Why is Ethereum switching from Proof of Work to Proof of Stake

After Ethereum’s release of the Metropolis hardfork, a fourth and final hardfork is planned called Serenity. Serenity changes Ethereum’s consensus mechanism from Proof of Work to Proof of Stake. Many people wonder why this is necessary when Bitcoin has operated on Proof of Work for nearly a decade without issue. Let’s discuss why the Ethereum community decided to make the switch.

Proof of Work (PoW) is the original blockchain consensus mechanism proposed by Satoshi Nakamoto in the Bitcoin whitepaper. About every 10 minutes Bitcoin miners verify the transactions made on the Bitcoin blockchain in something called a block.

In order for a block to be accepted by the rest of the miners it must have a number in it, called a nonce, that proves a certain amount of work was done to mine the block.

This Proof of Work, manifested in the nonce, makes double-spending, modifying, or otherwise attacking the blockchain very difficult.

Furthermore, the amount of work that must be performed by miners increases at a regular rate. Because of this continual increase in work there is a subsequent increase in cost to mining. This is because work costs electricity. For instance, a single Antminer T9 ASIC (high end Bitcoin miner) requires about $100 of electricity per month just to run.

Also, as the price of Bitcoin has gone up so has the cost of buying Bitcoin miners. Again, the Antminer T9 ASIC currently retails at about $1300. The increasing cost of mining Bitcoin is supposed to decentralize the system and make it very difficulty (i.e. expensive) to carry out a 51% attack.

A 51% attack is when an entity or entities control 51% of the mining power to maliciously hijack the blockchain and create a new, longest chain. As there are currently tens of thousands to hundreds of thousands of ASICs mining Bitcoin it would be very costly for one entity to produce tens to hundreds of thousands of ASICs in an attempt to 51% attack the blockchain.

While it would be very costly, it would not be impossible. In February of 2017 Vitalik Buterin estimated the cost would be approximately $250 million. Given the recent boom in cryptocurrency it is likely this number has doubled to $500 million.

Most governments, many large corporations, and numerous single individuals could conceivably supply this amount of capital to attack Bitcoin for whatever reason. A scary outcome of this situation is that once this malicious attacker has the hashing power to attack the system, they can continue to attack until the blockchain is forced to change its PoW mechanism (effectively nuking the blockchain and rendering all ASICs obsolete).

Bitcoin’s likely next move would be to revert back to general purpose hardware (CPUs or GPUs) to mine Bitcoin on a new PoW system. However, if an attacker has $500m to attack Bitcoin with ASICs, they likely have the capital to out hash the system again with malicious CPU or GPU miners. Vitalik Buterin refers to this as a “Spawn Camping Attack.”

If someone wishes to Spawn Camp Attack a PoW network there is a fixed cost to the attack which in Bitcoin's blockchain current state, is achievable by numerous well-funded entities.

Enter Proof of Stake

Buterin has pushed for Ethereum to switch consensus algorithms to PoS as he feels it is more secure that PoW precisely because of the Spawn Camping Attack scenario.

In the PoS system proposed by Buterin validators will have to offer Ether up as collateral (aka stake) to ensure honesty. Essentially, a validator gives their own Ether as a hostage to the Ethereum blockchain when they want to mine. The validators’ actions will be auditable and if a validator is found to have acted maliciously their hostage Ether will be ‘burned’ (aka their staked Ether will be taken from them).

In PoS, making miners risk their own Ether to mine ensures the cost of attacking far outweighs the risk, similar to PoW in Bitcoin.

Unlike PoW, the cost of a 51% attack does not decrease per attack but instead remains the same or increases. This effectively eliminates the risk of Spawn Camping Attacks.

Let’s explore this further. An attacker wants to 51% attack the Ethereum PoS system. They must buy a large amount of Ether to do this (which will drive up Ether’s price). They then effectively 51% attack the blockchain 1 time. The Ethereum community realizes they have been attacked and know the nodes that attacked them. The Ethereum community then hardforks out the attack and burns the attacker’s Ether.

If the attacker wants to attack another time they would have to again buy a large amount of Ether (which is now more expensive due to increasing demand and decreasing supply after the initial attack) only to have it burned again after their attack.

The end result is a 51% attack on an auditable PoS blockchain would cause a minor disruptions in the short term but would ultimately fail due to its ever increasing cost.

In short, Ethereum plans to hardfork to a PoS consensus mechanism to provide extra security from a 51% attack that a PoW blockchain is vulnerable to.

The majority of my information for this post came from this interview with Vitalik Buterin on Epicenter, a podcast about blockchain. This link will take you to the interview.

What follows is a transcription of the relevant interview from the aforementioned Epicenter podcast, all credit goes to Epicenter and Vitalik for the following:

Vitalik: My opinion is that PoS blockchains are more secure against, kind of like, very large experienced attackers. The argument I raise here is that with PoW, ok, there is some cost to producing more ASICs than the rest of the network combined and using those ASICs to pull off a 51% attack and that cost is somewhere around $200m. Now the problem is if you can do that then for a fairly small additional increment in cost you could do what I call a “Spawn Camping Attack” which is basically an attack where you 51% attack the blockchain and as soon as it starts recovering you 51% attack it again and then 51% attack it again and so forth. And the end result is that you basically destroy all trust in the system.

Now generally when you bring this up to Bitcoin Core Developers they say “Oh, well if that starts happening then we could just hardfork to a new type of PoW and we can basically make all those ASICs useless.” But the problem is then let’s say an attacker has $250m or enough resources to spawn camp Bitcoin once. Well, once you move away from ASICs and onto general purpose hardware then I could probably spend another $100m... it’s going to be less than $200m because everyone’s hardware accumulation is going to start from scratch...but let’s say $100m to 51% attack and spawn camp Bitcoin again. Now the problem is though that the second time around you can’t hardfork to a different PoW algorithm anymore because the second time around everyone is mining with general purpose hardware and so if you do more hard forks the Spawn Camping Attack is going to continue. So the conclusion of this is that, realistically, there actually is a finite cost that a well resourced attacker can pay to essentially kill off a PoW blockchain for good.

In my opinion this is actually quite unsettling. My opinion is, one of the really nice things about the Cypherpunk spirit in general is that it focuses on the idea of attack defense asymmetry and cryptography. So if you look at systems in the world in general right now the cost of attack is generally much lower than the cost of defense. Building a building costs $5m, building an IED to blow it up costs less than $50k. Most adversarial environments in the world operate this way, but with few exceptions. One of the major exceptions is cryptography. You know, one of the really nice things about cryptography is I personally can sign messages with a public key and I can do this at a very low cost, you know the signature costs very little electricity to produce but the cost of cracking the signature is so large that even a big national government can’t do it.

The cost of attacking a PoW blockchain is always going to be less than the cost of defending it, it can’t be more. And the reason is basically that if you want to 51% attack a blockchain then that means you have to spend more on hardware plus electricity than everyone else combined but wait that means that if you can spend more money attacking than the network has spent defending then you can win. And realistically you can spend less because a large portion of those costs...the electricity for example, has already been spent and you’re never going to see it again.

So the nice thing about PoS is that I think it does come close to replicating this Cypherpunk spirit because instead of having this Spawn Camping vulnerability, sure someone can 51% a PoS blockchain, ok, fine. Now one of the key properties we are trying to design into Casper is Auditable Byzantine Fault Tolerance, which actually does go a bit beyond BFT because auditable BFT doesn’t just say if the network broke that means >⅓ of the nodes were Byzantine. It actually means, if the network breaks, more than ⅓ of the nodes are Byzantine AND you know who to blame. Right? So you have cryptographic proof that you can use in order to show that “Oh, these validators are the one that are responsible for the 51% attack.”

And what you can do is, you can just coordinate a hardfork on the community level and just continue the chain and those [malicious] validators can get their deposit destroyed and you just keep going from there. So the cost to the attacker would be something like $100m of Ether but the cost to the network would be “oh hey, it’s just an unexpected hardfork.” It would maybe be 2-3x as bad as what happened back in November when we had that consensus failure which we got from Parity but it’s not that much worse. Right? Like , Ok, people know what happened and we need to continue. These validators will get slashed and life goes on. Sure these attackers can keep on attacking again and again but the attacker would have to buy another $10m Ether and keep on doing it each time, right. So the equation is really tilted in favor of the defenders here.

I even say one of the nice properties of this approach is that because this system would be able to, like, honey-badger recover from a 51% attack so well I would argue that a 51% attack would actually increase the underlying value of the cryptocurrency because people would realize “Oh wait, there was an attacker and suddenly a bunch of Ether got burned so the rest of it is going to be worth more.”

Because of that I think the process of even trying to buy enough Ether to pull the attack off would, ironically enough, increase the price. So what I conjecture is that people would realise this and not even worth to try doing that kind of attack vector at all. And people would focus their energies on relatively cheaper attack vectors like finding software bugs in operating systems that let them hack into people’s computers or whatever else people can do.