I published an article in Coindesk last week where I argued that the economics of last year’s Ethereum Merge aren’t terribly well understood and that they’re not as straightforward or as overwhelmingly positive as some Ethereans believe. The article was written in a bit of a hurry, while on the road during a very intense trip, and on top of my usual writing for this newsletter. The space was limited and the editor was especially interested in focusing on the environmental angle. Nevertheless the topics are important and somewhat timeless so I think it would be appropriate to dedicate a bit more time and space than I could last week to the claims I made. I also got some critical feedback that I’d like to address here. Finally, I want to explore the same topic from the opposite perspective by asking, “What would have to be true for me to change my mind?”
To begin with, my biases are pretty clear and should be obvious to anyone who’s followed my writing for any period of time: I strongly dislike proof of stake, something I’ve spoken and written about many times, including in this newsletter. Also, I really like proof of work, and the vast majority of criticism of proof of work is misinformed FUD. Having said that, I do think the Merge is a major accomplishment for Ethereum and is arguably good for the network and maybe even for the world (time will tell). In other words, I see both sides of the story.
I also strongly dislike the tendency in the Ethereum community to unquestioningly accept received narratives, such as the plan for the transition to proof of stake. I questioned this idea almost from the time I joined Ethereum and the fact that it was considered a fait accompli and not even open for debate is a big part of the reason I left. It’s not that the arguments put forth in support of proof of stake by its proponents are lies or are untrue (more on this below); it’s that proof of stake too closely resembles the existing world order. A network governed by proof of stake is effectively a shareholder governed financial cooperative. I got into the blockchain and cryptocurrency space to build something different, novel, and promising, and proof of stake ain’t it. (I’ve been working on something better alongside an amazing team at Spacemesh for the past four years.)
My goal with the article, therefore, was to get people to pause and ask questions about the “party line”, such as it is. Also, I want people to see, understand, and consider how much of the narrative around the Merge reducing total global energy consumption by 0.2% is the Ethereum marketing machine on overdrive rather than being provably, objectively true in any meaningful sense.
Claim #1: The Merge is Really, Really Good for the Environment
Let’s start with the first order effects. Lots and lots of GPU and ASIC miners did stop mining Ethereum when the Merge happened. Other things equal, this is a good thing. If you could somehow measure the level of security that the proof of work miners provided to Ethereum before the Merge, and somehow switch to precisely the same level of security under proof of stake, and if it were truly the case that that security under proof of stake required a lot less energy expenditure, well, that would be great. But other things aren’t equal, and security is really difficult to measure (more on this in a moment).
The Ethereum Foundation claimed that the Merge reduced Ethereum’s energy footprint by 99.5%, and some went even further and claimed that it would reduce total worldwide energy consumption by 0.2%. This claim may be true on the face of it, factoring in only first order effects, but what we don’t know are the higher order effects.
How many of those GPUs and ASICs ended up in landfills? How do we calculate the economic impact of that relative to the reduction in energy consumption? Or do we ignore it completely on the grounds that those devices would’ve ended up in landfills eventually anyway?—in which case the Merge merely accelerated this process. How many are still running full throttle, consuming the same amount of energy? How many ended up mining other cryptocurrencies, or found their way to gamers, or to other industrial/high performance compute applications like training AI models? How efficiently did they perform at those tasks—and in particular, did they perform in a fashion more energy efficient than how those tasks would’ve been performed otherwise? In other words, what’s the counterfactual case? In order to perform a comprehensive economic and energy calculation you’d need enough data to answer all of these questions (and probably a few others that I’m missing here).
I really struggle to imagine that all or even a majority of those GPUs were suddenly shut off and never spun up again, and I also struggle to imagine that, whatever else they’ve been used for, they did so as efficiently as they mined Ethereum. But I don’t have hard evidence of these facts and I could be wrong.
What would need to be true for me to change my mind? I’d need to see a comprehensive analysis along the lines outlined above, involving the composition of proof of work mining prior to the Merge and the status of all of those devices today. It would have to include the energy impact of running the entire Ethereum network before and after the Merge, including not only mining but also validators and other classes of actors, and all of the other related infrastructure. In order to calculate the marginal impact it would have to include a counterfactual case of what would’ve happened if the Merge hadn’t occurred.
And even if all of this were done, and done well, it’s still only one side of the coin: cost, not performance. To be complete and useful it would also have to measure and consider the differences in security before and after the Merge (see next section).
That’s a big project and it’s not that useful today anyway since the Merge is ancient history. The scope is massive, it would take time and be expensive, and most of the data would be very difficult to come by. I don’t expect someone to actually do this. But if someone did it’d be fascinating, we might learn a lot, and I’d read such a report with bated breath.
Claim #2: Proof of Stake is More Secure
Measuring energy and environmental impact is hard enough. Security is even more complicated, nuanced, and hard to measure because most of the attacks contemplated under both proof of work and proof of stake are purely hypothetical.
Security in proof of work is guaranteed by energy, cryptography, economics, and thermodynamics: the only way to attack a proof of work-based network with a high likelihood of success is to have more hashpower than basically everyone else put together. Even temporarily attaining it, such as by renting, will cost you a lot, and sustaining it would be much harder. Cryptography dictates that there are no shortcuts and thermodynamics dictates that sustaining the energy required to attack a big network like Bitcoin would be devastatingly expensive. Proof of work has the additional nice property of probabilistic finality: with every passing moment and every additional block, the likelihood of being able to attack, alter, or remove a prior block or transaction rapidly approaches zero.
By contrast security in proof of stake is much more nuanced and subjective. Rather than energy or thermodynamics, security is guaranteed only through a property called economic finality. Proof of stake doesn’t make the sort of hard guarantees that proof of work does that attacks can’t or don’t happen. Instead it offers an economic guarantee: if an attack is successful, then at least two thirds of the validators in the network will have been slashed. In other words, an attack would be very costly (as denominated in the staked asset, i.e., assuming the staked asset is still valuable).
As I wrote last week, proponents of proof of stake claim it’s more secure than proof of work due to its ability to resist one particular kind of hypothetical attack, dubbed the spawn camp attack, wherein an attacker that controls a lot of the stake or hash power of a network continually attempts to 51% attack. For the reasons described above it shouldn’t be possible to carry out or especially to maintain such an attack against a large proof of work network like Bitcoin: it would be too costly and the required energy and computational power would be too difficult to obtain. (That’s why this sort of attack is theoretical, at least in the case of a large network.) If such an attack were to occur, the only way to resist it would be to change the proof of work hash algorithm, which hurts honest miners as well.
Such an attack should also be rare in proof of stake since it would require acquiring a huge amount of stake: tens of billions of dollars worth of ETH at today’s prices, although there are wealthy, powerful actors in the Ethereum ecosystem that already control a lot of stake and could plausibly attempt such an attack. If such an attack did occur, unlike proof of work, proof of stake allows coordination of a “social fork” (UASF) to ignore all of the attacker’s data or, additionally, a hard fork to actually delete the attacker’s funds. (It’s not possible to surgically target a single attacker in proof of work since all miners look the same.)
The wildcard in both proof of work and proof of stake is pools, of both the mining and staking variety, which are huge vectors of centralization. Before the Merge there were only four or five Eth mining pools that collectively controlled the vast majority of the hash power on the network—the same as on Bitcoin today. It’s important to point out that mining pools nearly always have a single, trusted, centralized operator that has a great deal of control including the ability to publish whichever transactions they want in whatever order they want, and individual miners in the pool have almost no control or even transparency into the pool’s operations.
Post-Merge there are over 700,000 validators (and rising, as of the time this was written). It’s still the case that validation is relatively centralized: the top handful of validators today control about a third of the total stake. But the situation may be improved somewhat. It’s hard to know for sure: we don’t know who controls the rest of those validators, and we don’t know how many are controlled by one entity or a cartel of entities.
In order for me to change my mind about proof of stake I’d need a few things. First off, I’d need evidence that the operators behind the validators are truly, meaningfully decentralized. Additionally, I’d have to see a “social fork” successfully thwart an actual attack, rather than this being purely hypothetical. I’d have to see the community rally behind such an event as it did in 2016 in the wake of the DAO attack. Note that the topic came up a few months ago when the question arose of Tornado Cash and large validators including Coinbase possibly needing to censor transactions that touch sanctioned addresses. Would the Ethereum community and network really be able to, say, delete the stake of a malevolent actor in this sort of scenario? And wouldn’t that violate the core “code is law” cypherpunk principle, just as the DAO hard fork did? How would the community and the world react? Ethereum was tiny and nascent in 2016; neither is true now.
By contrast, Bitcoin doesn’t need to rely on social coordination for its security. Quite the contrary, Bitcoin is money for enemies. The only things needed to keep Bitcoin secure are math and cryptography, thermodynamics, and greed. The network is most secure when everyone is acting in their own self-interest. That’s the brilliance of Bitcoin’s design, and of proof of work. Proof of stake introduces a lot of subjectivity and assumptions around the social layer that don’t sit well with me, and that are mostly theoretical and untested.
Many of the vulnerabilities of proof of stake also involve hypothetical attacks—costless simulation, weak subjectivity, etc.—and the response is to use yet more social coordination in the form of checkpoints in the code. Recall the reason I dislike proof of stake in the first place is that it too closely resembles the current system. I’m not saying that checkpoints can’t work or that they’re not useful, but a committee of privileged actors deciding when to bless a particular state via a checkpoint also feels too much like the way the world works today, and thus feels antithetical to the promises of blockchain (that anyone can objectively verify the current state for themselves).
By contrast the security guarantees of proof of work and its long track record of being unbreakable are unmatched. It offers a hard, objective form of security, unlike the soft, subjective security of proof of stake, a form of security that relies on social mechanisms like checkpoints. PoW works well for Bitcoin, and Bitcoin cares about security more than just about anything else, so I can’t imagine it ever changing. I find it very difficult to imagine a scenario where I’d change my mind and agree that proof of stake is more secure, and certainly not because of its ability to respond to one particular type of hypothetical attack vector.
Finally, analyzing security under proof of stake is even more complicated for two additional reasons, MEV and restaking, that I’ll discuss below.
Claim #3: The Merge Made Security Cheaper
Proponents of proof of stake claim that it’s not only more secure than proof of work, but in fact that its security is even cheaper than that of proof of work. We explored the first claim already; let’s take a look at the second.
As I outlined last week, the Merge is widely regarded as having improved the overall economics of Ethereum because the network is paying less per block in security than it used to. The steel man argument for why is that a network secured by proof of stake can afford to pay less for security because proof of stake simply costs less. Validators don’t entail the sort of ongoing operational cost that miners face because validators aren’t energy intensive. This is evidenced by the fact that Ethereum validators are willing to put up around $42B of stake on which they’re earning around 3.5% yield, even though there are plenty of ultra low risk opportunities that would pay more these days (albeit with less potential upside). In an objective sense Ethereum is paying relatively little for this level of economic security, around 2200 ETH per day based on the present number of validators, and certainly less than it was before the Merge when it was paying around 13.5k ETH per day to miners.
As Paul Sztorc argued, however, and as I described last week, it’s not that straightforward. You cannot simply pay less for the same level of security. In some sense you get precisely as much security as you pay for. Other things equal, if you just, say, cut the block subsidy in half, in “real” terms the reward earned by miners actually doesn’t change. Future issuance is reduced by half which means that each coin should be twice as valuable in real terms (see The Coinbase-Rot Paradox in Sztorc’s article). This may seem not to be the case for Ethereum today because the network has been around for a while and has already done most of its issuance so you’re not moving the needle on the total circulating supply very much. But if you imagine that Ethereum will continue to exist and will continue to issue coins to validators for a very long time to come then future issuance matters a lot more than past issuance. Over the very long run, other things being equal, halving validator rewards today would double the value of one ETH.
And then we have to factor in “obfuscated PoW” (as Sztorc dubs it), i.e., work that takes other forms. This is where MEV and restaking must be factored in. I’m not aware of serious academic research on this subject—I’d be fascinated to read it if it exists, so please share if you’re aware of any—but it seems fairly obvious to me that the network is paying for security through MEV as well as through block subsidies and outright fees. While the Flashbots estimate of realized MEV since the merge is only around 5% of the ETH that would’ve been paid to miners under proof of work, it’s impossible to know to what percentage of all MEV this accounts for.
While MEV happened to take off right around the time of the Merge, in theory they’re orthogonal: MEV was possible and profitable (and, indeed, did occur) before the Merge, and it’s still possible and profitable after the Merge. In a sense, MEV was easier before the Merge since searchers (the parties responsible for finding MEV opportunities and bundling transactions so as to take advantage of them) only had to communicate with and sell their bundles to a small number of mining pools. Today by contrast there are hundreds of thousands of validators, but as a result the MEV ecosystem has matured rapidly and a true marketplace has arisen, with many searchers competing via many relays to get their blocks included by validators (block proposers). I’d also be fascinated to read any real research on whether and to what extent the proliferation of MEV opportunities today are possible because of the Merge and wouldn’t have existed under proof of work.
Finally, it’s important to point out that unlike ordinary fees and subsidies which are borne equally by all users, MEV is especially pernicious because it’s a regressive tax in the sense that it’s borne disproportionately by unsophisticated, everyday users! Also, remember that the fully burdened cost of MEV should include the externalities borne by the entire network (i.e., not just those party to a transaction) including the computational power of the searchers and value lost due to alternative, non-public mempools. I don’t know how big this number is, but it’s substantial.
I want to briefly touch upon restaking as well. The situation involving restaking is more complicated since the phenomenon is more recent and less well understood, but in essence restaking allows actors who have already staked ETH as validators to use that stake to additionally participate in (and be rewarded by) extraprotocol schemes including layer two applications. This muddies the waters and distorts incentives, and even Vitalik Buterin has expressed concerns about the possible negative impacts on Ethereum security. I don’t claim to fully understand restaking and all of its implications and I haven’t made up my mind about it, but I cannot imagine that having your “security officers,” i.e., your validators doing double-duty elsewhere makes Ethereum any more secure. This is even further evidence that proof of stake is buying lower quality security for the price it’s paying. (Bitcoin miners definitely aren’t doing double duty.)
What would it take for me to change my mind about the cost of security? You’d have to prove to me, empirically or maybe from first principles, that Ethereum is indeed paying less and getting more. That analysis would have to factor in the big picture and all of the externalities: MEV, restaking, and the long-term, big picture economic consequences including the huge opportunity cost of the staked capital (which I mentioned last week but didn’t even have time to cover in this analysis). I’m not sure how you could convince me that the security Ethereum is buying today is better than the security it bought with proof of work but you’re welcome to try and I would read your argument.
But given what we know today, all things considered I think it’s intellectually dishonest to claim that Ethereum is spending less for security today than it was pre-Merge. And even if you think that it is, it seems to me that the quality of the security it’s buying isn’t as rock solid as the security afforded by proof of work. Not all security is created equal. The best thing we can say at this point is that it’s complicated and a lot more work needs to be done to understand all of the tradeoffs.