Proof Of Stake Wears No Clothes
In the early 1990s, I periodically drove between San Luis Obispo and Los Angeles to visit my parents. In the era before podcasts and Pandora, I would sometimes listen to radio preachers out of sheer boredom. I distinctly remember one, speaking with the gravelly voice of an old vicar, answering listener questions. “How do we know that the Bible is true?” Without even a momentary pause for irony, he deadpanned “Well, we know that the Bible is true... because the Bible tells us so.”
There's much handwringing over the economic and environmental cost of proof-of-work cryptocurrencies. Some propose to eliminate most of that cost by moving to proof-of-stake. This makes the same mistake the old preacher did.
Boiled down to its bare essence, a cryptocurrency is a list of transactions, and a protocol for deciding which transactions are allowed to be added to that list.
Similarly reduced, proof-of-stake systems work like this:
- The list of valid transactions determines who has coin.
<complexity>- People with coin decide which transactions are valid.
You don't need to know any more detail about proof-of-stake systems to be instantly suspicious. Complicated details should make you more suspicious: The history of perpetual motion machines is the process of making step #2 opaque enough that investors forget the connection between #1 and #3.
Sure, for a while. Possibly a long while. It is easy to reach consensus when everyone agrees. But on a sufficiently long time scale, difficult conflicts will occur. The wise and respected leader will be dead and gone in some decades, sooner if he/she is careless or unlucky.
Proof-of-stake is inherently self-referential. It is possible to have two perfectly consistent, equally valid chains - perhaps with different stakers. Since “stake” is defined within a blockchain, it cannot be used to pick between two blockchains. Under the right kind of stress, the real, unwritten meta-consensus protocol that determines "which blockchain do we pay attention to?" will be revealed. Exactly what that is will depend on the nature of the fork.
One risk is a relatively balanced fork, following a long and contentious fight in the community. Perhaps it will be about adjusting stake rewards. Perhaps it will be about “fixing” a broken/hacked contract. Perhaps it will be about staked stolen currency.
I don't have an opinion on the ETH/ETC split. But the rift “healed” because miners picked one over the other; ETC is now significantly less secure than ETH and has suffered multiple 51% hacks. Concentration of hashpower (a finite resource) creates a positive feedback loop which encourages the remaining hashpower to abandon smaller forks.
Forking a proof-of-stake chain can create two chains, each of which is endorsed by a majority of stakers in that chain. This split can repeat ad infinitum. Which will be the “real” one?
I think Matt Levine is close to the mark with “The night watchman controls the company, sort of”.[1][2][3] Whoever has the key to the front door is in control. The exchanges pick which fork gets which ticker symbol, but there's no reason to assume that all exchanges will agree. It will be messy and unpredictable.
Describe it in terms that don't reduce to “You have influence over the blockchain… because the blockchain says so”.
