Analysis of Casper PoW Reward Reduction
EIP 1011 - Hybrid Casper FFG proposes further reducing PoW block reward from 3 ETH to 0.6 ETH. The EIP briefly mentions that this is "because the security of the chain is greatly shifted from PoW difficulty to PoS finality and because rewards are now issued to both validators and miners." This document is to serve as an addendum to that statement, providing additional data, analysis, and arguments.
We aim to show that in Hybrid Casper FFG with an 80% reduction in block reward:
- a PoW attack on the finality enabled chain cannot do much in comparison to a pure PoW attack
- a pure PoW attack just as costly as other prominent PoW chains
- there are options in the event of an attack
- all of the above is a strong discouragement for an attack to be conducted in the meantime before full pos
What can a PoW attack do?
An attacker can do far less when attacking the Hybrid Casper Ethereum network than a standard PoW network because of economic finality from FFG. A successful PoW attack on Hybrid Casper chain can only revert blocks since the last finalized checkpoint which will normally be on the order of 50-100 blocks (10-20 minutes), whereas a 51% attacker on pure PoW chain can do much deeper chain reversions.
Cost of 51% attack compared to top PoW networks
The table below shows the hashrate and approximate cost to attack the top four PoW blockchains by marketcap/PoW security -- BTC, ETH, BCH, and LTC. "Casper ETH" is the post-Casper hybrid PoW/PoS chain with an assumed 80% reduction in hashrate.
To conduct a 51% attack through owning hardware, an attacker must either double the hashrate of the current network by doubling the hardware on the network (Hardware Cost) or they must buy more than half of the existing hardware of the current network (51% Attack Cost). There are theoretically cheaper alternatives than purchasing hardware such as bribe attacks, but the cost to purchase hardware provides an excellent base comparison of PoW protocols.
|Network||Hashrate||$ / hashrate||Hardware Cost||51% Attack Cost|
|ETH||250 Th/s||$15 / Mh/s||$3.8B||> $1.9B|
|Casper ETH||50 Th/s||$15 / Mh/s||$750M||> $375M|
|BTC||3e7 Th/s||$180 / Th/s||$5.4B||> $2.7B|
|BCH||3e6 Th/s||$180 / Th/s||$540M||> $270M|
|BTC 2017/4||3.5e6 Th/s||$180 / Th/s||$630M||> $315M|
|LTC||200 Th/s||$1.3 / Mh/s||$260M||> $130M|
"BTC 2017/4" represents the Bitcoin network/hashrate in April of 2017.
- Costs roughly the same to 51% attack Casper ETH as it would have to attack BTC one year ago.
- Costs roughly the same to 51% attack Casper ETH as current BCH network.
- Costs more to 51% attack Casper ETH than the current LTC network.
- Casper ETH is still in the top 3 most secure PoW chains without taking into account any of the security from staking.
BTC/BCH hardware cost based on Antminer S9:
- Cost: $2500
- Hashrate: 14 Th/s
- Cost per hash: ~$180 per 1 Th/s
ETH hardware cost based on Radeon R9 295X2 GPU rig:
- Cost: ~$4000 (6 cards + additional hardware)
- Cards: 6
- Hashrate: 270 Mh/s
- Hashrate per card: 45 Mh/s
- Cost per hash: ~$15 per 1 Mh/s ($15000 per 1 Gh/s)
LTC hardware cost based on Antminer L3+:
- Cost: $665
- Hashrate: 504Mh/s
- Cost per hash: ~$1.30 per 1 Mh/s ($1300 per 1 Gh/s)
Cost to 51% attack ETH assuming 100% Bitmain ASICs
|Network||Hashrate||$ / hashrate||Hardware Cost||51% Attack Cost|
|ETH||250 Th/s||$4.44 / Mh/s||$1.1B||> $550M|
|20% ETH||50 Th/s||$4.44 / Mh/s||$220M||> $110M|
Assuming the majority of the network is already ASICs and that it can be attacked by acquiring these ASICs, this bumps Casper ETH down to be roughly on par with LTC in terms of PoW security. Again, this is a very expensive attack and the bounds of the attack are severely constrained when operating in the context of the finality gadget.
ETH hardware cost based on proposed Antminer E3:
- Cost: $800
- Hasrate: 180 Mh/s
- Cost per hash: $4.44 per 1 Mh/s ($4.44e6 per 1 Th/s)
Resisting 51% Attacks
Due to the Ethereum network's stated goals to move to full PoS as soon as possible, the community would be open to a radical PoW hash algorithm fork in the event of an attack. The network could switch to an algorithm that is not IO bound at all, e.g. SHA3, which would mitigate the attack. This would also provide ~6-12 months before new ASIC hardware could be developed, buying time to complete the full PoS transition.
In the case of a majority coalition censoring Casper votes, a minority coalition of miners can begin to ignore these vote-less blocks, only building on top of blocks with votes. This would essentially fork out the vote censoring miners after finality occurs on this minority mining chain because finality has top preference in the forkchoice.
But what about block confirmations
Generally, when sending crypto transactions, we rely on "block confirmations" to be reasonably sure that the sent transaction is and will remain in the canonical chain. The idea is that the deeper a block is in a chain, it will increasingly less likely be orphaned due to normal network conditions. It does not say much about how likely the block is to remain in the chain in the context of a 51% attack.
Exchanges are likely where crypto users have had to deal with confirmations most explicity. Each exchange has standard acceptable block confirmations for each cryptocurrency depending on the security and particular features of each blockchain. Below is a compilation of a number of prominent exchanges and their associated ETH and BTC block confirmations for new deposits.
|Exchange||Eth Confs||BTC Confs|
Although lacking concrete historical data, personal experience demonstrates that these numbers have not fluctuated much (at all?) since June 2017 when the Ethereum network hashrate was about 20% of the current hashrate. From the perspective of the exchanges, 12 to 50 block confirmations was reasonable with 20% of today's PoW current security.
After Casper, if the hashrate drops 80%, the Ethereum network will have PoW block confirmations equal to the security of the chain from less than one year ago plus economic finality on the order of ~20 minutes which is on the low end of standard bitcoin confirmations.
We gain much more in FFG economic finality than we lose in an 80% reduction in hashrate. Conducting a 51% attack on the post Casper fork network is competively as costly as other PoW networks, but an attacker would be able to inflict far less damage. In the event of an attack, the network has effective strategies to resist and avoid the attacker. The costliness and ineffectiveness of such an attack serves as a major discouragement to a potentional attacker as their resources would be much more effective and better spent attacking a pure PoW chain.
Any PoW attack would only hasten Ethereum's switch to full PoS in which mining is forked out entirely.