A brain dump on PoS vs PoW arguments

I just listened to the ultrasound money podcast by Justin Drake (https://www.youtube.com/watch?v=bWqhn1hXvVc) and the critique by ck_snarks ( http://povcryptopod.btc.libsynpro.com/debating-bitcoin-security-and-ultra-sound-money ). I found myself agreeing with Justin and disagreeing with the critique on most points, my two main disagreements with Justin being that (i) his concrete estimates on the cost to attack BTC really were a bit low, and (ii) the "Bitcoin is a battery" meme is dumb and we should let/help it die (see this excellent parody from deadalnix), though to his credit Justin did use the analogy in a different way. I also find that some of my disagreements with the critique are disagreements with deeper points that get brought up by the pro-PoW side regularly.

It really is relative security, and not absolute security, that matters

One criticism that was made to Justin's claim that the long-run economics of fixed-supply PoW are not good is that while the BTC-denominated block reward has been going down, the USD-denominated block reward has been going up, and the latter is what matters because it determines the actual level of security. This is wrong. The reason why it is wrong is that the security needs of a thing have to be proportional to the size of that thing, because as a thing gets bigger, its enemies become bigger and more well-motivated. If BTC were 100x as big as it is today, the value from destroying it would be 100x higher, and the kinds of actors that would want to care about destroying it would be much bigger and scarier. This is also why countries of all sizes have roughly similarly sized militaries as a percentage of GDP. Hence, cost of attack divided by market cap really is the correct statistic to measure, and in the long run issuance-free PoW really does look not that good.

Models really are good at seeing the long-term big picture here

I won't go into this in too much detail; instead I will link my own model from November: https://vitalik.ca/general/2020/11/06/pos2020.html

This gives the deep fundamental reasons why we should generally expect PoS to have a much higher security/cost ratio than PoW, which are independent of the specifics of any single algorithm or era. It's better to focus on that than to hinge the entire argument on (necessarily rough and low-information) calculations made with specific assumptions about manufacturers.

"Even if they can attack, why would they? It's not in their interests"

One common argument that gets made to assuage fears of a miner or pool getting 51% hashpower is: even if they do, why would they attack? That would destroy the golden goose that lays their eggs; it's not in their interests. But in reality, we cannot assume this; not only does it assume rationality, it assumes lack of outside incentives. The whole point of having high levels of security is to protect against attackers with outside incentives to break the chain. This is why my own approach to thinking about PoS security is "if they have $X billion, how many times can they break the chain before all their money gets slashed?". It's not about assuming rationality; it's only assuming limits on bad actors' economic resources.

"Trust a single actor because they have economic incentives" is a security model fit for centralized systems, not for blockchains.

Once you can do one type of 51% attack on a PoW chain, you really can do them all

A point made near the end of the critique podcast was that it's not correct to think of 51% attacks as being a single type of thing, because different kinds of attacks are different: censoring or reverting hours of activity requires hours of work, but censoring or reverting months of activity requires months of work, which is hundreds of times more. Once again, I disagree, and I actually think the approach of treating "51% attack capability" as a single thing is correct. This is because the bulk of the cost of an attack is hardware costs (last time I tried to estimate this, it was 2/3 hardware, 1/3 electricity). Hence, once you have the capability to attack for even a day, you're most of the way there to attacking as many times as you want until the community gives up and changes the PoW algo (or, better yet, moves to PoS).

The only exception I might grant is that one could hack into or shut down mining pools for a short period of time, but doing this for longer than a few hours is harder because the legitimate pool operators could respond, but it's worth remembering that the numbers of "$5 (or 10) billion to attack BTC" were already based on the attacker not being able to do this and having to get the hardware the hard way.

Miners contribute to non-greenness even if they are green

Energy is a semi-fungible market. Even if all BTC miners in the world were super-virtuous and made sure to only use very clean energy, the net effect of such a change would be that the cost of green energy for everyone else would go up (this is basic supply/demand mechanics) while the cost of non-green energy for everyone else would remain unchanged. Hence, the other businesses that care about the environment the least would use less green energy and more non-green energy.

Additionally, the environment is not the only negative externality; there are plenty of cases of mining farms using subsidized electricity (eg. see this one that got caught), so their use of electricity also adds a negative externality to local fiscal budgets.

Monetary premium really is a meme, and not "the basic properties of reality manifesting themselves"

An argument in the critique podcast has David arguing that monetary premium of an asset is a Schelling point (aka meme, aka legitimacy) that arises from implicit social coordination. CK says that this is false, and it's the inherent properties of the asset that make it win out.

I'm once again siding with David here; the world really does run on social coordination and memes, and cryptocurrency is arguably even entrenching that, not somehow getting away from it. The proof of this is simple: compare Bitcoin and any of the PoW fork coins that came after it. The only difference between them is that Bitcoin came first – a factor which has zero influence on its technical properties, but a lot of influence on meme value. One could argue that Bitcoin also has higher hashpower, but this is missing the fact that hashpower is itself caused by monetary premium. If some other PoW asset had a higher value and block reward tomorrow, the hashpower of the chain maintaining that asset would also be higher. Also, I just doubt that most people really understand or care about the difference between 15 exahashes and 150 exahashes.

What the pro-PoW arguments get right

Perhaps the best argument that was made or alluded to is that the physical hardware-driven nature of it adds friction even to very well-capitalized attackers: you need to wait a year for the hardware to get manufactured, the process necessarily involves many people, and there's a high risk that it gets detected while you're doing it. This is a genuine advantage of PoW. That said, it also has its flipsides: as Justin said in his podcast, it's very hard to mine at significant scales without being caught, whereas PoS is much more censorship-resistant.

Arguments about PoW as a distribution model are also fair and important; plenty of pure-PoS coins end up launching with very concentrated token supplies. That said, as Justin and others have mentioned Ethereum too benefits from that due to its ~6 years of mining, even though it is now switching to PoS.