Proof of Stake’s security model is being dramatically misunderstood

Proof of Stake’s security model is being dramatically misunderstood.

The biggest obstacle to understanding its security model is applying existing security frameworks to it. More specifically, the only security model we’ve come close to understanding is Proof of Work (PoW) so we take its security characteristics and transfer them over to Proof of Stake (PoS) to try and compare. This article will go into how these security models are different, why PoW attacks are ineffective in PoS systems, and what some of the real risks to PoS look like.

PoW and PoS have drastically different attack costs

In Proof of Work you think largely about hardware costs, electricity, and operational expenses so it can be straightforward to calculate exactly how much you’ve spent, what % of network hashpower you have, and how much money you are making from it. If you want more hash, you just buy more machines and do it all over again.

Applying the PoW framework to PoS, where your token holdings determine your say in consensus, leads people to calculate how much it would cost to acquire 33%+ of the network’s staked tokens. This is the math for PBFT networks like Cosmos, but we can generalize to all PoS for the purposes of this article. So if the average PoS protocol has 70%+ of it’s tokens staked, you’d need to acquire ~25% of the protocol’s total outstanding tokens to launch an attack. Although every PoS is different, 33% is generally only enough to halt the chain so it can’t come to consensus and produce new blocks, not to actually perform a double spend. For that you’d need a whopping 66%.

Assuming PoW attack vectors are rational in PoS prevents us from seeing the real risks and attack vectors.

In practice, no one will go out and start buying up tokens to attack PoS networks. It doesn’t make any sense. Putting aside that it is incredibly expensive, even for “small” networks, it is also just operationally difficult to find that many willing token holders that are willing to part with their stakes as you start driving the market price up.

Well what about lending? Could you borrow that many tokens? You could try, but it’ll be quite hard, as PoS networks (e.g., Cosmos and Tezos) tend to have 70%+ of their tokens staked so you’d be borrowing from whatever was left over. A lending provider might be giving a higher APY than the participatory rewards rate, but it would take a significant amount of time to get enough people to switch over (including unbonding time). In addition, the lending provider is probably not the attacker, simply the conduit for an attacker, and would be extremely wary of being used in such a manner as it would destroy their reputation.

But let’s say that you do acquire 33%, what now? The big problem is that now you have to somehow profit from it. There’s generally two ways to profit — double spending and profiting from the token price’s decline. Both are very challenging to execute.

Can you profit from double spending?

Double spending is basically impossible to make worthwhile because the max reasonable size of the payment generally scales with the network’s marketcap. Take Cosmos, for example, with a marketcap of $500m, 71.3% of which is staked. You would need $236m staked and validating to attack the network. If caught, you would be slashed for $12m (5% of your stake) so you would only try to double spend payments in excess of $12m. Probably far in excess of that minimum since your coins might be forked out through social consensus, your reputation would be ruined, and the price of Atoms would fall, taking the value of your stake and stolen tokens down with it.

So let’s say you’d conservatively only double spend payments in excess of $25m. To put that into perspective:

• That’s 5% of the network’s value, which is equivalent to a $9.3bn transaction on Bitcoin
• That is more than 17% of the outstanding, unstaked tokens

But even if we assume that you have successfully found someone to do a $25m trade with you on Cosmos, there is still one last line of defense: trust. You’re probably not going to go around doing $25m deals with random CT cat avatars. You will know the party you’re doing business with. They will have real world identities, companies, business partners, and reputations, as will you. The blockchain makes double spending theft quickly discoverable, provable, and trackable by anyone.

Can you profit from a price decline?

This argument generally states that at some future point there will be enough liquidity and counterparties to make it possible to profit from shorting the token or collecting some insurance payout. This is unlikely to happen.

Before we even get into liquidity or counterparty analysis, let’s be clear — every real-world contract/relationship you get into will likely have a clause letting them not pay you if you maliciously attack the network which causes a price decline. It’s in the same vein for why you can’t take out life insurance on other people (potentially profit from murder). A counter argument here might be “but wait, attacking the chain is still following the rules of the chain — there’s nothing illegal about it!” And you’d be right. Except that legality isn’t the only consideration put into contracts — it’s not even the main one. Most contracts spend about 10% of the time focused on legal/illegal distinctions and 90% stating how specific situations will play out (e.g., someone made a mistake, required methods of communication, etc.). DeFi is of course another choice to circumvent that, but it is practically guaranteed to have less liquidity than traditional markets for probably the next 25 years, so we can come back to this point then.

The other bit is that building a big position is really hard. The pool of counterparties you’d be able to do that with is extremely limited and they all know one another. If someone starts going around opening huge shorts, word will spread and no one will take the other side of that deal with you. Amateur crypto traders seem to think there’ll always be a willing counterparty if you pay a high enough fee, but financial institutions aren’t risk-taking “traders” — they’re risk managers. Tarun Chitra of Gauntlet covers this well on the Zero Knowledge Podcast (St. Petersburg Paradox).

The last bit to consider is that we don’t even have evidence that chain double spends or halts will have immediate or lasting price impact. After Ethereum Classic had doublespends totaling $1.1m in early January its price dipped before rising back up in the following months. Regular users and traders don’t even care about the attacks because they’re never the ones hurt — it’s almost always exchanges. A particularly malicious attacker could purge all other transactions from the blocks and cause havoc, which might more negatively impact price, but why would they? They want the price to remain high for when they offload it! And besides, truth and history are subjective, so people don’t really care about recent rewrites as they weren’t the ones who got rewritten.

Stellar actually unexpectedly went down completely for 2 hours in mid-May which had no impact on its price in the following two months. This isn’t to say network halts aren’t bad, just that we’re nowhere near having a mature enough market to price in such events quickly and accurately.

The real dangers are much more permanent

Hacking and theft is one of the main real dangers to PoS, especially from aggressive nation states. This is a problem for all cryptocurrencies, but isn’t as dangerous for PoW chains. Stolen PoS tokens can keep growing in perpetuity, increasing one’s ownership of the network over time (since not everyone will stake). This is different from PoW chains like Bitcoin in that if you steal BTC, it will appreciate, but you won’t get more BTC out of it. The other bit is that once stolen, PoS tokens can be kept forever and won’t lose their use. You don’t even have to let the hacked party know they’ve been hacked until you’ve accumulated enough for an attack (e.g., zero-day vulnerability against a popular crypto library).

This is different from PoW because if you steal some ASICs, they will work for a while, but they will break down after some time. You would have to constantly reinvest in infrastructure if you wish to keep your hash rate. The good news is that while token theft is a problem, it’s actually getting harder to execute as custodian security practices are improving and protocols sequester participation from storage, allowing active consensus participation from funds in cold wallets.

Slashing sabotage resulting from compromised node infrastructure is also dangerous as a coordinated attack can knock a large amount of stake offline simultaneously. This of course increases the attackers relative share of the outstanding tokens, but also opens up the network to other attacks like halting or double spends. We haven’t seen this attack in the wild yet, but seeing as how most validators don’t have security expertise, it is only a matter of time until such an attack occurs.

Taxation is another hypothetical danger. What happens when governments decide to accept taxes in PoS tokens and begin staking for themselves instead of converting to fiat? They can fund the OpEx costs in perpetuity with our tax dollars and reinvest all the taxed crypto proceeds and inflationary rewards into additional stake. They would slowly take over the entire network at that rate.

Network centralization is widely recognized as one of the biggest problems with PoS networks, but it actually exists on a spectrum. The spectrum is derived from additional protocol components, primarily governance, that change the expected value from amassing a large number of tokens.

When you look at chains without on-chain governance, there really is no additional value to owning a large portion of the network’s tokens. If anything, it’s bad to do so because all your eggs are tied up in that basket. People with good risk management will realize that and begin diversifying over time. This is similarly true with things like Bitcoin. After a while, you begin prioritizing getting a better sharpe ratio on your returns, whether that’s through VC or real estate, or something else.

The risk of centralization increases with on-chain, token-weighed governance because it risks becoming a plutocracy. Token holders actually have a way to influence the protocol to their benefit so the risk adjusted nature of those returns actually changes drastically. We like to think that on-chain governance votes will be largely about technical protocol improvements, but it is becoming more clear by the day that this will not be true long term. Blockchains by their nature have many different stakeholders engaged in healthy tension and a mechanism by which they can extend their will to their benefit will be used so. This doesn’t mean all on-chain governance is bad and doomed, just that we must stand on guard when deploying it. Protocols that had a limited initial token distribution are especially susceptible.

A good example is having 70% of voting shares or 70% of non-voting shares in a company. If you have non-voting shares it doesn’t matter how much equity you have because you have no say in what the company does. You’re overexposed. Compare that to having the voting shares — you’re in charge and can maximize your returns by any legal means necessary.

PoS isn’t perfect and that’s okay

PoW and PoS both have their problems, but they’re pretty distinct and we should recognize that. It’s on us to defend them and understanding the attack vectors is the first step in doing so. If you want to read more on how the PoS security model actually works, check out this amazing resource from Vitalik and the Ethereum team. For some more details on PoW attacks, check out this great Bitcoin Wiki article. I am overall very hopeful for PoS and if you want to read my thoughts on how PoS is pretty useful, click here.

Huge thanks to Aaron Henshaw, Evan Weiss, Mark Forscher, Gregory Rocco, Anthony Lusardi, and Bryant Eisenbach for their feedback on this article.