Ethereum Proof-of-Stake

Explaining Ethereum's consensus mechanism after The Merge

Jul 06, 2022

Welcome! In this article we’ll do a deep dive into

detailed description of Ethereum’s PoS consensus model
how Ethereum PoS can recover from malicious attacks
refuting common anti-PoS talking points
discuss the practicalities of liquid staking or running your own node

The current state of the beacon chain. Producing blocks every 12 seconds right on schedule. See live data at https://beaconcha.in

Consensus Mechanisms: PoS, PoW, PoA

A consensus mechanism defines how a distributed network of nodes decides on the current state of the network, which blocks are in the chain and in which order. Block production is a general term that describes who scans the mempool to pick up pending transactions, orders them into blocks, and attaches the new block to the existing blockchain. Three common classes of consensus mechanisms are proof-of-stake, proof-of-work, and proof-of-authority.

PoW (Bitcoin) gives block producing power to whoever uses the most computing power. The protocol defines a one-way computationally heavy hash function such as SHA-256, and then miners compete to find an input that hashes to an output with many leading zeros.
PoA (Binance Smart Chain) is a whitelisting mechanism that gives block producing power to a couple whitelisted nodes. It’s your typical permissioned blockchain, nothing more.
PoS (Ethereum, soon™) gives block producing power to whoever locks up their native tokens, proportional to how many they have staked.

Ethereum Implementation

Ethereum’s PoS implementation has been teased for the better half of a decade now, but with the beacon chain running for 18 months straight and successful live merges on multiple testnets the initial implementation is largely finalized. I’ll focus on the specifics of how the PoS chain runs in its steady state rather than get lost in the implementation details of the merge.

Another famous tradeoff triangle. Pick two, or find yourself somewhere in the middle.

There are ~400,000 validators on the beacon chain, you can track live stats and blocks here. A validator refers to a specific deposit of 32 eth into the beacon chain deposit contract on mainnet; one user can run multiple validators. Unstaking withdrawals are not enabled today, will not be enabled at merge time, but will be enabled in the Shanghai hardfork update afterwards. A slot occurs every 12 seconds, and exactly one validator is randomly chosen to submit a block within the slot. An epoch is composed of 32 slots, or 6.4 minutes. If a validator is offline and does not propose a block within its slot, that slot is left empty. So Ethereum blocktimes will move from a Poisson distribution with average blocktime of 13 seconds, to exactly 12 seconds with occasional empty slots. The first block within each epoch is treated as the checkpoint block.

If only one validator proposes a block in each slot, what do the rest of them do while waiting for their turn? They create attestations, which are signed votes describing what they believe the current head of the chain to be, and links to a parent checkpoint block. Because attestations are cryptographically signed from a specific validator, validators can be held accountable if they equivocate, or vote for two blocks at the same height. Communication and storage overhead for 400,000 attestations is enormously high, so within each epoch each validator is assigned to attest to only one slot. The validators for each slot are assigned to committees, which are further groupings with minimum size 128. Aggregators then combine signatures from multiple validators using BLS aggregation before storing only summary data into the block.

Randomness is generated through RANDAO, a randomness accumulation beacon where block proposers reveal a BLS signature of the current epoch number signed by their validator private key. This means there is very little choice over what randomness is generated; validators can either contribute a single verifiable value or have their block skipped altogether. The hash signature is mixed into the chain’s RANDAO using XOR, which offers an additional marginal security improvement through its commutativity. Ben Edgington has further details on the spec.

A supermajority (2/3rds) of validators is required to finalize a block, in case of a 50-50 network partition blocks would stop being finalized and attestation rewards would stop. Non-participating validators would slowly leak stake through the inactivity leak until online validators once again had a supermajority. This is the "self-healing" mechanism that allows both safety and liveness.

A technical overview of how validator attestations are aggregated and eventually included in blocks.

Epochs are groups of 32 slots, and they move through three stages: proposed, justified, finalized. Once a supermajority, or two-thirds of current validators, attests to an epoch it can advance. Attestations are linked to pairs of checkpoint blocks, one from a previous epoch and one from the current epoch. We denote this by a pair of the source block and the target block. A block is proposed by a single validator, and when a supermajority of attestations mark it as the head it is considered justified. When a supermajority of attestations mark a justified epoch as the prev it is considered finalized. So blocks in an epoch typically get finalized one epoch later, or 15 minutes total.

Transactions are finalized when they cannot be reorged without burning a significant amount of ETH. Because two-thirds of validators have attested to the finalized block, to create a distinct finalized epoch at the same height two-thirds of validators would also need to attest to a separate block at the same height. So at least one-third of validators would have provably equivocated. Equivocation is punished by slashing up to the validator’s entire stake, so the attacker must commit to destroying at least one-third of all staked ETH. The cost to reorg a finalized block is several billion dollars, even at today’s depressed prices.

A malicious actor could also prevent finalization by withholding attestations so a supermajority is never achieved. When the chain fails to finalize for 4 epochs or more, inactive validators are penalized with an inactivity leak. This slowly burns the balances of the offline validator set until the online validators once again have a supermajority and can restore liveness. The attestation reward is paused until the chain begins finalizing again, to make censorship and DoS attacks more expensive.

Staking Requires Active Effort

Many people have a warped impression of staking from the term’s generous usage across DeFi and NFTs. In many of these protocols “staking” means depositing tokens into an escrow contract, thereby reducing sell-side liquidity while the tokens sit passively. There is no downside risk and no active participation, just bribes for people with low time preference. See cobie’s amazing takedown on why these structures are ultimately meaningless.

To be absolutely clear, these games are not what we are discussing. True protocol-level staking means entering into a commitment with both upside and downside, that requires consistent active participation into proposing new blocks and attesting to blocks others create. It means you can be rewarded for participating honestly with high uptime, or that you can lose money for going offline or supporting a malicious fork. The rules are not applied capriciously by a centralized party; they are clearly defined in advance and built deeply into the decentralized protocol itself.

There are two key equivocation rules a validator must follow, taken from the Gasper paper:

Double vote - no validator makes two distinct attestations for the same target block
Surround vote - no validator makes an attestation that surrounds or is surrounded by a previous attestation

Slashing conditions taken directly from the Gasper paper

Honest consensus layer clients are programmed to explicitly never do this, so a normal honest user should not have to worry about these mechanisms kick in. Yet they provide significant protection against malicious validators and elegantly solve the nothing-at-stake problem.

While slashing is only applied to errors of commission, there are also lesser penalties called inactivity leaks for errors of omission. Honest users should pay particular attention to their validator uptime, because an offline validator is worse than none at all. If over 1/3rd of validators are offline then blocks cannot finalize, and it becomes plausible that these offline nodes are actually building their own shadow fork by pretending a network partition exists. Downtime penalties are important to avoid such situations.

Ethereum is Self-Healing Against Disruptive Minorities

The combination of equivocation slashing, inactivity leaks, and user-activated soft forks packs a powerful punch. Equivocation slashing handles safety errors, inactivity leaks handle liveness errors, and UASFs let even an honest minority recover from a malicious supermajority.

Equivocation is when a validator attests to two separate blocks at the same height, which has the potential to create parallel forks and eventual reorgs. This is a key element of the nothing-at-stake problem, where stakers build on all possible forks because it costs them nothing. By gathering signed attestations, network watchdogs can prove when this happens and slash the equivocator’s stake.

Inactivity leaks are when a validator fails to provide attestations. This cannot be proved malicious, as the validator could have accidentally fallen offline, but it is harmful to the network.

User-activated soft forks are when a subset of validators believes the main thread is ignoring them and their transactions, so they band together to form their own fork of block production.

Let’s walk through a couple theoretical scenarios where a subset of malicious validators wants to censor certain undesirable transactions. How would it play out at various ownership thresholds?

Whale cartels maliciously colluding. Image generated by DALLE-2

Subminority Lazy Censorship

A whale with 10% of staked ether wants to censor transactions. He refuses to include blacklisted transactions into the blocks he proposes. Those transactions get included in the other 90% of blocks. The whale makes slightly less money because he bypasses certain high-paying mempool transactions.

Subminority Aggressive Censorship

A whale with 10% of staked ether refuses to included blacklisted transactions in his block proposals, and also refuses to attest to other blocks that include those transactions. Blocks continue finalizing because a supermajority of attestations support honest blocks. The whale loses money on both lower transaction bribes and misses attestation rewards.

Minority Lazy Censorship

A whale cartel with 40% total stake wants to censor transactions, but attest to honest blocks others propose. Same as the subminority lazy censorship case.

Minority Aggressive Censorship

A whale cartel with 40% total stake wants to censor transactions, and refuses to attest to honest blocks. Blocks stop finalizing because there is no longer an honest supermajority. The chain would fork into two child chains, as if there had been a clean network partition. Honest validators see both forks but would built on the honest fork because it has greater weight in the LMD-GHOST fork choice rule. Censoring validators would also see both forks but manually override the LMD-GHOST fork choice rule and choose to continue on the censoring chain, pretending they are not aware of the honest chain.

On the honest chain, the inactivity leak would kick in once blocks stopped finalizing. This means all censoring validators would appear as offline because they refuse to attest to the honest blocks. Censoring validators have their stake slowly burned until their effective balances drop low enough that they’re removed from the validator set. At this time the honest validators now have a supermajority and blocks begin finalizing again.

Note that this did not require a hardfork. The existing slashing penalties & inactivity leaks gradually remove malicious or offline validators from the set, and the remainder can regain a supermajority without any chain downtime.

User-Activated Soft Fork from Malicious Supermajority

We’ve seen that even if honest validators don’t have a supermajority, by proposing honest blocks that censoring validators refuse to attest to, the censoring validators will be forced out of the validator set. What happens if honest validators have a subminority and censoring validators have a supermajority?

Interestingly, the mechanics are nearly identical! One key difference is that the honest validators would have to explicitly band together to recognize one another’s attestations and override the fork choice rule, but other than that they can form their own child chain and the malicious supermajority would slowly bleed stake out of the validator set until the honest subminority has once again regained a supermajority.

Again, it’s notable that no explicit protocol-level changes were made to explicitly hardfork coins away from specific users, as we saw in The DAO’s 2016 exploit. Rather it was the combination of equivocation slashing and inactivity leaks that mean validators who do not build on top of the same chain gradually lose their stake. It’s quite an elegant mechanism that allows an honest minority to recover from a malicious majority.

Possible Ethereum Improvements

Of course, Ethereum PoS has several areas for further improvement. For example,

Single-slot finality refers to reducing the time for finality from 2 epochs (64 blocks) to 1 block
Reducing the minimum amount needed to stake would make home staking more viable for users who don’t have 32 eth
Single secret leader election would minimize potential DoS attacks against block proposers when their address is known in advance
Proposer-builder separation when constructing blocks would make it easy for individual home stakers to achieve the same top yield as large operations

Top Misunderstandings

PoS = Onchain Governance

Ethereum has no onchain governance, even if a subset of PoS protocols do. Just as Bitcoin full nodes keep miners honest for producing valid blocks that conform to the state transition function, Ethereum full nodes keep validators honest for producing valid blocks that conform to the state transition function. Even a supermajority of malicious validators cannot fool a single honest full node.

Consensus mechanisms are a way to add new transactions to the chain, not the power to arbitrarily coerce blockchain state. The state transition rules are encoded into the protocol itself and inviolable unless the social layer hardforks. One of Bitcoin’s state transition invariants is that the sum of UTXO outputs must equal the inputs; one of Ethereum’s state transition invariants is that an account can only move its own Ether. Neither miners nor stakers can break these rules, even with a supermajority, as long as non-validators run their own nodes on the network to verify honest state transitions.

PoS = Central Banking

Unclear what people mean by this. My best guess is it’s a reference to central planning manipulation of macroeconomic factors like money supply and interest rates. As mentioned above, validators have no ability to change the state transition function and Ethereum’s mechanism changes are heavily discussed in public for months, if not years, in advance. Governance is offchain at the social layer, not onchain. Validators have no power here.

PoS = Scaling for Cheap Gas

This is false. Gas prices reflect supply and demand for blockspace. Changing the consensus mechanism does not increase blockspace supply, but sharding could. Sharding was originally a big part of Ethereum’s roadmap but has been deprioritized and will not be happening until quite a while after The Merge. See the proto-danksharding notes to track the current status of data availability sharding plans.

PoS = Rich Get Richer, PoW = Egalitarian

The idea of CPUs, GPUs, and ASICs churning away in a mathematical competition to find hash preimages the fastest has an egalitarian elegance to it. Sovereign individuals where individuals running home gaming computers can compete with nation-states for the right to earn 6.25 freshly minted BTC.

Unfortunately, ASIC supply chains are easily controlled by import/export regulations, not to mention a dangerous dependency on Taiwan. The need for cheap, abundant energy is another weak point that prohibits individuals from running discreet mining setups. And because we have not yet entered a post-scarcity utopia, you need upfront capital to purchase mining rigs. Worse, technological advances mean miners are constantly required to upgrade their setups to remain competitive, meaning the supply chain dependency is an ongoing weak point if things ever go south.

PoW can be thought of as a specific instantiation of PoS, where users stake capital to purchase mining rigs that then compete for the block proposal rights. Your staked principal can be withdrawn at any time, but its value follows a decay curve corresponding to the current market value of your computer chips. The need for upfront capital is identical in both PoW and PoS, the key difference being that the capital is forced through a computer chip supply chain in PoW while it can be purely staked in PoS.

PoS = Nothing-at-Stake

PoS solves the nothing-at-stake problem by adding slashing penalties to validators who build on two parent blocks at once.

PoS = No Forced Sellers

Many people point to the slim margins for PoW miners and compare it with what looks like fat yields being generated by stakers. However markets are efficient, and there’s no free lunch. What looks like free money for stakers is actually a significant opportunity cost of capital, choosing to place their money into ETH rather than thousands of other investment opportunities, and a real risk of principal depreciation. The same market dynamics that lead to slim margins relative to other investment opportunities in BTC mining, also apply to slim margins relative to other investment opportunities in ETH staking.

PoS = Central Banks will buy all the tokens

This tends to come from people who have never tried to move order books in significant size. Of course you can’t buy all the supply at current spot prices, any more than you can buy all the ASICs at current spot prices. As demand increases, price moves up in a highly convex fashion.

PoS = Trust a Centralized Server to get the Canonical Chain

Recommend Vitalik’s writeup on “weak subjectivity”, and the EF’s description. The first time a node comes online, it must have some frame of reference to know how to bootstrap itself. This is not a problem unique to PoS; even a bitcoin full node needs to know which client software is valid, which IPs to bootstrap its history from, etc. PoS adds only minor additional trust assumptions here.

PoS = No Real Resource Consumption

There's a fascinating mental divide between people who see "real-world" ties as the only attribute that can give legitimacy to a digital asset, and people who see "real-world" ties as dangerous dependencies to avoid when constructing self-sufficient systems.

PoS = Bad Complexity

Today’s implementations are certainly quite the adventure to understand, with a whirlwind of new vocabulary and distributed systems prerequisites to grok. Yet after a deep dive into all the moving pieces nothing feels unnecessary, and there is active work to simplify as much as possible. Modern society is built on a series of progressively more complex abstractions; throwing those away because of initial unapproachability would forgo massive innovation.

Realistic Concerns

Liquid (and Illiquid) Staking Custodian Cartels

While Ethereum doesn’t have delegated PoS at the protocol layer, app-layer replacements have sprung up. Lido leads staking share, followed by a handful of centralized exchanges. Rather than running their own validators, users send ETH to these staking providers and receive a tokenized staking derivative such as stETH. These staking providers then generally have full control over how validators are run. Custodians having outsized voting control is the most likely avenue for regulatory capture. At least lately they’ve all been blowing up gambling customer funds into leveraged plays, so the only people left with money at the end of it all will be those who practice self-custody.

Real-World-Asset Tokenization Makes Forking Difficult

When an asset holds its peg not because of onchain mechanisms, but because of off-chain 1:1 redeemability at a centralized issuer, the issuer chooses a canonical chain to honor redemptions and creations on. The best example today is a stablecoin such as USDC or USDT, but more tokenized RWAs will surely follow in coming years. MakerDAO is leading many exploratory efforts.

Proof-of-Any-Resource is Centralizing

Money and resources have a tendency to accrue into the hands of a select few, absent the occasional redistribution or revolution. The implicit personal leverage created by incredible technological foundations is empirically exacerbating power-law dynamics. So while PoS is a cleaner abstraction than PoW, both consensus mechanisms will block out large portions of the world from participating. With current horse blinders it’s difficult to imagine what alternative consensus mechanisms might arise with even fairer participation, but don’t rule it out.

What Does It Mean For Me?

A final section on practicalities. If you’re interested in staking your own ETH, annual yields are estimated to be between 5-15% depending on how many others join in and the extent of MEV bribes. There’s an interesting “hold to maturity” trade that can be made right now where many liquid staking derivatives are trading below their eventual redeemable value of 1 ETH. Why does this happen? Lots of people who hammered home a levered stETH/ETH trade hoping to juice their yields, but as withdrawals won’t be enabled until the Shanghai hardfork after the merge, liquidity needs came calling and there weren’t enough buyers. You should be aware that liquid staking derivatives are in no way “pegged” to the value of ETH, except that at maturity they should be redeemable 1:1. But brave buyers who are willing to take on unknown duration risk have the chance to be healthily rewarded.

The volatile stETH/ETH price over the past three months

It’s strange advice because the entire article has been hammering home the ability to avoid malicious collusion and now we describe how to direct money towards a custodial derivative. But it would be remiss to have people enter a lockup at 1:1 without knowing they can get paid for taking on duration + governance + smart contract risk and scooping up cheap coins from overlevered funds.

If you’re interested in running your own validator node, here’s a great walkthrough guide for solo staking.

Conclusion

Many PoS protocols exist already but Ethereum is setting a new quality standard. The focus on supporting an expansive validator set, explicit slashing penalties, a clear tradeoff between liveness and safety, and the agonizing upfront work of maintaining multiple software clients. The system isn’t perfect but it’s one of the most elegant innovations we have. Hopefully this explainer helps you appreciate how all the moving parts come together 🥩.

Appendix

Definitions

LMD-GHOST: latest message drive greediest heaviest observed subtree, the fork choice rule determining which block is viewed as the current chain head

Casper FFG: the finality gadget used in Ethereum PoS which moves blocks from the “proposed” to “justified” to “finalized” stage

Gasper: the name for Ethereum’s PoS implementation, a combination of the LMD-GHOST fork choice rule, Casper FFG, and the specific reward/penalty scheme

RANDAO: the random number generation scheme used to select block proposers, sort validators into committees, etc

BLS: the cryptographic signature scheme used for validator attestations

inactivity leak: validators which don’t submit attestations are penalized if the chain stops finalizing

slashing: validators which maliciously propose or attest to multiple blocks at the same height have their stake reduced

proposer boost: a modification to LMD-GHOST giving additional weight to blocks proposed earlier in the slot to defend against avalanche attacks, see an explanation of a 7-block reorg in the beacon chain while this update was being rolled out

The Variable

Discussion about this post