VoxEU Column Financial Regulation and Banking Monetary Policy

More (or less) economic limits of the blockchain

Cryptocurrencies such as Bitcoin rely on a ‘proof of work’ scheme to allow nodes in the network to ‘agree’ to append a block of transactions to the blockchain, but this scheme requires real resources (a cost) from the node. This column examines an alternative consensus mechanism in the form of proof-of-stake protocols. It finds that an economically sustainable network will involve the same cost, regardless of whether it is proof of work or proof of stake. It also suggests that permissioned networks will not be able to economise on costs relative to permissionless networks.

The blockchain itself is typically associated with the innovations of Satoshi Nakamoto (2008). The history, however, begins much earlier, with distributed ledger technologies. Haber and Stornetta (1990) tackled the question of how to timestamp a digital document. They argued that there was no need for a central authority to verify the timestamp. Instead, at the time the stamp is created, it is recorded on a ledger that is distributed amongst (what we will refer to here as ‘nodes’). When someone wants to verify the timestamp of a particular digital document, they can communicate with one or more of the nodes for that verification. 

Haber and Stornetta went on to demonstrate the practicality of their solution by publishing a hash of their ledger each week in The New York Times. The hash is a unique ID that can only be recreated if you have the original records. With the hash published in it, every New York Times edition still in existence is a distributed record of the ledger. Changing the ledger after it is recorded requires all copies of the Times to be changed. 

Significantly, Haber and Stornetta did not just publish a hash of the entries that they had received that week in the Times. Instead, each group – or as we call them now, ‘block’ – of entries was hashed along with the hash of the previous block of entries. This formed a chain. In other words, in order to change an entry from 1992, you would not only have to change the record from that time but from all future times. Suffice it to say, tampering with the blockchain would be seemingly impossible. The Haber and Stornetta blockchain has been operating for almost three decades. 

The proposal for Bitcoin outlined by Nakamoto (2008) took this basic idea and scaled it in a way that would allow it to handle the speed and transaction volume required for a network of digital payments. Bitcoin would be a ledger that recorded the ownership of digital assets (called ‘bitcoins’), the supply of which would be regulated by the protocol. At any given time, the ledger would identify the ownership (or technically, the public key) associated with each bitcoin (or fraction of a bitcoin). Thus, if someone wanted to offer the transfer of ownership of a bitcoin as payment for some other service, they would only need to verify their ownership and then send a message to the network to transfer that ownership to another user. These messages would then be bundled into blocks of transactions. 

This led to the second new element in the Bitcoin blockchain – the consensus mechanism. How do nodes in the network ‘agree’ to append a block of transactions to the blockchain as part of the immutable record? Nakamoto outlined what is now termed a ‘proof of work’ scheme. 

The proof of work concept had actually been developed much earlier by Cynthia Dwork and Moni Naor (1993). They proposed it as a way to deter spam email. In cryptocurrency blockchains using proof of work, nodes compete in a game to solve a computational puzzle and the winner earns both a reward and the right to propose the next block to the chain. 

The rewards to node operators not only cover the costs of processing records. It is critical that they also ensure the incentives of ‘bad’ actors are muted. In order to prevent attacks by bad actors, some cost must be placed on becoming a node in the network; there must be a cost in proposing a block to be added to the chain.

At present, the main consensus mechanisms are based on proof of work, which involves a cost to being a proposer (node) in terms of real resources. In the Bitcoin protocol, for example, being a proposer requires winning a computational game. The prize for winning is a block reward and transaction fee. The former is set by protocol and, if it is in cryptocurrency, the value of the currency. The latter is often set by users of the network. The cost of the contest is performing the computational task – i.e. having computer hardware and energy resources. Bitcoin is a ‘permissionless’ blockchain in which anyone can be a node (i.e. there is free entry).  

Using the properties of the Bitcoin blockchain, Budish (2018) formally examines when Bitcoin and other cryptocurrencies using proof of work would be vulnerable to being hijacked. He develops an equilibrium model that includes the (i) mining game (the supply side) and (ii) incentive compatibility (the demand side), i.e. ensuring that it will be too costly for attackers to highjack the blockchain. 

Realistically, Budish (2018) considers two limiting factors on a simple majority attack. 

  1. Some activities from dishonest miners may require more than a simple majority to implement. 
  2. For some activities that involve interaction outside the blockchain (such as a multi-spend attack), control of the blockchain cannot be confined to just the block in question but may require a time period to elapse. Thus, the dishonest node may have to control the network for a time, which translates into adding a certain amount of blocks. 

Budish includes these elements in his model, which shows that that Bitcoin ‘would be majority attacked if it became sufficiently economically important’ (Budish 2018). 

‘Proof of stake’ protocols are an attempt to allow for consensus mechanisms without relying on real resources (as in proof of work). This is achieved by requiring nodes to stake a sufficient quantity of tokens in order to be considered as a validator for a new block of transactions. There are different ways in which validator nodes are selected. 

One class of methods is chain-based. In that method, a validator is chosen at random from nodes that hold the requisite stake. This means that validators have a probability of proposing a block (and receiving a block reward) based on the amount they have staked to the network. Like proof of work, it typically takes some time (in terms of t blocks) before a block is treated as final and relied upon. 

What about protection against attacks by dishonest nodes? With proof of stake, there is no such resource cost. The main challenge is that new nodes or nodes that were offline cannot tell which is the legitimate chain. Thus, for an attack to be successful, the dishonest node needs to take actions that would shift the share of online versus other nodes. 

Such attacks rely on the attacker building on both the main chain and their alternative at the same time. Networks have implemented various methods to guard against this. One such method is called ‘slashing’. This involves the stake of a node being reduced or destroyed if it is found that they have worked on multiple chains. This is something that can be algorithmically detected. In some newer networks, slashing can automatically arise if blocks appear to be altered, and it may involve the attacker losing part or all of the stake itself – which would make the attack more costly. Nevertheless, such attacks are still possible.

In a recent paper (Gans and Gandal 2019), we extend the blockchain sustainability framework of Budish (2018) to consider proof-of-stake consensus mechanisms. We show that, perhaps surprisingly, an economically sustainable network will involve the same cost regardless of whether it is proof of work or proof of stake. In the latter, the cost will take the form of illiquid financial resources.

We then examine permissioned networks where the number of nodes is fixed. We show that regulating the number of nodes (a permissioned network) does not lead to additional cost savings that cannot otherwise be achieved via setting block rewards in a permissionless (i.e. free entry) network. This suggests that permissioned networks will not be able to economise on costs relative to permissionless networks.


Budish, E (2018), “The economic limits of Bitcoin and the blockchain”, working paper. 

Dwork, C, and M Naor (1993), “Pricing via processing, or, combatting junk mail”, in E F Brickell (ed.), Advances in Cryptology – CRYPTO’92, Lecture Notes in Computer Science vol. 740, Berlin, Heidelberg: Springer. 

Gans, J S, and N Gandal (2019), “More (or less) economic limits of the blockchain”, CEPR Discussion Paper 14154.

Haber, S, and W S Stornetta (1990), “How to time-stamp a digital document”, in A J Menezes and S A Vanstone (eds.), Advances in Cryptology – CRYPTO’90, Lecture Notes in Computer Science, Vol. 537, Springer.

Nakamoto, S (2019), “Bitcoin: A peer-to-peer electronic cash system”, Manubot.

1,470 Reads