Nothing At Stake: compromises with conscience

Very briefly about yourself.


Once upon a time, Habr wrote about me in this article; however, the part of the audience interested in blockchain technology is almost certainly familiar with my work through the Monero project, whose original code base (CryptoNote) was developed mainly by my efforts (my surname in the source confirms this, in particular). The last 7 years have for me been associated exclusively with development in this area, and there are thoughts I would like to share.

Want to know why PoW projects will die out?


There will probably be a skeptical sigh now, and someone will roll their eyes. Nothing can be done about it: everyone writes that a provocative headline will make you read at least the beginning of the article (interestingly, did it work?).

In a recent conversation with the editor of a major Russian crypto-media outlet, I found out that criticism of PoW is perceived by many, almost subconsciously, as heresy. And when it came to practical difficulties, for example that a small, young blockchain project with pure PoW has rather weak chances of resisting a 51% attack, I heard that PoW is (attention) only for large projects!
Endless discussions (and, as you know, the Internet is a place of rational and thoughtful comments) on the topic of “PoW vs PoS” have led to a polarization of the cryptocurrency community that is almost religious in nature.
In this article, I will explain why Nothing at Stake is considered the Achilles heel of PoS, and then I will show why this is not so.

The advent of PoS


The history of PoS goes back to 2011, when ideas for a consensus based on the vote of “holders” (rather than miners) began to appear on the good old bitcointalk, fueled by what was already then seen as the useless burning of electricity in PoW mining.
The first implementation was PeerCoin [9], which, as it turned out later, also had a number of disadvantages typical of PoS. But the Rubicon had been crossed, and a gradual understanding of the new paradigm began.
Today there are a huge number of projects that in one way or another use one of the varieties of the PoS model (DPoS, LPoS, PoI, PoA, etc.). Although all these algorithms have their own names, from the author’s point of view they are mainly variations on the theme of PoS. At the end of the article we will look very briefly at a few examples that are interesting precisely in the context of the problem raised.

Nothing at stake problem in PoS systems


Almost every PoS model is criticized for being vulnerable to the so-called “Nothing at stake” problem. The idea of this attack is connected with the phenomenon known as the “Tragedy of the commons” [1]. In general terms, a tragedy of the commons describes a class of situations in which the interests of individuals conflict with the common good; the simplest example is a shared pasture, whose irrational use by the majority leads to the depletion of the resource as a whole. In the same way, one can consider an arbitrary blockchain project in which the possibility of mining and receiving rewards is the benefit available to the general public.
Unlike PoW, where mining is a computationally expensive process and can be carried out at any one moment only on one chain, in PoS mining no (significant) additional cost or effort is required to vote in an alternative chain; in other words, by also mining a second chain, a PoS miner loses nothing (hence Nothing at stake). Obviously, the project’s software will not facilitate a 51% attack by default by mining every available chain, but game theory (and this is not about Dota, but about what John Nash wrote about) suggests that if individual interests dictate a different strategy, the theoretical PoS miner will modify the code accordingly and follow that strategy.
For example, consider a hypothetical PoS blockchain project with 18 million coins already issued, where all coins are distributed among 1,800,000 holders in equal parts (10 coins per holder). Some of the holders (maybe all) participate in PoS mining, so each time a block is created, one of the 1,800,000 owners creates it.
Suppose someone decides to initiate a 51% attack and to bribe miners into taking part in mining a malicious chain (for example, a chain that carries out a double spend in the interests of the attacker), motivating them with an increased reward (the bribe) for whoever finds a block.
Clarification *: It is important to emphasize here that for an attacker, the most economically advantageous bribing strategy is to assign an additional block reward in his alternative chain; he then does not need to bribe each miner individually, and the cost of the attack is reduced to the sum of the block rewards in his alternative chain (6 blocks, for example).
It is believed that the attack will be successful if the attacker manages to motivate 51% of the PoS miners to participate, and since PoS miners can mine any number of chains without computational cost, it is believed that they are easy (cheap) to motivate to participate in the attack.

Case Study


It is impossible to consider the game theory of Nothing at stake without taking into account that the PoS miner is a holder and, from the point of view of personal interest, is also interested in maintaining or increasing the price of the coin. The price of a coin depends on a huge number of factors, but a direct condition for liquidity is the actual ability of the network to perform its direct function, namely to make payments securely (here we are talking about actual blockchain projects, not tokens), and if the network is compromised by a double spend through a 51% attack, the consequences can be fatal, from serious collapses of the exchange rate to delisting from exchanges, which are the primary victims of such attacks.
Thus, if the network switches to a malicious chain, the bribed PoS miner risks only the equivalent value of his coins. As in the tragedy of the commons, the average PoS miner is motivated by personal gain more than by concern for network security. If his own profit (in the case when he wins a block in the malicious alternative chain) is greater than his potential loss (i.e. more than 10 coins), then the miner will still have the motivation to join the attack.

Now let's look at practical circumstances and, most importantly, compare them with classic PoW systems. Let me remind you that the example above describes an unrealistic currency with a completely uniform distribution, which does not occur in real life.
Several times I have heard the interesting opinion that any cryptocurrency, being a typical financial system, has the same distribution model as the global distribution of wealth [2] (see the figure below), and supposedly the behavior of cryptocurrency markets confirms this.

[Figure: the global distribution of wealth, from [2]]


In order to roughly evaluate the nature of coin distribution, let us take as an example the largest project with the most developed ecosystem and the largest number of holders, Bitcoin. Fortunately, its privacy model allows this to be done without much difficulty. The table below is taken from [3] and reflects the current distribution of coins among the addresses present in the blockchain.

[Table 1: distribution of Bitcoin coins by address balance, from [3]]


*: (footnote text lost in extraction; it concerned Bitcoin and cited [4].)
**: (footnote text lost in extraction; it concerned PoS.)

In order to remain impartial, we will not use the word Bitcoin in the analysis of 51% attacks that follows. That would be wrong for a number of objective reasons: Bitcoin is a unique project, and it exists in a slightly different technological reality (it is almost impossible to find additional hashrate against such a large player, it is difficult to bribe ASIC miners due to the specifics of their equipment, etc.). We will analyze the impersonal technological aspect further.
Now let's return to table 1 and assume that we have two separate but identical projects with exactly the same broad distribution of coins, a PoS project and a PoW project, which we will try to attack.

PoS


As we found out above, in order to motivate PoS miners with a bribe, it must be at least equivalent to the value of the coins the miner holds. If we set the size of the bribe to, for example, 0.01 coin, we cover only the owners of the wallets in the first and second rows (0.15% of all coins); for the rest the motivation will be insufficient. If we increase it to 1 coin, we already cover 4 rows, and that is 4.57%, still hopelessly small. In order to get to 51%, we have to reach the row with balances of 100 to 1000 coins. A bribe of 100 coins covers only 38.44% of the coins, and one of 1000 coins covers as much as 58.29%, so, estimating by eye, a bribe of 750 coins can convince 51% of miners to take part in the attack.

PoW


Let's say that the block reward at the moment is 12.5 coins; then, roughly speaking, mining 6 blocks (the default number of confirmations) should cost no more than 75 coins (the equivalent value of these coins in terms of the cost of hashrate). This is very important: in effect, the cost of a 51% attack is 75 coins (76, if that matters to someone). This was not a problem before, in the days when miners themselves set up their rigs to mine a specific project, because they liked it or because their equipment worked most efficiently with its hash. There was nowhere to obtain spare capacity able to overtake the main chain. Now equipment is freely available for rent on open marketplaces (services like www.nicehash.com, something like Uber for the mining world), and this makes a 51% attack on a PoW project at least 10 times cheaper than an attack on a similar project with PoS. It boggles the mind!
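The bribe-coverage estimate of the PoS section and the rented-hashrate cost of the PoW section, as an added worked example (not code from the article). The balance buckets are constructed: their per-bucket shares are invented but chosen so that the cumulative shares at 0.01, 1, 100 and 1000 coins match the figures quoted in the text; the uniform spread of balances inside a bucket is an assumption of this illustration.

```python
# Added example: bribe coverage over a constructed balance distribution
# versus the rented-hashrate cost of a 6-block PoW attack.

# Constructed buckets (lower bound, upper bound, % of all coins held).
# Invented shares, tuned so cumulative coverage at 0.01 / 1 / 100 / 1000
# coins equals the article's 0.15% / 4.57% / 38.44% / 58.29%.
BUCKETS = [
    (0.0, 0.001, 0.05),
    (0.001, 0.01, 0.10),
    (0.01, 0.1, 1.50),
    (0.1, 1.0, 2.92),
    (1.0, 10.0, 10.00),
    (10.0, 100.0, 23.87),
    (100.0, 1000.0, 19.85),
    (1000.0, 10000.0, 25.00),
    (10000.0, 100000.0, 14.00),
    (100000.0, 1000000.0, 2.71),
]


def accepts_bribe(holdings: float, bribe: float) -> bool:
    """Decision rule from the text: a holder risks only the value of his own
    coins, so a bribe at least equal to his balance makes joining rational."""
    return bribe >= holdings


def bribe_coverage(buckets, bribe: float) -> float:
    """Percent of all coins held by holders for whom accepts_bribe() is true.
    Assumption: balances are spread uniformly inside a bucket, so a bribe
    landing inside a bucket covers a proportional part of its share."""
    covered = 0.0
    for lo, hi, share in buckets:
        if hi <= bribe:
            covered += share
        elif lo < bribe < hi:
            covered += share * (bribe - lo) / (hi - lo)
    return covered


def min_bribe_for_share(buckets, target_pct: float):
    """Smallest bribe whose coverage reaches target_pct under the same
    uniform-within-bucket assumption; None if the target is unreachable."""
    cum = 0.0
    for lo, hi, share in buckets:
        if cum + share >= target_pct:
            return lo + (hi - lo) * (target_pct - cum) / share
        cum += share
    return None


def pow_attack_cost(block_reward: float, confirmations: int) -> float:
    """Text's rule of thumb: renting enough hashrate to out-mine the
    confirmation window costs about the rewards of those blocks."""
    return block_reward * confirmations


def attack_cost_ratio(pos_bribe: float, block_reward=12.5, confirmations=6):
    """How many times dearer the PoS bribery attack is than renting hashrate
    against an identically distributed PoW coin."""
    return pos_bribe / pow_attack_cost(block_reward, confirmations)
```

Under the uniform-within-bucket assumption the article's by-eye figure of 750 coins covers about 52.8% of the coins, and the minimum bribe reaching 51% is about 669 coins; either way the ratio to the 75-coin PoW attack is roughly 10.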

But we are not done yet; there are a few more points:
1. In real PoS projects, as a rule, only a part of the issued coins participates in mining, and characteristically PoS mining is unprofitable for minority holders because of the low probability of finding a block relative to electricity costs, so in reality most of the PoS power is created by medium and relatively large holders, which makes the attack even more difficult than described above. In addition, we took the coin distribution of the largest and most widely held project; for a typical project in the top hundred by coinmarketcap, the distribution will further complicate a bribery attack, not to mention the fledgling blockchain start-up you may be planning to launch this weekend.
2. ASIC. Opinions in the PoW camp are split: most consider ASICs evil and invent hashes that should work most efficiently on mass-market equipment (ProgPoW, RandomX). Their opponents do not bother and use fast cryptographically strong hashes (sha256, sha3, blake), claiming that ASICs, although a form of centralization, are in fact protection against 51% attacks. Against the background of the above considerations, the latter position looks even more viable, but only until the moment when ASIC devices gain the ability to mine not one but several related hashes. But wait, they have already acquired this ability (for example, Giant + A2000). One more important nuance must be taken into account: from the moment a project is launched until the first ASIC for it appears on the market, quite a lot of time can pass, and all this time the project will be very vulnerable.
3. A Nothing at Stake attack is a purely theoretical attack with many assumptions. For example, a prerequisite is the assumption that the attacker has a direct channel of communication with all the holders he intends to bribe in order to organize the attack. Firstly, this is not very realistic. Secondly, it can hardly be kept secret from the exchanges themselves, which will be able to take measures to protect themselves (for example, temporarily suspend deposits or increase the number of confirmations to an extreme amount). When we talk about a 51% attack against PoW, this is a very straightforward practical scenario which, incidentally, has been carried out more than once, recently for example on Ethereum Classic [11] [12].

How to Strengthen Consensus


As mentioned above, the Nothing at stake problem is purely theoretical, and no actually carried out attack based on this vulnerability has been confirmed; however, if after reading the above it seems that the problem is completely irrelevant, that is not so. The problem exists, albeit at a different level than with PoW, and considerable efforts are being made to solve it. Among the existing solutions, I have identified two main directions, which I will describe very briefly.

Byzantine Fault Tolerance Solutions


BFT algorithms have been studied for about 30 years, and there is a good scientific basis proving the reliability of algorithms of this family, including pBFT (reliability is guaranteed if the number of dishonest consensus participants does not exceed one third). Several projects use this approach to implement or strengthen consensus, and most of them claim that in this way they obtain a property called “finality”. It is understood as the impossibility of rebuilding the chain (and therefore canceling a transaction) after a certain number of confirmations. Let me remind you that in the classic Nakamoto consensus, switching to another sub-chain can occur at any depth (though obviously not deeper than a checkpoint), and therefore even after multiple confirmations there is no 100% guarantee that the transaction will not be canceled.

Consider the essence of this approach using the example of the Casper technology being developed by the Ethereum team [5].
Clarification ***: In fact, there are two PoS models in Ethereum, one authored by Vlad Zamfir, “A Template for Correct-by-construction consensus protocols”, and the other authored by Vitalik Buterin and Virgil Griffith, “Casper the Friendly Finality Gadget”. In this article we will consider the latter, because it will most likely be the one used in Ethereum.
Casper is positioned as an improvement to the consensus model, potentially applicable to any PoW system, and is architecturally an add-on to PoW. The basic idea is that once every 100 blocks, a group of PoS validators dynamically generates checkpoints. In order to become a validator, you need to create a special deposit associated with the validator's address, and later this deposit can be used to stimulate honest behavior of the validator (more on this below). The algorithm is safe as long as ⅔ of the validators behave honestly, where ⅔ is measured precisely by the amount of money on deposit.
To encourage honest behavior, a mechanism called “Slasher” is used: if it is noticed that a validator voted in an alternative chain (alternative to the one considered at the same height), whoever noticed it may attach evidence of that vote to his chain, after which the deposit of the dishonest validator is destroyed, and a corresponding motivating commission is paid to the one who found the “violation”. In addition, it is assumed that if a user is registered as a PoS validator by making an appropriate deposit but does not actually participate in validation, his deposit is gradually reduced.
Thus, from the point of view of the Casper protocol, after two checkpoints the blocks have the “finality” property, i.e. if ⅔ of validators have twice confirmed checkpoints in the chain, then the blocks under those checkpoints cannot be canceled.
The dubious part of such a model, from the author’s point of view, is that the set of PoS validators is limited to a finite number. Obviously, that number will be a compromise between the size of the evidence (i.e. the number of signatures: the more validators, the larger the total evidence of voting) and the degree of decentralization: the fewer validators, the greater the centralization. It all depends on what parameters are ultimately chosen in a particular implementation, but in general the model can turn out to be much more centralized than the general trend discussed in the first part.
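The deposit, ⅔-by-stake and Slasher mechanics just described, as an added toy model (not Ethereum's or Casper's code). The validator names, deposits, the 4% reporter share and the simplified finality condition (a checkpoint is final once it and the next checkpoint are both backed by ⅔ of stake) are assumptions of this illustration; real Casper FFG justifies links between checkpoints and does not retroactively discount a slashed validator's earlier votes.

```python
# Added example: stake-weighted checkpoint votes with double-vote slashing.
from collections import defaultdict


class CheckpointTally:
    def __init__(self, deposits: dict, reporter_share: float = 0.04):
        self.deposits = dict(deposits)        # validator -> bonded stake
        self.votes = {}                        # (validator, height) -> checkpoint
        self.slashed = set()
        self.reporter_share = reporter_share   # part of a burned deposit paid out

    def vote(self, validator, height, checkpoint, reporter=None):
        """Record a checkpoint vote. A second, different vote at the same
        height is exactly the evidence the text's "Slasher" acts on: the
        deposit is destroyed and the reporter gets a commission."""
        key = (validator, height)
        prev = self.votes.get(key)
        if prev is not None and prev != checkpoint:
            self._slash(validator, reporter)
            return False
        self.votes[key] = checkpoint
        return True

    def _slash(self, validator, reporter):
        burned = self.deposits.get(validator, 0.0)
        self.deposits[validator] = 0.0
        self.slashed.add(validator)
        if reporter is not None and reporter in self.deposits:
            self.deposits[reporter] += burned * self.reporter_share

    def total_stake(self):
        return sum(self.deposits.values())

    def justified(self, height):
        """Checkpoint at this height backed by >= 2/3 of bonded stake, or
        None. Simplification: a slashed validator's votes stop counting."""
        weight = defaultdict(float)
        for (v, h), cp in self.votes.items():
            if h == height and v not in self.slashed:
                weight[cp] += self.deposits[v]
        for cp, w in weight.items():
            if 3 * w >= 2 * self.total_stake():
                return cp
        return None

    def finalized(self, height):
        """Simplified two-checkpoint rule from the text: the checkpoint at
        `height` is final once it and the next one are both justified."""
        return (self.justified(height) is not None
                and self.justified(height + 1) is not None)
```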


There are also a number of projects in which consensus robustness is achieved by hybridizing PoW and PoS. Most often, the Decred project is associated with the PoW/PoS hybrid [6]. It uses a system of tickets that are bought for a certain number of coins; after some time these tickets get the right to vote for a block, and the probability of a ticket confirming a block increases with time (the greater the age, the greater the chances), so in a sense this is also a deposit system. The argument of Jake Yocom-Piatt is given in [7], which states that on the Decred network the cost of a 51% attack for an attacker with a small amount of PoS will be 20 times higher than for Bitcoin. However, the calculation for some reason uses the purchase price of the equipment, despite the fact that in such models it is customary to calculate the cost of renting hashrate for the duration of the attack.
Another interesting example of a PoW/PoS hybrid is Zano [8], a project based on privacy technology (now I will say in great secret that this is our project; I know, unexpected). First of all, according to the Nothing at stake theory, the attacker must be able to communicate with the holders in order to convince them to take part in the attack. In the case of a privacy project, whose blockchain contains no information at all about addresses or wallet balances, this will be even more difficult. In addition, to protect itself from the Long Range attack as well as from the Nothing at stake problem, Zano uses a special fork choice rule, which does not analyze the total difficulty of the entire chain (from genesis), but always compares only the two subchains relative to the branch point and prefers the branch that minimally changes the ratio of PoW difficulty to PoS difficulty, while maintaining or increasing cumulative difficulty. Thus, in order to carry out a 51% attack, even if the attacker managed to bribe some number of PoS miners, he would also have to invest a substantial amount of money to provide the PoW part of the attack, which is ultimately much more expensive than an attack on classic PoW or PoS separately.
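The fork choice rule described for Zano, as an added simplified model (not Zano's code). It assumes the rule compares the PoW share of cumulative difficulty before and after each subchain (used instead of the raw PoW/PoS ratio so a PoW-free branch still gives a finite number); the block difficulties are constructed sample values.

```python
# Added example: choose between two subchains from one branch point by
# (a) never lowering cumulative difficulty and (b) preferring the branch
# that least disturbs the PoW/PoS balance of the chain.
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    kind: str          # "pow" or "pos"
    difficulty: float


def subchain_work(blocks):
    """Return (pow_difficulty, pos_difficulty) summed over a subchain."""
    pow_sum = sum(b.difficulty for b in blocks if b.kind == "pow")
    pos_sum = sum(b.difficulty for b in blocks if b.kind == "pos")
    return pow_sum, pos_sum


def pow_share(pow_sum, pos_sum):
    """PoW fraction of total difficulty (modeling choice: bounded in [0, 1],
    unlike the raw ratio, so PoS-only branches are still comparable)."""
    total = pow_sum + pos_sum
    return pow_sum / total if total else 0.0


def choose_branch(base_pow, base_pos, current, alternative):
    """base_*: difficulty accumulated on the main chain up to the branch
    point. Returns "current" or "alternative"."""
    ref = pow_share(base_pow, base_pos)
    scores = {}
    for name, blocks in (("current", current), ("alternative", alternative)):
        pw, ps = subchain_work(blocks)
        cumulative = base_pow + base_pos + pw + ps
        deviation = abs(pow_share(base_pow + pw, base_pos + ps) - ref)
        scores[name] = (cumulative, deviation)
    cur_cum, cur_dev = scores["current"]
    alt_cum, alt_dev = scores["alternative"]
    if alt_cum < cur_cum:
        return "current"           # reorg must keep or raise cumulative difficulty
    if alt_dev < cur_dev or (alt_dev == cur_dev and alt_cum > cur_cum):
        return "alternative"
    return "current"


# Constructed scenario: the honest branch keeps the chain's 1:1 PoW/PoS balance.
HONEST = [Block("pow", 50), Block("pos", 50), Block("pow", 50), Block("pos", 50)]
# An attacker who only bribed PoS miners: heavier in total, but PoS-only.
POS_ONLY_ATTACK = [Block("pos", 125), Block("pos", 125)]
# The same attacker after also paying for PoW hashrate to keep the balance.
POW_POS_ATTACK = [Block("pow", 130), Block("pos", 130)]
```

A plain heaviest-chain rule would adopt POS_ONLY_ATTACK (2250 vs 2200 cumulative); the modeled rule rejects it and only accepts the branch that also carries the PoW work.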

Summary



Despite the potential conflict with the ideas of decentralization, current pBFT-based solutions that provide “finality” look more secure against a wide range of attacks, including Long Range attacks and Nothing at stake, and also provide the opportunity to implement robust, pure PoS systems in the future. But the question of where the right balance between centralization and reliability lies remains open, which gives hybrid solutions good chances.

You can refine the circumstances of the examples given and dive into subtleties like “how much will the price fall during the attack, how much will the intention of a large number of holders aware of the attack to sell immediately affect liquidity, will all the holders have such a desire”, etc., but the main idea of this article is that, because the PoS miner's “mining resource” is not alienable from the network, the degree of natural loyalty of PoS miners to the network is higher than that of PoW miners, and I am deeply convinced that this circumstance determines the horizon of the industry's development.
Don't agree? Write your point of view in the comments!

Sources:
  1. en.wikipedia.org/wiki/Tragedy_of_the_commons
  2. en.wikipedia.org/wiki/Distribution_of_wealth
  3. bitinfocharts.com/top-100-richest-bitcoin-addresses.html
  4. en.bitcoin.it/wiki/Deterministic_wallet
  5. arxiv.org/pdf/1710.09437.pdf
  6. docs.decred.org
  7. medium.com/decred/decreds-hybrid-protocol-a-superior-deterrent-to-majority-attacks-9421bf486292
  8. zano.org/downloads/zano_wp.pdf
  9. www.peercoin.net
  10. medium.com/@slowmist/the-analysis-of-etc-51-attack-from-slowmist-team-728596d76ead
  11. bravenewcoin.com/insights/more-51-blockchain-attacks-expected

Source: https://habr.com/ru/post/undefined/