Ethereum is the world’s second largest cryptocurrency by market cap and the leading platform for decentralized applications. It has grown to extraordinary levels of usership and success since its official launch in 2015. Thousands of dapps run on Ethereum every day and countless crypto tokens rely on the platform’s smart contracts. Additionally, dozens of Fortune 500 clients are exploring the possibilities of Ethereum for private blockchain applications. Vitalik Buterin’s brainchild is on its way toward its goal of becoming “the world’s computer.”
However, the current implementation of Ethereum has its limitations. Scalability to handle many transactions is one major issue. Ethereum’s network has slowed in times of high usage over the past year. Additionally, Ethereum’s current reliance on proof of work consensus means that network security relies on millions of dollars of hardware and the same amount of electricity as a small nation.
To address these and other concerns, Ethereum is undergoing an evolution. Known as Ethereum Casper, this group of projects will eventually lead to the creation of Ethereum 2.0, powered by a new proof of stake consensus mechanism. The goal is a more scalable, environmentally friendly, and secure network. Casper is still under active development and is actually an umbrella term for multiple projects that Ethereum engineers are researching simultaneously. This article aims to give a comprehensive overview of Casper, its history, and potential impact.
- 1. What is Proof of Stake?
- 2. Energy Efficiency
- 3. Rich Getting Richer
- 4. Incentives & Punishment: Driving Economic Finality
- 5. Proof of Stake’s Complexity & Vulnerabilities
- 6. Weak Subjectivity & Long-Range Attacks
- 7. Long-Range Revert Limit
- 8. Nothing at Stake
- 8.1 Penalize nodes that vote on multiple chains at the same time
- 8.2 Penalize wrong votes, full stop
- 9. 51% Attacks
- 10. Kickstarting Scalability
- 10.1 Decrease the block interval so new blocks get confirmed faster
- 10.2 Increase the block size so more transactions get confirmed with every block
- 10.3 Conduct some transactions in off-chain side channels
- 10.4 Divide the mining network into smaller sub-networks that each confirm a part of the new block
- 11. FFG vs. CBC
- 12. Launching Casper
What is Proof of Stake
Before we dive into the specifics of Ethereum Casper’s implementation, it’s important to understand the context for the change. Casper’s main objective is changing Ethereum from its current proof of work (PoW) consensus to proof of stake (PoS) consensus that uses far less energy and opens the door for new ways of scaling the network. Blockchain researchers have discussed the flaws of proof of work consensus and imagined proof of stake solutions for several years now. However, proof of stake is inherently more complex, making implementation a challenge that requires a significant understanding of economics, game theory, and incentive structures.
In a proof of work system, miners compete to solve a challenging puzzle in order to add a new block to the ledger. The only way to solve this puzzle is by guessing and checking billions or trillions of possible answers until you find one that works.
PoW miners use high-powered computers to run these computations, guzzling electricity with every wrong answer they find. Ultimately, it’s a race, and only the first computer to find the answer will win the reward. All the other wrong answers from every other mining computer in the world are wasted effort.
Proof of stake fundamentally changes consensus. Instead of presenting a challenging puzzle, proof of stake simply selects someone at random to assemble and verify a block’s contents. However, to prevent that random person from creating false transactions or attacking the network, the algorithm requires the verifier to put up their own personal funds as collateral. If the network accepts the verifier’s transactions, then the verifier receives a reward. If the transactions are found to be false, the verifier loses their collateral.
As we’ll see, the potential benefits of proof of stake are numerous, but PoS consensus requires a well-written algorithm and planning for every contingency. When you introduce the idea of collateral, reward, and punishment, predicting behavior becomes more complicated. Additionally, miners who have invested heavily in hardware for PoW mining will lose the value of their hardware investments. For this reason, Ethereum Casper proposes a gradual shift from PoW to PoS over the course of years and many iterations to ensure security and transparency.
Proof of stake’s most obvious benefit is energy efficiency. In proof of work, many computers compete to compute a solution, and every wrong computation is electricity wasted. In proof of stake, only one verifier is working at a given time, and the only electricity used is what’s necessary to compile and add transactions to the blockchain.
Proponents of proof of work say that the electricity costs are simply the price that the community must pay for network security. However, these costs are significant. One Ethereum transaction under the current PoW consensus uses 83 Kilowatt-hours of energy, enough to power two and a half households for an entire day. Daily, Ethereum uses between 50 and 60 million Kilowatt-hours of electricity. With the carbon footprint of electricity from fossil fuels, it’s increasingly clear that burning so much energy is irresponsible in the long term.
Rich Getting Richer
There’s also an argument to be made that hardware and electricity costs mean the rich get richer. Proof of work mining enjoys an economy of scale where large mining operations that can pool their resources can grow their influence faster. It becomes marginally less expensive for a big mining warehouse to add one more computer than for a small enterprise to buy and outfit their first few machines. This economy of scale contributes to the centralization of power where the largest mining operations receive the most rewards, allowing them to expand their operations at marginal cost and reap a disproportionate return on investment.
In a proof of stake system, such economies of scale don’t exist. Staking more money proportionately increases your potential of earning a reward, and whether it’s your first dollar staked or your millionth, the increase in earnings potential is the same. In fact, preliminary staking structures from the Casper team indicate the possibility of a regressive rewards structure, where individuals who stake tens or hundreds of millions of dollars in value will see diminishing returns. The goal of such a structure is to disincentivize centralization.
While no system will be perfectly decentralized, proof of stake is far more egalitarian than proof of work in its distribution of rewards. Still, rewards structure and vesting are important topics that the Casper research team will have to determine over the coming years. Expect this process to involve a lot of tweaking in order to balance good incentives with strong security.
Incentives & Punishment: Driving Economic Finality
Proof of stake closes the door on a serious vulnerability of PoW systems, especially in the current climate of mining centralization. PoS consensus allows a network to punish bad actors, whereas proof of work only allows for rewards.
In Ethereum Casper, the penalties for bad behavior as a verifier will depend on the severity of the fault. The penalty can reach up to 100% of the amount staked. Additionally, verifiers can be fined for absenteeism as well, staking large amounts of money but being offline when selected as the validator for a block. Punishing wrong choices against the network’s interests strongly incentivizes finality, or the substantiation of “one true chain.”
Finality is especially important in enterprise application where major financial transactions or sensitive smart contracts must be confirmed and unalterable in the ledger beyond a doubt. Once a transaction reaches a certain depth with a high confidence from verifiers, the Casper protocol will lock that block, effectively stopping any other chains that stretch farther back than the locked block.
Proof of Stake’s Complexity & Vulnerabilities
There are major advantages to proof of stake, but it’s far from a perfect system. Bringing incentives and punishment inside the blockchain via contract managed consensus creates all kinds of challenges for developers. The algorithm must make provisions for all possible scenarios, including mistakes and attacks that can either be immediate or long-term.
At its core, every consensus mechanism strives to solve the Byzantine Generals Problem. This is an old computer science and game theory challenge that looks for a way to gain consensus between nodes where there is an economic incentive to act dishonestly. Until the invention of proof of work, many computer scientists thought the Byzantine problem was impossible to solve. Indeed, proof of work relies on outside economics (the cost of hardware and electricity) to solve the problem, and is therefore not a purely computer-driven consensus model. Proof of stake, when done correctly, can solve these problems completely within the blockchain system. However, the challenges are numerous:
Weak Subjectivity & Long-Range Attacks
Throughout history, humans have actually been quite good at establishing consensus. However, this consensus is often social and takes a long time to settle. For instance, as a species, we’re not likely to forget about World War Two or the existence of the Han Dynasty. Therefore, we’ve reached a type of social consensus where everyone agrees on a shared history. However, not everyone knows the same details about our shared history, and we all have different states of knowledge about these events. Our social subjective consensus is also slow and error-prone. For example, it might take me a long time to find a given piece of information about the Han Dynasty, or you could easily give me false information about World War Two that I would believe.
In fact, humans have used this weak, subjective social consensus to power currency systems before. On islands in the Pacific, natives use 3500-kilogram rai stones to trade value. Being so heavy, these stones never move. Instead, oral history maintains a record of who owns what at any given time. This consensus requires that you trust the oral history, specifically choosing historians to listen to. However, there is no central rai stones bank that maintains a ledger. With a little bit of added technology, social consensus blockchains like Ripple or Stellar function similarly. You simply need to decide which nodes in your network to trust.
Of course, finality and objectivity are good characteristics in a digital currency, so subjective consensus isn’t exactly ideal. This is the main selling point of proof of work. It provides a definitive state of the blockchain at any time based on the rules of the protocol alone. You don’t need to trust anyone in order to believe in the truth of a proof of work ledger. That trustless truth, however, comes at a high resource cost.
Ethereum Casper also suffers from subjectivity. New nodes in the network need to trust other nodes to give them the correct state. Once they have the correct state, a new node can operate independently, but that initial state must come from a trusted source. As a result, proof of stake is not trustless. Instead, it’s subjective. This is because proof of work incentivizes working on the longest chain, whereas chain length doesn’t matter in proof of stake. As soon as a PoW miner discovers a longer chain, the incentive is to switch, thus preserving one true chain and finality. In proof of stake, there’s no such incentive, just confusion. That’s why a trusted recent state must be established upon joining, so that new nodes can verify validators on all new transactions for themselves.
Opponents of proof of stake claim that this is a very big deal. The whole point of a blockchain is non-reliance on a third party. Nevertheless, for many users, acquiring the state from existing nodes is trivial. Since you only need to acquire the state if you’ve been offline for some period, the thinking goes you can trust the rest of the network to maintain security and act honestly.
Long-Range Revert Limit
Of course, Casper puts some measures in place to mitigate this subjectivity, and Vitalik Buterin and the research team describe it as weakly subjective. The main problem with subjectivity is attackers creating a false chain and broadcasting it as legitimate. Normally, Casper would punish false chains by forcing the bad actors to surrender the collateral that they staked. However, if bad actors publish a chain well after they’ve withdrawn their collateral, then there’s no way to punish them.
As such, Casper implements a revert limit on how far back nodes can accept changes to the chain, based on the length of a node’s deposit. For example, a node with a deposit length of four months could not accept a change that extends six months into the past. Under these conditions, the subjectivity of the chain is very weak. A node is only vulnerable to receiving wrong information if they’re a brand new node or have been offline for a significant period of time. In that case, Casper places the onus on the new node to check multiple sources for the blockchain state, including friends, block explorers, and businesses they interact with.
It’s also important to realize that a subjectivity attack is only possible when a large cartel of previous verifiers conspire together to create an invalid chain. The chances of such an attack occurring are very low, and typically there should only be one chain to choose from. Once a node is on the right chain, it can watch for and easily detect fake chains.
Nothing at Stake
Early on in the development of proof of stake protocols, there were only rewards for correct blocks and no penalties. This creates an imbalanced system where the validators on the network have nothing to lose. In this scenario, it makes sense to validate every single chain, no matter the likelihood of it becoming the canonical chain. Validators would say yes to everything, knowing they would eventually receive an award, no matter which chain won out. As a result, early proof of stake blockchains became highly fragmented, with many orphan blocks and high inefficiency.
It also left proof of stake open to attacks. Altruistic actors will always vote for the main chain. However, rational actors will always vote on multiple chains, because it maximizes their chance of earning a reward. In such a system, rational nodes will automatically vote for malicious chains. A bad actor needs only overwhelm the number of altruistic nodes, not the whole network, in order to carry out an attack. Additionally, it becomes cheaper to bribe nodes into joining your attack when there’s nothing to lose from participating.
There are two potential solutions to solving the nothing at stake problem:
Penalize nodes that vote on multiple chains at the same time
Known as Slasher, this provision only penalizes nodes that split their vote. As long as they choose only one chain (even if it’s the wrong chain), they won’t lose anything. As soon as they choose multiple chains, however, they’re immediately penalized. For example, if there are two options for the next block, A and B, a validator should choose either A or B, but not both. This mitigates the nothing at stake problem because multiple concurrent votes are punished, leading to greater agreement and finality.
The challenge with this approach is the blocks on multiple chains must line up to see who double voted. If the blocks aren’t synchronized–or in other words, if the list of validators isn’t published well before the fork–then it becomes difficult to determine who is double voting. Publishing the list of validators early has its own drawbacks, since it requires nodes stay constantly up to date on the state of the network. It also opens the door for collusion between upcoming validators if they know well ahead of time and can orchestrate an attack.
Penalize wrong votes, full stop
Whereas Slasher only penalized multiple votes, Casper’s solution will penalize any and all wrong votes for false chains. Votes from false chains can be incorporated into the block header of the main chain so that any outside vote yields a net negative for the validator. Only a vote on the true chain results in a positive benefit.
Aside from its simplicity, punishing wrong votes is valuable because it emulates the existing economics of proof of work. Vitalik Buterin has noted on the Ethereum blog that all forms of consensus are essentially placing bets on which outcome will win. In the case of proof of work, miners bet their hardware and electricity costs, and they waste those bets if they work on the wrong chain. There is a high incentive for finality–the creation of one true chain.
By penalizing wrong votes, Casper reintroduces the idea of betting, but it also raises the stakes. Validators stand to lose a lot more from wrong votes than they do to gain from correct votes. The incentives are strongly stacked in favor of finality. In addition, penalizing wrong votes doesn’t require the Casper protocol to publish upcoming validators ahead of time, avoiding collusion attacks and the need for all nodes to stay up to date on the network.
Like proof of work, proof of stake is still vulnerable to 51% attacks. However, the character of these attacks would be much different. First, coordinating such an attack would not be a matter of processing power, as in proof of work, but of the amount of wealth staked. If an actor or cohort amassed 51% of all the ether staked, then they would have a 51% chance of being chosen as the block validator, opening the door for a few key types of attacks:
- Finalize and accept block B, even after block A had previously been accepted
- Finalize an invalid block
- Stop validating blocks altogether, bringing the blockchain to a halt
- Censor certain transactions from entering the blockchain
Despite its remaining vulnerability to 51% attacks, there are opportunities for the network to resolve such issues even in the face of an attack. These include social coordination between honest nodes on outside channels about which block to favor, using fraud and validity proofs to detect and reject invalid blocks, and decreasing a node’s chances of being chosen as a validator if they fail to participate in consensus over time.
Ultimately, though, censorship is the biggest challenge for Casper, and for blockchains generally. Even in a proof of work context, miners who control a large percentage of mining capacity have a major say over which transactions get included in blocks. This challenge is difficult to resolve on a protocol level, because the blockchain itself has no way of judging whether a transaction got rejected for fair reasons. Under such circumstances, the minority’s best option is to create a new fork and stop contributing to the censoring majority’s chain.
If Ethereum’s researchers can overcome the complexities of creating a proof of stake protocol, moving to proof of stake opens the door for new options to grow Ethereum’s transaction capacity. With any blockchain, there are essentially four ways to increase potential transaction volume:
Decrease the block interval so new blocks get confirmed faster
In Ethereum’s current PoW implementation, decreasing the block time would mean more orphaned blocks where two miners discover a block at or near the same time. Eventually, one of those blocks will go unused, but both miners will receive some reward for discovering a valid block. The more orphans the network has, the more expensive the overall security of the blockchain.
However, with proof of stake, we can easily decrease block time because the next verifier is already known to the network. There’s no racing and no possibility of orphan blocks. PoS is deterministic, meaning there’s only one (or a group) authorized verifier at a time.
Increase the block size so more transactions get confirmed with every block
In Ethereum, we would accomplish this by raising the gas limit per block so that more and more complicated transactions could verify on the blockchain with each new block. Under the current PoW protocol, however, this would also result in more orphaned blocks. A higher gas limit encourages more miners to enter the system, throwing off the economics of the Ethereum network. A deterministic PoS consensus, on the other hand, remedies this situation as well since verifiers are pre-selected. We can increase the block size and decrease block time simultaneously, leading to massive gains in transaction throughput.
Conduct some transactions in off-chain side channels
Bitcoin is all-in on this scaling solution with its implementation of the Lightning Network, and Ethereum is also working on it, though not as a part of the Casper update. Ethereum’s off-chain/side chain solution is known as the Plasma project. It has independent development goals and a longer timeline, but it aims at creating side channels for off-chain transactions, smart contract execution, and even independent side chains that can ultimately settle on the main blockchain when participants are done using them. The blockchain itself doesn’t need to bear the transaction burden, but smart contracts insure that off-chain transactions can be predictably reconciled on-chain at any time. Hence, those transactions hold the same validity as ones on chain.
Divide the mining network into smaller sub-networks that each confirm a part of the new block
Popularly known as sharding, the division of labor among multiple smaller mining groups enables transaction throughput to scale as the network grows. Sharding is the ultimate scaling solution since as a few nodes join the network, they can form a new verifier group and confirm a certain number of transactions. This cycle of network growth and transaction growth continues indefinitely, with no theoretical limit.
Ultimately, Casper will incorporate sharding. Vitalik Buterin has described it as Ethereum but “split into thousands of islands.” Each island works on it’s own problems and can even specialize with its own features. A sharding protocol will eventually connect all the islands together in an integrated network. This solution is ambitious and comes with many major technical challenges. The greatest challenge is how to manage smart contracts that need a single source of truth and state across multiple shards (or islands). Vitalik has promised that Casper will deliver state sharding in the long term.
FFG vs. CBC
Currently, the Casper name applies to two separate but associated projects at Ethereum:
- Casper the Friendly Finality Gadget (FFG) introduces proof of stake as a layer atop Ethereum’s current proof of work system. This PoS layer will not confirm blocks or add transactions yet. Instead, it will verify the current block every 50 to 100 blocks and provide transaction finality via PoS. When implemented, Ethereum will be a hybrid system with PoW consensus and PoS checkpoints.
- Casper the Friendly GHOST: Correct-by-Construction (CBC) is a longer-term project with a theoretical focus. It uses formal logic and first principles to research, model, and eventually create a comprehensive proof of stake consensus mechanism with sharding.
FFG will be implemented first and includes practical proposals for things to change in the near future. In fact version 0.1.0 of FFG is already available on GitHub for review. CBC, by contrast, is a longer-term play at testing an agile methodology toward consensus mechanism development.
Casper will take years to fully launch, but its implementation will take Ethereum into a new phase of scalability and usefulness. It’s important to keep in mind, however, that the early versions of PoS will not be decentralized. As Ethereum tests staking mechanisms, only a few participants will be allowed to join. The earliest version anticipates wallets with over $1 million in ETH will be able to participate. Over time, that number will decrease, but it will take time and a lot of work on the underlying protocols.
This is by no means a short-term project. The Ethereum team has shown that they’re being thorough and cautious with their development. Considering the Ethereum network is a multi-billion dollar entity with enormous enterprise clients watching closely, caution and a slow transition is the safest bet. Ultimately, the move to implement Casper will take years to fully realize, but if they can pull it off it will be worth the effort.