Skip to main content

Competitive Equilibria Between Staking and On-chain Lending

Published onNov 18, 2020
Competitive Equilibria Between Staking and On-chain Lending


Proof of Stake (PoS) is a burgeoning Sybil resistance mechanism that aims to have a digital asset (“token”) serve as security collateral in crypto networks. However, PoS has so far eluded a comprehensive threat model that encompasses both Byzantine attacks from distributed systems and financial attacks that arise from the dual usage of the token as a means of payment and a Sybil resistance mechanism. In particular, the existence of derivatives markets makes malicious coordination among validators easier to execute than in Proof of Work systems. We demonstrate that it is also possible for on-chain lending smart contracts to cannibalize network security in PoS systems. When the yield provided by these contracts is more attractive than the inflation rate provided from staking, stakers will tend to remove their staked tokens and lend them out, thus reducing network security. In this paper, we provide a simple stochastic model that describes how rational validators with varying risk preferences react to changes in staking and lending returns. For a particular configuration of this model, we provide a formal proof of a phase transition between equilibria in which tokens are predominantly staked and those in which they are predominantly lent. We further validate this emergent adversarial behavior (e.g. reduced staked token supply) with agent-based simulations that sample transitions under more realistic conditions. Our results illustrate that rational, non-adversarial actors can dramatically reduce PoS network security if block rewards are not calibrated appropriately above the expected yields of on-chain lending.

1. Introduction

There is currently an intense effort to improve the scalability of blockchains and other decentralized value systems known as crypto networks. These networks use cryptographic proofs and game theoretic constructions to provide tamper-resistant updates to a global ledger. While there are a variety of research and engineering challenges in setting up these systems, one of the major bottlenecks to network throughput is the cost of Sybil resistance mechanisms within a decentralized consensus protocol. Proof of Work (PoW) networks achieve Sybil resistance by requiring consensus-participating nodes to provably burn energy to compute many iterations of a particular cryptographic hash function. PoW, while effective and permissionless, expends a large amount of natural resources and has resulted in concentrated ownership of the underlying digital assets (e.g., Bitcoin). Proof of Stake (PoS) was first introduced as an alternative in a 2012 BitcoinTalk post [1] that showed the equivalence between a PoW miner who could immediately reinvest her block rewards into hash power within the network and a PoS validator who can reinvest their validation earnings into network security. PoS works by instead allowing users to lock a digital asset, known as a token, into a smart contract that provides them with token-denominated returns in exchange for validating transactions and providing network security. Using shared, verifiable randomness, all network participants can use a multi-party computation protocol to sample the distribution of asset ownership locked into the contract and choose participant(s) who receive the block reward emitted by the network. This is analogous to how PoW can be thought of as a protocol that samples the distribution of hash power to choose the next block producer [2]. One of the main benefits of PoS is that one does not have to commit a costly natural resource to participate in the network. Instead, a purely digital asset is used as collateral for the network and the network can control its supply to provide the desired properties. For an introductory background on PoS protocols and their complex security models, please see [3][4][5][6][7].

In this paper, we show that these purported benefits do not come for free. As PoS algorithms inherently connect a decentralized network’s security with the capital cost of a digital asset, PoS protocols tie their security to the cost of capital rather than to the cost of a natural resource. Volatility in the cost of capital, which is usually higher than that of natural resources [8], can have adverse effects on capital commitments to PoS networks. The main result we show is that alternative sources of yield can drive staking token capital allocators to collectively drain a network’s security, akin to a bank run. In particular, we find that PoS in deflationary systems is unstable and unlikely to work and that for more reasonable inflation rates, the effectiveness of PoS depends on the relationship between staking and lending rates. This relationship should inform the further design of PoS systems, especially as a large number of networks are launching in 2020.

Transitioning Security from PoW to PoS

The move from PoW to PoS presents a plethora of challenges. In a PoS system, the network relies on participants who are staked in the system to stay online in order to achieve liveness. In practice, this is implemented by slashing participants—redistributing or burning a participant’s stake that is committed for validation rewards when they perform a malicious act—who go offline or miss a block that they are supposed to produce. Moreover, there are attacks that are unique to PoS such as the nothing-at-stake and long-range attacks [9][10]. These attacks are impossible in PoW, as resource costs of digital assets are practically zero, especially when compared to costs of natural resources [11]. Lastly, as the asset used for staking is also the medium of exchange, a malicious validator needs to only aggregate 33% of the token to perform a Byzantine attack.1

However, if there exist physically settled futures contracts on PoS tokens, then it is possible for an attacker to buy futures that allow for staking participants to sell their staked token in the future. This attacker can aggregate this stake and upon reaching an attack threshold, begin to perform a double spend or other malicious attack [12]. As these derivatives can be settled off-chain (e.g., using a centralized exchange like BitMEX or Deribit), monitoring of this type of attack can be difficult. In PoW, one would need to aggregate the hash power needed to produce 50% of the network’s hashrate, which is a much harder task that relies on aggregating data centers, specialized hardware, cheap electricity, and a favorable country of residence. Moreover, PoS systems are vulnerable to financial attacks, or attacks that utilize the fact that PoS tokes serve as both the instrument of security and as the medium of exchange. Such attacks are often feasible due to emergent and unexpected coordination between participants in a PoS network and an external market.

Given the vulnerability of PoS to cartel-like behavior that can be coordinated via an external market, one might naturally ask if there are also any endogenous financial risks on PoS protocols that support smart contracts. Recently, there has been an uptick in interest in Decentralized Finance (DeFi), which uses smart contracts to implement standard financial primitives in a purely on-chain manner [13]. These primitives, such as exchanges [14], lending [15], and stable reserve currencies [16][17][18], decentralize banking functions by creating incentives that encourage rational participants to receive arbitrage profits for maintaining the system’s security, while also meting out financial punishments for misbehavior. Instead of explicitly punishing fraud via legal recourse, these protocols use purely financial modes of recourse to encourage network participation and growth. One of the biggest sectors within DeFi is the on-chain lending market, in which the largest single platform is Compound [15], an Ethereum smart contract that allows users to lend and borrow assets that conform to the ERC-20 token standard. The Compound smart contract has held up to $175 million of assets, has had over 40% of the float of the Dai stablecoin [18], and saw double digit asset growth during 2019. Given that Ethereum is likely to transition to PoS soon, one must evaluate: are there any financial attacks against chain security that result from an on-chain lending system? A simple gedanken experiment for answering this question from the view of on-chain lending might be of the form:

Suppose that we assume that validators are rational financial agents. Would they not simply move their assets between staking and on-chain lending, depending on which has a higher yield?

In particular, it is clear that there is a relationship between the price of capital availability and participant’s willingness to stake, as stakers have to earn more than a risk-adjusted market rate on their staked capital. However, unlike Proof of Work, there are no physical limits that prevent validators in staking networks from rapidly moving their assets into higher yielding activities. On-chain lending, such as Compound, makes this particularly efficient, as validators simply have to post a single Ethereum transaction to unbond their tokens and begin earning yield within a single block time. High lending yields would likely lead to a reduction in network security (e.g., a financial attack) as these yields would encourage rational actors to unexpectedly coordinate and reduce network security by optimizing for financial gain.

We answer these questions with a stochastic model that can be theoretically solved in certain situations and is easily simulated via Monte Carlo methods. Our aim is not to model realistic networks parameters perfectly, but rather to show that even in the most simplified model of agents optimizing portfolios composed of staked and lent tokens, on-chain lending can cause dramatic volatility in network security. In particular, we construct an agent-based model, where each network participant is represented via an agent with a utility and decision function. Agent-based modeling has been previously used for modeling censorship properties in sharded PoW chains [19] and can serve as a conduit for comparing theoretical results to empirical data in a statistically rigorous manner. Our model for rational network agents involves having each participant view their total token wealth as a two component portfolio of tokens staked and lent. We assume that the agents have different risk preferences and locally optimize their token portfolios using mean-variance optimization [20], which allows for agents to adjust their portfolios based on observed returns and risk preferences. Figure 2 illustrates that there is a phase transition in inflation rate that leads to tokens going from being predominantly lent in deflationary regimes to predominantly staked in inflationary regimes. Moreover, Figure 3 shows that the spread between borrowing and lending rates is significantly worse for deflationary PoS assets, further confirming the existence of a phase transition. We explicitly state our simplifying assumptions in Section 2 and note that agent-based modeling allows one to relax these assumptions and analyze how these results carry over to real PoS protocols, such as Cosmos [21] and Tezos [22]. In Section 4, we prove properties of this model that match the observed phase transition from Figure 2 and Figure 5. A single sample path is depicted in Figure 1, which visually show that agents participating in on-chain lending and staking can cause a “flippening," where there are more assets lent out than staked. The observed volatility in the amount of assets staked is tantamount to dramatically reducing the cost of taking over a staking network, which implies that the security model of PoS networks needs to account for attacks on the network that stem from reduced cost of capital. The combination of theoretical and simulation-based results demonstrate that the threat model for PoS networks needs to be expanded to include financial attacks that result from yield competition with on-chain financial products.

For provenance, note that the mathematical notation used in this paper is documented in Appendix A.

Figure 1: Staking and lending with Compound’s smart contract parameters (left) and more aggressive parameters with yields of up to 75%. The y-axis in both figures is the percentage of the total outstanding token supply that is allocated to staking versus that which is allocated to lending. This simulation had 512 agents whose parameters were sampled as in Equation 3 and Equation 4. Note that the two figures have different time-scales to illustrate how the parameters of the model (see Section 3.2.1) affect the oscillations between staked and lent supply.

Figure 2: Plots of relative amount of staking to lending, with inflation increasing in a clockwise manner. When these plots are negative, there is, on average, more lending than staking and vice-versa, when positive. When we are deflationary (top two rows), we see that regardless of the lending rate parameters (the x-axis is β0\beta_0 and the y-axis is β1\beta_1 from Equation 1), tokens on average lent. This empirically demonstrates that there is a phase transition from a lending-dominated regime (which is deflationary) to one that is staking-dominated and inflationary. This simulation also uses 512 agents and the titles state the inflation rate (which is deflationary if it is less than 1), block reward, half-life, and borrow threshold (see Section 5.3) and each sample involves an average over a hundred random seeds.

Figure 3: Plots of the relative spread between borrowing and lending rates. If the value is higher, then borrowing costs more than lending. Note that in the deflationary regime, as the lending rates increase (e.g. as β0,β1\beta_0, \: \beta_1 from Equation 1 increase), the spread also increases, whereas this effect is far more muted. The simulation parameters are the same as Figure 2.

2. Protocol Assumptions

In order to simplify our model, we will make some simplifying assumptions. These assumptions hold for all models analyzed in this paper and they focus on properties of the underlying distributed ledger rather than properties about the economic behavior of participants, which is described in the proceeding section.

Assumption 1 (Cryptographic)

All sampling processes use true randomness and not pseudorandomness.

This differs from many standard cryptographic threat models that assume pseudorandomness and provide an ϵ\epsilon-approximation to true random sampling [23]. In the Appendix, we use this property to ensure that our PoS algorithm is non-anticipating (e.g. adapted to a suitably chosen filtration), allowing for conditional probabilities to be computed without having to aggregate the ϵ\epsilon error terms. One can remove this assumption, in a similar manner to [24], with a significant increase in proof complexity.

Assumption 2 (Distributed Systems)

All communication between participants is synchronous.

This can be relaxed to partial synchrony, with an increase in complexity in the proofs and simulations described in the following section.

Assumption 3 (Identity)

All pseudonymous identities are known by all participants and the number of participants (measured by unique addresses), n,n, is fixed.

Assumption 4 (Time)

The entire system will update at discrete time intervals, with each tick to be thought of as a block update.

While participants will likely execute strategies in continuous time, assuming discrete time evolution ensures that participants only respond to event updates that are received on-chain. One can also remove this assumption at the cost of increased variance using Poissonization techniques [25] and sleepy consensus assumptions [26].

Assumption 5 (No External Markets)

Only on-chain lending, borrowing, and staking will be considered.

We are ignoring off-chain lending (e.g., OTC desks or lending businesses, such as Galaxy and Tagomi) and are assuming that there always exists block space for any participant’s action to succeed. We are omitting this to reduce the complexity of our model, as off-chain lending has varied pricing models and term structures.

Assumption 6 (Money Supply is Deterministic)

The block reward at time t,Rtt, R_t and the money supply at time t,St=s=0tRtt, S_t = \sum_{s=0}^{t} R_t are deterministic and known to all participants.

In particular, we avoid assuming that there exist governance mechanisms for changing the block reward, which have been proposed for protocols such as Algorand [27] and Celo [16].

Assumption 7 (No Transaction Fee Revenue)

The only revenue that validators receive from staking comes from the block reward.

This is a model assumption that removes the complexity of modeling crypto network fee markets, which currently have unstable dynamics and are poorly understood.

Assumption 8 (PoS)

The following properties hold for our idealized PoS algorithm:

  • No compounding: PoS mechanism uses epoch-based sampling and does not immediately reinvest block rewards. This is to avoid the concentration behavior described in [28]. One can relax our model to handle Pólya urn processes, at the cost of significantly worse variance.

  • Single validator per block: To simplify the model, we avoid using committees [27][29][16][22][21][30][31][7] and verifiers [32][33] as they add more variance and make both formal and simulation methods more difficult.

  • Constant slashing probability: We assume that each validator has a fixed probability pslashp_{\text{slash}} of being slashed on a block that they produce. This is simplistic as it assumes that all validators have the same chance of being slashed, regardless of stake and validation history. However, in practice, we have seen very few live slashes and this model encourages simpler formal and simulation analysis.

  • Sharded state is synchronously traversed: Any sharded state in our PoS blockchain is read synchronously and we assume linearizability in our blockchain. This can be relaxed to non-linearizable protocols like Avalanche [29], but will depend on the scoring function used for each branch.

  • No unbonding period: We do not assume that the PoS protocol has an unbonding period like that of Cosmos [21] or Tezos [22].

3. Model

3.1 PoS Model

Let StS_t be the total outstanding token supply of a PoS protocol at time tt and let St=ζt+tS_t = \zeta_t + \ell_t, where ζt\zeta_t is the number of staked tokens and t\ell_t is the number of lent tokens. We use a simple model of a PoS system that samples a single block producer from a discrete time-series of stake distributions, denoted by πstake(t)ζtΔn\pi_{\text{stake}}(t) \in \zeta_t \Delta^n, where Δn\Delta^n is the nn-dimensional probability simplex (see Appendix A). The main input parameters are:

  • πstake(0)\pi_{\text{stake}}(0): Initial asset distribution

  • RtR_t: Staking block reward at block height tt

  • S(i,πstake)S(i, \pi_{\text{stake}}): Slash that validator ii receives if the staking distribution is πstake\pi_{\text{stake}}

The formal specification of the algorithm can be found in Algorithm 1 in Appendix B. The algorithm state includes the current stake distribution, the current epoch’s reward set, the current epoch’s slash set, and the current block time. At a high-level, for each block, we select a validator who should receive a block reward and decide if they are to be slashed by flipping a coin with probability pslash.p_{\text{slash}}. If they are slashed, we add their id and the amount that they are to be slashed to the current epoch’s slash set. Otherwise, we add them to the block reward set. The algorithm updates the stake distribution on a per epoch basis.

3.2 Lending Model

We will study two models for lending, one involving an explicit model for borrowing demand and one that is implicit. The implicit model, which is simpler, provides a prototype for constant borrowing demand and is amenable to theoretical results. On the other hand, the model involving an explicit description of borrowing demand is more realistic and amenable to being fit by historical data.

3.2.1 Two-State Lending Model

In the two-state lending model, we track the time evolution of two token distributions, πstake(t),πlend(t)StΔn,\pi_{\text{stake}}(t), \pi_{\text{lend}}(t) \in S_t \Delta^n, which respectively represent the distribution of staked tokens and those locked in a lending contract. The iith component of the stake distribution, πstake(t)i,\pi_{\text{stake}}(t)_i, corresponds to the amount of tokens that the iith agent has staked. Each agent has a wealth Wi(t)W_i(t) at time tt that is equal to the sum of their portfolio of staked and lent tokens, i.e., Wi(t)=πstake(t)i+πlend(t)i.W_i(t) = \pi_{\text{stake}}(t)_i + \pi_{\text{lend}}(t)_i. By definition, the total lending supply is equal to the sum of all lent portfolios, i.e. t=πlend(t)1,\ell_t = \Vert \pi_{\text{lend}}(t) \Vert_1, and the total money supply is equal to the sum of all portfolios, i.e., St=πstake(t)1+πlend(t)1.S_t = \Vert \pi_{\text{stake}}(t)\Vert_1 + \Vert \pi_{\text{lend}}(t) \Vert_1. At each time step, agents update their portfolios based on returns accrued from the previous time step and after portfolios are updated, the lending rate, γt,\gamma_t, is updated based on the total amount lent. This means that we are making two implicit assumptions:

  1. Constant relative borrowing demand: We are assuming that ratio of borrowing demand (represented via a quantity of tokens) to the total token supply stays constant, as the rate only depends on the lending and staking supplies. Formally, this means that the demand at time tt is equal to kStkS_t

  2. Flows are the only determining factor: Participants who move tokens from staking to lending or vice versa are the only causes for changes to the lending rate

Ut=kStt+kStU_t = \frac{kS_t}{\ell_t+kS_t}

We draw inspiration from Compound [15], which provides a simple formula for the borrow lending rate, βt,\beta_t, and the lending rate, γt.\gamma_t. The Compound model computes a utilization rate UtU_t at block height t.t. which is the ratio of the borrowing demand to the token supply locked in the contract, and uses that to update formulas for βt,γt.\beta_t, \gamma_t. Mathematically, they define the utilization rate as

Ut=kStt+kStU_t = \frac{kS_t}{\ell_t+kS_t}

We compute the borrow and lend rates using the following formulas, where β0,β1(0,1)\beta_0, \beta_1 \in (0,1) are interest-rate parameters and γ0(0,1)\gamma_0 \in (0,1) is a measure of the spread between lending and borrowing (i.e., 1γ01-\gamma_0 is the relative spread).

βt=Ut(β0+β1Ut)\beta_t = U_t(\beta_0+\beta_1U_t)(1)
γt=(1γ0)βt\gamma_t = (1-\gamma_0)\beta_t(2)

For reference, the Compound V2 contract uses the values β0=5%\beta_0 = 5\% and β1=45%.\beta_1 = 45\%. As depicted in Figure 2, there can be an enormous amount of volatility in the fraction of the token supply that is lent, tSt.\frac{\ell_t}{S_t}. In Section 4, we prove tail bounds on the inflows and outflows of lent tokens over a time step, e.g., Pr[tt1>ϵSt],\mathsf{Pr}[|\ell_t - \ell_{t-1}|> \epsilon S_t], that explicitly depend on the block reward, RtR_t and the interest rate parameters. These bounds suggest that even for the overly simplistic setting of the two-state model, PoS protocols need to carefully choose their block rewards if they desire to have a large fraction of the outstanding token supply staked at all times.2

3.2.2 Three-State Model

Instead of assuming that there is constant relative borrowing demand, we can relax this by specifying an additional distribution, πborrow(t),\pi_{\text{borrow}}(t), such that πtoken=πstake+πlend+πborrow\pi_{\text{token}}= \pi_{\text{stake}}+ \pi_{\text{lend}}+ \pi_{\text{borrow}} and St=ζt+t+ξt,S_t = \zeta_t + \ell_t + \xi_t, where ξt=πborrow(t)1\xi_t = \Vert \pi_{\text{borrow}}(t)\Vert_1 is the total amount borrowed at time t.t. In this world, the utilization ratio is now defined as:

Ut=ξtt+ξtU_t = \frac{\xi_t}{\ell_t + \xi_t}

Formally analyzing this model has a variety of difficulties that stem from that fact that we have to explicitly model the borrow demand distribution and disentangle how it couples to each participant’s local model of risk, which is defined in the next section. In Section 5, we simulate this model with a variety of different borrowing demand distributions, but all formal proofs that follow only analyze the two-state lending model. Since the pool of borrowers (e.g., arbitrageurs) is often disjoint from the pool of stakers and lenders, we will make the following assumption:

Assumption 9 (Borrowing demand is independent of staking and lending)

The borrowing demand distribution πborrow\pi_{\text{borrow}} is probabilistically independent of the lending and staking distributions.

3.3 State Transition

The final task needed to completely specify this model is to define the state transition rule that sends πlend(t),πborrow(t),\pi_{\text{lend}}(t), \pi_{\text{borrow}}(t), πtoken(t)\pi_{\text{token}}(t) to πlend(t+1),πborrow(t+1),πtoken(t+1).\pi_{\text{lend}}(t+1), \pi_{\text{borrow}}(t+1), \pi_{\text{token}}(t+1). As per Assumption 9, the evolution of πborrow(t)\pi_{\text{borrow}}(t) is independent of staking and lending, and will be specified separately in Section 5. We therefore need to specify state transition rules on a per agent basis, where each agent’s state is their token portfolio (πstake(t)i,πlend(t)i).(\pi_{\text{stake}}(t)_i, \pi_{\text{lend}}(t)_i). Traditionally, the strategy space of rational actors is described via an expected utility function that an agent aims to maximize by taking various allowable actions. Before specifying the strategy space that we will sample, let’s consider a few examples to motivate the need for agents who have varying risk preferences. If at time t,t, staking is returning more than lending and every agent moves their entire portfolio from lending to staking, then we will observe a correlated spike in lending rates t\ell_t will go to zero and Ut=1.U_t = 1. Moreover, the relative staking reward to any agent will decrease as StS_t will increase by the amount of tokens that flow from lending to staking as the expected return on an epoch for an agent is their staked tokens divided by the token supply, πstake(t)iStt.\frac{\pi_{\text{stake}}(t)_i}{S_t - \ell_t}. Thus the greedy strategy of moving all of one’s assets to the higher yielding activity and causes drastic swings in the relative yields of staking and lending is unstable and doesn’t accurately represent reality, where token holders have differing risk preferences and will not immediately move their entire portfolio from staking to lending (or vice-versa). Furthermore, cryptocurrency holders are often looking for returns that are multiples of their initial investment and have a long time-preference [34]. In our evolution of each agent’s portfolio, we also assume that an agent making a decision at time tt can only use the information about all portfolios up to time t,t, {πi(t):i[n]},\{\pi_i(t) : i \in [n]\}, and the implied rate γt.\gamma_t. Since we are dealing with on-chain lending only, this assumption says that players cannot use strategies that look into the future and that all agent portfolios are public. In order to capture strategies that are independent of front-running and latency arbitrage, we will make the following assumption:

Assumption 10 (Martingale Ordering)

There exists an [n][n]-valued martingale ZtZ_t that chooses the ordering in which participants are allowed to update their portfolios at time tt to those at time t+1.t+1.

Under this assumption, agents receive no advantage in expected returns by trying to predict when their strategy is executed (e.g., is agent 1’s strategy executed before agent 2’s strategy because agent 1 has more staked than agent 2?). This assumption is reasonable as our goal is to figure out if rational, but non-Byzantine, agents will cause PoS network security to decrease when on-chain lending activity is sizeable.

3.3.1 Optimal Portfolio Construction

Mean-variance methods, pioneered by Markowitz’s Nobel Prize winning work on portfolio theory [20], provide a way for rational traders of risky assets to construct portfolios that trade-off individual preferences for maximizing returns with those of risk minimization. These methods, which are the backbone of the majority of trillions of dollars of passive portfolios and statistical arbitrage strategies, provide a simple, easy-to-solve model that involves two parameters for constructing portfolios of nn assets: an expected return vector μRn\mu \in \mathbb{R}^n and a positive-definite covariance matrix ΣS+n×n.\Sigma \in S_+^{n\times n}. Given these parameters, one solves a strongly convex program that aims to compute the fraction of an agent’s wealth that should be allocated to each asset while ensuring that the sum of the allocations is one and each entry is positive. In particular, the seminal work of Markowitz aimed to optimize the quadratic form f:Rn×Rn×R×S+n×nR,  f(w,μ,λ,Σ)=wTΣwλμ,f : \mathbb{R}^n \times \mathbb{R}^n \times \mathbb{R}\times S_+^{n\times n} \rightarrow \mathbb{R},\; f(w, \mu, \lambda, \Sigma) = w^T \Sigma w - \lambda \mu, where λ\lambda is a parameter that controls the riskiness of the output portfolio and ww is the portfolio allocation. As λ\lambda is varied, the efficient frontier of admissible portfolios is defined as the surface S(μ,Σ)={wRn:λ such that wargminf(w,μ,Σ,λ)}.S(\mu, \Sigma) = \{w \in \mathbb{R}^n : \exists \lambda \text{ such that } w \in \mathop{\mathrm{arg\,min}}\, f(w, \mu, \Sigma, \lambda)\}. The original work of Markowitz [20] focused on the single period allocation problem, where an investor aims to find the optimal portfolio over a single time-period, which corresponds to assuming that μ\mu and Σ\Sigma do not change over time. Further work on multiple period [35] and continuous-time methods [36] for mean-variance optimization allow for μ\mu and Σ\Sigma to vary as functions of time, with the continuous-time methodology drawing μ\mu from an Îto process, such as a solution to the Black-Scholes equation for options pricing. As blockchain systems have incremental updates with independent games per update (e.g., transaction fee markets can differ wildly from block to block), we will necessarily have to consider the multiple period model and define how each agent’s mean vector and risk-preferences evolve over time. Finally, we note that our methodology is directly comparable to that of multistrategy backtesting in quantitative trading [37].

We will assume that each agent treats their token wealth, (πlend(t)i,πstake(t)i)(\pi_{\text{lend}}(t)_i, \pi_{\text{stake}}(t)_i) as a Markowitz portfolio and updates, on receiving tokens from staking and lending, an estimate for a time-dependent return vector μi(t)R2.\mu_i(t) \in \mathbb{R}^2. We also assume that each agent has a different, time-independent covariance matrix Σi\Sigma_i that is drawn from a random matrix ensemble3. In other words, the expected return vector adjusts with time (it depends on the staked and lent quantities), while the covariance stays fixed in time. As long as there is some variance in the chosen random matrix ensemble (e.g., i,j[n]\exists i, j \in [n] such that Pr[ΣiΣj]>0,\mathsf{Pr}[\Sigma_i \neq \Sigma_j] > 0,) then the dynamics will not deadlock into a state where all participants end up with the same portfolio (e.g., all outstanding tokens are 100% allocated to staking or lending). If agents simply move all of their assets from one pool to another, as opposed to some risk-adjusted proportion, then the system can deadlock quickly when borrowing demand is constant. Using the notation of the prequel, we define μi(t)=μi(πstake(t),πlend(t))\mu_i(t) = \mu_i(\pi_{\text{stake}}(t), \pi_{\text{lend}}(t)) as:

μi(t)=[μstake(t)iμlend(t)i]=[πstake(t)iSttγt]=[πstake(t)iζtγt]%\label{eq:mu} \mu_i(t) = \left[\begin{array}{c} \mu_{\text{stake}}(t)_i \\ \mu_{\text{lend}}(t)_i \end{array}\right] = \left[\begin{array}{c} \frac{\pi_{\text{stake}}(t)_i}{S_t - \ell_t} \\ \gamma_t \end{array}\right] = \left[\begin{array}{c} \frac{\pi_{\text{stake}}(t)_i}{\zeta_t} \\ \gamma_t \end{array}\right](3)

Let us motivate this choice of expected return vector. Recall that the return vector is supposed to represent the relative rate of return (usually referred to as an alpha in the quantitative finance literature) over a riskless asset. In this situation, the riskless asset is holding our tokens (as bearer instruments) and we expect to earn yields4 of RtStt\frac{R_t}{S_t-\ell_t} and γt\gamma_t for staking and lending, respectively. However, note that the former yield can be greater than 1 ((when Stt<Rt),S_t - \ell_t < R_t), whereas the latter yield cannot as per Equation 1. In order for Markowitz optimization to be well-defined, we need to choose yields that are directly comparable (e.g., have the same range). Moreover, we note that the naïvely calculated staking yield loses the dependence on the iith party’s current wealth. Since our system allows for slashing and each validator incurs a variance in reward proportional to the inverse square root of the epoch length, it is preferable to find a yield that depends on the iith parties wealth to reflect this variance. The simplest estimator for a staking validator’s yield that is in [0,1][0,1] (comparable to lending yield) and has a component of the variance is the probability of winning the block reward, πstake(t)iStt,\frac{\pi_{\text{stake}}(t)_i}{S_t - \ell_t}, which is exactly what Equation 3 describes.

In order to describe the covariance matrix, we will first state an assumption that aims to connect the variances in the system with the expected staked and lent times:

Assumption 11

The iith agent’s covariance matrix Σi\Sigma_i will be static (e.g. does not vary with block height), diagonal, and will have variances connected to the expected stake time τstake\tau_{\text{stake}} and expected lent time τlend\tau_{\text{lend}}

Formally we use the following model for the covariance matrix:

Σi1=[αi00βi] \Sigma^{-1}_i = \left[\begin{array}{cc} \alpha_i & 0 \\ 0 & \beta_i \end{array}\right](4)
αiExp(τstake) \alpha_i \sim \mathsf{Exp}\left(\tau_{\text{stake}}\right) \\(5)
βiExp(τlend)\begin{aligned} %\label{eq:cov} \beta_i &\sim \mathsf{Exp}\left(\tau_{\text{lend}}\right)\end{aligned}(6)

One can interpret τstake\tau_{\text{stake}} as the expected epoch length (see Algorithm 1), while τlend\tau_{\text{lend}} represents the withdrawal window under which a lender can remove their tokens from the lent pool.5 By connecting the covariance matrix to these quantities, we encode the connection between a validator’s expected risk preference and the time that capital is locked into either staking or lending. Equation 4 represents the fact that risk and time preferences are, to first-order, inversely correlated (e.g., you are willing to lock up capital for the longest duration in the least risky assets) [38]. To explain these choices of random variables, first recall that the Markowitz objective function is of the form f(μ,Σ,w,λ)=wTΣwλμ,f(\mu, \Sigma, w, \lambda) = w^{T} \Sigma w - \lambda \mu, where λ\lambda parametrizes the agent’s preference for return maximization over risk minimization. If we divide this objective function by λ,\lambda, provided that λ>0,\lambda > 0, we get an equivalent optimization problem for λ1f.\lambda^{-1}f. Note that λ\lambda can be thought of as encoding ’collective’ risk-preferences for all agents (e.g., a bull market when λ\lambda is large, a bear market when λ\lambda is small). As such we need a methodology for choosing λ\lambda that depends on the network size and/or number of agents. We make λχ2(n)\lambda \sim \chi^2(n) in order to capture the fact that as the number of participants increases, so should the expected number that are risk seeking. Once we do this, we can directly interpret the variables αi,βi\alpha_i, \beta_i as encoding both this risk preference and the inherent duration difference between lending risk and staking risk. The static nature of the covariance matrix in Assumption 11 implies that each agent has an equilibrium risk-preference. Moreover, this implies that the distribution of risk-preferences amongst changes is not changing—which one can expect in the limit as the number of agents goes to infinity.6 Making this assumption allows for significantly faster simulation (e.g., less compute needed to reduce the variance of the estimator below an error threshold ϵ\epsilon).

To summarize, we evolve the system by having each agent update their Markowitz estimate at each time step, which changes the lending and staking distributions for the next time step. In simulation, agents will only be able to migrate their staking tokens at times kτstake,kN.k\tau_{\text{stake}}, k \in \mathbb{N}. Explicitly, we evolve the system via the following loop:

  • Initialize distributions {πstake(0)i}i[n],{πlend(0)i}i[n]\{\pi_{\text{stake}}(0)_i\}_{i\in[n]}, \{\pi_{\text{lend}}(0)_i\}_{i \in [n]}.

  • Initialize empirical distributions {π^stake(0)i}i[n],{π^lend(0)i}i[n]\{\hat{\pi}_{\text{stake}}(0)_i\}_{i\in[n]}, \{\hat{\pi}_{\text{lend}}(0)_i\}_{i \in [n]}

  • For t=1,2,3,t = 1, 2, 3, \ldots

    • Observe empirical distributions π^stake(t)i,π^lend(t)i\hat{\pi}_{\text{stake}}(t)_i, \hat{\pi}_{\text{lend}}(t)_i
      (generated via actual staking / lending rewards accrued in the epoch)

    • Compute Markowitz weights wi,t=(p,1p),p=p(π^stake(t)i,π^lend(t)i,αi,βi)[0,1]w_{i,t} = (p, 1-p), p = p(\hat{\pi}_{\text{stake}}(t)_i, \hat{\pi}_{\text{lend}}(t)_i, \alpha_i, \beta_i) \in [0, 1]

    • Define new portfolio as pi(t)=p(pi(t1)+i(t1))p_i(t) = p(p_i(t-1) + \ell_i(t-1)), i(t)=(1p)(pi(t1)+i(t1))\ell_i(t) = (1-p)(p_i(t-1) + \ell_i(t-1))

4. Formal Properties

We will describe a few formal properties (proved in the Appendix) of the two-state model, as it is feasible to analytically analyze this model. Our goal in this section is to bound the amount of turnover in the stake distribution that is caused by on-chain lending becoming more attractive than staking rewards to rational stakers. A secondary goal is to understand what properties of the stochastic processes that represent the evolution of the lending and staking distributions are necessary and/or sufficient for ensuring that we do not have a lot of volatility in agent token portfolios. This is important as volatility in these portfolios implies that PoS networks have volatile security, which is a distinct defect when compared to PoW. We will make a few additional assumptions that are necessary to provide analytical results:

Assumption 12 (Bounded Size)

There is a minimum fraction δ>0\delta > 0 of the money supply that needs to be staked, e.g. Stt>δStS_t - \ell_t > \delta S_t

If no one is staking then the on-chain lending contract has no value (as it doesn’t have any security), so this is a realistic assumption that matches the practical parameters chosen in live networks such as Tezos [22] and Cosmos [21]. Note that one can directly interpret δ\delta as the fraction of altruistic validators who will never reallocate or rebalance their assets.

Assumption 13 (Number of Agents)

The number of agents nn is larger than a constant multiple of the product of the exponential parameters, e.g. n=Ω(τstakeτlend)n = \Omega(\tau_{\text{stake}}\tau_{\text{lend}})

This assumption is required for purely technical reasons that are explained in the proofs in the appendix.7 If we solve the unconstrained problem8 for the Markowitz objective function, f(μ,Σ,w,λ)=wTΣwλμ,f(\mu, \Sigma, w, \lambda) = w^{T} \Sigma w - \lambda \mu, then ww needs to satisfy the first-order condition, wf(μ,Σ,w,λ)=0.\nabla_w f(\mu, \Sigma, w, \lambda) = 0. This yields,

w=λΣ1μ%\label{eq:markowitz_update_rule} w = \lambda\Sigma^{-1} \mu(7)

Given that we are in the multi-period Markowitz setting, this means that we can estimate the iith participant’s portfolio weights via wi(t)=λΣi1μi(t).w_i(t) = \lambda \Sigma_i^{-1}\mu_i(t). As a measure of volatility in the security of the underlying staking mechanism, we will first look at how wi(t)w_i(t) changes in time. Intuitively, this change corresponds to how large rebalancing events (e.g., moving tokens from staking to lending, or vice-versa) are between subsequent blocks. If this rebalancing is large, then the network could dramatically reduce it’s security as holders move their assets from staking to lending. On the other hand, if this rebalancing is small and decreases over time, then we know that the staked token supply is stable. Using the Markowitz update rule (Equation 7), we have the following bound.

wi(t+1)wi(t)1=Σ1(μi(t+1)μi(t))1Σ111μi(t+1)μi(t)1\Vert w_i(t+1) - w_i(t) \Vert_1 = \Vert \Sigma^{-1} (\mu_i(t+1) - \mu_i(t)) \Vert_1 \leq \Vert \Sigma^{-1}\Vert_{1\rightarrow 1} \Vert \mu_i(t+1) - \mu_i(t) \Vert_1(8)

where A11=maxvRn,v1=1Av1\Vert A \Vert_{1\rightarrow 1} = \max_{v\in\mathbb{R}^n, \Vert v\Vert_1 = 1} \Vert Av\Vert_1 is the L1L^1 operator norm. This simple inequality implies that the volatility in portfolio weights, represented by the single block difference in weights, is controlled by the difference in the mean vector, as E[Σ111]=E[αβ]τstakeτlend.\mathsf{E}[\Vert \Sigma^{-1}\Vert_{1\rightarrow 1}] = \mathsf{E}[\alpha \vee \beta] \leq \tau_{\text{stake}}\vee \tau_{\text{lend}}. Therefore, we focus on trying to bound the difference in expected returns as a function of the block reward at time t,t, Rt,R_t, the total token supply St,S_t, the lent supply t,\ell_t, and the Compound lending curve parameters β0,β1.\beta_0, \beta_1.

Let πstake(t+1)iπstake(t)i=Δistake(t)\pi_{\text{stake}}(t+1)_i - \pi_{\text{stake}}(t)_i = \Delta^{\text{stake}}_{i}(t) and t+1t=Δlend(t).\ell_{t+1} - \ell_t = \Delta_{\text{lend}}(t). Since the PoS algorithm is adapted to a filtration Ft\mathcal{F}_t on StΔnS_t \Delta^n and the covariance matrices are constant as time evolves,9 πstake(t),πlend(t)\pi_{\text{stake}}(t), \pi_{\text{lend}}(t) are also Ft\mathcal{F}_t-adapted random variables. Note that by definition, Δistake(t)St\Delta^{\text{stake}}_{i}(t) \leq S_t and Δlend(t)St,\Delta_{\text{lend}}(t) \leq S_t, since we cannot change the amount staked or lent by more than the outstanding money supply. We will first bound the difference in expected returns as a function of Δistake(t),Δlend(t),\Delta^{\text{stake}}_{i}(t), \Delta_{\text{lend}}(t), and StS_t:

Claim 1

There exist constants C,C>0C, C' > 0 such that

μi(t+1)μi(t)1<CΔistake(t)St+1+CΔlend2(t)\Vert \mu_i(t+1) - \mu_i(t)\Vert_1 < \frac{C|\Delta^{\text{stake}}_{i}(t)|}{S_{t+1}} + C'\Delta_{\text{lend}}^2(t)

Note that these constants are allowed to depend on δ\delta from Assumption 12. If we have an compounding and inflationary rewards schedule, e.g., St=eλt,S_t = e^{\lambda t}, then this claim implies the following:

Claim 2

If there exists λ>τstake\lambda > \tau_{\text{stake}} such that St=Ω(eλt)S_t = \Omega(e^{\lambda t}) and miniWi(t)>0,\min_i W_i(t) > 0, then as t,t \rightarrow \infty, the maximum change in stake is bounded above by the lending volatility, Δlend2(t),\Delta_{\text{lend}}^2(t), w.h.p.

This claim implies that if there is not much variance in the lending rate, either due to choosing small parameters β0,β1\beta_0, \beta_1 or because borrowing demand is minimal, then we should not expect portfolios to rebalance regularly and rational stakers will tend to keep their tokens locked in a staking contract. Another natural quantity to look at is the variance of the lent assets. We show that the money supply and time-preference for lending, τlend,\tau_{\text{lend}}, control the variance of lent assets.

Claim 3

Let Ft\mathcal{F}_t be the filtration such that the lending process t\ell_t is adapted. Then we have:

Var[t+1Ft]=γtτlend2W(t)22\mathsf{Var}[\ell_{t+1} \vert \mathcal{F}_t] = \frac{\gamma_t}{\tau_{\text{lend}}^2} \Vert W(t) \Vert_2^2

Moreover, we have the following bounds:

γt2St2τlend2nVar[t+1Ft]γt2St2τlend2\frac{\gamma_t^2 S_t^2}{\tau_{\text{lend}}^2 \sqrt{n}} \leq \mathsf{Var}[\ell_{t+1} \vert \mathcal{F}_t] \leq \frac{\gamma_t^2 S_t^2}{\tau_{\text{lend}}^2}

Note that if kk is the constant representing the ratio of borrowing demand to StS_t (cf. Section 3.2.1), there exists a constant10 \aleph that depends on kk such that γt\gamma_t \geq \aleph. As such, Claim 3 implies that as long as St=Ω(n14),S_t = \Omega(n^{\frac{1}{4}}), we have reallocation from staking to lending. Thus, any monetary policy that grows sufficiently quickly with the number of users of the network will always have assets moving into and out of lending. If we place constraints on the demand k,k, we can strengthen this result into a bound on how much Δlend2\Delta_{\text{lend}}^2 oscillates:

Claim 4

Let ηt=1+W(t)22St21+1n\eta_t = 1 + \frac{\Vert W(t)\Vert_2^2}{S_t^2} \geq 1 + \frac{1}{\sqrt{n}} and αt=tτlendStηt\alpha_t = \frac{\ell_t \tau_{\text{lend}}}{S_t \eta_t} If for all tt, kαt1αtk \geq \frac{\alpha_t}{1 - \alpha_t} where and the hypotheses of Claim 2 hold, then Δlend2(t)\Delta_{\text{lend}}^2(t) is a submartingale and we have

Pr[maxtΔlend2(t)>λ]<1λ2Var[Δlend2(t)]\mathsf{Pr}\left[\max_t \Delta_{\text{lend}}^2(t) > \lambda\right] < \frac{1}{\lambda^2}\mathsf{Var}[\Delta_{\text{lend}}^2(t)]

and subsequently,

Pr[maxtμi(t+1)μi(t)1>λ]<1λ2Var[Δlend2(t)]%\label{eq:tailb} \mathsf{Pr}\left[\max_t\Vert \mu_i(t+1) - \mu_i(t)\Vert_1 > \lambda\right] < \frac{1}{\lambda^2}\mathsf{Var}[\Delta_{\text{lend}}^2(t)](9)

In words, this claim says that as long as we have inflation and there is enough borrowing demand, then we can be sure that the worst-case rebalancing is bounded by the variance of lending volatility. If we add another constraint on the behavior of the increments Δlend2(t),\Delta_{\text{lend}}^2(t), then we can strengthen this claim to get a phase transition that resembles the Galton-Watson phase transition [39].

Claim 5

Suppose that for all t>0,Δlend(t)<t22t1ηtt > 0, \Delta_{\text{lend}}(t) < \frac{\ell_t^2}{2 \ell_{t-1} \eta_t}, E[Δlend(t)]>0,\mathsf{E}[\Delta_{\text{lend}}(t)] > 0, and let ηt\eta_t be as in Claim 4. Define r±r_{\pm} as follows:

r±=tτlendStηt(1±1+ηtt1(t12t)t2)r_{\pm} = \frac{\ell_t \tau_{\text{lend}}}{S_t \eta_t} \left(1 \pm \sqrt{1 + \frac{\eta_t \ell_{t-1}(\ell_{t-1}-2\ell_t)}{\ell_t^2}}\right)

Then t2\ell_t^2 is a supermartingale when γt(r,r+),\gamma_t \in (r_-, r_+), a submartingale when γt[0,r)(r+,1],\gamma_t \in [0, r_-) \cup (r_+, 1], and a martingale when γt{r,r+}.\gamma_t \in \{r_{-}, r_{+}\}.

The intuition for this is as follows:

  • When there is either too little or too much borrowing demand (e.g., γt<r\gamma_t < r_- or γt>r+\gamma_t > r_+), then the expected lent supply either increases (on average) to one or decreases to zero. This is analogous to a gambler’s wealth after playing a game with probability p<1/2p < 1/2 for nn rounds—the wealth concentrates into either the house (staked supply) or the gambler (lent supply).

  • When there is a moderate amount of borrowing demand, γt[r,r+],\gamma_t \in [r_-, r_+], then we have stable, potentially oscillatory behavior. Doob’s Supermartingale Convergence Theorem [40] intimates that the distribution is stationary as t.t\rightarrow \infty. This corresponds to a gambler playing a game in which their chance of winning is p>1/2.p > 1/2.

These results for the simpler two-level model suggest that our simulated phase transition results convey the existence of a deeper phase transition.

Agent-level Behavior

In order to get a stronger understanding of what is going on at the agent level and for different monetary policies, one needs an understanding of the probability that a single agent has a large rebalancing event that affects the staked portion of their portfolio. This involves studying how the staking components of μi(t)\mu_i(t) changes over time. Let μstake(t)i\mu_{\text{stake}}(t)_i be the different in the staking component of μi(t)\mu_i(t) between times tt and t+1.t+1. We can bound the probability that an agent rebalances their portfolio by an ϵ\epsilon fraction via the following claim:

Claim 6

Let μstake(t)i=πstake(t+1)iSt+1t+1πstake(t)iStt.\mu_{\text{stake}}(t)_i = \frac{\pi_{\text{stake}}(t+1)_i}{S_{t+1} - \ell_{t+1}} - \frac{\pi_{\text{stake}}(t)_i}{S_t - \ell_t}. Then for all t>0.t > 0. we have

Pr[μstake(t)i<ϵFt1]=Ω(1((ϵSt+1γt)neτstakeτlendϵSt+1γt))%\label{eq:claim2} \mathsf{Pr}\left[|\mu_{\text{stake}}(t)_i| < \epsilon\right | \mathcal{F}_{t-1}] = \Omega\left(1 - \left( \left(\frac{\epsilon S_{t+1}}{\gamma_t}\right)^n e^{-\tau_{\text{stake}}\tau_{\text{lend}}\frac{\epsilon S_{t+1}}{\gamma_t}}\right)\right)(10)

Bounds like Claim 6 are of the form Pr[Xt<ϵ]=Yt.\mathsf{Pr}[X_t < \epsilon] = Y_t. which imply that the extrema of YtY_t provide a guaranteed bound of how large XtX_t can be when YtY_t is minimized. This means that we can try to bound the first hitting time tt^* for the maxima of μstake(t)i|\mu_{\text{stake}}(t)_i| by analyzing the minima of the right-hand side of Equation 10. Note that the function 1(kx)nekkx1-(kx)^n e^{-k'kx} has a minima at x=nkn2k,x = \frac{n k^{n-2}}{k'}, which means that we can estimate when, as a function of St,γt,ϵ,S_t, \gamma_t, \epsilon, we have maximal deviations in stake. In the following section, we examine this claim for different monetary policies St.S_t.

4.1 Deflationary Monetary Policy

In this case, Rt=krt,r<1R_t = k r^{-t}, r < 1 and St=k(1rt1)1r=CCrt1,S_t = \frac{k(1-r^{-t-1})}{1-r} = C_{\infty} - C'r^{-t-1}, where CC_{\infty} is the final money supply (e.g., 21 million, for Bitcoin). Letting ϵ=δSt+1\epsilon = \delta S_{t+1} and plugging this into the right hand side of Equation 10 and optimizing for tt using the chain rule gives the condition t=log(Cnδγtτstakeτlend).t^* = -\log\left(C- \sqrt{\frac{n\delta}{\gamma_t \tau_{\text{stake}}\tau_{\text{lend}}}}\right). Requiring that t>0t^* > 0 gives the condition Cnδγtτstakeτlend(0,1)C - \sqrt{n\delta}{\gamma_t \tau_{\text{stake}}\tau_{\text{lend}}} \in (0,1) or

δ>(C1)γtτstakeτlendn\delta > \frac{(C_{\infty} -1)\gamma_t \tau_{\text{stake}}\tau_{\text{lend}}}{n}

The above condition implies that at the time with the highest expected amount of removed stake, we expect that quantity to at be on the order of Cn.\frac{C_{\infty}}{n}. If there are fewer terminal coins than participants, Cn,C_{\infty} \ll n, then we should expect large rebalances for every staker. This formalizes the intuition that totally deflationary currencies are vulnerable to large rebalances that depend strongly on the number of coins in the system. It also confirms the intuition that if there are fewer coins than participants, then borrowing demand will be high and we should again expect large rebalances.

4.2 Inflationary Monetary Policy

Next, we consider what Claim 6 implies about inflationary monetary policies. We will consider two types of inflationary policies: Polynomial (St=Ω(tk)S_t = \Omega(t^k)) and Exponential (St=Ω(eλt)S_t = \Omega(e^{\lambda t})).

4.2.1 Polynomial Inflation

For polynomial inflation, we have Rt=ctk1R_t = c t^{k-1} and St=Ω(tk)S_t = \Omega(t^k). Optimizing Equation 10 with this form of StS_t gives t=(nδγtτstakeτlend)1/k.t^* = \left(\frac{n\delta}{\gamma_t \tau_{\text{stake}}\tau_{\text{lend}}}\right)^{1/k}. Plugging this into the right-hand side of Equation 10 gives a lower bound of

1δ2nγtτstakeτlendeτstakeτlendδ2n/γt1 - \frac{\delta^2 n}{\gamma_t \tau_{\text{stake}}\tau_{\text{lend}}} e^{-\tau_{\text{stake}}\tau_{\text{lend}}\delta^2 n / \gamma_t}

which means that if δ=O(n1/2),\delta = O(n^{-1/2}), individual agents will not have rebalances of size δSt\delta S_t with high probability. These guarantees do not depend on the polynomial degree k,k, which means that even simple linear policies (k=1)(k=1) are sufficient to get low stake turnover.

4.2.2 Exponential Inflation

In the case of exponential inflation, St=C0eλtS_t = C_0 e^{\lambda t} for some λ>0\lambda > 0 and initial token distribution C0.C_0. Following the logic of Section 4.1, we arrive at a conclusion of,

δ>C0γtτstakeτlendn\delta > \frac{C_0\gamma_t \tau_{\text{stake}}\tau_{\text{lend}}}{n}

This states that the worst-case rebalancing is bounded by the initial token distribution as opposed to the final token distribution. Given that most networks assume that there will be more users than the initial distribution, C0,C_0, this implies that large rebalancing events should become rarer once the network achieves a scale of nC0.n \gg C_0.

4.3 Conclusions

The results of this section show that the model of Section 3.3 has a volatility that is mainly dependent on lending volatility. This volatility, if demand is sufficiently shallow, is small enough to help bound the worst-case portfolio rebalancing for any validator in the system. However, the turnover in staked quantity, measured by how each agent’s expected reward changes over each epoch period, is sensitive to the precise nature of the monetary policy, St.S_t. In particular, deflationary policies cannot support on-chain lending, as the worst-case rebalancing rate depends on the terminal money supply, whereas the rebalancing rate for exponentially inflationary monetary policies only depends on the initial money supply (e.g., Ethereum’s pre-mine). Finally, we note that polynomial inflation provides particularly good rebalancing guarantees that are independent of the rate of growth of the money supply. Many of these results rely on asymptotic behavior of agents in this system and all of these results depend on simple models for borrowing demand. The remainder of the paper will focus on using simulation to provide a more realistic picture of Section 3.3.

5. Agent-Based Simulations

In order to test the three-state model in a quantitatively rigorous and realistic fashion, we turn to agent-based simulations. One of the main reasons to use agent-based simulation over formal methods is that it hard to formally prove what block reward growth rate is ideal for mitigating volatility in portfolio allocation. For instance, it is difficult to evaluate whether Rt=Ω(t2)R_t = \Omega(t^2) or Rt=Ω(t)R_t = \Omega(t) provide ideal mitigation for on-chain lending with parameters β0,β1.\beta_0, \beta_1. Moreover, we can test various realistic demand distributions, including ones that are atomic and do not have a probability density. Prior work on agent-based simulations of blockchain systems [19] has focused on analyzing consensus protocols via event-based simulation. We follow a similar event-based framework for simulating staking and lending, albeit ignoring the details of peer-to-peer networking and consensus. Our goal is to sample as many trajectories XtFt=(πstake(t),πlend(t),γt)X_t \vert \mathcal{F}_t = (\pi_{\text{stake}}(t), \pi_{\text{lend}}(t), \gamma_t) as possible for different combinations of parameters β0,β1,\beta_0, \beta_1, and block reward schedules Rt.R_t.

5.1 Initialization

In order to generate sample paths Xt,X_t, we need to specify the following variables:

  • Initial distributions: πstake(0),πlend(0)\pi_{\text{stake}}(0), \pi_{\text{lend}}(0)

  • Initial interest rate: γ0(0,1)\gamma_0 \in (0,1)

  • Interest rate parameters: β0,β1(0,1)\beta_0, \beta_1 \in (0, 1)

  • Demand-generating distribution parameters (vary depending on the demand generating distributions chosen): Pξ\mathcal{P}_{\xi}

  • Staking and lending time scale: τstake,τlend\tau_{\text{stake}}, \tau_{\text{lend}}

  • Slashing probability: pslashp_{\text{slash}}

  • PRNG seed: sZ264s \in \mathbb{Z}_{2^{64}}

We chose to model πstake(0)iExp(λstake)\pi_{\text{stake}}(0)_i \sim \mathsf{Exp}(\lambda_{\text{stake}}) and πlend(0)iExp(λlend),\pi_{\text{lend}}(0)_i \sim \mathsf{Exp}(\lambda_{\text{lend}}), as these distributions exemplify the extreme concentration of wealth that accompanies most token distributions. Exponential distributions are also useful in that the order statistics are also exponential11, which represents the idea that the kkth entrant to a network should have a decaying fraction (in this case 1k\frac{1}{k}) of the total token supply. We note that we do not use power law distributions as there are conflicting reports of the wealth distribution in Bitcoin actually following a power law [41][42]. Given the statistical difficulty of discerning if one has a power law versus an exponential decay [43][44] and the extra parameter in a power law (e.g., p(x=t)xmintap(x = t) \propto x_{\min} t^{-a}), we decided to use exponential initial distributions.

In our simulations, we kept the initial interest rate at 10%, as we saw very little sensitivity to the initial choice. In particular, agents quickly rebalance their portfolio into lending, if the rate is high enough and this appeared to equilibrate within a small number of time steps. We swept the other parameters, β0,β1,τstake,τlend,pslash,\beta_0, \beta_1, \tau_{\text{stake}}, \tau_{\text{lend}}, p_{\text{slash}}, over realistic ranges and for each choice of parameter, we sampled trajectories for a variety of seeds ss to get an ensemble average.

5.2 Simulation Loop

The main simulation loop follows that as described at the end of Section 3.3. We exactly evaluate the Markowitz update rule, with constraints, via the exact solution for optimal portfolios [37]. Given that we are solving nn independent, two-dimensional Markowitz problems, we evaluated the constraints analytically (as opposed to using a convex solver like Gurobi or CVX). The main event loop has the following causal ordering:

  1. If t=kτstaket = k \tau_{\text{stake}} for some kN,k\in\mathbb{N}, allow agents to update their Markowitz portfolios12

  2. Sample the borrowing demand distribution

  3. Update γt\gamma_t as a function of the new borrowing demand

  4. Run Algorithm 1 to determine who wins the reward RtR_t and/or if they get slashed

5.3 Borrowing Demand Distributions

We sampled a variety of borrowing demand distributions for deflationary and inflationary block rewards, as illustrated via the sample paths in Figure 4. These stochastic borrowing demand paths each have four parameters: mean, variance, maximum, and minimum demand. We define the maximum and minimum demand parameters as multipliers of the token supply, so that the minimum is (1η0)St(1-\eta_0)S_t and the maximum is (1+η1)St(1+\eta_1)S_t (illustrated via the lower and upper bounds in Figure 4, respectively).

Figure 4: Borrowing demand sample paths, ξt,\xi_t, juxtaposed with the money supply St.S_t. The sample paths in the upper left (linear, Rt=cR_t = c), upper right (deflationary, Rt=krt,r<1R_t = kr^t, \: r < 1), and lower left (inflationary, Rt=krt,r>1R_t = kr^t , \: r > 1) use simple random walks, whereas the figure in the lower right samples a geometric Brownian motion path with reflecting boundary conditions at (1η0)St(1 − \eta_0 )S_t, (1+η1)St.(1 + \eta_1 )S_t.

5.4 Results

In order to evaluate a variety of realistic conditions, we swept through many parameters illustrated above. The most interesting results come from looking at individual trajectories, such as Figure 1, and heatmaps of how certain scalar functions behave as we vary the lending rate parameters β0,β1.\beta_0, \beta_1. We generated heatmaps for number of random seeds and took averages over these random instantiations to generate Figure 6 and Figure 7. The two main measurements that we looked at were f(β0,β1)=Et[SttSt+tβ0,β1,τ]f(\beta_0, \beta_1) = \mathsf{E}_t\left[\frac{S_t - \ell_t}{S_t+\ell_t} \Bigg| \beta_0, \beta_1, \tau\right] and g(β0,β1)=Et[γtβtβ0,β1,τ],g(\beta_0, \beta_1) = \mathsf{E}_t[\gamma_t - \beta_t | \beta_0, \beta_1, \tau], where given a non-anticipating stochastic process XtX_t and a function stopped at time τ,\tau, Et[f(Xt)τ]=0τf(Xt)dXt,\mathsf{E}_t[f(X_t) | \tau] = \int_0^{\tau} f(X_t) dX_t, for the stochastic measure dXt.dX_t. We ran all trajectories for τ=250000\tau=250\:000 blocks and approximate Et[f(Xt)τ]i=0τ/Δf(Xi)ξi,\mathsf{E}_t[f(X_t) | \tau] \approx \sum_{i=0}^{\tau / \Delta} f(X_i) \xi_i, where ξi\xi_i is sampled from dXt+ΔdXt.dX_{t+\Delta} - dX_t. The first quantity, f(β0,β1),f(\beta_0, \beta_1), is the normalized difference between the staked supply and the lent supply and when it is greater than zero, there is more quantity staked, on average. It is normalized relative to the total money supply St+tS_t + \ell_t so that t,SttSt+t(0,1)\forall t, \frac{S_t - \ell_t}{S_t+\ell_t}\in (0,1) and thus we can compare the relative staking to lending proportions at different times. The second quantity, g(β0,β1)g(\beta_0, \beta_1) measures the linear spread between borrowing and lending rates, which varies over time even though 1γ0=βtγtβt1-\gamma_0 = \frac{\beta_t-\gamma_t}{\beta_t} is constant. If the market for borrowing is efficient and there is less churn, we should expect that this rate should be quite low. Note that in all simulations used, we set the relative spread, 1γ0,1-\gamma_0, to be 0.5%.

In Figure 5, we see plots of f(β0,β1)f(\beta_0, \beta_1) for different inflation rates r{0.25,0.5,1.0}.r \in \{0.25, 0.5, 1.0\}. Note that when r=1.0,r = 1.0, then we have a linear polynomial inflation rate. This figure demonstrates that even though the dependence on β0,β1\beta_0, \beta_1 appears to be random, it is clear that the deflationary figures tend to have significantly more lending than staking. On the other hand, the linearly inflating component enjoys a significant advantage with regards to staked supply. Note that the dependence on β0,β1\beta_0, \beta_1 appears mostly random because of the use of a common scale to plot them. The usage of a common scale dampens the correct scale to plot the figures at (which should be on the order of Var(f(β0,β1)\mathsf{Var}(f(\beta_0, \beta_1)), which varies dramatically as a function of the other parameters that we sample, such as the block reward. In some of the other plots that we will look at, we use independent color scales for each plot to emphasize the variation as a function of β0\beta_0 and β1\beta_1

Figure 5: Heat maps of f(β0,β1)=Et[SttSt+tβ0,β1]f(\beta_0,\beta_1) = \Epsilon_t[\frac{S_t - \ell_t}{S_t + \ell_t}|\beta_0,\beta_1] for different deflation schedules at a half-life equal to 0.25% of the total simulation time (400 Bitcoin-style halvenings occur). Each pixel is the average of 100 random initializations with the other parameters fixed. On the left, we have a very high deflationary rate and we can see that the values are negative, implying that t>St,\ell_t > S_t, whereas on the far right picture, which is non-deflationary, we see that St>t.S_t > \ell_t.

On the other hand, in Figure 6, we see an array of plots that show how the borrowing spread, g(β0,β1g(\beta_0, \beta_1 changes as a function of inflation rate and borrowing threshold. The third column, which is the linearly increasing block rewards regime, demonstrates very tight spreads, suggesting that even changing the borrowing demand threshold causes little variation in spreads. On the other hand, the deflationary regime is much more sensitive to shocks in borrowing demand, as illustrated by the plots in the upper left hand corner of Figure 6. These empirical results validate Claim 2 and Claim 3, as we directly see that lending volatility has a much more muted effect on inflationary systems.

Figure 6: Plots of g(β0,β1)=E[γtβtβ0,β1].g(\beta_0,\beta_1) = \Epsilon[\gamma_t −\beta_t|\beta_0,\beta_1]. As you go from left to right, we increase the inflation rate rr (recall that when r<1,r < 1, we are deflationary) and as we go from top to bottom, the borrow threshold increased. Recall that the borrow threshold is the lower bound line from Figure 4. We see that when the system has linearly increasing block rewards, we receive very tight spreads and a smooth, almost linear g(β0,β1).g(\beta_0,\beta_1). On the other hand, as we have increasing deflationary policies, we see that we cause the expected spread to become more random and larger.

Finally, in Figure 7, we see heatmaps of f(β0,β1)f(\beta_0, \beta_1) for different borrowing thresholds and inflation rates. Note that these plots have different scales, unlike Figure 5, and that the deflationary figures are all mainly negative. From the first two columns, it becomes clear that as borrowing demand increases, g(β0,β1)g(\beta_0, \beta_1) becomes increasingly monotonically decreasing in β0,β1.\beta_0, \beta_1. This means that as borrowing demand increases, the system’s loss of security to lending increases in a more predictable manner. On the other hand, the linearly inflating regime does not have this issue and continues to have relatively random and non-monotonic dependence on β0,β0\beta_0, \beta_0 as we adjust the borrowing threshold.

Figure 7: Plots of f(β0,β1)f(\beta_0, \beta_1) for differing inflation rates and borrowing thresholds. Note that the color bars vary for each figure. We see that when the policy is deflationary, f(β0,β1)<0.f(\beta_0 , \beta_1 ) < 0. Moreover, when the borrowing threshold is high, we cause the plots to become less random and have a more clear dependence on β0,β1.\beta_0, \beta_1.

6. Conclusions and Future Work

This paper has explored how on-chain lending affects network security in PoS networks by studying how rational multiple period Markowitz optimizing agents optimize their token portfolios. In particular, we find that bank runs can occur when many agents collectively move their tokens from staking contracts to lending contracts even when agents have independently drawn risk preferences. These attacks, which are coordinated only by rational optimization, show that the strictly Byzantine threat model is insufficient to describe security in PoS networks. Our theoretical and empirical findings show that deflationary PoS tokens are susceptible to attack by non-Byzantine, but rational participants who constantly turnover and rebalance their staking and lending portfolios to chase yield. Moreover, these findings show that one needs to choose a block reward schedule that increases relative to the yield that these on-chain contracts provide. Our theoretical results give explicit probabilities for the constant relative borrowing demand regime and show that there is a clear and strong dependence on the lending rate γt\gamma_t in these probabilities. We buffet these results with agent-based simulations to confirm that these properties hold in more realistic borrowing scenarios. In the future, we aim to look at how unbonding times and transaction fees (e.g., gas costs) affect these protocols and how different lending curves will affect staking security. We also aim to provide more precise theoretical results by relaxing a number of the assumptions that are utilized in this paper.


The author would like to thank Yi Sun, Rei Chiang, Hasu, Haseeb Qureshi, Ivan Bogatyy, Georgios Konstantopoulos, John Morrow, Tony Salvatore, Wei Wang, Hsien-Tang Kao, Jonathan Reem, Josh Chen, Tina Zhen, Nader Al-Naji, Michael Jordan, Tim Roughgarden, and Matteo Leibowitz for comments and feedback. The author would also like to thank Barnabé Monnot and Ariah Klages-Mundt for correcting an earlier error in Claim 1 and for helpful expository comments. Finally, the author would like to acknowledge the helpful input from the reviewers of both the Stanford Blockchain Conference and the MIT Cryptoeconomics Systems journal.


A. Notation

  • Δn\Delta^n is n-dimensional probability simplex, Δn={(x1,,xn)Rn:i=1nxi=1,i,xi0}\Delta^n = \{ (x_1, \ldots, x_n) \in \mathbb{R}^n : \sum_{i=1}^n x_i = 1, \forall i, x_i \geq 0\}

  • For any xRnx \in \mathbb{R}^n, we define the pp-norm as xp=(i=1nxip)1/p.\Vert x \Vert_p = \left(\sum_{i=1}^n |x_i|^p\right)^{1/p}.

  • We turn any nonzero vector xRnx \in \mathbb{R}^n with x0x \ge 0 into a probability distribution by defining x^=xx1Δn.\hat{x} = \frac{x}{\Vert x \Vert_1} \in \Delta^n.

  • S+nRn×nS_+^{n} \subset \mathbb{R}^{n\times n} is the cone of positive definite, symmetric matrices

  • ,\vee, \wedge are the standard join and meet of two elements of a lattice. For example if a,bRa, b \in \mathbb{R}, ab=max(a,b),ab=min(a,b)a\vee b = \max(a,b), a\wedge b = \min(a,b)

  • We use standard Landau notation [45] on totally ordered sets DD: Given functions f:DR,g:DR,f : D \rightarrow \mathbb{R}, g : D \rightarrow \mathbb{R}, we use the following asymptotic notations:

    • fO(g)    C>0,dD,f(d)Cg(d)f \in O(g) \iff \exists C > 0, \forall d \in D,\, f(d) \leq C g(d)

    • fΩ(g)    c>0,dD,f(d)cg(d)f \in \Omega(g) \iff \exists c > 0, \forall d \in D,\, f(d) \geq c g(d)

    • fo(g)    limdsupDf(d)g(d)=0f \in o(g) \iff \lim_{d \rightarrow \sup D} \frac{f(d)}{g(d)} = 0

    • fΘ(g)    fO(g)f \in \Theta(g) \iff f \in O(g) and fΩ(g)f \in \Omega(g)

B. PoS Algorithm

Algorithm 1

C. Proof of Claim 1

In Assumption 12, we assert that for all t,St