Abstract: This paper compares the economic costs of attacking a PoW (Proof of Work) network and attacking a PoS (Proof of Stake) network. We analyze the costs of renting and of purchasing computing power or stake separately. We correct a common misconception that the cost of attacking a PoS network is necessarily higher due to the need to purchase tokens. We conclude that the theoretical difference in the cost of attacking these two types of networks is smaller than many people think.
Overview
This article aims to analyze the most economical way to attack a PoW system and a PoS system, specifically to make the most appropriate one-to-one comparison of the costs of an attack. We wrote this article because others have done some comparisons, generally concluding that PoS systems are more difficult to attack, but we believe that these comparisons are not based on a fair one-to-one comparison. In this article, we focus on the distinction between renting and buying computing power or stake. We believe that when comparing the economic costs of an attack, we need to first decide whether to consider renting or buying, and then attempt a one-to-one comparison.
Thought Experiment
Let's start with a thought experiment. While this may not be realistic, let’s assume that Kamala Harris appoints Elizabeth Warren as her vice presidential candidate, and Kamala Harris wins the 2024 U.S. presidential election in a landslide. This would be a nightmare scenario for the cryptocurrency ecosystem. In addition to her regular duties as vice president, let’s assume that Elizabeth Warren is in charge of cryptocurrency affairs. So, she assembles an anti-cryptocurrency army with a multi-billion dollar budget to try to shut down cryptocurrency networks.
This thought experiment makes sense because cryptocurrency networks are designed to be as difficult to shut down as possible. So, let's think about how Elizabeth Warren would conduct these expensive and potentially futile attacks, and how much they would cost. Next, we'll compare the cost of attacking Bitcoin to the cost of attacking Ethereum.
Full Nodes and Consensus Rules
Many people believe that a core advantage of Bitcoin over Ethereum is its large number of full nodes. These nodes, while not involved in block production, play a key role in enforcing the consensus rules. Importantly, these nodes are cheap to run. Many Bitcoin users run these nodes, connect them to their wallets, and have developed a culture of not upgrading these clients for changes to the consensus rules unless there is an overwhelming consensus across the community. This is not the case with Ethereum.
In this article, we will try to temporarily ignore this apparent advantage of Bitcoin and focus on the theoretical cost of attacking PoW and PoS networks. In theory, Ethereum could also cultivate a similar culture and network for enforcing consensus rules as Bitcoin. PoS itself does not prevent this; it is just that running a fully validating Ethereum full node is more expensive due to the need to verify the signatures associated with the staking process. In a way, by ignoring this weakness, we are steelmanning Ethereum.
Another issue that needs to be addressed is that in response to some of the basic attacks we will outline below, many in the Ethereum community have stated that the community will slash the attacker's stake through consensus rule changes. For the purposes of this article, we will assume that neither Bitcoin nor Ethereum can effectively do this. Another consideration is that an attacker may succeed in forcing coordination and centralization, which some people may want to avoid. Perhaps we are thinking about the future when both protocols have become ossified and cannot coordinate rule changes to the protocol without causing a major split.
Attack Cost
Assuming a Bitcoin price of $60,000, a block reward of 3.125 BTC, and modest transaction fees, this implies an annual revenue of about $10 billion for Bitcoin miners. We believe this is the single most important security metric. Bitcoin miners spend close to $10 billion per year, and if you want to attack Bitcoin, you probably need to match that. But what exactly does matching that mean? In this article, we will distinguish between renting and buying.
Renting
The cheapest way to attack a PoW network is to rent computing power. In theory, if miners earn $10 billion per year, then economically rational miners would be willing to rent you hashrate as long as you offer them slightly more than $10 billion per year. This assumption is perhaps unrealistic, so let's assume you need to pay a 20% premium to attract miners, or $12 billion per year. Of course, you don't actually need to spend $12 billion per year, because you can earn $10 billion per year by mining with the rented hashrate. So, arguably, the net cost of renting the entire Bitcoin hashrate is only $2 billion per year.
Now, if you were Elizabeth Warren, you would of course only need 51% of the hashrate to launch an attack that would fill the chain with empty blocks. On the other hand, when such an attack is successfully carried out, we can assume that the price of Bitcoin would fall sharply. So the net cost of such an attack might be $6 billion per year, renting half the hashrate at a 20% premium.
The same logic applies to staked interest. If total staked interest on Ethereum would generate $3 billion per year in revenue, then an economically rational staker should be willing to give up direct staking in exchange for $3 billion per year in revenue. Again, as with PoW, we need to assume a 20% premium, or $3.6 billion per year. This means the net cost of renting all staked interest is $600 million per year. Alternatively, perhaps only a third of the staked interest is needed to attack, so only $1.2 billion per year would be needed to bring the PoS network to a complete halt.
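The rental arithmetic of the two paragraphs above, written out as an added example that is not part of the original article. The function name and the `retained` parameter (the share of reward value the renter still collects once the attack is under way) are assumptions introduced here to show which of the quoted figures net off rewards and which do not.

```python
from fractions import Fraction

def rental_attack_cost(annual_revenue, share, premium, retained):
    """Net yearly cost of renting `share` of a network's hashrate or stake.

    annual_revenue: total miner or staker revenue per year, in $ millions
    share:          fraction of hashrate or stake that is rented
    premium:        markup paid to owners on top of the revenue they give up
    retained:       fraction of reward value the renter still collects
                    (1 = price holds, 0 = rewards become worthless)
    """
    rent_paid = annual_revenue * share * (1 + premium)
    rewards_kept = annual_revenue * share * retained
    return rent_paid - rewards_kept

PREMIUM = Fraction(1, 5)   # the article's 20% premium
BTC_REVENUE = 10_000       # $10 billion per year, in $ millions
ETH_REVENUE = 3_000        # $3 billion per year, in $ millions

def article_scenarios():
    """The four rental figures quoted in the text, in $ millions per year."""
    half, third = Fraction(1, 2), Fraction(1, 3)
    return {
        "BTC 100%, rewards keep value": rental_attack_cost(BTC_REVENUE, 1, PREMIUM, 1),
        "BTC 50%, rewards worthless": rental_attack_cost(BTC_REVENUE, half, PREMIUM, 0),
        "ETH 100%, rewards keep value": rental_attack_cost(ETH_REVENUE, 1, PREMIUM, 1),
        "ETH 1/3, rewards worthless": rental_attack_cost(ETH_REVENUE, third, PREMIUM, 0),
    }

def sensitivity(annual_revenue, share, steps=(0, Fraction(1, 2), 1)):
    """Cost of the same rental as the retained reward value varies."""
    return [rental_attack_cost(annual_revenue, share, PREMIUM, r) for r in steps]

if __name__ == "__main__":
    for name, cost in article_scenarios().items():
        print(f"{name}: ${float(cost):,.0f}M per year")
    print("BTC 50% at 0%, 50%, 100% retained value:",
          [float(c) for c in sensitivity(BTC_REVENUE, Fraction(1, 2))])
```

The full-network figures subtract the rewards the renter keeps, while the 50% and one-third figures assume the rewards are worth nothing after a successful attack.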
Therefore, we believe that a key comparable metric when considering the economic cost of an attack is $5 billion per year for Bitcoin vs. $1.2 billion per year for Ethereum. If you normalize for market cap, the cost of an attack is roughly the same, with Bitcoin being about three times that of Ethereum. This is certainly not a perfect comparison, but in our opinion, it is the best comparison when trying to make an apples-to-apples comparison. Of course, there are many moving parts here, including the sustainability of Bitcoin mining revenue, in contrast to Ethereum's perpetual issuance. However, this is not necessarily an inherent feature of PoW vs. PoS, and in theory, PoW coins could also have perpetual issuance, or PoS coins could attempt to generate staking income entirely from transaction fees.
As for the feasibility of this type of attack using rented hashrate or stake, Bitcoiners and Ethereum users don't have to worry too much about Elizabeth Warren. Such an attack is somewhat unrealistic. In fact, if an attack begins, asset owners can withdraw their hashrate or stake. Asset owners may be concerned that the value of their assets may decline if the network is attacked. Of course, at this point, Ethereum and its stake seem to have the upper hand. Staked ETH is worth $100 billion, which exceeds the value of Bitcoin mining assets. However, while this $100 billion figure is important, it is not the key metric for comparison with Bitcoin in our opinion; annual revenue is more critical. On the other hand, the current market cap of the top-ranked and already public Bitcoin miners is about $28 billion. These miners control about a third of Bitcoin's hashrate, so are actually very close to the $100 billion valuation of staked ETH. On the other hand, these already public Bitcoin miners may be overvalued because of the "pivot to AI" narrative. Also keep in mind that Bitcoin's market cap is over three times that of Ethereum. So even with these already public miners included in the calculation, Ethereum still wins on this asset value metric by at least a factor of three, as a percentage. Ethereum stakers do have more at stake, which is important, and perhaps the second most important metric after annual revenue.
One minor problem with the above analysis is that non-custodial hashrate leasing is relatively simple. Miners can offer some form of control of the hardware (with limitations) to a lessee over the internet, and then remove the lessee's access in the event of an attack. Leasing your stake in a completely non-custodial manner is not necessarily possible, and this can be an advantage because the greater risk makes stakers more reluctant to lease their stake. On the other hand, this is not much of an advantage for PoS systems: if miners can easily revoke rented hashpower, then there is no need to worry about the risk of sustained attacks. Of course, there are also great benefits to non-custodial staking services, and people would like to build such services (Ethereum competitors claim that they have already built them), making staking systems more resilient in general, but we believe that there must always be a large amount of risk because the risk of slashing must be large enough for staking to make sense.
Buying and Building
The next type of attack involves actual buying and building, which involves buying mining hardware, facilities, and electricity, or buying stake. We consider buying stake first.
If Elizabeth Warren's anti-cryptocurrency division wanted to attack Ethereum, she could try to buy a third of ETH's stake and then shut down the network. Currently, one-third of ETH staked is worth $33 billion. Of course, if someone tried to buy that much ETH, especially the US government, then the price would explode, so the cost of the purchase would be far more than $33 billion. Therefore, this would be a very expensive attack, and in our opinion, the cost could be as high as $100 billion. If the attack succeeds, Ethereum may of course fail, but some Ethereum users will become rich in the process. The impact of such an attack on the ecosystem would be huge, and the prices of Ethereum's competing tokens would rebound sharply. Now that Ethereum has been destroyed, speculators will try to determine which coin will replace Ethereum. Even more interesting is that speculators will try to predict which PoS coin Elizabeth Warren will invest in next. Therefore, this attack will be counterproductive and may not achieve Elizabeth Warren's goal.
The next thing to consider is that the adversary attempts to purchase hash power in the PoW coin and reach 51% to produce empty blocks. To reach 51% is likely to be very expensive and take a considerable amount of time, perhaps years. This would involve purchasing mining hardware, purchasing mining facilities, purchasing electricity, and hiring people to operate these facilities and maintain the mining hardware. It is important to remember that new technologies are constantly being developed, new facilities are coming online, new ASICs are being manufactured, and new mining chips are being developed. In order for an adversary to reach 51%, it may also be necessary to participate in and fund chip development and ASIC manufacturing. Many of the above processes are extremely risky, and the execution risk is considerable. Governments are likely to be far less effective and efficient in managing these risks and execution than the private sector. As a result, governments may need to spend significantly more than the private sector to achieve 51% with any certainty. Due to the complexity and risks involved, governments may need to spend at least twice as much as the private sector, if not more. In our view, this could result in costs approaching $100 billion over a few years, which is about the same or slightly less than the cost of purchasing one-third of the staked interest in Ethereum, but the execution risk may be much greater than purchasing staked interest. This is extremely expensive. Similarly, doing so would be counterproductive, as it would create a large amount of energy waste, which is not necessarily consistent with Elizabeth Warren's ostensible goals. Of course, one advantage for the government is that if the private sector finds out about the government’s plans, the private sector may reduce spending due to a lower expected return on investment, making the attack cheaper.
Here, a key factor for PoW systems is that the attacker may need to continue to spend money to maintain and sustain the attack over a long period of time, while for PoS systems this is mainly a one-time cost. Bitcoin maximalists can patiently wait out any attack. The attacker may eventually lose control of the hashing power and the network may recover. On the other hand, in a PoS system, once the attacker has a third of the staked interest, perhaps they can kill the chain forever. Of course, there may also be a hard fork to confiscate the attacker's funds, just as PoW systems can hard fork to change the hashing algorithm. But assuming there is no change in the consensus rules, the advantage of PoW systems is that the attacker must continue to pay costs to maintain the attack, perhaps indefinitely. This is somewhat related to what PoW supporters see as a key weakness of PoS systems, which is the lack of anchoring to the real world.
Risk of Seizure
A more feasible attack path that Elizabeth Warren could take is to attempt to seize one-third of the staked interest or half of the hashrate by force or legal means. This approach is beyond the scope of this article, which focuses on the economic costs of more typical forms of attack. Still, it is worth considering what is more susceptible to seizure. In terms of risk, it is easy to confiscate staked interest from small self-custodial stakers who use their own physical hardware. Transferring staked interest is as simple as transferring private keys, and can be easily transferred across borders without being detected. This is in stark contrast to mining hardware, which can be detected and seized in transit. On the other hand, if staking is done through a regulated custody service, this seems easier than confiscating mining assets. It is not difficult to understand, therefore, that fundamentally, the security of mining depends on whether mining assets are distributed across multiple jurisdictions and whether mining farms are as small as possible. Similarly, the security of staking depends on whether users stake autonomously using their own hardware.
Of course, if Elizabeth Warren did seize most of the computing power, these mining assets might degrade and deteriorate over time, while others could build infrastructure so that the network could one day recover. In contrast, if an adversary obtained 33% of the staked interest, the PoS chain might be doomed forever. In a PoW system, you at least have the opportunity to wait out the attack, get rid of the burden of the past, and recover the network.
Conclusion
It is generally believed that if a basic calculation of the cost of attacking PoW networks and PoS networks is performed, the cost of attacking PoS networks is much higher. In fact, when the costs are not completely compared like for like, the difference between the two is smaller than many people expect, and the attack cost of staking systems is only slightly higher. In general, our logic is based on the following assumptions: to attack a PoS network, you need a third of the stake, rather than the 50% needed for a PoW network; and there is more execution risk in building and maintaining computing power than in building stake. Combined, these factors mitigate the higher cost of buying a large number of tokens on the market.
Whatever one thinks about the resistance of PoS or PoW systems to classical economic attacks, in order for these networks to survive attacks by well-resourced states, the distribution of mining assets and staking agents is key. Unfortunately, both Ethereum and Bitcoin have room for improvement in this regard. In the long run, censorship resistance may depend on the economic incentives of staking service providers, and the distribution of cheap, reliable energy around the world.