Criticisms of Proof of Stake

TLDR: If proof of stake is the route forward that we wish to pave, we must be aware of what we are signing up for and the potentially unavoidable side effects that may crop up. Merging governance capability to the network adds another layer of complexity and adds a whole new array of attack vectors for unwanted behavior and power creep. While IOG should be commended for publishing their work on Cardano, some of the underlying assumptions in their reward models invalidate any “proof” or guarantee of certain behavior in the on-chain network that underpins the formal specification and verification process. To quantify decentralization, it is suggested to use an existing economics metric, the Gini coefficient.

Part I: Proof of Stake and Governance

The largest issue, in my mind, is that Cardano is trying to merge governance with a proof of stake protocol. In a way, proof of stake is an admission that money and power are, in many ways, synonymous. Proof of stake doubles down on this concept by dictating that one’s ability to influence the network (as well as rewards received from the network) is tied to the amount of the underlying native asset they control (i.e. “money”). In the case of Cardano, this takes the form of stake pool operators (SPOs) who run the network nodes along with ADA holders who delegate their stake. Tying voting power to the amount of native asset owned or controlled, as Catalyst has functioned thus far, introduces a number of problems and creates opportunities for foul play.

  1. It builds upon the already great economic disparities that exist and increases the risk of an oligarchy forming, an existing criticism of PoS even without a formal governance structure.
  2. It detracts from voter participation due to voter apathy. There is little incentive to vote if one wealthy individual’s vote has the same weight as tens of thousands of “average” voters.
  3. It disproportionately benefits the voice of SPOs who have borrowed pledge.

Along with these, I would add
1a. currently, voting rewards are distributed proportionally to voting power. While this distribution is ‘proportional’ in a sense, it disproportionately rewards those whose votes already carry the highest weight (i.e. already have plenty of incentive to vote). A real world analog is Covid related subsidies for farmers in the US where, despite best intentions, relief has primarily benefitted large farming operations.

Additionally,
3a. Charles’ suggestion to allow the option for SPOs to vote on their delegators behalf gives them extremely outsized power especially if it is the default option. Doing this ties money, political influence, and network security all to SPOs. It makes it extremely difficult to optimize the network as a whole when all three are coupled together within a single group. I believe that there should be a way to allow for some form of representative voting but, at the current stage, there are no checks or balances in place to counteract a party abusing their privileged position.

…and yes, while I agree that governance is a critical step to utility and adoption, the irony of governance on a cryptocurrency platform is not lost on me.

“You wanted to be safe from the government so you became a stupid government.” - Rick Sanchez

Part II: Proof of Stake, Decentralization, and the RSS

A second issue, specific to Cardano, that I see (that has justifiably been a point of contention recently) is the reward sharing scheme (RSS). For details, I will be referencing the 2020 paper published by Brujnes et al. My primary concern is one shared by others in that proof of stake networks can lead to oligopolies. The IOG publication referenced is intended to reinforce the idea that the RSS has been run through the hoops for formal specification and verification that Cardano aspires to live up to. It’s a rather long technical document and is perhaps easy to get lost in the details, so I’ve outlined a few key areas that I see as misleading or altogether problematic.

Starting from the beginning, “A reward scheme determines the way by which the reward R is distributed to the pools and pool members, and the central issue of this work is to determine reward schemes with desired properties” (pg. 6). This is technically not true in that the reward is nearly always less than R, and not by an inconsequential amount. They do clarify this later in the document, “Note that we don’t have to distribute the whole amount R” (pg. 8). This is by no fault of the pool operators, it is merely a consequence of a0 (or α in the document). A knock-on effect of this is that the monetary expansion parameter no longer accurately describes monetary expansion on the network. Currently, approximately only 70% of the intended rewards are being distributed as is evidenced here.

A recurring complaint that I have is that some of the equations and text are confusing and/or misleading. One example is the myopic utility that a player i gets from their own pool
ui,i = (mi+(1-mi)ai,ii) * (r-c)
seems nonintuitive at first glance, but if you expand the first part of the right hand term in margin, mi, instead of relative player pledge, ai,ii, it becomes much easier to see that
ui,i = (ai,ii+(1-ai,ii)mi) * (r-c)
this is just the reward of the operator’s own pledge + the reward from margin on the remaining stake delegated to the pool (after the fixed pool cost has been deducted).

More importantly, the paper discusses Sybil resistance and Nash equilibrium, but in different contexts within separate models. The impression that is given to the Cardano community is that the RSS proposed provides both, however, it is not the RSS that leads to the Nash equilibrium but rather the explicit mathematical boundary condition dictating that a pool leader can create at most one pool. Throughout all models, with the exception of the few paragraphs in section 4.3, “we have assumed that each player can create at most one pool…” “…hence explicitly excluding Sybil attacks and whale stakeholders” (pg. 21, 19). Therefore, any conclusions made in regard to a Nash equilibrium (k pools of equal size) are only valid if SPOs are somehow limited to only creating a single pool. Formal specification and verification are of little value if the underlying assumptions are false.

Why does their model approach a Nash equilibrium? Because their model forces players to optimize for single pool returns rather than total possible returns . If their model had allowed for a single player to operate multiple pools then we would no longer expect to see the Nash equilibrium as there is no longer an artificial boundary (determined by k ) preventing growth. This is why the comparison between the “naïve” reward function, R/σ, and their RSS is a bit unfair. You would expect to see the same equilibrium in the “naïve” reward function as well if you placed the same simple saturation limitation on pools.

A final note on the article, the sum of rewards for each of the pools in tables 1-7 (pg. 29-32, 36-37) is greater than 1 in every case, suggesting that there is an error either in these simulations or in the table. Further supporting that this is an error, they state “…we observe the maximum rewards obtained by each pool at each epoch are in the range [R/((1+α)k), R/k]” (pg. 24) implying that with 10 pools the maximum reward should be ≤ 0.1, while the tables show that every pool has reward > 0.1.

Now, let’s suppose that Cardano implements an identity solution to allow these players (at least any that desire to be a SPO) to be identifiable. We could then strictly enforce that a single person or entity only be able to operate a single pool. The problem with this is that there are always workarounds. If I’m a wealthy SPO, I can simply start a second pool under the name of a family member. Or I can set up multiple business that are technically competitors, but choose to play nice with one another. There will always be work-arounds in the real world that are outside the realm of enforceablility by the protocol. As a side note, IOG in fact uses the Pareto distribution or “80-20” rule in determining the initial stake distribution, thereby acknowledging this pre-existing centralization of wealth in their own model .

So perhaps there is no way to enforce or adequately incentivize decentralization in a PoS network. Even so, since this appears to be the path that the industry is choosing to forge ahead on, it would be beneficial to know how decentralized the network is. This at least enables us to determine if the actions we take are truly aiding decentralization or not. While often confused as a metric for decentralization, the “optimum number of stake pools” k and even the current number of stake pools is a rather poor indicator. Slightly better, is IOG’s decentralization parameter, d , which is (oddly directly) proportional to the percentage of blocks minted by the old Byron nodes. I say slightly better because it focuses on the number of blocks produced rather than the number of pools, however, it is not as simple as saying that we will be “100% decentralized” once all nodes are producing Shelley blocks.

If we acknowledge block production as a source of income we can draw from existing economic metrics and use the Gini coefficient as a decentralization metric. The Gini coefficient is a means of measuring income or wealth inequality (taken by adding the normalized income or wealth discrepancy between each of the members). A Gini coefficient of 0 is perfect equality (each person has the same income) while a Gini coefficient of 1 is maximum inequality (one person has all of the income). If used as a decentralization metric for Cardano, one would instead add the normalized discrepancy in blocks produced between stake pools.
Gini
Here n is the number of stake pools, bi is the number of blocks produced by the ith pool over some specified interval, and bavg is the average number of blocks produced by all pools during that interval.

Of course, there will always be issues when one attempts to boil down a complex concept, such as decentralization, to a single number. One problem with using the Gini coefficient, as with any metric in our case, is the previous issue of pool splitting. Pools are assumed unique, whereas a single stake pool operator can run multiple stake pools so, ideally, an identity solution should be in place to correctly lump pools with their proper owners. Another thing to consider is how to define the number of pool operators . Do we count the pool operators that have never produced a block? What about pools with so little stake that they wouldn’t be expected to produce a block within 100 years? The easiest starting point is to just consider all pools with at least 1 lovelace staked and come to terms with the fact that this Gini coefficient would be skewed more towards inequality than it would be otherwise.

Finally, it may also be informative to consider two separate Gini coefficients. One would be the Gini coefficient for the wealth in the network (ADA pledged/owned) while the second would be the Gini coefficient for the income in the network (rewards received). These could be examined on a SPO basis or a global basis to draw a better picture of how decentralized the network is and if it is becoming more or less centralized over time.

3 Likes

Interesting article with some good thoughts, but pls try being aware of biases.

Thanks, though I’m not sure which biases you’re alluding to.

“A core criticism of proof-of-stake revolves around it being less egalitarian by making the rich richer, as opposed to proof-of-work in which everyone can contribute equally according to their computational power. In this paper, we give the first quantitative definition of a cryptocurrency’s egalitarianism. Based on our definition, we measure the egalitarianism of popular cryptocurrencies that (may or may not) employ ASIC-resistance, among them Bitcoin, Ethereum, Litecoin, and Monero. Our simulations show, as expected, that ASIC-resistance increases a cryptocurrency’s egalitarianism. We also measure the egalitarianism of a stake-based protocol, Ouroboros, and a hybrid proof-of-stake/proof-of-work cryptocurrency, Decred. We show that stake-based cryptocurrencies, under correctly selected parameters, can be perfectly egalitarian, perhaps contradicting folklore belief.”

“1. We define an exact measure of cryptocurrency egalitarianism; to do
this, we first define the egalitarian curve of a cryptocurrency from
which we extract the measure.
2. We measure and compare the egalitarian curve and egalitarianism
of four indicative proof-of-work cryptocurrencies (Bitcoin, Ethereum,
Litecoin, Monero), one representative proof-of-stake protocol (Ouroboros), and a hybrid cryptocurrency (Decred), using current market
data.
3. We show that proof-of-stake, when correctly parameterized, is, perhaps unexpectedly, perfectly egalitarian.”

1 Like

"Conclusion
In this work we explore the notion of egalitarianism of cryptocurrencies.
Although this notion has long been discussed, we are the first to give a
definition, which allows us to concretely argue about the egalitarianism
of various existing systems.
The results of our experimental simulations are very optimistic in
terms of usability of our metric, as they provide concrete figures which
measure the egalitarianism of several popular cryptocurrencies. The most
unexpected result arises from the comparison between the proof-of-work
11 Litecoin may appear to have better egalitarianism compared to Monero due to limited availability of mining machines. More data are needed to economically compare
scrypt and CryptoNight mining.
18
and proof-of-stake mechanisms. Although blockchain folklore argued in
favour of proof-of-work systems in terms of egalitarianism, our results
show that, in fact, it is proof-of-stake systems which are more egalitarian
in our model.
Our work provides the first step towards establishing a concrete framework of egalitarianism evaluation in the cryptocurrency ecosystem. Future
work will focus in evaluating more existing cryptocurrencies and investigating variations of consensus mechanisms such as delegated proof-ofstake. Additionally, we leave for future work the treatment of more complex economical models of the mining game such as dynamic systems and
adversarial strategies, as well as economies of scale in the multitude of
parameters we have ignored, such as electricity bulk pricing. We conjecture the consideration of such parameters will exacerbate the gap between
proof-of-work and proof-of-stake which we have illustrated in this work.
Finally, we remark that neither proof-of-work nor proof-of-stake blockchains are politically egalitarian systems, in which the ideal of one human
one vote is attained. Instead, at best, one coin one vote is attained in the
case of well-parameterized proof-of-stake systems. Thus, as illustrated
in this paper, blockchain systems are, for the time being, plutocratic.
Whether decentralized decision making in which each human is allocated
one vote is possible remains an open question. In such a system, the egalitarian curve would be strictly decreasing; however, our results, especially
Lemma 1, hint towards our conjecture that such systems are impossible
in a Sybil-resilient setting"

1 Like

Unfortunately, this paper only refers to pure proof of stake and they have left delegated proof of stake to future work. I’d be interested to see where this metric falls once delegation and the rewards function are considered as well. It’s part of why I proposed An Alternative to a0 and k, because its egalitarian curve is much more of a straight line than with the current rewards function.

Exactly, which mirrors my view that bringing governance to PoS in an egalitarian way will be exceedingly difficult, if not, impossible.

It will probably require the atala system… I agree it will be difficult, and who would be better than then IOHK and the cardano foundation to figure it out? Perfection in your mind may be impossible, but we only need improvement over the existing system to justify it’s development. https://www.atalaprism.io/

Agreed. I know that everything is running in parallel, but I think that (at least a dumbed down version of) Prism needs to be a top priority after Goguen. The more I look into things the more problems that I find where a solution involves needing to identify individuals or groups on the blockchain. Of course, with this comes number of privacy concerns and discussions that need to be had. I think Prism is the perfect opportunity to utilize zero-knowledge proofs to be able to identify individuals while at the same time protecting their identity (though I still have to dive into the theory a bit more to know if it is indeed possible, at first glance, I don’t see why it shouldn’t be).

Yeah, I’m looking forward to seeing what solutions IOHK and the cardano foundation come up with regarding privacy and KYC, regulations, Identity etc. I know they are aiming for the best of both worlds, but I’m also struggling to understand how that’s all going to work. It’s a fascinating philosophical debate. They’ve also done some research work with Horizen (Zen) around privacy