It's been a while since I've gotten into any serious discussion about decentralized and robust consensus mechanisms in crypto. So far, I've been looking at the current trends, and it seems like 'Proof of Stake' (PoS) is starting to get hyped up as the new "solution" to the problems of Proof of Work (PoW) with its own issues either being overlooked or outright ignored. A million DeFi coins are coming into the market that are PoS instead of PoW, claiming to be the "next best thing".
I didn't do much commenting on the issue earlier of whether or not PoS is superior to PoW because I felt like I did not know enough about either one of them to have an educated opinion. I often saw people on r/btc dismiss PoS as a "ponzi scheme" or "economically unsustainable/flawed". At first, I thought it was merely an opinion held by some r/btc users because they would obviously be in favour of PoW (given that all the known versions of Bitcoin use PoW as their consensus system). In fact, I remember looking at people like u/ShadowOfHarbringer's (possibly one of the biggest PoS critics from what I've seen, but correct me if I'm wrong) comments and thinking that he has only dismissed PoS because it's not PoW, and Bitcoin (Cash), one of r/btc's favourite coins uses PoW.
After doing the research for myself, and thinking about it critically for a long time, I came to the same conclusion that Proof of Stake is fundamentally AND economically broken, and I can no longer take it seriously. It's surprising to me that many people who are knowledgeable in fields relevant to Bitcoin are still considering PoS despite this. It seems that rather than actually addressing any criticisms of PoS, PoS proponents just dismiss most concerns by saying that PoW has those same problems without elaborating any further, and then ending the discussion there. I'm here to discuss why Proof of Stake is fundamentally flawed, and why Proof of Work is the only consensus mechanism that works (at least so far). If you want to skip to certain sections in this article, I'll provide a 'table of contents' section, which you can navigate through using the links:
Contents:
Why Decentralization is Important
Often times, the word "decentralization" gets thrown around in the crypto space as a value proposition of cryptocurrency as a whole, and why cryptocurrency is good. At this point, so many people have just been convinced that "more decentralized" = better/important without ever thinking any more about the actual topic and why it is important.
Decentralization is NOT the value proposition, nor is it the purpose of the blockchain, Bitcoin, and cryptocurrency in general. This is a fundamental misunderstanding that many people (myself included) have had when it comes to this topic. Decentralization is the means by which the actual value propositions, censorship resistance and trustlessness are achieved. Satoshi writes about this in the Introduction section of the Bitcoin Whitepaper:
Commerce on the Internet has come to rely almost exclusively on financial institutions serving as trusted third parties to process electronic payments. While the system works well enough for most transactions, it still suffers from the inherent weaknesses of the trust based model. Completely non-reversible transactions are not really possible, since financial institutions cannot avoid mediating disputes. The cost of mediation increases transaction costs, limiting the minimum practical transaction size and cutting off the possibility for small casual transactions, and there is a broader cost in the loss of ability to make non-reversible payments for nonreversible services. With the possibility of reversal, the need for trust spreads.
If there was a means by which we could have a centralized database (which would as a result, make a large trade-off in the 'blockchain' trilemma, but also be more scalable) that was as censorship resistant as the blockchain today, I would not see any value proposition in a decentralized blockchain. But the truth is we haven't figured out how to make such a system because the two ideas are inherently incompatible. It's not possible for an entity to have almost full control over a network, but at the same time not have control over it.
To add, this is why I have had a hard time trying to empathize with any view of keeping blocks small. Simply put, if fees are high, the nature of the network itself maybe trustless, but it fundamentally fails at being censorship resistant, which makes it self-defeating, but that's a topic for another time.
What is Integral to a Decentralized Network and Consensus Mechanism
As discussed previously, the reason decentralization itself is important and valuable is because it allows for censorship resistance and trustlessness. But how exactly do we achieve this through decentralization?
The first problem that Bitcoin had to solve as a currency was being able to be censorship resistant and trustless in nature. The only solution to this was making it a system that is decentralized, which means that no single entity issues or controls everyone's coins. This would mean that there would need to be a way for transactions to only be done by those who actually own the coins, and nobody else. The solution to this was implementing digital signatures, which make it impossible for any single entity or anyone for that matter to spend others' money.
The second problem was introducing scarcity in such a manner that coins couldn't be counterfeited or printed out of thin air. For example, if each coin was a file, nothing would stop me from copying that file to send out multiple coins, and given those incentives, there would be no purpose to such a system. Even if nobody can spend funds from my wallet, I can still give myself free money out of thin air.
This also means that such a currency would also have to have 'memory' properties, meaning that once someone spends coins, they can't be re-spent by the same person. The solution to this was a ledger, which keeps track of all the transactions, so if an account in question spends more coins than it has, that will contradict an entry within the ledger, and the user in question won't be able to send the funds. So far, this means we have a ledger of which coins cannot be printed out of thin air and sent. Since the ledger is supposed to be decentralized, that means lots of people/entities will have a copy of that ledger, which brings up another issue...
Given that there will be many people with a copy of the ledger, how do we decide which is the correct one and which isn't, since it's entirely possible for two alternate ledgers to have conflicting transactions? This is especially important since if it wasn't solved, someone could simply present one copy of the ledger to the recipient and the rest of the network, and once the transaction has gone through, present the other copy, and the transaction has been reversed without any cost, effectively making it trivial to re-spend the coins.
In order to solve this issue, some sort of voting/consensus mechanism had to be implemented so the network can come to an agreement on the legitimate version of the ledger itself. This had to be done in such a fashion that nobody would have to trust anyone (votes cannot be faked), and such a decision can be made quickly. Ideally, we would have 1 user = 1 vote, or anything as democratic as possible (given that it is the fastest decision-making mechanism which doesn't put power in the hands of a single entity), but it's impossible to define '1 user' in a network that is permissionless, where any accounts and wallets can belong to anyone. On top of this, voting would have to be time sensitive because a decision needs to be made. We can summarize our consensus/voting mechanism requirements in a few points:
does not trust or assume others will act in good faith
is decentralized
impossible to fake
makes decisions in a timely manner
the end result is a unanimous vote
Proof of Work vs Proof of Stake Incentives
As a re-cap, these are the requirements that we came up with for a decentralized consensus and/or voting mechanism:
does not trust or assume others will act in good faith
is decentralized
impossible (or at the very least, extremely difficult) to fake
makes decisions in a timely manner
the end result is a unanimous vote
Intuitively, someone who isn't experienced with cryptocurrencies might infer that we could make 1 wallet = 1 user = 1 vote, but that wouldn't work because any attacker on the network could just make a script to generate multiple wallets and use their voting power to either attack the network or stall it, ensuring that the network couldn't reach an agreement, effectively killing it. This means that this mechanism doesn't follow any of our criteria. In a trustless network, we absolutely have to assume there will be attackers and that we cannot assume everyone has good or altruistic intentions. Given this information, there does exist a possible solution to this problem...
Since coins cannot be printed out of thin air, and they cannot be counterfeited, copied, or spent by another user (as established previously), it might be tempting for one to say to say that we should make 1 coin = 1 vote, and it might seem at first glance that it would work, but we run into other problems, such as:
How do we make voting impossible/hard to fake?
If we are basing our mechanism on 1 coin = 1 vote, we need to make sure every coin that is voting is unique. After all, what stops someone from just sending coins to multiple wallets and just re-voting with the same coins? We can easily solve this by making a single vote equal to the quantity of coins multiplied by their age in days, and that will solve our issue of votes being easy to fake.
Where do the coins come from, and how do users vote with them?
The ONLY solution to this would be a single central party being given all of the coins ahead of time, and then distributing them to users so they can vote with them. In terms of the requirements for our voting mechanism, it is impossible to fake, meaning that votes are at the very least unique. This would essentially be 'Proof of Stake'. We can also hypothetically reward voters by giving them more coins by acting honestly, but more on that later...
If we were to use this as a voting mechanism, it would meet our requirement of being impossible/difficult to fake, but it would not be suitable for voting as outlined because it is an inherently centralized mechanism, on top of one that assumes others will act in good faith, and can result in a vote not being unanimous (and potentially tied votes). What do I mean by this? Well, to elaborate on this point-by-point...
It is an inherently centralized mechanism:
When a central party is the one distributing coins, they have all of the voting power in the beginning. They are the absolute gatekeepers of the network, and can choose who and who not to assign votes to. This is equivalent to a dictator owning a nation, and saying that they're switching to democracy, but they get to choose who can vote.
It assumes others will act in good faith:
We have already established that a central party starts with all of the voting power, so the next question one might ask is if coins are distributed fairly by the central entity, then shouldn't the voting mechanism meet all the requirements as stated previously? In theory, this would make sense, but in practice, it completely ignores the issue in the first place... How do we verify that the coins have been distributed fairly when nobody knows who is behind what wallet?
Anyone can generate wallets as they please, and just shuffle their coins to make it look like the distribution is fair when in reality, all of the shuffled coins belong to the same entity. There is no way of verifying whether or not coins are distributed fairly, which means that you are relying on the central stakeholder acting in good faith to keep the network working and secure.
It is not good at making unanimous decisions and reaching consensus
Often times, the consensus rules can and do get changed. In such a case, the network is also faced with a voting decision in which there are two different ledgers of coins. The coins themselves are also separate, but what is important to realize is that there needs to be some way of making a decision on which ledger to keep, and which to abandon. If votes are cast using coins, the incentive of stakeholders is not to stake only one chain, but both. They are rewarded for stalling the actual network itself, and making it harder to reach consensus. Incentives cannot be forced in the same way since staking is done on two separate forks. It's not a good set of incentives, and presents a fundamental flaw.
...So what is the solution?
Knowing all of this, there does seem to be one last solution to the governance system of our mentioned decentralized ledger, and that is using computing power to enforce rules. This consensus system is what is called Proof of Work, and to this day is the only consensus mechanism that actually checks off all the boxes, or at the very least, more than any other proposed "solution". If we iterate over all of our requirements, and compare:
Does not trust or assume others will act in good faith
Proof of Work doesn't have to trust that others will act in good faith, because mathematically speaking, everyone, good and bad, has no choice but to do so. If someone is transacting with you, and the computational power that has gone into embedding your transaction into the blockchain is more than the cost of the transaction itself, you can know with almost complete certainty that your transaction will not be reversed by an attacker. Furthermore, there is no central party that starts with all the voting power and can choose to keep it for the rest of eternity. For any one party to maintain power over the network, it requires constant reinvestment into securing the network itself. If more capital comes into the network, the entity's voting power automatically goes down, making it harder for them to have any control over the network.
Is decentralized
This one is somewhat debatable, but so far, PoW has much stronger decentralization when compared to PoS and other consensus mechanisms. In PoS, if one entity controls most of the coins, they have that power for the rest of eternity. Nothing can be done to prevent or change that. It is permanent as long as they choose not to sell their coins. In PoW, just because someone has a majority of the hashrate, it doesn't mean it is set in stone. If hashrate grows, then said entity has lesser voting power, and the network can eventually return to state where it is once again decentralized.
Impossible (or at the very least, extremely difficult) to fake
There is no way of faking votes in PoW at all. Every vote is done with computation, which can only be done by actually voting with computing power. This is what allows SPV in Bitcoin to work. Users don't need to see anyone else's transactions but their own (cryptographically, and irrefutably proven) to know that they are on the correct chain, and that their transaction has been backed with computing power.
Makes decisions in a timely manner
Any time the network has to reach an agreement, and the consensus rules change, resulting in two different ledgers, there is no incentive to try and divide hashrate between two chains, like there is to have equal staking in Proof of Stake. If a miner tries to divide hashrate, they will lose money doing so, as one chain becomes less and less profitable to mine. The incentives are directly to make a decision with their voting power.
The end result is a unanimous vote
This one is self-explanatory, but basically, the incentive of profit and the expenses incurred for actually attacking the network directly enforces decision making to be one-side only.
Single Points of Failure
One of the biggest differences between PoW and PoS, apart from the incentives laid out is how easy it is for the entire network to fail. In PoS, if one entity has majority stake in the network, the entire network has effectively failed, and permanently. Voting power for the majority staker remains the majority without any way out. With PoW, a miner with the majority of the hashrate has to constantly reinvest if they want to maintain their power over it, but them maintaining that power even after reinvesting capital is not a guarantee. This also benefits the network because it makes it more secure.
Trade-offs
So this might beg the question... Why even bother with PoS, and what does it do better than PoW? A lot of the answers revolve around vague words like "better scalability" and "much greener", but the truth is, I have yet to see an actual argument as to why PoS is more scalable. Hardware for seeing, keeping, and accepting transactions stays the same, so I don't see why there would be any magical capacity increase. As for the only good argument, PoS is less energy intensive. The question is whether or not that is worth it for the trade-off of inherently being much less decentralized, having poor incentives, or even being worse overall for decision-making.
Conclusion
While PoS has become more popular among crypto enthusiasts, and is being seen as an alternative to PoW, in my opinion, it is nothing more than a false promise. Intuitively, it would make sense to think about using coins for voting, as they're scarce, and can't be faked, and it seems like such a simple solution, which is why I personally believe Satoshi knew this well before actually releasing the Bitcoin whitepaper back in 2008. I don't think PoS is a radically new and unique idea that it only came around well after Bitcoin's conception. But I'm no fortune teller, so time will tell...
"In PoS, if one entity controls most of the coins, they have that power for the rest of eternity."
Perhaps one solution: if the community wish, they could fork the ledger and ban the address which owns the majority of the coins.