Distributed & Decentralized Systems Curriculum
Decentralized Systems Β· Proof of Stake

Key Question

What fundamental problem prevents proof-of-stake from working with a simple longest-chain rule?

Deep Dive

Proof-of-Stake (PoS) replaces energy expenditure with financial commitment. Instead of buying ASICs and burning electricity, validators lock up (β€œstake”) their own coins as collateral. In return, they get the right to propose and vote on blocks. If they misbehave, their stake gets slashed (destroyed). The promise: security backed by money, not megawatts.

The nothing-at-stake problem is the reason PoS took decades to get right. In Proof-of-Work, if a miner sees two competing forks, they must choose one. Mining both would split their hashpower and waste resources β€” it’s physically impossible to mine two forks at full efficiency simultaneously. This natural cost makes forks eventually converge: rational miners rally behind the heaviest chain.

Proof-of-Work Fork Resolution:

   β”Œβ”€β”€β”€β”     β”Œβ”€β”€β”€β”     β”Œβ”€β”€β”€β”
   β”‚ A │────►│ B │────►│ C β”‚ ← Miners pick this fork
   β””β”€β”€β”€β”˜     β””β”€β”€β”€β”˜     β””β”€β”€β”€β”˜
                              (abandoned)
                    β”Œβ”€β”€β”€β”
                    β”‚ B'β”‚ ← Too expensive to mine both
                    β””β”€β”€β”€β”˜

Proof-of-Stake Nothing-at-Stake:

   β”Œβ”€β”€β”€β”     β”Œβ”€β”€β”€β”     β”Œβ”€β”€β”€β”
   β”‚ A │────►│ B │────►│ C β”‚ ← Validator signs here
   β””β”€β”€β”€β”˜     β””β”€β”€β”€β”˜     β””β”€β”€β”€β”˜
                         
                    β”Œβ”€β”€β”€β”     β”Œβ”€β”€β”€β”
                    β”‚ B'│────►│ C'β”‚ ← And also signs here
                    β””β”€β”€β”€β”˜     β””β”€β”€β”€β”˜
    Cost to sign both: β‰ˆ zero. Both forks survive forever.

In PoS, creating a block is just signing a message β€” it costs virtually nothing. A rational validator who sees two forks can sign blocks on both, collecting rewards from whichever wins later. There’s no penalty and no split resource. This means forks never naturally resolve; the chain can oscillate forever.

The long-range attack is an even scarier variant. An attacker who once held a large stake (say, 40% of all coins), then sold it, can go back to a point in history when they controlled those coins and fork the chain from there. Since their old keys still work for blocks they were eligible to create back then, they can build an alternate history that looks perfectly valid β€” and β€œcatch up” to the present. New entrants who weren’t around at that time can’t tell which chain is real.

These problems killed early PoS proposals (Peercoin, 2012). Solutions came in three flavors:

  1. Slashing: Put conditions in the protocol that detect equivocation (signing two different blocks at the same height). If caught, the validator’s entire stake is destroyed. Now signing both forks has a massive cost.

  2. Checkpointing / Finality Gadgets: Periodically, a supermajority of validators β€œfinalizes” a block. Once finalized, it cannot be reverted β€” even if an attacker builds a longer chain from before the checkpoint.

  3. Minimum Fork Choice Rule: Don’t just take the longest chain. Take the chain that doesn’t violate certain rules (e.g., must include the latest finalized checkpoint). This defeats long-range attacks because the fork choice rule rejects chains that fork before the last checkpoint.

Check Your Understanding

  1. Why can a PoW miner not profitably mine two competing forks simultaneously?
  2. What makes a long-range attack possible in naive PoS implementations?
  3. How does slashing disincentivize validators from signing multiple forks?

The β€œSo What?”

Nothing-at-stake was the single biggest obstacle to practical proof-of-stake. Understanding it explains why modern PoS systems (Ethereum, Cosmos, Algorand) all use slashing, finality, or committee-based randomness β€” features that seem overcomplicated until you realize they’re solving this fundamental problem.

✏️ Exercises

Proof of Stake & Modern Consensus: Exercises

Exercise 1: Nothing-at-Stake and Slashing

Consider a proof-of-stake system with 10 validators, each with 10% of the total stake. At block height 100, a network partition occurs: 5 validators see fork A, and 5 see fork B. Under a naive (no slashing) PoS design, explain:

  • What each validator would do
  • What happens to the two forks over time
  • How adding a slashing condition that punishes double-signing changes the outcome

Exercise 2: Ethereum Committee Calculation

The Ethereum Beacon Chain uses a fixed committee size of 128 validators per slot. A validator is assigned to exactly one committee per epoch. Given:

  • Total active validators: 100,000
  • Slots per epoch: 32
  • Committee size: 128

Calculate:

  1. How many validators are actively attesting in each slot?
  2. How many committees exist per slot?
  3. How often does each validator attest per epoch (on average)?
  4. What fraction of total validators attests per slot?

Exercise 3: Comparing Committee Selection

Consider three protocols:

  • Ethereum: Committees selected via RANDAO (public randomness, all validators partitioned into fixed-size committees each epoch)
  • Tendermint: No committees β€” every validator votes on every block
  • Algorand: Committees selected via VRF (private randomness, each user independently computes their eligibility)

Answer:

  1. Which protocol has the lowest communication overhead for selecting a committee? Why?
  2. Which protocol is most vulnerable to adaptive corruption (attacker can corrupt validators mid-consensus)? Why?
  3. For each protocol, estimate the fraction of total validators that participate in each block’s consensus. Is it all validators, a random subset, or a fixed subset?
πŸ‘οΈ View Solutions

Proof of Stake & Modern Consensus: Solutions

Exercise 1 Solution

Without slashing:

  • Each validator would sign blocks on whichever fork they see. The 5 on fork A sign A’s blocks; the 5 on fork B sign B’s blocks.
  • Both forks grow at the same rate (5 validators each). Neither fork outpaces the other. When the partition heals, all 10 validators see both forks. Since there’s no cost to signing both, each validator could sign on both forks, collecting rewards from whichever one ultimately wins. The forks never naturally resolve β€” the system is deadlocked.
  • Additionally, if validators can β€œhedge” by signing both, they have no incentive to pick one fork over the other.

With slashing (penalty for signing conflicting blocks at the same height):

  • During the partition, validators on fork A sign A’s blocks. Validators on fork B sign B’s blocks.
  • When the partition heals, each validator sees both forks. They MUST pick one. If they sign a block on both forks at the same height, they get caught (the two signatures prove equivocation) and lose their entire stake.
  • Since each validator will only sign one fork, the fork with more validators (or more accumulated stake-weight) will pull ahead. The smaller fork is abandoned, and consensus is restored.

Exercise 2 Solution

Given:

  • Total validators: 100,000
  • Slots per epoch: 32
  • Committee size: 128

Step 1 β€” Validators attesting per slot: Each slot has multiple committees of 128 validators. The total validators attesting per slot is: Total validators / Slots per epoch = 100,000 / 32 = 3,125 validators per slot

Step 2 β€” Committees per slot: Validators per slot / Committee size = 3,125 / 128 = 24.4

So there are approximately 24-25 committees per slot, each with 128 validators.

Since committees must be whole numbers: Ethereum assigns exactly 24 or 25 committees per slot depending on the epoch. Some validators may not be assigned every epoch (they β€œskip” a slot).

Step 3 β€” Attestation frequency per validator: Each validator attests exactly once per epoch (they’re assigned to one specific slot and one committee). Average: 1 attestation per epoch = 1 per 32 slots

Step 4 β€” Fraction attesting per slot: 3,125 / 100,000 = 3.125% of all validators attest each slot

Exercise 3 Solution

1. Lowest communication overhead for committee selection:

Algorand has the lowest overhead. Committee selection is done locally via VRF β€” each user computes a VRF with their secret key and the seed. No messages are exchanged to form the committee. The user simply knows they’re selected and includes their VRF proof in their first message.

Ethereum requires a distributed random beacon (RANDAO) which involves all validators contributing randomness over an entire epoch. Tendermint doesn’t select committees (everyone votes), so the overhead is zero for selection but maximal for voting.

2. Most vulnerable to adaptive corruption:

Tendermint is most vulnerable. Since the validator set is fixed for a long period, an attacker can observe who the validators are and corrupt them between rounds. In Algorand, each committee is freshly selected by VRF, so an attacker cannot predict who will be on the next committee until they reveal themselves. Ethereum is intermediate: committees rotate per epoch, giving a window for corruption.

3. Fraction of validators participating per block:

ProtocolFraction participatingType
Tendermint100%All validators, every block
Ethereum~3.125% (see Ex 2)Fixed-size committee per slot
Algorand~0.1-1% (adjustable via threshold)Random VRF-selected subset

Tendermint uses all validators for maximum security at the cost of O(nΒ²) communication. Ethereum uses fixed-size committees to scale to 500K+ validators. Algorand uses VRF-based random subsets to get the best of both worlds: scalable but unpredictably selected.