Last September, the long-awaited Ethereum “Merge” finally occurred and the Ethereum network successfully transitioned from proof-of-work (PoW) to proof-of-stake (PoS). Prior to the Merge the security of the Ethereum (ETH) network had been guaranteed by proof-of-work, i.e., the same mechanism that still powers Bitcoin (BTC). Since the Merge the security of the Ethereum network is now guaranteed by the collective stake of hundreds of thousands of validators who are punished, or “slashed,” if they go offline, double sign transactions or otherwise misbehave.
This story is part of CoinDesk’s 2023 Mining Week, sponsored by Foundry. Lane Rettig is a core developer at Spacemesh, and a former Ethereum core developer. He’s an advocate for open source software, open protocols, and open systems.
On the face of it this may seem like a massive accomplishment for Ethereum because it allowed the network to completely retire proof-of-work mining and, thus, to significantly reduce its energy consumption. Indeed, amidst ongoing mainstream FUD (fear, uncertainty and doubt) around the energy intensity of proof-of-work mining, the Ethereum Foundation marketing machine spun the upgrade as the “greenification” of Ethereum and institutional investors who won’t touch bitcoin are now holding ether as a result.
As a former Ethereum core developer who briefly worked on the technologies behind the Merge I have mixed feelings about the upgrade. I feel that it’s a major technical accomplishment and has certain advantages for Ethereum, but I strongly disagree with the economic arguments used to justify it: among them that staking is less wasteful, more secure and increases profitability. Let’s pick apart these claims one by one.
Claim #1: Proof-of-stake is less wasteful
This is the main and most important claim made about the Ethereum Merge: that it reduced Ethereum energy consumption by around 99.5%. This figure is shortsighted and misleading for several reasons. Strictly speaking it is true that Ethereum’s energy consumption fell after the Merge, but what matters to humanity is total energy consumption.
All of those GPUs, or graphics processing units, that were previously used to mine Ethereum didn’t disappear overnight. Many found uses in other applications, most obviously mining other PoW chains or AI applications. Those GPUs exist because of Ethereum, in a sense, they still exist post-Merge, and many are still consuming a lot of energy. Older GPU models that have few other uses and have been retired have mostly found their way to landfills, which also isn’t the greenest outcome.
In other words, claiming a 99.5% energy reduction is accounting sleight of hand.
What’s more, today there are nearly 700,000 validators running on the Ethereum proof-of-stake Beacon Chain. While it’s possible to run many validators on one system, a conservative estimate still yields on the order of 10,000-100,000 computers running Ethereum, each consuming bandwidth, energy and terabytes of disk storage. While these machines use less energy than Ethereum’s old miners, there’s almost certainly far more validators than there were miners due to lower resource requirements (read: you can easily run a validator at home without specialized hardware).
Finally, the market for maximal extractable value, or MEV, has exploded in the wake of the Merge. MEV, which allows sophisticated actors with powerful computers to calculate arbitrage opportunities and bribe block producers to prioritize their transactions in order to capitalize on them, thrives in an ecosystem of hundreds of thousands of bribable validators. I don’t know what percentage of miners were participating in MEV prior to the Merge, but today 90% of validators are doing so.
And all of those arbitrageurs are now consuming enormous amounts of computational power: some likely even using those same GPUs, which have applications in high frequency trading and statistical arbitrage.
In short, looking strictly at energy consumed by miners is short sighted. One must consider the total social cost of operating a network, including, now, the opportunity cost of $41 billion locked in Ethereum stake, which cannot be put to more productive social use, such as investing in high potential projects.
Claim #2: Proof-of-stake is more secure
This is another primary claim made by proof-of-stake proponents. By now the topic has been explored to death and the details are beyond the scope of this article but the argument in brief is as follows: Proof-of-stake is more secure because it’s possible to surgically target an adversary who attacks a proof-of-stake blockchain by coordinating a social fork (otherwise known as a user activated soft fork, aka, UASF) to remove the attacker’s staked capital.
By contrast adversaries of proof-of-work networks have the advantage that, to render a 51% attack ineffectual, the network must also render all honest mining hardware ineffectual by changing the proof-of-work algorithm. This is a “nuclear option” because, while it would stop an attack by an adversary with powerful, specialized mining hardware called ASICs (short for application specific integrated circuits), it would instantly destroy the entire capital stock of all honest miners as well.
This argument doesn’t hold water for several reasons. Firstly, unlike in PoW, a cartel controlling more than half of the stake can silently, invisibly, and permanently capture the entire network. Secondly, an attack on a PoW chain is in the first place less likely than an attack on a PoS chain. It’s easier to attack a PoS chain because doing so doesn’t require scarce assets like hardware or electricity. Actually, it doesn’t require staked assets either: the attacker only needs to acquire keys of former validators, or very briefly operate a huge number of validators (anyway a profitable enterprise). With these keys in hand an attacker can carry out a long range, costless simulation attack, which would produce a blockchain that for all practical purposes appears equally valid to the canonical chain.
This problem is known among Ethereum developers as “weak subjectivity”: subjective because it relies on social information rather than math and cryptography, and weak because that information is imperfect and can be controlled by an adversary. In Ethereum that social information takes the form of adding known good “checkpoints” to the code to prevent reorgs that are too long, i.e., to prevent an attacking longer chain from replacing the legitimate chain. By contrast, in Bitcoin, the objectively verifiable longest chain always wins. Social coordination is handy in many situations but it’s far from trustless or apolitical, and Bitcoin’s “longest chain wins” rule is much more credibly neutral.
It’s worth noting here that adversarial forks also become costless under PoS, whereas in PoW one must convince miners to switch and mine on a different chain. “Work” must still be done to defend against and respond to these attacks, but the “work” takes a different form – and, as mentioned, it’s much more subjective.
Claim #3: Proof-of-stake increases profitability
A popular meme, “Ultrasound Money,” began circulating in Ethereum circles around the time of the Merge. It refers to the fact that the overall block subsidy fell substantially after the Merge. This, combined with the burn mechanism introduced a year earlier in EIP-1559 that burns tokens as network activity increases, means that the Ethereum network is often deflationary: in times of relatively high demand, the portion of burnt fees exceeds issuance.
Nevermind the fact that “sound money” refers to something else entirely and the fact that Ethereum monetary policy has changed so often means it’s not sound money; this doesn’t seem to discourage Ethereans.
The thing is, as articulated so well by Bitcoin OG Paul Sztorc years ago, network security doesn’t come for free and attempts to circumvent this fact are just more creative accounting. In an efficient market paying miners or validators less can only have two possible effects: either they stop mining/validating and go elsewhere, making the network less secure, or they get compensated in other ways.
Sztorc refers to the latter as “Obscured PoW.” In the case of Ethereum today there are two major forms of Obscured PoW and associated cost. The first, already discussed above, is the enormous opportunity cost of the locked capital.
The second, also alluded to above, is MEV, which represents money captured from unsophisticated, everyday network users. When the network spends more on security, miners consolidate, MEV opportunities diminish and everyday users pay more in the form of inflation. By contrast, with lower spending under PoS, everyday users pay instead in the form of hidden transaction fees due to MEV. Over $1 billion worth of MEV is estimated to have been extracted on the Ethereum network alone over the past two to three years, to say nothing of the various side chains and layer 2s, and cross-domain MEV between and among them.
A major milestone, with flaws
Ethereum-flavor proof-of-stake represents a major milestone in the development of public, permissionless distributed systems and consensus mechanisms. It’s an improvement over permissioned, delegated proof-of-stake and I’m happy that it exists. It likely has socially valuable use cases that we’ll understand better over time. But let’s not fool ourselves into believing that it’s somehow inherently better – less wasteful, cheaper and more secure – than proof-of-work.