The Economic Limits of Permissionless Consensus

A recent paper on The Economic Limits of Permissionless Consensus (2024) by Eric Budish, Andrew Lewis-Pye and Tim Roughgarden makes incorrect claims about cost-of-attack limits in permissionless consensus mechanisms.

This post assumes readers understand how routing work (10 minute read) functions. It explains how this approach imposes asymmetrical losses on attackers who control at least 50% of network resources, achieving the “economically-expensive in the absence of collapse” (EAAC) property the above authors incorrectly claim is theoretically unattainable.

Cost-of-Attack comes from ATR Payout

Consider the case of two block producers who each control 50% of network resources. As required by routing work, both X and Y burn tokens to produce blocks and then burn hashpower to unburn their tokens and distribute them to network participants.

Because 25% of every solved block flows into a treasury that funds the “ATR payout”, and because this payout flows to holders of the oldest unspent UTXO, it follows that any block producer creating a stealth fork using their own tokens will push the balance of all future ATR payouts asymmetrically away from itself in perpetuity.

No Consistency Violation Without Payment

This tax is not symmetrical to non-attackers, because it only bites in the event of a successful consistency violation and that depends on who produced the last pre-fork block. If Y produced this block, no honest participant or observer is disturbed from their preference for the honest chain. If X produced this block, then Y will trigger a consistency violation when it releases its chain and assume its asymmetrical losses at the same time.

The only situation in which Y can trigger a consistency violation otherwise is if it spends its own money to speed-up the pace of its stealth-chain by creating “fake transactions” which nonetheless pay real fees. But including these self-generated transactions necessarily adds more asymmetrical losses for Y since a greater portion of Y’s wallet is now distributed to X via the ATR mechanism.

Can’t Y include the same transactions as X?

It is true that Y can theoretically avoid the ATR Penalty by including in its blocks the same transactions that X is using to extend its chain. This tactic keeps the balance of unspent UTXO between X and Y symmetrical and prevents Y ceding asymmetrical claims on future ATR payouts to X.

There are problems here that become self-evident as one gains an understanding of routing work. The first is that honest nodes maximize their income by not sharing transactions to which they have exclusive access with peers. So X cannot be expected to give free routing work to Y if they have equal access to transaction inflows. And Y cannot extract these transactions from X’s blocks without the cryptographic signatures X needs to provide to authorize the transfer.

Making matters worse for the attacker, even if X irrationally feeds its transactions to Y, as soon as Y adds these second-hop transactions to its blocks their inclusion makes X eligible to win the routing payout on Y’s chain. This creates a second cost-sink for Y unless it finds more hashpower to brute-force the payout lottery, which also requires majority control of network resources and a willingness to hash at a loss.

We also remind readers that the consensus layer has the informational ability to penalize attackers irregardless, since the fall in the efficiency of fee-inclusion created by disappearance of X or Y is visible to the consensus layer. This efficiency-drop becomes observable because unless Y controls 100% of first-hop routing work, its fork must either lower fee-throughput or increase routing-path length to generate a competitive chain. And consensus can punish this loss of efficiency by throttling payouts (adding a discretionary burn) which targets the routing and mining payouts and harms the block producer.

Closing Thoughts:

It is unclear if the failure of these authors to correctly characterize this problem space or its limits is a result of their being uninformed about modern techniques in distributed consensus or if they are simply constrained by the belief that these issues are unsolvable and focused on trying to universalize the limitations of proof-of-stake.

Whatever the reason, the conclusions of the paper are incorrect – the real limits of economic security are much higher than its authors imagine for reasons and through mechanisms they do not consider.