How decentralized is Ethereum’s Casper PoS, really?

Akbar Thobhani , 11 Jun 2018 - CasperEthereumOpinionPos

Ethereum’s upcoming Casper update looks set to positively alter the number two crypto's energy consumption footprint - but how will it affect decentralization?

One of the biggest criticisms of proof-of-work mining is that it leads to a high level of miner centralization, where a few miners control over 50% of hashing power on the network. On Bitcoin, the top four mining pools contribute over 50% of the hashing power, while on Ethereum, the top three mining pools contribute over 50%.

Ethereum’s planned Casper update is intended to change all that by shifting the network from a proof-of-work to a proof-of-stake consensus mechanism. While most people focus on the energy benefits of proof-of-stake — it’s far less resource intensive than mining — the single most overlooked feature of Casper is that it promises to introduce a greater level of decentralization to the Ethereum network.

What are Casper and Proof-of-Stake?

In the traditional, centralized financial system, there is typically an organization (a bank, or payments company) whose job it is to validate that a sender sent something of value, and that the receiver received it in a transaction. In a decentralized world, this role is currently played by miners who validate new transactions.

Casper is a planned upgrade to the Ethereum network that will move it from its current proof-of-work algorithm to a proof-of-stake algorithm.

  • Proof-of-work relies on miners running nodes on the network to solve computationally difficult math problems to validate new transaction blocks. In exchange for contributing hashing power to the network, they receive a financial reward.

  • Proof-of-stake relies on validator nodes on the network to take turns proposing and validating the next block in the chain. The weight of a validator’s node — and the size of its reward — depends on the size of the coins staked in the verification process.

With proof-of-stake, nodes on the network can validate new transactions by “staking” a certain amount of Ether. They then vote to validate transactions on the chain.

The problem with this occurs when there are multiple competing chains. In proof-of-work, this is solved by selecting the chain with the most work behind it. In a “naive” proof-of-stake implementation, there’s nothing to prevent nodes to “stake” on multiple chains to increase their rewards, which makes it harder for the system to converge around a consensus. This is commonly known as the “nothing at stake” problem.

Casper solves this problem through a “consensus by bet” mechanism. Nodes on the network stake a certain amount of Ether to validate new transactions. They then bet on which new blocks will be validated. They’re rewarded when they bet correctly and penalized when they bet incorrectly. This incentivizes miners to bet with the eventual consensus.

In doing so, Casper is replicating the economics of proof-of-work. In proof-of-work, miners are implicitly penalized from mining on competing chains because it wastes energy and finite resources. In proof-of-stake, nodes are explicitly penalized from staking the wrong chain because they lose their underlying stake — preventing them from launching another attack without new funds to stake.

Because proof-of-stake doesn’t rely on miners competing with hashing power to mine blocks, it’s much more energy efficient than traditional proof-of-work. But it can also create greater decentralization for Ethereum at the protocol layer.

How decentralized is proof-of-work?

Proof-of-work cryptocurrencies like Bitcoin and Ethereum were designed to be decentralized, and this is what makes them valuable. They’re not controlled by a single entity, are censorship resistant, and open.

Despite this, mining for proof-of-work chains typically is highly centralized.

Casper Ethereum Pic 1

The top three mining pools on Ethereum control over 51% of hashing power on the network (Source: Etherchain)

As the graph above shows, the top three mining pools on Ethereum control over 50% of hashing power on the network. If the top three mining pools colluded, they could launch a 51% attack on the network.

This wouldn’t be easy. Individual miners contribute their hashing power to large mining pools. The pools divide block rewards and transaction fees according to how much hashing power each miner contributed. It’s not always clear how much hash rate different mining pools actually control on their own and how much of it comes from individual miners.

It’s possible that independent miners would switch from mining on these pools to protect the greater network — but it’s not necessarily clear that they’d be able to detect this collusion in the first place. Once you give your hashing power to a mining pool, the mining pool can use it at its discretion. The safety of the protocol depends on miners acting in good faith. That’s already beginning to erode.

For one, Ethereum mining pools are relatively decentralized because Ethereum’s hashing algorithm doesn’t reward specialized hardware to the same degree as Bitcoin’s. This advantage, however, won’t hold up over the long term. The largest Bitcoin mining pool operator Bitmain recently announced that it had developed specialized ASIC mining rigs for Ethereum.

Ethereum Casper Pic 2

Bitmain’s recently launched E3 Ethereum ASIC Miner

Because of the high capital costs of mining on proof-of-work chains, miners that buy specialized, ASIC chips and that operate in countries with cheap electricity costs are able to take the lion’s share of block rewards. Bitmain, which operates the largest Bitcoin mining pool, is also the largest producer of mining chips for Bitcoin. They can sell chips at a profit and use them to put more mining rigs online.

Mining rewards centralization because companies that are able to buy more chips and run larger mining rigs can operate more cost-efficiently than smaller operations. Ethereum’s hashing algorithm has deterred large-scale ASIC mining so far, but this isn’t sustainable over the long term. As the network grows more valuable, large miners will have more incentives to develop specialized chips.

Further, a 51% attack wouldn’t necessarily come from miners. Imagine that a country like China, Russia, or the US declared cryptocurrency a security threat, and seized all the mining hardware operating in the country. They’d have the resources and authority to launch a full-scale attack on the network. This wouldn’t come cheap — at 7.5 TWh at 10 cents /KWh, it would cost $700 million. While launching a 51% attack on a proof-of-work chain like Ethereum would be difficult, it’s a far cry from impossible or infeasible.

How decentralized is proof of stake?

Proof-of-work relies on miners to secure the network, which means that decentralization depends on the miners and decreases as ASIC manufacturing becomes more specialized and efficient. With proof-of-work, decentralization is in the hands of the miners.

Proof-of-stake relies on validator nodes to stake coins to propose new blocks and add them to the chain. Block rewards are delivered in proportion to how much Eth is staked. The only way to get more rewards is to increase your stake and deposit more Eth.

Casper advocates believe that with proof-of-stake, decentralization is a policy that’s written into the code of the protocol.The idea is that code can be adjusted to create economic incentives that discourage and penalize the formation of cartels (although it remains to be seen if this holds up in practice).

 Casper Pic 3

In Casper proof-of-stake, new blocks are finalized once two-thirds of staking validator nodes vote on it. Thus, to launch the equivalent of a 51% attack under proof-of-stake, you would need 67% of the stake to launch the attack.

Assuming 100% participation from the Ethereum network with all available Eth staked, the top 1720 accounts would need to collude to launch a 67% attack. This is a good deal more decentralized than PoW, where the top 3 mining pools control > 51% of hashing power. Of course, it’s highly unlikely that all Eth on the network would be staked.

Assuming various levels of participation:

  • 100% participation: the top 1720 accounts control enough Eth to launch a 67% attack

  • 50%participation: the top 77 accounts control enough Eth to launch a 67% attack

  • 30% participation: the top 27 accounts control enough Eth to launch a 67% attack

Looking at the 50% and 30% participation, it’s clear that proof-of-stake isn’t a silver bullet for decentralization.

Further, under a PoS dynamic, exchanges would be able to wield outsized influence. The top three exchanges on Ethereum control over 15% of all Eth. Exchanges wouldn’t be able to stake all their Eth as they still need to be able to permit withdrawals, but they have the ability to contribute a sizable amount to the stake.

The amount of Eth in individual addresses also doesn’t give us a completely accurate picture of decentralization — individuals and companies can control multiple accounts. Under 30% staking participation, it doesn’t seem impossible 27 accounts could collude to launch an attack, but it’s still less centralized than three mining pools controlling over 51% of hashing power under proof-of-work.

And while 27 wallets might be able to launch a 67% attack, it would be extremely costly for them to do so. Remember that under PoS, validators that misbehave are economically penalized by forfeiting their stake. If attackers attempt to subvert the network and fail, their behavior would be detected on the chain. In the process, they would lose their stake and the only way they could relaunch an attack would be by acquiring new Eth.

With PoW, anyone who amasses enough ASIC chips and farms to control a large amount of hashing power can use those resources to continue attacking the network even after a failed attempt. This wouldn’t be easy or cheap — you’d have to buy ASIC chips, pay electricity, and set up mining farms. But once you have them you could use them to repeatedly attack the network.

With proof-of-stake, this is much harder. As Ethereum researcher Vlad Zamfir says, when you try to participate in a 51% attack, “it’s as though your ASIC farm burned down.”

Asymmetrical Defense

Vitalik Buterin

The promise of cryptocurrencies like Bitcoin and Ethereum is to create new networks free from the intervention of centralized third-parties such as banks and governments. To this end, they’re built around innovations in cryptography such as SHA-256 and public-private keys that are open-source and that anyone can use — but are secure even against governments.

With proof-of-work blockchains like Bitcoin and Ethereum, we’ve seen a growing level of mining centralization in recent years, as specialized ASIC chips reward those who are able to scale up bigger and bigger mining operations.

Proof-of-stake promises the network greater decentralization through an asymmetrical defense. It makes the network much more expensive to attack and subvert than it is to maintain. While Casper proof-of-stake is still in development and has yet to be stress-tested on the mainet, it looks like it’s moving the Ethereum network forward in the right direction. 

About the author

Akbar Thobhani is the CEO of SFOX — a broker-dealer for institutional cryptocurrency trading. He started his career as a software engineer at JPL / NASA, and began mining bitcoins while attending MIT. Akbar was head of growth and business development at Airbnb.  Specializing in trading and payments platforms, he has developed solutions for ITG, Boku, and Stamps.com.