PoW vs PoS – Economic Cost To Attack

Abstract: In this piece we compare the economic costs of attacking a Proof of Work network and a Proof of Stake network. We break down the analysis between the cost to rent the hashrate/stake and the cost to buy the hashrate/stake. We address the misconception that Proof of Stake networks are inherently much more expensive to attack due to the need to purchase the coins. We conclude by arguing that, in theory, the costs to attack each type of network are more similar than many may think.

Overview

The purpose of this article is to analyse the most appropriate way to compare the economic cost of attacking a Proof of Work (PoW) system with that of a Proof of Stake (PoS) system. In particular, we want to achieve the most appropriate like for like comparison for the cost of the attack. We were inspired to write this article because others have made some comparisons, typically concluding that PoS systems are much more expensive to attack. However, we do not think this is based on a fair like for like comparison. In this piece, we aim to make a key distinction between renting the hashrate or stake and actually buying the hashrate or stake. In our view, when comparing the economic costs to attack, one needs to decide whether one is considering renting or buying and then try to make a like for like comparison.

Thought Exercise

Let us conduct a thought experiment. However unrealistic it might be, let’s assume Kamala Harris appoints Elizabeth Warren as Vice Presidential (VP) candidate and that Kamala wins the 2024 American presidential election in a landslide. A nightmare scenario for the cryptocurrency ecosystem. In addition to her normal role as VP, let us assume that Warren also has the additional responsibility for cryptocurrency. Warren therefore builds her anti-crypto army, with a multi-billion dollar budget, in an attempt to shut down cryptocurrency networks. This is probably a useful thought exercise, as the point of these cryptocurrency networks is to make them as hard to shut down as possible. Therefore, let us consider how Warren would conduct these naive and expensive attacks and how much they would cost. Then let’s compare the costs for Bitcoin and Ethereum.

Full nodes and The Consensus Rules

Many consider that a key strength of Bitcoin, when compared to Ethereum, is that Bitcoin has full nodes, which have nothing to do with block production but play a key role in enforcing the consensus rules. Critically, these nodes have low running costs. Many Bitcoin users run these nodes, connect them to their wallets and have a culture of not upgrading these clients for consensus rule changes, unless there is overwhelming consensus across the entire community. The same does not exist in Ethereum, to the same extent. In this piece, we will try to ignore this apparent strength of Bitcoin and instead focus on the theoretical costs of attacking PoW and PoS networks. The argument is that Ethereum could in theory develop the same culture and network of enforcing the consensus rules as Bitcoin. PoS does not prevent this, except perhaps for the weakness that running a fully validating Ethereum node is more expensive, due to the need to verify the signatures associated with the staking process. In a way, ignoring this weakness is steel manning Ethereum.

The other point to address is that, in response to some of the basic attacks we will outline below, many in the Ethereum space indicate that the community would conduct a consensus rule change and confiscate the stake of the attacker. For the purposes of this piece, we will assume that neither Bitcoin nor Ethereum could effectively do that. Another way of thinking about this is that the attacker would have succeeded in forcing coordination and centralisation, which some may want to avoid. We are perhaps thinking way out into the future, when both protocols have ossified and there is no way to coordinate a protocol rule change without significant fragmentation.

The Cost To Attack

With a Bitcoin price of US$60,000 and a block subsidy of 3.125 BTC, assuming moderate fees, this implies the total annual revenue for the Bitcoin miners is around US$10 billion per annum. In our view, this is the single most important security metric. Bitcoin miners should spend up to US$10 billion per annum and if you want to attack Bitcoin, you may need to match that. But what exactly does it mean to match that? In this piece we break this down, between renting and buying.

Renting

The cheapest way to attack a PoW network would be to rent or lease the hashrate. In theory, if miner revenue is US$10 billion per annum, economically rational miners would be willing to lease the hashrate to you, if you offered them a little more than US$10 billion per annum. It is perhaps unrealistic to assume this, therefore, let’s assume you need to pay a 20% premium, to entice the miners, which is US$12 billion per annum. Of course, you do not actually need to spend $12 billion per annum, since after leasing the hashrate, you could earn the $10 billion per annum in revenue. Therefore, one can argue that the net cost of leasing the entire Bitcoin hashrate would only be $2 billion per annum.

Now, if you are Elizabeth Warren, you of course only need 51% of the hashrate to attack and fill the chain with empty blocks. On the other hand, when conducting this attack successfully, one could assume extreme Bitcoin price declines. Therefore, the net cost of this attack could be US$6 billion per annum, the gross cost of renting half the hashrate with a 20% premium.

The same logic can be applied to staking. If total staking income is US$3 billion per annum in Ethereum, then economically rational stakers should be willing to forgo direct staking for US$3 billion per annum in payments. Again, as with PoW, maybe we need to assume a 20% premium, so $3.6 billion per annum. This is a net cost of US$0.6 billion per annum to rent all the stake. Alternatively, if one wants to attack, perhaps one needs only a third of the stake, so just $1.2 billion per annum to bring the PoS network to a complete halt.
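The rental arithmetic from the paragraphs above, written as a small Python model. This is an added example, not code from the original article; the `Network` class, the function names and the `revenue_retained` parameter are assumptions introduced here, and `revenue_retained=0` generalises the article's point that the rewards may be worth little once an attack succeeds.

```python
from dataclasses import dataclass

BLOCKS_PER_YEAR = 144 * 365  # Bitcoin targets one block every 10 minutes


def subsidy_revenue_bn(price_usd: float, subsidy_btc: float) -> float:
    """Annual block-subsidy revenue in US$ billions, before fees."""
    return price_usd * subsidy_btc * BLOCKS_PER_YEAR / 1e9


@dataclass(frozen=True)
class Network:
    name: str
    annual_revenue_bn: float  # miner or staker income, US$ bn per annum
    attack_share: float       # share of hashrate/stake the attacker rents


def rental_cost_bn(network: Network, premium: float = 0.20,
                   revenue_retained: float = 1.0) -> tuple[float, float]:
    """Return (gross, net) annual cost of renting `attack_share`.

    gross: what the owners are paid, their forgone income plus the premium.
    net:   gross minus the block/staking income the attacker still collects.
    revenue_retained=1.0 is the article's "net cost" case; 0.0 models the
    rewards becoming worthless after a successful attack, so net == gross.
    """
    if not 0.0 <= revenue_retained <= 1.0:
        raise ValueError("revenue_retained must be between 0 and 1")
    forgone = network.annual_revenue_bn * network.attack_share
    gross = forgone * (1.0 + premium)
    return gross, gross - forgone * revenue_retained


# Revenue figures are the article's; the shares are the article's roundings
# (half the hashrate for a 51% attack, a third of the stake to halt PoS).
BTC_ALL = Network("Bitcoin, all hashrate", 10.0, 1.0)
BTC_HALF = Network("Bitcoin, half the hashrate", 10.0, 0.5)
ETH_ALL = Network("Ethereum, all stake", 3.0, 1.0)
ETH_THIRD = Network("Ethereum, a third of the stake", 3.0, 1 / 3)

if __name__ == "__main__":
    print(f"subsidy only: US${subsidy_revenue_bn(60_000, 3.125):.2f}bn")
    for n in (BTC_ALL, BTC_HALF, ETH_ALL, ETH_THIRD):
        gross, keep = rental_cost_bn(n)
        _, lose = rental_cost_bn(n, revenue_retained=0.0)
        print(f"{n.name:32} gross {gross:5.2f}  net(keep) {keep:5.2f}  "
              f"net(worthless) {lose:5.2f}")
```

The subsidy alone comes to just under the US$10 billion the article uses; the remainder is the "moderate fees" assumption.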

Therefore, we argue that one key comparable, when considering the economic costs to attack, is US$5 billion per year for Bitcoin vs US$1.2 billion per year for Ethereum. When normalising for the market capitalisations, the cost to attack is about the same, with Bitcoin around three times larger. This is of course not a perfect comparison, but in our view, it is about as good as one can do when trying to make a like for like comparison. Of course there are many moving parts, including the sustainability of Bitcoin mining revenue, in contrast to Ethereum’s perpetual emission. However, this is not necessarily a feature of PoW vs PoS; in theory a PoW coin could have a perpetual emission or a PoS coin could attempt to finance staking income entirely from fees.

As for the viability of this renting attack, Bitcoiners and Ethereans do not need to worry about Warren here too much. This attack is somewhat unrealistic. Indeed, if the attack started, asset owners could call their hashing power or stake back. The asset owners may be worried that the value of their assets could decline if the network was attacked. Here, of course, Ethereum and staking seem stronger. The US$100 billion valuation of the staked Ethereum exceeds the value of the Bitcoin mining assets. However, while this US$100 billion number is important, in our view, it’s not the key metric to compare with Bitcoin; it is the annual revenue that is more critical. On the other hand, the market value of the top listed Bitcoin miners is currently around US$28 billion. These miners control around a third of the Bitcoin hashrate, therefore you actually do get pretty close to the US$100 billion valuation of staked Ethereum. On the other hand, these listed Bitcoin miners could be overvalued due to a premium in their valuation due to the “pivot to AI” narrative. Also remember, Bitcoin’s market capitalisation is over three times as large as Ethereum’s. Therefore, even using these listed miners in the calculation, Ethereum still wins on this asset value metric by a factor of at least three, in percentage terms anyway. Ethereum stakers do indeed have more at stake, and this is important, just perhaps the second most important metric behind annual revenue.

One minor issue with the above analysis is that non-custodial hashrate leasing is reasonably simple. The miner could just give some form of control of their hardware over the internet, with limits, to the lessee and then revoke this access if an attack occurs. Renting out your stake in a totally non-custodial way is not necessarily possible, which could be a strength here, as it could make stakers more reluctant to rent out their stake, as there is more risk. On the other hand, this isn’t much of a strength for PoS systems: if miners rent out hashrate in a way that is easily revocable, then there isn’t really much risk here of a sustained attack to worry about. There are of course significant benefits of non-custodial staking services and people are hoping to build these (alternative coins to Ethereum claim they are already built), which would make staking systems more resilient in general. However, there must always be a large amount of risk, since slashing risk must be significant for staking to be meaningful, in our view.

Buying and Building

The next type of attack involves actually buying and building, buying mining hardware, facilities and power, or purchasing the stake. Firstly let’s consider buying up the stake.

If Elizabeth Warren’s anti-crypto department wanted to attack Ethereum, she could try to buy one third of the staked Ethereum and then shut down the network. One third of the staked Ethereum currently has a value of US$33 billion. It would of course cost a lot more than US$33 billion to buy up, since if someone tried to buy that much Ethereum, not least the US government, the price would skyrocket. This would therefore be a very expensive attack, costing perhaps up to US$100 billion in our view. And if this was pulled off, sure Ethereum may fail, but some Ethereans would have become wealthy in the process. The impact of such an attack on the ecosystem would be tremendous and a huge rally would occur in the price of alternative coins. Now that Ethereum is destroyed, speculators would try to determine which coin would replace Ethereum. Better yet, speculators would try to determine which PoS coin Warren would pile into next. This attack is therefore counterproductive and may not achieve what Warren wants.

The next thing to consider is an adversary trying to buy up the hashrate in a PoW coin and reach 51%, to produce empty blocks. Reaching 51% is likely to be very expensive and take a considerable amount of time, perhaps a number of years. This would involve buying up mining hardware, purchasing mining facilities, purchasing power contracts and hiring people to run these facilities and maintain the mining hardware. It is important to remember that new technology is being developed all the time, new facilities are coming online, new ASICs are being manufactured and new mining chips are being developed. In order for an adversary to reach 51%, one may also need to get involved in and finance chip research and development and ASIC manufacturing. Many of the above processes are extremely risky and have considerable execution risk. The government is likely to be far less effective and efficient at managing these risks and executing than the private sector. Therefore, the government may need to significantly outspend the private sector to be reasonably confident of achieving 51%. Due to the complexity and risk involved, the government may need to spend at least double what the private sector would spend or perhaps even more. This could result in costs approaching US$100 billion over several years, in our view, around the same or a little less than the costs of buying up a third of the stake in Ethereum, perhaps with much more execution risk than buying up stake. This is extremely expensive. And again, this would be counter-productive in that it would cause a massive amount of environmental waste, not necessarily consistent with Warren’s apparent objectives. Of course, one advantage the government has is that if the private sector finds out about the government’s plan, the private sector could reduce expenditure due to the lower expected returns on investment, making the attack cheaper.

One critical factor of PoW systems here is that the attacker may need to continue spending funds into the long term to maintain and sustain the attack, while for PoS systems it’s mostly a one-off cost. Bitcoin maximalists could just patiently wait out any attack. The attacker may eventually lose control of the hashrate and the network could recover. On the other hand, in PoS systems, once the attacker has a third of the stake, perhaps they can kill the chain forever. Of course there could be a hardfork to confiscate the attacker’s funds, just as a PoW system could hardfork to change the hashing algorithm. But assuming there is no consensus rule change, the advantage for PoW systems is that the attacker must pay to sustain the attack, perhaps indefinitely. This is somewhat related to what PoW advocates consider a key weakness in PoS systems, the lack of an anchor to the real world.

Confiscation risk

A more feasible attack that Warren could engage in is attempting to confiscate a third of the stake or to confiscate half the hashrate, with force or using the law. This is mostly outside the scope of this article, which is focusing on the economic costs of a more classic form of attack. However, it is still worth considering what would be easier to confiscate. In terms of risk, confiscation of the stake from a small self custodial staker, using their own physical hardware, is about as hard as it gets. Transporting the stake is as easy as moving a private key and it’s very easy to move it across borders undetected. This is in stark contrast to mining hardware, which can be detected and seized in transportation. On the other hand, if staking is conducted using regulated custodial services, this seems even easier to confiscate than confiscating mining assets. Therefore, unsurprisingly, fundamentally the security of mining depends on the mining assets being distributed in many jurisdictions with mines being as small as possible. Likewise, staking security depends on users self staking, using their own hardware.

Of course if Warren does confiscate the majority of the hashing power, these mining assets could degrade and deteriorate over time, while others can build out infrastructure, such that the network could recover one day. In contrast, if an adversary obtains 33% of the stake, the chain is potentially doomed forever. In a PoW system, you at least have the chance to wait it out and return, hopefully unburdened by what has been.

Conclusion

The common view is that if you perform basic calculations on the cost to attack a PoW network and a PoS network, PoS networks are far more expensive to attack. In reality, when doing an imperfect like for like comparison of the costs, the values are more similar than many expect, with staking systems only slightly more expensive to attack. In summary, our logic relies on the assumption that to halt a PoS network you need a third of the stake, rather than 50% for a PoW network; and that building up and maintaining hashrate has far more execution risks than building up stake. Combined, these mitigate the higher costs of buying up loads of coins in the market.

Whatever one thinks of the resilience of PoS or PoW systems to a classic economic attack, for these networks to survive a well resourced state attack, distribution of the mining assets and staking agents is key. Unfortunately, both Ethereum and Bitcoin could do a lot better here. In the long term, censorship resistance may depend on the financial incentives of staking service providers and the distribution of cheap reliable energy across the globe.