Ethereum’s security model changes when moving from proof of work to proof of stake. Consequently the incentives and monetary policy required also change.
Both models assume nodes exist as the last line of defence (social coordination), and block producers produce blocks with transactions - this is miners in PoW and validators in PoS.
Why are incentives needed?
Here are possible ways Ethereum can be attacked:
Bug - resolving a protocol-level bug necessarily requires a hard fork that needs to be accepted by everyone who is running a node. Typically, developers of one of the clients will work on a fix, publish a hard fork, and then everyone who runs nodes needs to come to consensus on the fact this is the chain they’ll use, not the one with the bug. Incentives are not relevant here. Chances of this situation should be minimised as much as possible by writing correct code from the very beginning.
Invalid state transition - For instance, minting an arbitrary amount of ETH in someone’s pocket, or moving coins from one person’s pocket to another without a signed transaction for it. Blocks that contain such transactions will automatically get rejected by nodes. Incentives are not relevant here. Nodes are anyway not paid anything for this work of validating blocks or for social coordination on forks. The assumption is that they will do it because they’re altruistic or because they have money on the chain which they will otherwise lose if malicious block producers try to steal.
Double-spend - A double-spend involves first producing a block that contains a signed transaction from A to B. Then instead of continuing on top of that chain, the block producer goes back to an older block and produces a block on top with the same coins being sent from A to C instead. This is profitable because B might have already paid A some other off-chain resource (say a house or dollars or cryptocurrency on a different chain) in return for the coins. A now gets to keep both the offchain resource and the on-chain coins. Incentives are relevant here. Block producers should have some incentive to not do this.
Time-bandit attacks - In the vein of double-spends, there are various other benefits from being able to revert other people’s transactions. A significant amount of MEV could be extracted. For instance if someone sold XYZ on Uniswap, you could now sell your XYZ before they do. You could delay or block oracle updates, which in turn could allow you to profit from liquidations or derivatives. If someone successfully hacked a DeFi protocol, you could revert their transaction, and then create the hack transaction as if you were the hacker. Currently, this ability only exists within a block, but the profit available from being able to revert multiple blocks significantly exceeds this. Incentives are relevant here.
Censorship - Block producers may simply refuse to add certain people’s transactions to the chain. The incentive to include everyone’s transactions is primarily their transaction fees, but there could exist off-chain incentives or penalties for censoring. For instance a government may have demanded that you censor certain transactions, with threat of prison or additional rewards. Decentralising block producers helps ensure no critical mass of validators (typically 25% or 33%) is interested in censoring transactions in response to off-chain pressures. Incentives are relevant here.
All the attacks above require a significant fraction of block producers (25% or 33% or 51% or 66%) coordinating to perform the attack and split profits from it.
All attacks can be paired with the block producer shorting ETH, potentially with leverage and with time value (buying puts), so that they can come out net profitable after the attack. This requires an exchange that will recognise such gains as legitimate, as well as sufficiently liquid markets.
Nodes as backstop for block reorgs
In attacks that revert transactions (double-spend and time-bandit), nodes can still help act as the final backstop. For instance if a block producer attempts a time-bandit attack over 2 weeks, nodes can come to consensus to simply reject this new chain and continue with the old one, even though it’s shorter (in proof of work) or is less validated now (in proof of stake).
With proof of work chains, this relies on loose social consensus and can be a point of much division. Several bitcoin proponents would prefer the longest chain even if it reverts months or years of previous transactions. Such a chain remaining dominant in price and activity would likely make a double-spend attack profitable. Others however would take the sane route of rejecting the deep reorg and continuing on the older but shorter chain. Such a chain retaining price and activity will make the double-spend unprofitable.
With proof of stake (eth2’s Casper FFG to be specific), this social convention to reject deep block reorganisations is baked into the protocol. Under normal operation, blocks are finalised after 2 epochs, where each epoch is 6.4 minutes. This very significantly reduces the value that can be obtained from double-spending, censorship or time-bandit attacks. Some value can still be extracted by reverting transactions within the 2 epochs. More importantly it is possible for > 33% of validators to force the chain into a non-finalised state, from which recovering can take more than 12.8 minutes.
While nodes can help recover from a non-finalised state, this cannot be consistently relied on. Perhaps once or twice they will help with recovery, but ultimately incentives need to be finetuned such that non-finalised state is never reached and the protocol is stable.
Nodes as backstop for censorship
There is yet to be consensus on what, if anything, nodes will do if they observe a block producer involved in censorship. There are some ideological considerations here because censorship can only be said to exist with reference to a mempool, and reaching consensus over who a censoring actor is requires reaching consensus on a single mempool.
Under proof of work, transactors will likely increase the fees they pay to avoid censorship, which increases the opportunity cost of miners. Non-censoring miners will increase the difficulty of the chain while still remaining in profit, which will force censoring miners to operate at a loss. If censoring miners are in majority hashpower, they have complete control over censorship because they can orphan any blocks produced by other miners. Nodes could help come to consensus on one chain; again, this will be a focal point of division in proof of work chains such as bitcoin.
Under ethereum’s proof of stake, validators will miss out on fees if they censor transactions; however, they may still operate at a net profit (it depends). Nodes could come to consensus to slash validators involved in such behaviour; whether they should, and how, is again an open question.
Why staking rewards?
More specifically, the following are what need to be incentivised. With some caveats, my personal opinion is that their importance is in decreasing order of this list.
Chain is secure - Block reorgs (be it due to double-spends or time bandit attacks) should not consistently occur. Ideally they should never occur or be profitable.
Validator’s computation and maintenance costs are compensated - Validators need to ideally be compensated for computation and maintenance costs.
Delegation is minimised - Delegation occurs when one user (or exchange or pool) stakes ETH on behalf of another user. Delegation is bad because it relies on off-chain incentives to be secure. If Stakefish (or Binance or any other such provider) stakes ETH on their users’ behalf and attempts an attack with it, they have less to lose because the ETH does not belong to them. This actor may still have more to lose because of off-chain incentives and penalties such as the fact they may end up in prison. However, blockchains currently attempt to minimise reliance on such incentives - that is one of the primary reasons blockchains exist in the first place. If it is impossible to avoid delegation altogether, delegation should preferably be decentralised. This could be peer-to-peer or through a DAO.
Monetary policy is ideal for ETH holders - ETH holders may have a preference for an inflationary policy, a deflationary one or a fixed supply one. A “store of value” asset can belong to any of the three categories, depending on one’s long-term goal for it (does it replace fiat or not?) and their opinion on what monetary policy is good for the ethereum ecosystem and the broader economy. A revenue-generating asset will likely be deflationary because buying and burning ETH is the easiest way to distribute revenue to holders. Current sentiment seems to be in favour of a deflationary asset as it satisfies multiple ideologies.
Current monetary policy
Current ethereum in circulation is roughly 116 million.
Annual issuance as a percentage of supply is increased when more validators join, presumably under the assumption that more validators is always better for the network.
Assuming 100 million ETH (almost the entire circulating supply) is staked we get a maximum issuance of 1.81% annual, leading to a 1.7% annual yield for validators.
ETH is being issued for validators on the PoS chain (as per above policy) and for miners on the PoW chain (currently set at 2 ETH per block and 1.75 ETH per uncle). Transaction fees and MEV are also extracted primarily by miners.
ETH is being issued for validators on the PoS chain and miners on the PoW chain. A significant fraction of transaction fees will be burned as per EIP1559, benefitting ETH holders. The remaining transaction fees are captured by miners, as is all MEV.
ETH will be issued for validators on the PoS chain. Transaction fees burned as per EIP1559 benefit ETH holders. The remaining transaction fees and MEV go to validators.
How to set monetary policy
Monetary policy must be set so that it is optimal for this final state (post-merge), and try to ensure a smooth transition to reach this phase.
Profit obtainable from attacking the network is somewhat measurable. Issuance needs to be sufficient so that the ETH staked significantly exceeds this. It is important to note that security of the network primarily comes from the total ETH staked, and not just from the rewards obtained by validators, because it is the ETH that will be slashed for malicious behaviour. A high percentage of ETH supply being solo staked but earning a low yield is good for network security, because all this ETH will be slashed in-protocol if an attack is attempted.
However we do need to increase rewards if we want to increase the amount of ETH being staked, in equilibrium. Many actors will be yield-sensitive. Yield in equilibrium will dictate how much ETH is staked, for a given amount of staking rewards.
Compare to PoW
Let’s compare this to the current scenario under proof of work. Currently about 13500 ETH per day is being issued, amounting to an annual issuance of 5% (5 million ETH annual). Miners have both capital expenses (hardware) and operational expenses (electricity). GPUs last for 3-5 years, whereas operational expenses are paid on the go, or pre-paid for short durations such as 3-6 months.
Assuming miners are not too profitable, we can assume they spent some fraction of 20 million ETH 3 years ago to earn this 5 million ETH annually for the 3-5 years their hardware is expected to last. This is of course a very imprecise estimate.
What we do know is that a combination of the following factors was a sufficient deterrent against any attacks.
Loss of block rewards (5 million ETH annual rewards, a lot of which is burnt via hardware and electricity)
Threat of hashing algorithm change (which essentially burns the hardware, unless the GPUs can also be used for other purposes).
In proof of stake, the most significant threat is not loss of rewards, but the burn via slashing of staked ETH.
Is more ETH staked always good?
This is a complex question. Here I offer my personal opinion.
Assuming all ETH that is staked is solo staked (staked by individuals who own the assets and control all keys), the graph for network security looks as follows. If the amount staked is much less than the total value that can be stolen (via time-bandit and double-spend), then security is very low. On the other hand, if the amount staked is higher than this amount, then the security is very high. Hence we get a critical point.
Looking at miners for the PoW chain we could assume 10% of supply being staked as sufficient. There is of course a possibility that situations change and new analyses need to be done. MEV obtainable from time-bandits is growing rapidly as DeFi activity grows.
We now also need to contend with delegation. If more ETH staked leads to a higher fraction of that staked ETH being delegated, then more ETH staked isn’t always good. Instead there is a maximum for the percentage of supply we should aim to have staked, above which the protocol suffers from excessive delegation. If more ETH staked does not lead to a higher fraction of that staked ETH being delegated, then more ETH staked is always better.
I am personally of the opinion, albeit weak, that increasing staked ETH beyond a point increases the fraction that is delegated due to the ETH of more lazy and non-technical actors getting involved. And that therefore we should aim for total stake somewhere around 5-10% of the ETH supply. How much staking rewards are needed to maintain this is an open question.
Political actors (non-delegated)
There will be a certain group of ETH holders who are technically inclined and politically motivated who will always prefer not delegating if they can earn the same yield via solo staking. I feel the existence of this group is largely invariant to whatever the yield actually is, however this is where I’m quite unsure. Whether such a group owns anywhere close to 10% of the ETH supply is also an open question.
Non-political but technical actors (non-delegated)
Non-political actors will still prefer solo staking if the inconvenience of learning how to do so is less than the counterparty risk incurred via delegation. This fraction of users is likely small, but could still include institutions and whales owning ETH.
Non-political, non-technical actors (delegated)
This group will prefer delegation if the yield exceeds counterparty risk. If it doesn’t, they simply won’t stake. We hence get an equilibrium of yield reaching quite close to counterparty risk.
Counterparty risk for centralised exchanges is estimated at around 5-30% annually depending on the counterparty. It is possible that tighter legal agreements and backing can get the counterparty risk to below even 5% annually. Hence equilibrium yield for staking should near this value of say 5%.
Also one must note that the amounts of ETH being staked are huge, and therefore it’s unlikely that insurance will fully cover even a fraction of it, even at a premium.
Hedged actors (non-delegated)
It is likely that some portion of ETH staked will be hedged. More specifically, users will use non-ETH collateral (likely stablecoins and fiat) to borrow ETH against, and stake that. USD will be the dominant collateral for such operations. Risk-free USD yields are currently near 0%. DeFi yields on USD may not scale to tens (or hundreds) of billions of dollars, making such borrow and stake operations the primary way to earn yield on USD.
USD is available in near-infinite supply, and it is possible stablecoins will be minted to meet this demand. However, such operations still require upfront capital to borrow against. Hence this group of actors too is non-delegated. It might still be a significant group in comparison to those who stake their own ETH directly. ETH lenders indirectly get yield, though they are detached from the staking process. If that ETH gets slashed, lenders are still safe assuming USD can be liquidated for ETH.
There is no way to block such lending or hedging in the protocol.
Transaction fees and MEV
A large fraction of transaction fees will be burned, post EIP1559. The remaining will go to validators. This remaining amount could help maintain a certain fraction of the ETH supply as staked, while reducing the staking rewards needed. Transaction fees are rapidly increasing and are now comparable to even the block rewards.
MEV too goes to validators, however, this is undesirable. Long-term we should aim to reduce MEV if possible. To the extent that it is not possible, MEV too could help pay validators and reduce staking rewards needed. If DeFi activity moves to L2 scaling solutions, it is possible that MEV is captured primarily by L2 block producers, instead of L1.
Transaction fees and MEV are both unstable, and it would be ideal not to rely on them too much. One could, however, set an algorithmic policy for staking rewards that depends on transaction fees burnt over a long duration of time. This could enable the chain to remain net deflationary.
If we need to accept that some level of delegation is inevitable, we need to decentralise this delegation as much as possible. Delegating to Binance, or to 5 top staking providers is not an ideal solution. However, the current distribution indicated Kraken and Binance in the lead. Coinbase is popular too but missing from this chart.
Reasonable solutions include peer-to-peer delegation and peer-to-pool delegation.
Peer-to-peer delegation may arguably be safest for those who can afford it, while maintaining some level of political decentralisation. A legal contract between you and your staker friend might be as enforceable as your legal contract with Coinbase, however you are also protected by some trust you may place in your friend. How much capital can enter such peer-to-peer delegation arrangements is unknown.
Lido is the pioneering peer-to-pool staking solution, where all ETH staked goes through a pool, which in turn goes to multiple independent staking providers. Currently Lido interfaces with 9 different staking providers; it is possible for this set to be increased.
Right to withdraw for existing deposits is managed by a threshold signature (the eth2 equivalent of a multisig) by the staking providers. There is a plan to enable “trustless withdrawal” for newer deposits (described later).
Various other staking pools also exist, a list could be found here. Some pools have attempted insurance, however it is unlikely this insurance scales to any significant fraction of the ETH supply.
Rocketpool is aiming for a solution where validators too need to provide some ETH, instead of being trusted purely due to off-chain incentives such as the legal system. This scales by a constant factor in terms of capital consumed. For instance if politically and technically motivated solo stakers own only 1% of the ETH supply, they can additionally accept delegation for another 1% of the ETH supply. Each validator essentially stakes 16 ETH of their own as well as 16 ETH of the pool. Deposits will have trustless withdrawal.
Withdrawal key ownership
Staking ETH is done using a signing key for each validator, and withdrawal credentials. The owner of the ETH should ideally retain the withdrawal credentials, while the validator delegated to uses the signing keys. Pools such as Stakefish, Stakewise and Bloxstaking allow users to keep their withdrawal keys. However, this only works when users provide 32 ETH. If multiple users want to pool their ETH and provide it to the validator, this model no longer works.
In this case the withdrawals can be controlled via the individual validators, via a threshold signature that represents majority vote of all the validators, or via trustless withdrawals as explained below.
Trustless withdrawals have been committed to, as per 0x01. This allows validators to specify a withdrawal address, and then withdrawals to only this address are possible. This prevents delegatees from stealing the ETH by directly withdrawing to their own address.
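A check a delegator or pool can run on a validator's deposit data before funding it, as an added example that is not part of the original post: it parses the 32-byte withdrawal credentials and confirms that a 0x01 value is bound to the expected address. The byte layouts follow the consensus spec (0x00: hash of a BLS key; 0x01: 11 zero bytes, then a 20-byte address); the function names and all sample addresses and keys are constructed for illustration.

```python
import hashlib

BLS_PREFIX = 0x00      # commits to SHA-256 of a BLS withdrawal public key
ADDRESS_PREFIX = 0x01  # commits to a 20-byte execution-layer address


def bls_credentials(withdrawal_pubkey: bytes) -> bytes:
    """0x00 form: prefix byte + last 31 bytes of SHA-256(pubkey)."""
    if len(withdrawal_pubkey) != 48:
        raise ValueError("BLS public key must be 48 bytes")
    return bytes([BLS_PREFIX]) + hashlib.sha256(withdrawal_pubkey).digest()[1:]


def address_credentials(address: bytes) -> bytes:
    """0x01 form: prefix byte + 11 zero bytes + 20-byte address."""
    if len(address) != 20:
        raise ValueError("address must be 20 bytes")
    return bytes([ADDRESS_PREFIX]) + bytes(11) + address


def parse_credentials(hex_value: str) -> tuple:
    """Return (kind, payload) or raise ValueError on a malformed value."""
    text = hex_value[2:] if hex_value.startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) != 32:
        raise ValueError("withdrawal credentials must be 32 bytes")
    if raw[0] == BLS_PREFIX:
        return ("bls", raw[1:])
    if raw[0] == ADDRESS_PREFIX:
        # The spec format requires zero padding; treat anything else as malformed.
        if raw[1:12] != bytes(11):
            raise ValueError("non-zero padding in 0x01 credentials")
        return ("address", raw[12:])
    raise ValueError("unknown prefix 0x%02x" % raw[0])


def audit_deposit(credentials_hex: str, expected_address: bytes) -> str:
    """Verdict a delegator can act on before funding a validator."""
    try:
        kind, payload = parse_credentials(credentials_hex)
    except ValueError as err:
        return "reject: " + str(err)
    if kind == "bls":
        # Whoever holds the BLS withdrawal key controls the funds; the
        # credentials alone do not show who that is.
        return "review: key-based (0x00), withdrawal depends on key holder"
    if payload != expected_address:
        return "reject: withdraws to 0x" + payload.hex()
    return "ok: withdraws to expected address"


# Constructed sample values (not real addresses or keys).
POOL_CONTRACT = bytes.fromhex("11" * 20)
OPERATOR_WALLET = bytes.fromhex("22" * 20)
OPERATOR_BLS_KEY = bytes(range(48))

SAMPLE_DEPOSITS = {
    "pool-bound": address_credentials(POOL_CONTRACT).hex(),
    "operator-bound": address_credentials(OPERATOR_WALLET).hex(),
    "key-based": bls_credentials(OPERATOR_BLS_KEY).hex(),
    "bad-padding": "01" + "ff" * 11 + "11" * 20,
    "truncated": "01" + "00" * 11,
}

if __name__ == "__main__":
    for name, cred in SAMPLE_DEPOSITS.items():
        print(name, "->", audit_deposit(cred, POOL_CONTRACT))
```

Only the "pool-bound" sample passes; the operator-bound and malformed values are rejected, and the 0x00 value is flagged because control of the funds then rests with whoever holds the BLS withdrawal key.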
Ransom attacks may still be possible, where a validator threatens to get the ETH slashed unless some amount of those assets are returned. This is a war of attrition. It could still be trustless since a smart contract can be written to check whether the ransom has been paid, and release assets accordingly. It is possible that DAOs will be good negotiators and simply refuse to concede to any such demands made by individual validators belonging to the DAO. This in turn disincentivises validators from demanding such ransoms in the first place.
Vitalik has made a post to enable some level of in-protocol delegation. This provides a narrow window of time where a user can revoke delegation to someone else acting maliciously with their ETH, before the validator gets it all slashed.
There exists significant capital lockup until the Merge as assets cannot be withdrawn for technical reasons. This is a significant centralisation pressure because it means popular pools can create tokenised positions that represent staked ETH. Liquidity will be provided, allowing users to prematurely exit their positions. Solo stakers or smaller delegation arrangements will not get such liquidity.
The existence of a validator activation queue could mean lockup for entry and exit even after the Merge. Ryan Berckmans has a great tweet thread on this. Changes to this queue may be made after the Merge to reduce capital lockup. A lockup in excess of 2 weeks (the weak subjectivity period, when checkpoints are made) is unnecessary for the protocol as any accountability that needs to be maintained beyond 2 weeks anyway requires a hard fork.
Optimal monetary policy for eth2 is complex and depends on various incentives that are hard to control for - such as MEV obtainable from time-bandits, and liquid ETH derivative markets. There is also a careful balance to be made between having a sufficient security budget, and attempting to minimise delegation to a few centralised institutions. Centralisation is naturally bad firstly because it is not trustless, but perhaps just as importantly because it could lead to regulatory capture of the chain by for-profit institutions and state-level actors.
ETH 2.0 has so far not done a sufficient job analysing these incentives, but it will soon have to.