We propose a modern implementation of proof-of-burn for use as a work-free fork resolution (“consensus”) system that is resistant to 51% attacks without the need for slashing conditions while also mitigating the “exchange attack.” The end result of our implementation is a consensus system more decentralized than proof-of-work and more efficient than proof-of-stake. We conceive of this consensus system implemented as a set of in-band upgradeable modular smart contracts with system level privileges (“system contract”). This means that any parameter or component of the consensus system can be modified without a hard fork.
The mental model at the core of Bitcoin is the idea of the “electronic coin” secured by digital signatures stored on a public ledger along with a decentralized timestamp implemented using a proof-of-work system doubling as a governance system.
Satoshi did not invent the idea of the “electronic coin.” Satoshi created an elegant system for combining cryptography with economics to use electronic coins (now called “tokens” and “cryptocurrencies”) as incentives to solve computer networking problems that algorithms alone cannot solve. In other words, the innovation was token economic in nature.
Satoshi’s design forced people to sacrifice capital as proven by the evidence of meaningless computational work (proof-of-work) in order to produce blocks of transactions and alter the database.
The real innovation in Bitcoin (and all proof-of-work blockchains) is an elegant system that forces people who produce blocks (or “block producers”) to provably spend money up front on hardware and then continue spending money to run that hardware just so they can earn enough rewards over time to recoup their costs.
Satoshi wanted people to mine Bitcoins with spare cycles on PCs they already used for other purposes, rather than buying dedicated mining equipment. But that equipment must still have been purchased at some point, and the ongoing consumption of surplus computational resources constitutes an ongoing commitment of skin-in-the-game. The more important point is that the original intent behind Bitcoin was far more focused on accessibility than the current narrative would indicate.
This approach makes mounting a 51% attack on the network prohibitively expensive because the attacker would need to acquire more hardware than is being non-maliciously used to run the network and run that hardware. In other words, the level of security is proportionate to the computational cost of running the network. Inefficiency is a feature not a bug, which is not ideal if you’re trying to build an efficient decentralized computer.
Proof-of-stake was first proposed in 2011 by Bitcointalk forum member QuantumMechanic as a less costly (for the miner) alternative to proof-of-work.
“I’m wondering if as bitcoins become more widely distributed, whether a transition from a proof-of-work based system to a proof-of-stake one might happen. What I mean by proof-of-stake is that instead of your “vote” on the accepted transaction history being weighted by the share of computing resources you bring to the network, it’s weighted by the number of bitcoins you can prove you own, using your private keys.”
The appeal of proof-of-stake is not difficult to understand. Proof-of-work is a great way to bootstrap a pseudonymous digital currency in a provably fair and open way, but once the bootstrapping phase is complete, the holders of this valuable currency find themselves having to exchange the fruits of their labor–that valuable currency–for an external currency to purchase capital equipment and energy just to maintain their system.
Proof-of-stake (PoS) is an effective means of increasing the profit margins of miners while allowing them to maintain control of the network, but it decreases network security because the malicious actor no longer needs to “burn” their money to acquire and run a large amount of hardware to mount an attack. The attacker need only acquire 51% of the base currency of the platform and stake it to take control of the network.
To thwart this attack, PoS systems must implement additional systems to take back, or “slash,” the block rewards of a validator who is found to have produced irreversible blocks on a “losing” chain (“slashing conditions”). If someone acquires 49% of the token supply (<51%) and uses that stake to produce blocks on a losing fork, they will lose their staked tokens on the main chain.
These are complicated systems designed to “claw back” block rewards from user accounts, which adds to the computational overhead of the network while raising legitimate ethical concerns (“Is it my money if it can be slashed?”). They also only work if the attacker fails to acquire 51% of the token supply. This is especially problematic in a world with centralized exchanges that feature custodial staking. This means it is entirely possible for a small number of exchanges to find themselves in control of over 51% of a given token supply without having incurred any risk, making the cost of an attack de minimis. In fact, this has already happened in recent history on one of the most used blockchains in the world, at one time valued at nearly $2 billion: Steem.
An excellent history of that event was written by Tim Copeland and can be found here. The important details for our purposes, according to that account, are that the funds held by 3 exchanges were successfully used to acquire 51% control of a major blockchain.
Taking the most charitable perspective of all participants, it simply cost all of these entities very little to take control of the chain because they had acquired large stakes at very low cost. In fact, centralized exchanges are literally paid to accumulate large stakes because their purpose is to function as centralized custodians of tokens. While it might be tempting to think that slashing disincentivizes exchanges from operating in this manner, if they were able to collude and control 51% of a blockchain, then there is no slashing force able to stop them. Perhaps minority (yet legitimate) block producers could choose to disregard a majority chain for external reasons, but it seems far more likely to lead to an Ethereum Classic style fork than an actual punishment to the exchanges for taking control of a blockchain.
Delegated Proof-of-Stake (DPoS)
Steem is admittedly a specific “flavor” of PoS (a similar implementation exists in EOS) that leverages stake-weighted voting on a limited set of block producers to remove the need for a cryptographically secure RNG (a very hard problem in deterministic systems like blockchains) and slashing conditions as the “elected” block producers determine the correct chain. This particular design exacerbated intrinsic weaknesses with PoS, allowing attackers to gain control of the chain by using their stake to vote in a relatively small number of “sock puppet” accounts, but the attack vector remains in “vanilla” PoS implementations.
To sum up, proof-of-work is good for bootstrapping decentralization but it is inefficient. Proof-of-stake is good for lowering the operating costs of a decentralized network relative to proof-of-work, but it further entrenches miners, requires complex and ethically questionable slashing conditions, and fails to prevent “exchange attacks.”
What we are seeking is a “best-of-both-worlds” solution that delivers the decentralization and security of proof-of-work, with the efficiency of proof-of-stake. In this paper we outline a modern design of proof-of-burn that can be implemented on any general purpose blockchain to achieve the “best-of-both-worlds” solution we desire.
Iain Stewart proposed proof-of-burn in 2012, a year after proof-of-stake, as a thought experiment designed to contrast the differences between proof-of-work and proof-of-stake. We believe that he unwittingly discovered the “holy grail” of consensus algorithms that got lost to the sands of time due largely to historical accident.
… I thought it would be interesting to invent a task that is absolutely, nakedly, unambiguously an example of the contrast between the two viewpoints. And yes, there is one: burning the currency! – Iain Stewart
The Exchange Attack
As the former core development team behind the Steem blockchain, mitigating the exchange attack vector was of the utmost importance and inspired blockchain architect Steve Gerbino to explore alternative consensus algorithms in search of a solution that would still give us the performance and efficiency necessary for a high performance world computer.
Proof-of-burn as a consensus algorithm is remarkably simple and its unique value is easy to understand. Like proof-of-work, it requires that the cost of attacking the network be paid “up front.” Like proof-of-stake, no actual hardware has to be purchased and run, aside from the hardware required to produce blocks. As in proof-of-work, the exchange attack is thwarted because the block producer has already lost their money; they are simply trying to get it back by maintaining a correct ledger.
In order to mount a 51% attack, the malicious actor doesn’t just need to acquire 51% of the token supply; they need to provably dispose of it by acquiring virtual mining hardware. The only way to recoup that loss is by producing blocks on the chain that ultimately wins. It’s a remarkably simple and elegant solution to the problem.
Exchange B wants to take over the Koinos blockchain. It has within its custody 51% of the KOIN, which belong to its customers. B burns all of the tokens belonging to its customers to acquire virtual hash power. B now has 0 KOIN and must produce blocks over time on the right chain just to earn back its burn.
In short, there is no need for slashing conditions because the block producer effectively slashed their own stake at the very beginning! For this reason we propose thinking of proof-of-burn as implementing “pre-slashing.” Instead of distributing rewards and then slashing malicious actors, everyone is assumed to be malicious (like in Bitcoin) and is required to “pre-slash” their capital.
Koinos Proof-of-Burn (KPoB)
Iain Stewart proposed proof-of-burn in the Bitcoin context a year before a general purpose blockchain was even conceived of by Vitalik Buterin. Ironically, general purpose blockchains are a much better use case for proof-of-burn as a consensus algorithm because they place such a high premium on efficiency while allowing for token economic designs without max supply caps, a requirement for proof-of-burn implementations. General purpose blockchains also provide a more powerful toolset (like non-fungible tokens and market maker contracts) for implementing the algorithm, as we demonstrate below.
It is important to bear in mind our goal which is to effectively replicate the user experience of proof-of-work without the inefficiency. We want the block producer to have the same skin-in-the-game that they do in a proof-of-work system without requiring that they actually do the work. In other words, our goal is to virtualize the mining process, and the more true-to-life the virtual implementation, the better.
As in the original proposal of proof-of-burn, in KPoB a user who wants to earn block rewards sends the base currency (e.g. KOIN) to an unspendable address, thereby “burning” it. Unlike in the original PoB proposal, after presenting a proof of this burn to the blockchain, the blockchain will distribute an NFT to the user. By holding this NFT and producing valid blocks, the user will become eligible to receive block rewards distributed using a random process. The end result is an NFT that effectively functions as a virtual miner. For this reason we refer to these NFTs as “miner NFTs.”
We conceive of two potential implementations, each of which has its pluses and minuses, but both of which instantiate miners as system-owned non-fungible tokens. The first potential implementation leverages an xyk market maker to establish a free market for miners. In that case the miner NFT could contain both the date of acquisition and the size of the burn, which the blockchain could then use to inform the distribution of token rewards.
This approach would create a more dynamic pricing mechanism and conserve state by enabling block producers to acquire a small number of highly productive miners through large burns. When network activity is low and demand for miners is low, miner NFTs could be incredibly accessible thanks to this market-based pricing mechanism. When network activity is high along with interest in participating in block production, users can still acquire a large amount of virtual hash power without consuming any more state by simply putting larger burns behind a small number of miner NFTs. This would also simplify technical administration of miners for block producers relative to the alternative. The problem with this implementation is that it reduces the fungibility of miner NFTs, which would limit the liquidity of secondary miner markets. It also makes it difficult to ensure that miners remain accessible.
The alternate implementation would increase the fungibility of miner NFTs by fixing their cost, a consequence of which would be more liquid secondary markets. This implementation would be functionally equivalent to fixing the hash power of all mining hardware and would reduce the amount of data stored in a given NFT by eliminating the need to store the size of the burn in the NFT. Since the cost would be fixed, some degree of accessibility could be guaranteed, though nothing could prevent individuals from accumulating a large number of miners. On the other hand, pricing the NFTs at a low level to maximize accessibility would increase the likelihood that a large number of miner NFTs would be created and this would consume more blockchain state than the alternative.
For this implementation, the price of miner NFTs can be chosen by balancing accessibility and computational efficiency. The lower the cost of miner NFTs the more of them will be produced given a constant level of demand, consuming more blockchain state. There should be no limit to the number of miners that can be produced because this provides the community with a powerful tool for responding to an attack, which we discuss below. Thanks to the upgradeability of Koinos, this number can be changed without a hard fork.
Regardless of the implementation, there are two options for how to implement the distribution of rewards. Either the payback amount can be guaranteed or payback time can be guaranteed, but both cannot be guaranteed.
Proof-of-burn’s improved security over proof-of-stake stems from the increased risk that block producers are taking. This makes it all the more important that block producers are able to have confidence that they will be able to earn back their burn plus some additional tokens as long as they produce blocks for a long enough period of time.
Therefore it is our recommendation that Koinos proof-of-burn (KPoB) be implemented such that block producers can be guaranteed a return on capital, but over an indefinite period. Instead of a fixed payback time, there should be a target payback period that would migrate based on the level of demand for miners. The more demand there is for miners, the longer the payback period. The less demand, the shorter the payback period. This also ensures that as the number of active block producers decreases, the incentive to produce blocks increases, thereby incentivizing ongoing decentralization. This guaranteed return on capital over an indefinite period follows more closely the metaphor of purchasing and operating mining hardware because when an individual participates in a PoW system they assume the risk that their activities could result in a loss at the end of a fixed period. This additional risk is a critical component of the security of PoW.
In this way, the algorithm incentivizes securing the blockchain by replicating the user experience of PoW while still allowing for its intended use case: efficiently powering decentralized applications.
Proof-of-burn mitigates hardware centralization by internalizing the mining hardware, making it native to the platform. No one can leverage hardware expertise or low cost access to enterprise-grade hardware to gain an unfair advantage. Everyone has equal access to the exact same “hardware.” It is virtual hardware, which means that it is infinitely customizable by the system designers to maximize performance of the network. If a more optimal design is discovered, the modular upgradeability of Koinos allows the consensus system to be improved without disrupting network performance or increasing the operational overhead for node operators.
KPoB also has interesting economic properties that separate it from both PoW and PoS. Of particular note is that while it requires the absence of a max cap on the token supply, at any given moment in time the total token supply can be either increasing (inflation) or decreasing (deflation) depending on the level of interest in (and activity on) the blockchain in a manner that maximizes decentralization and therefore security.
If the demand for miners is increasing linearly (with a corresponding increase in the amount of KOIN being burned) and there is some targeted upper bound on inflation, then at a certain point the rate at which KOIN is being burned will outpace the rate at which new KOIN is being produced. The result would be a decreasing token supply despite the new token creation (i.e. “deflation”).
With KPoB, the “mining rigs” are controlled by the system, so the rate at which block rewards are paid out is entirely algorithmic which not only makes it infinitely customizable, but also totally resistant to hardware centralization. GPUs, ASICs, and CPU farms provide no advantage. It is for this reason that we believe PoB is the first consensus algorithm which delivers the economics of PoW and is provably egalitarian.
People who happen to already possess mining hardware or who live somewhere with cheaper energy costs have far less of an advantage over anyone else within this paradigm, thereby opening up block production to more people and increasing decentralization. In this way we are able to deliver on Satoshi’s original vision of a truly peer-to-peer electronic cash that utilizes spare computational resources and does not require dedicated hardware.
By virtualizing the miner in this way we also free up significant engineering resources relative to both PoW and PoS because blockchain engineers no longer need to concern themselves with resisting hardware centralization (e.g. Monero) or developing complicated and technically challenging slashing conditions (e.g. Solana).
To mitigate 51% attacks block producers need only increase their miner burns, thereby pushing the payback window out into the future indefinitely. Because an attacker has already sacrificed their capital, they risk never recouping it while the network continues to perform perfectly. In short, the attacker is only helping the network.
To mitigate block producer apathy and entrenchment, miner NFTs should have a limited lifespan just like real-world miners as suggested by Stewart in his original proposal. Again, the benefit of virtual miners is that they can be upgraded at any time to improve network security, performance, decentralization, etc. An added benefit of the implementation is that this leads to virtually no e-waste, especially if the resource requirements of a node remain accessible enough to run on a user’s existing hardware.
“So there you have it! With this formula, life as a miner is spookily similar to the real proof-of-work case. You “buy a mining rig” – you burn coins, and that hits you in exactly the way sending off money to a chip supplier would have hit you, even though over the whole economy, no real resources have been expended – and you then hope that, by submitting lucky hashes to the network in the form of blocks, you can make more back in fees over time than you spent initially.” – Iain Stewart
Koinos is all about accessibility and that philosophy extends to block production. Any sub-system that can be monopolized by a small group of people represents a centralization vector that can undermine the decentralization of the system as a whole. Instead, we want a system which ensures that small miners and large miners recoup their burn at the same rate. In order to achieve this we need a system for randomly distributing rewards amongst accounts holding virtual miners.
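An added sketch, not Koinos code, of the payback model recommended earlier (guaranteed amount, floating time), the burn-increase response to a 51% attack, and the equal-rate requirement in this paragraph. It assumes a fixed per-block reward, a lottery weighted by burn size and a 10% guaranteed return, none of which the paper fixes; all names and numbers are hypothetical.

```python
"""Added illustration (not Koinos code): burn-weighted reward lottery.

Assumptions, none of which are fixed by the paper: one fixed reward per
block, a winner drawn with probability proportional to burn size, and a
guaranteed payback of burn * (1 + RETURN).
"""
import random

REWARD = 1.0      # assumed tokens paid per block
RETURN = 0.10     # assumed guaranteed return on the burn


def expected_payback_blocks(burns, reward=REWARD, ret=RETURN):
    """Expected blocks until any miner has earned burn * (1 + ret).

    Miner i wins a block with probability b_i / B, so it earns
    reward * b_i / B per block and needs b_i * (1 + ret) in total.
    b_i cancels: the answer depends only on the total burn B.
    """
    return (1 + ret) * sum(burns.values()) / reward


def simulate_payback(burns, seed, reward=REWARD, ret=RETURN):
    """Run the lottery and return {miner: block at which it was repaid}."""
    rng = random.Random(seed)
    names = list(burns)
    weights = [burns[n] for n in names]
    earned = dict.fromkeys(names, 0.0)
    repaid = {}
    block = 0
    while len(repaid) < len(names):
        block += 1
        winner = rng.choices(names, weights=weights)[0]
        earned[winner] += reward
        if winner not in repaid and earned[winner] >= burns[winner] * (1 + ret):
            repaid[winner] = block
    return repaid


def attacker_after_defence(attacker_burn, honest_burn, extra_honest_burn):
    """Attacker's share of block production and expected payback, before
    and after honest producers add burns in response."""
    def view(honest):
        burns = {"attacker": attacker_burn, "honest": honest}
        share = attacker_burn / (attacker_burn + honest)
        return share, expected_payback_blocks(burns)
    return view(honest_burn), view(honest_burn + extra_honest_burn)


if __name__ == "__main__":
    burns = {"small": 1_000, "large": 9_000}   # constructed sample miners
    print("expected:", expected_payback_blocks(burns))
    print("simulated:", simulate_payback(burns, seed=1))
    print("defence:", attacker_after_defence(5_100, 4_900, 5_100))
```

Under the fixed-price variant the same arithmetic applies with the number of miner NFTs held as the lottery weight.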
With respect to randomness, proof-of-burn is close enough to many proof-of-stake implementations which can provide useful reference implementations. Unlike most PoS systems, in the case of Koinos such a solution would live in an upgradeable system-owned smart contract, the consequence being that it can always be upgraded, or fully replaced, if a better solution emerges and without the need for a hard fork.
One challenge of PoB is the initial distribution of tokens. To overcome this challenge one could do as we did and launch their token on an existing general purpose blockchain and have users mine the token by submitting proofs of work to an xyk market maker contract. You can read more about our implementation here: koinos.io/koin-whitepaper/.
Of course, the fees inherent to these platforms can become a major barrier to entry. Koinos addresses this problem by eliminating fees through its mana system (koinos.io/mana-whitepaper) thereby giving blockchain developers an accessible “fat protocol” on which they can launch their token with proof-of-work mining. They can then spin up their own PoB blockchain (e.g. using the Koinos Blockchain Framework), all while maintaining maximum accessibility and decentralization!
In this paper we have outlined a modern implementation of proof-of-burn for use as a work-free fork resolution (“consensus”) system in a general purpose blockchain that is resistant to 51% attacks without the need for slashing conditions and which mitigates the exchange attack. We have explained that as a result of its hardware resistant features and accessibility it can achieve greater decentralization than proof-of-work and by eliminating slashing conditions can achieve greater efficiency than proof-of-stake. By implementing this system as an upgradeable smart contract module we preserve the flexibility to upgrade either the system as a whole, or individual components like RNG, whenever superior solutions emerge without the need to wait for a planned hard fork. This also makes the implementation more accessible to other blockchain developers who wish to understand it or implement it themselves.