On Proof-of-Work and "Consensus"

in ethereum •  8 years ago 

On Proof-of-Work Consensus Mechanisms

Or: how "consensus" became more centralized.

Foreword

So, just some context, because sometimes it needs to be said.

I'm fairly new to the whole crypto-currency space, so there are a lot of nuances and such that I'm sure I miss out on. My experience with cryptocurrencies is mostly limited to Bitcoin and Ethereum, with some dabbling in day-trading on the side (Full disclosure: I suck at it).

Given that I follow Ethereum pretty closely, I've actually become fairly involved in the whole hard-fork debate. I'm very strongly anti-fork, and am really not very happy about the fact that the hard-fork was not only accepted by the majority, but how that came about. Watching the debate evolve over the last few weeks--and looking back on the history of similar debates in the Bitcoin space--I started to come up with some musings about PoW and what we call "consensus".

More importantly, this is my attempt at articulating why what we know as "consensus" isn't really consensus anymore, at all.

On Proof-of-Work as Security

The entire point of Proof-of-Work as a security mechanism hinges on its ability to adequately deter attempts to rewrite or control history. The illustrious "51% attack", as the term goes, refers to the concept of obtaining so much hashpower as to be able to (on average) control the writing of the blockchain. The amount of hashpower required to "rewrite history" goes up the further back in time you wish to rewrite. Thus, a "51% attack" merely refers to the minimum amount of hashpower required to, on average, control which blocks get added to the blockchain, and serves as a minimum threshold for anyone who wants to control the blockchain (and potentially rewrite its history). Proof-of-Work, in theory, is designed such that miners, acting in accordance with their own selfish interests, prevent these sorts of damaging attacks from being economically viable.

In other words, it pays better to be honest.

Even if many miners were to collude to control the chain, the idea is that it should cost them more to do so than they could make by doing so.

Attacks such as these are further mitigated by the presence of nodes, which enforce the rules of consensus, refusing to relay blocks that don't follow the agreed-upon protocol. The simplest attack that this prevents is the attack where the miners collude to pay themselves more per block. If the nodes don't also agree to this change, the miners will be wasting their time mining blocks that are then rejected by the network.

Again, it should pay more to be honest.

Note that there are some assumptions at play here. The first is that miners are acting as individual actors, acting in their own individual best interests. This creates a large population of individual, (assumedly) rational actors, leading to an overall more secure consensus among them. The second is that miners are incentivized to maintain the health of the chain, meaning they won't act in such a way as to destroy the value of the chain they're mining.

Another note: "consensus", as used within the context of PoW, refers to agreement among all miners, as individuals. This implies that miners who refuse or fail to act upon a vote that requires their input are implicit votes for the status quo. The idea behind the concept of "a non-vote is a vote for the status quo" is to impart inertia upon the network. If a change is desired by some miners, it needs to be compelling enough that it's in the economic best interest of the majority of them to make the change. If a majority of miners cannot be incentivized to vote, the vote should fail.

This prevents a highly-incentivized minority from seizing control of the chain before the apathetic majority can act. In fact, the idea is that there is never such a thing as a "no" vote--just votes for change, and votes for the status quo. This ensures that changes can only be made when there's sufficient incentive for the majority to vote at all.

These concepts--that attacks should be economically infeasible, that miners act in defense of the chain through their own economic self-interest, and that highly-incentivized minorities cannot control the chain--are what govern the security of a PoW blockchain.

On Mining Pools and Altcoins

Since the original implementation of PoW in Bitcoin, many other coins have been created that leverage the same scheme for security. Most of them differ in terms of what algorithm is used to provide the proof of work, and most of them generally rely on the same assumptions and mechanics to guarantee the security of their own chains.

Mining pools (as far as I can tell) originally started out as a measure of convenience, and a way to minimize the variability of getting paid. By joining a pool, the randomness of mining blocks can be smoothed across the entire pool, leading to more regular payouts for everyone in the pool. The pool operator is incentivized to run a pool by skimming a little bit off the top of every block mined, presumably to cover their own expenses.

Altcoins come in many flavors, some of them created as scams, others to fill in perceived gaps in another coin's functionality. It's widely regarded that most are (ultimately) scams, but a few important ones have been created along the way. Ethereum, after all, is one of these altcoins.

The creation of many altcoins, the advent of pools, and the fact that most altcoins can be mined on the same GPUs has led to changes that affect the assumptions of PoW.

One of the more interesting ones is the advent of GPU mining. This allows anyone with a GPU to mine a coin, greatly expanding the set of miners. In the one-chain scenario, this would be a very good thing. However, since that same GPU can mine nearly any other altcoin, it represents a shift in the incentives for that miner. No longer are they only incentivized to see the value of the coin they're mining increase--they're incentivized to see the value of any mineable coin increase. If the one they're currently mining depreciates in value, they can easily switch to another, more profitable coin. If another coin comes along and surpasses the coin they're mining in value, they can easily switch to that one.

This has led to the commoditization of mining power. People can rent their miners out to whomever is willing to pay them the most. People can configure their miners to automatically switch to whichever coin is the most profitable right now. By pointing these miners at mining pools with consistent payout schemes, their losses in the event of needing to switch coins are even further reduced. Consistent payout schemes reduce the time a miner has to wait until their next "paycheck".

This shift in incentive for miners leads to a very large population of "apathetic" miners--miners who are completely on auto-pilot, and often aren't even in control of which blockchain they're contributing their hashpower towards. All that matters to them is that they're getting paid the most they could be paid right now--regardless of which coin that is.

This breaks the assumption that miners' economic self-interest is aligned with the economic interests of the coin they're mining. This also breaks the assumption that miners are interested in the long-term health of the chain they're mining--since it's now in their best interest to just mine whichever coin is worth most right now.

In essence, miners see mining more like investing in an index fund rather than in an individual company.

On Pool Operators

With miners' investments in mining no longer tied to a single coin, but rather to a large set of coins, we end up in a scenario where the majority of hashpower is entirely apathetic to any single coin's current status. Combined with the fact that the vast majority of hashpower on any given chain belongs to a pool for that coin, the number of economic actors for any given coin has been reduced. Instead of consensus of miners being consensus within the population of all individual miners, it has now been reduced to consensus among pool operators for that coin.

Many pools even service multiple coins, meaning their relative investment in any one coin is reduced.

It also continues to be in a pool operator's best interests--economically, again--to align their hashpower with the will of the other pools. This further shrinks the number of individual actors controlling the hashpower to the few largest pools. Where they go, the smaller pools follow.
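One way to measure the shift described in this section is to count the fewest actors needed to control more than half the hashpower, first treating every miner as its own decision-maker and then grouping pooled miners under their operator. This is an added example, not part of the original post; the miner population, rig sizes and pool names are constructed sample data.

```python
from collections import defaultdict


def build_sample_miners():
    """Constructed data: 1000 miners with rigs of 1..5 hashrate units.
    850 of them point at four hypothetical pools, 150 mine solo."""
    miners = []
    for i in range(1000):
        pool = ("pool-A" if i < 300 else "pool-B" if i < 550 else
                "pool-C" if i < 750 else "pool-D" if i < 850 else None)
        miners.append((f"miner-{i}", 1 + i % 5, pool))
    return miners


def hashpower_by_miner(miners):
    """The original assumption: every miner decides for itself."""
    return {miner_id: hashrate for miner_id, hashrate, _ in miners}


def hashpower_by_decision_maker(miners):
    """Group hashrate by whoever picks the chain to build on: the pool
    operator for pooled miners, the miner itself for solo miners."""
    shares = defaultdict(int)
    for miner_id, hashrate, pool in miners:
        shares[pool or miner_id] += hashrate
    return dict(shares)


def min_actors_for_majority(shares):
    """Fewest actors whose combined hashrate exceeds 50% of the total."""
    total = sum(shares.values())
    running = 0
    for count, hashrate in enumerate(sorted(shares.values(), reverse=True), 1):
        running += hashrate
        if 2 * running > total:
            return count
    return None  # empty input


def combined_share(shares, actors):
    """Fraction of total hashrate held by the named actors."""
    return sum(shares[a] for a in actors) / sum(shares.values())


if __name__ == "__main__":
    miners = build_sample_miners()
    solo_view = hashpower_by_miner(miners)
    pool_view = hashpower_by_decision_maker(miners)
    print("decision-makers, miner view:", len(solo_view))
    print("decision-makers, pool view: ", len(pool_view))
    print("actors needed for majority, miner view:", min_actors_for_majority(solo_view))
    print("actors needed for majority, pool view: ", min_actors_for_majority(pool_view))
    print("pool-A + pool-B share:", combined_share(pool_view, ["pool-A", "pool-B"]))
```

The hashpower is identical in both views; only the number of parties who have to agree changes.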

On the Modern Hashpower "Consensus"

All this leads to an outcome that mining was supposed to defend against: the centralization of the security of the blockchain among a small group of actors. The original concept of PoW security was partially predicated on an increase in the number of economic actors--the more there are, the harder it is for any subset of them to control the network. However, with the majority of hashpower for most coins belonging to 2-5 pools, the number of actors controlling the hashpower of the network has dramatically shrunk, not increased.

This is further compounded by reducing the likelihood that any split be "contentious", at least from a hashpower perspective. Even when the users of a coin are strongly divided on its future, the outcome will be that the majority of miners are on one side or the other. Some would argue that this is good for the coin--but others argue that it reduces the mindshare of the community by distilling it to one group or another. The other problem is that this is largely divorced from the actual control over the blockchain.

Pool operators, in general, don't care which side of a fork wins. They just care that they all agree, since being in agreement is what's economically rational for them to do. Less important is the how and why a particular side of an argument wins.

This defeats one of the final assumptions that PoW rests upon: the inertia of miners. No longer does an apathetic majority of hashpower lend a dampening effect to the direction of a chain--now it can be used as leverage by pool operators to encourage the agreement of other operators.

Again, given that pool operators will be largely unconcerned about which side of a contentious fork wins, this makes them especially susceptible to manipulation--both social and economic.

On Nodes and Exchanges

Which brings us back to nodes. The only mechanism still in place to prevent collusion among pool operators is the consensus of the nodes that relay their blocks. Among these nodes, however, are a few important actors: exchanges. Given that exchanges are the entrypoints into a coin (from another currency, usually), whichever side of a fork they pick will most likely be the one that retains its value. If a coin is no longer listed on an exchange, it becomes extremely difficult to gain more users, and thus more value.

It's worth examining the incentives of exchanges at this point. Most will, like pool operators, be apathetic to the actual reasons for a fork. This is because their incentives mostly revolve around volume of trades, and less around the relative value of any given coin. Like an index fund, their profitability is "smoothed" across the value of all coins they offer. They can offer one side of the fork, or both, and suffer little in the way of losses.

Like pool operators, that leaves them more susceptible to influence--again, both economic and social. If they can be convinced that it's in their economic best interests to support one side of the fork or the other, they'll support that side. It's also in their best interests to be aligned with the pools on which side of the fork they pick... They only risk losing out if they pick the opposite choice as the pools.

The reverse holds true about the mining pools: they only risk losing money if they pick differently than the exchanges.

So all things being equal, it's in both the exchanges' and pools' best interests to be aligned on the outcome of a fork.

Which leaves us with the rest of the nodes.

On Defaults

With nodes, same as miners, on decisions that are unrelated to the protocol, the default vote is a vote for the status quo. Nodes that do not upgrade should continue to be on the same chain as nodes that do--unless there is a required change in the protocol. The design here is the same as with miners--the inertia of the implicit vote for the status quo protects the network from a highly-incentivized minority taking control.

This is where the concept of defaults becomes a little tricky. For changes to the protocol like bug fixes, it should be assumed that the default would be to support the fix, with nodes that fail to upgrade becoming orphaned. For changes to the protocol along the lines of upgrades, the same story should apply.

However, for forks involving things other than changes to the protocol, it's assumed that the default vote is a vote for the status quo. Again, the assumption is that this is for the protection of the entire network, and that nodes should be apathetic to anything other than the nature of the protocol itself.

Where this gets sticky is when the change is a matter of opinion. Here, whichever setting is chosen to be the default exerts extreme control over the outcome of the vote. This, again, is because it leverages the "apathetic" nodes to sway the vote. Instead of them being a "vote for the status quo", they can become an implicit vote for change.

The control over the default is also in the hands of a very small number of actors, even when there are multiple implementations--like exchanges and pools, they're highly incentivized to align on the default. In fact, they're also highly incentivized to align with pools and exchanges, for the same reasons pools and exchanges are incentivized to align.

On "Consensus" and "Trustless Networks."

What this boils down to is this: in the event of a contentious hard-fork--one that is neither a protocol upgrade nor a bug fix--the outcome is likely not determined by individual nodes, individual miners, or individual users. Consensus among miners is likely impossible, due to the lack of involvement--and consensus among users or nodes is mostly predicated on the defaults set within the code they're using.

This reduces "consensus" from "consensus among individual miners, users, and node operators" to "consensus among pools, exchanges, and developers."

Rather than the network securing itself in a "trustless" (trust-minimized) fashion, it now depends on the opinions of a very small set of actors.

Conclusion

The security of Proof-of-Work is still sound in some ways, but it's based on outdated assumptions. The assumption that the number of individual actors mining the chain grows over time is no longer true, as that responsibility has been centralized among the pool operators, whose largest incentive is to be aligned, not pick a side. The assumption that miners' interests are aligned with the blockchain's goals is broken by the ability to switch coins based on current profitability, rather than future profitability.

Which, of course, begs the question... What do we do about this? This should be a question on everyone's minds, especially in the Ethereum ecosystem. Ethereum, in particular, is at risk of forking again, this time over the upcoming "difficulty bomb." It's in pool operators' best interests to fork the difficulty bomb away, since it drastically reduces the profitability of mining Ethereum. This would lead to an exodus of mining hashpower, as Ethereum loses its place as the "most profitable coin to mine."

This, in turn, means it's in the users' best interests to fork the bomb away, as well, since no one wants to be using a blockchain whose security is decreasing over time.

Which leads to the biggest question of all: how does the switch to Proof-of-Stake play out in this world? It's decidedly against any miners' best interests to support a switch to Proof-of-Stake, so how do we prevent them from creating a fork in which Proof-of-Work continues to be supported? Exchanges, on the other hand, might be highly incentivized to see Proof-of-Stake become a reality--because they currently hold the largest reserves of Ethereum, and have the most to gain from staking some portion of it.

The only way I see the switch happening is a clean break, with the nodes defaulting to the switch, and with the exchanges on board.

But the "interest rate" of PoS is small, meaning miners could bribe exchanges into not supporting the PoS coin.

This means the decision might ultimately fall to the users of Ethereum--the same users who just recently revealed they were fine with giving up on some of its core values under extenuating circumstances. This carries the potential of it dividing the community, yet again. With those who feel the most strongly about Ethereum's core values--those who opposed the hard-fork and are still on the minority chain--already having left the community, it will be interesting to see how it plays out.

After all, when it comes to manipulating consensus, the cheapest way to do it is with politics.


Great disclosure. ;). I tell people IANAT -- I am not a trader.

This deserves more upvotes. Thanks for putting it together.

I'm fairly new to the whole crypto-currency space, so there are a lot of nuances and such that I'm sure I miss out on. My experience with cryptocurrencies is mostly limited to Bitcoin and Ethereum, with some dabbling in day-trading on the side (Full disclosure: I suck at it).

Given that I follow Ethereum pretty closely, I've actually become fairly involved in the whole hard-fork debate. I'm very strongly anti-fork, and am really not very happy about the fact that the hard-fork was not only accepted by the majority, but how that came about. Watching the debate evolve over the last few weeks--and looking back on the history of similar debates in the Bitcoin space--I started to come up with some musings about PoW and what we call "consensus".

It's interesting to me that you are fairly new to the space but you are so confident in your posture on these issues. Maybe it's your style on reddit and I am misreading you, but in my experience, such overconfidence is a hindrance. At best it's just remarkably unprofitable. Food for thought. I am running on empty 350 posts but good to have you on Steem and I look forward to your musings as they evolve.

Thanks m8!

Honestly, the overconfidence is a bit of a problem. It comes from turning a problem over and over a little obsessively, until I see how all the pieces (can) fit together. Then it becomes hard to see them fitting together any other way--until more pieces get added, that is.

I like complicated systems like this. I like them less so when they get political like this, but regardless of whether or not I like them, they're utterly fascinating.

I do hope someone will come along and tell me where I'm wrong in some of my assumptions, or perhaps point out some additional information that would force me to rethink the model I've come up with. I'd especially like to hear from someone involved in Ethereum's development, but I don't think they're too fond of me over in their subreddit these days :(

C'est la vie.