Criticisms of Proof of Stake

Oh boy.  What a week it’s been.  My previous post, meant to give a brief overview of Proof of Stake for non-technical readers, seemed to strike a nerve.

To start, I think people misunderstood the motive of the post.  I was simply giving a brief technical explanation of proof of stake for non-technical readers, and some readers seemed to interpret this as support for proof of stake.  I’m a software developer.  I don’t care about the moral or ethical implications of power consumption or immutability.  I’m purely interested in the mechanisms, and I’ve yet to find someone who doesn’t agree that the casper protocol isn’t at least interesting, which is why I blogged about it.

As some of my readers know, one of the main reasons I post is to partake in the discussion that ensues afterwards, and there was a lot of it.  My previous post was on the front page of /r/blockchain for two days as well as /r/ethermining for a day and a half, which is great because these were my target audience in writing the post.  However, I also posted on a whim to /r/btc and /r/ethereum where it stayed on the front page of controversial for an entire day, which in my opinion is also great.  I wasn’t expecting the feedback I received; however, this is exactly my motivation for writing.  I would like to thank everyone who took the time to read and provide feedback.  In this post I’ll spell out some of the criticisms of Proof of Stake that I left out of the previous post (again, it was intended for a less technical reader), as well as some new ones that I’d never considered until now, thanks to my readership.

External/Internal Staking

It seemed the major criticism people levied against proof of stake was that the staking was internal to the system rather than external.  /u/jps_ makes the point concisely:

“Proof of Work has something physical at stake, namely the electricity necessary to probably solve the puzzle. In essence, the bits in the network are secured by activity outside the network: someone has to generate that electricity. This results in a stable equilibrium, because in order to compromise the bits in the network, one must expend considerable external energy. The laws of thermodynamics make it very difficult to profit by consuming energy”

I don’t buy that external staking makes proof of work superior.  If we assume a free market economy, I should be able to exchange my money for electricity or cryptocurrency.  Obviously markets aren’t rational and the price of a cryptocurrency or the price of electricity isn’t what it should be at the particular time that I make this trade of cryptocurrency to electricity, but that’s a discussion for a different day.  The point I’m making is, technically, the $300 of cryptocurrency I bought is of equal staking value to the $300 of electricity I “staked” to mine the cryptocurrency at the moment I did both.  We can discuss the volatility of electricity prices vs cryptocurrency prices, and decide one is a more stable form of staking than the other, but the fact remains that $300 of electricity is equivalent to $300 in cryptocurrency at the time of mining, and it would therefore take an extra $300 more to perform a 51% attack in both cases.*

One argument you could make is that the ethereum casper roll out is premature.  If the market cap of the ether being used to stake is less than the cost of electricity miners are putting forth to mine ether, then you could make a case that this is raising the probability of a 51% attack.

Another argument is that once the electricity is used, it’s on the blockchain forever, while the staked cryptocurrency can easily be converted back into fiat.  As we saw with the casper smart contract from the previous post, the funds are locked for a certain number of blocks.  This may not be completely irreversible as in the proof of work case, but this number can be altered to suit the needs of the blockchain (which, depending on your opinion may or may not be a good thing, see below), to include irreversibility if need be.

Nothing to Stake

I introduced this briefly in the previous post, but didn’t go into much detail, as I didn’t want to confuse non-blockchain readers.  Since it’s already been introduced, I’ll assume everyone is familiar with the problem and why it exists.  I mention that casper purports to solve this problem by use of an arbiter smart contract which penalizes malicious validators.  One argument that kept coming up was concern that a malicious chain could be built and hidden from the rest of the validators and then shown at an opportune time.  Casper handles this by locking the validator funds inside the smart contract and receiving “tattle-tale” transactions from validators in the event that evidence for malicious behaviour is found in previous blocks.  One of these malicious behaviours is not betting on a chain, another is betting on the “wrong” chain.  These are both actions that would be necessary to build this “hidden” chain, and since they’re penalized, you’d run out of ether far before you could pull the attack off.

Rather than discussing this particular case (many others were brought up, and many more will follow I’m sure**), the point is, this smart contract can be altered to ward off any sort of malicious proof of stake behaviour that may arise in the future.


This leads us to perhaps the most damning criticism of casper: the fact that casper’s proof of stake involves a smart contract that acts as the arbiter of the validators.  There is no clear analogue to this in the proof of work context, it simply doesn’t exist.  It’s obviously a single point of failure, as well as an attack vector, and, depending on your perspective of the blockchain, a terrible case of centralization.  One point continually driven home in my discussions with /u/Erumara was his/her reluctance to support something so complex compared to proof of work.  And I have to admit, I do agree that proof of work is much simpler than every proof of stake solution I’ve seen proposed.

However, as /u/naterush1997 points out:

In both cases, there is “centralizing” code – in that it is code that everyone relies on. However, the Casper contract being public means that we have the benefit of seeing if there is some fatal flaw and/or bug. In the case of the attack on PoW described above, this would be impossible, as the attack described is indistinguishable from someone having a ton of computing power.

And even if it is overly centralized, I don’t think the technology shouldn’t still be explored.  Obviously there is a large difference in opinion between the bitcoin and ethereum community in this regard, and I intend on exploring these differences in a future post.  For now, let’s just say the ethereum developers are more willing to take concrete risks with their software even if it ends badly.  And in fact, I agree with this strategy.  It’s one thing to pursue an idea simply for the sake of it (as in the case of pure research), it’s entirely different to have millions of dollars at stake in the pursuit of an idea.  This is part of what got me into cryptocurrency.  This mixture of direct financial skin in the game of all parties involved (investors, users, developers) and interesting technology can’t be found anywhere else in the world.


One of the best outcomes from the post was this Andreas video /u/dietrolldietroll passed me.  He makes the External/Internal staking argument, but at the end of the video (at around 42:56) when pressed by a question, he says that both proof of stake and proof of work can coexist in the market due to their different use cases.  I’d say that sums up my opinion of the matter fairly well.  As I said before, tech needs to crash and burn to move forward.  I’m not saying proof of stake will be a catastrophic failure for ethereum, but even if it is, it will be a success for the blockchain movement at large.

I received a bunch of criticism (bunch of haters man) in /r/ethermining for an offhand conjecture I made about proof of stake privacy coins, so I intend to fully rectify this in my next post.  Until then!

*After considering this idea during my writing I came upon a new idea.  If it’s true that bitcoin is defended directly by the cost of electricity used to mine coins, could the sum of all electricity used up to block A be considered the true “value” of bitcoin at that block?

**For example, what if a validator never checked in to the smart contract, and is therefore never penalized, then finally showed up, having rewritten the entire blockchain to look much more attractive to the rest of the validators.  They’d need 51% of the currency to pull off this attack, but I believe using the casper smart contract, even this might be possible to defend against.


EDIT: /u/jps_ in response to my argument against external staking:

If you buy $300 worth of Electricity and use it to secure a PoW network, it buys a finite time/amount of security. After the expenditure, the electricity is consumed and there is no more security. The only residual value you hold is the rewards earned along the way. These rewards cost you an extrinsic $300 that is not returned to you. This creates an objectively extrinsic value of the reward generated in return for security: basically, the reward is worth the expenditure in electricity generated to consume it.

If you take $300 and buy ETH and stake it, you can stake that $300 for as long as you want. Whenever you cease participating in securing the network, your $300 in ETH is returned to you, in addition to your rewards from staking.

Therefore, when you started staking you had $300 you exchanged for ETH. You finish staking and you hold ETH you can sell for $300. Plus rewards. Your net extrinsic expenditure is zero, and your net gain is the staking rewards.

So PoS is a value tautology. It creates something at no external cost, which has a putative external value greater than zero.


Proof Of Stake vs Proof Of Work

I’ve decided to write a post about the differences between proof of stake (a protocol currently being used by Neo and being worked on by Ethereum), and proof of work (a protocol made famous by Bitcoin, and currently in use by coins like ZCash and Monero).  I felt motivated to write this post because there seems to be a bit of confusion when I talk with people about the proof of stake protocol as to what exactly happens.  Many I’ve talked with seem to view it as creating money out of thin air (as if mining wasn’t that already), or at the very least less secure than proof of work.

Proof of Work

I believe people feel more comfortable with proof of work because it’s the simpler of the two protocols.  The idea is this: Your computer is going to try billions of different inputs to a hash algorithm (it’s going to put in work), and if it comes up with the right output (it’s proved that it’s worked on the puzzle sufficiently), you’ll be rewarded. Here is an example proof of work algorithm from the Ethereum cryptocurrency tutorial:

// The coin starts with a challenge
bytes32 public currentChallenge;
// Variable to keep track of when rewards were given
uint public timeOfLastProof;
//Difficulty starts reasonably low
uint public difficulty = 10**32;

function proofOfWork(uint nonce){
    // Generate a random hash based on input
    bytes8 n = bytes8(sha3(nonce, currentChallenge));
    // Check if it's under the difficulty
    require(n >= bytes8(difficulty));
    // Calculate time since last reward was given
    uint timeSinceLastProof = (now - timeOfLastProof);
    // Rewards cannot be given too quickly
    require(timeSinceLastProof >=  5 seconds);
    // The reward to the winner grows by the minute
    balanceOf[msg.sender] += timeSinceLastProof / 60 seconds;
    // Adjusts the difficulty
    difficulty = difficulty * 10 minutes / timeSinceLastProof + 1;
    // Reset the counter
    timeOfLastProof = now;
    // Save a hash that will be used as the next proof
    currentChallenge = sha3(nonce, currentChallenge, block.blockhash(block.number - 1));
}

If you were to mine this coin, you’d essentially send your input (nonce) to the proofOfWork function in this smart contract.  If your input is below the current difficulty level, and it’s been long enough since the last block was mined, you receive a reward, otherwise the function returns (that’s what the require statement does in solidity) and you try the next input you think might result in a sha3 hash below the current difficulty.  This is proof of work mining in a nutshell.

Proof of Stake

Proof of stake has the same goal as proof of work: to achieve distributed consensus of the state of the blockchain.  Going back to the git perspective, both protocols are trying to select maintainers of the blockchain “branch” without allowing anyone too much control.  Proof of stake does this by substituting out hash power for economic power.  The more coins you have, the more likely you, or the block you’ve chosen, is to be used and the more you’ll be rewarded for it.  I believe cryptocurrency developers are moving in this direction because unlike proof of work, proof of stake has the added property that the more coins you’re holding, the more likely you are to act in solidarity with the will of the users of the blockchain when selecting blocks.  In proof of work there is a tension between miners and users of the blockchain that may not exist in a proof of stake protocol (this is yet to be seen), as often the users will also be the validators (a miner in proof of stake is often called a validator).  There’s also the added benefit that proof of stake doesn’t cost millions of dollars in power and bandwidth every year to maintain the blockchain.


Let’s use the Ethereum casper protocol as a detailed example for proof of stake, as this one seems to be getting so many people interested in what proof of stake is.

The casper protocol will involve a smart contract being deployed to the Ethereum blockchain.  An address interested in becoming a validator will send the amount of ETH they would like to stake on blocks to the smart contract.  The smart contract will then receive two messages from validator addresses, PREPARE and COMMIT.  PREPARE is essentially a validator saying “I think this set of transactions should be the next block”; if one of these blocks attains a 2/3 economic vote in the smart contract, it becomes a possibility for a COMMIT.  After the possible PREPARE blocks have been selected, validators vote on this set of blocks with the COMMIT message.  Once again, if a 2/3 economic vote is found on a COMMIT block, it will be added to the blockchain, and all the validators who took part in selecting this block will be rewarded for minting the block in proportion to the amount of ETH they deposited to the smart contract when joining the validator pool.  As far as I’m aware, there doesn’t exist a mechanism for selecting validators*, but it could easily be something like a random subset selection of all possible validators weighted by the amount of their deposit in each dynasty.
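
The PREPARE/COMMIT flow above as a toy Python model.  This is an added example, not code from the casper contract or from the original post; the class and method names, the sample validators and the integer stake amounts are all assumptions made for illustration.

```python
# Added example: toy PREPARE/COMMIT model. Hypothetical names, integer stakes.
from fractions import Fraction

THRESHOLD = Fraction(2, 3)  # share of all deposited stake needed in each phase

class ToyCasper:
    def __init__(self):
        self.deposits = {}                          # validator -> staked amount
        self.votes = {"PREPARE": {}, "COMMIT": {}}  # phase -> validator -> block

    def deposit(self, validator, amount):
        if amount <= 0:
            raise ValueError("stake must be positive")
        self.deposits[validator] = self.deposits.get(validator, 0) + amount

    def weight(self, phase, block):
        return sum(self.deposits[v] for v, b in self.votes[phase].items() if b == block)

    def passed(self, phase):
        total = sum(self.deposits.values())
        blocks = set(self.votes[phase].values())
        return {b for b in blocks if Fraction(self.weight(phase, b), total) >= THRESHOLD}

    def vote(self, phase, validator, block):
        if validator not in self.deposits:
            raise PermissionError("only depositors may vote")
        if validator in self.votes[phase]:
            raise ValueError("one vote per validator per phase")
        if phase == "COMMIT" and block not in self.passed("PREPARE"):
            raise ValueError("block did not reach 2/3 of stake in PREPARE")
        self.votes[phase][validator] = block

    def finalize(self, reward):
        """Return (block, payouts) once a block holds 2/3 of stake in COMMIT, else None."""
        done = self.passed("COMMIT")
        if not done:
            return None
        block = done.pop()  # with one vote each, two blocks cannot both reach 2/3
        voters = [v for v, b in self.votes["COMMIT"].items() if b == block]
        backing = sum(self.deposits[v] for v in voters)
        return block, {v: Fraction(reward * self.deposits[v], backing) for v in voters}

def demo():
    c = ToyCasper()
    for name, stake in [("alice", 50), ("bob", 30), ("carol", 20)]:  # constructed
        c.deposit(name, stake)
    c.vote("PREPARE", "alice", "block-A")
    c.vote("PREPARE", "bob", "block-A")    # 80/100 of stake: block-A may be committed
    c.vote("PREPARE", "carol", "block-B")  # 20/100 of stake: block-B may not
    c.vote("COMMIT", "alice", "block-A")
    pending = c.finalize(reward=8)         # 50/100 is below 2/3, so nothing is final
    c.vote("COMMIT", "bob", "block-A")
    return pending, c.finalize(reward=8)
```

Because every validator gets one vote per phase and the threshold is 2/3 of all deposited stake, two competing blocks can never both pass the same phase.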

Nothing to Stake

One of the problems with proof of work is the “nothing to stake” problem.  The idea is as follows: If I don’t have to compute any hard hash puzzles, why not bet on every block that comes my way? Since this incentive structure exists for everyone in a nothing to stake protocol, everyone decides to stake their hard earned crypto currency on every block.  Now we have no consensus, there are 50 different chains all growing at the same rate and all possibly legitimate because no one wants to take the lead and decide on one.  Also because of this lack of consensus, double spend attacks become much easier and more likely than they are on a proof of work protocol.

Ethereum’s casper protocol circumvents the nothing to stake protocol by locking the funds in the smart contract discussed above, only paying them out after a sufficient amount of time, and destroying the ether, or penalizing it, for various kinds of behaviour (including malicious behaviour).
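
A toy model of the deposit locking and “tattle-tale” reporting described here and in the Nothing to Stake section of the criticisms post.  This is an added example, not casper’s own code: it assumes the punished offence is voting for two different blocks at the same height (the bet-on-every-block behaviour above), uses HMAC as a stand-in for a validator signature, and picks a 100-block lock; all names are hypothetical.

```python
# Added example: toy slashing ledger. Hypothetical names; HMAC stands in for a
# real validator signature so the example needs only the standard library.
import hashlib
import hmac

LOCK_BLOCKS = 100  # assumed delay; the post only says "a certain number of blocks"

def sign(key, height, block_hash):
    msg = f"{height}:{block_hash}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class StakeLedger:
    def __init__(self):
        self.keys, self.stake, self.unlock_at = {}, {}, {}

    def deposit(self, validator, key, amount):
        self.keys[validator], self.stake[validator] = key, amount

    def request_withdrawal(self, validator, now):
        self.unlock_at[validator] = now + LOCK_BLOCKS

    def withdraw(self, validator, now):
        if now < self.unlock_at.get(validator, float("inf")):
            raise PermissionError("deposit is still locked")
        return self.stake.pop(validator, 0)

    def report(self, validator, vote_a, vote_b):
        """Each vote is (height, block_hash, signature). Returns the stake destroyed."""
        key = self.keys.get(validator)
        if key is None:
            return 0
        for height, block_hash, sig in (vote_a, vote_b):
            if not hmac.compare_digest(sig, sign(key, height, block_hash)):
                return 0  # unauthenticated evidence must never slash anyone
        if vote_a[0] == vote_b[0] and vote_a[1] != vote_b[1]:
            return self.stake.pop(validator, 0)  # burned: nothing left to withdraw
        return 0

def demo():
    ledger, key = StakeLedger(), b"constructed-validator-key"
    ledger.deposit("mallory", key, 300)
    a = (7, "0xaaa", sign(key, 7, "0xaaa"))  # constructed votes: same height,
    b = (7, "0xbbb", sign(key, 7, "0xbbb"))  # two different blocks
    forged = (7, "0xccc", "00" * 32)         # vote with an invalid signature
    ledger.request_withdrawal("mallory", now=10)
    framed = ledger.report("mallory", a, forged)  # rejected, stake untouched
    burned = ledger.report("mallory", a, b)       # valid evidence inside the lock
    return framed, burned, ledger.withdraw("mallory", now=110)
```

The lock is what gives reporters time to act: evidence that arrives after the deposit has been withdrawn finds nothing left to destroy.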



I think people are uneasy about proof of stake due to a misunderstanding of proof of work more so than anything else.  As I stated in my git perspective of the blockchain, the only reason miners exist is to act as the “maintainer” of the blockchain, and since we want this maintainer to change often, mining was used as a mechanism to distribute time as the maintainer evenly.  With proof of stake, the same thing is happening, it’s just the mechanism to choose maintainers is based on the amount of cryptocurrency a person holds, rather than their hash power.  The 51% attack we saw in the previous post now becomes a 51% currency attack, whereby you’d have to own 51% of the cryptocurrency you’re attacking.  This is a presumably much more difficult feat to accomplish than purchasing 51% of the hash power.  In the currency case, you’ve just purchased 51% of the currency, all the while raising its market price and only have 49% of the rest of the currency to defraud, at which point, news will probably have broken that someone purchased 51% of the currency on the market, and the currency is now socially worthless.  In the case of proof of work, you just secretly buy more computing power, or bribe, or even hack existing mining pools, and rather than defrauding 49% of the currency you’re able to defraud all of it.

As you can see, we aren’t creating money out of thin air, at least in the casper protocol, there is a very real chance of losing your money, and your money is also stuck in the smart contract, so it’s no different than a government bond gaining interest, or mining for that matter.

Until next time!

* If someone has any information let me know.  There is a reddit discussion here, but since it’s a year old, I hesitate to trust it given how much Ethereum proof of stake has changed.  This seems to suggest it’s proportionate to the ETH you deposit; Vlad also mentions it as a possibility here.  I looked briefly at the casper source code and didn’t see validator selection anywhere, but since I was brief, there’s a very good chance I wasn’t looking in the correct place.