by jtsiskin 1895 days ago
For the uninformed, what mathematical guarantees does POW have that POS doesn’t?
3 comments

PoW is open-membership, because the means of coin production are not tied to owning coins already. All you need to contribute is computing power, and you can start earning coins at a profit.

PoS is closed-membership with a veneer of open-membership, because the means of coin production are tied to owning a coin already. What this means in practice is that no rational coin-owner is going to sell you coins at a fast enough rate that you'll be able to increase your means of coin production. Put another way, the price you'd pay for the increased means of coin production will meet or exceed the total expected revenue created by staking those coins over their lifetime. So unless you know something the seller doesn't, you won't be able to profit by buying your way into staking.

Overall, this makes PoS less resilient and less egalitarian than PoW. While both require an up-front capital expenditure, the expenditure for PoS coin-production will meet or exceed the total expected revenue of those coins at the point of sale. So, the system is only as resilient as the nodes run by the people who bought in initially, and the only way to join later is to buy coins from people who want to exit (which would only be viable if these folks believed the coins are worth less than what you're buying them for, which doesn't bode well for you as the buyer).

One important difference in favour of PoS that isn't brought up often is the financial cost to pull off an attack. Pulling off an attack in most PoS protocols results in coin slashing for the attacker ("deletion" of coins used in the attack) and on top of that can (and likely will) result in coin devaluation as well. This makes a successful attack against a PoS system very very expensive. The resource is spent and actually burned.

With PoW however the GPUs or ASICs don't disappear or lose value after the attack (caveat that ASICs can lose value if networks switch away from the algorithm they are built for). The hardware can be used to attack "competitor" networks or used again in another attack against the network or other networks in the future.

In this sense, I suspect that PoS networks are able to properly recover from successful attacks far more easily, as well as dissuade attacks from the outset.

It's far easier to break a PoS chain -- you simply knock the coin-holding nodes offline. Knock enough offline, and you can no longer reach quorum. If offline nodes' coins get slashed in order to reach quorum and restart block production, and the system permits forking, then why would offline nodes rejoin the original fork? They're incentivized to only consider forks where they're not slashed. If the system does not permit forking, then the system breaks once the attackers (1) stake a nominal amount of coins, and (2) knock enough other nodes offline such that they are the majority staker.

This isn't really an attack unique to Proof of Stake. If a node goes offline it can lose rewards or, in rare cases, even have its coins slashed to some extent, but that isn't inherent to Proof of Stake overall. A decent number of Proof of Stake systems instead place reward penalties on pools/nodes that go offline. The idea being that it is a penalty for not maintaining sufficient infrastructure while also not being so severe that it could be leveraged in such an attack.

Most PoS algorithms I've seen instead reserve stake slashing as a penalty for malicious behaviour. Going offline isn't by any means inherently malicious. There are however plenty of actively malicious actions that can be detected and reacted against. Often for the more severe penalties it will require some level of community involvement in the recovery stage to limit opportunities for abuse.

Additionally, it shouldn't be easy to take a block producer offline, and Stake Pool (or node) Operators should be preparing for these types of attacks. I've been watching some of the work being done in the Cardano Stake Pool Operator community and the various SPO guilds have decently sophisticated architectures. "Nodes"/"Pools" are broken up into Relays, Producers, and sometimes additionally Key Generators. Key Generators produce the periodically expiring KES keys and pass them to the Producers on a schedule (to minimise potential attack surfaces). The Producers actually engage in the consensus using the keys provided by the key generators and communicate through the relays. The Relays handle the throughput and communication. This allows the producers (and by extension the key generators if used) to be largely shielded from the open net. This also allows producers and relays to have a certain amount of redundancy/failover. An architecture like that may cost more (and eat into rewards a bit more), however it is far more difficult to DDoS or compromise.

Since the barrier for the hardware is so low, a 1x2x2 or 1x2x3 (keygen x producer x relay) architecture can still be more than profitable (retaining 25% to 75% of the SPO rewards as profit). Additionally this has the advantage that various other income streams can be integrated in (state channel operation, compute nodes, storage nodes, etc) over time and the operation can be scaled up without compromising security or requiring a significant re-architecture.

Proof of Stake can be just as secure as Proof of Work but it requires that the incentives be structured properly and sufficiently hedged against potential risks.
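The comment above relies on "periodically expiring" producer keys: a producer that is compromised at some period should not be able to sign for periods that have already passed. The following is an added example, not code from the thread and not Cardano's actual KES construction (which is a different, sum-composition scheme over Ed25519 keys): a toy forward-secure signing key built from Lamport one-time signatures under a Merkle tree, where the holder erases each period's secret as it expires. Message digest width (32 bits) and period count (4) are toy values chosen for readability and are assumptions, as are all names below.

```python
import hashlib
import os
from dataclasses import dataclass

MSG_BITS = 32   # toy: sign a 32-bit digest of the message (assumption, far too short for real use)
PERIODS = 4     # toy: four key-evolution periods (assumption); must be a power of two


def H(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


def msg_bits(msg: bytes) -> list:
    d = int.from_bytes(H(b"msg", msg)[: MSG_BITS // 8], "big")
    return [(d >> i) & 1 for i in range(MSG_BITS)]


def lamport_keygen():
    """One-time key: two random secrets per message bit; public key is their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(MSG_BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def pk_digest(pk) -> bytes:
    return H(b"leaf", *[x for pair in pk for x in pair])


def lamport_sign(sk, msg: bytes) -> list:
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, msg_bits(msg))))


def _next_level(level):
    return [H(b"node", level[i], level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves) -> bytes:
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_path(leaves, idx: int) -> list:
    path, level = [], list(leaves)
    while len(level) > 1:
        path.append(level[idx ^ 1])          # sibling at this level
        level, idx = _next_level(level), idx // 2
    return path


def merkle_verify(root: bytes, leaf: bytes, idx: int, path) -> bool:
    node = leaf
    for sib in path:
        node = H(b"node", node, sib) if idx % 2 == 0 else H(b"node", sib, node)
        idx //= 2
    return node == root


@dataclass
class EvolvingKey:
    """Producer-side state. secrets[t] becomes None once period t has passed."""
    root: bytes       # the long-lived public key: Merkle root over all period keys
    leaves: list
    pks: list
    secrets: list
    period: int = 0


def keygen() -> EvolvingKey:
    pairs = [lamport_keygen() for _ in range(PERIODS)]
    pks = [pk for _, pk in pairs]
    leaves = [pk_digest(pk) for pk in pks]
    return EvolvingKey(merkle_root(leaves), leaves, pks, [sk for sk, _ in pairs])


def evolve(k: EvolvingKey) -> None:
    """Advance one period and erase the secret that just expired (forward security)."""
    k.secrets[k.period] = None
    k.period += 1


def sign(k: EvolvingKey, msg: bytes):
    sk = k.secrets[k.period]
    if sk is None:
        raise ValueError("secret for this period has been erased")
    return (k.period, lamport_sign(sk, msg), k.pks[k.period], merkle_path(k.leaves, k.period))


def verify(root: bytes, msg: bytes, sig) -> bool:
    period, ots, pk, path = sig
    if not 0 <= period < PERIODS:
        return False
    return merkle_verify(root, pk_digest(pk), period, path) and lamport_verify(pk, msg, ots)


def can_sign_period(k: EvolvingKey, period: int) -> bool:
    """What a thief who seizes k right now can do: only periods whose secrets still exist."""
    return 0 <= period < PERIODS and k.secrets[period] is not None
```

A key seized at period t lets the attacker forge for t and later periods only; signatures over earlier periods remain unforgeable because those secrets no longer exist anywhere. Each Lamport key here is strictly one-time, so this toy must sign at most one message per period; practical schemes pair the same evolve-and-erase idea with per-period keys that can sign many times.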

Okay, so instead of knocking your nodes offline, the attacker only has to commandeer them for just long enough to commit a slashable offense. That's usually easier anyway.

This is fundamentally a double-edged sword -- the harsher your penalties are for bad behavior, the easier it is for someone to use a zero-day and kill your staking coins. But the laxer your penalties are, the more damage a buggy or malicious node can do with impunity.

Either way, the resilience of PoS comes down to the resilience of the majority of its staking nodes, because once you lose that, the system is dead. Once you control majority stake, it doesn't matter how many other offline coins exist -- you, as the majority staker, simply never mine their transactions.

This isn't true for PoW systems. A PoW system can always be brought back to life, even after an arbitrarily long amount of inactivity, and even if all the previous miners cease mining. All you need is one miner, somewhere, that has a copy of the chainstate, and the system makes forward progress.

At least on Cardano, slashing is extraordinarily unlikely and only occurs during recovery from a successful attack. The idea being that the community forks from the moment before the attack and slashes the funds from the attacker. In the case of a zero-day or other attack where the stake pools are forced into being unwilling attackers due to circumstances excluding negligence, KES keys are invalidated/regenerated and the pools don't have their funds slashed. Additionally, delegators either end up taking a leap of faith with their existing pool or more likely move to uncompromised pools.

Recovery is an inherently manual process as either stake pools or miners must actively choose to switch to the new fork (at least initially). This doesn't return to an automated process until the ball actually starts rolling again. I say this is inherently manual as all 51% attacks violate the proof (of work, stake, or any other resource) that allows untrusted collaboration. Instead the community is required to cooperate momentarily based on the collective investment and trust that has been built parallel to the operation of the network.

The difference with PoS compared to PoW during this recovery process is that in a pure attack (i.e. one not due to a software bug/zero day), the resource is permanently burned (slashed) and the recovery can occur. With PoW however the resource doesn't disappear and can always either come back or come from another ecosystem for a second attack.

Outside of the bootstrap and the recovery phase, PoS and PoW are effectively equivalent in security. PoS is slightly weaker in the bootstrap phase and PoW is slightly weaker in the recovery phase. This isn't inherently bad for either system, it's just a matter of trade-offs. Arguably I'd say this is why transitions from PoW to PoS will be much safer than a clean bootstrap. The existing network strength from the PoW era is able to protect the PoS segment while it works through the bootstrap phase.

Thank you very much for this discussion

It seems like your contention is that PoS coins are priced based on discounted cash flow, correct? I think that's a reasonable model, but it's hardly unique to PoS coins, and it doesn't really seem problematic.

> the system is only as resilient as the nodes run by the people who bought in initially

This point applies to any assets that generate cash flow, like stocks, yet they seem to have plenty of trading volume. And looking at some numbers on CoinMarketCap, it doesn't seem like PoS coins have lower trading volume than PoW coins. As one example, XTZ seems to have ~double BTC's turnover in the past 24h.

> these folks believed the coins are worth less than what you're buying them for, which doesn't bode well for you as the buyer

This could be said about most assets, even ones without cash flow like PoW coins. In practice there are other reasons for selling, like wanting to offset gains/losses for tax purposes, or wanting to buy food.

> It seems like your contention is that PoS coins are priced based on discounted cash flow, correct? I think that's a reasonable model, but it's hardly unique to PoS coins, and it doesn't really seem problematic.

It's very problematic if the system's liveness is tied to owning a coin. If I can knock PoS nodes offline, I can not only cause a quorum failure, but also I can cause the offline nodes' coins to get slashed (which is usually how PoS chains deal with this problem). Moreover, there's no recovery from this -- the temporarily-offline nodes are forever slashed, even if they come online later. (EDIT: I'm not limited to knocking nodes offline -- if I can commandeer them through a zero-day, the effect is the same: I make your nodes commit a slashable offense).

Contrast this to PoW, where even if you manage to knock a majority of miners offline, you ultimately have to keep them offline in order to prevent them from later generating and broadcasting a better chain than the one you want to exist. Even if you can physically destroy the majority of miners, the chain still lives on, and new miners can be built and brought online elsewhere.

> This point applies to any assets that generate cash flow, like stocks, yet they seem to have plenty of trading volume

Trading volume is easily faked in crypto-land -- a whale just sends coins to themselves. I'd like to see some hard evidence that the volumes are not from wash-trading. Also, this isn't relevant at all to the system's resilience.

> In practice there are other reasons for selling, like wanting to offset gains/losses for tax purposes, or wanting to buy food.

I didn't say you don't sell coins. I said you don't sell enough of them that the buyer can use them to increase their rate of coin production.

Open membership is arguably a worse problem than stake requirements, as PoW participants do not have a vested interest in preserving the integrity of the chain. Ethereum 2 actually throttles validator entries and exits for exactly this reason.

As an example, any sufficiently powerful entity can temporarily and affordably commandeer computational resources with the intention of disrupting the chain.

Under PoS doing so would devalue your (presumably enormous) stake, so participants are at least incentivized to act in the interest of the chain.

Open membership means that the chain stays alive as long as anyone in the world wants it to. This isn't true for PoS chains -- you must acquire tokens to keep the chain alive.

> As an example, any sufficiently powerful entity can temporarily and affordably commandeer computational resources with the intention of disrupting the chain.

A sufficiently powerful entity can DoS enough staked nodes that quorum can't be reached, and thereby force a PoS chain offline indefinitely for far less energy. If they're clever, they'll buy some PoS coins first, so that once the offline nodes all get slashed, they'll be the majority staker.

It's worth investigating Algorand's Pure Proof-of-Stake model and seeing how it compares to other POS implementations: https://algorand.foundation/algorand-protocol/about-algorand...

If the means of coin production require owning coins, you have these problems that PoW does not have. Definitely true for Algorand.

Owning coins is a means of validating the network and appending to the blockchain, not producing new coins.

Try reading the paper: https://people.csail.mit.edu/nickolai/papers/gilad-algorand-...

You have to own coins to produce blocks.

> If the means of coin production require owning coins, you have these problems that PoW does not have

Producing blocks != coin production

Staking rewards for new block generation is inflationary, so you are just not losing value by staking. Additional value is generated by fees and store of value.

With PoW coin you are constantly devaluing your share of the blockchain by paying some third parties operating giant gpu farms and hydroelectric dams.

> block generation is inflationary > store of value.

I stopped reading at this point.

Good to know.

Thanks for this little tangent, it was pretty informative. What's your opinion on nominated proof of stake?

This is the best (and also approachable, well-written) book on the topic that I've found: https://bitcoinbook.cs.princeton.edu/

My (possibly incorrect) understanding is that POW is computationally expensive because that large investment of computation is what creates a chain of successive blocks (the blockchain). This prevents someone from rewriting history of transactions on the public chain (which would allow them to 'double-spend' or to take their money back).

POW currencies are guaranteed to prevent this kind of abuse unless any individual entity is able to get more than 51%. There's an incentive in addition to this because corrupting the integrity of the network would also devalue the currency. Larger networks (like BTC) are harder to do a hostile takeover of because it's harder to get that much compute (though mining centralization is a risk).

POS relies on some variant of individuals 'staking' coins to enable transactions; this means putting them up in a sort of escrow in the network (they are paid small fees for this based on how much they stake), and if abuse is attempted, the system takes those staked coins away. There are no mathematical guarantees outside of this incentive.

POS is not as standardized across different currencies so I may be missing important bits in my understanding.
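The comment above describes the two PoW properties the rest of the thread keeps returning to: each block commits to its predecessor, so rewriting history means re-doing all later work, and nodes follow the chain with the most cumulative work, so any miner holding a copy of the chain can extend it while an attacker must out-work the honest chain to replace it. The following is an added example written for this thread, not code from the comment or from any real client: a toy proof-of-work chain using SHA-256 (an assumption) with a tiny difficulty so that it runs in milliseconds.

```python
import hashlib
from dataclasses import dataclass

GENESIS_PREV = b"\x00" * 32   # assumption: the chain starts from an all-zero previous hash


@dataclass(frozen=True)
class Block:
    prev: bytes    # hash of the previous block: the commitment that chains blocks together
    data: bytes
    bits: int      # difficulty: number of leading zero bits the block hash must have
    nonce: int

    def hash(self) -> bytes:
        body = self.prev + self.data + self.bits.to_bytes(4, "big") + self.nonce.to_bytes(8, "big")
        return hashlib.sha256(body).digest()


def meets_target(h: bytes, bits: int) -> bool:
    return (int.from_bytes(h, "big") >> (256 - bits)) == 0


def mine(prev: bytes, data: bytes, bits: int) -> Block:
    """Brute-force a nonce; on average 2**bits hashes. Anyone with `prev` can do this."""
    nonce = 0
    while True:
        b = Block(prev, data, bits, nonce)
        if meets_target(b.hash(), bits):
            return b
        nonce += 1


def valid_chain(chain) -> bool:
    """Every block must link to its predecessor and carry valid work.
    Editing any past block breaks the link of every block after it."""
    prev = GENESIS_PREV
    for b in chain:
        if b.prev != prev or not meets_target(b.hash(), b.bits):
            return False
        prev = b.hash()
    return True


def work(chain) -> int:
    """Cumulative expected hashes; this, not block count, is what nodes compare."""
    return sum(2 ** b.bits for b in chain)


def choose(chains):
    """Fork choice: among valid chains, follow the one with the most cumulative work."""
    valid = [c for c in chains if valid_chain(c)]
    return max(valid, key=work)


def extend(chain, data: bytes, bits: int):
    """What a lone miner with a copy of the chain state does to make forward progress."""
    prev = chain[-1].hash() if chain else GENESIS_PREV
    return chain + [mine(prev, data, bits)]
```

Because `mine` starts every search at nonce 0, the example is deterministic; the fork-choice rule shows why an attacker who forks from an old block must produce strictly more cumulative work than the honest chain built since that point before any node will switch to it.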

> POW currencies are guaranteed to prevent this kind of abuse unless any individual entity is able to get more than 51%. There's an incentive in addition to this because corrupting the integrity of the network would also devalue the currency. Larger networks (like BTC) are harder to do a hostile take over of because it's harder to get that much compute (though mining centralization is a risk).

Couldn't this be re-written as:

> POS currencies are guaranteed to prevent this kind of abuse unless any individual entity is able to get more than 51% of the staked currency. There's an incentive in addition to this because corrupting the integrity of the network would also devalue the currency. Larger networks (like ETH) are harder to do a hostile takeover of because it's harder to get that much stake (though validator centralization is a risk).

My (non-expert) interpretation is that staking is just an abstraction of mining, and they are secured by the same incentive system

This comment above does a better job than I did at explaining why the staking incentive is somewhat flawed: https://news.ycombinator.com/item?id=26810686

> PoS is closed-membership with a veneer of open-membership, because the means of coin production are tied to owning a coin already. What this means in practice is that no rational coin-owner is going to sell you coins at a fast enough rate that you'll be able to increase your means of coin production

It seems to me like they're arguing that PoW is more egalitarian/decentralized, which may be a fair point. But using the same argument, attackers being forced to buy stake in the open market should make PoS even more secure against 51% attacks than PoW.

I think this is a good post explaining the tradeoffs: https://vitalik.ca/general/2020/11/06/pos2020.html

Why would they need to buy 51% stake? Just buy x% and then knock the remaining staking nodes offline so that less than 2x% stake remains participating. That's often much cheaper.
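The arithmetic in the comment above (hold x, knock enough honest stake offline that less than 2x of total stake is still participating) and the earlier description of offline stake being slashed to restore quorum can be put into a small model. The following is an added example for this thread, not code from any comment or any real protocol: stake is split into attacker, honest-online and honest-offline; the quorum threshold q of total stake (2/3, the usual BFT choice) and the penalty rule (an inactivity-leak style decay of offline stake by a fixed fraction per epoch until quorum returns) are assumptions, and every number is constructed.

```python
from dataclasses import dataclass


@dataclass
class Stake:
    """Stake split three ways, as fractions of 1.0 (constructed numbers)."""
    attacker: float
    honest_online: float
    honest_offline: float

    @property
    def total(self) -> float:
        return self.attacker + self.honest_online + self.honest_offline

    @property
    def online_share(self) -> float:
        return (self.attacker + self.honest_online) / self.total


def quorum_reachable(s: Stake, q: float = 2 / 3) -> bool:
    """Liveness: participating stake must reach fraction q of all stake (q = 2/3 assumed)."""
    return s.online_share >= q


def attacker_decides(s: Stake) -> bool:
    """Once the attacker outweighs all other participating stake it picks every block,
    so the offline holders' coins stop mattering: their transactions are simply never included."""
    return s.attacker > s.honest_online


def min_offline_to_halt(q: float = 2 / 3) -> float:
    """Fraction of total stake that must stop participating before the chain stalls.
    This does not depend on the attacker's holding; it only needs online stake below q."""
    return 1 - q


def min_honest_offline_for_control(x: float) -> float:
    """The comment's arithmetic: holding x, the attacker controls the online set once
    less than 2x of total stake participates, i.e. more than 1 - 2x is offline."""
    return max(0.0, 1 - 2 * x)


def leak_until_quorum(s: Stake, q: float = 2 / 3, leak: float = 0.1, max_epochs: int = 10_000):
    """Assumed recovery rule: each epoch the offline stake loses `leak` of itself
    until the online set again reaches q. Returns (epochs elapsed, end state)."""
    s = Stake(s.attacker, s.honest_online, s.honest_offline)   # do not mutate the input
    epochs = 0
    while not quorum_reachable(s, q) and epochs < max_epochs:
        s.honest_offline *= 1 - leak
        epochs += 1
    return epochs, s
```

Run with an attacker at 0.2 and honest stake 0.3 online / 0.5 offline: the chain stalls (only 0.5 of stake participates), the leak restores quorum after 7 epochs, and the attacker still does not control the online set because 0.3 of honest stake kept participating. Push honest-online down to 0.15 (0.65 offline, above the 1 - 2x = 0.6 bound) and the attacker already outweighs every other participant; the leak then takes 13 epochs to restore quorum and hands the restored chain to the attacker, which is the failure mode the comment is pointing at.
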
PoW is anchored in some real-world value, the cost of electricity. PoS is not. Most of PoW's security and tamper-resistance advantages derive from that characteristic.

Ultimately, proof of stake has the same property. The value of the network that the stake protects is rooted in some kind of real world value. The tokens from the network can be traded for fiat money that is worth something. So, unless the value of the network being protected falls to zero, the stakes themselves are worth something. An attack on a proof of stake network still requires the resources to procure the attacking stakes. So, you still have a direct relationship between the item being protected and the cost of the protection.

I would add - by focusing on using the economic value of electricity and stacks of special semiconductors to secure your network, you actually are making the network vulnerable to folks that can effectively create arbitrage on those specific narrow resources. In contrast, proof of stake can leverage a much broader range of economic resources that have far fewer arbitrage opportunities.