Skip to content

Instantly share code, notes, and snippets.

Created April 24, 2018 02:18
Show Gist options
  • Save djrtwo/bc864c0d0a275170183803814b207b9a to your computer and use it in GitHub Desktop.
Save djrtwo/bc864c0d0a275170183803814b207b9a to your computer and use it in GitHub Desktop.
Analysis of Casper PoW Reward Reduction

Analysis of Casper PoW Reward Reduction

EIP 1011 - Hybrid Casper FFG proposes further reducing PoW block reward from 3 ETH to 0.6 ETH. The EIP briefly mentions that this is "because the security of the chain is greatly shifted from PoW difficulty to PoS finality and because rewards are now issued to both validators and miners." This document is to serve as an addendum to that statement, providing additional data, analysis, and arguments.

We aim to show that in Hybrid Casper FFG with an 80% reduction in block reward:

  • a PoW attack on the finality enabled chain cannot do much in comparison to a pure PoW attack
  • a pure PoW attack just as costly as other prominent PoW chains
  • there are options in the event of an attack
  • all of the above is a strong discouragement for an attack to be conducted in the meantime before full pos

What can a PoW attack do?

An attacker can do far less when attacking the Hybrid Casper Ethereum network than a standard PoW network because of economic finality from FFG. A successful PoW attack on Hybrid Casper chain can only revert blocks since the last finalized checkpoint which will normally be on the order of 50-100 blocks (10-20 minutes), whereas a 51% attacker on pure PoW chain can do much deeper chain reversions.

Cost of 51% attack compared to top PoW networks

The table below shows the hashrate and approximate cost to attack the top four PoW blockchains by marketcap/PoW security -- BTC, ETH, BCH, and LTC. "Casper ETH" is the post-Casper hybrid PoW/PoS chain with an assumed 80% reduction in hashrate.

To conduct a 51% attack through owning hardware, an attacker must either double the hashrate of the current network by doubling the hardware on the network (Hardware Cost) or they must buy more than half of the existing hardware of the current network (51% Attack Cost). There are theoretically cheaper alternatives than purchasing hardware such as bribe attacks, but the cost to purchase hardware provides an excellent base comparison of PoW protocols.

Network Hashrate $ / hashrate Hardware Cost 51% Attack Cost
ETH 250 Th/s $15 / Mh/s $3.8B > $1.9B
Casper ETH 50 Th/s $15 / Mh/s $750M > $375M
BTC 3e7 Th/s $180 / Th/s $5.4B > $2.7B
BCH 3e6 Th/s $180 / Th/s $540M > $270M
BTC 2017/4 3.5e6 Th/s $180 / Th/s $630M > $315M
LTC 200 Th/s $1.3 / Mh/s $260M > $130M

"BTC 2017/4" represents the Bitcoin network/hashrate in April of 2017.

Of note:

  • Costs roughly the same to 51% attack Casper ETH as it would have to attack BTC one year ago.
  • Costs roughly the same to 51% attack Casper ETH as current BCH network.
  • Costs more to 51% attack Casper ETH than the current LTC network.
  • Casper ETH is still in the top 3 most secure PoW chains without taking into account any of the security from staking.

Hardware Costs

BTC/BCH hardware cost based on Antminer S9:

  • Cost: $2500
  • Hashrate: 14 Th/s
  • Cost per hash: ~$180 per 1 Th/s

ETH hardware cost based on Radeon R9 295X2 GPU rig:

  • Cost: ~$4000 (6 cards + additional hardware)
  • Cards: 6
  • Hashrate: 270 Mh/s
  • Hashrate per card: 45 Mh/s
  • Cost per hash: ~$15 per 1 Mh/s ($15000 per 1 Gh/s)

LTC hardware cost based on Antminer L3+:

  • Cost: $665
  • Hashrate: 504Mh/s
  • Cost per hash: ~$1.30 per 1 Mh/s ($1300 per 1 Gh/s)

Cost to 51% attack ETH assuming 100% Bitmain ASICs

Network Hashrate $ / hashrate Hardware Cost 51% Attack Cost
ETH 250 Th/s $4.44 / Mh/s $1.1B > $550M
20% ETH 50 Th/s $4.44 / Mh/s $220M > $110M

Assuming the majority of the network is already ASICs and that it can be attacked by acquiring these ASICs, this bumps Casper ETH down to be roughly on par with LTC in terms of PoW security. Again, this is a very expensive attack and the bounds of the attack are severely constrained when operating in the context of the finality gadget.

ETH hardware cost based on proposed Antminer E3:

  • Cost: $800
  • Hasrate: 180 Mh/s
  • Cost per hash: $4.44 per 1 Mh/s ($4.44e6 per 1 Th/s)

Resisting 51% Attacks

Fork It

Due to the Ethereum network's stated goals to move to full PoS as soon as possible, the community would be open to a radical PoW hash algorithm fork in the event of an attack. The network could switch to an algorithm that is not IO bound at all, e.g. SHA3, which would mitigate the attack. This would also provide ~6-12 months before new ASIC hardware could be developed, buying time to complete the full PoS transition.

Resist Censorship

In the case of a majority coalition censoring Casper votes, a minority coalition of miners can begin to ignore these vote-less blocks, only building on top of blocks with votes. This would essentially fork out the vote censoring miners after finality occurs on this minority mining chain because finality has top preference in the forkchoice.

But what about block confirmations

Generally, when sending crypto transactions, we rely on "block confirmations" to be reasonably sure that the sent transaction is and will remain in the canonical chain. The idea is that the deeper a block is in a chain, it will increasingly less likely be orphaned due to normal network conditions. It does not say much about how likely the block is to remain in the chain in the context of a 51% attack.

Exchanges are likely where crypto users have had to deal with confirmations most explicity. Each exchange has standard acceptable block confirmations for each cryptocurrency depending on the security and particular features of each blockchain. Below is a compilation of a number of prominent exchanges and their associated ETH and BTC block confirmations for new deposits.

Exchange Eth Confs BTC Confs
Kraken 30 6
GDAX 50 3
Gemini 12 3
Bitfinex 25 3
Binance 30 2

Although lacking concrete historical data, personal experience demonstrates that these numbers have not fluctuated much (at all?) since June 2017 when the Ethereum network hashrate was about 20% of the current hashrate. From the perspective of the exchanges, 12 to 50 block confirmations was reasonable with 20% of today's PoW current security.

After Casper, if the hashrate drops 80%, the Ethereum network will have PoW block confirmations equal to the security of the chain from less than one year ago plus economic finality on the order of ~20 minutes which is on the low end of standard bitcoin confirmations.


We gain much more in FFG economic finality than we lose in an 80% reduction in hashrate. Conducting a 51% attack on the post Casper fork network is competively as costly as other PoW networks, but an attacker would be able to inflict far less damage. In the event of an attack, the network has effective strategies to resist and avoid the attacker. The costliness and ineffectiveness of such an attack serves as a major discouragement to a potentional attacker as their resources would be much more effective and better spent attacking a pure PoW chain.

Any PoW attack would only hasten Ethereum's switch to full PoS in which mining is forked out entirely.

Copy link

How would one quantify the "at risk" capital during a finality epoch? Meaning, how much could be gained from an attack.

Also remember that the cost of an attack isn't a burned asset, so one could continue attacking if they've amassed enough hashrate. That happens and the stability of the network is probably in question.

Spending 375mm to attack a 65b coin ecosystem doesn't seem that crazy.

The analysis also assumes that hardware costs stay constant, where if the reward structure is changed the physical market constraints will definitely shift as well.

Actually, interestingly, you don't need a new resource base to be built to attack the network. It will already exist under the FFG 80pct scenario. It's already been built and paid for and will now be looking for a use. That's a much different scenario than someone having to invest additional capital to garner the scale to attack.

Why not create a reward reduction schedule? Every 250k-500k blocks it steps down? The market will solve for that much better than a single 80pct step. That could even be launched in preparation of FFG.

Copy link

Is there empirical evidence that a 5x reduction in block reward will lead to a 5x reduction in hash rate?
My gut feeling is that the relationship is non-linear. Trying to put together a dataset to check.

Copy link

nherceg commented Apr 25, 2018

I think so. If the block reward doubles, doubling the hashpower will result in equal profits per average miner (which is the assumption). Linearity could be broken over time by various factors though, for example by prices of GPU depending on demand or ETH price volatility. But it is reasonable to assume that in a parallel universe where block reward is the only difference, hashrate will be proportional to it at a given point in time.

Copy link

veox commented Apr 25, 2018

there are options in the event of an attack

Needs clarification: options to do what?

The network could switch to an algorithm that is not IO bound at all, e.g. SHA3, which would mitigate the attack. This would also provide ~6-12 months before new ASIC hardware could be developed

I don't think this is a sensible approach for mitigation. The NIST SHA3 family (and friends) have seen non-zero research, and have had experimental hardware for a while. (EDIT: Note that the hardware is quite universal/unoptimised, implementing all hashing algorithms on the same die.)

The timeframe to develop and manufacture such chips is likely much lower, since it doesn't have to be done "from scratch".

Copy link

Thanks for the complete guide.

Copy link

If you increase the hash rate performance, it would be better. However, Nvidia and AMD both have limited the hash rate in the new graphics cards.

Copy link

The estimated cost for a 51% attack on the Ethereum network, assuming the majority of the network consists of Bitmain ASICs, could exceed $550 million, rendering it a costly endeavor even when factoring in the use of proposed Antminer E3 hardware. In addition, the mitigation efforts by Nvidia and AMD to limit hash rates could further increase the difficulty and cost of executing a successful 51% attack on the Ethereum network using GPUs.
check the origin

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment