Proof of Stake (PoS) is a burgeoning Sybil resistance mechanism that aims to have a digital asset (“token”) serve as security collateral in crypto networks. However, PoS has so far eluded a comprehensive threat model that encompasses both Byzantine attacks from distributed systems and financial attacks that arise from the dual usage of the token as a means of payment and a Sybil resistance mechanism. In particular, the existence of derivatives markets makes malicious coordination among validators easier to execute than in Proof of Work systems. We demonstrate that it is also possible for on-chain lending smart contracts to cannibalize network security in PoS systems. When the yield provided by these contracts is more attractive than the inflation rate provided from staking, stakers will tend to remove their staked tokens and lend them out, thus reducing network security. In this paper, we provide a simple stochastic model that describes how rational validators with varying risk preferences react to changes in staking and lending returns. For a particular configuration of this model, we provide a formal proof of a phase transition between equilibria in which tokens are predominantly staked and those in which they are predominantly lent. We further validate this emergent adversarial behavior (e.g. reduced staked token supply) with agent-based simulations that sample transitions under more realistic conditions. Our results illustrate that rational, non-adversarial actors can dramatically reduce PoS network security if block rewards are not calibrated appropriately above the expected yields of on-chain lending.
There is currently an intense effort to improve the scalability of blockchains and other decentralized value systems known as crypto networks. These networks use cryptographic proofs and game theoretic constructions to provide tamper-resistant updates to a global ledger. While there are a variety of research and engineering challenges in setting up these systems, one of the major bottlenecks to network throughput is the cost of Sybil resistance mechanisms within a decentralized consensus protocol. Proof of Work (PoW) networks achieve Sybil resistance by requiring consensus-participating nodes to provably burn energy to compute many iterations of a particular cryptographic hash function. PoW, while effective and permissionless, expends a large amount of natural resources and has resulted in concentrated ownership of the underlying digital assets (e.g., Bitcoin). Proof of Stake (PoS) was first introduced as an alternative in a 2012 BitcoinTalk post  that showed the equivalence between a PoW miner who could immediately reinvest her block rewards into hash power within the network and a PoS validator who can reinvest their validation earnings into network security. PoS works by instead allowing users to lock a digital asset, known as a token, into a smart contract that provides them with token-denominated returns in exchange for validating transactions and providing network security. Using shared, verifiable randomness, all network participants can use a multi-party computation protocol to sample the distribution of asset ownership locked into the contract and choose participant(s) who receive the block reward emitted by the network. This is analogous to how PoW can be thought of as a protocol that samples the distribution of hash power to choose the next block producer . One of the main benefits of PoS is that one does not have to commit a costly natural resource to participate in the network. Instead, a purely digital asset is used as collateral for the network and the network can control its supply to provide the desired properties. For an introductory background on PoS protocols and their complex security models, please see .
In this paper, we show that these purported benefits do not come for free. As PoS algorithms inherently connect a decentralized network’s security with the capital cost of a digital asset, PoS protocols tie their security to the cost of capital rather than to the cost of a natural resource. Volatility in the cost of capital, which is usually higher than that of natural resources , can have adverse effects on capital commitments to PoS networks. The main result we show is that alternative sources of yield can drive staking token capital allocators to collectively drain a network’s security, akin to a bank run. In particular, we find that PoS in deflationary systems is unstable and unlikely to work and that for more reasonable inflation rates, the effectiveness of PoS depends on the relationship between staking and lending rates. This relationship should inform the further design of PoS systems, especially as a large number of networks are launching in 2020.
The move from PoW to PoS presents a plethora of challenges. In a PoS system, the network relies on participants who are staked in the system to stay online in order to achieve liveness. In practice, this is implemented by slashing participants—redistributing or burning a participant’s stake that is committed for validation rewards when they perform a malicious act—who go offline or miss a block that they are supposed to produce. Moreover, there are attacks that are unique to PoS such as the nothing-at-stake and long-range attacks . These attacks are impossible in PoW, as resource costs of digital assets are practically zero, especially when compared to costs of natural resources . Lastly, as the asset used for staking is also the medium of exchange, a malicious validator needs to only aggregate 33% of the token to perform a Byzantine attack.1
However, if there exist physically settled futures contracts on PoS tokens, then it is possible for an attacker to buy futures that allow for staking participants to sell their staked token in the future. This attacker can aggregate this stake and upon reaching an attack threshold, begin to perform a double spend or other malicious attack . As these derivatives can be settled off-chain (e.g., using a centralized exchange like BitMEX or Deribit), monitoring of this type of attack can be difficult. In PoW, one would need to aggregate the hash power needed to produce 50% of the network’s hashrate, which is a much harder task that relies on aggregating data centers, specialized hardware, cheap electricity, and a favorable country of residence. Moreover, PoS systems are vulnerable to financial attacks, or attacks that utilize the fact that PoS tokes serve as both the instrument of security and as the medium of exchange. Such attacks are often feasible due to emergent and unexpected coordination between participants in a PoS network and an external market.
Given the vulnerability of PoS to cartel-like behavior that can be coordinated via an external market, one might naturally ask if there are also any endogenous financial risks on PoS protocols that support smart contracts. Recently, there has been an uptick in interest in Decentralized Finance (DeFi), which uses smart contracts to implement standard financial primitives in a purely on-chain manner . These primitives, such as exchanges , lending , and stable reserve currencies , decentralize banking functions by creating incentives that encourage rational participants to receive arbitrage profits for maintaining the system’s security, while also meting out financial punishments for misbehavior. Instead of explicitly punishing fraud via legal recourse, these protocols use purely financial modes of recourse to encourage network participation and growth. One of the biggest sectors within DeFi is the on-chain lending market, in which the largest single platform is Compound , an Ethereum smart contract that allows users to lend and borrow assets that conform to the ERC-20 token standard. The Compound smart contract has held up to $175 million of assets, has had over 40% of the float of the Dai stablecoin , and saw double digit asset growth during 2019. Given that Ethereum is likely to transition to PoS soon, one must evaluate: are there any financial attacks against chain security that result from an on-chain lending system? A simple gedanken experiment for answering this question from the view of on-chain lending might be of the form:
Suppose that we assume that validators are rational financial agents. Would they not simply move their assets between staking and on-chain lending, depending on which has a higher yield?
In particular, it is clear that there is a relationship between the price of capital availability and participant’s willingness to stake, as stakers have to earn more than a risk-adjusted market rate on their staked capital. However, unlike Proof of Work, there are no physical limits that prevent validators in staking networks from rapidly moving their assets into higher yielding activities. On-chain lending, such as Compound, makes this particularly efficient, as validators simply have to post a single Ethereum transaction to unbond their tokens and begin earning yield within a single block time. High lending yields would likely lead to a reduction in network security (e.g., a financial attack) as these yields would encourage rational actors to unexpectedly coordinate and reduce network security by optimizing for financial gain.
We answer these questions with a stochastic model that can be theoretically solved in certain situations and is easily simulated via Monte Carlo methods. Our aim is not to model realistic networks parameters perfectly, but rather to show that even in the most simplified model of agents optimizing portfolios composed of staked and lent tokens, on-chain lending can cause dramatic volatility in network security. In particular, we construct an agent-based model, where each network participant is represented via an agent with a utility and decision function. Agent-based modeling has been previously used for modeling censorship properties in sharded PoW chains  and can serve as a conduit for comparing theoretical results to empirical data in a statistically rigorous manner. Our model for rational network agents involves having each participant view their total token wealth as a two component portfolio of tokens staked and lent. We assume that the agents have different risk preferences and locally optimize their token portfolios using mean-variance optimization , which allows for agents to adjust their portfolios based on observed returns and risk preferences. Figure 2 illustrates that there is a phase transition in inflation rate that leads to tokens going from being predominantly lent in deflationary regimes to predominantly staked in inflationary regimes. Moreover, Figure 3 shows that the spread between borrowing and lending rates is significantly worse for deflationary PoS assets, further confirming the existence of a phase transition. We explicitly state our simplifying assumptions in Section 2 and note that agent-based modeling allows one to relax these assumptions and analyze how these results carry over to real PoS protocols, such as Cosmos  and Tezos . In Section 4, we prove properties of this model that match the observed phase transition from Figure 2 and Figure 5. A single sample path is depicted in Figure 1, which visually show that agents participating in on-chain lending and staking can cause a “flippening," where there are more assets lent out than staked. The observed volatility in the amount of assets staked is tantamount to dramatically reducing the cost of taking over a staking network, which implies that the security model of PoS networks needs to account for attacks on the network that stem from reduced cost of capital. The combination of theoretical and simulation-based results demonstrate that the threat model for PoS networks needs to be expanded to include financial attacks that result from yield competition with on-chain financial products.
For provenance, note that the mathematical notation used in this paper is documented in Appendix A.
In order to simplify our model, we will make some simplifying assumptions. These assumptions hold for all models analyzed in this paper and they focus on properties of the underlying distributed ledger rather than properties about the economic behavior of participants, which is described in the proceeding section.
All sampling processes use true randomness and not pseudorandomness.
This differs from many standard cryptographic threat models that assume pseudorandomness and provide an -approximation to true random sampling . In the Appendix, we use this property to ensure that our PoS algorithm is non-anticipating (e.g. adapted to a suitably chosen filtration), allowing for conditional probabilities to be computed without having to aggregate the error terms. One can remove this assumption, in a similar manner to , with a significant increase in proof complexity.
All communication between participants is synchronous.
This can be relaxed to partial synchrony, with an increase in complexity in the proofs and simulations described in the following section.
All pseudonymous identities are known by all participants and the number of participants (measured by unique addresses), is fixed.
The entire system will update at discrete time intervals, with each tick to be thought of as a block update.
While participants will likely execute strategies in continuous time, assuming discrete time evolution ensures that participants only respond to event updates that are received on-chain. One can also remove this assumption at the cost of increased variance using Poissonization techniques  and sleepy consensus assumptions .
Only on-chain lending, borrowing, and staking will be considered.
We are ignoring off-chain lending (e.g., OTC desks or lending businesses, such as Galaxy and Tagomi) and are assuming that there always exists block space for any participant’s action to succeed. We are omitting this to reduce the complexity of our model, as off-chain lending has varied pricing models and term structures.
The block reward at time and the money supply at time are deterministic and known to all participants.
In particular, we avoid assuming that there exist governance mechanisms for changing the block reward, which have been proposed for protocols such as Algorand  and Celo .
The only revenue that validators receive from staking comes from the block reward.
This is a model assumption that removes the complexity of modeling crypto network fee markets, which currently have unstable dynamics and are poorly understood.
The following properties hold for our idealized PoS algorithm:
No compounding: PoS mechanism uses epoch-based sampling and does not immediately reinvest block rewards. This is to avoid the concentration behavior described in . One can relax our model to handle Pólya urn processes, at the cost of significantly worse variance.
Single validator per block: To simplify the model, we avoid using committees  and verifiers  as they add more variance and make both formal and simulation methods more difficult.
Constant slashing probability: We assume that each validator has a fixed probability of being slashed on a block that they produce. This is simplistic as it assumes that all validators have the same chance of being slashed, regardless of stake and validation history. However, in practice, we have seen very few live slashes and this model encourages simpler formal and simulation analysis.
Sharded state is synchronously traversed: Any sharded state in our PoS blockchain is read synchronously and we assume linearizability in our blockchain. This can be relaxed to non-linearizable protocols like Avalanche , but will depend on the scoring function used for each branch.
No unbonding period: We do not assume that the PoS protocol has an unbonding period like that of Cosmos  or Tezos .
Let be the total outstanding token supply of a PoS protocol at time and let , where is the number of staked tokens and is the number of lent tokens. We use a simple model of a PoS system that samples a single block producer from a discrete time-series of stake distributions, denoted by , where is the -dimensional probability simplex (see Appendix A). The main input parameters are:
: Initial asset distribution
: Staking block reward at block height
: Slash that validator receives if the staking distribution is
The formal specification of the algorithm can be found in Algorithm 1 in Appendix B. The algorithm state includes the current stake distribution, the current epoch’s reward set, the current epoch’s slash set, and the current block time. At a high-level, for each block, we select a validator who should receive a block reward and decide if they are to be slashed by flipping a coin with probability If they are slashed, we add their id and the amount that they are to be slashed to the current epoch’s slash set. Otherwise, we add them to the block reward set. The algorithm updates the stake distribution on a per epoch basis.
We will study two models for lending, one involving an explicit model for borrowing demand and one that is implicit. The implicit model, which is simpler, provides a prototype for constant borrowing demand and is amenable to theoretical results. On the other hand, the model involving an explicit description of borrowing demand is more realistic and amenable to being fit by historical data.
In the two-state lending model, we track the time evolution of two token distributions, which respectively represent the distribution of staked tokens and those locked in a lending contract. The th component of the stake distribution, corresponds to the amount of tokens that the th agent has staked. Each agent has a wealth at time that is equal to the sum of their portfolio of staked and lent tokens, i.e., By definition, the total lending supply is equal to the sum of all lent portfolios, i.e. and the total money supply is equal to the sum of all portfolios, i.e., At each time step, agents update their portfolios based on returns accrued from the previous time step and after portfolios are updated, the lending rate, is updated based on the total amount lent. This means that we are making two implicit assumptions:
Constant relative borrowing demand: We are assuming that ratio of borrowing demand (represented via a quantity of tokens) to the total token supply stays constant, as the rate only depends on the lending and staking supplies. Formally, this means that the demand at time is equal to
Flows are the only determining factor: Participants who move tokens from staking to lending or vice versa are the only causes for changes to the lending rate
We draw inspiration from Compound , which provides a simple formula for the borrow lending rate, and the lending rate, The Compound model computes a utilization rate at block height which is the ratio of the borrowing demand to the token supply locked in the contract, and uses that to update formulas for Mathematically, they define the utilization rate as
We compute the borrow and lend rates using the following formulas, where are interest-rate parameters and is a measure of the spread between lending and borrowing (i.e., is the relative spread).
For reference, the Compound V2 contract uses the values and As depicted in Figure 2, there can be an enormous amount of volatility in the fraction of the token supply that is lent, In Section 4, we prove tail bounds on the inflows and outflows of lent tokens over a time step, e.g., that explicitly depend on the block reward, and the interest rate parameters. These bounds suggest that even for the overly simplistic setting of the two-state model, PoS protocols need to carefully choose their block rewards if they desire to have a large fraction of the outstanding token supply staked at all times.2
Instead of assuming that there is constant relative borrowing demand, we can relax this by specifying an additional distribution, such that and where is the total amount borrowed at time In this world, the utilization ratio is now defined as:
Formally analyzing this model has a variety of difficulties that stem from that fact that we have to explicitly model the borrow demand distribution and disentangle how it couples to each participant’s local model of risk, which is defined in the next section. In Section 5, we simulate this model with a variety of different borrowing demand distributions, but all formal proofs that follow only analyze the two-state lending model. Since the pool of borrowers (e.g., arbitrageurs) is often disjoint from the pool of stakers and lenders, we will make the following assumption:
The borrowing demand distribution is probabilistically independent of the lending and staking distributions.
The final task needed to completely specify this model is to define the state transition rule that sends to As per Assumption 9, the evolution of is independent of staking and lending, and will be specified separately in Section 5. We therefore need to specify state transition rules on a per agent basis, where each agent’s state is their token portfolio Traditionally, the strategy space of rational actors is described via an expected utility function that an agent aims to maximize by taking various allowable actions. Before specifying the strategy space that we will sample, let’s consider a few examples to motivate the need for agents who have varying risk preferences. If at time staking is returning more than lending and every agent moves their entire portfolio from lending to staking, then we will observe a correlated spike in lending rates will go to zero and Moreover, the relative staking reward to any agent will decrease as will increase by the amount of tokens that flow from lending to staking as the expected return on an epoch for an agent is their staked tokens divided by the token supply, Thus the greedy strategy of moving all of one’s assets to the higher yielding activity and causes drastic swings in the relative yields of staking and lending is unstable and doesn’t accurately represent reality, where token holders have differing risk preferences and will not immediately move their entire portfolio from staking to lending (or vice-versa). Furthermore, cryptocurrency holders are often looking for returns that are multiples of their initial investment and have a long time-preference . In our evolution of each agent’s portfolio, we also assume that an agent making a decision at time can only use the information about all portfolios up to time and the implied rate Since we are dealing with on-chain lending only, this assumption says that players cannot use strategies that look into the future and that all agent portfolios are public. In order to capture strategies that are independent of front-running and latency arbitrage, we will make the following assumption:
There exists an -valued martingale that chooses the ordering in which participants are allowed to update their portfolios at time to those at time
Under this assumption, agents receive no advantage in expected returns by trying to predict when their strategy is executed (e.g., is agent 1’s strategy executed before agent 2’s strategy because agent 1 has more staked than agent 2?). This assumption is reasonable as our goal is to figure out if rational, but non-Byzantine, agents will cause PoS network security to decrease when on-chain lending activity is sizeable.
Mean-variance methods, pioneered by Markowitz’s Nobel Prize winning work on portfolio theory , provide a way for rational traders of risky assets to construct portfolios that trade-off individual preferences for maximizing returns with those of risk minimization. These methods, which are the backbone of the majority of trillions of dollars of passive portfolios and statistical arbitrage strategies, provide a simple, easy-to-solve model that involves two parameters for constructing portfolios of assets: an expected return vector and a positive-definite covariance matrix Given these parameters, one solves a strongly convex program that aims to compute the fraction of an agent’s wealth that should be allocated to each asset while ensuring that the sum of the allocations is one and each entry is positive. In particular, the seminal work of Markowitz aimed to optimize the quadratic form where is a parameter that controls the riskiness of the output portfolio and is the portfolio allocation. As is varied, the efficient frontier of admissible portfolios is defined as the surface The original work of Markowitz  focused on the single period allocation problem, where an investor aims to find the optimal portfolio over a single time-period, which corresponds to assuming that and do not change over time. Further work on multiple period  and continuous-time methods  for mean-variance optimization allow for and to vary as functions of time, with the continuous-time methodology drawing from an Îto process, such as a solution to the Black-Scholes equation for options pricing. As blockchain systems have incremental updates with independent games per update (e.g., transaction fee markets can differ wildly from block to block), we will necessarily have to consider the multiple period model and define how each agent’s mean vector and risk-preferences evolve over time. Finally, we note that our methodology is directly comparable to that of multistrategy backtesting in quantitative trading .
We will assume that each agent treats their token wealth, as a Markowitz portfolio and updates, on receiving tokens from staking and lending, an estimate for a time-dependent return vector We also assume that each agent has a different, time-independent covariance matrix that is drawn from a random matrix ensemble3. In other words, the expected return vector adjusts with time (it depends on the staked and lent quantities), while the covariance stays fixed in time. As long as there is some variance in the chosen random matrix ensemble (e.g., such that ) then the dynamics will not deadlock into a state where all participants end up with the same portfolio (e.g., all outstanding tokens are 100% allocated to staking or lending). If agents simply move all of their assets from one pool to another, as opposed to some risk-adjusted proportion, then the system can deadlock quickly when borrowing demand is constant. Using the notation of the prequel, we define as:
Let us motivate this choice of expected return vector. Recall that the return vector is supposed to represent the relative rate of return (usually referred to as an alpha in the quantitative finance literature) over a riskless asset. In this situation, the riskless asset is holding our tokens (as bearer instruments) and we expect to earn yields4 of and for staking and lending, respectively. However, note that the former yield can be greater than 1 when whereas the latter yield cannot as per Equation 1. In order for Markowitz optimization to be well-defined, we need to choose yields that are directly comparable (e.g., have the same range). Moreover, we note that the naïvely calculated staking yield loses the dependence on the th party’s current wealth. Since our system allows for slashing and each validator incurs a variance in reward proportional to the inverse square root of the epoch length, it is preferable to find a yield that depends on the th parties wealth to reflect this variance. The simplest estimator for a staking validator’s yield that is in (comparable to lending yield) and has a component of the variance is the probability of winning the block reward, which is exactly what Equation 3 describes.
In order to describe the covariance matrix, we will first state an assumption that aims to connect the variances in the system with the expected staked and lent times:
The th agent’s covariance matrix will be static (e.g. does not vary with block height), diagonal, and will have variances connected to the expected stake time and expected lent time
Formally we use the following model for the covariance matrix:
One can interpret as the expected epoch length (see Algorithm 1), while represents the withdrawal window under which a lender can remove their tokens from the lent pool.5 By connecting the covariance matrix to these quantities, we encode the connection between a validator’s expected risk preference and the time that capital is locked into either staking or lending. Equation 4 represents the fact that risk and time preferences are, to first-order, inversely correlated (e.g., you are willing to lock up capital for the longest duration in the least risky assets) . To explain these choices of random variables, first recall that the Markowitz objective function is of the form where parametrizes the agent’s preference for return maximization over risk minimization. If we divide this objective function by provided that we get an equivalent optimization problem for Note that can be thought of as encoding ’collective’ risk-preferences for all agents (e.g., a bull market when is large, a bear market when is small). As such we need a methodology for choosing that depends on the network size and/or number of agents. We make in order to capture the fact that as the number of participants increases, so should the expected number that are risk seeking. Once we do this, we can directly interpret the variables as encoding both this risk preference and the inherent duration difference between lending risk and staking risk. The static nature of the covariance matrix in Assumption 11 implies that each agent has an equilibrium risk-preference. Moreover, this implies that the distribution of risk-preferences amongst changes is not changing—which one can expect in the limit as the number of agents goes to infinity.6 Making this assumption allows for significantly faster simulation (e.g., less compute needed to reduce the variance of the estimator below an error threshold ).
To summarize, we evolve the system by having each agent update their Markowitz estimate at each time step, which changes the lending and staking distributions for the next time step. In simulation, agents will only be able to migrate their staking tokens at times Explicitly, we evolve the system via the following loop:
Initialize distributions .
Initialize empirical distributions
Observe empirical distributions
(generated via actual staking / lending rewards accrued in the epoch)
Compute Markowitz weights
Define new portfolio as ,
We will describe a few formal properties (proved in the Appendix) of the two-state model, as it is feasible to analytically analyze this model. Our goal in this section is to bound the amount of turnover in the stake distribution that is caused by on-chain lending becoming more attractive than staking rewards to rational stakers. A secondary goal is to understand what properties of the stochastic processes that represent the evolution of the lending and staking distributions are necessary and/or sufficient for ensuring that we do not have a lot of volatility in agent token portfolios. This is important as volatility in these portfolios implies that PoS networks have volatile security, which is a distinct defect when compared to PoW. We will make a few additional assumptions that are necessary to provide analytical results:
There is a minimum fraction of the money supply that needs to be staked, e.g.
If no one is staking then the on-chain lending contract has no value (as it doesn’t have any security), so this is a realistic assumption that matches the practical parameters chosen in live networks such as Tezos  and Cosmos . Note that one can directly interpret as the fraction of altruistic validators who will never reallocate or rebalance their assets.
The number of agents is larger than a constant multiple of the product of the exponential parameters, e.g.
This assumption is required for purely technical reasons that are explained in the proofs in the appendix.7 If we solve the unconstrained problem8 for the Markowitz objective function, then needs to satisfy the first-order condition, This yields,
Given that we are in the multi-period Markowitz setting, this means that we can estimate the th participant’s portfolio weights via As a measure of volatility in the security of the underlying staking mechanism, we will first look at how changes in time. Intuitively, this change corresponds to how large rebalancing events (e.g., moving tokens from staking to lending, or vice-versa) are between subsequent blocks. If this rebalancing is large, then the network could dramatically reduce it’s security as holders move their assets from staking to lending. On the other hand, if this rebalancing is small and decreases over time, then we know that the staked token supply is stable. Using the Markowitz update rule (Equation 7), we have the following bound.
where is the operator norm. This simple inequality implies that the volatility in portfolio weights, represented by the single block difference in weights, is controlled by the difference in the mean vector, as Therefore, we focus on trying to bound the difference in expected returns as a function of the block reward at time the total token supply the lent supply and the Compound lending curve parameters
Let and Since the PoS algorithm is adapted to a filtration on and the covariance matrices are constant as time evolves,9 are also -adapted random variables. Note that by definition, and since we cannot change the amount staked or lent by more than the outstanding money supply. We will first bound the difference in expected returns as a function of and :
There exist constants such that
Note that these constants are allowed to depend on from Assumption 12. If we have an compounding and inflationary rewards schedule, e.g., then this claim implies the following:
If there exists such that and then as the maximum change in stake is bounded above by the lending volatility, w.h.p.
This claim implies that if there is not much variance in the lending rate, either due to choosing small parameters or because borrowing demand is minimal, then we should not expect portfolios to rebalance regularly and rational stakers will tend to keep their tokens locked in a staking contract. Another natural quantity to look at is the variance of the lent assets. We show that the money supply and time-preference for lending, control the variance of lent assets.
Let be the filtration such that the lending process is adapted. Then we have:
Moreover, we have the following bounds:
Note that if is the constant representing the ratio of borrowing demand to (cf. Section 3.2.1), there exists a constant10 that depends on such that . As such, Claim 3 implies that as long as we have reallocation from staking to lending. Thus, any monetary policy that grows sufficiently quickly with the number of users of the network will always have assets moving into and out of lending. If we place constraints on the demand we can strengthen this result into a bound on how much oscillates:
Let and If for all , where and the hypotheses of Claim 2 hold, then is a submartingale and we have
In words, this claim says that as long as we have inflation and there is enough borrowing demand, then we can be sure that the worst-case rebalancing is bounded by the variance of lending volatility. If we add another constraint on the behavior of the increments then we can strengthen this claim to get a phase transition that resembles the Galton-Watson phase transition .
Suppose that for all , and let be as in Claim 4. Define as follows:
Then is a supermartingale when a submartingale when and a martingale when
The intuition for this is as follows:
When there is either too little or too much borrowing demand (e.g., or ), then the expected lent supply either increases (on average) to one or decreases to zero. This is analogous to a gambler’s wealth after playing a game with probability for rounds—the wealth concentrates into either the house (staked supply) or the gambler (lent supply).
When there is a moderate amount of borrowing demand, then we have stable, potentially oscillatory behavior. Doob’s Supermartingale Convergence Theorem  intimates that the distribution is stationary as This corresponds to a gambler playing a game in which their chance of winning is
These results for the simpler two-level model suggest that our simulated phase transition results convey the existence of a deeper phase transition.
In order to get a stronger understanding of what is going on at the agent level and for different monetary policies, one needs an understanding of the probability that a single agent has a large rebalancing event that affects the staked portion of their portfolio. This involves studying how the staking components of changes over time. Let be the different in the staking component of between times and We can bound the probability that an agent rebalances their portfolio by an fraction via the following claim:
Let Then for all we have
Bounds like Claim 6 are of the form which imply that the extrema of provide a guaranteed bound of how large can be when is minimized. This means that we can try to bound the first hitting time for the maxima of by analyzing the minima of the right-hand side of Equation 10. Note that the function has a minima at which means that we can estimate when, as a function of we have maximal deviations in stake. In the following section, we examine this claim for different monetary policies
In this case, and where is the final money supply (e.g., 21 million, for Bitcoin). Letting and plugging this into the right hand side of Equation 10 and optimizing for using the chain rule gives the condition Requiring that gives the condition or
The above condition implies that at the time with the highest expected amount of removed stake, we expect that quantity to at be on the order of If there are fewer terminal coins than participants, then we should expect large rebalances for every staker. This formalizes the intuition that totally deflationary currencies are vulnerable to large rebalances that depend strongly on the number of coins in the system. It also confirms the intuition that if there are fewer coins than participants, then borrowing demand will be high and we should again expect large rebalances.
Next, we consider what Claim 6 implies about inflationary monetary policies. We will consider two types of inflationary policies: Polynomial () and Exponential ().
which means that if individual agents will not have rebalances of size with high probability. These guarantees do not depend on the polynomial degree which means that even simple linear policies are sufficient to get low stake turnover.
In the case of exponential inflation, for some and initial token distribution Following the logic of Section 4.1, we arrive at a conclusion of,
This states that the worst-case rebalancing is bounded by the initial token distribution as opposed to the final token distribution. Given that most networks assume that there will be more users than the initial distribution, this implies that large rebalancing events should become rarer once the network achieves a scale of
The results of this section show that the model of Section 3.3 has a volatility that is mainly dependent on lending volatility. This volatility, if demand is sufficiently shallow, is small enough to help bound the worst-case portfolio rebalancing for any validator in the system. However, the turnover in staked quantity, measured by how each agent’s expected reward changes over each epoch period, is sensitive to the precise nature of the monetary policy, In particular, deflationary policies cannot support on-chain lending, as the worst-case rebalancing rate depends on the terminal money supply, whereas the rebalancing rate for exponentially inflationary monetary policies only depends on the initial money supply (e.g., Ethereum’s pre-mine). Finally, we note that polynomial inflation provides particularly good rebalancing guarantees that are independent of the rate of growth of the money supply. Many of these results rely on asymptotic behavior of agents in this system and all of these results depend on simple models for borrowing demand. The remainder of the paper will focus on using simulation to provide a more realistic picture of Section 3.3.
In order to test the three-state model in a quantitatively rigorous and realistic fashion, we turn to agent-based simulations. One of the main reasons to use agent-based simulation over formal methods is that it hard to formally prove what block reward growth rate is ideal for mitigating volatility in portfolio allocation. For instance, it is difficult to evaluate whether or provide ideal mitigation for on-chain lending with parameters Moreover, we can test various realistic demand distributions, including ones that are atomic and do not have a probability density. Prior work on agent-based simulations of blockchain systems  has focused on analyzing consensus protocols via event-based simulation. We follow a similar event-based framework for simulating staking and lending, albeit ignoring the details of peer-to-peer networking and consensus. Our goal is to sample as many trajectories as possible for different combinations of parameters and block reward schedules
In order to generate sample paths we need to specify the following variables:
Initial interest rate:
Interest rate parameters:
Demand-generating distribution parameters (vary depending on the demand generating distributions chosen):
Staking and lending time scale:
We chose to model and as these distributions exemplify the extreme concentration of wealth that accompanies most token distributions. Exponential distributions are also useful in that the order statistics are also exponential11, which represents the idea that the th entrant to a network should have a decaying fraction (in this case ) of the total token supply. We note that we do not use power law distributions as there are conflicting reports of the wealth distribution in Bitcoin actually following a power law . Given the statistical difficulty of discerning if one has a power law versus an exponential decay  and the extra parameter in a power law (e.g., ), we decided to use exponential initial distributions.
In our simulations, we kept the initial interest rate at 10%, as we saw very little sensitivity to the initial choice. In particular, agents quickly rebalance their portfolio into lending, if the rate is high enough and this appeared to equilibrate within a small number of time steps. We swept the other parameters, over realistic ranges and for each choice of parameter, we sampled trajectories for a variety of seeds to get an ensemble average.
The main simulation loop follows that as described at the end of Section 3.3. We exactly evaluate the Markowitz update rule, with constraints, via the exact solution for optimal portfolios . Given that we are solving independent, two-dimensional Markowitz problems, we evaluated the constraints analytically (as opposed to using a convex solver like Gurobi or CVX). The main event loop has the following causal ordering:
If for some allow agents to update their Markowitz portfolios12
Sample the borrowing demand distribution
Update as a function of the new borrowing demand
Run Algorithm 1 to determine who wins the reward and/or if they get slashed
We sampled a variety of borrowing demand distributions for deflationary and inflationary block rewards, as illustrated via the sample paths in Figure 4. These stochastic borrowing demand paths each have four parameters: mean, variance, maximum, and minimum demand. We define the maximum and minimum demand parameters as multipliers of the token supply, so that the minimum is and the maximum is (illustrated via the lower and upper bounds in Figure 4, respectively).
In order to evaluate a variety of realistic conditions, we swept through many parameters illustrated above. The most interesting results come from looking at individual trajectories, such as Figure 1, and heatmaps of how certain scalar functions behave as we vary the lending rate parameters We generated heatmaps for number of random seeds and took averages over these random instantiations to generate Figure 6 and Figure 7. The two main measurements that we looked at were and where given a non-anticipating stochastic process and a function stopped at time for the stochastic measure We ran all trajectories for blocks and approximate where is sampled from The first quantity, is the normalized difference between the staked supply and the lent supply and when it is greater than zero, there is more quantity staked, on average. It is normalized relative to the total money supply so that and thus we can compare the relative staking to lending proportions at different times. The second quantity, measures the linear spread between borrowing and lending rates, which varies over time even though is constant. If the market for borrowing is efficient and there is less churn, we should expect that this rate should be quite low. Note that in all simulations used, we set the relative spread, to be 0.5%.
In Figure 5, we see plots of for different inflation rates Note that when then we have a linear polynomial inflation rate. This figure demonstrates that even though the dependence on appears to be random, it is clear that the deflationary figures tend to have significantly more lending than staking. On the other hand, the linearly inflating component enjoys a significant advantage with regards to staked supply. Note that the dependence on appears mostly random because of the use of a common scale to plot them. The usage of a common scale dampens the correct scale to plot the figures at (which should be on the order of ), which varies dramatically as a function of the other parameters that we sample, such as the block reward. In some of the other plots that we will look at, we use independent color scales for each plot to emphasize the variation as a function of and
On the other hand, in Figure 6, we see an array of plots that show how the borrowing spread, changes as a function of inflation rate and borrowing threshold. The third column, which is the linearly increasing block rewards regime, demonstrates very tight spreads, suggesting that even changing the borrowing demand threshold causes little variation in spreads. On the other hand, the deflationary regime is much more sensitive to shocks in borrowing demand, as illustrated by the plots in the upper left hand corner of Figure 6. These empirical results validate Claim 2 and Claim 3, as we directly see that lending volatility has a much more muted effect on inflationary systems.
Finally, in Figure 7, we see heatmaps of for different borrowing thresholds and inflation rates. Note that these plots have different scales, unlike Figure 5, and that the deflationary figures are all mainly negative. From the first two columns, it becomes clear that as borrowing demand increases, becomes increasingly monotonically decreasing in This means that as borrowing demand increases, the system’s loss of security to lending increases in a more predictable manner. On the other hand, the linearly inflating regime does not have this issue and continues to have relatively random and non-monotonic dependence on as we adjust the borrowing threshold.
This paper has explored how on-chain lending affects network security in PoS networks by studying how rational multiple period Markowitz optimizing agents optimize their token portfolios. In particular, we find that bank runs can occur when many agents collectively move their tokens from staking contracts to lending contracts even when agents have independently drawn risk preferences. These attacks, which are coordinated only by rational optimization, show that the strictly Byzantine threat model is insufficient to describe security in PoS networks. Our theoretical and empirical findings show that deflationary PoS tokens are susceptible to attack by non-Byzantine, but rational participants who constantly turnover and rebalance their staking and lending portfolios to chase yield. Moreover, these findings show that one needs to choose a block reward schedule that increases relative to the yield that these on-chain contracts provide. Our theoretical results give explicit probabilities for the constant relative borrowing demand regime and show that there is a clear and strong dependence on the lending rate in these probabilities. We buffet these results with agent-based simulations to confirm that these properties hold in more realistic borrowing scenarios. In the future, we aim to look at how unbonding times and transaction fees (e.g., gas costs) affect these protocols and how different lending curves will affect staking security. We also aim to provide more precise theoretical results by relaxing a number of the assumptions that are utilized in this paper.
The author would like to thank Yi Sun, Rei Chiang, Hasu, Haseeb Qureshi, Ivan Bogatyy, Georgios Konstantopoulos, John Morrow, Tony Salvatore, Wei Wang, Hsien-Tang Kao, Jonathan Reem, Josh Chen, Tina Zhen, Nader Al-Naji, Michael Jordan, Tim Roughgarden, and Matteo Leibowitz for comments and feedback. The author would also like to thank Barnabé Monnot and Ariah Klages-Mundt for correcting an earlier error in Claim 1 and for helpful expository comments. Finally, the author would like to acknowledge the helpful input from the reviewers of both the Stanford Blockchain Conference and the MIT Cryptoeconomics Systems journal.
is n-dimensional probability simplex,
For any , we define the -norm as
We turn any nonzero vector with into a probability distribution by defining
is the cone of positive definite, symmetric matrices
are the standard join and meet of two elements of a lattice. For example if ,
We use standard Landau notation  on totally ordered sets : Given functions we use the following asymptotic notations:
In Assumption 12, we assert that for all