Formal Barriers to Longest-Chain Proof-of-Stake Protocols
The security of most existing cryptocurrencies is based on a concept called Proof-of-Work, in which users must solve a computationally hard cryptopuzzle to authorize transactions (‘one unit of computation, one vote’). This leads to enormous expenditure on hardware and electricity in order to collect the rewards associated with transaction authorization. Proof-of-Stake is an alternative concept that instead selects users to authorize transactions proportional to their wealth (‘one coin, one vote’). Some aspects of the two paradigms are the same. For instance, obtaining voting power in Proof-of-Stake has a monetary cost just as in Proof-of-Work: a coin cannot be freely duplicated any more easily than a unit of computation. However, some aspects are fundamentally different. In particular, exactly because Proof-of-Stake is wasteless, there is no inherent resource cost to deviating (commonly referred to as the ‘Nothing-at-Stake’ problem). In contrast to prior work, we focus on incentive-driven deviations (any participant will deviate if doing so yields higher revenue) instead of adversarial corruption (an adversary may take over a significant fraction of the network, but the remaining players follow the protocol). The main results of this paper are several formal barriers to designing incentive-compatible proof-of-stake cryptocurrencies (that don’t apply to proof-of-work).
Research Summary
The paper “Formal Barriers to Longest‑Chain Proof‑of‑Stake Protocols” investigates fundamental obstacles that any longest‑chain PoS cryptocurrency must face when participants act strategically to maximize their own rewards. Unlike Proof‑of‑Work (PoW), where deviating from the prescribed protocol incurs a tangible cost in electricity and hardware, Proof‑of‑Stake (PoS) is “wasteless”: a validator can copy old histories, sign multiple competing forks, or withhold messages without expending any additional resources. The authors therefore shift the security focus from an adversarial corruption model (a fraction of nodes are malicious) to an incentive‑driven model where all nodes are rational and will deviate whenever it yields a higher expected payoff.
Model.
A PoS protocol is abstracted as two deterministic functions: a validation function V that decides whether a block B is admissible given its timestamp and predecessor chain, and a slot‑selection function S that determines which coin (or stake holder) is eligible to propose a block at a given time. The model assumes two natural properties—Chain Dependence (the validity of a block depends only on its ancestors) and Monotonicity (once a block is valid it remains valid in any superset of the chain and at later times). These properties rule out pathological “Eclipse” attacks where a node is misled into believing an invalid block is valid.
Two Complementary Properties.
The authors prove that any longest‑chain PoS protocol satisfying the above model must satisfy one of two mutually exclusive structural properties:
- External Randomness Dependence. The selection of the next proposer must rely on randomness that is independent of the current blockchain state (e.g., an external timestamp, an oracle, or a trusted hardware source). This prevents validators from influencing the randomness by manipulating the chain they are extending.
- Internal Randomness with a “Pre‑emptive” Constraint. If the randomness is derived from the blockchain itself (e.g., hashes of previous blocks, signatures, VRFs), then the protocol must enforce a specific constraint on how that randomness can be used—essentially a “no‑pre‑emptive‑fork” rule that disallows a validator from simultaneously extending multiple competing histories with the same stake.
Attacks Exploiting Each Property.
For the first property, the paper describes an attack where an adversary controls or delays the external randomness source (e.g., manipulates timestamps or compromises an oracle). By doing so, the attacker can bias the slot‑selection function to make themselves the proposer with probability arbitrarily close to 1, gaining disproportionate rewards without any cost. Because the attack works even in an ideal network with zero latency, it demonstrates that reliance on external randomness is intrinsically fragile.
For the second property, the authors construct a “multi‑fork” or “nothing‑at‑stake” attack. The attacker prepares several valid forks in advance, each containing a block that they are eligible to propose (using the same stake). When the network reaches the slot where they are selected, they broadcast all competing blocks simultaneously. Since PoS does not penalize the validator for signing multiple blocks, the attacker can collect rewards on every fork, effectively multiplying their earnings. The attack exploits the fact that internal randomness can be predicted or pre‑computed from the existing chain, and without a mechanism that imposes a cost (e.g., slashing, bonding, or a delay before rewards are claimable), the protocol cannot prevent the attacker from reaping the extra reward.
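To make the model from the Model section and the multi-fork scenario above concrete, the following is an added example (not code from the paper or any of the protocols it discusses). It builds a toy longest-chain PoS protocol with a validation function V (`validate`) and a slot-selection function S (`select_proposer`) whose randomness is internal: the seed for each epoch is the hash of the last block sealed before that epoch, so eligibility depends only on ancestors (chain dependence) and a block valid against its prefix stays valid as the chain grows (monotonicity). Because two forks that diverge inside an epoch share the same seed, the same stakeholder is scheduled on both and can sign a block on each at no resource cost; the `find_equivocations` detector then collects the same-slot double-signing evidence that a slashing rule would act on. The stake table, epoch length, block format and stakeholder names are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed stake distribution and parameters; not taken from the paper.
STAKE: Dict[str, int] = {"alice": 50, "bob": 30, "carol": 20}
TOTAL_STAKE = sum(STAKE.values())
EPOCH_LENGTH = 4  # slots per epoch; the seed is frozen at each epoch boundary


@dataclass(frozen=True)
class Block:
    slot: int
    proposer: str
    parent: Optional[str]  # hash of the parent block; None only for genesis
    payload: str

    def digest(self) -> str:
        data = f"{self.slot}|{self.proposer}|{self.parent}|{self.payload}".encode()
        return hashlib.sha256(data).hexdigest()


GENESIS = Block(slot=0, proposer="genesis", parent=None, payload="genesis")


def epoch_seed(chain: List[Block], slot: int) -> bytes:
    """Internal randomness: the seed for the epoch containing `slot` is the hash of
    the last block sealed before that epoch began. Only ancestors are consulted."""
    epoch_start = (slot // EPOCH_LENGTH) * EPOCH_LENGTH
    prior = [b for b in chain if b.slot < epoch_start]  # chain is slot-ordered
    if not prior:
        return b"bootstrap-seed"  # constructed constant for the very first epoch
    return bytes.fromhex(prior[-1].digest())


def select_proposer(chain: List[Block], slot: int) -> str:
    """Slot-selection function S: draw one coin from (seed, slot), so each
    stakeholder is selected with probability proportional to its stake."""
    digest = hashlib.sha256(epoch_seed(chain, slot) + slot.to_bytes(8, "big")).digest()
    coin = int.from_bytes(digest[:8], "big") % TOTAL_STAKE
    for holder, amount in STAKE.items():
        if coin < amount:
            return holder
        coin -= amount
    raise AssertionError("unreachable: coin index exceeds total stake")


def validate(chain: List[Block], block: Block) -> bool:
    """Validation function V: the block must extend the chain tip, move time
    forward, and be signed by the stakeholder S selected for its slot."""
    tip = chain[-1]
    return (
        block.parent == tip.digest()
        and block.slot > tip.slot
        and block.proposer == select_proposer(chain, block.slot)
    )


def extend(chain: List[Block], slot: int, payload: str) -> List[Block]:
    """Return a new chain with a protocol-following block appended at `slot`."""
    block = Block(slot, select_proposer(chain, slot), chain[-1].digest(), payload)
    if not validate(chain, block):
        raise ValueError("constructed block failed validation")
    return chain + [block]


def find_equivocations(forks: List[List[Block]]) -> Dict[str, Set[int]]:
    """Slashing-style detector: report every stakeholder who signed two distinct
    blocks for the same slot on any of the observed forks, with the slots."""
    seen: Dict[Tuple[int, str], Set[str]] = {}
    for fork in forks:
        for block in fork:
            seen.setdefault((block.slot, block.proposer), set()).add(block.digest())
    offenders: Dict[str, Set[int]] = {}
    for (slot, proposer), hashes in seen.items():
        if len(hashes) > 1:
            offenders.setdefault(proposer, set()).add(slot)
    return offenders


def nothing_at_stake_scenario():
    """Build one honest prefix (slots 1-3), then two forks in the next epoch that
    the same scheduled proposers extend at slots 4 and 5, and run the detector."""
    base = [GENESIS]
    for slot in (1, 2, 3):
        base = extend(base, slot, f"tx-batch-{slot}")
    # Both forks descend from the slot-3 block, so their epoch-1 schedules agree.
    fork_a = extend(extend(base, 4, "fork-A-slot-4"), 5, "fork-A-slot-5")
    fork_b = extend(extend(base, 4, "fork-B-slot-4"), 5, "fork-B-slot-5")
    schedule_same = all(
        select_proposer(fork_a, s) == select_proposer(fork_b, s) for s in range(4, 8)
    )
    return fork_a, fork_b, schedule_same, find_equivocations([fork_a, fork_b])


if __name__ == "__main__":
    a, b, same, offenders = nothing_at_stake_scenario()
    print("same schedule on both forks:", same)
    print("equivocating stakeholders by slot:", offenders)
```

Every block on both forks passes V, which is exactly the point: nothing in the validity rule distinguishes the second signature from the first, so the protocol can only discourage the behaviour by pairing the detector's evidence with a penalty (slashing or a bonding period), as the summary notes. The detector is itself a constructed design, not one the paper proposes.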
Ideal Network Assumption and Its Implications.
The authors emphasize that even under an “ideal” network model—perfectly synchronized clocks, zero‑latency message delivery, and honest nodes—these attacks remain viable. This shows that the barriers are not merely artifacts of network imperfections but stem from the logical structure of PoS incentives. In realistic networks, where latency, message loss, and Sybil attacks are present, the vulnerabilities become even more pronounced.
Consequences for PoS Design.
The paper’s main contribution is a formal impossibility‑type result: a longest‑chain PoS protocol cannot simultaneously achieve (i) incentive compatibility (no rational validator can profit by deviating) and (ii) the two desirable properties of randomness without introducing additional costs or complexity. Designers must therefore either (a) accept external randomness and invest in robust, tamper‑proof sources (e.g., decentralized oracles, verifiable delay functions), (b) embed strong penalty mechanisms (slashing, bonding periods) that turn “free” deviations into costly actions, or (c) redesign the consensus rule away from a pure longest‑chain approach (e.g., using BFT‑style finality gadgets).
Relation to Prior Work.
The paper situates itself between two research streams: (1) the “network‑intrusion” model, which assumes a bounded fraction of malicious nodes and provides cryptographic security proofs, and (2) the “incentive‑driven” model, which has received less formal treatment. By proving that strategic deviations can be profitable even when the network is otherwise honest, the authors highlight a gap in existing security analyses. They also discuss how several commercial PoS proposals (e.g., Cardano, NEM, Tezos) implicitly rely on one of the two properties and thus inherit the corresponding vulnerability unless mitigated by ad‑hoc reward schemes.
Future Directions.
The authors suggest several avenues: (i) formalizing hybrid randomness sources that combine internal entropy with external verification, (ii) designing slashing mechanisms that are provably sufficient to offset the expected gain from multi‑fork attacks, and (iii) exploring consensus frameworks that do not rely on a single longest‑chain rule, thereby sidestepping the identified barriers.
In summary, the paper delivers a rigorous, model‑based argument that longest‑chain PoS protocols face unavoidable incentive‑compatibility barriers. Any protocol that wishes to be secure against rational, profit‑maximizing participants must either accept external randomness with strong integrity guarantees or enforce costly penalties for deviating behavior—both of which introduce substantial design complexity. This work therefore serves as a crucial checkpoint for researchers and practitioners aiming to build robust, economically sound PoS cryptocurrencies.