Categories
All Posts Posts

Nothing at stake in Proof of Stake (PoS)

Definition: Nothing at stake means that in a proof of stake (PoS) consensus algorithm rational validators (block producer) risk nothing (have nothing at stake) if they create blocks on different chains. As a consequence, the whole blockchain network won’t reach consensus on the longest chain.

This problem was addressed by Vitalik Buterin in this article about the Ethereum blockchain moving to Proof of Stake: https://blog.ethereum.org/2014/07/05/stake/

Explanation of Nothing at Stake

Let us assume that we have a pure proof of stake blockchain where validators get selected according to their amount of funds. The more funds they have, the higher is the probability to get selected. They also receive a certain amount of coins as reward for their work. Furthermore validating (or producing) blocks is not hardware or energy intense. A consumer grade computer has more than enough capacity to work on many blockchains simultaneously.

Now, let us assume that there is a fork into chain A and B. Block producers have three choices.

  1. work only on chain A
  2. work only on chain B
  3. work on both chains A and B

We furthermore assume that a validator thinks chain A will become the longest chain with a probability of 0.1 and chain B will become the longest blockchain with probability of 1-0.1=0.9.

rivaling chains. For a validator staking on both chains is beneficial.
Rivaling chains. For a validator staking on both chains is beneficial.

If the reward for a block is 5, then our validator would have in those three situations an expected reward of:

  1. 5*0.1=0.5
  2. 5*0.9=4.5
  3. 5*0.1+5*0.9 = 5

Hence, a rational validator would always decide to work on both chains, since its reward here is higher (5) than in situation 1 (0.5) and 2 (4.5).

Validating on both chains at the same time is possible because all validators have their coins on both chains. They don’t need to split their coins like miners would have to in a PoW blockchain.

Compared to a proof of work blockchain, working on both chains costs nothing. As we said a consumer grade computer has sufficient capacity to serve multiple chains. Also, electricity costs don’t rise significantly in this case.

The same rational holds with more than two rivaling chains. A rational validator would sign on every fork causing the network to fail on consensus on the longest chain.

The basic problem is that there is literally “nothing at stake”.

Solution of the nothing at stake problem

The solution to the nothing at stake problem in PoS is to introduce punishments. Validators need to deposit a certain amount in a smart contract on the blockchain. And if they behave “wrong” they loose their deposit.

There are basically tow methods possible

  1. Punish if found on validating on both chains at the same time
  2. Punish if found on validating on the wrong chain

Punishment, if found on validating on both chains

And if a block producer is found to validate blocks on two chains this deposit is taken away from him.

Considering the example from above where chain A has 0.1 success chance and chain B a 0.9 success chance the rewards, the punishment on each chain is 20, and the reward is 5 would look like that:

  1. Validating on chain A only: 0.1*5 = 0.5
  2. Validating on chain B only: 0.9*5 = 4.5
  3. Validating on both chains: 0.1*5 + 0.9*5 – (0.1*20 + 0.9*20) = -15

In this example the validator needs to be determined well ahead of time, since a punishment is only possible, if the validator signs tow blocks with the same block height. This means that the validator selection must be done before the fork happened. If the validator order is determined after the fork, validators have a low risk of getting the signing privilege on the same block height in every chain.

The following example clarifies this.

Suppose a validator has a 1 % chance of being selected as a validator. The chance of being selected at the same block height on both chains is 0.01*0.01 = 0.0001. In this rare case the validator can skip the right to validate on one of the chains to prevent punishment. This means this validator can in 99 % of all cases if he was selected validate. (0.01-0.0001 = 0.0099 = 0.99 % And with 1 % selection chance this is 99 % of the cases where the validator got seletcted)

Punishment when validating on the wrong chain

Telling what the wrong chain is, is in a decentralized network difficult. Here, we assume that all other chains than the one we look at are wrong chains.

The incentives will look like this

  1. Validating on chain A only: 0.1*5 – 0.9*20 = -17.5 (loss on chain B)
  2. Validating on chain B only: -0.1*20 + 0.9*5 = 2.5 (loss on chain A)
  3. Validating on both chains: 0.1*5 + 0.9*5 – (0.1*20 + 0.9*20) = -15 (loss on both chains)

A validator would choose the chain with the highest net reward. In this case chain B. However, it can be problematic if the punishment is too high and all options yield a negative reward. In this case it would be advantageous to not stake at all, if a fork occurs.

Long range attack in PoS

In the previous section we introduced a punishment to misbehaving validators. The amount taken as penalty needs to be locked up beforehand by the validator as a deposit. After a while the validator wants this deposit back.

As soon as the validator got its deposit back it can start forking. At that point the network can still detect the fork but cannot punish the validator anymore.

This is called a long range attack.

Such attacks can be avoided by implementing check points. Every fork starting before a checkpoint is considered as invalid. The deposit period needs to be longer than the checkpoint periods.

The problem with such long range attacks in nothing at stake is that nodes joining the blockchain network for the first time or having been long time offline need to decide which chain is the right one. This is called weak subjectivity. Constantly online nodes cannot be fooled into a wrong chain, since they know the checkpoints. But for new nodes all branches look the same. New nodes then need to figure out what the longest (or heaviest) chain is. In a PoS system this would be the chain with the most stake.

A solution to that is finding a trusted source for a recent block header of the valid blockchain. This could be a block explorer or an organization which has a high reputation. This block header could be used as a check point.

Further readings