
Vitalik: The Design Philosophy of Proof of Stake
Cypherpunk spirit is not just about idealism; making system defense easier than launching attacks is also sound engineering.
Author: Vitalik Buterin
Systems like Ethereum (as well as Bitcoin, NXT and Bitshares) represent a new kind of entity within cryptoeconomic systems—decentralized, unregulated entities that exist entirely on the internet and are maintained through cryptography, economics, and social consensus.
They are somewhat like BitTorrent—a peer-to-peer consensus protocol—but not quite, because BitTorrent has no concept of state; this distinction ultimately becomes crucial.
They are sometimes described as decentralized autonomous corporations, but they're not really like corporations—for example, you can't hard fork Microsoft. They are somewhat like open-source software projects, but not quite—while you can fork a blockchain, it's not as easy as forking OpenOffice.
There are many types of cryptoeconomic networks—ASIC-based PoW (proof-of-work), GPU-based PoW, PoS (proof-of-stake), DPoS (delegated proof-of-stake), and the upcoming Casper PoS (the consensus mechanism Ethereum will adopt).
Each undoubtedly carries its own philosophy.
A well-known example is the maximalist vision of proof-of-work, where the correct blockchain is defined as the one created by miners who have expended large amounts of capital. Originally just a fork-choice rule in the protocol, this mechanism has been elevated in many cases to a sacred doctrine—take, for example, my Twitter discussion with Chris DeRose (where DeRose argued that any fork with over 50% total hashpower would become the longest, new main chain). Some people go to great lengths to uphold this idea in pure form, even in the face of a hard fork changing the hashing algorithm.
Bitshares' delegated proof-of-stake offers another philosophy—one that stems from a single creed, but can be more plainly described as a shareholder voting mechanism.
Each of these philosophies (Nakamoto consensus, social consensus, shareholder voting consensus) has its own conclusions, making their value systems quite meaningful when viewed from within, though they are certainly subject to criticism when compared against each other. Casper consensus also has theoretical foundations, though these have not yet been clearly articulated.
Vlad, Dominic, Jae, others, and I each have our own views on why PoS protocols can exist and how they should be designed, but here I want to explain my personal perspective.
I will lay out the results and then go straight to the conclusion.
Cryptography is very special in the 21st century because it is one of the few fields that continues to greatly favor defenders in adversarial conflict. It’s easier to destroy a castle than build one; islands can be defended, yet still attacked, but an ordinary person’s ECC (elliptic curve cryptography) key is secure enough even against nation-state actors. Cypherpunk theory fundamentally leverages this valuable asymmetry to create a world that better preserves individual autonomy, and to some extent, cryptoeconomics extends cypherpunk ideals beyond just privacy and confidentiality to also include securing complex collaborative systems. Systems that see themselves as inheriting the cypherpunk ideological spirit should preserve this fundamental property, ensuring that the cost of destruction/disruption is much higher than the cost of use/maintenance.
The cypherpunk spirit isn’t just about idealism—making systems easier to defend than attack is also sound engineering.
On medium to long time scales, humans are quite good at reaching consensus. Even if an adversary gains unlimited hashpower and mounts a 51% attack that reverts the last month of the main chain's history, convincing the community that this chain is legitimate is far harder than merely surpassing the main chain's hashpower. They would need to overturn block researchers, every trusted member in the community, The New York Times, archive.org, and many other online authorities; in short, getting the entire world to believe the new attacking chain was the original chain in this information-intensive 21st century is as difficult as convincing the world that the U.S. moon landing never happened. Regardless of whether a blockchain community acknowledges it, in the long run, these social factors are ultimately what protect any blockchain (note that Bitcoin Core does acknowledge this primacy of the social layer).
However, blockchains protected only by social consensus are too inefficient, too slow, and prone to endless schisms (though various difficulties have already occurred); therefore, economic consensus plays an extremely important role in protecting liveness and security in the short term.
Because proof-of-work security mechanisms can only come from block rewards (as Dominic Williams puts it, it lacks existence cost and exit penalty, having only entry cost), miner incentives can only stem from the risk of losing future block rewards. Proof-of-work must therefore operate under the logic that large block rewards incentivize massive computational power. Recovery from a PoW attack is very difficult: the first time an attack occurs, you can hard fork to change the PoW, rendering the attacker’s ASICs useless. But if attackers attack again, you can’t keep changing it, and attackers can repeat attacks indefinitely. Therefore, the mining network must be large enough that an attack becomes unimaginable. Since the network continuously spends X per day, attackers smaller than X are discouraged from appearing. I reject this entire logic because:
(i) This mechanism kills trees (implying excessive waste of resources);
(ii) This mechanism fails to recognize the cypherpunk ethos—the cost ratio of attack versus defense is 1:1, giving defense no advantage.
Proof-of-stake breaks this 1:1 symmetry by abandoning proof-of-work security and instead using penalty mechanisms. Validators put money (“deposits”) at stake and receive small rewards to compensate for locking up deposits, running nodes, and taking extra precautions to secure private keys. However, the bulk of the cost of reverting transactions comes from penalties, which could be hundreds or thousands of times larger than the rewards earned during that period. Thus, the “one-sentence theory” of proof-of-stake is not “security from energy consumption,” but “security from economically enforced loss of value.” A given block or state has X security if you can prove it’s impossible for any conflicting block or state to achieve the same level of finality without malicious actors risking equivalent in-protocol penalties.
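The definition of "X security" above can be made concrete with a small calculation. This is an added example, not code from the article or from Casper; the 2/3 finality quorum, the full-deposit penalty for voting on both of two conflicting blocks, and the validator names and deposit amounts are assumptions constructed for illustration.

```python
from fractions import Fraction

# Assumption: a block is final once validators holding 2/3 of all deposits
# vote for it. The article does not state a threshold.
QUORUM = Fraction(2, 3)

# Constructed sample data: validator name -> deposit.
DEPOSITS = {"v1": 400, "v2": 300, "v3": 200, "v4": 100}
VOTES_A = {"v1", "v2"}          # votes for block A
VOTES_B = {"v1", "v3", "v4"}    # votes for conflicting block B


def stake_of(deposits, voters):
    """Total deposit behind a vote set; votes from non-validators are ignored."""
    return sum(deposits[v] for v in set(voters) & deposits.keys())


def finalized(deposits, voters, quorum=QUORUM):
    """True if the voters hold at least the quorum share of all deposits."""
    return stake_of(deposits, voters) >= quorum * sum(deposits.values())


def min_slashable(deposits, quorum=QUORUM):
    """Lower bound on deposits that voted twice if two conflicting blocks finalize."""
    return max(Fraction(0), (2 * quorum - 1) * sum(deposits.values()))


def economic_security(deposits, votes_a, votes_b, quorum=QUORUM):
    """Return (double_voters, deposits_slashed) for conflicting blocks A and B.

    Assumes the protocol destroys the full deposit of any validator that
    voted for both blocks. Returns (set(), 0) unless both blocks are final.
    """
    if not (finalized(deposits, votes_a, quorum)
            and finalized(deposits, votes_b, quorum)):
        return set(), 0
    double_voters = set(votes_a) & set(votes_b) & deposits.keys()
    return double_voters, stake_of(deposits, double_voters)


if __name__ == "__main__":
    voters, slashed = economic_security(DEPOSITS, VOTES_A, VOTES_B)
    print(f"double voters: {sorted(voters)}, slashed: {slashed}")
    print(f"protocol-wide lower bound: {float(min_slashable(DEPOSITS)):.1f}")
```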
In theory, a majority of validators could collude to take over proof-of-stake and begin acting maliciously. However,
(i) Through clever protocol design, the additional profits they could extract from such actions can be minimized, and more importantly,
(ii) If they attempt to prevent new validators from joining or launch a 51% attack, the community can simply coordinate a hard fork to remove the assets of the offending validators.
A successful attack might cost $50 million, but cleaning up afterward wouldn’t be more complicated than the Geth/Parity client consensus failure that occurred on November 25, 2016. Two days later, the blockchain and community were back on track, the attacker lost $50 million, and due to the resulting token supply contraction increasing prices, the rest of the community appeared richer. This is the asymmetry we need.
The above should not be interpreted as suggesting irregular hard forks will happen frequently. If needed, the cost of a single 51% attack on proof-of-stake can be set as high as the permanent 51% attack cost on proof-of-work, and the full expense and futility of such an attack should ensure it almost never gets attempted.
Economics isn’t everything. Individuals may be driven by extraneous motives—they could be hacked, kidnapped, or simply drunk and decide to disrupt the blockchain at great personal cost. On the bright side, individual moral tolerance and communication inefficiencies often raise the cost of attacks far above the standard definition of protocol-level value loss. This is an advantage we cannot rely on, but also one we should not unnecessarily discard.
Therefore, the best protocols are those that function well across multiple models and assumptions—coordinated choice, individual economic rationality, simple fault tolerance, Byzantine fault tolerance (ideally adaptive and non-adaptive adversary variants), behavioral economic models inspired by Ariely/Kahneman ("we all cheat"), and any other realistic models deemed desirable. Two layers of defense are important: economic incentives preventing centralized entities from anti-social behavior, and decentralization incentives preventing such entities from forming in the first place.
Consensus protocols that operate very quickly carry risks and should be handled with great care if implemented, because the possibility of extreme speed combined with incentives creates high rewards and systemic risks of network centralization (e.g., all validators running on the same hosting provider). Consensus protocols shouldn’t overly care how fast validators send messages, as long as they do so within acceptable time intervals (e.g., 4–8 seconds—we empirically know Ethereum latency is typically between 500ms and 1s). A possible middle ground is creating protocols that can work very quickly but, using a mechanism similar to Ethereum’s uncle blocks, ensure marginal rewards for nodes increase only slightly beyond an easily attainable threshold of network connectivity.
From here, there are of course many details and many ways to disagree on them, but the above at least represents the core principles behind my version of Casper. From here, we can of course debate tradeoffs among competing values.
Should we give ETH a 1% annual issuance rate and spend $50 million enforcing a corrective hard fork, or have zero additional ETH issuance and spend $5 million enforcing a corrective hard fork?
When do we increase protocol security under economic models at the expense of reducing security under fault-tolerance models?
Do we prefer predictable security, or predictable token issuance? These are different versions of the same questions, and achieving various compromises among these values is the task ahead. But we will get there.














