Has Proof of Stake Ethereum Achieved its Goals?
What is proof of stake trying to achieve? And has it?
One of the founding missions of Ethereum was to replace proof of work with proof of stake while retaining many of its desirable characteristics of being open, permissionless, and trustless.
The Ethereum community perceives proof of work mining as an environmental hazard due to its exceedingly high and wasteful electricity consumption. By the time proof of stake was deployed, Ethereum represented ~0.2% of global electricity consumption. Interestingly, Hal Finney was the first to identify the issue of potential CO2 emissions from a widespread Bitcoin implementation within the first 30 days of Bitcoin’s deployment.
In the Bitcoin community, there are several arguments that proof of work is good for the environment.
One of the most convincing arguments is that proof of work acts as a bidder of last resort to purchase electricity that is easily transportable to any remote location. It can help stabilise the energy grid by buying electricity when there is reduced (or no) demand. In fact, due to the economics of mining, miners should seek cheap (and free) energy when it is available, and long term should converge towards renewable energy sources.
We do not have a strong opinion on arguments for or against proof of work’s environmental impact. The best reason to pursue proof of stake is to simply remove the debate around electricity consumption and environmental impact altogether as opposed to trying to justify its use. By removing the debate, it is one less barrier to entry for people who may be interested in the space but put off by its perceived environmental impact.
Initial skepticism
It took the Ethereum community more than 8 years to replace proof of work and reduce its energy usage by 99.9%. In hindsight, it is not surprising the eventual deployment of proof of stake took so long.
In the early days of ~2014, many in the nascent crypto community called Ethereum a scam for attempting to design a proof of stake protocol around the concept of a world computer. In fact, the skepticism even deemed the pursuit impossible and fundamentally flawed — so no attempt by any serious engineer or researcher should be necessary.
The naysayers were not wrong to be skeptical. Some of the early arguments like the nothing at stake problem are meaningful contributions, but there is a line between being curiously skeptical and discouraging the entire pursuit by calling those who tried scammers. It is remarkable how a disgusting attitude was (and is) allowed to proliferate as it represents the fiat world which the crypto sphere is trying to replace.
Not to digress: the reason why proof of stake took so long to deploy is not due to a lack of trying. It is very easy to conjure up a new consensus protocol that can immediately reduce the network’s energy consumption. However, simply reducing energy consumption is not a good enough reason to replace it. In fact, back in 2015, we already had some implementations like Peercoin that could be deployed fairly quickly.
It was, and is, critically important that any consensus protocol to replace proof of work must attempt to replicate its openness, permissionless, and trustless nature — as much as it can — to fend against nation state actors. There was no proof of stake protocol that was ready to act as a stand-in replacement for proof of work.
We take this opportunity to evaluate whether Ethereum’s proof of stake protocol is a good replacement for proof of work.
We have put together a list of protocol goals, inspired by proof of work, to help with the comparison and discussion. The list was not defined, known, or used by the ETH2 protocol designers.
Before we dive in: the term miners refers to participants in proof of work and Validators to participants in proof of stake.
Protocol Goals
We have put together a list of goals that a proof of stake protocol should try and achieve. They are separated into sections for Validator membership, the block production process, and finally rewards/penalties.
Goals for Validator membership:
Open-membership. Anyone can stake funds and participate as a Validator.
Block production relative to stake. The frequency of blocks proposed by a Validator should be relative to their stake in the system.
Active participation. A Validator should continuously have an opportunity to participate relative to their staked assets.
Goals for block production and how Validators will converge on a single canonical chain:
Block finality. All participants should gain confidence that a block will not be reversed or replaced as it achieves greater depth in the blockchain.
Forced to pick one parent block. A block proposer should be forced to pick one blockchain fork to extend when proposing their new block.
Unpredictable block proposer. It should be difficult, or not possible, to predict which Validator will produce the next block.
Publicly verifiable transcript. A network participant can independently verify that they have received the canonical blockchain (“the one true blockchain”) and the consensus protocol was run correctly.
Gracefully handle outages. The blockchain can continue to make progress, albeit more slowly, if a significant portion of consensus participants are temporarily offline.
An overarching goal is to ensure Validators are financially aligned with the long-term health of the system and to guarantee a revenue stream. We need to consider the goals for rewards and penalties of the system:
Forced distribution. A block proposer should eventually be forced to sell their coins, perhaps to cover operational costs, to help distribute newly issued coins across the community (and to new buyers).
Evenly distributed yield. All Validators should get approximately the same income relative to their stake in the system.
Rewards for uptime only. A validator can only earn rewards for actively participating.
Frequency of payments. How often a Validator may receive a payout for active participation.
A keen reader will notice that enforced and automated penalties are not a protocol goal. If we are evaluating proof of stake against proof of work, then it is simply an additional feature. This is because proof of work has no penalties and mining hardware is never at risk. The only “penalty” is a loss of income for not participating.
Discussion and interesting takeaways
Table 1 provides an overview of the discussion on proof of work vs Ethereum’s proof of stake based on the above protocol goals. As we can see — proof of stake gets close to the protocol goals, but it is not exactly the same. Let’s dive into the differences for each protocol goal.
Open membership
One of the defining features of a cryptocurrency is the process for new participants to join the consensus protocol without a centralised gate-keeper.
Proof of work → out-of-band. The registration process is in meat space. Anyone with the financial resources can purchase the hardware, set up the mining warehouse, and participate in the consensus protocol. In fact, this entire process can happen without the existing miners’ knowledge and be turned on at any time.
Proof of stake → in-band. The registration process is inside the proof of stake protocol. A user needs to deposit 32 ETH into the deposit contract. This requires a user generated transaction to be processed by the blockchain. All registrations can be viewed by the existing set of Validators and it requires an honest majority (>51%) to guarantee a deposit transaction will be included in the blockchain.
In both cases, registration eligibility relies on an upfront financial investment, either spent on hardware or simply explicitly locked up. If we consider the ability to exclude a new entrant, then it may appear that proof of work has an advantage as a miner’s registration may not be known until it is turned on.
However, proof of work and proof of stake rely on the same honest majority (>51%) assumption and they must assume there is no collusion to filter the blocks from unknown participants.
We hypothetically consider how a dishonest majority can prevent new entrants:
Miners → allow list. They can require miners to include a digital signature in their blocks and selectively approve miners. This is slightly awkward for mining pools as solo miners can undermine the entire approach. There is no strong notion of identity to simply exclude any miner.
Validators → exclude list. They can target individual Validators, as all Validators can be identified by their staked ETH.
The slight advantage for proof of work is the difficulty of singling out new entrants, as it requires a catch-all allow list as opposed to an exclude list.
Verdict: Both protocols rely on the same honest majority assumption to guarantee new entrants into the consensus protocol. Proof of work is advantageous only in the sense that registrations remain private and it is difficult (in a practical sense) to enforce an allow list.
Active participation, rewards and payments
All participants in a consensus protocol should actively participate and only be rewarded for their uptime.
Proof of work → solve puzzle. Miners must continuously solve a computationally difficult puzzle that on average, for the entire network of miners, takes ~10 minutes. A miner cannot produce a new block without trying to solve the puzzle.
Proof of stake → cast votes. All Validators have an opportunity to propose a block or cast an attestation every epoch (~6 minutes). They are rewarded for participating during their allocated slot.
In both cases, miners and validators need to actively participate in the protocol, but how the rewards are issued for their participation is different:
Type of rewards.
Proof of work. A fixed block reward alongside any fees collected in the block.
Proof of stake. There is no fixed block reward. A Validator is rewarded for casting their vote or including votes in their beacon block alongside any collected tips.
Frequency of payments.
Proof of stake. Post-shanghai, any balance >32 ETH will be periodically swept and automatically sent via the execution layer.
Proof of work. Only if the miner produces a new block.
The takeaway is that proof of stake enables frequent payments and only if the Validator is actively participating in the process. It is in stark contrast to proof of work as a solo miner may never be paid even if they are actively participating in the protocol. The lack of potential payment ultimately forces smaller miners to join mining pools and give up their autonomy as block builders (in most cases).
Finally, we consider whether participants are paid according to their relative influence on the network. Without going into details, it is the same for both. The issuance of new coins guarantees a minimum payment that is evenly distributed and all participants (in expectation) should produce a block based on their relative issuance. For example, a miner/validator with 10% of hashrate/stake will produce around 10% of blocks.
One aspect of evenly distributed rewards to consider is the impact of MEV as historical data highlights how some block proposers may get outsized rewards due to sheer luck. MEV is out of scope for the comparison because it relates to a smart contract platform and not how the consensus protocol works. For example, if Bitcoin implemented the same proof of stake protocol, then it will not magically be victim to MEV.
Verdict: Both proof of work and proof of stake check for active participation, but proof of stake has an advantage. Validators earn frequent payouts for casting attestations and can maintain their independence. Small miners are forced to join a mining pool to receive frequent payouts.
Confidence in block finality
One of the quirks for Nakamoto Consensus is that network participants gain confidence over time that a confirmed block will eventually be considered final and it will not be reversed. Remarkably, proof of stake Ethereum can provide a stronger guarantee for block finality:
Proof of work → weight-based finality. A block gains confidence that it will not be replaced by the accumulative weight of subsequent blocks that extend it. As more blocks are appended to the same fork, it becomes increasingly difficult for an attacker to repeat the same work and replace it with a competing fork.
Proof of stake → absolute finality. It has a similar weight-based finality approach as a block will accumulate weight based on future attestations for blocks that extend it. This is only relevant for a short period of time (~12 minutes) until a new checkpoint is agreed by a supermajority of Validators — guaranteeing that all blocks prior to the checkpoint are final and can never be replaced (without a mega slashing event occurring).
What makes proof of stake Ethereum interesting is its attempt to replicate the weight-based finality approach and empower network participants to gain confidence in the short-term that a block will not be replaced. In a short period of time (~12 minutes) — it can achieve absolute finality.
The lack of absolute finality in proof of work has already led to several attacks for less significant chains. Put another way, finality in proof of work is only possible if a supermajority of all potential hashrate is actively online and participating. If some hashrate is offline, for whatever reason, then it may very well be leveraged to perform a block re-organisation attack.
Verdict: Proof of stake provides a guarantee around block finality via a supermajority voting protocol, whereas proof of work is based on an adversary’s willingness and capability to repeat the work.
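To make the weight-based finality of proof of work concrete, the following added example (not part of the original article) is a Python port of the attacker catch-up calculation from the Bitcoin whitepaper. The function names and the 0.1% risk threshold are choices made for this illustration.

```python
import math


def attacker_success_probability(q, z):
    """Probability that an attacker holding fraction q of the hashrate ever
    replaces a block that is z blocks deep (Nakamoto's Poisson model)."""
    if not 0 <= q <= 1:
        raise ValueError("q must be a fraction between 0 and 1")
    if q >= 0.5:
        return 1.0  # a majority attacker always catches up eventually
    p = 1.0 - q
    lam = z * q / p  # expected attacker progress while honest miners add z blocks
    total = 1.0
    poisson = math.exp(-lam)  # Poisson(lam) probability mass at k = 0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k  # step the Poisson mass from k - 1 to k
        # Attacker has k blocks and still needs to make up a deficit of z - k.
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return total


def confirmations_needed(q, max_risk=0.001, limit=1000):
    """Smallest depth z at which the reversal probability drops below max_risk,
    or None if that never happens within `limit` blocks."""
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    return None


if __name__ == "__main__":
    # Depth required for < 0.1% reversal risk as the attacker's share grows.
    for share in (0.10, 0.20, 0.30, 0.40, 0.45):
        print(f"attacker share {share:.0%}: "
              f"{confirmations_needed(share)} confirmations")
```

The required depth grows sharply as the attacker's share approaches 50%, which is why previously offline hashrate that comes back online changes how much confidence a given depth provides.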
Handling outages
One of the core characteristics of Nakamoto consensus is its ability to gracefully handle an outage of participants.
It is designed to allow miners to continue making decisions even if 99% of consensus participants are offline at the cost of confidence in finality. This versatility to gracefully handle outages is what separates Nakamoto consensus from 40+ years of classical consensus research and how something like Bitcoin can fend against nation state actors.
In this case — we are assuming that a supermajority of miners or validators are OFFLINE — they are not actively performing a 51% attack by proposing empty blocks.
Proof of work → 1 miner. As long as there is one miner online, the blockchain will continue to make progress, albeit more slowly. In Bitcoin, the puzzle difficulty resets every 2016 blocks (~2 weeks). If 50% of miners go offline, then it’ll take ~4 weeks to mine 2016 blocks, but the difficulty will spiral downwards to ensure blocks are mined every 10 minutes on average.
Proof of stake → 1 Validator. As long as there is one Validator online, the blockchain will continue to make progress, albeit more slowly. They need to wait until they are allocated a block proposer slot before a new block is proposed. The inactivity leak will be triggered and all non-cooperative Validators (offline) will suffer penalties until they are ejected from the proof of stake protocol — a period of ~3-4 weeks.
In both cases, the consensus protocols will continue to produce blocks and make decisions, but the ability to achieve any confidence in the finality of a block is disabled, especially for proof of stake as a checkpoint cannot be agreed until the inactivity leak has finished.
An interesting research project is to compute the time it takes until the blockchain returns to normal during a major outage. For example, if we assume 1% of miners/validators are online, then how long will it take for the block production to return to normal? I suspect proof of stake will be significantly faster due to the inactivity leak and due to the proof of work configuration in Bitcoin we may be waiting several months.
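The proof of work half of that question can be worked through directly. The sketch below is an added example, not from the original article, and it models only Bitcoin-style retargeting. It assumes the outage begins exactly at a retarget boundary, the surviving hashrate stays constant, and each retarget is clamped to a factor of 4 as in Bitcoin's consensus rules.

```python
RETARGET_BLOCKS = 2016        # blocks per difficulty period
TARGET_BLOCK_MINUTES = 10.0   # intended average block interval
MAX_ADJUSTMENT = 4.0          # per-retarget clamp on the difficulty change
MINUTES_PER_DAY = 24 * 60


def recovery_schedule(online_fraction, tolerance=1.01):
    """Return one (period_index, avg_block_minutes, period_days) tuple for
    every difficulty period in which blocks are slower than the target."""
    if not 0 < online_fraction <= 1:
        raise ValueError("online_fraction must be in (0, 1]")
    difficulty = 1.0  # relative to the pre-outage difficulty
    schedule = []
    period = 0
    while True:
        # Expected block interval scales with difficulty / remaining hashrate.
        block_minutes = TARGET_BLOCK_MINUTES * difficulty / online_fraction
        if block_minutes <= TARGET_BLOCK_MINUTES * tolerance:
            return schedule  # block production is back to normal
        period_minutes = RETARGET_BLOCKS * block_minutes
        schedule.append(
            (period, block_minutes, period_minutes / MINUTES_PER_DAY))
        # Retarget: scale difficulty by intended / actual period duration,
        # limited to a 4x change in either direction.
        ratio = (RETARGET_BLOCKS * TARGET_BLOCK_MINUTES) / period_minutes
        ratio = max(1.0 / MAX_ADJUSTMENT, min(MAX_ADJUSTMENT, ratio))
        difficulty *= ratio
        period += 1


def days_to_recover(online_fraction):
    """Total days spent in slow periods before the target interval returns."""
    return sum(days for _, _, days in recovery_schedule(online_fraction))


if __name__ == "__main__":
    for fraction in (0.5, 0.25, 0.01):
        print(f"{fraction:.0%} of hashrate online:")
        for period, minutes, days in recovery_schedule(fraction):
            print(f"  period {period}: {minutes:8.1f} min/block, "
                  f"{days:7.1f} days")
        print(f"  total: {days_to_recover(fraction):.1f} days")
```

With 50% of hashrate online the model reproduces the ~4 weeks figure above. In the 1% case the first 2016-block period alone dominates the total, because no retarget can happen until those blocks have been mined.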
There is also an interesting debate on a desirable outcome for the offline participants:
Should they be ejected from the protocol and never allowed to return? To guarantee the blockchain will not be re-organised after a length of time?
Should they be allowed to return online? But at the threat they may propose an alternative blockchain and reverse months of work?
We do not have a strong opinion on what is a desirable outcome, but it is worth a discussion amongst the community.
Verdict: Both can gracefully handle outages — although the desirable outcome for offline consensus participants is debatable and very different in both systems.
Objectivity vs subjectivity
The entire purpose of a blockchain is to allow anyone to compute a copy of the database and have confidence that they have a copy of the same database as everyone else — the one true canonical chain.
Proof of work → objective. As long as the participant has a copy of the genesis block, they can download all the competing blockchains, check the proof of work, and be convinced that the blockchain with the most accumulated work is the one true canonical chain.
Proof of stake → subjective. A participant must receive a copy of the latest agreed checkpoint from a trusted source.
The reason that proof of work is objective is due to the physical work required to produce the transcript and the difficulty in re-producing it. For example, if we assume the adversary controls 100% of today’s hash rate and they are willing to forego the electricity cost, it still takes ~800 days to produce a competing blockchain fork of equal weight.
On the other hand, if we assume some of the early staking keys are stolen, then it is possible to compute two protocol transcripts with equal voting weight — at zero cost. A network participant who is joining the network cannot distinguish between the two protocol transcripts and only online participants can fend against this type of attack as it will conflict with the already globally agreed checkpoint.
Verdict: Proof of work is superior for empowering participants to independently identify the canonical chain, but weak subjectivity is still a practical outcome for proof of stake.
Unpredictable block proposer
We need to consider when, and for how long, it is known that a miner or validator is allocated the opportunity to propose a block. If it is known ahead of time, then this can enable multi-block MEV alongside being a target for denial of service attacks.
Proof of work → unpredictable block. It resembles a private lottery and the winner is only declared when someone wins the lottery.
Proof of stake → 2 epochs in advance. A random beacon allocates Validators to slots and all allocations are known two epochs in advance.
A core characteristic for proof of work is the inability to predict who will complete the puzzle first and ultimately win the private lottery. This is not the case in Ethereum’s proof of stake as the order of block proposal appointments is known 2 epochs (~12 minutes) in advance. There is research to solve this problem for Ethereum, but it is still in the early stages.
Verdict: Proof of work is superior. It is not predictable which miner will be picked to produce the next block. Whereas in proof of stake, all block proposers are known ~12 minutes in advance.
Forced distribution of newly issued coins
We consider whether miners or validators are forced to eventually sell newly earned coins which includes network issuance and transaction fees.
Many in the Bitcoin community argue this characteristic is desirable. There must be a forcing function that forces miners/Validators to eventually sell their coins and help distribute coins to buyers of the network. Otherwise, they can hoard the earned coins and gradually gain a significant portion of all coins on the network.
Proof of work → forced to sell. The sheer operational cost of mining and its ever-increasing difficulty has to date forced miners to sell their newly earned coins.
Proof of stake → not forced to sell. The operational cost is minimal to run a Validator and there is arguably little pressure to sell the earned coins.
At first glance, the immediate takeaway is that proof of work does force miners to sell newly issued coins and distribute it to willing buyers — helping decentralization as coins are forced to spread on the secondary market. On the other hand, in proof of stake, it is possible for Validators to hoard all earned coins.
In spite of that, the argument is not that simple. We need to consider:
Financial cost to sustain the protocol,
Profit by the consensus participant.
In proof of work, the total rewards earned by miners must subsidise the cost of mining while still allowing miners to make a profit. Whereas, in proof of stake, the operational costs are arguably so insignificant for Validators — the focus is only to provide a reasonable profit to encourage their participation.
Table 1 provides an overview of the network issuance in Bitcoin, proof of work Ethereum and proof of stake Ethereum.
As we can see, in both proof of work networks, the issuance of new coins is a magnitude greater than what is needed to sustain a proof of stake system. All Validators can take home the $800m in issuance whereas Bitcoin has issued over ~$7bn in block rewards and several miners are still going bankrupt. We suspect the issuance of new coins is still high in Ethereum (4% relative to the staked ETH and NOT the total supply) and it could be reduced further.
So, while proof of work does force miners to sell their coins, the sheer operational costs place considerable pressure on them to do it successfully and act as a potential centralising force on who can participate in the consensus protocol.
It is still debatable whether the coin distribution problem is needed for proof of stake Ethereum. A solution to the problem may only be needed during the early years of a network to help distribute the coins. We will see if a continued solution is required in the coming years.
Verdict: Both proof of work and proof of stake must be profitable to participate in. If we want a mechanism that forces an excess subsidy to be sold-off and distributed to potential buyers, then proof of work has an advantage — at the cost of all existing coin holders and as a potential centralising force.
Security proof and assurances
We consider the robustness of the consensus protocol and whether there is any evidence that it is indeed secure against a range of known attacks on blockchain protocols.
Proof of work → test of time. Satoshi Nakamoto only provided a simple simulation to illustrate the security of proof of work. It was the research community, over many years, who put together a threat model alongside extensive analysis on how secure it is against certain attacks. A classic example was the discovery of selfish mining: the community was initially outraged and called it wrong, but now we know it is indeed fundamental to blockchain protocols.
Proof of stake → too early to say. There are papers [1,2] that describe how it works, but there is still no proof of security. The process of trying to create such a proof led to the discovery of several attacks [3,4] and patches to the protocol. It will take time for the research community to continue attacking and fixing it alongside inspiring new protocols like Goldfish.
Proof of work has survived the test of time and the mountain of research behind it provides confidence in its robustness. It will take a very long time for Ethereum’s proof of stake to provide the same level of confidence — especially given the complexity of its protocol relative to proof of work.
This article, like many that will come after it, is a step in the direction of better understanding the proof of stake protocol and hopefully helping researchers get started on trying to break it.
As a final note.
Never be afraid to openly debate the strengths or weaknesses of any protocol.
All debate is evidence that a community is still alive and willing to make progress towards an ideal system. It is OK to be wrong in your opinion and be open to fixing your understanding.
When debate is shut down, perhaps due to fear of being seen as “wrong” or the repercussions of a community that will disown you, then progress will oscillate and the curiously minded will move on without you.
This is why I published this article — it can be updated over time as feedback and more insights emerge — if you disagree with any of it then comment below or contact me directly.
Until then, up only my frens.
Really well written Pat, thanks :)
Can't agree more with the philosophy of debate "When debate is shutdown, perhaps due to fear of being seen as “wrong” or the repercussions of a community that will disown you, then progress will oscillate and the curiously minded will move on without you." Debate and self-debate is the driving force for the advancement of human civilization.