.”
22/ The idea is that if you misbehave, you pay a heavy penalty. PoS people hope this threat will deter bad actors from attacking. However, this has a fatal flaw.
23/ Threat of punishment works in real life, because in real life, there is only one version of reality.
24/ This does not translate to a distributed ledger. Each fork of a ledger is an alternate version of reality.
25/ Punishing bad actors in your version of reality works only if attackers choose to remain in your reality.
26/ But they don’t have to. By rewriting history, an attacker can wipe the slate clean. In an attacker’s version of reality, she’s the honest actor.
27/ PoS can only punish bad actors after the fact. By the time you get to punish somebody, it might already be too late.
28/ This is drastically different from PoW mining. In PoW mining, attackers have to pay upfront cost in order to mine a single block. In order to attack, you have to pay first. Period.
29/ Whether an attacker has to pay the cost upfront or after-the-fact, makes a huge difference. The difference is billions of dollars in security.
30/ PoS might be mildly interesting without being as secure as PoW. But I don’t really see the point. If you compromise on ledger security, you compromise on what makes blockchains special in the first place.
31/ PoS’s weaker security is also evidenced by its need to require a lot more “social consensus” (which is just a fancy word for manual human intervention) than PoW.
32/ PoS plans to rely on “making it the user’s responsibility to authenticate the latest state out of band. They can do this by asking their friends, block explorers, businesses that they interact with, etc. for a recent block hash in the chain that they see as the canonical one.”
33/ Vitalik’s beloved defense against this type of weakness is that PoW also requires social consensus. Well, DUH. All man-made systems require some degree of social consensus, there is no exception.
34/ The political system, the transportation system, the banking system, the dollar, Bitcoin, etc. All these systems require buy-in from humans collectively as a group, in order for them to work. Man-made systems would break down immediately without social consensus.
35/ To argue that since PoW needs social consensus, it’s OK for PoS to need social consensus, is a downright stupid argument. What matters is not whether you need social consensus, but how much?
36/ The less social consensus / human intervention a system needs, the stronger & more secure it is. The goal is to move as much as possible to machine consensus, to eliminate human biases & errors.
37/ PoW makes machine-level consensus a trivial problem. When there is a fork, a machine just has to pick the one with the most accumulated PoW. Yes, Bitcoin still needs some social consensus to get the system up & running. But after that, it’s mostly on auto-pilot.
38/ In contrast, in PoS you would continuously need social consensus in order to resolve forks. The reliance on social consensus is magnitudes bigger than PoW.
39/ In conclusion, there is just no comparison between PoW & PoS. It’s like an NBA team vs a high school team.
40/ PoW is a system designed to withstand the worst, PoS involves obfuscated setups in order to hide its fatal weaknesses. One is a resilient platform for the future, the other is a toy.
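
The fork-choice rule from tweet 37 ("pick the one with the most accumulated PoW") and the rewrite cost from tweet 18, worked through as an added Python example that is not part of the original thread. It assumes Bitcoin's compact nBits target encoding and headers whose proof-of-work has already been validated; the fork data and function names are constructed for illustration.

```python
# Added illustration: fork choice by accumulated proof-of-work.
# Each chain is a list of compact difficulty targets (nBits), one per block.
# The values are constructed sample data, not real block headers.

def bits_to_target(bits: int) -> int:
    """Decode the compact nBits encoding into the 256-bit target."""
    exponent = bits >> 24
    mantissa = bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))

def block_work(bits: int) -> int:
    """Expected number of hashes needed to find one block at this target."""
    return (1 << 256) // (bits_to_target(bits) + 1)

def chain_work(chain) -> int:
    """Accumulated work of a chain: the sum of its blocks' expected hashes."""
    return sum(block_work(bits) for bits in chain)

def best_chain(forks) -> str:
    """Pick the fork with the most accumulated work, not the most blocks."""
    return max(forks, key=lambda name: chain_work(forks[name]))

def rewrite_work(chain, depth: int) -> int:
    """Expected hashes to re-mine the last `depth` blocks at their targets."""
    return chain_work(chain[-depth:])

# Constructed forks: five easy blocks versus two blocks that are 256x harder.
FORKS = {
    "long_easy": [0x1D00FFFF] * 5,
    "short_hard": [0x1C00FFFF] * 2,
}

if __name__ == "__main__":
    for name, chain in FORKS.items():
        print(f"{name}: {len(chain)} blocks, work={chain_work(chain):#x}")
    print("selected fork:", best_chain(FORKS))
    print("hashes to rewrite 3 blocks of long_easy:",
          rewrite_work(FORKS["long_easy"], 3))
```

The shorter fork is selected because its two blocks represent more expected hashes than the five easy ones, which is why the rule is stated in terms of accumulated work rather than block count.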