For those interested in understanding the tech rather than the typical bashing things as beneath them, I wrote up a detailed technical explainer of how Ethereum PoS works: https://0xfoobar.substack.com/p/ethereum-proof-of-stake


I find the complexity of that algorithm both impressive (since they seem to have made it work) but also quite worrying. I'm really not sure how such a beast can't be filled with bugs, not in the implementation but rather in the protocol.

I know a lot of very smart people are working on this, but I'd rather have something conceptually simpler to work as the base layer for a whole new economy.


There are large areas in cryptography where if you don't do it right the whole thing won't work at all. In that sense there are large parts that are self-verifying, which collapses complexity. I'm not saying it's all easy, just that experts can navigate through complexity because they know what to ignore by abstracting it and thinking about the properties it holds, not keeping in mind all the guts underneath. Maybe a good example is that you can use sha256 effectively in your code without knowing or focusing on how it works internally. You're interfacing with it through relatively easy properties it has.


There are even larger areas in cryptography where if you don't do it right the whole thing will work, and after a few months someone will make $1B by crashing your currency into oblivion.

Edit: if you want to see how that can happen, I like to take apart weak cryptocurrencies and show what's wrong with them. Someone paid me to do a public review of a thing called Stratis a while back, and I went to town. Here's a highlight. https://twitter.com/PLT_cheater/status/1235036182284820481

I still accept commissions doing code review. It's just too much fun.


Except cryptography usually relies on mathematical proofs. I'm not aware of such a possibility for distributed systems. I know Lamport did work on that subject, but I'm not sure if you can equate a TLA+ proof on some properties to a mathematical proof about the structure of numbers, nor do I know if Ethereum even has a TLA+ proof or equivalent of anything regarding the PoS protocol (I honestly don't know, so I may be completely wrong).


There has been some work on the topic, for instance https://eprint.iacr.org/2014/765.pdf

But the main issue in provable security is that you're trying to prove real world things with math, and so far we're quite bad at it. The more mathematical the thing you want to prove is, the better.


I wouldn't rely on experts being able to navigate through complexity as it happens quite a bit that a major bug in a protocol obliterating it completely is found 15 years after its inception...


Alternative being what exactly? Giving up on the whole "computers" idea?


Formal? Computer assisted proof checkers? Building strong cryptosystems is notoriously hard, especially when you start composing different systems since some are only secure given certain preconditions which are on you to remember and ensure.


Proof checkers only check for invariants you knew to check for. They're not future proofing against exploits, they're merely a solidification of what you knew about your attack surface at a time.


Good cryptography should be auditable, that means it should be simple. It should not rely on experts knowing their way through the complexity but should rely on mathematical guarantees.

Yes, the cryptography primitives should act like black boxes, no need to peek inside, but when a number of these black boxes are used together to form a high-level protocol a lot of subtle things can go wrong. For example, see the history of SSL/TLS: https://www.feistyduck.com/ssl-tls-and-pki-history/


Agreed that conceptual simplicity is always best, and the current Casper FFG + LMD-GHOST doesn't have provable guarantees yet (though seems to be working in practice). I'm excited to see slight modifications to the consensus/forkchoice algo that do have provable guarantees, like [Goldfish](https://www.paradigm.xyz/2022/09/goldfish) from Paradigm Research.


Cryptocurrencies impose some complex constraints on themselves that require complex solutions.

Conceptually banks and exchanges solved the consensus problem decades ago and they did it with a highly secured simple database and lots of crosschecks.

But if you trust nobody (except some developers somewhere) then things get tricky.


Could you go into more detail or provide references on where I could read up more on how banks do this? I've always wondered why we hear a lot about crypto exchanges getting hacked, but seldom about banks. What is it that banks are doing right (or crypto exchanges doing wrong) in terms of security?


Banking systems do not require consensus. So, it is a single party that has to make a trust decision with a counterparty that it partially trusts, but may potentially be a fraudulent party masquerading as a trusted party.

Crypto requires consensus among millions of untrusted and possibly malicious parties, i.e., no trust, all cryptography.

Both require cryptography to work (eg: online banking transaction vis-a-vis crypto currency transfer). But the former is well-known (Public Key Encryption and Symmetric Encryption) client and server with established trust relationships that can be cryptographically verified whereas the latter is a distributed system with untrusted nodes and has different dynamics.

The other issue is about correctness. If there is an error (system or human) in the banking system, there are compensatory transactions/procedures possible. Crypto has not evolved yet to accommodate these real world issues. It is also not proven that the crypto protocols are 100% correct. Therein lies the rub. The banking system is also not 100% correct, but has procedures to address the failures (complaint system, appeals, courts etc.), but with crypto there is no way to address the failure cases (hacks, lost wallets, corrupted drives, 51% attacks etc.).


First things that come to mind reading GP are the existing interbank payment clearing networks: Fedwire, CHIPS, SWIFT, etc.

And, on the contrary, SWIFT was hacked not so long ago: https://en.wikipedia.org/wiki/2015%E2%80%932016_SWIFT_bankin...


I'm not sure if you're half joking, but banks authenticate every single tenant in the transaction (from account owners to institutions) in the most rigid way. Fraud usually happens at the edge (credit card), but everything "inside" the system is a legally registered entity. It is completely integrated with the legal system.


> everything "inside" the system is a legally registered entity. It is completely integrated with the legal system.

Well then, that's not at all solving the same consensus problem that crypto solves.


They do solve the consensus problem but don't have the same constraints crypto does.

The consensus (of who owns what and how did that happen) is whatever the banking says it is at the moment. This works because society places a lot of trust in the actors and the checks and regulations surrounding them (e.g. liability regimes) as well as the ways to rectify mistakes (through the legal system).

Crypto adds the additional requirement that every participant of the system (even end users) can independently come up with the same state without a single entity being the arbitrator of truth. The tradeoff is added technical complexity and inefficiency (storage and computation).


Oh ok, yes from that point of view they're solving entirely different problems, for sure.


This is all about ledgers: traditional banks have a centralized ledger that only they can edit. In blockchains the ledger is decentralized; anyone can edit the ledger (based on specific rules), and this provides a lot of avenues of attack.


Making PoS scale to hundreds of thousands of nodes with commodity hardware is not simple though. Few projects have managed so far, and Ethereum wasn't designed for it from the outset, so it's even more difficult.


Of course they aren't really scaling to hundreds of thousands of nodes. At any given time only 120 nodes are involved in consensus.


But of course no system can scale to O(100k) nodes and retain reasonable availability and consistency properties.


> I'm really not sure how such a beast can't be filled with bugs

The one nice thing about crypto is that if there are bugs, the incentive to exploit them is large, so they will get found quickly.

How the problem is dealt with after the fact (e.g. ETH Classic hard fork) i.e. the governance model is the real interesting part.


The incentive is to discover them but exploit them after the switch to the new chain.


> The incentive is to discover them but exploit them after the switch to the new chain

You're always at the mercy of a hard fork that "fixes" the bug after the exploit.

This is what the Ethereum classic fork was about.


What if you get half the validators to conspire to benefit from the scam?


I'm a crypto skeptic, but I have to admit, one of the cool things about crypto-currencies is that they come with their own built-in bug bounty. If there's a bug, it will most certainly be found.


I'm not sure a criminal mind would advertise having found a bug in the algorithm. Instead it would probably try to capitalize on that bug for as long as possible while remaining quiet about it (assuming it's possible, of course).


Most people aren't bashing the tech, but bashing the excessive hype, fraudulent scams and money chasing.


It’s like… I can be fascinated by the creativity that goes into designing and making credit card skimmers that blend invisibly into an ATM, that doesn’t mean I like the theft…

Ref: https://news.ycombinator.com/item?id=32843961


Having read your article, I still don't understand one part. The claim that the honest validators in the face of a malicious superminority can eventually leak them out, but a malicious supermajority cannot do the same to an honest superminority. I figure there would need to be some other mechanism that would tip the balance in favor of the honest validators, otherwise it seems like majority should always win.


If you run a node, you're also checking that every block follows the rules.

A malicious supermajority cannot break the rules your client enforces, because your client will reject it.

Think of it as everyone running ethereum has a bunch of asserts() each block or communication it receives.


What are these rules? Say for instance 51% of validators decide to include a malicious transaction inside of a block, what rules would that be breaking?


Depends on what way the transaction is "malicious". If malicious means transferring funds that don't exist, it'll be noticed. If malicious means transferring funds out of an address it doesn't hold the key for, it'll be noticed, and so on.


> If malicious means transferring funds that don't exist, it'll be noticed.

Who cares?

As far as I can tell, a majority that wants to block a vote can do so freely and the only resolution is a fork where people just assume that the honest fork will win out.

I also think it's not a majority but actually just a little more than a third to block a vote for ETH.


And in the case that the malicious supermajority isn't breaking the rules? In the stated instance where they're omitting certain transactions, what rule would they be breaking?


I have a question if I may.

What mechanism is deciding who pays inactivity leaks?

It says that if a minority stop attesting then they will leak until eventually the attestors get to a supermajority. That makes sense.

It also says that, if a dishonest minority start a soft fork, the fact that they stop attesting on the honest fork means that they eventually leak out until the honest fork gets a supermajority.

That implies that, unless some mechanism has decided which is the honest fork, then all attestors will leak assuming that they aren't trying to attest to both blocks (which is illegal). But if all attestors are leaking then that supermajority won't occur will it?

So something must be deciding which is honest. But it can't be using the number of attestors/deniers because of USAF, i.e. where the honest fork is the less attested one.

So how does that work? How is honesty determined given that both forks are legal wrt rules and failed attestation is penalised but cannot be shown to be malicious (according to the doc).

Also, as an aside, how are leaks actually transacted? They can't be using the main transaction or none of the above would work. Is there some sort of shadow transaction system for staked ETH? If so, what mechanism decides the validity of the leak transactions?

Very interesting mechanism. Clearly a lot of thought has been put into it.
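A toy simulation of the inactivity leak as the question above describes it (an added example, not code from the article or from any Ethereum client): offline stake shrinks each epoch by an assumed constant fraction, a simplification of the real penalty that grows with time offline, until the online share reaches the 2/3 needed to finalize. The stake splits and the 1% per-epoch leak rate are constructed.

```python
SUPERMAJORITY = 2 / 3  # share of stake that must attest for a block to finalize


def online_share(online: float, offline: float) -> float:
    """Fraction of total stake held by validators that are still attesting."""
    return online / (online + offline)


def simulate_inactivity_leak(online: float, offline: float,
                             leak_per_epoch: float = 0.01,
                             max_epochs: int = 100_000):
    """Run the leak epoch by epoch until the online validators hold a
    supermajority again. Returns (epochs, online_share, offline_remaining).

    Assumed simplification: the offline stake loses a constant fraction each
    epoch, and online stake is left unchanged (no rewards during the leak)."""
    epochs = 0
    while online_share(online, offline) < SUPERMAJORITY:
        if epochs >= max_epochs:
            raise RuntimeError("no supermajority reached within max_epochs")
        offline *= 1 - leak_per_epoch
        epochs += 1
    return epochs, online_share(online, offline), offline


def epochs_to_finalize_table(splits, leak_per_epoch: float = 0.01):
    """For each (online, offline) stake split, the number of epochs until the
    online side can finalize. A split where the online side already holds a
    supermajority finalizes immediately (0 epochs)."""
    return {split: simulate_inactivity_leak(*split, leak_per_epoch)[0]
            for split in splits}


if __name__ == "__main__":
    # Constructed stake splits in arbitrary units; the 50/50 case is the
    # partition discussed in the thread.
    table = epochs_to_finalize_table([(90, 10), (60, 40), (50, 50), (40, 60)])
    for (on, off), epochs in table.items():
        print(f"online {on:>3} / offline {off:>3}: finalizes after {epochs} epochs")
```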


In case anyone's interested, from what I can tell from reading other writeups, there is no "honest fork" check. Each fork will independently deal with inactivity until they're able to finalise.

If that's the case, the article is correct in saying that a minority honest fork will finalise as would an honest supermajority fork. What it didn't mention is that the respective dishonest forks would too. If I've understood correctly.

Not really sure I get why this is a good thing.


Guess you can update this part now!

> 3. PoS (Ethereum, soon™)


Indeed! :)


Isn't it a little unfortunate that the acronym for Proof of Stake would be PoS? Couldn't they think of something else?


You mean people might confuse it with Point of Sale? /s


Don't be obtuse. They clearly imply people might think it means Point of Service.


I don’t think that’s an obtuse comment. I understood the article to be talking about Point of Sale the entire time because I live off the blockchain hype.


Hopefully the new algorithm is not a Piece of Shit.


I think you missed the joke. Or was it? Hmm, now I'm wondering!


I'm sure you can find a naughty word or phrase, or some other semantic collision, out of almost any 3-letter combination, in some language somewhere. Sure it's one of the more well known ones in a very common lingua franca, but we humans are smart and can context switch.

Edit: Actually not sure if you are talking about Point of Sale, Place of Service, Piece of $#!7, or something else. Case in point: context matters.


Ty for your service foo.


What's Substack? Is that new Medium?


It'll be okay like Medium used to be until it isn't and the funders turn it into Medium while seeking that return on investment. You're still better off owning your own blog in the long run.


Yeah it's like Medium except it has less fluff/self-promotion.


It's like Medium but wants you to pay for newsletters.


Which is fairer imo than paying for the whole site. I prefer creator control on which content is paid and which content is not.


That’s how I always thought about it yeah.


Article author here.

PoS validators have the power to propose new blocks and attest to the chain head. They cannot change the state transition function to allow false payments, just as BTC miners cannot use their block proposal power to mint arbitrary coin amounts.


If it's like BTC, then can't you spend coin, then attest that a different head was the correct chain, thereby undoing the transaction? (Assuming you have enough hashing power / staking power to get people to believe a different head)


Great question, PoS actually has stronger guarantees against double-spending than PoW does. For PoW you just need to temporarily rent enough hashpower to do a mild reorg.

PoS has a concept called "block finality", where once a block has been marked finalized it cannot be reorged without committing to getting slashed for 1/3 of total staked ether (several billion dollars). Blocks typically get finalized after 6 minutes. This is possible because you can explicitly check whether validators have voted (attested) for two separate blocks at the same chain height.


Article author here.

The tradeoffs between centralized control and permissionless primitives are better explored elsewhere, but the dangerously high costs of depending on a fickle intermediary for all transactions should be clear to any informed observer.

Consider a Russian citizen unable to flee Putin's wartorn regime because all personal life savings and assets have been frozen.

Just as private communications make some tradeoffs for not acquiescing to the surveillance state, so permissionless value transfer makes tradeoffs.

Also recommend a thread writeup on the importance of privacy I put together: https://twitter.com/0xfoobar/status/1502083084052836354


This is very well put. If you believe the trade-offs of permissionless and private communications (as granted by cryptography) are worth-it and you don't think similar trade-offs to value transfer are worth-it (as granted by cryptocurrencies) you have to be able to explain how you are tracing the risk-reward in both cases to arrive at different conclusions. I'm not claiming it's not possible but certainly some very fine-tuning of the weights involved is necessary to reach different conclusions.

The average opinion (as in, the most oft-repeated or most popularly represented through upvotes) in HN maintains opposite conclusions. Which is an interesting observation.


It's been explained countless times. The world has come together and numerous societies have agreed to not give money to North Korea. There is no comparable discussion or agreements about restricting communications among individuals. It's asinine to ignore all of the history and turmoil of North Korea, just about as asinine as creating a crypto currency for the express purpose of funding the Kim regime.


Hello, I read your twitter thread. While privacy is absolutely important, your reasoning is fundamentally flawed. In the context of financial transactions, we know from a ridiculous amount of history with banking regulations that it's not ordinary people who benefit from having complete privacy and anonymity in all matters. It's criminals and fraudsters who lie and misrepresent themselves to conceal the source of their funds and their activities. They'll gladly continue to use their privacy as a weapon to disguise themselves and further rob and steal. There is no other group that benefits as much from being able to transfer large amounts of money secretly. This can be verified over and over again, ask any traditional company that processes international remittances.

It doesn't really matter what kind of political activism you believe you're engaging in: the reality is, these nasties are the main people that benefit. They absolutely love what you're doing. Anyone involved in cryptocurrency, even tangentially, is complicit in this fraud because it's the only way these currencies have any significant value to begin with. And it will continue to happen for the indefinite future, because even with this new move ETH will still have no capital controls to prevent any of the massive market manipulation that happened over the last few years, that drove tons more fraud and ransomware and also resulted in the recent crash.

A system that tries to give privacy but does nothing to stop fraud is just creating worse problems under the false guise of helping people. I ask that you please stop working on these things and please stop promoting them until you can dial the whole thing back to rectify this situation. Any kind of "censorship resistance" without fraud prevention is not going to work. If enough people put their heads together they can solve this, but it will not happen with any of the supposed "privacy solutions" you mentioned. Yes, I'm aware the traditional finance system also has many of the same problems. It's not helping to recreate the exact same system but with even more layers of technical debt around it, which is essentially all you'll be able to do with any of the suggested tools.

Regarding the example of Russia, please see this comment: https://news.ycombinator.com/item?id=32013981

The system you have built specifically and explicitly provides much less cover to the Russian citizens than it does to Putin's regime, who will gladly adopt it and then turn around and use the proceeds to further oppress, murder and destroy. It is a net loss for privacy.


Article author here.

Supermajority attestations and block finalization, as well as withdrawal queues, prevent long-range attacks. To attempt to reorg a finalized block (blocks are generally finalized after 6 minutes) you have to commit to losing 1/3 of total staked ether, currently several billion dollars.

The only participants who can equivocate (vote for two blocks at the same height) are active validators so there is significant economic value at risk to pursue such an attack.
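The double-vote check the two comments above rely on, as an added example that is not from the article or any Ethereum client: given a set of attestations, report every validator that voted for two distinct blocks at the same height and the stake those validators would forfeit. The Attestation layout, validator indices and balances are constructed; surround votes, the other slashable condition, are not modelled.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Attestation:
    validator: int    # validator index (constructed sample)
    height: int       # chain height the vote targets
    block_root: str   # identifier of the block voted for


def find_double_votes(attestations):
    """Return slashing proofs (validator, height, roots) for every validator
    that attested to two or more distinct blocks at the same height.
    Re-broadcasting the same vote twice is harmless and is not reported."""
    votes = defaultdict(lambda: defaultdict(set))
    for att in attestations:
        votes[att.validator][att.height].add(att.block_root)
    proofs = []
    for validator, by_height in sorted(votes.items()):
        for height, roots in sorted(by_height.items()):
            if len(roots) > 1:
                proofs.append((validator, height, tuple(sorted(roots))))
    return proofs


def stake_at_risk(proofs, balances):
    """Total stake held by equivocating validators and its share of all stake.
    Reorging a finalized block needs conflicting votes from at least 1/3 of
    stake, so this is what an attacker commits to losing."""
    offenders = {validator for validator, _, _ in proofs}
    slashed = sum(balances[v] for v in offenders)
    return slashed, slashed / sum(balances.values())


# Constructed sample: six validators with equal stake, two competing blocks
# "A" and "B" at height 100.
BALANCES = {0: 32, 1: 32, 2: 32, 3: 32, 4: 32, 5: 32}
SAMPLE = [
    Attestation(0, 100, "A"), Attestation(1, 100, "A"), Attestation(2, 100, "A"),
    Attestation(3, 100, "B"), Attestation(4, 100, "B"),
    Attestation(5, 100, "A"), Attestation(5, 100, "A"),  # duplicate, harmless
    Attestation(2, 100, "B"),                             # double vote
    Attestation(4, 100, "A"),                             # double vote
    Attestation(3, 101, "C"),                             # other height, fine
]

if __name__ == "__main__":
    proofs = find_double_votes(SAMPLE)
    for validator, height, roots in proofs:
        print(f"validator {validator} voted {roots} at height {height}: slashable")
    slashed, share = stake_at_risk(proofs, BALANCES)
    print(f"stake at risk: {slashed} ({share:.0%} of total)")
```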


Theoretically, if somebody forked the Ethereum PoS blockchain and faked timestamps to catch up to the real chain’s height, would there be any way to know which was the original other than community agreement? Seems like PoW makes it impossible since duplicating the original chain is prohibitively expensive.

Not challenging the solution, just genuinely curious in how PoS works.


Great question. It's not timestamps but attestations (signed validator votes for pairs of checkpoint blocks) that determine the canonical chain head. This fork choice rule, known as LMD-GHOST, is different from PoW, which has a "greatest difficulty" rule for determining the canonical chain.

There is some element of bootstrapping who the original validator set was, known as "weak subjectivity". There's a great post from Vitalik exploring this further at https://blog.ethereum.org/2014/11/25/proof-stake-learned-lov...


Awesome, thanks!


Wasn't there a recent attack on Solana/Solend, where the attacker was willing to lose more than 30% for the chance to cash out and crash Solend at the same time?


The Solend drama was at the app-layer rather than the protocol-layer. Solana also runs PoS but its variant is a bit more handwavy and weaker imo, slashing rules are applied in a post-hoc human decision-making process rather than clear rules enshrined within the protocol.


Article author here.

Great questions; I should have explored the randomness beacon more. Ethereum uses [RANDAO](https://github.com/randao/randao), which is a distributed commit-reveal scheme where participants in the generation post a hash of their data in the commit phase and then at a later timestamp reveal the data preimage, and get slashed if they do not reveal a correct preimage. Then all participant data is aggregated together. This means that if there is at least one honest participant the generation will be random.

A supermajority (2/3rds) of validators is required to finalize a block; in the case of a 50-50 network partition, blocks would stop being finalized and attestation rewards would stop. Non-participating validators would slowly leak stake through the inactivity leak until online validators once again had a supermajority. This is the "self-healing" mechanism that allows both safety and liveness.
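A toy version of the commit-reveal scheme described above, as an added example (not the RANDAO contract or Ethereum beacon chain code): each participant commits sha256(preimage), later reveals, a withheld or mismatched preimage gets the participant slashed and excluded, and the correct reveals are XORed together. The participant names, the 32-byte contribution size and XOR as the aggregation are constructed assumptions.

```python
import hashlib
import secrets

SIZE = 32  # bytes per contribution (constructed choice)


def commitment(preimage: bytes) -> bytes:
    """Commit phase: a participant publishes only the hash of its secret."""
    return hashlib.sha256(preimage).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def run_round(commits: dict, reveals: dict):
    """One commit-reveal round.

    commits: participant -> preimage it committed to (commitment = sha256(preimage))
    reveals: participant -> preimage it reveals later, or None if it withholds

    Returns (beacon_output, slashed). A participant is slashed when it withholds
    or reveals something that does not hash to its commitment; only correct
    reveals are aggregated, so one honest uniformly random contribution makes
    the XOR uniformly random regardless of what the others chose."""
    published = {who: commitment(pre) for who, pre in commits.items()}
    acc = bytes(SIZE)
    slashed = set()
    for who, committed in published.items():
        revealed = reveals.get(who)
        if revealed is None or commitment(revealed) != committed:
            slashed.add(who)
            continue
        acc = xor_bytes(acc, revealed)
    return acc, slashed


def demo():
    """Constructed sample round: alice is honest, bob tries to swap his secret
    after seeing the other commitments, carol withholds entirely."""
    alice, bob, carol = (secrets.token_bytes(SIZE) for _ in range(3))
    commits = {"alice": alice, "bob": bob, "carol": carol}
    reveals = {"alice": alice, "bob": secrets.token_bytes(SIZE), "carol": None}
    return run_round(commits, reveals)


if __name__ == "__main__":
    output, slashed = demo()
    print("beacon output:", output.hex())
    print("slashed:", sorted(slashed))
```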

