Why I dread the Merge, and why you should too

When Ethereum debuted I was a fan. I put money in The DAO expecting to lose (after all, more things could fail than succeed!) and was fascinated to watch the unfolding hack and fork.

While that fork was low risk and only contentious on philosophical grounds, it sparked a schism in the community. We survived it and the ecosystem is flourishing. Now, as we near another serious fork that is not sparked by necessity, I am not excited. The upcoming fork is motivated with two assumptions: that PoW is inefficient, and that it is slow, and so must be replaced with something that provides cheaper security and is faster. You might say, “Surely, you don’t mean to say it’s an assumption? How can something so energy hungry and with 15s block times (not fast enough for payments) not be improved??”

Over the past few years I have convinced myself of two things:

1. That PoW is the most secure consensus protocol possible, because it introduces a measure of security that is fundamental to the concept of security itself. When the situation is considered in the context of reality, there is no simple mechanism in nature that would require less energy to defend than to attack, which suggests that any proposal that makes such a claim is not likely to be correct.
2. That PoW is the fastest consensus protocol possible, because it does not require voting or any form of chatter around the agreement. Any limitation on speed stems purely from physical limitations of latency and the community’s appetite for storing the transaction history.

For point 1 I have even asked Vitalik to weigh in, and he has. He proposed that hide and seek is a simple game where it costs less to defend than to attack. This is not true, since a hider must also be active and activity (communication or physical) reveals position. An inactive hider is a dead hider. To put it in more base terms, in the realm of security the map is the territory and no trickery or violence is off the table.

For point 2 I hope the argument is easier to understand. See point 2 below.

Both points are explained in two articles:

1. On security: https://medium.com/coinmonks/blockchain-myth-5-proof-of-work-wastes-energy-a848000aea9a
   Read just the TLDR to get the picture.
2. On speed: https://medium.com/@brrabski/blockchain-myth-6-proof-of-work-is-slow-8f0a4e0bca2b

I was encouraged to post this by someone. I do not expect to be able to change the minds of everyone here… Most of you are probably staking, which puts you at a conflict of interest in taking an objective look. This post is to warn of the inevitable and perhaps help explain, when things inevitably will not turn out as expected.

Feel free to challenge the propositions on their merits. Many have tried.

Interesting points. I hope to hear some rebuttals. Do you think blockchains can scale to 500k tps with sharding and starks? If not why?

Thanks for replying. It’s an uphill battle to get engagement on this, because so many people have effectively painted themselves into a corner by depositing large sums into the staking contract. This essentially guarantees that they puke if the merge doesn’t move forward.

Blockchains will scale via L2, because that’s the only possibility.

One aspect of ZK that is a dirty little secret that no one seems to like to mention is that it is computationally difficult to generate proofs, and so to do anything complex you’ll need a small cpu farm to construct the proof (transaction) in reasonable time.

Read myth 2 in the series on how blockchains complement (but not replace) other computing architectures.

Have you tried zk tech out and generated some proofs? You can for example try zcash or tornado cash to see how you can generate proofs with just your laptop. You can also write your own circuits with Circom to see how fast you can prove them. The runtimes are not insane.

I have tried zcash at launch and I appreciate there are now faster implementations, but it’s not so much that they’re faster now, it’s that creating transactions (proofs) is slow in principle, and so if someone wants to run lots of them it will necessarily cost a lot in CPU power. Transactions will always fill all available space and applications need to be built with that in mind.

It will work fine. Two more testnets ? excellent. What is the stress about… on PoW

smh… cling on to it like Bitcoin maxis and see what happens. Bitcoin needs PoW but doesn’t need to send a lot on L1. Bitcoin will be fine.

ETH will get FSS from ChainLink later in the year and could stay PoW but traffic will simply follow the rule of free market capitalism. ETH1 is already obsolete by so far. Are you actually serious…

Blockchains can already scale infinitely wake tf up pls… its just the team have no options while stuck on POW at the mercy of angry miners.

I suspect you just want to keep mining now that I am about to say…

sayonara

What about keeping a private key private? Once you’ve created your private key and announced the public key the cost of attack is vastly superior than the cost of defense, wouldn’t you say?

And if this doesn’t fall in the category of simple mechanism, I’d be interested in the arguments you make to say that PoS is a simple mechanism.

Otherwise, great points, always nice to confront ideas.

Thanks for posting this, it is always good to have all the point of views and discuss them openly. Honestly, I believe the merge will be absolutely amazing and POS and POW will coexist in the future, so either would be smhw fine. However, in a crowded market, where people don’t care about the chain, and only about the UX, they will be channeled towards more efficient, maybe less decentralized systems, AUTOMATICALLY!

I hate to see supporters of the merge post aggressive comments against your post, it kind of makes me affraid and doubt about the merge being a good thing ;)… But anyway, imagine the future “online banking” app, connected to all L1 and routing automatically all orders through the fastes, most efficient, most stable and secure “network (eth, avax, cosmos, dot etc…)” - The algo won’t care about POW being the most secure etc… If POW doesn’t provide the best user experience…

So even with POW, ETH may stay competitive, for a certain tranche of the users, however without being selfish, ETH should go to the merge and increase their user experience for everyone, to continue in its original spirit of inclusion, decentralization and innovation.

All the best.

Private keys are subject to the $5 wrench attack. Very low energy to get at it unless it’s guarded with substantial force (private or state-supplied).
The key insight is that actual security cannot be modelled, because it’s based in reality itself. A model assumes that no tricks can be played. Not so in reality, where no holds are barred.

I hate to see supporters of the merge post aggressive comments against your post, it kind of makes me affraid and doubt about the merge being a good thing

This is worth considering. If every pro-merge believer put their ETH in a smart contract that has no withdraw function, how could they be expected to objectively evaluate if the merge might be unnecessary or harmful? Wouldn’t they be incentivised to protect their “deposit,” even if it hurts the space as a whole?

I would prefer the OP approach to prevail in the future. Theoretically it’s infeasible for ZK approach to scale for general purpose computation. However, Optimistic team itself might not be able to.

I agree with many of your points. Sort of disagree that scaling is only feasible via L2s. We’re building Quai Network (https://quai.network) via sharded merged mined chains and the research done in the BlockReduce paper https://arxiv.org/pdf/2112.11072.pdf

Ultimately many PoS systems will succumb to KYC and AML restrictions at the block production level which will hinder the true use cases of cryptocurrencies / a lot of the ethos it is meant to represent.

Really? What has lead you to this conclusion that KYC will be inevitable?

I don’t think this is correct – the attacker is also revealing their position while actively searching, this aspect of the game provides no benefit to either the attacker or the defender if one assumes no holds are barred, which just leaves the fact that the attacker must search all available hiding spaces (i.e. anything not in view) while the defender merely needs to find one new hiding space periodically. If you want a real life example of this playing out, read about Carlos Hathcock sniping an NVA General: Carlos Hathcock | Military Wiki | Fandom

I think this needs to be clarified a little more, as the article cited later in your post posits that the block must be difficult enough to find that only a few competing blocks at most can be found per cycle which leads to multiple block confirmation times, i.e. delayed consensus of the state of the chain. “Chatter” about block validity is certainly faster than waiting for multiple difficult to find blocks.