[gonehome]

I'm skeptical of proof-of-stake, proof-of-work seems like the main innovation of cryptocurrencies that differentiates them from the standard financial industry?

If you swap out POW for POS (or worse clearing house type trust orgs like Stellar) then aren't you just putting trust into some incentive based system no different than existing financial systems? Just instead a government you're trusting some other entity. You get faster throughput and less energy waste, but you lose the mathematical guarantee that was kind of the entire point?

I think climate change is a serious issue that would lead to change (likely bad), but I'm not sure it's a true e-risk or that cryptocurrency POW changes the tide that much. Feels like an irrelevant (somewhat identity-ish/political) side debate to me? (see Matt Yglesias' comments in this: http://rationallyspeakingpodcast.org/show/episode-251-the-ca...)

Happy to think about arguments that would change my mind.

[stormbeta]

And this is exactly why I'm so skeptical of cryptocurrencies in general. There doesn't appear any viable way to make them work as currencies that doesn't either have horrendous externalities, simply replicate what existing currencies already do (often poorly and with many downsides), or often both.

I don't think it's a coincidence that even a decade plus later, the primary use cases for crypto still seem to be grey/black market deals, speculative investments, and pyramid schemes.

[abecedarius]

> way ... that doesn't either have horrendous externalities

The CO2 emission externality need have nothing to do with Bitcoin or any other proof-of-work chain. Tax carbon at whatever level makes sense and Bitcoin will adjust. (As I understand it, even currently Bitcoin mining mainly uses renewable energy, because it's cheaper; and it's trending cheaper still.)

The externality is at the power plant, not the use. Banning a use is like basing your server's security on client-side Javascript.

[jsiepkes]

> Tax carbon at whatever level makes sense and Bitcoin will adjust.

> The externality is at the power plant, not the use. Banning a use is like basing your server's security on client-side Javascript.

How would that work? Applying the same carbon tax on farming as on bitcoin? You always need to differentiate on use. Otherwise we could also just have a single income tax and be done with it. However taxing food as much as a Ferrari doesn't really make sense.

[abecedarius]

The whole purpose of taxing carbon is to reduce carbon emission to the efficient level and shift energy consumers away from uses that are not worth the cost in carbon emission.

Say you're a bitcoin miner powered by a coal plant. A carbon tax is imposed. The price of your power goes up. Your competitors, powered by solar, are unaffected. Maybe you keep going at the higher price; more likely, if the tax was set at anything like the genuine externality, you shut down. Possibly you keep going for a while, winding down your ops at this location but moving any new ones to find affordable power. Sucks to be you if you didn't anticipate the tax (which seems implausible, they won't announce it effective next Monday), but Bitcoin itself will hardly notice.

Say you're a farmer also in coal-plant-land. Aren't farmers powered more by internal-combustion engines than grid power? That should be carbon-taxed too in this world, and that's good: you want farming, where it's climatically most expensive, to shift to less-CO2-costly methods and crops. Farming spends energy on a much wider set of tasks, some of them more essential to the output than others, and some outputs more inelastically demanded than others. For some of them you adjust, for some you continue and pay the higher price. The ones you adjust were not worth the carbon cost; the ones you don't were. You have to charge your customers some amount more, depending on how essential the coal turns out to be in your case. Maybe, like the bitcoin miner, you stop farming, or shift to some sort of less-intensive organic farming; maybe you don't. Either way, it's more likely the right decision for the planet! We stopped pretending that dumping carbon is side-effect free.

You don't "differentiate on use" by politicians and bureaucrats deciding what's naughty or nice. They don't even know! It's an incredibly complicated problem! They further have no real incentive to do it even vaguely right, rather the opposite: any competent politician can look to the public like they're public-spirited while favoring concentrated interests. Was the FDA just stupid for banning the J&J vaccine the other day? No, they're fundamentally misaligned with the public interest.

Re painting cryptocurrency as a nobody-needs-it Ferrari, see https://news.ycombinator.com/item?id=26654767

[Moodles]

Not to even mention the even more useless buzzword application of blockchains to business to pump up stock prices. I'd go as far to say that cryptocurrency is the most "useful" application of blockchain to date. And even then, it appears only truly useful for dark web transactions and pyramid schemes. Why else would we use a wildly fluctuating currency that takes 20 minutes to send a payment?

[cwkoss]

Dollar hegemony has many horrendous externalities as well.

[danimal88]

While that -might- be true, the question is whether the dollar, the RMB, the CAD, and every other currency have anything like the -direct- pollution cost of bitcoin, which my understanding is that they do not

[cwkoss]

I think the dollar undoubtedly has several orders of magnitude lower direct pollution costs, but also have several orders of magnitude higher indirect costs.

It's a pretty tangly web, so hard to know what to lump in as a comparison but in the superlative case consider: the federal reserve, many bank/FI departments tasked with securing and transferring money safely, auditing (public ledger has many benefits for transparency and reporting), money transfer industry, international relations, lobbyism, US military dominance, etc.

Bitcoin has zero employees, probably only thousands of people working on Bitcoin-interfaced systems. The network uses a large amount of electricity, but that's kind of it - there are few other costs to account for. All of those industries above collectively employ millions of people - should we account for only organizational energy consumption or do we also account for salaries and thus private energy consumption of all of the individuals necessary to support dollar hegemony?

I think it would be really interesting to find a number for "for each dollar in existence, how much is spent per year preserving the dollar's position as the global reserve currency?" How does this number compare to inflation? If it is greater than inflation, does that mean that dollar hegemony is unstable and its fall is inevitable?

[meowkit]

Can you share how Bitcoin has a direct pollution cost?

Last I checked BTC primarily uses excess electricity in the cheapest regions of the world. What if BTC only ran on solar power?

[cwkoss]

Of the estimates I've read, it seems like BTC uses about 60% green energy. Which is about double the 'green-ness' of the broader energy economy, but it's still a significant amount of 'direct pollution' from carbon sources.

[gonehome]

I remain cautiously optimistic about the underlying idea and core technology (even if there's a lot of pyramid scheme snake oil surrounding it).

Interesting applications do exist: https://news.ycombinator.com/item?id=24242005

Its applications are more interesting in countries that have unreliable governments and inflationary currencies (for now).

It also does provide something new (one way 'cash' transfers across a decentralized network).

[greg7mdp]

I don't see any reason to be skeptical of proof-of-stake. The ethereum beacon network has been up and running fine for months. And POS negates the power usage objection to POW.

[cwkoss]

I don't think anyone debates that POS is more power efficient than POW. The controversy over POS is whether the game theory incentives of POS will be sufficient deterrent for bad actors at scale.

[mikkel]

The biggest argument is the other coin networks that have been running for years in production without proof of work. Nano and EOS have interesting consensus models. Nano manages to remove all inflation and transaction fees and is just a base level currency. EOS has an account fee and you have to rent resources but can do code execution on transactions (smart contracts). They both rely on accounts voting for representatives and have had similar problems with spam. Nano has been running for > 4 years and EOS for > 1 years.

[jtsiskin]

For the uninformed, what mathematical guarantees does POW have that POS doesn’t?

[jude-]

PoW is open-membership, because the means of coin production are not tied to owning coins already. All you need to contribute is computing power, and you can start earning coins at a profit.

PoS is closed-membership with a veneer of open-membership, because the means of coin production are tied to owning a coin already. What this means in practice is that no rational coin-owner is going to sell you coins at a fast enough rate that you'll be able to increase your means of coin production. Put another way, the price you'd pay for the increased means of coin production will meet or exceed the total expected revenue created by staking those coins over their lifetime. So unless you know something the seller doesn't, you won't be able to profit by buying your way into staking.

Overall, this makes PoS less resilient and less egalitarian than PoW. While both require an up-front capital expenditure, the expenditure for PoS coin-production will meet or exceed the total expected revenue of those coins at the point of sale. So, the system is only as resilient as the nodes run by the people who bought in initially, and the only way to join later is to buy coins from people who want to exit (which would only be viable if these folks believed the coins are worth less than what you're buying them for, which doesn't bode well for you as the buyer).

[CuriousCosmic]

One important difference in favour of PoS that isn't brought up often is the financial cost to pull off an attack. Pulling off an attack in most PoS protocols results in coin slashing for the attacker ("deletion" of coins used in the attack) and on top of that can (and likely will) result in coin devaluation as well. This makes a successful attack against a PoS system very very expensive. The resource is spent and actually burned.

With PoW however the GPUs or ASICs don't disappear or lose value after the attack (caveat that the ASICs can lose value if networks switch away from the algorithm it is built for). The hardware can be used to attack "competitor" networks or used again in another attack against the network or other networks in the future.

In this sense, I suspect that PoS networks are able to properly recover from successful attacks far easier as well as dissuade attacks from the offset.

[jude-]

It's far easier to break a PoS chain -- you simply knock the coin-holding nodes offline. Knock enough offline, and you can no longer reach quorum. If offline nodes' coins get slashed in order to reach quorum and restart block production, and the system permits forking, then why would offline nodes rejoin the original fork? They're incentivized to only consider forks where they're not slashed. If the system does not permit forking, then the system breaks once the attackers (1) stake a nominal amount of coins, and (2) knock enough other nodes offline such that they are the majority staker.

[CuriousCosmic]

This isn't really an attack unique to Proof of Stake. If a node goes offline they can lose rewards or even in rare cases have their coins slashed to some extent but that isn't inherent to a Proof of Stake overall. A decent number of Proof of Stake systems instead place reward penalties on pools/nodes that go offline. The idea being that it is a penalty for not maintaining sufficient infrastructure while also not being so severe that it could be leveraged in such an attack.

Most PoS algorithms I've seen instead reserve stake slashing as a penalty for malicious behaviour. Going offline isn't by any means inherently malicious. There are however plenty of actively malicious actions that can be detected and reacted against. Often for the more severe penalties it will require some level of community involvement in the recovery stage to limit opportunities for abuse.

Additionally, it shouldn't be easy to take a block producer offline and Stake Pool(or node) Operators should be preparing for these types of attacks. I've been watching some of the work being done in the Cardano Stake Pool Operator community and the various SPO guilds have decently sophisticated architectures. "Nodes"/"Pools" are broken up into Relays, Producers, and sometimes additionally Key Generators. Key Generators produce the periodically expiring KES keys and pass them to the Producers on a schedule (to minimise potential attack surfaces). The Producers actually engage in the consensus using the keys provided by the key generators and communicate through the relays. The Relays handle the throughput and communication. This allows the producers (and by extension the key generators if used) to be largely shielded from the open net. This also allows producers and relays to have a certain amount of redundancy/failover. An architecture like that may cost more (and eat into rewards a bit more) however they are far more difficult to DDoS or compromise.

Since the barrier for the hardware is so low, a 1x2x2 or 1x2x3 (keygen x producer x relay) architecture can still be more than profitable (retaining 25% to 75% of the SPO rewards as profit). Additionally this has the advantage that various other income streams can be integrated in (state channel operation, compute nodes, storage nodes, etc) over time and the operation can be scaled up without compromising security or requiring a significant re-architecture.

Proof of Stake can be just as secure as Proof of Work but it requires that the incentives be structured properly and sufficiently hedged against potential risks.

[jude-]

Okay, so instead of knocking your nodes offline, the attacker only has to commandeer them for just long enough to commit a slashable offense. That's usually easier anyway.

This is fundamentally a double-edged sword -- the harsher your penalties are for bad behavior, the easier it is for someone to use a zero-day and kill your staking coins. But the laxer your penalties are, the more damage a buggy or malicious node can do with impunity.

Either way, the resilience of PoS comes down to the resilience of the majority of its staking nodes, because once you lose that, the system is dead. Once you control majority stake, it doesn't matter how many other offline coins exist -- you, as the majority staker, simply never mine their transactions.

This isn't true for PoW systems. A PoW system can always be brought back to life, even after an arbitrarily long amount of inactivity, and even if all the previous miners cease mining. All you need is one miner, somewhere, that has a copy of the chainstate, and the system makes forward progress.

[dlubarov]

It seems like your contention is that PoS coins are priced based on discounted cash flow, correct? I think that's a reasonable model, but it's hardly unique to PoS coins, and it doesn't really seem problematic.

> the system is only as resilient as the nodes run by the people who bought in initially

This point applies to any assets that generate cash flow, like stocks, yet they seem to have plenty of trading volume. And looking at some numbers on CoinMarketCap, it doesn't seem like PoS coins have lower trading volume than PoW coins. As one example, XTZ seems to have ~double BTC's turnover in the past 24h.

> these folks believed the coins are worth less than what you're buying them for, which doesn't bode well for you as the buyer

This could be said about most assets, even ones without cash flow like PoW coins. In practice there are other reasons for selling, like wanting to offset gains/losses for tax purposes, or wanting to buy food.

[jude-]

> It seems like your contention is that PoS coins are priced based on discounted cash flow, correct? I think that's a reasonable model, but it's hardly unique to PoS coins, and it doesn't really seem problematic.

It's very problematic if the system's liveness is tied to owning a coin. If I can knock PoS nodes offline, I can not only cause a quorum failure, but also I can cause the offline nodes's coins to get slashed (which is usually how PoS chains deal with this problem). Moreover, there's no recovery from this -- the temporarily-offline nodes are forever slashed, even if they come online later. (EDIT: I'm not limited to knocking nodes offline -- if I can commandeer them through a zero-day, the effect is the same: I make your nodes commit a slashable offense).

Contrast this to PoW, where even if you manage to knock a majority of miners offline, you ultimately have to keep them offline in order to prevent them from later generating and broadcasting a better chain than the one you want to exist. Even if you can physically destroy the majority of miners, the chain still lives on, and new miners can be built and brought online elsewhere.

> This point applies to any assets that generate cash flow, like stocks, yet they seem to have plenty of trading volume

Trading volume is easily faked in crypto-land -- a whale just sends coins to themselves. I'd like to see some hard evidence that the volumes are not from wash-trading. Also, this isn't relevant at all to the system's resilience.

> In practice there are other reasons for selling, like wanting to offset gains/losses for tax purposes, or wanting to buy food.

I didn't say you don't sell coins. I said you don't sell enough of them that the buyer can use them to increase their rate of coin production.

[melolife]

Open membership is arguably a worse problem than stake requirements, as PoW participants do not have a vested interest in preserving the integrity of the chain. Ethereum 2 actually throttles validator entries and exits for exactly this reason.

As an example, any sufficiently powerful entity can temporarily and affordably commandeer computational resources with the intention of disrupting the chain.

Under PoS doing so would devalue your (presumably enormous) stake, so participants are at least incentivized to act in the interest of the chain.

[jude-]

Open membership means that the chain stays alive as long as anyone in the world wants it to. This isn't true for PoS chains -- you must to acquire tokens to keep the chain alive.

> As an example, any sufficiently powerful entity can temporarily and affordably commandeer computational resources with the intention of disrupting the chain.

A sufficiently powerful entity can DoS enough staked nodes that quorum can't be reached, and thereby force a PoS chain offline indefinitely for far less energy. If they're clever, they'll buy some PoS coins first, so that once the offline nodes all get slashed, they'll be the majority staker.

[sibeliuss]

It's worth investigating Algorand's Pure Proof-of-Stake model and seeing how it compares to other POS implementations: https://algorand.foundation/algorand-protocol/about-algorand...

[jude-]

If the means of coin production require owning coins, you have these problems that PoW does not have. Definitely true for Algorand.

[sibeliuss]

Owning coins is a means of validating the network and appending to the blockchain, not producing new coins.

[jude-]

Try reading the paper: https://people.csail.mit.edu/nickolai/papers/gilad-algorand-...

You have to own coins to produce blocks.

[Paradigma11]

Staking rewards for new block generation is inflationary, so you are just not losing value by staking. Additional value is generated by fees and store of value.

With PoW coin you are constantly devaluing your share of the blockchain by paying some third parties operating giant gpu farms and hydroelectric dams.

[jude-]

> block generation is inflationary > store of value.

I stopped reading at this point.

[Paradigma11]

Good to know.

[RhodoGSA]

Thanks for this little tangent, it was pretty informative. what's your opinions on nominated proof of stake?

[gonehome]

This is the best (and also approachable well-written) book on the topic that I've found: https://bitcoinbook.cs.princeton.edu/

My (possibly incorrect) understanding is that POW is computationally expensive because that large investment of computation is what creates a chain of successive blocks (the blockchain). This prevents someone from rewriting history of transactions on the public chain (which would allow them to 'double-spend' or to take their money back).

POW currencies are guaranteed to prevent this kind of abuse unless any individual entity is able to get more than 51%. There's an incentive in addition to this because corrupting the integrity of the network would also devalue the currency. Larger networks (like BTC) are harder to do a hostile take over of because it's harder to get that much compute (though mining centralization is a risk).

POS relies on some variant individuals 'staking' coins to enable transactions, this means putting them up in escrow sort of in the network (they are paid small fees for this based on how much they stake) and if abuse is attempted, the system takes those staked coins away. There are no mathematical guarantees outside of this incentive.

POS is not as standardized across different currencies so I may be missing important bits in my understanding.

[plokiju]

> POW currencies are guaranteed to prevent this kind of abuse unless any individual entity is able to get more than 51%. There's an incentive in addition to this because corrupting the integrity of the network would also devalue the currency. Larger networks (like BTC) are harder to do a hostile take over of because it's harder to get that much compute (though mining centralization is a risk).

Couldn't this be re-written as:

> POS currencies are guaranteed to prevent this kind of abuse unless any individual entity is able to get more than 51% of the staked currency. There's an incentive in addition to this because corrupting the integrity of the network would also devalue the currency. Larger networks (like ETH) are harder to do a hostile take over of because it's harder to get that much stake (though validator centralization is a risk).

My (non-expert) interpretation is that staking is just an abstraction of mining, and they are secured by the same incentive system

[gonehome]

This comment above does a better job than I did at explaining why the staking incentive is somewhat flawed: https://news.ycombinator.com/item?id=26810686

[plokiju]

> PoS is closed-membership with a veneer of open-membership, because the means of coin production are tied to owning a coin already. What this means in practice is that no rational coin-owner is going to sell you coins at a fast enough rate that you'll be able to increase your means of coin production

It seems to me like they're arguing that PoW is more egalitarian/decentralized, which may be a fair point. But using the same argument, attackers being forced to buy stake in the open market should make PoS even more secure against 51% attacks than PoW.

I think this is a good post explaining the tradeoffs: https://vitalik.ca/general/2020/11/06/pos2020.html

[jude-]

Why would they need to buy 51% stake? Just buy x% and then knock the remaining staking nodes offline so that less than 2x% stake remains participating. That's often much cheaper.

[SkyMarshal]

PoW is anchored in some real-world value, the cost of electricity. PoS is not. Most of PoW’s security and tamper-resistance advantages derive from that characteristic.

[yokem55]

Ultimately, proof of stake has the same property. The value of the network that the stake protects is rooted in some kind of real world value. The tokens from the network can be traded for fiat money that is worth something. So, unless the value of the network being protected falls to zero, the stakes themselves are worth something. An attack on a proof of stake network still requires the resources to procure the attacking stakes. So, you still have a direct relationship between the item being protected and the cost of the protection.

[yokem55]

I would add - by focusing on using the economic value of electricity and stacks of special semiconductors to secure your network, you actually are making the network vulnerable to folks that can effectively create arbitrage on those specific narrow resources. In contrast, proof of stake can leverage a much broader range of economic resources that have far fewer arbitrage opportunities.

[sireat]

I am surprised a workable IPv4 based POS coin has not been produced. The consensus protocols are already using IPv4

That is one IPv4 address -> one unit of vote

Difficulty adjusts based on how many IPv4 addresses participate

Sure, it gives advantage to Apple, MIT or anyone with /8 block and disadvantages citizens from some countries with very small allocations but otherwise it could be scaled to whole world while staying truly green.

I suppose the hard part is figuring out the stake when multiple people on the same IP address want to participate.

[Paradigma11]

The staking rewards for block generation are inflationary. So you are penalized by not staking and it does not matter how long how stake your tokens your share of the blockchain does not increase. You also have to pay taxes for staking rewards in most countries so you have to sell at least that much. In the context of a bc with smart contracts you are basically owning and operating a share of a cloud for financial services. Those customers pay fees which get distributed with the staking rewards.

This does sound a lot saner to me than having some cabals operating giant computer farms and hydroelectric dams to generate new blocks. Their interests are different than those of token holders and having to pay for all those gpus and electricity is just stupid.

What mathematical properties are you losing?