Criticisms of Proof of Stake

TLDR: If proof of stake is the route forward that we wish to pave, we must be aware of what we are signing up for and the potentially unavoidable side effects that may crop up. Merging governance capability to the network adds another layer of complexity and adds a whole new array of attack vectors for unwanted behavior and power creep. While IOG should be commended for publishing their work on Cardano, some of the underlying assumptions in their reward models invalidate any “proof” or guarantee of certain behavior in the on-chain network that underpins the formal specification and verification process. To quantify decentralization, it is suggested to use an existing economics metric, the Gini coefficient.

Part I: Proof of Stake and Governance

The largest issue, in my mind, is that Cardano is trying to merge governance with a proof of stake protocol. In a way, proof of stake is an admission that money and power are, in many ways, synonymous. Proof of stake doubles down on this concept by dictating that one’s ability to influence the network (as well as rewards received from the network) is tied to the amount of the underlying native asset they control (i.e. “money”). In the case of Cardano, this takes the form of stake pool operators (SPOs) who run the network nodes along with ADA holders who delegate their stake. Tying voting power to the amount of native asset owned or controlled, as Catalyst has functioned thus far, introduces a number of problems and creates opportunities for foul play.

1. It builds upon the already great economic disparities that exist and increases the risk of an oligarchy forming, an existing criticism of PoS even without a formal governance structure.
2. It detracts from voter participation due to voter apathy. There is little incentive to vote if one wealthy individual’s vote has the same weight as tens of thousands of “average” voters.
3. It disproportionately benefits the voice of SPOs who have borrowed pledge.

Along with these, I would add
1a. currently, voting rewards are distributed proportionally to voting power. While this distribution is ‘proportional’ in a sense, it disproportionately rewards those whose votes already carry the highest weight (i.e. already have plenty of incentive to vote). A real world analog is Covid related subsidies for farmers in the US where, despite best intentions, relief has primarily benefitted large farming operations.

Additionally,
3a. Charles’ suggestion to allow the option for SPOs to vote on their delegators behalf gives them extremely outsized power especially if it is the default option. Doing this ties money, political influence, and network security all to SPOs. It makes it extremely difficult to optimize the network as a whole when all three are coupled together within a single group. I believe that there should be a way to allow for some form of representative voting but, at the current stage, there are no checks or balances in place to counteract a party abusing their privileged position.

…and yes, while I agree that governance is a critical step to utility and adoption, the irony of governance on a cryptocurrency platform is not lost on me.

“You wanted to be safe from the government so you became a stupid government.” - Rick Sanchez

Part II: Proof of Stake, Decentralization, and the RSS

A second issue, specific to Cardano, that I see (that has justifiably been a point of contention recently) is the reward sharing scheme (RSS). For details, I will be referencing the 2020 paper published by Brujnes et al. My primary concern is one shared by others in that proof of stake networks can lead to oligopolies. The IOG publication referenced is intended to reinforce the idea that the RSS has been run through the hoops for formal specification and verification that Cardano aspires to live up to. It’s a rather long technical document and is perhaps easy to get lost in the details, so I’ve outlined a few key areas that I see as misleading or altogether problematic.

Starting from the beginning, “A reward scheme determines the way by which the reward R is distributed to the pools and pool members, and the central issue of this work is to determine reward schemes with desired properties” (pg. 6). This is technically not true in that the reward is nearly always less than R, and not by an inconsequential amount. They do clarify this later in the document, “Note that we don’t have to distribute the whole amount R” (pg. 8). This is by no fault of the pool operators, it is merely a consequence of a₀ (or α in the document). A knock-on effect of this is that the monetary expansion parameter no longer accurately describes monetary expansion on the network. Currently, approximately only 70% of the intended rewards are being distributed as is evidenced here.

A recurring complaint that I have is that some of the equations and text are confusing and/or misleading. One example is the myopic utility that a player i gets from their own pool
u_i,i = (m_i+(1-m_i)a_i,i/σ_i) * (r-c)
seems nonintuitive at first glance, but if you expand the first part of the right hand term in margin, m_i, instead of relative player pledge, a_i,i/σ_i, it becomes much easier to see that
u_i,i = (a_i,i/σ_i+(1-a_i,i/σ_i)m_i) * (r-c)
this is just the reward of the operator’s own pledge + the reward from margin on the remaining stake delegated to the pool (after the fixed pool cost has been deducted).

More importantly, the paper discusses Sybil resistance and Nash equilibrium, but in different contexts within separate models. The impression that is given to the Cardano community is that the RSS proposed provides both, however, it is not the RSS that leads to the Nash equilibrium but rather the explicit mathematical boundary condition dictating that a pool leader can create at most one pool. Throughout all models, with the exception of the few paragraphs in section 4.3, “we have assumed that each player can create at most one pool…” “…hence explicitly excluding Sybil attacks and whale stakeholders” (pg. 21, 19). Therefore, any conclusions made in regard to a Nash equilibrium (k pools of equal size) are only valid if SPOs are somehow limited to only creating a single pool. Formal specification and verification are of little value if the underlying assumptions are false.

Why does their model approach a Nash equilibrium? Because their model forces players to optimize for single pool returns rather than total possible returns . If their model had allowed for a single player to operate multiple pools then we would no longer expect to see the Nash equilibrium as there is no longer an artificial boundary (determined by k ) preventing growth. This is why the comparison between the “naïve” reward function, R/σ, and their RSS is a bit unfair. You would expect to see the same equilibrium in the “naïve” reward function as well if you placed the same simple saturation limitation on pools.

A final note on the article, the sum of rewards for each of the pools in tables 1-7 (pg. 29-32, 36-37) is greater than 1 in every case, suggesting that there is an error either in these simulations or in the table. Further supporting that this is an error, they state “…we observe the maximum rewards obtained by each pool at each epoch are in the range [R/((1+α)k), R/k]” (pg. 24) implying that with 10 pools the maximum reward should be ≤ 0.1, while the tables show that every pool has reward > 0.1.

Now, let’s suppose that Cardano implements an identity solution to allow these players (at least any that desire to be a SPO) to be identifiable. We could then strictly enforce that a single person or entity only be able to operate a single pool. The problem with this is that there are always workarounds. If I’m a wealthy SPO, I can simply start a second pool under the name of a family member. Or I can set up multiple business that are technically competitors, but choose to play nice with one another. There will always be work-arounds in the real world that are outside the realm of enforceablility by the protocol. As a side note, IOG in fact uses the Pareto distribution or “80-20” rule in determining the initial stake distribution, thereby acknowledging this pre-existing centralization of wealth in their own model .

So perhaps there is no way to enforce or adequately incentivize decentralization in a PoS network. Even so, since this appears to be the path that the industry is choosing to forge ahead on, it would be beneficial to know how decentralized the network is. This at least enables us to determine if the actions we take are truly aiding decentralization or not. While often confused as a metric for decentralization, the “optimum number of stake pools” k and even the current number of stake pools is a rather poor indicator. Slightly better, is IOG’s decentralization parameter, d , which is (oddly directly) proportional to the percentage of blocks minted by the old Byron nodes. I say slightly better because it focuses on the number of blocks produced rather than the number of pools, however, it is not as simple as saying that we will be “100% decentralized” once all nodes are producing Shelley blocks.

If we acknowledge block production as a source of income we can draw from existing economic metrics and use the Gini coefficient as a decentralization metric. The Gini coefficient is a means of measuring income or wealth inequality (taken by adding the normalized income or wealth discrepancy between each of the members). A Gini coefficient of 0 is perfect equality (each person has the same income) while a Gini coefficient of 1 is maximum inequality (one person has all of the income). If used as a decentralization metric for Cardano, one would instead add the normalized discrepancy in blocks produced between stake pools.

Here n is the number of stake pools, b_i is the number of blocks produced by the ith pool over some specified interval, and b_avg is the average number of blocks produced by all pools during that interval.

Of course, there will always be issues when one attempts to boil down a complex concept, such as decentralization, to a single number. One problem with using the Gini coefficient, as with any metric in our case, is the previous issue of pool splitting. Pools are assumed unique, whereas a single stake pool operator can run multiple stake pools so, ideally, an identity solution should be in place to correctly lump pools with their proper owners. Another thing to consider is how to define the number of pool operators . Do we count the pool operators that have never produced a block? What about pools with so little stake that they wouldn’t be expected to produce a block within 100 years? The easiest starting point is to just consider all pools with at least 1 lovelace staked and come to terms with the fact that this Gini coefficient would be skewed more towards inequality than it would be otherwise.

Finally, it may also be informative to consider two separate Gini coefficients. One would be the Gini coefficient for the wealth in the network (ADA pledged/owned) while the second would be the Gini coefficient for the income in the network (rewards received). These could be examined on a SPO basis or a global basis to draw a better picture of how decentralized the network is and if it is becoming more or less centralized over time.

Interesting article with some good thoughts, but pls try being aware of biases.

Thanks, though I’m not sure which biases you’re alluding to.

“A core criticism of proof-of-stake revolves around it being less egalitarian by making the rich richer, as opposed to proof-of-work in which everyone can contribute equally according to their computational power. In this paper, we give the first quantitative definition of a cryptocurrency’s egalitarianism. Based on our definition, we measure the egalitarianism of popular cryptocurrencies that (may or may not) employ ASIC-resistance, among them Bitcoin, Ethereum, Litecoin, and Monero. Our simulations show, as expected, that ASIC-resistance increases a cryptocurrency’s egalitarianism. We also measure the egalitarianism of a stake-based protocol, Ouroboros, and a hybrid proof-of-stake/proof-of-work cryptocurrency, Decred. We show that stake-based cryptocurrencies, under correctly selected parameters, can be perfectly egalitarian, perhaps contradicting folklore belief.”

“1. We define an exact measure of cryptocurrency egalitarianism; to do
this, we first define the egalitarian curve of a cryptocurrency from
which we extract the measure.
2. We measure and compare the egalitarian curve and egalitarianism
of four indicative proof-of-work cryptocurrencies (Bitcoin, Ethereum,
Litecoin, Monero), one representative proof-of-stake protocol (Ouroboros), and a hybrid cryptocurrency (Decred), using current market
data.
3. We show that proof-of-stake, when correctly parameterized, is, perhaps unexpectedly, perfectly egalitarian.”

"Conclusion
In this work we explore the notion of egalitarianism of cryptocurrencies.
Although this notion has long been discussed, we are the first to give a
definition, which allows us to concretely argue about the egalitarianism
of various existing systems.
The results of our experimental simulations are very optimistic in
terms of usability of our metric, as they provide concrete figures which
measure the egalitarianism of several popular cryptocurrencies. The most
unexpected result arises from the comparison between the proof-of-work
11 Litecoin may appear to have better egalitarianism compared to Monero due to limited availability of mining machines. More data are needed to economically compare
scrypt and CryptoNight mining.
18
and proof-of-stake mechanisms. Although blockchain folklore argued in
favour of proof-of-work systems in terms of egalitarianism, our results
show that, in fact, it is proof-of-stake systems which are more egalitarian
in our model.
Our work provides the first step towards establishing a concrete framework of egalitarianism evaluation in the cryptocurrency ecosystem. Future
work will focus in evaluating more existing cryptocurrencies and investigating variations of consensus mechanisms such as delegated proof-ofstake. Additionally, we leave for future work the treatment of more complex economical models of the mining game such as dynamic systems and
adversarial strategies, as well as economies of scale in the multitude of
parameters we have ignored, such as electricity bulk pricing. We conjecture the consideration of such parameters will exacerbate the gap between
proof-of-work and proof-of-stake which we have illustrated in this work.
Finally, we remark that neither proof-of-work nor proof-of-stake blockchains are politically egalitarian systems, in which the ideal of one human
one vote is attained. Instead, at best, one coin one vote is attained in the
case of well-parameterized proof-of-stake systems. Thus, as illustrated
in this paper, blockchain systems are, for the time being, plutocratic.
Whether decentralized decision making in which each human is allocated
one vote is possible remains an open question. In such a system, the egalitarian curve would be strictly decreasing; however, our results, especially
Lemma 1, hint towards our conjecture that such systems are impossible
in a Sybil-resilient setting"

Unfortunately, this paper only refers to pure proof of stake and they have left delegated proof of stake to future work. I’d be interested to see where this metric falls once delegation and the rewards function are considered as well. It’s part of why I proposed An Alternative to a0 and k, because its egalitarian curve is much more of a straight line than with the current rewards function.

Exactly, which mirrors my view that bringing governance to PoS in an egalitarian way will be exceedingly difficult, if not, impossible.

It will probably require the atala system… I agree it will be difficult, and who would be better than then IOHK and the cardano foundation to figure it out? Perfection in your mind may be impossible, but we only need improvement over the existing system to justify it’s development. https://www.atalaprism.io/

Agreed. I know that everything is running in parallel, but I think that (at least a dumbed down version of) Prism needs to be a top priority after Goguen. The more I look into things the more problems that I find where a solution involves needing to identify individuals or groups on the blockchain. Of course, with this comes number of privacy concerns and discussions that need to be had. I think Prism is the perfect opportunity to utilize zero-knowledge proofs to be able to identify individuals while at the same time protecting their identity (though I still have to dive into the theory a bit more to know if it is indeed possible, at first glance, I don’t see why it shouldn’t be).

Yeah, I’m looking forward to seeing what solutions IOHK and the cardano foundation come up with regarding privacy and KYC, regulations, Identity etc. I know they are aiming for the best of both worlds, but I’m also struggling to understand how that’s all going to work. It’s a fascinating philosophical debate. They’ve also done some research work with Horizen (Zen) around privacy

Great write up.

Nice post(ed) from all.

this may be of interest:

The curved pledge benefit (CIP 7) is not my preferred path as it complicates the reward function and still doesn’t address the coupling between a₀ and the monetary expansion parameter ρ (see the edit in my comment An Alternative to a0 and k - #4 by Serotonin), but overall I think it’s a move in the right direction.

Proof-of-stake is a huge improvement over the current proof-of-waste based security. But proof-of-stake isn’t something new at all. Banks have huge stake. Imagine a big company like US Bank decides to take all your money and wire all the money to some dictator in Nigeria. Could they do that? Yes. What prevents them from doing that? They have a lot at stake: the multi-billion dollar reputation they built over half a century. So, proof-of-stake is being presented as something novel the world has never seen before. It’s not new and it’s not ingenious, and it’s disingenuous to present it as if it is something brand new that the world has never seen before.

Sure, if you want to boil it down to the underlying concept there’s nothing inherently ‘new’ about PoS, albeit its use as a security mechanism in blockchain is fairly new (in the sense that blockchain itself in its current form is fairly new also, even though the concept itself isn’t). I’m not sure who is saying that it’s new or ingenious. I personally I would describe it as a pretty clever solution. Many people might find it obvious, but that’s in hindsight after already seeing the answer. That being said, I also apparently don’t think it’s a perfect solution as solves some problems but creates others.

I just feel like trolling this post with these links…

I’m glad to hear that PoS isn’t the end all be all plan for Cardano. I don’t want to go too far out on a ledge to suggest that the attached video implies an acknowledgement of their incorrect assumptions in the PoS model they published, but I’ll take it that way.

I wonder about a Proof of Merit system being used. I read an interesting article a while back (that I can’t be bothered to search around for) by a corporate lawyer suggesting that America used to be something a meritocracy until a slew of legislation was passed (in the 70s?) by those who had built their way to the top of this meritocracy to essentially throw up road blocks for everyone else (via patents/copyrights/corporate law etc.) and maintain their position at the top. I can’t vouch for how accurate this portrayal is, but it certainly seems like a potentially real threat vector that would need to be considered.

I do like the idea of being compensated to store network data and speed up relays, as well as the idea of drawing from a hat of N different resources to determine who can make a block.

Kia ora Sero, thanks so much for taking the time to write this up. I don’t understand the math – at all – but I understand your points and concerns about concentration of political power, governance and egalitarianism. I’ve been thinking a lot about it lately too. It’s good that we can discuss these things in an open and level-headed way, even if it’s difficult to criticise things we might be passionate about. I was thinking of that exact video as I was reading this, interesting stuff…

If we consider that utility and value are first principles of a currency then by reason, a political body will seek to maximize utility and value for the citizen because unlike my country, I can just leave a blockchain economy should I get fed up with the politics. There’s a big difference between jurisdiction and virtual jurisdiction. In a virtual jurisdiction there is only soft power not hard power. Every single node, every single participant in a blockchain economy is subject to the sovereign of their real-world jurisdiction. Of course, more regulation will be coming, the sooner the better in my view.

If indeed blockchain DLT economies do come to be liberators of people’s financial lives, perhaps it’s not the specific implementation of, but rather the technology itself that is the liberator. That is – so long as the technology exists, a new, more secure, more egalitarian version can always emerge. This is not something that can happen in a real-world jurisdiction without a bid for independence from a breakaway group or some other kind of serious (potentially deadly) political event.

For Cardano, now would be a good time to be laying the foundations of governance for governance. I’m not referring to the technical mechanisms to allow it, but rather the constitutional elements. It seems like Charles has a great vision for what Cardano could be. Why don’t we write a constitution? Not something that’s set in stone forever but something to give Cardano a good sure-footing from the get go.

Those are a few thoughts. I’m sure I’ve overlooked many things and maybe entirely mistaken on others.

Ngā mihi
Rhys
from Aotearoa

It’s good to hear that you’re thinking about these things as well! There’s a lot to unpack here.

I assume that here, you’re alluding to ‘political bodies’ within crypto wanting to optimize their governance structures to maximize utility and value and thereby drive adoption. I think that this is somewhat the case, but I feel like (perhaps pessimistically) this may only hold in the early days. If a crypto/DAO gets big enough, then perhaps there a point where you can’t ‘just leave a blockchain economy’ should you get fed up, similar to how you can’t just leave your current country/economy/ecosystem (without great difficulty).

I’m perhaps a bit more optimistic here, in that I don’t think that a bid for independence is strictly a requirement for change. Much in the same way that laws, such as the GDPR, in the EU can have a knock on effect in the US, there may be a way for the ubiquity of DLT in the future to force the hand (somewhat) of leaders in countries who are more reluctant to relinquish power. In other words, if they don’t allow DLT then they become at risk of falling behind.
The flip side to this, is that I also don’t see the technology itself as the liberator, but merely a tool. In the same way that atomic energy can be used to power homes or make bombs, the effect of DLT will be a mixed bag dependent on how it is used.
As for laying the foundations of governance for governance, I feel like this is what Catalyst is all about. I think any ‘constitutional elements’ need to be, in part, informed by the governance design itself and so would need to be developed alongside the governance structure, rather than preceding it. You could put forward a Catalyst proposal to test the waters for the communities desire for such a document. I’d be interested to see if a decentralized community sees merit in defining a common moral code for operating, what it would mean, and how it would be enforced.

This in itself explains why any form of PoS can never claim to be superior to PoW. Its alike comparing apples and oranges. PoW is an actual cryptocurrency. PoS is just another corporation selling you their “Product” as the next best thing. Just that the selling point now is “being crypto”.

PoS coins should basically stop calling themselves cryptocurrencies. Something like “Corporate Blockchain solutions” would be more honest. Ethereum is gradually moving to PoS for its Smart-contracts. If Cardano and Charles were honest with their intentions (being a corporate smart-contract platform rather than pretending to be a Bitcoin alternative), it’d be so much more beneficial for the Cardano community as well as crypto in general.

Trying to play this game about being a greener alternative to Bitcoin is really just intellectual dishonesty that can only fool the most naive of players. If you ask institutions to put Mulit-Billions of dollars of value similar to Bitcoin, they’d have to actually trust the system for being what it claims to be. Unfortunately, Cardano is just turning into an “Also-ran” by these claims vis-a-vis Bitcoin. Just a very wrong direction that the community has taken.

Like I said, just be honest on trying to be a high throughput PoS chain. Stop positioning as a Bitcoin replacement. The average Joe interested in passive income through staking and trying to shill his bags may not get it, but those intelligent VCs and institutional investors can see right through the intellectual dishonesty.