This week on The Defiant podcast we speak with Justin Drake, a researcher for the Ethereum Foundation. He’s at the forefront of the biggest change to happen in Ethereum’s history: The transition from Proof of Work to Proof of Stake, also known as The Merge. We go into what the next steps are before this change happens, how exactly it will be executed, and what the risks are. Last week, right after we recorded this interview, fellow researcher Tim Beiko suggested the switch would happen in September.
Justin dives into how the change to PoS will impact users. Justin argues The Merge will make Ethereum the most secure blockchain out there, while reducing ETH supply, putting Ethereum on its way to becoming the settlement layer of the internet. Still, The Merge will only bring marginal improvements in scalability. Justin discusses what the roadmap is for Ethereum to be able to support millions of transactions per second, from around just 10 today.
🎙Listen to the interview in this week’s podcast episode here:
📺 Watch the video here:
🙏 Thanking our podcast sponsors:
1inch is a DEX aggregator that finds the best rates across multiple networks. Why use a single DEX when you can use them all? Find your best deal at 1inch.
Web3 with a16z, a new podcast about the next internet, from a16z crypto
0x/Matcha makes sure you’re getting the best possible price by routing trades over various DEXs, without taking commissions. Head over to matcha.xyz/defiant.
👀 Only paid subscribers have access to the full interview transcript below.
Camila Russo: Okay, here we are with Justin Drake. Justin, welcome to The Defiant Podcast, it’s so great to have you here!
Justin Drake: Thanks for having me!
CR: Justin is a researcher at the Ethereum Foundation. He’s at the core of one of the most important changes that are about to happen in Ethereum’s history, probably ever. So, as everyone listening to the show probably knows, Ethereum is about to change from Proof of Work to Proof of Stake in a transition that is known as The Merge. Ethereum’s application layer will merge together with the Proof of Stake chain that’s already running, and this is a major engineering research challenge that’s about to go [live on] the most active blockchain on the planet, so it’s a big deal. I think Justin is one of the best-positioned people to walk us through exactly what this will mean. So Justin, super excited to talk about this, and if we can, just start with the basics so it [gives] a very broad overview of what The Merge is. If you can, just give a little bit more detailed explanation of what’s going to happen, and then we can get into why it matters.
Merging the Ethereum mainnet with the Beacon Chain
JD: Okay, sure. So as you said, The Merge is a protocol upgrade to the Ethereum blockchain. And it is the removal of Proof of Work for Proof of Stake. One thing that makes it very unique is that there’s two chains that are being merged into one, hence the name, The Merge. The way that we usually do upgrades is that we have a single chain where we decide on a certain block height, and at that block height, we move from an old set of rules to the upgraded set of rules.
Now, the reason why we have this second chain, which is really unprecedented, is because we wanted to really test this Proof of Stake before having all the activity on Ethereum be secured by it. So about a year and a half ago in December 2020, we launched a Proof of Stake chain. During this time, we’ve been able to do several things. One is that we’ve been able to observe the chain and make sure that it’s running properly, and it has been very smooth for the last year and a half. We’ve always also been able to fix a bunch of implementation bugs. We have this bug bounty program and people report bugs to us, which are [then] fixed.
Another very important thing that we’ve been able to do during this time is to improve so-called client diversity. So the way that the Proof of Stake upgrade is organized is that there is… a Python spec which is meant to be very readable, but not at all optimized for production-grade clients, and there’s client teams all over the world that are implementing this spec. And the reason why we want client diversity is partly to mitigate against bugs. So it’s a huge upgrade with a lot of new complexity, and if one of the clients or maybe two of the clients have bugs, that’s not necessarily a systemic risk for Ethereum. There are five different Proof of Stake clients, and now we’re in a position where no single client has more than 50% of the stake.
The final thing which is very important that has happened during this [past] one year and a half, is that the economic security — which is the total amount of ETH stake — has grown tremendously from basically zero ETH at the very beginning, all the way to 13M ETH today, which is roughly 15B. The reason why I call it economic security [is] it’s the amount of U.S. dollars an attacker would need as a budget to go attack this chain. So to perform a 51% attack, it would be the equivalent on Proof of Work to buy[ing] enough… mining rigs, connect[ing] them to the grid, and go attack Ethereum. And now one and a half years in, we’re confident that this new chain — which we call the Beacon Chain — is secure enough to secure the Ethereum transactions and states. So in a few months, we will be in a position where we can completely remove the Proof of Work component, and all the transactions — which are currently being secured by Proof of Work — will then be secured by Proof of Stake.
CR: Very cool. So why is this important? I understand… the huge complexity of this happening and how careful you guys are being in having run this chain for a year and a half to make sure there’s no bugs, client diversity, and making sure there’s enough ETH staked on this chain to secure it, and so on. But why is it so important to change from Proof of Work to Proof of Stake?
Enhancing the security and efficiency of Ethereum
JD: So the upgrade gives us two things. One is on the topic of security and the other one is on the topic of efficiency. So let’s go through security.
First, one thing that I mentioned is economic security, which is the amount of money that an attacker would need to perform a 51% attack. Right now, to go attack Ethereum, you need on the order of let’s say $5B to $10B. With the transition to Proof of Stake, this is going to grow to $15B, and it has a lot of room to grow well beyond that as more ETH is gonna be staked. And as maybe the price of ETH goes up, another big security upgrade is this notion of penalties.
So in Proof of Work, you can only reward the miners [and] it’s very difficult to penalize them. The reason is that there’s basically no way to either retract rewards that we’ve already given them or destroy that economic security — which is the mining rigs — it’s very difficult to do that. Whereas with Proof of Stake, we have a setup where every unit of stake is identified under a so-called ‘pub key’, and the stake can be reduced or completely removed. And one of the upsides for this is that if there is a 51% attack, then the chain can recover. So in the context of Proof of Work, if someone can 51% attack for a small period of time, they can 51% attack essentially inDeFinitely. Whereas with a Proof of Stake, we have a healing mechanism where the chain can basically identify the attackers and remove them from the system. And in the process of doing so, actually increased scarcity of Ether the asset, because some ETH has been destroyed.
One of the cool properties of this healing mechanism is that we can actually put a bound on the number of times a chain can be attacked. So… for example… if there is 10M ETH which is honest and staking, then in order to perform an attack, you need at least another 10M ETH. And when you do perform the attack, you’re gonna lose that 10M ETH. And so if there’s only 120M ETH out there, then an attack can only be performed 11 times. So that’s on the topic of security… this is important because the end goal for Ethereum is to become the settlement for the internet. So, really, we want to have ideally trillions of dollars of economic security and have a platform where people have enough trust to go build infrastructure on top of it.
The second big upgrade is in terms of efficiency. So one is power usage efficiency. Right now, Ethereum uses between 0.1% and 0.3% of all the electricity produced in the world. And after the move to Proof of Stake, that’s essentially going to almost zero… Roughly speaking [it’s] a 10,000x reduction in the electricity consumption. The other big efficiency improvement is related to issuance. So issuance is Ether that’s created out of thin air to fund and subsidize the security of the chain and incentivize consensus participants to show up. Now, one of the things you can look at is how much issuance do you need per unit of economic security? And it turns out that Proof of Stake needs roughly 30 times less issuance per unit of security than Proof of Work. So there’s this 30x increase in efficiency, which means that we can have drastically less issuance. To give you concrete numbers, right now, Proof of Work issues 13,500 ETH every single day. And at the point of The Merge, we’re going to be issuing roughly 1,600 ETH, so it’s roughly an 8x reduction in issuance — hence the name that is given to it, which is ‘the triple halvening’… Three Bitcoin halvenings is roughly a reduction of 8x in issuance, which is what Ethereum will enjoy in a single moment, as opposed to having to wait 12 years in the case of Bitcoin.
CR: Wow. Is this because of what you mentioned before, that there is this added kind of security measure… of punishing validators? Is that why you need less issuance?
JD: It’s slightly different. The reason why we need less issuance is because in an open and competitive market, the profits kind of tend [to go toward] zero. Now, in order for the profits to tend to zero, we need the income to match… the costs for consensus participants. Now, let’s compare the costs of Proof of Work versus the cost of Proof of Stake. In the context of Proof of Work, you need to buy mining rigs and you need to pay for electricity — these are huge costs for every unit of economic security. Whereas in the context of Proof of Stake, you have basically what’s called opportunity cost, which is the cost of money — which might be on the order of 3%, let’s say. And in the context of Proof of Work, what we’ve seen empirically is that for every $1 of economic security, you need to issue $1 every single year, and a 100% issuance to cover the cost is much [higher] than 3% per year of the total security.
Will The Merge bolster Ethereum’s decentralization?
CR: Got it, interesting. Is decentralization also part of… why Proof of Stake is meaningful? Because the way I understand it now, hopefully the barriers of entry to becoming a node operator are a lot lower. Like you said before, as a Proof of Work miner, you have to put up all this infrastructure and have all these expenses. But now, with Proof of Stake, all you need is capital — you need 32 ETH to stake, and that’s pretty much it. So do you think that increases Ethereum’s decentralization because you have more people who are able to become node operators?
JD: Right. So the barrier to entry to becoming a consensus participant is definitely reduced, and that could lead to more decentralization. For example, I was not previously and I’m currently not a Proof of Work content participant, but I am a Proof of Stake participant — and I can do that from my home on a very low-powered computer.
Now, there’s different flavors of Proof of Stake and the different ways to build Proof of Stake. I think Ethereum distinguishes itself in the sense that it supports many, many validators. So Ethereum today has over 400,000 validators, whereas other Proof of Stake mechanisms might only have hundreds or maybe a few thousand of validators. So having this capacity to have many validators is kind of one of the requirements for the barrier to entry to be so low.
One of the things that I do want to highlight is that it’s not necessarily sufficient to have a low barrier to entry for validators. One of the things that we’ve seen empirically is that a significant amount of the ETH that is staked is done actually through pools that could be in the context of exchanges or Lido. So one of the things that I think needs to be done is to do more education, first of all, to highlight how easy it is, or it could be to be a solo validator, but also to highlight a lot of the risks that come with delegating and going through a pool — risks around slashing and correlated failures.
So slashing… if these operators start misbehaving then it’s possible that there could be a case for the community to come together and slash that stake. There’s also the possibility of inside jobs — ‘not your keys, not your coins’ basically, and various other risks which you don’t have to bear when you’re a solo staker.
Justin Drake’s transition from Bitcoin to Ethereum
CR: I’d love to go deeper on that topic, but before we do, first, I want to learn more about you and how you got to this point. You become one of the main faces of Eth2.0, if you want to call it that… So what’s your background? I know you’ve been in crypto for a long time and that you started out in Bitcoin and then went to Ethereum. So yeah, I would love to hear your story.
JD: Sure. So I’ve always kind of been quite geeky. In my teenage years, I was fascinated with mathematics and eventually went on to study mathematics at university. When I came out of university, I started doing programming and around 2013, I discovered Bitcoin, as you said, and went down the rabbit hole and became obsessed with it. I started the Cambridge Bitcoin meetup group where I live in the U.K. I operated a Bitcoin ATM. I started a Bitcoin startup which was building on top of a decentralized peer-to-peer marketplace called OpenBazaar. Then eventually, in 2017, I joined the Ethereum Foundation, basically to work on what used to be called Ethereum 2.0 — which is a series of upgrades, which include the move to Proof of Stake, but also include other features like sharding.
When I joined in 2017, there were very few people doing research at the Ethereum Foundation on this topic. I was expecting for a protocol which was tens of billions of dollars large to have a whole team dedicated to this and be very professional. But it was a very ragtag team and it was very small. The fact that it was so small meant that there was an opportunity to have a very high impact during the early days of Ethereum. And yeah, now we’re in the position where we’ve done a lot of hiring, we’re much more professional, [and] it’s a much larger team — on the order of 25 people. 25 people is still quite small, but I think this is one of the things that we’ve learned in the blockchain space is that small teams can have a huge impact. You can look at the Uniswap success story, even the [client] implementers. So there’s five Proof of Stake clients, and there’s also four so-called ‘execution clients’ — basically clients that will execute Ethereum transactions, clients like Geth, for example. And all these teams combined, these nine teams are maybe less than 100 people, and they also have a massive impact.
CR: How small was the team back in 2017? How many of you were there?
JD: It was about five people, something like that.
CR: Wow, okay. Why did you decide to go from being so deep in the Bitcoin ecosystem, with a Bitcoin startup and running a Bitcoin ATM, and then just full-on Ethereum?
JD: So as a startup building on top of OpenBazaar, I got to observe the OpenBazaar team, which at the time, when I started, they were kind of Bitcoin maxis and they were trying to do everything on Bitcoin. I could see that they were really shoehorning everything into Bitcoin. There was this, this identity system built on top of Bitcoin, there was this escrow mechanism built on top of Bitcoin, and [it] was just so painful for the OpenBazaar team… I could just see that this was not the right approach. Back then Ethereum was very nascent, it didn’t have much credibility. I was trying to push them to move towards Ethereum, but they were pretty resistant.
So what happened is that I kind of had Ethereum as my side hobby, but my day job was effectively building on top of Bitcoin. As time grew on and on, I became more and more interested in Ethereum and more and more frustrated with Bitcoin. When my startup ran out of money in 2017, I decided ‘I’m gonna take some time off and focus on… my hobby, which was Ethereum. And I watched a talk by Vitalik discussing the data availability problem, and I spent a few weeks thinking about that. I had this new, potentially promising direction to solve the problem and emailed Vitalik. We had this conversation, and a few weeks later, he offered me to join the research team.
Executing The Merge
CR: Amazing, very cool. And then years later, here you are, about to execute this huge change. So what are the steps [from] now until The Merge, and then after, if you can walk us through that? I understand in the past couple of months, all the Ethereum testnets have been executed — or most except one, right? I think there’s one Testnet still missing? So yeah, if you can guide me through what’s missing for The Merge to happen, and then when it does, exactly how will it happen?
JD: So we’re kind of at the end of the quality assurance process. So as you said, we’ve gone through many different types of testnets — some devnets, some so-called shadow forks, as well as some of the persistent Testnets. The last persistent Testnet that we are going to merge is called Goerli, and what we’re hoping to do is for that to be kind of the final big rehearsal. We’re hoping for the client’s codebase to be at that point frozen so that the difference between the Goerli codebase and the mainnet codebase is as little as possible so that we reduce risk. Hopefully, the Goerli merge should happen in a few weeks, around early August maybe — but that’s going to be decided during the next… AllCoreDevs call… In terms of the long-tail of test suites, which is called ‘the hive test suite’, there’s over 100 tests that various teams need to pass. Maybe on average, each team is failing about 10 or 15 tests, so there’s still a little bit of work there to polish everything up. But once this has happened, I think we’ll be in the position to have this frozen code base for Goerli.
Now, in terms of once we’ve decided everything is ready, how do we actually merge on mainnet? So there’s two things that need to happen. One is that we need to hard fork the Beacon Chain, and that hard fork is called Bellatrix, and we also need to hard fork the current EVM chain, and that’s going to be called Paris. Now, once these two chains have been hard forked, they will be kind of merge ready, so they will be pending some sort of trigger in order to actually perform The Merge.
The trigger is rather unusual. Usually, the trigger, as I mentioned earlier, is that you have a certain block height, and at that block height, you trigger the upgrade. But for various technical reasons, we’ve decided to use the so-called total difficulty. So total difficulty is the sum of the difficulty of every single block. So this is a number that keeps on increasing, and then we’re going to have what’s called a ‘terminal total difficulty’, so some threshold after which once a total difficulty goes above this threshold, that’s when the two chains will merge.
CR: Why does… the Beacon Chain and the current Ethereum chain need to be forked in order to merge?
JD: The reason is that they both need to be aware of the notion of The Merge, and they both need to be looking at the other chain and kind of doing this dance, and then at some point kind of kissing — that’s when <laugh> The Merge happens.
CR: Okay. So the problem is that right now, these two chains are not aware of each other and that The Merge needs to happen. So that kind of piece of code needs to be implemented, and that’s why they will both be hard forked to include that change. Okay, that’s so interesting. And then they’re both hard forked when this difficulty… threshold is crossed. And then what happens practically, how are the two separate networks joined?
JD: So, practically, what will happen is that there will be a very last Ethereum block which will be secured by Proof of Work, and then the next one will be secured by Proof of Stake, and from the perspective of users and developers, almost nothing will change. One of the bigger changes is that the block times will change. Right now, block times are kind of this randomized process where Proof of Work averages around 13 seconds per block. With Proof of Stake, we have these fixed duration, 12-second slots, so we’ll have much more predictability and regularity in the production of blocks. That could also mean that The Merge will give us a very small scalability boost, because we’ll have roughly 10% more blocks than we had [before]. One of the common misconceptions around The Merge is that it gives us a huge scalability boost, but that’s not at all the case.
CR: So what happens with the old chain?
JD: Arguably, the most important part of Ethereum is the EVM state. And the EVM, which processes transactions, is where all the economic activity lies. This is where all the network effects are, and this is really preserved and kind of maintained throughout The Merge process. And so, as I said, from the point of view [of] a user, nothing changes — this is one of the big reasons why The Merge took a long time, because we really wanted it to be as [non]disruptive as possible for users and preserve everything. The only change really is behind the curtains or under the hood where we’re kind of changing the engines.
This engine metaphor might be a good one. If you imagine a car which is running, it started off with having a single engine, maybe a combustion engine, which is a Proof of Work security engine. And then at some point… while the car was running, we kind of put in a second engine which you can think of as an electric engine — but the second engine was not connected to the wheels. So during a year and a half, we tested this electric engine. We made sure it was working properly. And then at the point of The Merge, we’re basically shutting off the combustion engine and we’re removing it and we’re connecting the wheels to the electric engine, all while the car is still running. So from the perspective of the driver, you shouldn’t really observe any real differences.
CR: I love that metaphor. Is there a chance that [when] the Proof of Work chain is thrown away… kind of like what happened with The DAO fork, that Proof of Work miners just keep that chain alive and there’s another kind of Ethereum classic situation?
JD: So one thing I do want to highlight is that the past doesn’t change. We are still preserving the history of the Proof of Work chain, it’s just that the future of it goes away.
Now, as with any fork, anyone can permissionlessly extend both sides of the fork, and it’s quite likely that there will be someone, at least one person in the world, trying to extend the chain. What I expect will happen is that there will be almost no economic activity on the Proof of Work chain because there’s a very strong social buy-in for moving to Proof of Stake. There’s also reasons why having these contentious hard forks where both sides of the fork survive is no longer really viable in our day and age. The reason is, to a large extent, because of DeFi, and because of wrapped assets like USDC, USDT, or Wrapped Bitcoin… or even for DAI…
So in the context of these wrapped assets, they need to choose one of the chains, which is the canonical chain. And this choice is a forcing function for one of the sides to be preserved and have a healthy DeFi [ecosystem], and the other side of the fork to basically have a DeFi ecosystem which will completely collapse where everything will be liquidated and it’ll be total chaos for a period of time. And then, after this period of time, everything has to be rebuilt from scratch. So you’re not really preserving the network effects of today if you’re going to be building on top of the Proof of Work chain.
CR: Interesting, I can’t wait to see it play out, who knows what will happen to the old chain and the DeFi ecosystem there. [It’s] pretty surreal this other side kind of situation. So ETH itself, the asset will remain the same and functional in the new Proof of Stake chain, right? There won’t be two ETH tokens? How does that work?
JD: Yeah, that’s correct. There’s only one ETH token, and it will work the same as before. I mean, one major difference is the production of new ETH, the issuance is going to dramatically go down by roughly 8x. I guess another thing maybe worth highlighting is that the ETH supply will live in two places — so there’s going to be the balances within the EVM, but there’s also balances within the Beacon Chain, so there’s these two containers that each hold ETH. Right now there’s about 107M ETH on the EVM chain and 13M ETH on the Beacon Chain. And one of the things that I expect is that there’s going to be a rush of ETH from the EVM chain to the Beacon Chain shortly after The Merge. And that’s for a couple of reasons.
One is that if we can merge successfully, then a lot of the execution risk around The Merge will have disappeared. So some people that were kind of on the fence [regarding] stak[ing] because of the risk that maybe Proof of Stake will never happen and withdrawals won’t be enabled — that risk goes away to a large extent. And the other big reason is that after The Merge, all the transaction fees that currently accrue to the miners — that includes the tips, the portion of transaction fees which is not burnt as well as the MEV, this extra revenue for the consensus participants when it comes to ordering the transactions — all of that will go to the validators, and the rewards for the validators will roughly double. Right now, it’s only, let’s say, 4.5%, and that should roughly double to around 9% after The Merge. So because there’s gonna be this very big incentive for people to stake, we’re gonna see this migration of ETH from one container to another container.
CR: Interesting. So when you talk about ETH in the EVM chain, does that include ETH locked in DeFi [and] in smart contracts?
JD: Yeah, all the ETH. If you take the sum of all the balances on the EVM that will give you roughly 107M ETH.
CR: Okay, so what you’re saying is that investors will have a bigger incentive to deposit that ETH on the base layer and stake it instead of keeping it earning yield in DeFi because that risk will have disappeared, so now it’ll be worth it for investors.
JD: Mm-Hmm. I mean, another consequence is that the yield [offered] in the context of DeFi should roughly match the yield that you get on the Proof of Stake chain. One of the reasons is that if you could borrow at a rate which is significantly lower than what you can get on the Beacon Chain, then people will borrow the ETH in DeFi and then stake it, and then make a net return because they’re paying less than what they’re receiving as rewards on the Beacon Chain.
CR: Right. So that difference should arbitrage away so that it’s roughly equal. So speaking about issuance, yield, and staking and all of that, I’d love for you to talk about this concept of ‘ultrasound money’, which I believe you came up with and then the Bankless guys amplified. Can you go into what you mean by that exactly?
JD: Sure. Actually, Vitalik came up with the concept, but he called it something slightly different. He called it ‘supersonic money’. I only came up with the term ‘ultrasound money’, and basically it kind of started as a joke, making fun of Bitcoiners and gold bugs [who] believe that gold and Bitcoin is sound money because it can’t be artificially debased through issuance, and they’re very proud of their capped supply. There’s a finite amount of gold in the Earth’s crust, and there’s going to be a finite amount of Bitcoin which is going to be issued.
ETH is in a very unique position in the context of money because after The Merge, the amount of ETH that is being burnt through transaction fees through this mechanism called EIP-1559 is actually greater than the amount of ETH that is being issued on the Beacon Chain. Historically speaking , since the fee burn was activated, we’ve burnt 7,500 ETH every single day. When you compare that to an issuance of 1,600 ETH, it’s pretty clear that the supply will start going down. So what will happen is that at the point of The Merge, the ETH supply will peak around 120M ETH and then it will start going down and find a new equilibrium — maybe around a 100M ETH, 80M ETH, 60M ETH, this depends on various economic factors. But the reason why it’s called ‘ultrasound money’ is because it’s kind of trying to one-up, to kind of distinguish itself from other monies, and there’s this somewhat competitive and zero-sum dynamic in the context of money.
What is money? Money is an asset with monetary premium. And what is monetary premium? It’s kind of this social agreement, this illusion that, as a society, we’ve decided to endow this asset with value above and beyond the intrinsic value, the utilitarian value. So maybe one good example here is gold. Gold has intrinsic utilitarian value because gold is being used in iPhones and all sorts of electronics. It has this industrial use case, but if you try and model what should be the fair value of gold for its industrial use cases, you come up to roughly a market cap of $1T, but gold actually has a market cap around $12T. So where does this extra $11 trillion come from? It comes from people using gold as money, taking it and locking it underground in vaults and having this artificial specification on the asset, and this societal belief that it should have this monetary premium. The fact that ETH will have this unique supply curve where it peaked and then the supply goes down is a distinguishing factor for it to gain monetary premium.
But there’s other interesting distinguishing factors. One could be, for example, economic security. After The Merge, ETH will be the most secure blockchain on earth. And the reason is that the amount of economic security of Bitcoin today, which is the most secure blockchain, is on the order of $10B. Post-merge, [Ethereum] will have $15B of economic security. So [Ethereum will] combine the most security [and] the best scarcity… It is possible that Ether will distinguish itself as a monetary asset and could become the money for the internet of value.
CR: Very cool. When you say Ethereum is the most secure chain, is that measured by the amount of money that’s needed to do a 51% attack?
JD: Exactly, and that term is called economic security.
The risks of The Merge
CR: Okay. Going back to the stages of The Merge, just to get it clear. So [let’s say] the final test is done, all the teams check all the boxes they need to check, they pass all the tests. The Beacon Chain and Ethereum hard fork so they know about each other, this threshold difficulty threshold is met. The engines are changed in the car <laugh> and the next block that happens on Ethereum is now secured by Proof of Stake. And in all of that process, investors who have deposits in DeFi, users who are transferring Ethereum, making payments… people flipping NFTs… all of this economic activity… whatever people are doing on Ethereum… — all those thousands or millions of people, they won’t have to care about what’s going on under the hood? Is that right?
JD: Exactly, that’s correct. And that’s one of the reasons why we are moving away from this Eth1.0 and Eth2.0 terminology, because it kind of suggests that these are different systems, potentially with different tokens, potentially starting from scratch all of this economic activity — but actually, it’s one unified Ethereum. And so that’s why we’re actually calling these two layers of the stack the consensus layer — that’s the Proof of Stake — and the execution layer. The execution layer — which as you said, contains all the NFTs, all the DeFi, all the investments that people have made — this is untouched, and the only thing that’s changing is the Ethereum consensus layer.
CR: And then whatever is happening on the old Proof of Work chain, if people kind of want to keep running it, that’ll be like its own separate universe that won’t affect what’s going on on the new chain?
JD: Exactly right. It could be called ‘Ethereum Proof of Work’ or something like that.
CR: Right. So what are the risks? I mean, there has to be huge risks here. What are some of the things that keep you up at night [that] are still scary about all this?
JD: One of the risks is execution risk around the clients. Basically, there’s a lot of code which is pretty fresh and it has very little so-called Lindy [effect], it hasn’t lived for a long time. It hasn’t secured a lot of economic activity, so it hasn’t really been battle-tested. Our strategy [for] hedging against this execution risk is to have client diversity. If you go to clientdiversity.org, you’ll be able to see the share[s] of the various clients, and we’re in a position where client diversity is very strong. One of the things that will be really, really bad is if there is a single client which has more than 66% of all the ETH staked and they have a bug, because that would lead to a so-called ‘finalized checkpoint’ which finalizes this bad chain. That would require some sort of manual intervention to fix that, it involves a social layer, which would be extremely messy. So instead, we want to make sure that no single client has more than 66% of all the ETH staked so that this scenario doesn’t doesn’t happen. And actually, there’s various so-called in-protocol thresholds where things could become bad if a single client has more than this threshold. So 66% is enough to have finality.
One-half, 51%, is enough to control the fork choice rule. So what does that mean? It means that if a single client has more than 50% of the stake and they have a bug, then history could be rewritten. The recent history could be rewritten because they would have the dominant chain — everyone could follow them and then they would kind of suddenly roll back to the last finalized checkpoint. And then we’d start rebuilding with a correct chain. The good news here is that it doesn’t require any manual intervention, it’s kind of an automatic process. But the bad news is that there is this potentially fairly deep reorg that could happen, and that could lead to some double spends or some chaos in DeFi.
The next, less bad threshold is one-third. And one of the things that can happen if you have a bug with a client with at least one-third of the stake is that you disrupt finality. So we have this finality gadget, which requires at least two-thirds of the validators to be online. So if one of the clients has this liveness bug, meaning that all the validators go offline at the same point in time, then the finality gadget stops progressing, but that’s not too bad because in the grand scheme of things, the finality gadget is one of the improvements over Proof of Work.
Proof of Work has no concept of strong economic finality. The chain can always reorg people talk about the six confirmations because it’s very rare that reorgs of depth six could happen. But in theory, they could happen. With Proof of Stake, we have this notion of economic finality, which means that if we have two inconsistent finalized blocks, then we have the mathematical guarantee that at least one-third of the validators will get slashed, so it’s a very strong economic guarantee. So if it were to happen today on the Beacon Chain, at least 4M ETH would get slashed, which makes it rather unlikely that will happen.
CR: So, right now, do any of the clients meet these thresholds?
JD: No. So I think when we were in a position where the dominant client, Prysm, was just over 66%, we were in a very precarious position. Now, that has improved down to 40%.
CR: Okay. So they’re all below the 51% and the 66% thresholds, which are the more dangerous ones.
CR: Okay. So these risks around clients and how much ETH they’re holding, that’s something to watch. Is there anything else that you’re concerned about?
JD: Yes. So there’s also potential design issues, it’s just possible that Proof of Stake was not well designed. And one of the known vulnerabilities which I’m somewhat worried about is around the fact that every block proposal on the Beacon Chain is known in advance. So what an attacker can do is that they can observe the peer-to-peer network — the gossip player — and associate an IP address to every single validator. So when it’s the turn of a validator to propose a block, they can DDoS this IP address and basically prevent a beacon block, or the Ethereum block, from being produced. That could lead to somewhat severe disruptions on the Ethereum chain.
The other thing which is slightly worrisome is that it could be in the economic best interest for some validators to go and DDoS other validators that are fellow validators. The reason is because of MEV and these transaction fees that I was talking about. So consider this scenario, for example, where you’re a validator in slot N, and in the previous slot — slot N minus one — you go DDoS them so the validator just before you doesn’t produce a block. That means that all the transaction fees that they would have received instead go to you, which is bad. The good news here is that there’s some short-term fixes that validators can apply. They can have somewhat fancy networking setups and we’re expecting all the big staking pools to have that, and maybe some of the home validators to also have that eventually, if attacks do happen. And then there’s a more permanent kind of fix to the whole problem which is the so-called ‘secret leader election’. So secret leader election is a way to sample for the next block proposals in such a way that anyone observing the chain can’t see who will be the next proposers. The next proposal only reveal themselves when they’ve made a block and whoever has won the lottery — whoever will be the next proposer — can know when they are the next proposal.
CR: Is there something that would need to happen in another upgrade in the future? It seems like that would be kind of the longer-term fix that you’d want, right?
JD: So that would be an upgrade, that would be a hard fork. And that might happen, I don’t know, one to two years after The Merge. But if there are real attacks on home validators especially, which are the most vulnerable, then we could try and expedite that.
CR: So going back to the topic that we were discussing earlier in the conversation about ETH being concentrated in these pools — Lido is the biggest one, and there was a lot of concern early on about Coinbase and other centralized exchanges concentrating a lot of staked ETH as well — how does that risk play into all of this?
JD: So one piece of good news is that the system, even if it has malicious actors, is extremely robust. So one example, as I mentioned, if an attacker takes over one of these large pools and uses it to attack Ethereum, if they try to rewrite history, if they try to have these two inconsistent finalized points that will lead to mass slashing — that will lead to basically this one-time attack [where the network is] able to heal from this one-time attack. There’s another, what’s called a ‘safety attack’, and we’re very well hedged against those with this automatic slashing mechanism.
There’s another type of attack that someone can try and do, which is called a ‘liveness attack’, and basically it boils down to censorship. So if, for example, Coinbase has more than 50% of the stake and they decide that [they] don’t want certain transactions to go through, [they]’re gonna censor some types of transactions and because they control the full choice rule, they can actually go ahead and censor these transactions, very similar to Proof of Work. If you have more than 51% of the hash rates, you can censor transactions. Now, the good news is that with Proof of Stake, unlike Proof of Work, the social layer has the ability to identify the censorship and to go slash Coinbase. But this is a much more expensive process because it involves a social layer, so there’s a lot of governance and coordination that would need to happen in order to remediate this censorship.
Another thing that I do want to highlight as well is not just the actual security properties of the chain around safety and liveness, but it’s also around the perceived safety and liveness of the chain. And this is important when it comes to trying to become ultrasound money, it’s important for it to be maximally and credibly neutral. And at the end of the day, money is all about memes, right? You could say it’s kind of a confidence game. The fact that Lido has such a share kind of gives it this perceived centralization and this perceived weakness, even though in practice, the Ethereum chain can defend itself, even if there is an attack that happens.
Mechanisms to punish malicious validators after The Merge
CR: So many interesting concepts here I want to ask you about. On the fallback of the social layer, deciding to slash these centralized attackers would mean that anyone who deposited ETH or delegated ETH on Lido or on Coinbase, they would lose their funds too, right?
JD: Right. So it turns out that the governance layer has a whole suite of things that they could do. The most extreme thing that they could do is slash 100% of the funds. And as you said all the Coinbase users would lose their funds. And actually, that’s one of the risks of staking with Coinbase is that Coinbase kind of goes crazy or gets co-opted by regulators and then eventually gets slashed. But there is a spectrum. One of the least damaging things that could happen is a so-called forced ejection. So you can identify the ETH that is staking, and you can eject them from the Beacon Chain, from the validators, and put them back in the EVM. And then what you could even do is you could say ‘we’re gonna have a timeout of one year, we’re gonna take this ETH which has been misbehaving, and we’re gonna freeze them for one year’, that’s possible. Maybe you could also say ‘we’re gonna freeze it for one year and we’re going to slash 10% of it, and if you do it a second time, then we’ll slash 100%. So there’s a whole kind of spectrum of things that could be done.
One of the things that I’ve been thinking about is what are the most credibly neutral things that you could do? What are the Schelling points? Slashing one hundred percent is a natural Schelling point because it’s very simple. Ejecting is also very simple. The fact that there’s a time parameter, or there’s a decision to be made around how long are we gonna freeze these assets if we do eject and not slash, and how much do we slash — that could lead to a lot of coordination overhead because people suddenly need to agree on these parameters. So my two preferred options would be first forcefully eject, that’s kind of the least disruptive thing which is still credibly neutral. And then if there is a second attack, then slash 100% of all the ETH.
CR: Yeah, that does sound pretty fair, and at least [it] kind of prevents people losing their money immediately.
JD: Right. It gives people the option to withdraw from Coinbase when they realize ‘hey, the community is not happy with this behavior’. And we’re actually happy to go ahead and perform action at the social layer [too].
CR: The second follow-up question that I have on that is on this kind of social layer. Deciding to slash or punish bad actors, that can kind of go either way too — it seems like a double-edged sword. It seems like sure, maybe the social layer can work towards the common good, but what if the social layer, which sounds pretty ambiguous — is it kind of like Ethereum’s AllCoreDevs? Just people kind of participating in calls, governance, polls, and stuff like that? It’s just like pretty kind of soft and, and mushy, the definition — can that one day just turn against the rest of Ethereum participants and work against the majority? Can it become a source of censorship itself?
JD: So, one thing that I’ll mention is that anytime social governance intervenes, there’s now suddenly a fork. So there’s these two chains, and now the social layer — the actual users, or the investors, or whatever it is — they can choose one of the chains. So you always have optionality.
The other thing that I want to highlight is that I think the best-case scenario is that the social layer is never actually used. This might be a little similar to the powers of the queen, for example, in the U.K. She has these discretionary powers — I dunno exactly what they are, maybe she could dilute the parliament or something. In theory, she has those rights, but she will never use them in practice. And I think it’s a similar thing where [the social layer is] kind of a deterrent. The fact that it exists is fantastic, but it’s not actually meant to be used.
This is somewhat similar to optimistic rollups — which is a little bit of a tangent here. But basically, the way that optimistic rollups work is that you make these claims about the state of a chain, called a rollup. And you have a bond… a piece of collateral, whereby if you make an invalid claim, then you lose your collateral. And there’s a dispute process for challenging these bad claims. So the game theory would suggest that we would never see these invalid claims, it makes no rational sense for people to go do that. And the fact that there is this dispute mechanism is where the value lies, not in the actual usage of that dispute resolution process, which shouldn’t, in theory, be used.
CR: Yeah, it makes sense. The fact that… whatever decision or intervention would be a hard fork, so there’s still kind of that last resort of validators [and] investors choosing one chain or the other. And then speaking of optimistic rollups and starting to kind of wrap up, I want to talk about the future of Ethereum because, as you mentioned, one of the misconceptions [about] The Merge is that it’ll be a huge improvement in scalability, and that’s not the case. You said maybe it’ll be a marginal improvement because there’s an increase in the number of blocks, but [that] huge scalability will come from elsewhere in the roadmap. So I want to talk a bit about that, because I think that’s the main issue for most people using Ethereum. Maybe not now that things have cooled off, but at least in its long history, that’s been the issue holding it back from mass adoption.
JD: Okay, so what is the scalability story? It starts today with a chain which is extremely non-scalable — [Ethereum today] can process on the order of 10 transactions a second. Now, we want to be in a position where Ethereum can settle the internet of value, where every person on Earth can make, let’s say, a hundred transactions every single day. That would require on the order of 10M transactions a second. So we somehow need to grow 1,000,000x. It seems like an insurmountable problem, but it turns out we can do it. And it’s maybe… philosophically a similar scaling story to the internet, where… 20 years ago, it was maybe difficult to download the video or even an image. Nowadays, we have instant video chat.
So at a high level, there’s three 100x tech scaling technologies that compound on each other. The first 100x is rollups. So that will bring us from 10 transactions a second to 1,000 transactions a second. And the idea here is that we are only going to use Ethereum to settle the data of the transactions, not to… perform execution. Instead, the execution will happen off-chain, either with optimistic rollups and kind of these challenge games if there’s bad claims, or using very fancy mathematics called SNARKs… which are these succinct mathematical proofs that you can give the chain that all the execution that happened off-chain is actually valid. And it turns out that today, people are paying 1% of the gas costs for data and 99% of the gas costs for execution, so when you remove this 99% gas costs for execution, you get a 100x scalability boost with rollups.
Now, the second 100x improvement is sharding. The idea here is to provide more data for the rollups to go consume… and to grow that by roughly a factor of 100x. And the idea here is that, right now, we’re in a position where every consensus spot does this redundant work of downloading all the data — the whole Ethereum blockchain — before they can sign off on them and say ‘yeah, this is a valid Ethereum block’. So… instead, [sharding is] this clever mechanism where every validator only has to download a very small portion of the block. So that allows us to have much larger blocks, roughly on the order of 100xs larger… from a data perspective, and so that means that rollups can have 100x more throughput. So that brings us from 1,000 transactions per second with rollups to 100,000 transactions per second.
Now, what is the final 100x technology? Well, it turns out that we kind of get it for free, almost, and it’s basically the equivalent of Moore’s law, but for bandwidth. So the empirical observation is that consumer bandwidth improves roughly 50% every single year. So, if you compound that over, let’s say, 10 years or 12 years, that brings us to another 100x. Now, why do I highlight bandwidth? The reason is that if you take kind of a fundamentals approach to the scalability of blockchains, there’s various computational resources that are at play. There’s execution — like CPU cycles, there’s storage, there’s so-called disc IO — which is how fast you write and you read to disc, which is currently the bottleneck on Ethereum, and you have bandwidth. It turns out that the very first three can be removed with fancy technology… called statelessness, where basically clients no longer have to store the state and no longer have to read and write to it.
So you remove storage as a bottleneck, and you remove dis IO as a bottleneck, and you can also remove execution at the bottleneck with these SNARKs — where basically you do all the execution off-chain with potentially very powerful computers — and then [in] this very constrained environment, the consensus participants don’t have to do that execution. And so you’re left with the fundamental bottleneck for consensus, which is bandwidth. And the amazing thing is that bandwidth just keeps on growing every single year. One of the reasons why we expect bandwidth to continue growing exponentially, potentially for decades to come, is that bandwidth is a fundamentally paralyzable thing. There’s no sequential operations involved, and even a single strand of fiber which is the width of a hair can transport petabytes per second. So there’s a lot of room for scaling bandwidth, even with fiber, which is what the world is moving towards.
CR: Okay. So does that mean that first we’ll rely on rollups for a while for Ethereum scalability, and that’s a 100x improvement?
JD: Yes, that’s correct. So there’s kind of a naive way to do rollups, which gives us a 10x, and then there’s these fancy data compression mechanisms, which bring us all the way to a 100x. Right now, I dunno where we are exactly, but we’re maybe at 20x. So there’s, there’s a little bit more room with the rollups. In terms of the sharding, there’s kind of this two-step process. One is called proto danksharding, which will give us some relief relatively soon. And then there will be the full danksharding, which will bring us the full 100x
CR: What’s danksharding? I haven’t heard of that term.
JD: Let me explain. So the way that we used to have this increase in data on Ethereum is through these parallel shards, as synchronous parallel shards — kind of these different universes. That led to potentially quite a bit of complexity for the developers, because now you have various gas markets and you had to build these bridges, and it becomes a little complicated. Danksharding is this idea that we have the benefits of sharding without the developers realizing that there is sharding. So on the front-end, as a consumer of data, it’s all one unified blob of data. But on the back-end, the validators will be downloading small chunks of this very big block of data.
CR: Oh, wow, that’s a huge step forward. From what I remember, that used to be the biggest drawback of sharding, that it was kind of these separate mini blockchains on Ethereum and it was very hard to have the composable DeFi ecosystem that we have today. But now you’re saying that there’s a way to solve that so that there can be sharding and you don’t have to worry about building on different kind of mini blockchains.
JD: Exactly, and the inventor of danksharding is Dankrad [Feist], who is one of the researchers at Ethereum Foundation, hence the name.
CR: Wow, good job to him. When should we expect sharding?
JD: So danksharding might take, let’s say, two [to] three years. But proto danksharding, which is called EIP-4484, I believe — there’s even a whole website dedicated to it, it’s something that the various rollups [are] pushing for because that, that can really help rollups scale… — might happen, let’s say, maybe one or two years after The Merge.
CR: Okay, perfect. So we’ll rely on rollups for one or two years, then we’ll have proto danksharding, then we’ll have danksharding… in the next, who knows, five years or so. And then together with [bandwidth], then Ethereum will be able to scale like fully to support the internet, to the execution layer of the internet and become ultrasound money. So that’s the big picture?
JD: Exactly, and they’re all network effects to so-called shared security. So there’s various models for scaling. There’s the Cosmos model, for example, where you have this fractured security across many different sovereign chains. You have the Polkadot model, where you have these parachains all under shared security. And you have the Ethereum model. And one of the things that we are seeing convergence around is shared security. Even Cosmos, who are kind of the big believers in fractured security, are moving towards shared security with something called Celestia. And it turns out that there’s these network effects associated with it because if you have two chains with shared security, that means you basically have trustless bridging, for example, as one of the big massive benefits. And so that means that if you have a chain which is the most economically secure with the most economic security, and it can simultaneously scale to settle the whole internet of value, then it will settle most of the internet of value — it’s kind of this winner take most. So the big bull case for Ethereum is that yes, indeed it can preserve its lead in economic security and simultaneously scale to 10M transactions a second.
CR: Are you worried that in the time between Ethereum going to Proof of Stake, then relying on rollups gradually increasing scalability, and then in a few years adding sharding, that there’s a risk of all these other competitor Layer 1 chains trying to or starting to take market share away from Ethereum? It’s already arguably happening to some extent with a lot of the TVL in DeFi going over to other Layer 1s.
JD: You’re right, that has happened. There has been spillover to other chains. The good news is that a lot of the rollups are actually live today. So Optimism, even rollups like StarkNet have been live, and what we’ve observed is that there’s been a fairly slow transition from Ethereum L1 to Ethereum L2. This goes to show the power of network effects — even though you get significantly lower transaction fees in a rollup, people still prefer the base layer. And the reason is because they’re next to all their friends and all the interesting activities happening there.
So really, the challenge that we need to solve is how do we find a way to migrate network effects from one place to another? And what these other alternative chains have done is that they’ve had incentive programs. What we’ve seen basically is that one chain, I’ll pick on Avalanche, for example, has some sort of incentive program, and then there’s a huge transition of TVL to that chain. And then as soon as they stop the incentive program, all the liquidity flies back to Ethereum. So what I think needs to happen is for some of these chains to introduce a new token and have a very clever incentive program so that all the activity migrates, all the TVL migrates. And for the Ethereum users to feel at home, not feel like they’re on some sort of alien land and then have to come back to Ethereum. And we’ve had StarkNet announce a token today, I think, and we’ve had the Optimism token be announced, so I’m hopeful that at least one of the rollups will be able to crack that.
CR: Great. Yeah, I think incentives for sure. I also think there’s a lot of work to do… UX is very painful, I think, to crossover to rollups and Layer 2s in general at the moment. And yeah, having liquidity there, having all your dApps and assets there will be huge. So we’ll see how that progresses.
JD: Really, I think the current users are sophisticated enough to be able to bridge from L1 to a rollup, but all the new users, they’re not gonna go through this friction — it’s just too complicated. So what we basically need is for exchanges, which is the onboarding place for anyone really, to have direct withdrawals onto a rollup, and we are seeing various exchanges do that. As soon as that becomes the default option, which [it] will be because the transaction fees will be so much lower and all the network effects will be in these rollups, then we can really have the next wave of users come… to Ethereum.
CR: Right, it’s like this ‘chicken and egg’ situation where maybe application developers are still on Ethereum mainnet because users are there. But now, if you’re right, if centralized exchanges make it easier to bypass Ethereum entirely and go directly to rollups, then that’ll be a big incentive for developers to go there too. So yeah, I think that that’ll be one of the interesting trends to watch in the next few months.
We are way over time because this has been fascinating. It’s been so great diving deep into The Merge and Ethereum… I really want to ask you one more question because this is something that I ask all my guests. So Justin, what makes you defiant?
JD: What makes me defiant? Hmm, I guess I’m relentlessly optimistic, and so sometimes that makes me naive, but in a way defiant, and kind of defying reality. I guess people talk about Steve Jobs having this reality distortion field, and I really think big. I think that in 10 [to] 20 years, Ethereum will be the settlement value layer for the internet of value — it’ll be an extension of the internet. Right now, it’s very difficult to think that, and going back to this ultrasound money meme, if Ethereum could become a $100T asset — which sounds completely crazy today, it’ll have to grow 300x. But I think it is a definite possible future for Ethereum to become the money for the internet of value.
CR: Awesome, I love that big vision, and I don’t think it’s so far-fetched to think that, it is what I think as well. I think crypto and blockchains will become the underlying infrastructure for finance and for all industries. I mean, they’ll become one additional protocol layer on top of the internet, and so if you believe that this is a winner take most market, and that Ethereum has a big chance to be that winner, then it’s not so far-fetched. The question is will Ethereum retain its lead? You’re here kind of making sure that that happens. So, it’s been an absolute pleasure chatting, Justin, thank you so much for taking the time again!
JD: Thanks for having me, it was great.