The Security Aspects of Proof-of-Work and Proof-of-Stake
Proof-οf-Work and Proof-of-Stake are the most common and widely deployed blockchain protocols, adopted by Bitcoin and Ethereum, respectively. In this note, we compare how much it costs to attack each protocol and how secure they are.
One of the most important issues in blockchains is how consensus on the correct state of a blockchain is achieved among the many participants who maintain and update it. The primary requirement is for an effective anti ‘double spending’ (counterfeiting) mechanism. Since participants do not know the identity of others, how can they communicate and agree on what information is to be written and by whom?
The easiest way of choosing the writer of the next block of transactions in a blockchain is to randomly pick one participant.1 However, this opens the possibility of a “Sybil attack”, where a participant creates multiple selves (e.g. multiple IP addresses) in order to increase their probability of selection and the payoff that they will receive. If a participant greatly increases their probability of selection, they can control the ledger for their own benefit and to the detriment of everyone else. The Proof-of-Work and Proof-of-Stake protocols are solutions to this problem and are therefore classed as “Sybil resistance mechanisms”.2 They require costly resources, making it increasingly difficult and expensive for a participant to create multiple selves. The Proof-of-Work mechanism achieves resistance by selecting the participant (miner) who can first solve a difficult (costly in terms of computation) problem. Proof-of-Stake specifies that the probability of selection is proportional to the miner’s stake of coins, which are by construction scarce and cannot be replicated.
A connected problem is that of fair currency distribution without creating a counterparty or any kind of central authority. In this context, fairness is the measure of pay in proportion to contribution to the network (and indirectly the ecosystem) which, pertinently for Proof-of-Stake, includes avoiding the creation of a majority authority within an intended decentralised system.
Proof-of-Work mining is used in Bitcoin as a bootstrapping mechanism to simultaneously fund the workers who provide transaction confirmation services and fairly issue and distribute the currency. The workers have bills to pay and so make good conduits for expanding circulation through an economy.
Proof-of-Stake has no bootstrapping ability as initially there are no coins for staking. Traditionally, projects have solved this problem by using Proof-of-Work instead in the early years of the network (e.g. Peercoin and Ethereum) or by accepting a central authority as issuer (e.g. EOS and Tezos). It is possible in some cases to rely on a pre-existing blockchain to either snapshot and replicate its holdings (an ‘airdrop’) or to demonstrate ‘proofs of burn’ (of some pre-existing asset) which can be verified by the new chain’s nodes and used to distribute issuances proportionally. Aside from Proof-of-Work, these mechanisms either outsource or worsen the problems of a decentralised bootstrap and verifiably fair distribution rather than solve them, and don’t have the benefits of bringing usable capital or services into the new chain.
The Proof-of-Work protocol achieves resistance to Sybil attacks by selecting the participant (miner) who can first solve a difficult (and costly in terms of computation) mathematical problem. Each miner attempts to be the first to solve a difficult cryptographic puzzle. Its solution is a number which, when combined with the content of the previous and new block of transactions, produces a “hash”, which must be lower than a given numerical threshold level. There is no analytic solution to this problem, hence the only way of solving it is by trying many different combinations of numbers. The more (and quicker) computers a miner has at their disposal, the higher the probability is that they will find an acceptable solution first.2 Crucially, when a miner finds a solution, they create a new block of transactions, allocate the reward (newly minted coins and miner fees) to themselves and broadcast the new block along with their solution to the wider network of miners. Other miners can instantly verify the solution, and thus confirm that the miner has done the required work and incurred the associated cost to solve the problem.
Proof-of-Stake specifies that the probability of selection is proportional to the miner’s stake of coins, which are by construction scarce and cannot be replicated. Effectively, the blockchain first records a set of validators. A validator can be anyone who locks their coins in a deposit. With Proof-of-Work, miners commit their computational power, whereas with Proof-of-Stake, validators commit their coins. As a result, staked coins are assets that can yield interest.
What do Blockchain Attackers Want?
Before discussing the cost of attack and the security aspects of a blockchain, we need to first understand their aims and objectives in attacking a blockchain.
The most common aim is to profit directly by reorganising the order of blocks of transactions in the blockchain, together with adding or removing some blocks from the blockchain.3 For instance, an attacker can ‘double spend’, by invalidating the block which contained their original transaction, in order to use the same tokens for a new transaction. A ‘front running’ attack can delay the inclusion of a transaction in the blockchain. For instance, an attacker can see a pending transaction to buy a token, buy the tokens first and then sell them to the initial buyer. This change in the order of transactions nets the attacker a sure profit, raising the price for the initial buyer, potentially making their trade unprofitable.
The second key aim is to degrade the security of the blockchain and therefore its value. An attacker can therefore profit indirectly by short selling the token. Moreover, attackers can try and prevent a blockchain from being attractive for other users and curtail its growth and adoption. In a Proof-of-Stake ‘double finality’ attack, two forks are established simultaneously, therefore creating a permanent schism in the blockchain. In a ‘finality delay’ attack, the network is prevented from achieving consensus on which transactions are finalised. If some transactions are prohibited from ever being included, the blockchain ceases to be censorship-resistant, a key characteristic of public blockchains.
It is important to note that an attack on the blockchain cannot result in ‘stealing’ someone’s tokens or issuing new tokens. Stealing someone’s token can happen only when a user’s seed phrase (password) is stolen, or if they are locked in a compromised or badly designed smart contract that is drained or hacked. However, this is unrelated to the consensus security of the blockchain.
One of the main security risks in both Proof-of-Work and Proof-of-Stake networks is that a validator leverages their profits to gradually become the dominant participant, resulting in a centralised network. This risk is more pronounced in Proof-of-Stake because rewards are proportional to the amount of the staked token. A validator who joins at the beginning of the network can hoard a large amount of the circulating tokens and build an unfair advantage over new entrants. In Proof-of-Work, controlling the network requires computing power which is externally sourced and unrelated to the circulating tokens, hence an early adopter does not have an unfair advantage and competition is levelled. However, this advantage of Proof-of-Work becomes a vulnerability in terms of fending off attacks in the early stages of the network. An outsider can easily attack a Proof-of-Work network at the beginning, when the value of the token and the difficulty of the cryptographic puzzle are low. With Proof-of-Stake, the initial validators can withstand this type of an attack if they agree not to sell their tokens, so that they cannot be bought and staked by an attacker.
Many different types of attacks on blockchain consensus rely on the attacker being able to have enough ‘votes’, either to replace an existing block of transactions or to block or delay a transaction’s acceptance into the blockchain. However, the consensus security considerations for the Proof-of-Work and the Proof-of-Stake protocols differ in terms of how consensus between everyone is reached. In a Proof-of-Work protocol, one’s influence of the consensus outcome is proportional to one’s hashrate, which is external to the blockchain. In a Proof-of-Stake protocol, one’s influence of the consensus outcome is proportional to one’s staked (locked) native tokens, hence internal to the blockchain. In both protocols, the cost of obtaining more influence over consensus is proportional to the value of the blockchain. In a Proof-of-Work protocol, as the value of tokens with which miners are paid increases, the competition from miners also increases, so the mathematical problem becomes more difficult, and the computing power needed to solve it increases as well. In a Proof-of-Stake protocol, the value of the blockchain is directly linked to the price of the tokens that an attacker needs to buy and stake.
Another security dimension that is often overlooked is token distribution. If tokens in a Proof-of-Stake blockchain are distributed unevenly, so very few entities control the majority of the tokens, security may be easier to compromise. The reason is that it can be easier for a small number of entities to collude, or to sell their tokens to an attacker with a few over-the-counter transactions, without increasing the market price. If the tokens are evenly distributed among entities, then coordinating an attack is more difficult, because buying a large share of the tokens on the open market can become prohibitively expensive as liquid supply dwindles. In a Proof-of-Work protocol, the token distribution does not matter, as staging an attack only requires computing power. However, this advantage is also a vulnerability, because even if all token holders are benevolent, they cannot be sure that the Proof-of-Work blockchain will not suffer external attacks. This is especially relevant for smaller Proof-of-Work blockchains which do not require chain specific ASICs to mine. In this scenario, entities with large general computing power, for example other Proof-of-Work blockchains miners, can quickly switch their hardware to a small Proof-of-Work blockchain and attack it. This has happened frequently to small Proof-of-Work blockchains where one can use Bitcoin mining equipment to attack. In contrast, to attack the Bitcoin blockchain, one needs to spend years (due to global prefabricated microchip manufacturing capacity constraints) and billions to accumulate enough hastrate (computing power) to successfully attack it. Proof-of-Stake blockchains can be secure on a protocol level, even when their value is low, provided the main token holders act benevolently. This is also dependent on the controls around the turnover of staked tokens and the proportion of overall tokens used to stake.
Another advantage of Proof-of-Stake is the possibility to destroy the attacker’s tokens if they have proven to act maliciously. For example, an attacker with at least 34% of the staked tokens can achieve double finality if they vote to validate two competing blocks. However, if the attack fails and one fork is abandoned, then their tokens in the prevailing fork can be slashed.4 This implies that the cost of a failed attack in a Proof-of-Stake blockchain can be higher than in a Proof-of-Work blockchain, where the honest nodes cannot punish the attacker by easily confiscating their computing power. In a Proof-of-Work blockchain, the hashing algorithm would need to be changed, which requires everyone to get new mining hardware. This is slow and costly to do.
Nevertheless, an absolute majority attack in Proof-of-Stake necessitates a socially coordinated hard fork to resolve, while the same in Proof-of-Work only requires at least one single actor (and ideally more) to compete with the attacker and dilute their influence back to minority level. The lower complexity of defence in Proof-of-Work and lack of coordination needed makes the prospect of financing an attack less desirable in the first place. Even if within a Proof-of-Stake system there are enough unstaked coins in circulation to mount a unilateral dilution against the attackers, they may have significant control of the chain and may be able to prevent those coins entering the staking pool.5 Socially coordinated hard forks are risky and complex operations involving political posturing, as well as the need to deploy a breaking change to all software instances keeping everyone in sync. The larger a system gets the harder both tasks become.
Censorship resistance is a desirable property of these systems and it is ultimately achieved by means of transaction fees which are an inducement to validators to include them. This inducement is most powerful whn there is a cost to validation. Proof-of-Work mining requires electricity which consumes capital. The fees are essential in a competitive mining landscape to reimburse the electrical costs, especially when the new coin issuance subsidy gradually diminishes. Miners will do everything they can to include as many paying transactions as possible per block. The ASICs themselves devalue quite fast and so to breakeven on them alone is challenging, further incentivising miners to include transactions. Proof-of-Stake staking requires an upfront capital expenditure but only insignificant ongoing costs. There is an opportunity cost associated with staking but no depreciation of capital. The staked coins are retained and can be sold at market value.
Cost of Attack for Proof-of-Work Blockchains
In this section, we calculate the cost of attacking a Proof-of-Work blockchain, using the 51% attack, which means that the attacker gains control of 51% of the total hashrate.6 Total hashrate is the (estimated) measure of the total computing power of the active network mining nodes (entities) that compete against each other to validate the next block of transactions to earn transaction fees and the new coin issuance. Assuming that all other nodes are honest and will not join in on the attack, the attacker needs to control a hashrate which is higher than the total hashrate of the other honest nodes.
The current estimated hashrate for Bitcoin, in February 2023, was around 315,000,000 TH/S (Terahashes per second), so an attacker needs to match this computing power. There are two ways of achieving this. The first is by buying specialised ASIC processors, computer hardware which is specialised for bitcoin mining and useless for other computer tasks. An Antminer S19 Pro processor has a capacity of 110 TH/S and consumes 3250W units of electricity. Dividing 315,000,000 with 110, we need 2.73 million ASIC processors. At around $3,000 for each one, the lower limit of the total capital cost is 3,000*2,730,000 = $8.2 billion. This assumes that 1) the price of ASICs will not rise given the excess demand; 2) there is enough prefabricated manufacturing capacity to meet this demand; and 3) Bitcoins hashrate remains constant in the meantime. All three are unlikely, hence the real cost is going to be much higher. The total electricity per unit of time is 3,250*2,730,000 = 8.87GW. If the attacker uses the ASICs only for one hour to conduct the attack, and at around $130 per MWh, the total electricity cost of 8.87 GWh is $1.15 million.
The total cost of around $8.2 billion is huge, but the total market cap for Bitcoin in February 2023 was around $580 billion. The total cost is also influenced by what the attacker will do with the ASIC processors after the attack. If the attacker continues to try and attack the bitcoin network, and no one is willing to outcompete the attacker, the honest nodes will be forced to change the specification of the hashing algorithm so that existing bitcoin mining hardware will not work on the upgraded network. This will materially depreciate the value of all existing Bitcoin mining equipment given 1) the low value of the other blockchains that the old, specialised bitcoin mining equipment can be used for; and 2) this computer hardware cannot easily be used elsewhere. However, the honest nodes cannot confiscate or destroy the attacker’s mining equipment, hence the attackers’ punishment cannot be as severe and efficient as it can be on a Proof-of-Stake blockchain, where the tokens can be slashed, without slashing the tokens of the honest nodes.
To calculate the cost of attack, we can also add the mining rewards that the attacker would earn within the hour of the attack. For Bitcoin, at the current Bitcoin block reward of 6.25 BTC every 10 minutes, owning 51% of the hashrate would pay in expectation 31.25 BTC per hour, which is around $1 million, at the February 2023 price of $30,000 per bitcoin. The bitcoin price would be greatly reduced if the attack was successful, however. The attacker could however earn far more revenue by double spending larger amounts of bitcoin, before people stopped using the Bitcoin network.
An alternative way of attacking is to rent the hashrate, instead of buying it. This is much cheaper, but it can only work for smaller blockchains. For a blockchain like Bitcoin, there is simply not enough available hashrate to rent for a 51% attack. The website https://www.crypto51.app/ calculates the theoretical cost of conducting a 1-hour, 51% attack, for most Proof-of-Work blockchains.
Nation states, with sufficient autonomy, are capable of seizing control of ASIC farms and even individual personal machines, as they can be located due to their discernible energy consumption and heating fingerprint. The cost to attack would be in mobilising troops to undertake the seizure of facilities and then running them, which is significantly less than the cost of the above scenario. If they successfully devalue bitcoin in the process, then the loss of tax revenue from miners can be considered a cost for the country. Bitcoin holders do not have to worry about this attack unless or until more than 50% of total hashrate is concentrated within a single nation state or at least in a group of allied states. It is estimated that China has been in such a position in the past and while they did not choose to seize facilities, they did enact a prohibition resulting in a massive emigration of operations.
Cost of Attack for Proof-of-Stake Blockchains
For a 51% attack on a Proof-of-Stake blockchain, one needs to control 51% of the staked tokens. Currently, around 15% of the coins are staked in the biggest Proof-of-Stake blockchain, Ethereum. Assuming again that all of the existing stakers are honest and will not join in on the attack, the attacker needs to buy 15% of the total coins. The total circulation of Ether is around 120 million, so at the February 2023 price of $1,900, the lower bound of the total capital cost was 120,000,000*0.15*1900 = $34 billion. We see that this is a much higher cost than for a Proof-of-Work blockchain, like Bitcoin, even though the market cap of Bitcoin is more than double the market cap of Ethereum. If Ethereum had the same market cap as Bitcoin in February 2023, at around $580 billion, but the staking remained at 15%, then the Proof-of-Stake cost of attack would be 580*0.15 = $87 billion, so roughly 10 times higher than attacking Bitcoin.
These calculations do not take into consideration that the price of Ether would increase if someone tried to buy 15% of the circulation, hence increasing the cost of attack further. We also ignore the staking rewards, which in February 2023 were at 5%, minus the cost of capital, which can vary widely, but as an indication the FED interest rate was at 4.75-5%. After a successful attack, the price of Ether would drop significantly, thus reducing the value of the attacker’s coins. More importantly, the honest nodes can in principle vote to destroy the attacker’s coins completely. This creates a huge disincentive for staging a 51% attack, making a Proof-of-Stake blockchain potentially more secure than a Proof-of-Work blockchain of a similar market cap.
To apply the nation state attacker special case, we must consider that enough coins belong to subjects of that state and that the state has the means to identify and compel the owners to hand over these intangible assets. This would only really be feasible if the coins are under the control of centralised asset management services. At the time of writing in Q2 2023, more than 22% of the staked Ether are held by asset managers (Coinbase, Kraken and Binance) with more than 16% being accessible to the US jurisdiction, so currently there is no cause for concern.
Although the Proof-of-Work and Proof-of-Stake protocols are similar in many respects, they differ in terms of their strengths and weaknesses when it comes to base layer security. Proof-of-Work is robust because the value of the blockchain is the most important determinant for securing it. This is also a vulnerability, especially for low value blockchains. On the contrary, the security of a Proof-of-Stake blockchain is very much dependant on either a fair distribution of tokens, or on the benevolence of the main token holders. The cost of attack for a Proof-of-Stake blockchain, like Ethereum, is much higher than that for a Proof-of-Work blockchain, like Bitcoin, ceteris paribus. Moreover, a Proof-of-Stake attacker can be severely punished by the honest nodes, who can agree to slash his tokens, thus making an attack even costlier. In a Proof-of-Work blockchain, the honest nodes cannot confiscate the attacker’s computing power, which can be used in other blockchains.
1 In contrast, Practical Byzantine Fault Tolerance algorithms [https://pmg.csail.mit.edu/papers/osdi99.pdf] require far more channels of communications between participants. This quickly limits the number of participants that can be practically involved in the decision-making process.
2 A comprehensive overview of the Proof-of-Work and Proof-of-Stake protocols is provided in the paper, “An Introduction to Distributed Ledger Technology”, available at https://en.aaro.capital/Download.aspx?ID=b82c52e7-b8e5-42a3-a771-9fd27f8cfb4d&inline=true.
3 See https://en.aaro.capital/Article?ID=9e672d5b-4b62-42c1-bbfd-853970dbf4ad for a detailed description of two popular attacks, the 51% attack and the selfish mining.
4 See https://ethereum.org/en/developers/docs/consensus-mechanisms/pos/attack-and-defense/ for a summary of the attacks and defences that are available on a PoS blockchain.
5 This can be achieved using strategies like selfish mining, although this depends on the specific Proof-of-Stake protocol design.
6 For a detailed explanation of the cost of 51% attack, see https://braiins.com/blog/how-much-would-it-cost-to-51-attack-bitcoin.