Author: Richard Red, Decred contributor.
A blockchain’s consensus mechanism serves to ensure that there is agreement among participants on the current state of the blockchain. The consensus mechanism determines who is able to add new blocks of transactions, and one of its primary aims is to ensure that the chain is not re-written.
Proof of Work consensus
Blockchains with pure Proof of Work consensus (like Bitcoin) can only have new blocks added by miners, who deploy hardware that efficiently guesses the answer to a mathematical problem. Each time a miner makes a valid guess, they can construct a block that the network accepts. While miners can choose to mine any chain, the network will only accept the chain with the most accumulated Proof of Work (i.e., the most hashes, or guesses) as the legitimate chain. This means that miners are incentivized to mine on the longest chain, and when they see a valid new block, they will try to find the solution for the next block that allows them to build on top of the previous one.
The difficulty of re-writing the blockchain is what allows it to function as a ledger for financial transactions. When a transaction appears in a block that sends coins to a wallet, and several blocks have been built on top of that block (confirmations), it becomes unlikely that the block (and transaction) will be re-written.
If an entity controls enough hashing power to surpass the “honest chain,” it can re-write (or reorganize) the blockchain by mining on an “old” block instead of on the latest block. Here’s a simplified account of this kind of attack, also known as a 51% attack: The attacker spends in block X by sending to an exchange, then starts mining a parallel chain in private (blocks are not broadcast to the network). Once the required number of confirmations have passed, the attacker trades the coins for something else and withdraws that from the exchange. When the withdrawal clears, they release the parallel chain, and if it has more PoW (blocks) than the original chain, the network will accept it as the legitimate chain and the version of history represented by the original chain (including the attacker’s deposit) will disappear. The attacker is then free to spend these coins again.
As miners are the only entities that can directly add blocks to the chain in pure PoW cryptocurrencies, this grants them a strong role in governance. For any change to the network’s consensus rules to be adopted, it must have the support of a majority of hash power. “Soft forks” require enough miners to recognize a new rule set so users can transact and expect their transactions to be properly processed and included in blocks. “Hard forks” would split the network into two components, and by the commonly accepted rule of “the chain with most PoW is the right chain to follow,” miners would decide which one is accepted as legitimate.
Proof of Stake consensus
Proof of Stake consensus is an alternative method of deciding who can add new blocks and verify the current state of the blockchain. Instead of miners competing to solve a problem, with proof of stake, the next block producer is determined by some process based on the number of coins held in wallets (or “staked”). This process trusts that those with the most stake will make responsible decisions for the entirety of the network.
Proof of Stake consensus eliminates the need for energy-intensive mining, but the lack of significant energy expenditure creates another problem, sometimes referred to as “nothing at stake.” In the case of a forked chain, PoS forgers (“forging” is generally used instead of “mining”) are incentivized to validate blocks on both chains because it costs them very little to work on an extra chain and they can collect rewards on both chains. This is a problem for the network because there is only supposed to be one chain and agreeing on the state of that single chain is the whole purpose of the consensus mechanism.
Proof of Stake has an additional problem with regard to the distribution of tokens. PoW miners have significant costs (hardware, electricity) and must typically sell a significant portion of their mined coins to meet those costs. As a result, many mined coins are available to purchase on the market, rather than being hoarded by miners. Proof of Stake forgers have very low operational costs, so do not have the same pressure to sell the coins they receive for maintaining the network. Large holders who engage in Proof of Stake tend to increase their share of the circulating coins as they collect block rewards and transaction fees from users of the network. This has been likened to feudalism, whereby the network is effectively owned and operated by coin holders, and users pay them a kind of rent for using it. There is usually some cut-off beneath which it is not possible to participate directly in Proof of Stake.
The objective of hybrid Proof of Work and Proof of Stake systems is to capture the benefits of the respective approaches and use them to balance each other’s weaknesses. Decred is among the few cryptocurrencies to utilize both PoW and PoS in recognizable forms and merge them together to produce a multi-factor or hybrid consensus mechanism.
“Masternode coins” are, in some senses, also hybrids, in that they have a recognizable Proof of Work component that performs a similar role as in Bitcoin, and an additional role for special nodes. There is typically a requirement that these special nodes hold a certain amount of the currency as collateral, to demonstrate that they can be trusted to act in the network’s best interests, which is similar to the rationale for Proof of Stake. Dash is the original masternode coin and refers to this model as Proof of Service. This article focuses on hybrids with a Proof of Stake component, and will not consider the array of coins which emulate masternodes or Proof of Service.
Decred’s PoW component works similar to other PoW-based projects and uses the Blake-256 hash function. Decred’s PoS component, and the way it is woven into the chain, is quite unique and worthy of further explanation.
To participate in Decred’s Proof of Stake, holders must time-lock their DCR to buy “tickets.” The price for an individual ticket is set by a market-like mechanism whereby the system is aiming for a set number of live tickets (40,960) - if there are more than the target number the price goes up, if there are less it goes down. When someone buys a ticket, the DCR they used is locked (i.e., they cannot spend it) until their ticket is pseudorandomly called to vote, or until it expires after around 142 days. This introduces an opportunity cost for PoS, intended to ensure that PoS voters have skin in the game and act in the network’s best interests.
PoS participants (also referred to as voters or stakeholders) have three distinct roles to play: block voting, voting on changes to the consensus rules, and voting on project level management using the Politeia Proposal System. The first of these, “block voting,” is the way in which PoS voters engage most directly in maintaining consensus.
Voting on blocks
When a PoW miner finds a valid block, they broadcast it on the network, but in order for that block to be considered valid, it must include votes by at least 3 of 5 randomly selected tickets. PoS voters keep wallets open and ready to respond with votes when their tickets are called (or they engage Voting Service Providers to do this on their behalf). When a PoS ticket is called to vote and responds, its owner receives a reward.
When tickets are called, they vote to accept or reject the regular transactions of the previous block. Nodes on the network will not recognize a new block as valid until it includes at least 3 votes. If a majority of the tickets called to vote reject the previous block’s transactions, then they are returned to the mempool. These regular transactions include the PoW miner’s reward, but not the PoS voters’ reward.
Therefore, PoS voters have the power to strip rewards from miners without affecting their own rewards. This limits the power of PoW miners to veto changes to the network’s consensus rules, which are voted by the stakeholders. In fact, PoS voters can reject any kind of miner behavior that they dislike by adopting a policy of voting “no” when malicious or inefficient behavior is detected - preventing bad PoW miners from writing transactions and receiving rewards.
This PoS verification layer significantly boosts the network’s security and resistance to majority attacks. The common method of conducting a majority double spend attack is to rewrite the blockchain by mining an alternative chain in secret then releasing it after a certain period of time and taking advantage of the nullification of transactions in the “old” chain (i.e., by double spending their inputs). As Decred blocks require input from randomly selected tickets to be considered valid and cannot be built on by PoW miners until they have received this input, it is not possible for PoW miners to mine in secret unless they also control a significant proportion of the live tickets (see these articles).
The hybrid PoW/PoS design significantly increases the costs of attacking the network because there are two distinct systems which must be circumvented by an attacker. The PoS component, in particular, is configured such that tickets can only be acquired quite slowly. A limited number of tickets can be bought in each block/interval, and buying the maximum number causes the price to increase sharply. Additionally, once these tickets have been purchased, the funds used to buy them will be time-locked, leaving an attacker exposed to any devaluation of their locked coins that occurred as a result of an attack.
The requirement that each block is voted on by randomly selected stakeholders means that the blockchain must be shared with all participants as it is mined, enhancing the network’s security. Decred’s hybrid system has been designed to also grant stakeholders power over the PoW miners.
Consensus change voting
Decred decided at its outset to make PoS stakeholders the dominant decision-making force in the blockchain’s governance. Written into the consensus rules is an upgrade ratification procedure through which any change to the network’s consensus rules can only be deployed once it has passed through a voting process. Changes can only be made if approved by at least 75% of the voting tickets. This process begins once a certain proportion of miners (95%) and voters (75%) are running upgraded software with latent changes to the rules. If the proposal has 75% support after a 4 week voting period it is accepted, otherwise, it is rejected, and if it does not have either supermajority, a re-vote begins. If a proposal is accepted the rule change activates one month later.
Project management: Politeia
Decred’s block rewards are split between PoW miners (60%), PoS voters (30%), and a Treasury (10%) to fund development of open source software that furthers the project’s aims. Ticket holders have sovereignty to vote on how this fund should be spent what features should be added, and to determine policy through the Politeia platform.
As PoS voters receive 30% of the block reward, they cannot maintain their relative share of circulating DCR simply by staking. The majority of newly minted DCR goes to PoW miners in exchange for the role they play in securing the network and mitigating the “nothing at stake” problem of pure PoS systems. Miners would typically have to sell a significant portion of the rewards they receive to meet their operational costs, ensuring that a fair supply of DCR is available in the market.
Decred’s blockchain presents unique architecture and is one of the most notable examples of a hybrid PoW/PoS system. In the same way that projects with PoS consensus are a general grouping with significant variations within, future projects which deploy hybrid PoW/PoS approaches will also be unique and will not necessarily follow the Decred framework.