The censorship resistance of Bitcoin and Ethereum

Original Title: "Censorship resistance in Bitcoin and Ethereum"

Authors: Allen Zhao, Mustafa Yilham, Henry Ang & Jermaine Wong, Bixin Ventures

Original Compilation: Evan Gu, Wayne Zhang, Bixin Ventures

At the beginning of August, the news that the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) decided to add Tornado Cash to the sanctions list brought the issue of censorship resistance into the spotlight. To avoid related criminal liability, RPC service providers Alchemy and Infura restricted access to Tornado Cash smart contract data, and Circle (the issuer of USDC) also blacklisted wallet addresses on the sanctions list. Addresses on the blacklist were similarly banned by DeFi protocols like Aave, but users could still interact with some smart contracts, albeit with many extra steps and some technical expertise.

This leads us to consider a more general question: Can blockchains be censored at the protocol level? [Concerns about protocol-level censorship have emerged in the Ethereum community](https://twitter.com/TheEylon/status/1558911348255461378?refsrc=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1558911348255461378%7Ctwgr%5E7283fde77858f266dab132167519f0536378a374%7Ctwcon%5Es1&ref_url=https%3A%2F%2Fwww.coindesk.com%2Ftech%2F2022%2F08%2F17%2Ftornado-cash-fallout-can-ethereum-be-censored%2F, with 66% of beacon chain validators being sensitive to OFAC regulations after the merge. If more than 1/3 of validators (by stake weight) are censored in any form, the Ethereum chain will not function properly.

In this article, we will compare the censorship resistance of BTC (POW) and ETH (POS) through three key questions, and finally provide our thoughts.

Definition of "Censorship"

In a recent Bankless podcast, Justin Drake defined two different types of censorship: weak censorship and strong censorship.

1. Weak censorship: Weak censorship occurs when certain censored block producers do not include individual transactions in blocks, leading to a degraded user experience. For example, a compliant block producer may refuse transactions from blacklisted addresses, but the transaction may still be received by non-censoring block producers.
2. Strong censorship: Strong censorship occurs when an individual's transaction will never be included on the chain. Given that the individual has lost the ability to transact, this situation can be considered as the asset being effectively lost. This can happen when the network is taken over by a majority, also known as a 51% attack, which, if it occurs, may threaten the continued existence of the attacked blockchain.

In the following discussion, we will compare Bitcoin and Ethereum as representative networks of POW and POS systems. We will first identify the factors of censorship and then detail how Bitcoin and Ethereum achieve censorship resistance.

Question 1: Weak censorship may occur through jurisdictional regulation when miners/block validators are relatively centralized.

Both Bitcoin and Ethereum face the issue of centralization of mining pools and validating nodes. This could create a scenario where mining pools or validating nodes may be forced to comply with regulations and censor any transactions deemed illegal within their jurisdiction.

Ethereum

Since the merge, the top two staking service providers hold a combined 43.03% share, while the top three hold 51.63%. The risk here is that if Lido and Coinbase collude, they could halt the network; if Kraken joins in, the three could take over the Ethereum network.

Source: Related Network

Before examining how Ethereum addresses centralization threats, we first introduce why validators may ultimately become centralized. Under Ethereum's POS mechanism, block producers can choose which transactions to include in the next block and how they are ordered. This allows validators to participate in the process of MEV extraction, which Amber defined well in their recent article on the ETH merge.

"Maximum Extractable Value, or MEV, broadly refers to the residual value that miners or validators can obtain from a series of blocks given the available operations. These operations can include reordering transactions, censoring blocks, or even attempting to reorganize the blockchain. Common forms of MEV include sandwich attacks, arbitrage, and liquidation."

Source: Flashbots

As shown in the figure, once MEV is considered, validator rewards can significantly increase. Due to the economic incentives brought by MEV, larger participants operate more validating nodes, thereby eliminating individual and non-professional validating nodes. Consequently, ordinary holders are more inclined to join the validating node pool through staking services to obtain higher and more stable income, which increases the centralization of validating nodes.

Another consideration regarding the centralization of staking nodes is cryptocurrency exchanges. Exchanges remain the best place for users to acquire Ethereum tokens. Given their large user base, many tokens naturally accumulate at these exchanges, and the convenience of yield provided by their staking platforms further attracts token accumulation. We should educate users about the risks of staking on centralized platforms, such as the potential impacts if a centralized platform chooses to act maliciously due to judicial pressure.

Although the validating node pool is not the most ideal solution, it allows more ETH holders to participate, so staking pools still benefit Ethereum's decentralization.

So how does Ethereum address censorship concerns regarding centralization?

Solution 1: Separate block proposers and builders

One widely discussed solution is Proposer Builder Separation (PBS). PBS separates the roles of block proposers and block builders, allowing validators to earn MEV rewards without becoming complex operators, thereby mitigating centralization issues.

There are three key participants in the blockchain operation that can check and balance each other to mitigate and ultimately eliminate potential censorship.

Builders, who specialize in constructing blocks, extract the maximum MEV and transaction fees by ordering transactions. They then pay proposers a fee for proposing and place their blocks on-chain. Therefore, without the help of proposers, those builders with censorship intentions cannot publish transactions on-chain.

Proposers, also known as validators, either choose the most popular block or do not include a block at all. If they believe that block builders are censoring transactions, they have the ability to propose a censorship-resistant list (crList); as long as the block is not full, or they do not propose their block, builders must include these transactions. Since EIP-1559 has been implemented, over 80% of blocks contain a backup gas, meaning that as long as users pay a priority fee above the base fee, they should be able to have their transactions included in the block. In summary, proposers can achieve maximum profit by selecting blocks that can pay the highest amounts while still having the ability to utilize the crList to force through censorship.

Proposers will monitor the block building process and only validate it when the highest-paying block is included in the proposer’s block. This will prevent malicious proposers from censoring transactions.

Although the above methods greatly improve the decentralization of validators, they still do not solve the centralization issue of builders. How to decentralize builders is beyond the scope of this discussion, but you can read more here.

Solution 2: Encrypted mempool

Another solution under research is to adopt an encrypted mempool to address centralized censorship. Users encrypt their transactions before broadcasting them to the mempool, and they are only decrypted once the transactions are included in a block on the chain. This will prevent any potential censoring party from gaining access to the content of transactions during the block building process. Additionally, it helps prevent MEV abuse, such as front-running. Another benefit of an encrypted mempool is that it can actually address the centralization issue of builders in the future. In this case, proposers can build their blocks by selecting the highest-fee transactions from the encrypted mempool without needing to select blocks from complex builders.

Bitcoin

Bitcoin has long been hailed as "digital gold," a trait that is reflected not only in its role as a digital store of value but also in its censorship resistance. Although the programmability of the Bitcoin network is not as strong as that of Ethereum, its weaker programmability can minimize MEV, but it still faces the issue of miners becoming increasingly centralized geographically. Furthermore, operating mining machines requires specialized skills, and the hardware and energy are capital-intensive, leading the Bitcoin mining industry to move towards resource sharing, where miners pay service fees to mining farms based on unit computing power, thus reducing the cash flow pressure of investing in their own operations.

As shown in the figure, prior to China's ban on crypto mining in 2021, China's hash rate accounted for over 45% of the global total. However, the hash rate has now shifted to the United States, which accounted for 38% of the global hash rate as of January this year. Mining companies may refuse certain transactions due to local regulations, which poses a threat of censorship.

So how does Bitcoin address the censorship issues arising from mining pool centralization?

Solution 1: Switching mining pools

Once a mining pool operator is subject to censorship regulations and acts against the interests of miners, miners can easily switch to other mining pools (for example, moving away from the censored pool). Since they operate on a demand-based model for computing power, miners only need to change the mining pool address in their mining software to switch to a new pool. During the period when miners were banned by the Chinese government in 2021, miners were able to quickly migrate abroad and switch their addresses to offshore pools, and the hash rate has since recovered and is now higher than before the ban was announced.

While Ethereum can allow validators to withdraw or re-stake at their discretion, there is still a time lag due to cooling periods and queuing systems.

Solution 2: Allow miners more control over the block building process

Most Bitcoin miners direct their computing power to mining pools, where they communicate with these pools using a messaging protocol called Stratum v1, which organizes miners' creation and submission of hashes. If mining pools collude to censor transactions, the community has no recourse. However, if Stratum v2 is used, miners will be able to choose their own set of transactions, thus gaining more control over the block building process, which can counteract the censorship intentions of malicious mining pool operators.

If you are interested in learning about Stratum v2 and its functional upgrades to enhance miner security and income, please read here.

Solution 3: Free market competition

Bitcoin supporters argue that the economic incentives of proof-of-work mining are the best form of resistance against any transaction censorship. As block rewards decrease with each halving cycle, transaction fees will tend to make up 100% of miners' income. Therefore, even if any compliant mining pool or miner censors paid transactions, other miners/pools in different jurisdictions would be very willing to seize those transactions. Ultimately, these compliant pools or miners would be defeated in the free market, leading to a decline in their market share and profitability.

Conclusion 1: Bitcoin can handle censorship issues arising from centralization in the block creation process better than Ethereum.

Today's Bitcoin is more capable of addressing centralized censorship in the block building process. If there are mining pools censoring certain transactions, miners can now switch pools without delay, greatly enhancing their autonomy.

While Ethereum has viable solutions to address censorship issues, they are primarily in the research phase and have not yet been implemented, as other functional aspects need to be prioritized due to competition with other programmable blockchains.

Question 2: Strong censorship risks may occur if the network's security budget is low.

A low security budget can lead to the possibility of a 51% attack. When this occurs, attackers will be able to control the blockchain. They can block incoming transactions and reorder new transactions. More seriously, they can rewrite the blockchain's history and reverse their own transactions, leading to double spending.

Ethereum's Security Budget

Once a 51% attack is launched against Ethereum, all new deposits or withdrawals may be censored by the attackers, making it difficult for the network to recover. Therefore, the distribution of tokens within the network should be as decentralized as possible to prevent the required tokens from being obtained through coercive means and launching an attack. As of the writing of this article, 13.6 million ETH are staked on the beacon chain. The economic security of Ethereum can be calculated by multiplying 13.6 million ETH by the price and then by 51%, yielding the minimum amount needed for transaction censorship. At the current price of $1,700 per ETH, today's economic security is approximately $11.5 billion. In reality, given that prices will rise non-linearly with demand for ETH, the cost will be much higher.

Since obtaining these funds is not an issue for some organizations or countries, we still need to consider preventive solutions.

Solution 1: Encourage more users to stake

Compared to other POS networks, only 11% of ETH is currently staked (for example, Solana at 77%, Cosmos at 66%, Avalanche at 65%), indicating significant potential. As the amount staked increases, it will become very difficult for attackers to obtain 51% of the total staked amount.

However, one barrier to more people staking is the opportunity cost of DeFi yields for users. If users can achieve better yields in DeFi, they may prioritize financial incentives, thereby reducing the incentive effect of ETH staking yields. One solution to break down this barrier is liquid staking protocols, but this may also bring us back to the centralization issues seen with Lido. While we can see that Lido is distributing stakes to about 30 validators on its whitelist, this whitelist is still controlled and approved by Lido. Therefore, the criteria and ability to add and remove validators are crucial, meaning strong governance capabilities are needed within the decentralized autonomous organization.

Encouragingly, Lido has been exploring governance solutions using dual governance proposals, where key governance issues will be voted on by both stETH and LDO holders, thus maintaining consistency between the two token holders. Another key issue related to censorship resistance is the potential for governance to change the equity distribution among node operators in a possibly harmful or unintended way. In specific governance situations, once LDO holders pass the initial proposal, stETH holders will also be involved, and if all available negotiations fail, they can exit the protocol. Read here for a more detailed explanation of the voting mechanism and subsequent outcomes.

Solution 2: Diversify validators to prevent coercive governance acquisition

If ETH cannot be obtained on the market, another way to gain control over the network is to coerce 51% of validators. Therefore, increasing the diversity of validators in the following forms can achieve censorship resistance:

1. Enhance jurisdictional/geographical diversity to ensure that no single jurisdiction/country can take validators offline.
2. Enhance operator/stakeholder diversity to ensure that with a wide distribution of stakes, coercive censorship becomes extremely difficult.
3. Enhance client diversity to ensure that no single error in the validator client can take validators offline.
4. Lower hardware requirements for participation to ensure that anyone can start a validator as needed.
5. Increase the number of validators with complete copies of transactions.

Solution 3: Social layer intervention

If preventive measures fail, Ethereum will intervene at the social level. Specifically, this involves automatically executing a forking process upon detecting a censorship regime, while allowing sufficient time for consensus to be reached for the fork. Ideally, full online nodes will identify and recognize which blockchains have censorship intentions by checking the mempool, and once identified, a fork will occur, punishing the chain with censorship intentions, all without requiring intervention from the social layer.

However, forks are rarely completed directly and quickly, as censorship may sometimes be incidental, such as due to errors in validator clients. In such cases, it is crucial to be able to intervene and discern which are genuine censorship and which are accidental events. Additionally, there are considerations such as how to choose the new blockchain, which checkpoint to take to launch the new blockchain, how to punish attackers on the new blockchain, etc. Handling these issues will affect the economic value of the chain. All of this is to inform new users that if they wish to participate in a new uncensored blockchain, they must first be able to withdraw funds from the chain. While there are currently no rules or guidelines to help users understand how to respond to various policy interventions, it is crucial that the governance and decision-making processes of the chain are as decentralized as possible.

Bitcoin's Security Budget

If Bitcoin is subject to strong censorship, miners will be able to mine all rewards and reorganize the chain as they see fit. Given the current hash rate of 230m TH/s, assuming existing miners do not participate in the attack, attackers would need to possess more than 230m TH/s of computing power to control the network. Let's do the math: using the most efficient ASIC chip on the market today, the Antminer S19 PRO (110 TH/S), a total of 2.09 million ASIC chips (230,000,000 TH/s divided by 110 TH/s) would be needed to carry out the attack. At today's price of $4,400, the total cost of acquiring the hardware needed to attack the network, not including energy costs, would be $9 billion.

Solution 1: Bitcoin's network is more censorship-resistant due to the difficulty of acquiring ASIC chips.

While the cost may not be prohibitive for certain aggressive attackers, there is significant resistance in acquiring ASIC chips, as only a few companies can produce these chips. Moreover, due to the insufficient supply coming online each year, attackers cannot launch rapid attacks.

Solution 2: The low conversion of miners leads to decentralization of the Bitcoin network.

Acquiring the machines needed to control the network is very difficult, so attacks are likely to be carried out through coercion or control of existing mining pools. This issue can be addressed by the emergence of mining pools in different regions around the world, as their presence significantly lowers the conversion costs for miners, allowing for quick switching in the face of censorship, thus achieving censorship resistance.

Conclusion 2: Bitcoin is more resilient than Ethereum in preventing 51% strong censorship attacks. Ethereum's solution of using the social layer as a last line of defense gives more power to a few, but there are still many issues regarding social consensus.

On the surface, Ethereum's security budget appears to be higher than Bitcoin's. However, the resistance to acquiring hardware when taking over the Bitcoin network is greater than the resistance posed by the cost of obtaining a majority of tokens in Ethereum.

If attackers use alternative means to gain control of the network through centralized mining pools, Bitcoin's solutions are much simpler, as honest miners can help rebalance the hash rate by switching to non-attacking pools.

In the case of Ethereum being strongly censored, while the social layer can intervene, there are still many questions about how to transition to a user-activated soft fork. First, how do non-attacking participants reach social consensus? Can the majority of the new minority make decisions? Or is it up to the core team to decide? The decision-making process can be likened to "Ethereum DAO" voting to reach a majority decision. Should it be determined by a majority of voters or a majority of stakes? A common criticism of DAO voting is that a vast majority of holders can vote in favor of an outcome, but ultimately be vetoed by a single holder with more shares. This does not reflect the actual process of determining fork rules but highlights the issues of social governance that the Ethereum community has yet to implement. Ultimately, as Nic Carter has said, the social consensus layer inevitably leaves room for politicization, and Ethereum may suffer the same fate as expropriating national governments.

Therefore, we believe Bitcoin is more resilient. It is also worth noting that this may not be the case in the future. One potential scenario is that as block rewards approach zero, if Bitcoin's transaction activity fails to rebound, the lack of transactions will lead to miners lacking income, making it difficult for them to maintain solvency. This would lead to miners shutting down their machines and a decrease in hash rate, thereby weakening Bitcoin's security budget. Thus, the Bitcoin network needs to continue attracting new users to operate as a healthy network.

Question 3: External dependencies may pose censorship risks to the underlying network.

Stablecoins

The denomination of every cryptocurrency is anchored by stablecoins, and Bitcoin and Ethereum are no exceptions. A quick glance at the market capitalization of stablecoins reveals that the top three are backed by fiat collateral held by centralized custodians. This places them within the regulatory scope, raising the question: what if custodians prevent users from converting stablecoins to fiat currency simply due to government censorship or prohibition? Although these scenarios are unlikely, the chain reaction that could result is frightening. Recently, the USDC issuer Circle froze funds worth over 75,000 USDC associated with Tornado Cash addresses.

Potential Solution 1: Over-collateralized stablecoins

One can mint a token pegged to fiat currency in exchange for cryptocurrency collateral. MakerDAO's DAI is currently the largest decentralized stablecoin in the crypto space, and when asset prices begin to fall, they maintain the 1 DAI = 1 USD peg by liquidating the staked crypto collateral. Since 2017, it has experienced price fluctuations of Bitcoin and Ethereum and has proven to be robust. However, even they have over 30% exposure to USDC as part of their collateral. Following the recent USDC and Tornado Cash incident, they are currently having governance discussions on whether to implement negative interest rates to allow DAI to circulate more freely, in pursuit of the vision of becoming a public, neutral financial utility infrastructure.

Another option favored by Vitalik is Reflexer's RAI. In this protocol, users can deposit ETH and mint RAI, up to ⅔ of the value of the deposited ETH. The key difference here is that RAI does not maintain a fixed peg like the dollar, meaning that RAI's peg will fluctuate based on market volatility. They also allow for negative interest rates, which helps provide a balance where excessive growth can be curbed, thus reducing the volatility of the stablecoin. Read here for a more detailed explanation of how RAI works.

However, a fundamental issue with over-collateralized stablecoins is that they continuously extract liquidity from the market (which is not an ideal state if we expect financial activity to occur in cryptocurrencies). We also need to consider what collateral can be used as a base currency for collateralization.

Feasibility of Bitcoin: Bitcoin is arguably the best collateral available today. But even with ready-made solutions on the market, over-collateralization extracts liquidity from the market, which is not an ideal solution if we expect financial activity to occur on-chain.

Feasibility of Ethereum: Using ETH as collateral for stablecoins may not be the direction of development. If ETH faces censorship, these stablecoins will encounter redemption issues, as users may wish to exit their ETH positions. While using Bitcoin as collateral can mitigate this related risk, it still faces the issue of liquidity extraction.

Potential Solution 2: Algorithmic stablecoins

Despite the bad reputation of algorithmic stablecoins due to the Luna collapse, they are another option. The goal of algorithmic stablecoins is to create a pegged stablecoin that does not require collateral but instead uses some form of governance token for anchoring. The peg is then maintained through arbitrage opportunities between the governance token and the algorithmic stablecoin. However, this system design is very fragile, as it requires rational participants and strong confidence in the value of the governance token.

Once confidence is broken, a death spiral may occur: as the price of the governance token falls, market participants not only fail to stabilize the token price but further sell off their holdings of the governance token, exacerbating the price decline.

In theory, algorithmic stablecoins could serve the same function as our existing fractional banking system without extracting liquidity. However, there do not seem to be suitable candidate projects that can perfect the system design of algorithmic stablecoins, making them face smaller risks.

Feasibility of Bitcoin: Not applicable, as there are no viable candidate projects on the market.

Feasibility of Ethereum: Not applicable, as there are no viable candidate projects on the market.

Potential Solution 3: Bitcoin or Ethereum as decentralized stablecoins

Consider: what if Bitcoin became an uncensorable decentralized "stablecoin"? This seems to address the issues faced by both Bitcoin and Ethereum.

Feasibility of Bitcoin: It seems that all Bitcoin holders could join, as 1 BTC = 1 BTC. This could resolve the situation of declining security budgets due to a lack of transaction activity (recall: block rewards approaching zero = all miner income depends on transaction fees = sufficient transaction activity is needed to maintain solvency and high hash rate). If BTC is widely used on Ethereum (and any other programmable blockchain), transaction activity will stem from its role as a base layer currency for DeFi and many other applications, which can then maintain economic incentives for miners, further strengthening resistance to censorship from any attackers.

Feasibility of Ethereum: Imagine if a fork occurred due to censorship of USDC or USDT, and there were no stablecoins pegged to fiat on-chain; how many users would choose that "bubble and low-volume" stablecoin? If Ethereum were used as a decentralized stablecoin, it would eliminate reliance on fiat-pegged stablecoins, making forking in the face of strong censorship attacks a more realistic option. Users would not have to worry about the destruction of economic value, as Ethereum, as a base layer currency, has strong censorship resistance characteristics.

RPC Networks

RPC (Remote Procedure Call) networks are crucial for blockchains. They provide access to server nodes and allow users to communicate and interact with the blockchain while interacting with a standalone program. Given that running these RPC nodes requires specific hardware, most developers turn to centralized RPC networks like Infura and Alchemy to meet their dApp API needs. The downside is that these centralized RPC networks can restrict access to blockchain data in compliance with any jurisdictional laws and can also serve as central points of failure that are vulnerable to hacking. The end result is that users may face service interruptions, significantly degrading user experience.

Solution 1: Light clients

Ethereum has long hoped for more users to run their own light clients. Light clients do not store the complete historical state of the chain but rely on a sync committee to sync to the chain. They can also query the network state arbitrarily by asking other full nodes instead of going through centralized Infura or Alchemy.

Bitcoin has also encouraged users to run their own light clients. Light clients on Bitcoin can interact with the network without storing the blockchain and can query other nodes for blocks and transaction data of interest.

Solution 2: Decentralized RPC networks

Decentralized RPC network providers offer economic incentives for distributed RPC nodes to provide applications and users access to blockchain data. By using a set of decentralized RPC nodes, the underlying protocol layer can enhance its security and censorship resistance due to the absence of single points of failure. Existing solutions include Pocket Network, Ankr, and Solana's GenesysGo. Both Ethereum and Bitcoin would benefit from a decentralized RPC layer, considering the large number of applications using RPC networks, which would enhance Ethereum's censorship resistance.

Core developers and project teams

The arrest of Tornado Cash founder Alexey Pertsev has sparked discussions about whether developers or project teams can be held accountable for their open-source code. Should they remain anonymous? Easily identifiable identities may place individuals within jurisdictions, potentially making them susceptible to regulatory control. While there is no explicit requirement for founders or developers to be accountable for their code, ensuring that teams are geographically distributed to counter any potential censorship from a specific jurisdiction may be wise.

Conclusion 3: External dependencies have a significant impact on the censorship resistance of underlying layer protocols.

We believe the first issue to address is the choice of base layer currency, as the economic value of both Bitcoin and Ethereum is tied to USDC and USDT, which are susceptible to U.S. regulations. Other potential sources of censorship risk include the RPC layer and protocol developers, and we believe existing solutions can mitigate and ultimately eliminate these issues.

Conclusion

Although we have conducted an extensive comparison of Bitcoin and Ethereum, they each have their own characteristics and solutions regarding censorship resistance. For instance, Bitcoin's characteristics make it suitable as a base layer currency, but we still need the programmability of blockchains like Ethereum to have on-chain applications. Ultimately, the characteristics of decentralization, censorship resistance, and sovereign independence are goals that Bitcoin, Ethereum, and many other blockchains strive to achieve.