Vitalik: Why choose PoS?

Written by: Vitalik Buterin

Original link: 《 Why Proof of Stake (Nov 2020)》

Compiled by: Tyronepan-Bifrost Finance

On September 15, a day that will be recorded in the history of cryptocurrency, Ethereum transitioned from a POW to a POS mechanism, seemingly marking the end of an era.

To choose between POW or POS, is that a question?

On this special day, Deep Tide TechFlow takes everyone back to three classic articles, namely "The Beauty of Hash Power" by Wu Jihan, the original founder of Bitmain, "Why Proof of Stake?" by Ethereum founder Vitalik, and "The Great Debate of PoW and PoS: Who Truly Has Openness? Who Can Escape the Thermodynamic End?" by Jan, Chief Architect of Nervos.

Why Choose Proof of Stake (PoS)?

Compared to the PoW (Proof of Work) consensus mechanism, PoS is a superior blockchain security mechanism for three main reasons:

1. PoS is more secure at the same cost

The simplest way to compare is to place the two side by side and see how much it costs to attack a network for every $1 of block reward per day.

• GPU-based mining PoW

Renting GPUs is quite cheap, so the cost to attack the network is just renting enough GPUs to surpass the existing miners. For every $1 of block reward, existing miners should spend about $1 (if they spend more, miners will exit due to lack of profit; if they spend less, new miners can join and earn high profits). Therefore, attacking the network only requires temporarily spending over $1 a day, and it only takes a few hours.

Total attack cost: approximately $0.26 (assuming an attack time of 6 hours), which could potentially drop to zero as the attacker receives block rewards.

• ASIC-based mining PoW

ASIC chips represent a capital cost, and it can be expected that they will last about 2 years before being worn out or replaced by better hardware. If a chain suffers a 51% attack, the community is likely to respond by changing the PoW algorithm, thus rendering ASIC chips worthless. On average, mining incurs about 1/3 ongoing costs and 2/3 capital costs. Therefore, for every $1 of block reward, miners will spend about $0.33 on electricity and maintenance, plus about $0.67 on ASIC costs. Assuming an ASIC chip has a lifespan of about 2 years, miners need to spend $486.67 on that amount of ASIC hardware.

Total attack cost: $486.67 (ASIC) + $0.08 (electricity + maintenance) = $486.75

Not only does the attack cost increase in ASIC-based mining PoW, but providing such high-cost attack prevention also leads to greater centralization of the entire network, as the barrier for miners to join becomes higher.

• Proof of Stake (PoS)

In Proof of Stake, almost all costs are capital costs (the coins deposited), and the only operational cost is the cost of running nodes. Now, how much capital are people willing to lock up to earn a daily reward of $1? Unlike using ASICs, the deposited coins do not depreciate, and after the staking period, they can be retrieved after a short waiting period. Therefore, participants should be willing to pay a higher capital cost for the same amount of rewards.

Let's assume that a return rate of about 15% is sufficient to incentivize people to stake (this is the expected return rate for Ethereum 2.0). Then, a daily reward of $1 will attract a deposit return of 6.667 years, which is $2433. The hardware and electricity costs for a node are minimal, and a computer costing a thousand dollars can support staking hundreds of thousands of dollars, with about $100 a month in electricity and internet fees sufficient to meet such needs. But conservatively speaking, these ongoing costs account for about 10% of the total staking cost, so the daily reward is only about $0.9, ultimately corresponding to capital costs, so the above data needs to be reduced by about 10%.

Total attack cost: $0.9 per day * 6.667 years = $2189

In the long run, as the staking rate increases, this cost is expected to be even higher. I personally expect this number to eventually rise to around $10,000.

The only "cost" of maintaining this security system is that the assets in staking lack liquidity. It may even happen that the public knows these assets are locked up, which could lead to an increase in coin prices, so the total amount of funds ready to invest in the community remains unchanged! In PoW, the "cost" of maintaining consensus is the consumption of a large amount of electricity.

Is it more secure or lower cost?

There are two ways to achieve a 5-20 times security gain at low cost. One is to keep the block reward unchanged and benefit from increased security; the other is to significantly reduce the block reward (thus reducing the "waste" of the consensus mechanism) while maintaining the same level of security.

Both methods are viable. I personally lean towards the latter, as we will see below that even successful attacks in Proof of Stake are much less harmful than attacks in Proof of Work and are much easier to recover from!

2. Recovery from attacks is easier under PoS consensus.

In a PoW network, if your chain suffers a 51% attack, what can you do? So far, the only practical response has been to "wait for the attacker to voluntarily withdraw the attack." But this overlooks a more dangerous possibility of attack, known as the Pawn Camping Attack, where the attacker repeatedly attacks with the clear goal of paralyzing the entire chain.

In a GPU-based system, there are no defensive measures, and a persistent attacker can easily render the entire chain permanently paralyzed (or switch to PoS or PoA). In fact, after a few days of attacking, the attacker's costs may drop to very low levels because honest miners cannot receive block rewards on the attacked chain and thus exit.

In an ASIC-based system, the community can respond to the first attack, but then becomes helpless. First, the community will respond to the first attack by hard forking to change the PoW algorithm, thereby "locking" all ASICs (both the attackers' and honest miners'). But if the attacker is willing to bear this initial cost, the situation will revert to that of GPUs (because there is not enough time to build and distribute a new algorithm for ASICs), so the attacker can cheaply continue the Pawn Camping Attack, which is inevitable.

Of course, the situation is much better in PoS. For certain types of 51% attacks (especially rolling back finalized blocks), there is a built-in "slashing" mechanism in Proof of Stake, through which most of the attacker's stake (excluding others') will be automatically destroyed.

For other harder-to-detect attacks (51% coalition censoring everyone else), the community can coordinate on a user-activated soft fork (UASF), and the attacker's funds will again be mostly destroyed (in Ethereum, this is accomplished through the "Inactivity Leak Mechanism"). There is no need for explicit "hard fork currency elimination"; aside from requiring coordination to select a few blocks on the UASF, everything else is automatic and just needs to be executed according to protocol rules.

Thus, the first attack on the chain will cost the attacker millions of dollars, while the community will recover to normal within a few days. A second attack will still cost the attacker millions of dollars, as they will need to purchase new coins to replace the destroyed old coins, and a third attack will incur even higher costs. This game is asymmetric and heavily disadvantages the attacker.

3. PoS is more decentralized compared to ASIC.

GPU-based mining PoW is reasonably decentralized; obtaining a GPU is not difficult. However, GPU-based mining essentially fails to meet the "security" standards mentioned above. ASIC-based mining, on the other hand, requires millions of dollars in capital to enter (if you buy ASICs from others, most of the time, the profits go more to the mining machine manufacturers).

This is also the correct answer to the common argument that "Proof of Stake means the rich get richer." ASIC mining also means the rich get richer, and this game is limited to the wealthy. At least in PoS, the minimum amount required for staking is relatively low, making it affordable for many ordinary people.

Additionally, PoS is more resistant to censorship. Both GPU and ASIC mining are very easy to detect: they require a large amount of electricity consumption, expensive hardware procurement, and large warehouses. PoS, however, can be done on an inconspicuous laptop, and even through a VPN.

Advantages of PoW

I believe PoW has two real advantages, although I think these advantages are quite weak.

1. PoS is more like a "closed system," and wealth concentration takes a long time.

In PoS, if you have some coins, you can stake them to earn more rewards. In PoW, you can continuously earn more rewards, but you need more external resources. Therefore, we can say that in the long run, the distribution of coins in PoS 中币 may become increasingly concentrated.

The general rewards in PoS (validator income) are quite low; in Ethereum 2.0, we expect the annual validator rewards to be about 0.5-2% of the total supply of ETH, and the more validators there are, the lower the interest. Therefore, centralization may take over a century to double, and on such a timescale, other pressures (people wanting to spend money, allocate money to charities or between children, etc.) are likely to dominate.

2. PoS requires "weak subjectivity," while PoW does not

Regarding the concept of "weak subjectivity" (see Vitalik's original introduction), essentially, when a node first comes online, or any node comes online after being offline for a long time (i.e., several months), that node must find some third-party source to determine the correct chain head. This could be their friends, exchanges, block search websites, client developers, etc. But PoW does not have this requirement.

It can be said that this requirement is easy to fulfill; users need to trust to some extent the content provided by client developers or the community. At the very least, users need to believe that someone (usually the client developers) will tell them what the protocol is and any updates to the protocol. This is inevitable in any software application. Therefore, the marginal additional trust requirement brought by PoS is still quite low.

Even if there may indeed be some risks involved, I still believe that PoS networks have far greater efficiency and recovery capabilities than PoW networks.