WBD440 Audio Transcription
Why Proof of Stake is Flawed with Lane Rettig
Interview date: Monday 20th December
Note: the following is a transcription of my interview with Lane Rettig. I have reviewed the transcription but if you find any mistakes, please feel free to email me. You can listen to the original recording here.
In this interview, I talk to the former Ethereum Core Developer Lane Rettig, who now works as a core developer for Spacemesh. We discuss the history and logic behind PoW, the drivers for developing new consensus protocols, how PoS is set to work within Ethereum, and the significant flaws and risks this proposed change entails.
“When you make this change that we just talked about going from Proof of Work to Proof of Stake you break a lot of the really cool stuff…I don’t think any of us appreciated the complexity and how much fixing we’d have to do after breaking Nakamoto consensus.”
— Lane Rettig
Interview Transcription
Peter McCormack: Lane, how are you doing, man?
Lane Rettig: Doing well, Pete, how are you?
Peter McCormack: Good. Good to see you. I'm going to have to keep a little eye on the mixer here, because we don't have Danny sadly. But anyway, good to see you, you're my favourite Ethereum guy to talk to!
Lane Rettig: I didn't know you had a favourite Ethereum guy to talk to!
Peter McCormack: Well, listen, it's hard to do this show without talking about Ethereum sometimes; and just for context for you, and for anyone listening, because some people would be like, "Why would you do this?", there's two real reasons. I always want to help people understand Bitcoin, or understand myself why Bitcoin is designed and built in the way it is, and the way it works, so the arguments of proof of work versus proof of stake for me really is helping me understand why proof of work is so important to Bitcoin and why it's unique. So, that helps me understand. It isn't just a dump on Ethereum, because I don't really care about Ethereum existing, or anything like that.
But the second reason is, there are plenty of people who listen to the show who aren't Bitcoin maxis, plenty. I get lots of emails and it's a range. Some people say to me, "Why won't you consider altcoins, or why won't you consider Ethereum?" or saying they have questions. So, it does two jobs. It helps them understand if there's any inherent risks with Ethereum, but also helps me understand why Bitcoin is designed in the way it is. So, if that helps you understand why I want to do this.
Lane Rettig: Yeah, that totally makes sense. I like the thing you mentioned just now about understanding risks. I think we'll get into this today, I'm excited to get into it, but one of my issues with proof of stake, the way it's been presented and with the Ethereum roadmap, is that I think the risks are not fully discussed in a very open, intellectually honest way. So, yeah, that's something we can talk more about. Can I share a little bit about my motivation for having this conversation as well?
Peter McCormack: Well, one thing else let's just put in there, there's a brilliant piece recently done by Lyn Alden, which we've both read.
Lane Rettig: I know that.
Peter McCormack: I'm going to see Lyn soon, which is great, and I'm going to discuss that with her as well, but I've got a thing here from her. She's very neutral on investments. She's like, "Invest in whatever you want, but you need to understand what are the trade-offs"; that's what she mainly said. She said, "Overall, I conceptualise Bitcoin as a monetary asset and smart contract platform tokens as equity securities".
So, she was very neutral, I think because she didn't want people attacking her saying, "Well, you're just attacking Ethereum for the sake of it", she was trying to help people understand their investments, and I think that's a similar thing I want to do today. But yeah, tell me your motivation.
Lane Rettig: I want to do the same. I was very impressed by Lyn's piece, a fantastic take. I think one of the issues, inherent issues in this conversation, proof of work versus proof of stake, which has been going on for years -- I joined the Bitcoin and then later, the Ethereum community around 2016, 2017. It's almost like, this is a terrible comparison, but you know we have this abortion topic here, which is just perennial. It just keeps coming back, it's never solved, and actually in the same fashion, it becomes political, it becomes religious, and what I liked so much about Lyn's take was that it was very objective, and I really agreed strongly with a lot of the points she made. So, yeah, we should have that kind of conversation.
Then, just to add a tiny bit to my personal motivation to wanting to talk about this, as you know I'm working on R&D, blockchain protocol R&D, as part of my day job at Spacemesh, and we've been in the process now for a few years of attempting to develop, let's say a novel protocol, a novel consensus mechanism, so something that's not proof of work, something that's not proof of stake, something that's different in some interesting and meaningful ways. I won't say better, but different. And, now we're in the final thrust here of finishing this thing, putting the finishing touches on it, and always the last part is the hardest part.
Through this process, these past few weeks and months, I've really deeply developed a newfound appreciation for, and understanding of proof of work and Bitcoin and Nakamoto Consensus, deeply, deeply impressed by it in ways that I wasn't previously. Lyn's piece helped with that, and so I think it's a journey and I'm just now reaching a place, a high enough level, where I can look back and survey the landscape and hopefully, fingers crossed, speak intelligently about the landscape of proof of work, proof of stake and other stuff.
Peter McCormack: Well, listen, I'm always happy to talk to you, Lane. We've become friends over the last few months since we met and we chat regularly, so people should know that, and some people are going to be saying, "Why are you having a shitcoiner on for this?" But the point is, some people might not have listened to our previous interview, and they should because it was great, but you are actually a bitcoiner, which people should understand. You are somebody who was passionate about Ethereum and the idea of DAOs. I have questions over them, but we don't need to cover that today.
Lane Rettig: Future topic of conversation!
Peter McCormack: Yeah, but you are a bitcoiner, and you are a bitcoiner who understands Ethereum quite well. So, for you who is someone who is critical of proof of stake, I think you're a good person to come and talk to about this, because we do have this ongoing Bitcoin versus Ethereum war, it never ends, and when anyone criticises the other one's protocol, the other team jump on the defence, and it's very rare that you have someone who's impartial and sitting in the middle, and can just be completely honest this.
I feel like, as you're a bitcoiner and you're an ETH guy, you are about as impartial as they get on this topic. So, I could have talked to some Bitcoin guys and have them criticise proof of work, and maybe I will. I did reach out to Hugo. He's been covering this quite a bit, he's been writing threads about this.
Lane Rettig: That's right, the articles, yeah.
Peter McCormack: Yeah. His stuff's been interesting, I did reach out to him, but I'm just as happy to talk to you about it, so I appreciate you coming on and doing this. You'll probably get some people shit on you from both directions.
Lane Rettig: I'm sure I will. I did last time too, it's okay, I can handle it. No, thank you for having me. This is, as I said, a really interesting, important topic, and I think we can have a pretty objective conversation about it. Let's dive in!
Peter McCormack: Okay. Well, as you know, it's not the most technical audience, I like to keep things simple, especially just for me as well, but for the audience. So, as a starting point, I was going to ask you, let's define both protocols, let's talk about these consensus mechanisms and how they work. So, I wanted to say, let's talk about proof of work, what it is and how it works, but you mentioned a moment ago, "Let's take it in a different direction".
Lane Rettig: Well still, so I want to do that, I want to maybe zoom out even a tiny little bit further and really approach the topic from first principles. I think that that's been the journey I've been on, and the way I've been able to get my head around some of this stuff. So, I know you're always happy to go back to basics with all these new listeners, and even for those of us who've been in this space for a few years, it's always helpful to revisit some of the basics.
So, I think the first and most important question is, what is a blockchain, and what problem is Bitcoin trying to solve? If you'll indulge me here, I think it will be interesting to go back, actually, as far as the 1970s, and this field of computer science called "distributed systems". Back around that time was when the foundation work in this field was laid by folks like Leslie Lamport. And for folks who aren't familiar with Lamport, he was a professor, educator, computer scientist in this field. Read his papers and stuff he wrote, it's very accessible, and people he was working with. He first articulated this problem, he and his co-authors, as the "Byzantine Generals Problem". So, I think a lot of your listeners will be familiar with this concept.
So, what is the Byzantine Generals Problem? In a nutshell, it's the challenge of coming to agreement, otherwise known as reaching consensus, on something, the state of the world, or coin flip, or something like this, or the state of a transaction, in the presence of something called "Byzantine behaviour". Byzantine behaviour is unpredictable behaviour; it's like agents that you can't rely on. The reason this was called the Byzantine Generals Problem is, there was this metaphor put forth of generals trying to attack a city.
So, there's multiple generals, and each of them has these messengers that they can send to one another. But the problem is, some of the messengers might not make it from one camp to another, some of them might be corrupted along the way, or replaced, or something. So, in an adversarial environment, how do you exchange messages and achieve consensus, agreement, on the state of something. This is directly applicable in computer science, when you have a scenario like the internet, or like any major protocol or network, where you have multiple systems exchanging messages with one another over a medium like the internet, because the same things can happen. Messages can be corrupted, they can be delayed, they can be censored completely.
The reason this emerged around the 1970s is because up to that time, computers didn't really talk to each other very much. When you are only trying to run a programme on a single computer, you don't really have this issue of Byzantine behaviour. If the memory chip sends a message to the CPU, writes to the hard drive, it's very unlikely that message is going to get intercepted or corrupted, or something. It can happen, but it's very, very unlikely.
But when you introduce things like the internet or the proto-internet, the DARPA net, which emerged around this time, all of a sudden you're in this situation where systems are trying to agree on things and exchange messages in a very adversarial, hostile environment. Remember, back then, the internet was like -- I don't know if you're old enough to remember the physical couplers? The physical modems were the phone. The physical phone would sit in a thing that was this shape. Young people today don't know what this is anymore -- coupling in into the connections, which would get dropped when your mum would pick up the phone downstairs; so, these things are all still very relevant today. So, this is the background.
We can fast-forward now about 30 years, give or take. So, over the following 30 years, a lot of work was done in this field of distributed systems by a lot of very smart computer scientists, and they developed a couple of categories of algorithms, which tend to fall into the header, PBFT, which is Practical Byzantine Fault Tolerance; these are things like Raft and Paxos. And these are interesting background reading as well. I think any dyed-in-the-wool bitcoiner, the holidays are coming up, take a few days to sit down and read this stuff, because this is the foundational work, these are the enabling technologies that Satoshi and the other cypherpunks were working with when they developed Bitcoin, and the precursors to it.
So, the way that these PBFT-style protocols work is that there is a set of known actors, a relatively small set, and they're fairly complex. They're sort of these different rounds of messaging passing, where you have the different actors who submit proposals, then maybe you have a leader elected who co-links those proposals and puts together a master proposal and broadcasts it out to the group, then other actors will acknowledge they received it. Through this process of three or four rounds of communication, they are able to solve the Byzantine Generals Problem. So, solutions were proposed as far back as the 1970s.
There's a couple of issues with these algorithms. First, they're a bit slow and a bit complicated. As you can imagine, there's a lot of message passing going on. The second is, as I mentioned a moment ago, they require that all the participants be known ahead of time. What does that mean? It means they skin in the game in the form of reputation. So, if Alice and Bob and Charlie and Daniel are passing messages around, and Bob goes malicious and broadcasts a bad message, or doesn't broadcast a message, Alice, Charlie and Daniel know that it was Bob who did this, because he has a digital signature on it, they know who Bob is, and they can remove him in the future, or punish him out of protocol; they can punch him in the face or something, "You're an idiot". None of these protocols had the ability to do sanctions in the protocol; that's a really key important point.
So now, let's just fast-forward all the way up to 2008, to Satoshi Nakamoto's time. Let's set this consensus stuff aside just for a sec and focus on what Bitcoin is, and we'll tie the threads together in a sec. So, what I've understood over time about Bitcoin that I find so interesting, is that the enabling technologies that went into it were not themselves novel. This is a key thing to understand. And it's a lot like the iPhone in this respect. When Steve Jobs introduced in the iPhone in 2007, I think it was; actually, funnily enough around the same time, touch screens were not new, he didn't invent those; he didn't invent an "internet communicator", he didn't really invent the smartphone. There were phones that did these things already. Obviously, there were mobile phones.
What was so special about the iPhone was the packaging and the presentation around it, and I think that parallel, for me, is very helpful in understanding Bitcoin. Because, what Satoshi did was, he didn't invent proof of work, he didn't invent Merkle trees, he didn't invent peer-to-peer; all these things existed before.
Peter McCormack: He just brought them together.
Lane Rettig: Exactly, in a very compelling way. So, Merkel trees were worked on by Ralph Merkle. It had been used in Git previously; peer-to-peer, obviously we had Napster, BitTorrent, things like that; proof of work, I think was invented by Adam Back. There were only eight citations in the Bitcoin whitepaper, and one of them was Adam Back's work on proof of work, and it had been used previously in things like email to prevent spam, that kind of thing. So, he tied them together in a very compelling way.
Tying things back now to the consensus question, Satoshi did invent something completely novel, and the thing that he invented is called "Nakamoto Consensus", and we need to draw a slight distinction here. So, Nakamoto Consensus is the name given to the whole bundle of consensus mechanisms in Bitcoin, including proof of work, but it's not just proof of work; you can also break that apart a little bit. But proof of work is the biggest part of it. I'm coming to a conclusion here, I promise!
So, what is Nakamoto Consensus, and how does it solve the Byzantine Generals Problem in a more compelling way? So, I said before there were a couple of issues with the PBFT category of solutions. The first was that all actors have to be known ahead of time; and the second is that there's no in-protocol sanctions. So, I think that what Nakamoto Consensus did is for the first time, it solved these problems, and it just took this whole field of distributed computing, woke it up and just took it fast-forward an entire generation, because in the field there really hadn't been a whole lot of big innovation happening prior to Satoshi's work; and now, of course, it's exploded.
The way that it solves these problems is by introducing the idea really of proof of work and Nakamoto Consensus. As I'm sure listeners are familiar with, the way mining works in Bitcoin is that anyone anywhere in the world, permissionlessly, without registering, without being known, just purely pseudonymously, can just turn on a miner and participate in this cryptographic race that happens to produce new blocks. That's huge, because these PBFT algorithms didn't scale beyond tens, or maybe in the extreme, hundreds of participants. Obviously, Bitcoin scales into the tens of thousands, probably well beyond. I'm not sure there's really a limit; maybe limits in latency and things like that, but we haven't reached them yet.
The way it enables this is through the punishment mechanism, which is you have to spend a scarce resource in order to be eligible to mine. So really, the key insight here is the following: it replaces one entity, one person, one actor, one vote, which is how PBFT works, with, I think the way Satoshi described it is, one CPU, one computer, one vote, which really should be one unit of computational work, one vote. That's a very, very powerful idea, and that's the foundation for Nakamoto Consensus. I'll pause there and catch my breath, there's a lot to unpack.
Peter McCormack: Yeah. Well, let's just unpack it, let's talk about how it works, let's talk about what a bad actor might try and do, and how they're caught and how they're punished.
Lane Rettig: Right. So, the most obvious thing that a "Byzantine actor" might do in Bitcoin is something like trying to double-spend. So, that would look like, within the same block, trying to spend the same UTXO twice, something like that. Obviously, this is not allowed by the protocol. What would happen here --
Peter McCormack: You can try it.
Lane Rettig: You can try it, you can create these two incompatible transactions, put them into a block together if you're a miner, but that block will not be accepted by the network. There's other things you can do. You could attempt to spend more than you're allowed to in the coinbase transaction. I'm sure there's other forms of bad behaviour.
Peter McCormack: Well, let's break it down. So, a miner is competing to mine a block, they construct the block anyway, everyone constructs the blocks, and it's whether or not the one they've constructed is the one -- or do they construct the block after?
Lane Rettig: There's a little bit of sophistication here. I believe the more sophisticated miners now do a thing called "pre-consensus", where they actually agree, to some extent, on the contents of the block, before one of them actually successful finds the nonce and mines it and seals the block. But effectively, you can think of it as, all the miners are trying, trying, trying to mine a block, and then they receive a new block. This is the simple version of this.
The moment they receive the new block they quickly validate it, quickly check it. That's a very cheap process to do. Mining is expensive, but validation is very easy. This asymmetry is very key.
Peter McCormack: And the validation is against the consensus rules?
Lane Rettig: Correct. So, you're doing things like checking, is the block that it points a valid block? So, it's kind of recursive in that way. You run through all the transactions, you make sure each of the transaction is valid, so you're not trying to spend a UTXO that you don't know about, or you're not trying to double-spend a UTXO, things like that. There's a couple more rules, like the coinbase, which is the way the miners receive the block subsidy. It has to be --
Peter McCormack: 100 blocks?
Lane Rettig: Right, they have to wait 100 blocks to spend it; that's one thing. But also, they insert a transaction to pay themselves the coinbase in each block. So, if you tried to pay yourself 25 Bitcoin or something, you can't right now.
Peter McCormack: You can pay yourself less though, right?
Lane Rettig: I think you can pay yourself less. I think it's capped.
Peter McCormack: Yeah, it's capped, so whatever it is now --
Lane Rettig: But there's no reason you would ever do that.
Peter McCormack: No, but what I'm saying is, the rule of consensus isn't broken by paying yourself less --
Lane Rettig: I think that's true.
Peter McCormack: -- but it's broken if you pay more.
Lane Rettig: Yeah. So, they quickly validate the block, they make sure that it passes all these checks. This whole process takes in the order of milliseconds; it's very, very quick, I'm pretty sure. In Ethereum, and we'll come back to this, much longer.
Peter McCormack: So, I'm the miner, create the block --
Lane Rettig: Yeah, receive a block, validate it and then, once you've done that, then you know you have a new valid block upon which you can try to mine the next block. But that's important, because you need the hash of that block in order to mine the next one.
Peter McCormack: But say I mine the next block --
Lane Rettig: Which, by the way, let's just be very specific. So, what that means exactly in concrete terms is that you have a bunch of transactions sitting in the mempool. So, these are transactions that you've received from the network, from peers or maybe from people connected directly to you, and you're going to scoop up a bunch of them, and this is also part of the validation logic, the block size has to be less than a certain amount; you're going to scoop the highest-value transactions from the top of the mempool, and you're going to put them together.
If you have that and you have the previous block, you have all the information you need to mine a new block, and mining a new block simply means this proof of work, which is spinning your ASICs to find a nonce, which is just a simple number that is below the difficulty threshold. Again, this is another rule: if you mine a block with a nonce that is not below the difficulty threshold, it doesn't have a certain number of leading zeros in front of it, it would not be accepted by the network.
Peter McCormack: But I mine the block, and within there I've tried some jiggery-pokery, I've tried to double-spend a Bitcoin.
Lane Rettig: Any of the rules we just discussed, any of them. You could try to mine a block, as I said, with a difficulty that's not low enough, that kind of thing.
Peter McCormack: Yeah. And then when I broadcast that to the network, every other node will try and validate it and because I've tried to break the rules, they will reject that block.
Lane Rettig: Correct.
Peter McCormack: So, what happens at that point? Do other people still have the ability to mine that block?
Lane Rettig: Right, what happens is all the other nodes in the network that see this block are going to do the same thing we just discussed. They're going to run it through the validation rules and they're going to drop the block. They're not going to punish you explicitly; the punishment is implicit. We'll talk about that in one sec. But no, no one's going to mine on top of it. They're going to see it, they're going to discard it and they're going to keep doing what they're doing, they're going to keep trying to mine on the previous block.
Peter McCormack: Yeah, waiting for a valid block.
Lane Rettig: Well, no, if they're mining, they're going to continue looking for a nonce.
Peter McCormack: No, I mean the nodes are going to keep waiting for a valid block.
Lane Rettig: Correct, they'll just completely discard the block. So, what happens to you, as the miner who mined the invalid block, well again it's not an explicit punishment, it's an implicit punishment in the sense that you spent a lot of money to mine that block. I don't know the latest figures, but you spent many thousands of dollars.
Peter McCormack: Well, possibly tens of thousands, maybe hundreds of thousands.
Lane Rettig: Right. It should be less than the marginal revenue, the Bitcoin in the block.
Peter McCormack: Which is about $350,000 now?
Lane Rettig: Something like that, yeah.
Peter McCormack: So, you could spend $100,000 mining the block?
Lane Rettig: Yeah, for sure, and it should be profitable, if you follow the rules of the protocol. But this is Satoshi's genius, this is where the game theory comes in. You are simply never incentivised to attempt to mine a bad block, because you've effectively burned all those dollars, or whatever you're paying to pay for the electricity to run the miner to mine the block. That's how Nakamoto Consensus works in a nutshell.
Peter McCormack: And it's all instant, it's just all instant. So, you've instantly burned, you've missed the opportunity of receiving that coinbase, because you've burned it.
Lane Rettig: Right.
Peter McCormack: Yeah. Genius.
Lane Rettig: So, it's genius, and it's really, really simple. So, from this point forward in the conversation, you and I are going to take a journey down a really dark, twisted rabbit hole, which is trying to understand proof of stake.
Peter McCormack: Well, let's just try and break it for a second.
Lane Rettig: For sure.
Peter McCormack: So, for me as a solo miner, I'm very unlikely to mine a block, but imagine I had a small --
Lane Rettig: Unless you're in a pool, in which case…
Peter McCormack: Yeah, I'm in a pool. But imagine I had a small farm and I had enough that I would maybe mine a block a day; maybe I'd just mine one block a day.
Lane Rettig: A block a day is a lot, by the way!
Peter McCormack: I know, but just for this, maybe I mine one block a day. There is still no incentive for me to try and create invalid blocks, because all I'm doing is every day, I'm going to lose that amount of money. Where this becomes an existential threat to Bitcoin is if someone has enough hash power, say they had 51% of the hash power, which nobody has right now, but they could keep mining invalid blocks.
Lane Rettig: Okay, so let's talk about this, because this is another very important aspect of Bitcoin, and this is also something Lyn mentioned in her article, which we talked about earlier. In theory, what you're saying is true, however the bulwark, the defence mechanism in the governance of Bitcoin, is that we have so many home miners, ordinary people running nodes. All of those nodes would reject all of the blocks.
So, sure, if I have some substantial portion of the hash power in the Bitcoin Network, I can keep turning out invalid blocks, and your node and my node are going to rejecting them, unless someone hacked our computer and literally changed the software.
Peter McCormack: Okay. No, that's fair. You're right.
Lane Rettig: Meaning that you would still be getting nothing.
Peter McCormack: Burning money.
Lane Rettig: But the reason this is so important is because this is not necessarily the case in networks like Ethereum, because so few people run their own nodes, and this is a very important distinction between the two and it's something I'm still understanding.
Peter McCormack: Okay, so I understand it. Okay. So, the rules of consensus are fixed. If I send an invalid block, the nodes are going to reject it. There is no incentive for me to be sending invalid blocks. It's quite simple really.
Lane Rettig: It's really very simple.
Peter McCormack: Yeah, elegant.
Lane Rettig: Very elegant, yeah. It's a very, very elegant solution to a very thorny problem.
Peter McCormack: And the unique innovation was the fact that we have a token within the system which has value? Well, you said there were two.
Lane Rettig: Everything that we just talked about is the infrastructure that allowed the Bitcoin coin to be created. We talked earlier, what is the Byzantine Generals Problem? It's this problem of how a set of actors that don't trust each other can agree on something, the state of the world. The state of the world in the case of Bitcoin is exactly the set of UTXOs; it's the ledger, basically.
Now, there's other things about Nakamoto Consensus that are really brilliant, and this is now beginning to get into things that I didn't fully appreciate earlier, so I'll give you an example. It has a beautiful property of self-healing built into it, and this is not something people usually talk about when they talk about Bitcoin. But if you had certain clusters of attack, and by the way, when we use terminology like "attack", it's like a Byzantine-style fault. It doesn't necessarily mean that there's a malicious actor who is actively attacking the network.
It could mean that an undersea cable was accidentally cut, or that there's some fault in the network. Or actually, an even better example is a release of the software that has a bug in it. So some, let's say, 10% of people upgrade before they realise there's a bug, these are all classes of Byzantine faults, or "attacks" against the network.
If there's an attack and you get a fork in the network, in the case of Bitcoin, any time you have a disagreement about the consensus, for example let's say some percentage of the nodes, 10% of the nodes, believed that a UTXO is valid and 90% think it's not; what's going to happen? You're going to have a fork in the network. This is also what happens after a hard fork if it's contentious and not everyone chooses to upgrade.
Once the fault is resolved, the network heals itself and keeps going as if nothing happened. It doesn't require any intervention. So, if you imagine, for the sake of argument, let's say that there's 10% of the Bitcoin mining nodes in Fiji and some large ship accidentally bumps up against a cable, knocks it out and all the Fiji miners are separated from the rest of the network for an hour or something, or even a day, then later on the cable is restored, they come back online, so this is a partition and a rejoin, what will happen? You can think about it from both sides.
From the perspective of the Fiji side, they're going to see that 90% of the hash power's suddenly disappeared, and suddenly it's going to be very difficult for them to produce any blocks, because they would have to be waiting for a difficulty adjustment. This is not that different from what happened when the Chinese miners went offline. So, they're going to get stuck, they're not going to make much progress.
However, the rest of the world is going to keep producing blocks. It might take 10% longer, so the block time might go up from 10 minutes to 11 minutes, or something like that, on average. And then, once the rejoin happens, the Fiji miners -- I don't know why I'm picking on Fiji, it's a lovely country, it's an island!
Peter McCormack: I think they've just reopened to tourists.
Lane Rettig: Maybe we'll do an episode in Fiji in the future.
Peter McCormack: Yeah, maybe.
Lane Rettig: The Fiji miners will see the longest chain and obviously, with 99.999% likelihood, the longest chain will be the non-Fiji chain, because that's where all the miners are; and another aspect of Nakamoto Consensus, I mentioned before, it's not just proof of work. So, it also includes this thing called "a fork choice rule". What is a fork choice rule? Very, very simple. If you see two chains, it's a very simple algorithm you can use to determine which one is the canonical chain. The beautiful thing about Bitcoin and Nakamoto Consensus is the fork choice rule is dead simple.
Peter McCormack: Longest chain wins.
Lane Rettig: Technically, it's the chain with the greatest accumulated proof of work, which is more or less the same thing as the longest chain. So, the Fiji miners are going to see the global chain, and they're going to immediately do what's called a "re-org" and they're going to switch over to that chain, and then we proceed on as if nothing has happened.
The network has had a fault and healed itself, and that is a very, very, very powerful idea, and it's something that proof-of-stake networks really struggle to do. It's much more complicated, and in Spacemesh as well, proof of space time, we have a whole separate mechanism to do this, an explicit and very complicated piece of code that emulates this self-healing. So, this is another example of a really beautiful, unique property of Nakamoto Consensus, and this is why I love Nakamoto Consensus in Bitcoin so much, because it's so elegant and so simple in how it works.
Peter McCormack: So, if Nakamoto Consensus is so beautiful, elegant and works so perfectly, why is anyone working on an alternative consensus model; what is the incentive? Because, what it seems to me is that every other consensus mechanism that's worked on is far more complicated, less elegant, comes with more risks, more attack vectors and a much higher level of complexity. So, we'll come back to Ethereum, but just generally speaking, why?
Obviously, there's some people who want to use the energy FUD against Bitcoin as a reason to look at proof of stake, because it gives them an argument in the marketplace for people who are anti-proof of work; that one's an obvious one. But what other reason would people look at a different consensus mechanism?
Lane Rettig: That's a great question and it's a great transition into talking about things like proof of stake. So, I think there are a few reasons. So, the energy intensity is one of them. For the sake of argument, entertain this as a thought experiment.
Peter McCormack: Okay.
Lane Rettig: Imagine that we had something that did the same things as Nakamoto Consensus, but was less energy intensive, for the sake of argument. I think we'd all be onboard with it. It's not that bitcoiners are into killing trees. Obviously, we love Nakamoto Consensus, we love proof of work because it solves a very important set of problems.
Peter McCormack: Solves the problem in the same way, as elegant.
Lane Rettig: If it existed.
Peter McCormack: If it existed, provided the same level of security, okay, then of course.
Lane Rettig: So, that's one factor, okay. The second factor is scaling, okay. So, one of the downsides to proof of work and to Nakamoto Consensus is that it doesn't scale super well. There are fundamental limits to the mechanism, to how long that mining process takes, there's a certain amount of energy that must be expended to do that, and to how fast those blocks can be communicated across the network.
There have been some proposals to tweak Bitcoin proof of work. There's one called Bitcoin-NG; do you remember this at all? This was five or six years ago. I think it came from Emin Gün Sirer, his team at Cornell back in the day.
Peter McCormack: The Avalanche guy?
Lane Rettig: Yeah. So, the idea was something like you have consensus work the way it does, and one miner wins and produces a block. But instead of sending out a single block, they can keep rapidly generating blocks and firing them off every few seconds, until another miner wins, at which point they take over, and that would theoretically improve the scalability of Bitcoin.
Peter McCormack: Why was it rejected?
Lane Rettig: I should have reviewed this again before this conversation.
Peter McCormack: Yeah, it doesn't matter!
Lane Rettig: I don't remember, but I think there's a couple of reasons. I think one big one is that if you do this, then suddenly the Bitcoin blockchain bloats and gets really, really big with an order of magnitude more blocks, or something. Then things happen, like it becomes harder to run a node, it becomes harder to mine. Again, latency is an issue. These Bitcoin blocks are, I guess, 2 megabytes now with SegWit, and it takes a while for a message of that size to traverse the globe.
Peter McCormack: Isn't it 4 megabytes with SegWit? The block weight is 4 megabytes, I believe.
Lane Rettig: I thought it was 2, but I'll defer to you. I'm not like that, I'm not super deep in the technical details.
Peter McCormack: That's fine, yeah.
Lane Rettig: Well, it was always 1 megabyte. So, Satoshi introduced the 1-megabyte limit quite early on in the life of Bitcoin. I know SegWit increased it.
Peter McCormack: SegWit increased the block weight to, I think it's 4 megabytes. We can double-check that. I still don't know the difference between block size and block weight, it means nothing to me!
Lane Rettig: Let's not get into that. So, these blocks are relatively large. Ethereum blocks are an order of magnitude smaller; they have to be, because the block time in Ethereum is 14 seconds, so it's much faster. Anyway, so just closing the thread on this topic, one of the benefits of -- I don't know if you want to dive completely into proof of stake right now or not, but let's say --
Peter McCormack: Not yet.
Lane Rettig: -- one of the limitations of Nakamoto Consensus and proof of work is that it doesn't lend itself very well to scalability, and scalability's a hot topic right now.
Peter McCormack: If you think you want faster than ten-minute block times, and if you think you want larger blocks. But I think what bitcoiners would argue is that, we're okay with ten-minute block times. Ten minutes isn't too long; an hour to confirm a transaction, and the smaller transactions, you have Lightning.
Lane Rettig: You have Lightning and you have Liquid. Liquid gives you one-minute block times.
Peter McCormack: I would have thought that one of the most important things is protecting bloat at the blockchain, because we want people to be able to run their own nodes. The blockchain's going to increase in size, but we want to do it as a measured progress, so people can afford to run a node, and maybe the hard disk. We're not outcompeting the speed at which affordable hard disks become available. I mean, you can get a fairly cheap 1-terabyte hard disk now. So, I think it's just that we don't outpace that.
Lane Rettig: Let's stay on this for one second, because this is exactly a perfect example of one of these nuanced things about Bitcoin that I think I didn't fully appreciate. I think I was very much in the Ethereum camp and drinking that Kool-Aid saying, "Why is it an issue that Ethereum's blockchain is on the order of a few terabytes now, whereas Bitcoin is still just a few hundred gigabytes; why does it matter? It's still possible, barely possible, to run an Ethereum full node on an Apple laptop like yours".
But I think what I'm really understanding is that it's not just out of principle that bitcoiners want to run these nodes; it's actually very practical and very pragmatic, and what helped me understand it was probably Lyn's article, but also partly understanding the Blocksize Wars in 2017. I had just joined the Bitcoin community at that time, so the very first thing I saw was people on Twitter sending, "#No2X", and all this kind of stuff tied to the war here, but it's really truly remarkable how so much of the hash power, so many of the big companies, the miners, were all behind this idea, the SegWit2X idea, and it still failed.
Why did it fail? Because the plebs were against the idea, and that's only possible in a network where you have so many people running nodes at home and threatening to do a UASF, or something, if the change proceeds. I think realistically, that would be a very difficult thing for Ethereum to achieve right now, because not many people run the full nodes.
Peter McCormack: Well, it's a core pillar of Bitcoin's ethos, is to be maximally decentralised. I come across people on this argument quite often, and I really hate this, "Decentralisation is a spectrum", because I think it's gaslighting people. It's not about it being a spectrum; for me, it's about being maximally decentralised, I think I said to you last time, and directionally where you're heading. The constant conversation in Bitcoin, and it doesn't matter which aspect of Bitcoin, whether it's miners or nodes or developers, whatever, it's how do we maintain maximum decentralisation, always thinking of issues like that.
Lane Rettig: It's a slippery slope, because you take a couple of steps in that direction, and the next thing you know, you're Ethereum; the next thing you know after that, you're Solana.
Peter McCormack: And the next thing you know, you're just a single Oracle database. But the point is, Bitcoin has always, and everyone I've always spoken to, has ideas that we must be decentralised. We must be resistant to state attack, and the Allen Farrington paper was really useful for me to understanding that it's the risks that Ethereum, the trade-offs they've made, with regard to decentralisation. So, I always feel that, "Decentralisation is a spectrum" is gaslighting.
Lane Rettig: Yeah, the thing I would say about decentralisation is, it's one of these things that doesn't matter until you need it; and when you need it, you really, really need it. We're in this halcyon beautiful moment right now, hopefully still in the middle of a long bull market on the one hand; on the other hand, regulation hasn't really started to bite yet. I mean, we've seen stuff happen in China and FUD getting closer.
Peter McCormack: It's getting closer.
Lane Rettig: But it's not going to stay this way forever. And when it doesn't, what is that great quote from, I think it was Chuck Prince, the former CEO of Citigroup, or something, when the Financial Crisis happened back in 2007/2008, he said something like, "When the water goes out, you see who's been swimming without any pants on the whole time". When you really need decentralisation, you really need it, and this is why I definitely believe in Bitcoin long term.
There is a spectrum of decentralisation, and I think every application in the world needs this "sovereign-grade" censorship resistance that you get with a network like Bitcoin; you might get with a network like Ethereum, that's a question; you definitely don't have with less decentralised networks.
Peter McCormack: Well, if someone's going to say decentralisation is a spectrum, it's usually because they're working on a protocol that isn't Bitcoin, so will be less decentralised. So, my questions would be, "Okay, where on the spectrum are you; and where are you headed?"
Lane Rettig: So again, this goes back to something we said earlier about risks. My issue is not necessarily with the spectrum, it's that people are not honest about it, or they're just ignorant about it. If you go down the road to one of these Solana Meetups, and you talk to all the developers who are very excited about the project, you try to have a deep conversation with them about this, it's just not something that's been communicated clearly to them, and I don't think they understand that. Maybe they don't care.
Peter McCormack: I don't think they care, and I think that's one of the points. If you separate Bitcoin and crypto, Bitcoin generally cares about decentralisation; crypto, I think, generally doesn't. If you're an NFT trader or a shitcoin trader, you don't really care, you just don't.
Lane Rettig: You're not going to have state actors coming after your board or whatever!
Peter McCormack: Exactly, and I just don't think people care, or they don't understand it, but I also think they're working on different problems, which is why I'm less hostile to it. It's like, "Cool, you want to trade NFTs, you want to go to Basel in Miami and run around and talk about NFTs, that's cool, go and do it". You're not trying to separate money and state, you're not trying to rebuild the global financial infrastructure with something that's more trusted. That's fine, absolutely fine with that.
But when someone comes and says to me, "Ethereum is ultra-sound money", and they are trying to step in the air of Bitcoin and say, "Look, we are competing now with Bitcoin, we're going to make claims similar to Bitcoin, but we are missing the pillars that make Bitcoin sound money", that's when I have an issue. So, look, if you want to build a distributed protocol, which is marginally decentralised, but really the benefits are that it's permissionless, and trade your NFTs, cool. Just don't start competing with Bitcoin and say you're ultra-sound money, because it's fucking dishonest, and that's just the area that pisses me off.
Somebody might go, "I might invest in this", and it might be another country, like El Salvador, that goes, "Well, maybe we should consider Ethereum, Ethereum's growing faster. It's got EIP-1559 and it's going to become, like those Australian academics said recently, it's going to become deflationary, so it's going to be an even better form of money", that's just fucking dishonest.
Lane Rettig: They're kind of missing the point.
Peter McCormack: Yeah, they're missing a lot of points.
Lane Rettig: And this again goes back to this question of intellectual honesty. It applies to proof of stake, it applies to a lot of this stuff. Maybe Ethereum does become deflationary, maybe it stays that way, but what's the governance around that; who's involved in those decisions? And this again connects back to this question, who's running the nodes, and what happens if you get a cartel? If you get a colluding set of powerful actors, who decide to make a decision in their own interest and you don't have that critical mass of node operators who can push back, or refuse to upgrade, or something like that, those safety mechanisms might be missing.
Peter McCormack: And also, we're going down rabbit holes here, but how useful is a deflationary currency in a protocol that's designed to be a smart contract platform? If it's costing you $1,000 to execute a smart contract, it says to me that trying to be ultra-sound money is in conflict with that. Look, we're going down a different rabbit hole, a different argument, but the point is that I think people just really, back to what Lyn said, if you're making investments, you need to understand what you're investing in.
Lane Rettig: Exactly.
Peter McCormack: If you're buying Ethereum because you want number to go up, fine, you need to understand --
Lane Rettig: Especially, there's also a time preference here, right, and bitcoiners are famous for having a very long time preference, they're very patient. This is one of the things I love about this community. And so I think, if I remember correctly, one of Lyn's points is, "Sure, you might have a thesis that the Solanas and the Ethereums are going to do well in a bull market in the short term or something, but how are they going to do in the long term?"
Peter McCormack: Well again, this is why I think the bitcoiners are -- fighting shitcoins just for the sake of fighting shitcoins, I started to feel is a little bit pointless. But I think that separation of "Bitcoin, not blockchain" or, "Bitcoin, not crypto" is an important differentiator, because anyone coming in thinks, "Oh, this cryptocurrency sector", which Bitcoin is one of. But actually, these things are fundamentally different. Okay, they use cryptography, they use a blockchain.
Lane Rettig: That's where the similarities end basically, right?
Peter McCormack: Well, it comes down to using maxi as a pejorative, "Oh, these maxis, they don't understand it". What we should really separate is to say, "What are we trying to do here? We're trying to separate money and state; what are you trying to do? You're not trying to separate money and state. Okay, a car has wheels, and aeroplane has wheels; one is going to drive you down the road, one is going to take you on transatlantic flights.
Lane Rettig: That's a good metaphor.
Peter McCormack: They both have wheels, but they're actually fundamentally trying to do different things. And I think not only bitcoiners, but people who are behind smart contract platforms should actually be onboard with this, because that separation is useful for them, for investors, for the entire market, for regulators, for everyone.
Lane Rettig: Here's the issue. I think the issue from the Ethereum perspective is that, I mean this has always been true, but it's especially true in a proof-of-stake world, in order for the Ethereum network to be secure, Ether has to have value. If it has that monetary premium, then other things being equal, it has more value. In the world you're describing, what you'd want to do is store your assets in Bitcoin, because that's the safest, most sound form of money there is; and then, when you need to do something on Ethereum or another platform, you move it over, you do your thing and then you move it back.
If you think about this as gold and silver, you have some small hot wallet or something that's plugged into Ethereum or another platform, and you just use it to use applications. But basically, you store your money in Bitcoin, which I think is a very rational thing to do. But you see what I'm getting at here. This is the reason that there's so much pushback against this idea; or rather that Ethereum people are so noisy about Ether being money, because if Ether has that monetary premium, then it makes the network more secure.
Peter McCormack: But it's in conflict with making it as a usable network for what it wants to be, to execute smart contract platforms, which is another thing I think was covered in the Allen Farrington paper, where they talked about the token actually within Ethereum presenting this kind of contradiction.
Anyone, look, we've gone down a rabbit hole, but useful information. But let's bring it back. Okay, proof of stake. My understanding is that Ethereum always planned to move to proof of stake. That is true, right?
Lane Rettig: Yes.
Peter McCormack: But it launched with proof of work. How does Ethereum's proof of work differ from Bitcoin's; what are the differences?
Lane Rettig: First of all, they're very, very similar, there's not a huge difference. The main difference is that the actual hash function that the miners are running to find the nonce is different. In the case of Bitcoin, it's SHA-256; in the case of Ethereum, it's something called Ethash. It doesn't really matter what that is doing, the point is it's just your -- I mean, do you want to talk about hash functions? It's probably not relevant, right.
Peter McCormack: No, we don't need that.
Lane Rettig: But the key distinction is the following. So, SHA-256 is a very simple algorithm that very early on, was moved over to specialised hardware. So first, it used FPGA-type things, and then later to ASICs, Application-Specific Integrated Circuits. So, if you wanted to mine, I was going to say competitively, I think at all in Bitcoin today, you need specialised hardware, right. Your friends at Compass and other organisations can help with that.
Ethereum mining, on the other hand, this Ethash algorithm was designed in such a way, and I'm bumping up against the limits of my knowledge here, but I think it's memory hard, or something, as opposed to SHA-256, which relies primarily on the CPU. So, for that reason, the best device to mine Ethash is actually a GPU, a graphics card basically, an ordinary graphics card.
Early on, the idea was that this is a democratising thing, because anyone anywhere in the world who has a GPU in their system can used it to mine Ether, to mine in Ethereum profitably. But there's a couple of issues with it. The first is that it's become very hard, very expensive to buy GPUs.
Peter McCormack: Pissed off the gamers!
Lane Rettig: Pissed off the gamers massively. I think other networks besides Ethereum have also used GPU mining. That's number one. But number two, the really interesting thing here, if you get into the economics, there's actually a nice thing about ASICs, which is they require a large capital commitment upfront. I think a miner S19, or whatever the most modern one is, they're now selling for more than $10,000.
Peter McCormack: Dude, I think I heard one today, somebody told me, they'd got offered one for $19,000.
Lane Rettig: Yeah, they've gone through the roof recently, for two reasons. One is because Bitcoin's doing well; and two is because of the supply chain issues, and it's hard to produce them, and there are only one or two companies in the world that are able to produce them.
Peter McCormack: Bitmain and --
Lane Rettig: Whatsminer, I think, is the other one.
Peter McCormack: -- Whatsminer, yeah.
Lane Rettig: Yeah, that have a stranglehold on the supply chain. So, that's not super great, but it means that if you are going to mine Bitcoin, you have this big capital investment, which going back to the question of sanctions and things, if you were to attack the network, you could be, how do I put it? At the point where you have the ability to have hacked the network, you might as well have just mined and earned revenue for yourself honestly, because if you attack the network, there's a chance that the network changes the proof-of-work algorithm, or something, and you brick all your ASICs.
Peter McCormack: Yeah, the game theory still works out.
Lane Rettig: It's game theory, yeah. That's the main difference between the two.
Peter McCormack: And just very quickly, in terms of block times and block sizes, how does Ethereum differ?
Lane Rettig: So, Ethereum is designed so it's still very similar to Nakamoto Consensus. I don't know if technically it counts as Nakamoto Consensus. You can think of it as a fork of Nakamoto Consensus. So, the block times are much faster. They're about 14 seconds, as opposed to Bitcoin's 10 minutes. It's still a Poisson distribution; is that the right term?
Peter McCormack: You're asking me?!
Lane Rettig: The blocks come up on average every ten minutes. I'm not a mathematician, obviously, but not precisely; you might get blocks faster or slower. The main difference in Ethereum is that it has this concept of uncle blocks. I don't want to spend a lot of time on this topic, but because the block time is much faster, it's often the case that two miners produce a valid block at roughly the same time.
Just like in Bitcoin, one of them will ultimately win and be accepted by the network as the next canonical block in the canonical longest chain; but unlike in Bitcoin, the other valid blocks can be included into the chain as these things called uncle blocks, where the transactions in them are not valid, but the miner who produced it still gets some rewards.
So, if you go back to SupplyGate, this was a big source of confusion there.
Peter McCormack: Hold on, is it like a sympathy block?!
Lane Rettig: I guess you could call it that!
Peter McCormack: It's like, I don't know, it feels like an empathetic --
Lane Rettig: What's the word for this? Consolation prize.
Peter McCormack: What do they call it? A participation trophy.
Lane Rettig: Okay, yeah basically, "Thanks for trying. You lost, but we'll give you this anyway".
Peter McCormack: Yeah, interesting.
Lane Rettig: It's an interesting mechanism. It's quite clever. It's one of the things that allowed Ethereum to have a shorter block time. That's proof of work.
Peter McCormack: What are the block sizes for Ethereum?
Lane Rettig: It's not super meaningful to talk about them in terms of kilobytes. I think in Bitcoin, you talk about mass and satoshis per kilobyte and this kind of thing; that's how fees are calculated. Ethereum's quite a different approach. The real limit is gas. I think it's still 12.5 million gas, which just limits the amount of computation that can happen per block. Bitcoin, I think, handles something like 5 or 6, maybe 7 transactions per second. Ethereum is more like 10 or 12, but not all Ethereum transactions have the same gas; some take a lot more, some take a lot less. In some cases, you can have a transaction that fills the entire block, if it's a very complex transaction.
Peter McCormack: Wow, okay. And, are there issues with latency with Ethereum being every 14 seconds?
Lane Rettig: Not really. So, I guess higher latency can produce more of these uncle blocks. There's been some good research done on this that within half a second or a second, the vast majority of the nodes in the network have received the blocks.
Peter McCormack: Okay.
Lane Rettig: But what I would say is that it can't really get faster. So, whatever it's at right now, I know that Solana and other blockchains have sub-second block times, or 1- or 2-second block times. I'm not completely sure how they do that from a network latency perspective; I think it's the blocks are finalised later, or something like that, but let's not go down that rabbit hole either. They're very similar, by the way, really, Bitcoin and Ethereum, in the way that they produce blocks and run this consensus.
Peter McCormack: Okay. And before we get into proof of stake, can we just very quickly talk about blockchain bloat with Ethereum and nodes, because I think it might have been Hugo, I don't want to misquote him, but somebody talked about recently that I think the total blockchain of Ethereum is around 9 terabytes, which makes it very difficult for anyone like myself to run a node. But somebody else said, "No, it's not, you only need to run a pruned node". I think it was Cobe who had a pop at me.
Lane Rettig: This is another topic that pops up again and again. Maybe we can try to set the record straight once and for all. So, there are multiple classes of nodes in Ethereum; let's talk about three. There's light nodes, full nodes, and full archival nodes. And there's a separate, but related question about when you boot up a new node, how do you synchronise it; how do you get the snapshot of a state?
So, a light client works just like SPV in Bitcoin. Basically, you just receive the block headers, and you're trusting the full nodes to execute the transactions. So, you're still trusting someone else; it's not trustless. We have this in Ethereum as well. A full node downloads all the data, all the blocks and executes all the transactions, assuming you do a full sync, not a fast sync. I think this is the reason people get so confused, is you have these two orthogonal ideas. You can have a full node that you booted up using a fast sync, in which case you're getting a snapshot of a state from a trusted peer.
But assuming you do the full sync from scratch, a full node is a full participant and executes every transaction, every state transition, verifies every block; so, it is completely 100% trustless, just like running a Bitcoin full node. And that's sufficient to do whatever you need to do in the Ethereum network, with one exception, which I'll talk about in a second.
I run one of these. It's not 7 terabytes. I don't know the exact number, but it's less than 2, so it's maybe 1.5, 1.6 terabytes right, which is not small. I mean, that's almost an order of magnitude bigger than Bitcoin.
Peter McCormack: But you could do it with a new Mac and you can get to 4 terabytes.
Lane Rettig: Here's the challenge; it's not the size. You can, for sure. The challenge is not so much the storage size. So, one challenge is that storage needs to be SSD. You can't use a spinning hard drive, you have to use a solid-state drive, because you can't keep up, there's just too many transactions. So, that's one issue; but yes, a modern laptop would have an SSD in it, I'm sure this one does.
The real challenge is the initial sync process; that takes a very long time. Even with a fast sync, you're looking at a few days. I can't remember, I think I did this last year, it was something like two or three days of -- actually, that was a fast sync. A full sync is probably longer, it's probably something like a week or two. It takes a very long time.
Peter McCormack: That's still not terrible.
Lane Rettig: I just synced the Bitcoin full node this week and it took seven or eight hours, very easy.
Peter McCormack: But a week is not terminal. There may come a time in a decade where Bitcoin is a few days.
Lane Rettig: Let me think. If it took me seven hours to synchronise a full node and Bitcoin's been running for, what, 11-plus years; so, after 30 years or something, assuming growth remains constant.
Peter McCormack: Yeah, and internet speeds don't --
Lane Rettig: Yeah, but they will get faster. But this is part of the beauty of Bitcoin, is that yes, the requirements are growing; but as you said a moment ago, they're not growing faster than the hardware. Ethereum is growing faster than the hardware, so it will become unsustainable. It's arguably there, depending on where you draw the line, and there are plans to address some of this in the transition to ETH 2.0 that's going to happen next year.
Peter McCormack: Can you do it with a Raspberry Pi, like you can a Bitcoin node?
Lane Rettig: Bitcoin for sure, no question.
Peter McCormack: No, I mean Ethereum.
Lane Rettig: I think you could if you had a big SSD, a huge SSD drive attached to it; if you had a 2-, 3-terabyte SSD attached to it. But in terms of the actual memory and processor, you're pushing it. The biggest Raspberry Pis are 8 gigabytes of memory. That might not be enough.
Peter McCormack: And also, even with the SSDs, if I get a 1-terabyte SSD for my Bitcoin node, that might still last me another five or six years. You could get a 3-terabyte one for Ethereum and need another one next year, so that's the risk.
Lane Rettig: Exactly. But the point I want to make here is that this is also a slippery slope.
Peter McCormack: Yeah, of course.
Lane Rettig: Increasing the requirements by 10%, maybe Ethereum increases by 10% a year, can have an outsize effect where suddenly 90% of the people who would have done this can no longer do this, so it's not linear. And once you start going down that path, the reason I say slippery slope, is you say, "Well, it's already hard, so it's not a big deal if we make it a little bit harder", and this is why the thought of increasing the Bitcoin block size is so risky.
Peter McCormack: But this is the issue, going back to Farrington's paper, that I keep referring to, is that if this is the case, Ethereum becomes more centralised, because less people can, or are incentivised to run nodes. You end up with nodes being run more in data centres and the data centres are the point of centralisation risk, where you can go to somebody with a risk of prison time or a gun and say, "Switch that off".
Lane Rettig: And we have this issue today in Ethereum with Infura.
Peter McCormack: Yes, but let's talk about that, because other people have said to me that we're not relying upon Infura, you can run a pruned node and it suffice. It doesn't include the transactions --
Lane Rettig: Just to close the loop on the conversation before, I said that there's light clients, full clients and full archival node. The only difference between a full node and a full archival node in Ethereum, is the full archival node stores all the intermediate states. What does that mean? It means, if I want to know my balance, not today, but as of a year ago, or a million blocks ago, in a full archival node, I can pull that out almost immediately. In a regular node, I'd have to reconstruct it from blocks and transactions.
So, a full archival node, Infura is running full archival nodes for sure. Infrastructure providers will run them, application backends might need them to, when someone sends a token in ERC-20, the actual balance update, if you want to know that that happened a year ago or two years ago, you need the full archival node to extract that data efficiently. But you don't need it as an everyday user.
Peter McCormack: But does Ethereum require full archival nodes; does the network require full archival nodes?
Lane Rettig: No. If there were none, the network would be fine, but certain applications would be more inefficient. Because again, you can always reconstruct back data from a full node, but it might take a little bit of time.
Peter McCormack: Okay, so if all the full archival nodes are turned off?
Lane Rettig: Ethereum would be fine. Let's just be very, very emphatic about that point; it's important.
Peter McCormack: Yes, it is an important distinction, but the risk therefore is those nodes that sit in the middle, the -- what did you call them? Not light nodes? You called them full nodes. The slippery slope is that the bloat is growing quicker than perhaps outpacing the speed of technology advancement.
Lane Rettig: Yeah, correct.
Peter McCormack: And also, they're just a pain to set up.
Lane Rettig: They're a pain to set up. I mean, again, I just synced a Bitcoin full node and it was very, very easy. I downloaded a thing, I ran it and set it and forgot it. Ethereum, it's more complicated.
The point I wanted to make though is you said, "What would happen if the full archival nodes went away?" Well, this is a bit of an existential question. It's like, what is Ethereum? If you think of Ethereum as just this estate machine with transactions, that part of the network would be okay, but a lot of the applications would stop working. In fact, I think almost all of them would stop working. So, the network would be okay, but for all intents and purposes, the applications would stop working. So, what is Ethereum, what's left at that point, you know what I mean? So, this is important.
Peter McCormack: Okay, so you need full archival nodes for the application?
Lane Rettig: For some applications. But the point is, you need them to run a service like Etherscan or Infura, and almost everyone relies on Etherscan and Infura. So, if you take those two service providers away, Ethereum would survive, but it would be a bumpy few weeks and months until alternatives could be designed and built and funded and everything.
Peter McCormack: Okay, so alternatives would be required.
Lane Rettig: And there are, to be clear. There are open-source, even decentralised versions of these things, but they just don't work very well. They're kind of funky and they don't really scale very well. Infura and Etherscan work really well. Everyone uses them for a reason, because they work really well.
Peter McCormack: But it sounds to me that therefore, it is a Whack-a-Mole, because if you replace it, you've just got to replace it with something else that's also complicated and has its own issues. Okay, all right. Well, look, helpful to know, it helped me to understand. So, let's talk about proof of stake.
Lane Rettig: Yes, let's do it.
Peter McCormack: Do we know why Ethereum, and when I say Ethereum, I say collectively, it wants to move to proof of stake?
Lane Rettig: So, we began talking about this earlier. My understanding is this has always been on the Ethereum roadmap since the very beginning, since the 2015 days. The goals were number one, to reduce the energy intensity, we talked about that part; number two, scalability, so proof of stake makes it much easier to do things like sharding, which we should talk about, and actually I had some notes, I'm trying to remember. Oh, right, the big one is that the security is cheaper. So, other things being equal, you can reduce issuance and maintain the same level of security, or have a higher level of security, in theory. Those are the biggest benefits to proof of stake.
Peter McCormack: Because the cost of validating blocks is a lot lower.
Lane Rettig: It's much cheaper. So, the miners don't have that initial capital outlay that they need. So, the difference is, if you buy an ASIC, that ASIC is a physical piece of hardware, it's a physical capital expenditure that, what's the word for it? There's an accounting term for this, it basically degrades over time. You have to amortise the -- depreciation, it depreciates over time, over something like, I think the life used to be a year or two. Now, I think it's two or three years you can expect them to still be profitable. But the point is, it goes away over time, and miners have to be compensated for that.
In the case of proof of stake, yes you have a capital outlay, in the sense that the stake, you have to buy the stake itself and lock it; but at the point where you stop validating, it stops ticking, you can withdraw the full stake, plus rewards.
Peter McCormack: Or, you already have a huge stake, because you got that as part of the premine with the creation.
Lane Rettig: Exactly!
Peter McCormack: Yeah, I'm being a dick.
Lane Rettig: No, but that is one of the problems of proof of stake, and we'll talk about that. So, per unit of security, the jury is a little bit out, but the number I've heard Vitalik cite, and I trust his maths, is somewhere between 5 to 15 times as capital efficient. So, you pay 5 to 15 times, let's just call it 10 times. Let's say you pay one-tenth of the rewards per block to get the same level of security. Alternatively, you pay the same amount and you get ten times more security, which is the cost of attacking the network.
Peter McCormack: Okay, so let's talk about what proof of stake is and how it works.
Lane Rettig: Sure. So, let's talk about how it replaces proof of work. So, proof of work, as we talked about earlier, as a miner, you need to spend, or commit, a scarce resource in order to buy the lottery tickets that make you eligible to potentially mine a block. And in proof of work, the spending that you're doing, the scarce resource that you're committing, is the electricity that you're paying for to run the miners to mine the blocks; that's pretty straightforward.
In proof of stake, you still need this. This is what's called "a civil resistance mechanism" to make sure that you don't have random actors out there who are adversaries, who don't have any skin in the game. This goes back to our conversation about consensus mechanisms earlier, this is how they work. The way that we replace the reputation-based system of a PBFT consensus mechanism with something like Nakamoto Consensus is that we replace this notion of reputation, or identity, with the burning of a scarce resource.
In the case of proof of stake, the scarce resource is the, what's it called? The capital that you're locking up, the time value of the money. I'm blanking on the term.
Peter McCormack: No, I understand what you mean. You're locking away your Ether.
Lane Rettig: And, you could do something else with that Ether.
Peter McCormack: Opportunity cost.
Lane Rettig: Opportunity cost. Thank you, yes. It's the opportunity cost of the locked capital, because you could use that, you could go invest that somewhere else, lend it out, do something, invest it in something else. So, that is your scarce resource. And if you misbehave in proof of stake, there's a couple of ways you could do that, you are subject to something called "slashing" in the Ethereum world. What that means is that a portion, or in the extreme case, all of that stake gets burned.
So, this is like an analogue to the idea of mining a bad block in Bitcoin and then the block's not accepted by the network, and then you've wasted the electricity. In the case of proof of stake, it's explicit, as opposed to implicit.
Peter McCormack: Yeah, I was going to say, yeah. Okay.
Lane Rettig: The sanction, right. That's the high-level idea.
Peter McCormack: Interesting, yeah.
Lane Rettig: Now, it's a bit more complicated than that. So, this is where I've gotten to in this protocol research that I've been doing. Nakamoto Consensus is a thing that works, and it's an equilibrium. What that means is that every time you kind of -- I'm trying to think of a good metaphor here. Imagine you have some big, fancy robot you've built and you're like, "I'm going to tweak it, I'm going to make it a little bit stronger". So, I'm going to increase the energy into the arm muscle, so it can fight better. But the act of doing that, you break something else.
So, every time you take this Nakamoto Consensus robot and you try to tweak it and improve it in some way, "I'm going to make the eyes stronger", you break something else. So, you knock this whole thing out of alignment, or out of equilibrium. This is the mental model that I've been working with, and this is the journey that we've been on, developing this proof of space time thing.
So, when you make this change that we just talked about, going from proof of work to proof of stake, you break a lot of the really cool stuff that we talked about, that you have for free, in Nakamoto Consensus. So for example, the self-healing thing that we talked about, that goes away; and the fork choice that we talked about, that goes away. So, by the way, I think this is the short answer to the question, "Why has it taken Ethereum and other networks so long to do this? Why has it taken us so long to do something different at Spacemesh?" I don't think any of us appreciated the complexity and how much fixing we'd have to do, after breaking Nakamoto Consensus. Does that help at all, that mental model?
Peter McCormack: Yeah, it does. There's lot of sticky plasters.
Lane Rettig: The point I'm trying to make here is you can't just make a small change, it doesn't work that way.
Peter McCormack: So, with proof of stake, you lock up -- are there amounts, like is it 1 ETH, 1 vote; 5 ETH, 1 vote?
Lane Rettig: So, different networks do this differently. There have been networks prior to Ethereum that have done this. There was Steemit Network way back, I don't know if they were the first.
Peter McCormack: I remember Steemit. They had the blog.
Lane Rettig: Correct, yeah, the blogging platform. So, they introduced this delegated proof-of-stake mechanism. Cosmos launched around 2019, also with a delegated proof of stake. You've got a lot of blockchains that do this. And in a delegated proof of stake, there's now another class of user. So, there's people who run the validator nodes, then there are ordinary people like you and me who have a few of the coins, we can choose to delegate them to one of the validators; it's a bit like pooling in proof of work. So, the validators earn rewards proportionate to the total amount of stake they've got, which is their own stake plus the delegated stake. Then you and I, as delegates, earn slightly less rewards. So, that's one model.
The Ethereum model is different. In the Ethereum model, there is a single fixed amount. Every validator must commit precisely 32 ETH and there's no delegation; there is pooling, if you have less than 32 ETH, or if you just don't want to run the validator yourself.
Peter McCormack: Okay, so I have my 32 ETH --
Lane Rettig: Which, by the way, is a lot of money. I mean, this is over $100,000 today, so this is one of the issues of proof of stake, is that the barrier to entry is high, but it's also high with proof-of-work mining.
Peter McCormack: It is, but really it's one miner, and you have to join a pool.
Lane Rettig: Right. So you're talking about on the order of $10,000 of capital outlay in the case of proof of work.
Peter McCormack: Not exactly true. I mean, some people are still mining S9s.
Lane Rettig: You had a bunch of these, didn't you?
Peter McCormack: I did, and I sold them.
Lane Rettig: What did you sell them for again?
Peter McCormack: 1.5 Bitcoin, I sold 70 of them for. I ended up, interestingly, about breaking even dollar value, but I lost heavily if I'd have just had the Bitcoin. Don't want to talk about it, fuck!
Lane Rettig: Worst trade ever.
Peter McCormack: But you learn from this, you know.
Lane Rettig: We all have our rekt stories.
Peter McCormack: I accept every part of my life that's led to me being here, me being sat here right now!
Lane Rettig: It's the only possible healthy attitude.
Peter McCormack: Life is okay, it's fine. Okay, so yeah, look, realistically if you want to mine Bitcoin, you really want to be buying an S19 now, you can go via, like you say, Compass, who are my sponsor, but you can get onboard for about, I don't know what the price is; $15,000, $13,000, whatever the price is you can get onboard, and it all just runs itself and you join a pool. And I guess with ETH, you lock up your 32 ETH via a pool?
Lane Rettig: You can run the validator yourself.
Peter McCormack: You can. But is it like owning one ASIC and your chance of validating a block's very small?
Lane Rettig: No, it's very, very different. So, we should actually get into this. But it's actually, I think, the Ethereum design's pretty good here. This is one area in which I compliment them. So, I can give you very concrete numbers, because I run one of these and I've been running one since the very beginning. So, 32 ETH locked up, that's not a small amount of money, in the very beginning. So, this went live -- just for context, Ethereum is soon to transition, via this thing called the Merge.
Peter McCormack: Soon, soon.
Lane Rettig: SoonTM. The latest figure I've heard is Q2 of next year, but they're really close, they are really, really close.
Peter McCormack: Didn't Vitalik just say Q1?
Lane Rettig: The latest I heard was Q2; Q1, Q2. I would be very surprised if it didn't happen next year, and I can tell you why.
Peter McCormack: Let's come to the Merge, okay.
Lane Rettig: So, what happens when the Merge happens --
Peter McCormack: No, explain this thing where you lock up 32. How do you win?
Lane Rettig: So, Ethereum launched this thing called The Beacon Chain in December of last year, so almost exactly a year ago, and it's a proof of concept. So, you can't do anything with it, there's no transactions in it. But what you can do is you can take your ETH from mainnet Ethereum, send it to a smart contract, lock it or burn it in that smart contract, and then you unlock that same amount on ETH 2.0 Beacon Chain, so it's like a one-way bridge, okay.
Then, having done that, you can then use that 32-ETH stake to run a validator on the Beacon Chain which, as I said is, up to now and up to the Merge, just a proof of concept. It's not processing transactions, it's not doing anything, it's just turning out blocks, just proving that proof of stake works.
Peter McCormack: Is that a two-way bridge?
Lane Rettig: One way.
Peter McCormack: Oh, so once you're in --
Lane Rettig: Once you're in, you're in.
Peter McCormack: And you're fucking hopeful this thing works.
Lane Rettig: You can use financial derivatives to get out. So, you could sell your ETH 2.0 validator keys to someone else, but effectively yes, you're locked in.
Peter McCormack: Are they selling for the exact same price; is there a premium?
Lane Rettig: There's a premium, because you get paid yield. Yeah, so you now have ETH and BETH. BETH is Beacon Chain ETH that trades on some of the major exchanges, and it trades at a discount, I think, because the point is if you hold it, you earn interest on it.
Peter McCormack: And it Beacon centrally a kind of testnet, or are the applications working across both?
Lane Rettig: Nothing is running on it yet.
Peter McCormack: Oh, okay.
Lane Rettig: At this moment, I wouldn't strictly it a testnet, because it will become the mainnet after the merge, but it is a proof of concept as well.
Peter McCormack: Is it an Alpha?
Lane Rettig: You can call it a Canary network or an Alpha, yeah, that's a good word, an Alpha. So, in the early days, a year ago, you earned about 15% yield.
Peter McCormack: Per annum?
Lane Rettig: Yes, per annum, annual yield. It was 15%, then it fell to about 10%, now it's down to about 5%. The reason it falls is because more ETH is moving over. Last I checked, there was about 7 million, 7.5 million ETH.
Peter McCormack: So, is it essentially one giant pool?
Lane Rettig: I'm not sure how to parse that question.
Peter McCormack: Well, because what I'm saying is --
Lane Rettig: That's the total security of the network. So the point is, if you want to attack the network, you need more than 7.5 million ETH.
Peter McCormack: No, what I mean is, if I put my 32 ETH in and you put your 32 ETH in, and we're the only two people, does every block evenly reward us both?
Lane Rettig: Yes.
Peter McCormack: And if Jeremy joins, does it equally three-way, or do we all compete?
Lane Rettig: So, over time, you win exactly a proportion of the rewards relative to your stake. So, if you've got 1% of the rewards, it's the same as Bitcoin in this respect.
Peter McCormack: Well, it's like a pool then?
Lane Rettig: Sure, sure, if you think about it that way, yeah.
Peter McCormack: If I point my hash at a pool, everyone in the pool gets an equal share, proportionate share of the rewards.
Lane Rettig: Right, but there's two mechanisms by which this could happen; I want to drill this point home, because it's important. In the case of proof of work, it's probabilistic. I have a probability of winning the next block, that's my hash power contribution over the total hash power. So, if I have 1% of the hash power, I have a 1% chance of mining the next block. Because of the law of large numbers, over a long enough time, over the span of a year --
Peter McCormack: It evens out, right.
Lane Rettig: Roughly, right. Proof of stake is different; it's deterministic, it's not probabilistic. So, what this means is that the protocol dictates that if have -- how do I put this? All the validators are precisely the same size, they're all the same stake. So what this means is, if there's 1,000 validators and I'm running 1, then every 1,000 blocks, I'm going to get what's called "a slot" where I get to be the block proposer, I get to be the one who creates the block.
This is really, really interesting, actually. On all the other blocks, I still get paid rewards, but I get paid a very small sliver of rewards, and that's for doing what's called "attesting". So, I see the last block that was produced and, just like in Bitcoin, just like we talked about, I check if it's valid, etc, then I notarise it. I sign it and I say, "This block is valid". This is the process of validating.
So, if you actually look at the rewards function over time, you held literally 0.001 ETH, 0.001 ETH, and then once, every few days, you get a big jump, "Oh, I've got 0.01 ETH", or something, and that's because I produced a block there, my validator produced the block.
Peter McCormack: Okay, interesting.
Lane Rettig: But if you zoom out, as I said, over the span of the past year, it's been about 10% API. It won't stay that high. As I said, it's already fallen down to 5%, but it's pretty decent.
Peter McCormack: I want to ask about the Merge and I want to ask about criticisms, but is there anything else on proof of stake that I should be aware of?
Lane Rettig: I think there are just two final points I would make before we transition. So the first is, we're talking now about validation and we didn't really get to talk about sharding. This is a technology that Ethereum is planning to introduce. It's not going to happen as part of the Merge, it's going to happen down the road. It's a scalability thing, where it's no longer the case that every node needs to handle every transaction. Each node is only responsible for a subset of transactions. So, proof of stake enables this. It's very difficult, maybe impossible to do something like sharding using proof of work, so this is just one point, another benefit of it.
And, the final one I'd make, and just being objective here, I think it's important to talk about this; I think Lyn spoke about this and you've had other folks talk about this as well. Proof of stake doesn't have a physical footprint in mining. So, if you are that miner in a place like Venezuela, and you're running a bunch of proof-of-work miners, you're using a lot of electricity and that has a physical footprint in the energy grid and the government can find you. And actually, I'm remembering now, this was the conversation you had with Alex and Eric, where you also talked a bit about proof of stake.
Peter McCormack: It's an interesting point.
Lane Rettig: And I agree with this point. Again, I have my criticisms, which we'll get to, but this is actually a strong argument in favour of proof of stake; that you can run these things anywhere in the world, and there's little to no energy footprint. In that respect, it's a bit more censorship resistant, and I think that, maybe I'm cutting ahead here, maybe we'll do a summary at the end, but it's good that these systems both exist.
Peter McCormack: Hold on, it's more censorship resistant?
Lane Rettig: In the sense that a government, a state actor could censor miners, because they could fine them, because they have this big energy footprint. Whereas, in proof of stake, there's no energy footprint, so you're invisible, and you can pick it up and move it. I can take my VM, my virtual machine, that's running my validator and ship it across the world in a few seconds. I can't do that with the physical infrastructure required for proof-of-work mining. So, this is a valid argument in favour of proof of stake.
Peter McCormack: And, is there no way of analysing internet traffic to find you doing this?
Lane Rettig: Very difficult, because the traffic is so low, and you can obfuscate it in various ways. It's a key distinction, and it's worth having.
Peter McCormack: No, that's fair, that's interesting.
Lane Rettig: Okay, we can move on!
Peter McCormack: Before we go to criticisms, you might need a long way to answer this, but this Merge sounds huge.
Lane Rettig: Merge with a capital M.
Peter McCormack: Yeah, it sounds like a huge undertaking. Does this Merge present any massive risks to Ethereum that something could be inherently broken or wrong? Could this bring down the Ethereum blockchain? Is there a process to roll back if it's a huge fuckup? Most things are beyond my technical skills, this is way beyond any of my understanding, but I can recognise that this is a huge deal.
Lane Rettig: Yeah, this is the biggest change to the Ethereum Network ever, by an order of magnitude at least, in terms of complexity. And I think you could make the case it's the biggest change to any production blockchain network of any size, of any meaningful size, ever. So, it's a huge technical undertaking. It's something that's been worked on for years. There's been a workup to this for years. I'm not personally involved in this process so, for example, to your question about, "What's the plan if it goes wrong?" I have no idea what the answer to that would be. I've been watching this as you have, kind of eating my popcorn, very excited to see it happen, preparing for the fireworks.
What I'll say in defence of the folks doing this is a couple of things. First of all, the fact that they've had this Beacon Chain running now for a year without any hiccups, no issues. And if you look at networks, like Solana's had at least two major outages recently. Other proof-of-stake networks have had issues. The Beacon Chain has not ever gone down, as far as I'm aware.
Peter McCormack: Has it really been stress-tested?
Lane Rettig: Good question. It's not processing any value, so maybe not. And, the fact that there are -- so, a key difference here between Bitcoin and Ethereum, which is quite interesting, is that in Ethereum, especially ETH 2.0, you have many independent client implementations. There's something like four that are all viable, that are all running the Beacon Chain right now; totally independent, written from scratch, different languages, different frameworks, different teams, different geographies, different funding sources. It's very decentralised in that respect.
All these clients have been running now, not only have they been running testnets, not only have they been running the Beacon Chain, they've also built testnets specifically to test the transition that, as far as I know, have gone pretty well. It's a huge change, there's a lot of risk, no question, there's a lot of risk associated with it, but this gets right to the heart of the philosophical differences between Bitcoin and Ethereum; we talked about this last time. Ethereum is very much about maximising innovation, moving fast and breaking things. I can't see Bitcoin ever trying to do something like this.
Peter McCormack: No, never. So, anyone observing is going to go, "What the fuck? Where did they come from?"
Lane Rettig: "Where did those cups come from?"
Peter McCormack: We just took a coffee break, we went to get coffee! Okay, let's talk about risks. This is what people are really going to care about. I mean, it was you who reached out to me. You said you wanted to talk to me about why you're not a fan of proof of stake, why you don't think Ethereum should go to proof of stake; is that fair?
Lane Rettig: I'm not sure I agree with that statement, but why I definitely think Bitcoin shouldn't go to proof of stake.
Peter McCormack: Well Bitcoin never will go to proof of stake. Okay, talk to me about the risks, talk to me about the issues with proof of stake.
Lane Rettig: So, we talked about the history, we talked about the potential benefits; let's talk about the darker side. Okay, let's start simple. One of the things we love about Bitcoin is that it's permissionless, and this means a bunch of things. It means that no one can stop anyone from transacting on Bitcoin, but it's subtle. So, it also means that if you want to participate in Bitcoin, obviously if you want to make a transaction, or do whatever, you need some Bitcoin, you need to be able to pay fees in Bitcoin, same as in Ethereum.
In Bitcoin, you can mine permissionlessly. That means that anyone, anywhere, at any point in time, who has the software and the hardware, can just spin up a mining node and start earning Bitcoin for themselves permissionlessly, truly permissionlessly. All you need is electricity and internet access, that's it.
This is not the case in proof of stake, because if you want a stake, someone needs to sell you the coins to stake in the first place, and this is closely tied to another issue with proof of stake, which is that proof of work is great for getting the initial distribution in place. So, when Bitcoin started, there were no Bitcoin in existence, and every block that was mined, obviously Satoshi mined the first few blocks and some of the early folks; that had the effect, over many years, of getting lots of Bitcoin in the hands of lots of parties around the world, casual hobbyists at the beginning and then later on, more professionals. It's also been the case in Ethereum proof-of-work mining.
Proof of stake doesn't work that way. It doesn't solve the distribution problem. So, in practice, what most of these projects and protocols do is they have a set of investors early on, and they just hand a bunch of coins to those investors. And those investors have the coins and stake them, and continue to earn more coins against them. So, as I said, it's not permissionless and it doesn't solve the distribution problem. So, those are two pretty straightforward, but big flaws I think with proof of stake.
Peter McCormack: Let me put an idea to you. I haven't thought this through, because it's literally just come into my head. But there is a lens on, let's say, the cryptocurrency community from different regulatory bodies in the US, the SEC being one of them. Do you think that there's ever a risk that to stake with Ethereum, you would be compelled to KYC?
Lane Rettig: Absolutely. I mean, I think language to that effect was literally included in the most recent version of the Infrastructure Bill, the one that actually passed, and there was a huge uproar about this a few months ago, that basically the language around the definition of operators, or even I think brokerages, something like this, was so loose that it could even include people who were doing things like staking. So, yes, that risk exists.
Peter McCormack: Is that the same risk of requiring miners to KYC in the same jurisdiction?
Lane Rettig: No, there's a specific carve-out for proof-of-work mining, which is interesting, right?
Peter McCormack: Okay, good, yeah.
Lane Rettig: So, Bitcoin is safe.
Peter McCormack: Interesting, okay. All right, carry on.
Lane Rettig: So, that's the first bundle of risks. Okay, the next one, and I'll just asterisk this by saying that Ethereum is working around this, because they bootstrapped with proof of work and they're transitioning to proof of stake. Ethereum is in a relatively unique position of being able to do this. Other proof-of-stake networks have not done this and if you've not done this, I mean we could talk about the premine, I don't think we need to, we talked about that last time; but if you set that aside for the moment, then at least since the mining started in Ethereum, the distribution has been pretty broad. So, this is less of an issue for Ethereum than other proof-of-stake networks.
The next one gets to one of the core criticisms that bitcoiners tend to have of proof of stake, which is this question of subjectivity versus objectivity, and knowing that you're on the right chain. So, another elegant feature of proof of work and Nakamoto Consensus that we didn't talk about earlier, is the fact that any actor can look at the latest block, in fact they don't even need the whole block, just from the block header alone, so a light client can do this, they can pretty much figure out for themselves that they're on the longest chain. It's purely objective, it's thermodynamic, it's based on the amount of work that was expended. And if they're given multiple chain tips, multiple blocks basically, they can tell totally objectively which one is the longest, without a shadow of a doubt.
What this means in practice is that, once you have that initial software running, you can shut your node down for an arbitrary period of time and boot it up later; and assuming there haven't been hard forks, and in Bitcoin there really aren't hard forks, right, you can turn it on ten years later and still find the latest chain, the latest valid chain. That's a pretty powerful thing to be able to do.
This is a big issue in proof of stake. So, let's talk about why. So, I'm trying to think of the best way to describe this. We have this issue, it's called "costless simulation". In proof of work, if you want to go off and mine a long chain and try to convince the world that your chain is the longest, it's going to be very, very expensive. There's simply no way around that, you have to spend millions and millions of dollars in electricity to run these hash functions to mine the blocks. That is just set in stone, and that is another elegant feature of the protocol.
In proof of stake, the process of actually constructing a chain is costless, in and of itself, assuming you have the required keys, in other words that you're in the validator set. So, any validator, from any point in the history of a chain, or any set of validators, can construct an alternative chain basically for free; does that make sense?
Peter McCormack: Yeah.
Lane Rettig: So, the easiest way to think about this is that you're a majority, you're two-thirds of the validators from a year ago or something, and you can just go back in time and just reconstruct a new chain. But even a minority set of validators could theoretically do this; it would just take a little bit longer.
Peter McCormack: A new chain, and would that be considered a fork, or would that be considered a chain split, the difference being I consider a hard fork as an accidental split, or a purposeful split designed because there's new rules of consensus?
Lane Rettig: I'm talking now about a purposeful split. It's a form of attack, and so this particular form of attack is called "a long-range attack".
Peter McCormack: So, it just becomes a new token?
Lane Rettig: Totally new everything. In the case of Ethereum, it's a total state fork. So, everything on Ethereum would be on the system, both chains. But here's the problem. The problem is that, if you have been online the whole time, you're running your validator, you're on a strong internet connection, you're very responsible, you upgrade it, you keep it running, you're fine. If someone presents you an alternative chain, you're going to look at it and say, "Well, no, this is not. I know what the real chain is".
The problem is, let's go back to the example we said a moment ago. Let's say that you start your thing up and you turn it off for some period of time, who knows what that reason is? Maybe you're in a part of the world where you have metered access to electricity or something, right. You turn the thing back on, and now you have two peers who send you two competing chains. You can't determine, in the same objective fashion, which of those chains is the right chain or the longest chain, like you can with proof of work.
The Ethereum people call this "weak subjectivity". You have this certain degree of subjectivity. Trust is what it boils down to. You have to trust some peer, or some subset of peers. In the case of Ethereum, it means you're trusting someone like an Etherscan or something, right, to tell you, "This is the right chain", and bitcoiners hate this for obvious reasons.
Peter McCormack: Is it that big a problem? It sounds like the kind of compromise that Ethereum people would be okay with anyway.
Lane Rettig: That's exactly the type of thing it is. And I think the argument that's usually advanced here is that there's already some degree of social trust. So, any time there's any network upgrade, hard fork, soft fork, whatever it is, you're probably going to GitHub, you're probably downloading a new binary, or the new source code, and maybe it's signed by the developers maybe it isn't; maybe you're responsible enough to check the hash of the file you downloaded, maybe you're not. The point is, there's still some social out-of-bend trust here that's baked into this whole system anyway, and so this is no worse than that.
Peter McCormack: Is there any reason why someone might choose to split the chain for selfish purposes to do this?
Lane Rettig: So, this is an interesting aspect of proof of stake as well. In proof of work, if you want to split the chain, again you need a lot of miners, you need a lot of capital investment, or you need to convince a lot of miners to join you. In proof of stake, you can fork costlessly; the cost is zero. And I'm now not talking about a long-range attack. A long-range attack, you're going off in the corner, you're doing something privately for a while, and then you flood the network with blocks and you try to confuse people. This is not like that.
Just like we had the Bitcoin Blocksize Wars and things, right, if you want to have a contentious hard fork and say, "I'm going to double the block size", whatever change you want to make, that's a very hard thing to do in a proof-of-work world, for the reason we talked about, where you have to convince a bunch of miners to join you. In proof of stake, you can just go in and change two or three lines of code, you can insert yourself as a validator or something.
The point here, the cost of forks is very, very cheap in proof of stake. I think you asked the question, I'm not sure if I spoke to it directly, but I wanted to get to this point because it's valid.
Peter McCormack: No, I understand what you're saying. Okay.
Lane Rettig: If you make it that easy and cheap to fork, a lot of this we just don't know how this will play out in reality, because it hasn't been around very long. But I would argue that one of the reasons we've seen so few forks in Bitcoin and Ethereum to date is because doing it in a proof-of-work world is expensive.
Peter McCormack: Yeah. This is why the Beacon Chain is still a testnet to me until the Merge happens, because either way some people are going to try fucking around with it, right?
Lane Rettig: Yeah, I mean I would say that Bitcoin and Ethereum are honey pots and there's a lot of money on stake there for anyone who can kind of…
Peter McCormack: If someone does that split, at that point though, there are two tokens? Because, if you hard fork Bitcoin --
Lane Rettig: But in Bitcoin, again, you know intrinsically which one is really Bitcoin. And it's always been the case that the longest chain was Bitcoin. And other segments that came in when there were social disagreements around block size, or something else, they were able to fork off. This is obviously not true in Ethereum, because of the DAO hard fork.
Peter McCormack: We covered that before!
Lane Rettig: We did!
Peter McCormack: Okay, fine.
Lane Rettig: So, you're making forks cheaper, so that's another interesting thing, not necessarily bad. You could argue that it's good, because you want to encourage forks if you have, again, like a subgroup in a community that really, really, truly differs in a way that can't be reconciled, let them fork off and do their own thing. So, it kind of could go either way. To me, this is a neutral.
Peter McCormack: Okay.
Lane Rettig: So, this is about trust model, that we have this issue of subjectivity and these long-range attacks. Let me tell you one tiny further point about this. Ethereum has some interesting approaches to fixing this. So, one of the issues historically with proof of stake is the Nothing-at-Stake problem, and this goes back to what I said earlier about the fact that it's costless to create a second fork. And if you do that and you're a validator and you see both of them, then in theory, the way the game theory works out, in proof of work you have to pick one. If you split your hash power in two and you try to validate or mine on both of these chains, you're probably going to end up with nothing; you're hurting yourself in proof of work.
In proof of stake, you're incentivised to validate both chains, because the cost to you is basically nothing to do that in a naïve model. Does that part make sense?
Peter McCormack: Yeah.
Lane Rettig: Good. Again, you're not splitting your hash power, there's no work associated with the process of validating. So, what Ethereum has introduced to fix this is this idea of equivocation. So, if you're a validator and you approve two different blocks at the same block height on two different chains, then on each of those chains, you can take the notarisation, or whatever, that message that you broadcast as a validator and signed, and broadcast it on the other change as what's called a "fraud proof". So, it's proof that this validator has been validating multiple chains, and then they get slashed.
So, this is Ethereum's way to address this Nothing-at-Stake problem, however it's still the case that validators need to be able to stop validating if you say, "Peace out, I'm done, I want to withdraw my stake". There's a long period of time, you have to wait something like weeks, or maybe even months, to be able to withdraw your stake and stop validating. Once you've done that, once you've withdrawn and that period has expired, you can no longer be punished, because you've taken your stake out, and you can still do bad things. After the fact, many months later, you can sell your keys to a bad actor who wants to use them to carry out the sort of attack we just talked about, this long-range attack.
So, that's how these things can happen. There's some very complex, interesting game theory there. There's not really a solution for this, other than social coordination, which requires some trust.
Peter McCormack: A lot of unknowns for a $500 billion, whatever it is, $600 billion protocol.
Lane Rettig: All right, let's go to the next one, if you're ready. So now, this does tie into Ethereum economics and premine and things like this.
Peter McCormack: I know where you're going; rebuilding the Keynesian model?
Lane Rettig: I think we're going to get there, yeah.
Peter McCormack: So, Ethereum's Cantillon Effect?
Lane Rettig: That's the final; I have a little star next to that, I want to conclude with that one.
Peter McCormack: Okay!
Lane Rettig: This one leads into the other. So, a proof-of-stake chain is subject to invisible capture; what does that mean? Once an attacker, or forget the term "attacker". Once a coalition or a cartel of stakers, validators, controls more than half of the stake in the network, it's game over, really it's game over.
Peter McCormack: So, this is the proof-of-stake 51% attack?
Lane Rettig: Correct. But the different is, in Bitcoin or proof-of-work mining, it's not game over, because another miner can come along and turn on additional hash power and reduce the stake of the attacker to below 51%. Again, it has this nice healing kind of mechanism.
Peter McCormack: I also think Harry Sudock told me realistically, you'd need way more than 51% anyway.
Lane Rettig: Yeah, it's complicated. There's theoretical attacks of less than 51% in practice. You need way more, because as you're building -- you have exactly half, and if you're building a chain, the other chain is growing. So, if you want to get ahead, yeah. Proof of work is very resilient to this sort of attack; proof of stake is not.
Peter McCormack: But also, if you were to -- the game theory of issuing a 51% attack against Bitcoin is super expensive. We're talking in magnitude of billions of dollars, and you still would probably lose.
Lane Rettig: Right, I would agree with that.
Peter McCormack: The only people incentivised to do that feel like a state attacker.
Lane Rettig: So, this gets back to this question of ASICs versus GPUs, which we talked about earlier. With GPUs, with a network like Ethereum, where the mining happens using GPUs, GPUs are a commodity hardware, you can rent them on Amazon or Google Cloud. So, you could actually carry out an attack, even a 51% attack, against even a network like Ethereum for a brief period of time by renting that hash power.
You can't do that to Bitcoin because of the ASICs, because they're limited in supply and we always talk about state actors, and what if China or some other country wanted to come in and attack Bitcoin; I think a lot of the ASICs are manufactured in China, maybe China could. But the point is, it would take you so long to get that hardware, by the time you got it, the world would have moved on, the hash power would be higher. It's totally unrealistic.
Peter McCormack: And the attack would be obvious when it starts to happen, so the network can respond.
Lane Rettig: Yeah. So, okay, right. This is a good way to connect back to what I said about invisible capture. It's a little bit different, it's not exactly a form of attack. It's not necessarily the case that you could do things like double-spending or violating the rules of the protocol because again, anyone running a node, to the extent that they exist, would still notice that.
Peter McCormack: All six of them!
Lane Rettig: Yeah. So, another nice property of proof of stake is you can see the attacker's identity, because they have a stake associated with that wallet, address, or whatever it is, that identity. So, yes, you can do things like burning their stake or slashing them or just evicting them, and they can no longer attack. So, I'm not really talking about attacks in that sense, I'm talking more about economic, I think capture is the word I'm using here.
So, state capture is an idea in politics and you see this all over the world, in failing governments, and for that matter you probably see it in your government and my government as well, where certain organs of the state are captured by powerful economic interests and they fail to fulfil their mission and stand up for the rights of the people, because they have a small number of wealthy people controlling them. This happens all over the world.
So for me, the whole point of crypto in the first place, and of Bitcoin, is that it's the people's money and the people's network and it's completely protected from capture. But with proof of stake, again any time you have a coalition of actors who have more than half of the stake of the network, it's game over in the sense that they can never be diluted, period, full stop. Does that make sense?
Peter McCormack: Yeah.
Lane Rettig: Because they have the majority of the stake and they're earning the majority of the state. Lyn gave, I think it was Lyn, in that article, she gave a really funny example of this. She said, "Mary, the schoolteacher, earns $20,000 a year and is given 200 voting tokens by the government", because in proof of stake, the degree to which you're able to vote is directly proportional to your, I guess, wealth, let's say. So, she's got $20,000 in the bank, she gets handed 200 voting tokens, and then she gets paid for voting. So, she gets paid $200 to vote.
Jeff Bezos has $100 billion in the bank, so he receives 100 million voting tokens from the government and gets paid $100 million to vote. So, this now gets into this Cantillon effect question. But the point is, you have these wealthy actors, a small number of wealthy actors, who dominate the network and continue to get paid just simply for being wealthy.
Peter McCormack: And can never be caught.
Lane Rettig: It can happen invisibly, right, because in the case of Ethereum, all of the validators have exactly the same 32 ETH, so they're indistinguishable from one another. So, you could have a single wealthy actor, again this goes back to the Ethereum presale, so at this moment, 60% or something of the ETH that exists was issued in a single moment at the presale, so you have some very small number of actors who control a very outsized proportion of the stake of that network. You'll never know, you'll never be able to see it, because to you, each validator will just show up as another pseudonymous actor.
Peter McCormack: And they have a great way to earn a massive amount of yield on that now.
Lane Rettig: So the Cantillon Effect, by the way, super interesting, something I've begun to look into because of conversations on your show, it states that money is not neutral, money is political, and inflation does not impact everyone or every sector of the economy equally. And the way it's usually characterised is to say that the actors who are closest to the organs of power in the state are the ones who benefit the most from inflation issuance and things like that; they're close to the money spigot, so to speak.
So this is, I think, proof of stake is a perfect example of this. Those powerful, wealthy actors are highly incentivised to evolve the protocol in such a way that whether they intentionally do this or unintentionally, subconsciously sometimes we do things out of our own self-interest in a way that's not necessarily good for the overall health of the network, or the minnows as opposed to the whales.
Peter McCormack: But this goes back to my point why I think it's so important to distinguish between what Bitcoin is and its goals, and what Ethereum is and its goals. And if Ethereum's goals, if people within Ethereum say that the goal is that Ethereum is ultra-sound money and it's better money than Bitcoin, then it's fundamentally dishonest.
Lane Rettig: Right, because the thing is, when they say that, they're looking strictly at --
Peter McCormack: Number Go Up.
Lane Rettig: -- issuance and burn, minting and burning, that's it. But it's narrow, because they're leaving out all these nuanced aspects of the governance and the stuff we're talking about now.
Peter McCormack: Also, the ethics of what makes sound money, they're totally missing that. Because, one of the points, one of the big issues for bitcoiners with Bitcoin being sound money, is being in opposition to the Cantillon Effect. It's that we're not in this position where those closest to, as you say, the money spigot benefit most. It is a complete open, fair network.
Lane Rettig: I think there's a good way to express this, and this also comes from, and I keep mentioning this, the fantastic article from Lyn. Just put it in the show notes, read it --
Peter McCormack: It will be there.
Lane Rettig: -- excellent, excellent metaphor, and this is a metaphor of companies versus money, like stock equity versus money. So, proof of stake is a lot like equity, it's like the way companies work. Companies are not democratic, it's not one person, one vote; it's one share, one vote, and we're kind of okay with this. Why is it okay? Why do companies want to do this? They want to do it, because it's efficient. You can have a small number of actors, sitting in a room together around the board table, making decisions quickly. Democracy is slow and messy.
Why are we okay with it? We're okay with it, because companies, we can choose to transact with them or not. You chose to buy your laptop from Apple and we chose to buy these coffees at Starbuck's. We could have gone to Birch Coffee down the street if we don't like Starbuck's, in a healthy functioning market economy.
Now of course, the place where this starts to get messy is the question of the Facebooks and the Googles of the world, these platforms that are monopolies, to some degree. But at least in theory, we have the choice to transact with companies or not. So, sure, companies may be a little unfair, without a doubt the people who are close to the money spigot of these companies are the ones who are benefitting the most. But it's not democratic, and it's not egalitarian in the way that Bitcoin can be. Does that make sense?
Peter McCormack: Yeah, definitely.
Lane Rettig: I find this metaphor very helpful.
Peter McCormack: Okay, these are all interesting points, but they're points you can argue over, debate over, and Ethereum people will defend it whatever, which means they have a different idea and goal for Ethereum as maybe bitcoiners do for Bitcoin. Are there any existential threats to Ethereum with any of this, or is it just a different thing?
Lane Rettig: That's a great question. I love this question, by the way, "If something were to destroy Bitcoin, what would it be? If something were to destroy Ethereum what would it be?"
Peter McCormack: I mean, Bitcoin, what could destroy Bitcoin?
Lane Rettig: The list is getting shorter and shorter.
Peter McCormack: Good government with good monetary policy.
Lane Rettig: Yeah, what's the likelihood of that happening in our lifetime?!
Peter McCormack: Zero. I take that from Saifedean. The loss of all power on earth. I mean, they're very large events.
Lane Rettig: Like macro, political, global.
Peter McCormack: They're apocalypse-type events.
Lane Rettig: If they happen, we've got bigger problems to worry about than the loss of Bitcoin.
Peter McCormack: Maybe global coordination between major states, and minor states maybe. But like you say, they're getting smaller and smaller.
Lane Rettig: I think the list for Ethereum of course is longer. For me, the biggest threat to Ethereum is certainly not Bitcoin per se, it's not any particular threat vector; it's I guess obsolescence, is the word I would use. So, Ethereum is in this weird, middle position. We have Bitcoin on one hand that's absolute, like we talked about last time as well, slide the security level up to absolute maximum, maximum sovereign-grade censorship resistance, maximum decentralisation, these sorts of things. And then you have, in the opposite extreme, centralised databases and the Firebases, and Solana and these other projects are somewhere else.
But the point is, because Ethereum's in the middle, in this direction, the real risk is regulatory. The risk is that governments around the world coordinate, which is not super likely, but it could happen and it is happening right now around global tax regime; they're trying to establish a minimum tax base globally. So, there's some precedent for this. They coordinate to decide that they never shut things down completely, but they just make it harder, there's more KYC and this and that. And in parallel to that, it gets harder and harder to run a node, so there's fewer and fewer of them; so in practice, when the state comes knocking, there are only five or six actors globally, known actors, in countries like this one, that they could knock on the door and kind of make it expensive or difficult to transact. So, that's the risk in this direction.
The risk in this direction for Ethereum, because it's in the middle, is that it gets outperformed by Solana, or by more centralised projects.
Peter McCormack: Yeah, it's a really interesting thing, the situation with Solana right now.
Lane Rettig: Very interesting.
Peter McCormack: If you're an application builder, smart contract developer, if you're an NFT distributor, why would you choose Ethereum over Solana?
Lane Rettig: The short answer is standards. The short answer is that EVM is eating the world, and when I say EVM, this is of course the Ethereum Virtual Machine. This is the part of the Ethereum node that actually executes the smart contracts. In very concrete terms, EVM is a set of instructions that contracts can run to do things like moving money around and issuing tokens and changing state, and these sorts of things.
But what it really means is this whole ecosystem that's emerged around it. So, this is the tooling that the developers use to write the smart contracts, this is the language, Solidity, that compiles to it. There's other languages that are compiling to it. This is tools the developers use to do things like profiling and debugging their code, even just the ID, the editor integrations, the auto completion, little things like this that matter. This developer ergonomic stuff matters to us as developers.
It's also this ecosystem of auditors. This is a big one, it's a little underappreciated. It's taken years for this ecosystem of auditors to emerge and it still takes months and costs hundreds of thousands of dollars to get professional audits done. Good luck getting that done on Solana, or on any of the other dozen smart contract languages that are emerging.
I want to share, we're struggling in a very big way with this question in Spacemesh today, and I think a lot of projects have to be. We've been building our own VM and our own smart contract language. Should we throw them out the window and just recognise that the world has moved on, and the vast majority of projects want to just use existing code, use existing relationships with auditors and just do everything in Solidity and EVM? That's the short answer to your question. That's why a developer would choose Ethereum.
However, Solana and all these other platforms are responding to this, they're not dumb, by introducing EVN-compatibility modes, where you can take Solidity code that's been built and deployed on Ethereum and deploy it on Solana.
Peter McCormack: Well, listen, I mean I'm glad to hear about it from you. As you know, I'm just not a technical person. I'm very happy within the Bitcoin world, I'm very happy storing my money in Bitcoin, I'm very happy building a business which is backed by Bitcoin, or businesses. Do you know what the difference is? I know what Bitcoin is. I still don't know what Ethereum is.
Lane Rettig: I don't either, and I've been doing this for years.
Peter McCormack: It just seems like a big fucking mess of stuff, like all this stuff it can be, can do. And maybe people using it know what it is to them, and that's fine and that's cool for them. But for me, all you've done is you've revalidated why I care so much about Bitcoin, because I care about the mission about separating money from state and giving people sound money. It's really simple.
Lane Rettig: And by the way, I agree with that mission. It's the best mission out there. We're only 2% of the way. You've talked to Alex about this many times, and other folks who are doing this. We're only 2% along the road to executing on that mission as bitcoiners. We've got our work cut out for us, so it's not that there's not plenty of things for us to work on in Bitcoin with the tools that we have at our disposal.
Peter McCormack: But the thing is, the mission is simple, "What are you doing?" "Separating money and state". "What is it?" "The best form of money that ever existed". It's really easy to say what it is, what is Bitcoin, and it's a really easy mission to get behind. And then really, while Satoshi brought together all these complicated parts to create the system, actually the design is elegantly simple and beautiful, and I just think Ethereum's the exact opposite on everything, "What is it?" "I don't know. It's a smart contract platform, it's ultra-sound money, it's a platform --"
Lane Rettig: If you ask ten people, you'll get ten different answers.
Peter McCormack: Yeah, "What's the mission?" "I don't know what the mission is". "How does it do it?" "Well, it's all this fucking stuff!"
Lane Rettig: Again, ask ten people, get ten different answers. By the way, I've heard Vitalik and other stakeholders in Ethereum admit that this is one of Ethereum's issues, is that it's a big tent politically and it doesn't have a unifying mission, and this is a big part of my story, why I chose to stop contributing to that project two years ago.
Peter McCormack: Well, this is why it's so important to separate what they are, and I would just say to Ethereum people, they really need to figure out what they are, what they're going to be.
Lane Rettig: What do you want to be when you grow up?!
Peter McCormack: Well, it's almost an impossible mission, because you almost need that dictator to decide it, which would be Vitalik, or you let the community decide. But the community's so fractured in terms of what it has been and what it's going to be.
Lane Rettig: The community's also very busy chasing Number Go Up, and that's frustrating to see. I actually love a lot of the stuff that's happening with NFTs recently, because at least there's an element of creativity there. I shouldn't say there isn't in DeFi, there is as well. There's a lot of creativity happening there, but it's --
Peter McCormack: DeFi hacks, man, DeFi hacks. All I see is another $100 million here, another $100 million there, and I'm like, what the fuck is this?
Lane Rettig: Growing pains!
Peter McCormack: Mate, honestly. Listen, Lane, always like talking to you, consider you're a good friend now, and I appreciate you coming on and talking about this. We both will get some shit for various different reasons, but I learn so much from you and it just reinforces why I care about Bitcoin, the very simple mission we're on. But yeah, I learn a lot from you and thank you so much, and I wish you the best. We'll do another thing in another 6 to 12 months. We'll figure another topic where we can have your world and my world converge. But yeah, thanks, man, appreciate it.
Lane Rettig: Amazing. Great to be here. I look forward to it and I've learned a ton from you and the guests you've had on the show, so keep up the good word.
Peter McCormack: I think you've learned from the guests, not me!
Lane Rettig: Especially Lyn.
Peter McCormack: Especially Lyn, yeah. Going to be interviewing her this week in person, which I'm very excited about. We've done 12 or 13, never in person. I'm trying to think of the big topic to do with her, and I haven't fully figured that out, but I'll talk to you about it when we've finished.
Lane Rettig: I'm sure she could speak brilliantly to a ton of topics. I started reading all the other stuff she's written and it's great. Everything's better than the last.
Peter McCormack: Dude, if I tell her I've bought a football club, she'll probably tell me how to run it and she'll have the best solution! Listen, anyway, take care, man. Appreciate your time.
Lane Rettig: Thank you, you too, you're welcome.