Why choose proof of stake?
Author: Vitalik Buterin
Original Title: "Why Proof of Stake (Nov 2020)"
Published on: November 6, 2020
Three key reasons why PoS is a superior blockchain security mechanism compared to PoW.
PoS provides higher security at the same cost
The simplest way to see this is to place proof of stake and proof of work side by side and look at the cost of attacking the network for every $1 of block reward per day.
GPU-based Proof of Work
You can rent GPUs cheaply, so the cost of attacking the network is just the cost of renting enough GPU power to surpass the existing miners. For every $1 of block reward, existing miners should spend close to $1 (if they spend more, miners will exit due to unprofitability; if they spend less, new miners can join and earn high profits). Therefore, attacking the network only requires temporarily spending over $1 per day, and it only takes a few hours.
Total attack cost: approximately $0.26 (assuming an attack duration of 6 hours), which may drop to zero as the attacker receives block rewards.
ASIC-based Proof of Work
ASICs are a capital cost: you buy an ASIC once, and you can expect it to last about 2 years before wearing out and/or being replaced by better hardware. If a chain is subjected to a 51% attack, the community may respond by changing the PoW algorithm, and your ASIC will lose its value. On average, mining consists of about 1/3 ongoing costs and about 2/3 capital costs (see some sources here). Therefore, for every $1 reward per day, miners will spend about $0.33 on electricity + maintenance and about $0.67 on their ASICs. Assuming ASICs last about 2 years, miners need to spend $486.67 on that amount of ASIC hardware.
Total attack cost: $486.67 (ASIC) + $0.08 (electricity + maintenance) = $486.75
It is worth noting that ASICs provide this higher level of security at a high centralization cost, as the barrier to entry becomes very high.
Proof of Stake
Proof of stake is almost entirely a capital cost (the cryptocurrency deposited); the only operational cost is the cost of running nodes. Now, how much capital are people willing to lock up to earn a $1 reward per day? Unlike ASICs, the deposited tokens do not depreciate, and after you finish staking, you will get your tokens back after a short delay. Therefore, participants should be willing to pay a higher capital cost for the same amount of rewards.
Assume that a return rate of about 15% is sufficient to incentivize staking (i.e., the expected Eth2 return rate). Then a $1 reward per day will attract deposits worth 6.667 years of returns, or $2433. The hardware and electricity costs for one node are minimal; a $1000 computer can stake hundreds of thousands of dollars, and about $100 per month for electricity and internet is sufficient. But conservatively, we can say these ongoing costs account for about 10% of the total staking cost, so only $0.90 of the rewards corresponds to capital costs, meaning we do need to reduce the above figure by about 10%.
Total attack cost: $0.90/day * 6.667 years = $2189
In the long run, as staking becomes more efficient, people will be satisfied with lower returns, and this cost is expected to be higher. I personally expect this figure will eventually rise to around $10,000.
Note that the only "cost" of achieving this high level of security is the inconvenience of not being able to freely move your cryptocurrency while you are staking. It may even be the case that public knowledge that all these tokens are locked up causes the value of the token to rise, so that the total amount in circulation, ready for productive investments, etc., remains unchanged! In PoW, by contrast, the "cost" of maintaining consensus is the massive consumption of real electricity.
Higher security or lower cost?
Note that there are two ways to use this 5-20x gain in security per unit of cost. One is to keep the block rewards the same while benefiting from increased security. The other is to significantly reduce block rewards (and thus the "waste" of the consensus mechanism) while maintaining the same level of security.
Either way is fine. Personally, I prefer the latter, because as we will see below, in PoS, even successful attacks are less harmful than attacks on proof of work and easier to recover from!
In Proof of Stake, recovery from attacks is easier
In a proof of work system, what do you do if your chain is subjected to a 51% attack? So far, the only practical response has been to "wait until the attacker gets bored." But this overlooks the possibility of a more dangerous attack known as a spawn camping attack, where the attacker repeatedly attacks the chain with the explicit goal of rendering it useless.
In GPU-based systems, there are no defenses, and a persistent attacker can easily make the chain permanently useless (or, more realistically, the chain switches to proof of stake or proof of authority). In fact, after the initial few days, the cost for the attacker may become very low, as honest miners exit because they cannot earn rewards during the attack.
In ASIC-based systems, the community can respond to the first attack, but continuing the attack from there becomes trivial again. The community will respond to the first attack by changing the PoW algorithm through a hard fork, thereby "destroying" all ASICs (both the attacker's and honest miners'!). However, if the attacker is willing to bear this initial cost, the situation afterward reverts to that of GPUs (as there is not enough time to build and distribute ASICs for the new algorithm), allowing the attacker to continue the spawn camping cheaply.
However, in the case of PoS, the situation is much better. For certain types of 51% attacks (especially reverting final blocks), there is an inherent "slashing" mechanism in proof of stake consensus, through which most of the attacker's stake (and others' stakes) can be automatically destroyed. For other harder-to-detect attacks (especially a 51% coalition censoring everyone else), the community can coordinate a soft fork activated by a minority of users (UASF), in which the attacker's funds are again largely destroyed (in Ethereum, this is done through the "inactivity leak mechanism"). There is no need for an explicit "hard fork to delete cryptocurrency"; aside from needing to coordinate on the UASF to select a minority of blocks, everything else is automated and only requires following the execution of the protocol rules.
Thus, the first attack on the chain will cost the attacker millions of dollars, and the community will be back on its feet within days. A second attack on the chain will still cost the attacker millions of dollars, as they need to purchase new coins to replace the burned old coins. A third will… cost even more millions of dollars. The game is highly asymmetric and unfavorable to the attacker.
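The cost figures from the first section and the repeated-attack argument of this section can be reproduced with a small model. This is an added example, not part of the original article: the function names, the `overbid` and `slashed_fraction` parameters, and the assumption that a repeat PoS attacker must re-buy exactly the slashed stake are assumptions made here. It also goes one step further and solves for the return rate at which the PoS figure reaches $10,000.

```python
"""Attack cost per $1/day of block reward (added illustration; inputs are the article's)."""
DAYS_PER_YEAR = 365

def gpu_attack_cost(attack_hours=6, overbid=1.0):
    # Honest miners spend ~$1/day per $1/day of reward; the attacker rents that
    # much hash power for the attack window. overbid is an assumed knob for
    # "slightly more than $1/day" (the article's ~$0.26 vs. 0.25 at overbid=1).
    return overbid * attack_hours / 24

def asic_attack_cost(capital_share=2 / 3, lifetime_years=2, attack_hours=6):
    # Hardware bought up front (capital share of spend over the ASIC lifetime)
    # plus electricity and maintenance for the attack window.
    hardware = capital_share * DAYS_PER_YEAR * lifetime_years
    running = (1 - capital_share) * attack_hours / 24
    return hardware + running

def pos_attack_cost(required_return=0.15, capital_share=0.90):
    # Deposit attracted by the capital-related part of $1/day at a yearly return.
    return capital_share * DAYS_PER_YEAR / required_return

def return_for_pos_cost(target_cost, capital_share=0.90):
    # Inverse of pos_attack_cost: yearly return at which the deposit hits target_cost.
    return capital_share * DAYS_PER_YEAR / target_cost

def cumulative_cost(mechanism, attacks, slashed_fraction=1.0):
    """Total attacker spend over repeated attacks, per the recovery argument."""
    if attacks == 0:
        return 0.0
    if mechanism == "gpu":
        return attacks * gpu_attack_cost()
    if mechanism == "asic":
        # The first attack triggers an algorithm change that destroys the ASICs;
        # afterwards the chain is in the GPU situation.
        return asic_attack_cost() + (attacks - 1) * gpu_attack_cost()
    if mechanism == "pos":
        # Assumption: slashed_fraction of the stake is destroyed per attack and
        # must be bought again (the article says "most"; 1.0 is the upper bound).
        stake = pos_attack_cost()
        return stake + (attacks - 1) * slashed_fraction * stake
    raise ValueError(f"unknown mechanism: {mechanism}")

if __name__ == "__main__":
    for n in (1, 2, 3):
        row = {m: round(cumulative_cost(m, n), 2) for m in ("gpu", "asic", "pos")}
        print(f"attacks={n}: {row}")
    print("return rate for a $10,000 PoS cost:", round(return_for_pos_cost(10_000), 4))
```

The ASIC total barely moves after the first attack, while the PoS total grows by roughly the full stake each time, which is the asymmetry this section describes.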
Proof of Stake is more decentralized than ASIC
GPU-based proof of work is reasonably decentralized; obtaining GPUs is not difficult. However, GPU mining largely fails on the "security against attacks" criterion mentioned above. On the other hand, ASIC mining requires millions of dollars in funding to enter (and if you buy ASICs from others, in most cases, the manufacturing company gets the better end of the deal).
This is also the correct answer to the common argument that "proof of stake means the rich get richer": ASIC mining also means the rich get richer, and this game tends to favor the wealthy. At least in PoS, the minimum staking amount required is very low and within the reach of many ordinary people.
Moreover, proof of stake is more resistant to censorship. GPU mining and ASIC mining are very easy to detect: they require significant electricity consumption, expensive hardware procurement, and large warehouses. On the other hand, PoS staking can be done on inconspicuous laptops and even through VPNs.
Possible advantages of Proof of Work
I see two main real advantages of PoW, although I think these advantages are quite limited.
Proof of Stake is more like a "closed system," leading to higher wealth concentration over the long term
In proof of stake, if you have some cryptocurrency, you can stake that cryptocurrency and earn more of that cryptocurrency. In proof of work, you can always earn more cryptocurrency, but you need some external resources to do so. Therefore, one might argue that over the long term, proof of stake token distributions risk becoming increasingly concentrated.
The main response I see to this is that in PoS, the general rewards (and thus the income of validators) will be very low; in Eth2, we expect annual validator rewards to be equivalent to 0.5-2% of the total supply of ETH. The more validators there are, the lower the interest rate. Therefore, doubling concentration may take over a century, and over such a time scale, other pressures (people wanting to spend money, allocate money to charities, or give it to their children, etc.) may dominate.
Proof of Stake requires "weak subjectivity," while Proof of Work does not
For the original introduction to the concept of "weak subjectivity," see here. Essentially, when a node comes online for the first time, and when a node comes back online after being offline for a long time (i.e., several months), that node must find some third-party source to determine the correct chain head. This could be their friends, exchanges, block explorer sites, client developers themselves, or many other participants. PoW does not have this requirement.
However, it can be argued that this is a very weak requirement; in fact, users already need to trust client developers and/or the "community" to about this extent. At the very least, users need to trust someone (usually client developers) to tell them what the protocol is and what any updates to the protocol are. This is unavoidable in any software application. Therefore, the marginal additional trust requirement imposed by PoS is still low.
But even if these risks are indeed serious, in my view, they seem to be far outweighed by the significant benefits that PoS systems gain from higher efficiency and better handling of attacks and recovery from attacks.