Original title: Censorship resistance in Bitcoin and Ethereum
Original article by Allen Zhao, Mustafa Yilham, Henry Ang Jermaine Wong, Bixin Ventures
Original translation: Evan Gu, Wayne Zhang, Bixin Ventures
In early August, the news that the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) decided to add Tornado Cash to its sanctions list put the issue of censorship resistance in the spotlight. To avoid criminal liability, RPC service providers Alchemy and Infura restricted access to Tornado Cash smart contract data, and Circle (USDC issuer) also blacklisted wallet addresses on the sanctions list. Blacklisted addresses are also banned from DeFi protocols such as Aave, but users can still interact with some smart contracts, but it requires many additional steps and some technical expertise.
This brings us to a more general question: Can blockchains be censored at the protocol level? Concerns about protocol-level censorship have already emerged in the Ethereum community, with 66% of beacon chain validators expressing sensitivity to OFAC regulations after the merger. If more than 1/3 of validators (by stake weight) are censored in any form, the Ethereum chain will not be able to function properly.
In this article, we will compare the censorship resistance of BTC (POW) and ETH (POS) through three key issues, and finally give our thoughts.
Definition of “censorship”
In a recent Bankless podcast, Justin Drake defined two different types of censorship: weak censorship and strong censorship.
Weak censorship: Weak censorship occurs when certain censored block producers do not include individual transactions in blocks, resulting in a degraded user experience. For example, a compliant block producer rejects a transaction from a blacklisted address, but the transaction is still eventually received by a non-censored block producer.
Strong censorship: Strong censorship occurs when an individual’s transactions are never included on-chain. This situation can be considered as a loss of assets, given that the individual has lost the ability to transact. This situation can occur when a network is taken over by a majority, also known as a 51% attack, which can threaten the continued existence of the attacked blockchain.
In the following discussion, we will compare Bitcoin and Ethereum as representative networks of the POW and POS systems, respectively. We will first identify the elements of censorship and then go into detail about how Bitcoin and Ethereum achieve censorship resistance.
Problem 1: When miners/block validators are concentrated, weak censorship through jurisdictional regulation may occur
Both Bitcoin and Ethereum face the problem of centralization of mining pools and validator nodes respectively. This could create a way for mining pools or validator nodes to be forced to comply with regulations and censor any transactions that are deemed illegal in their jurisdiction.
Ethereum
Since the merger, the top two staking services have a combined 43.03% share, and the top three hold 51.63%. The risk here is that if Lido and Coinbase join forces, they can bring the network to a halt; if Kraken also joins, then the three will be able to take over the Ethereum network.
Source: Related Network
Before looking at how Ethereum deals with the threat of centralization, let’s first cover why validators eventually become centralized. Under Ethereum’s POS mechanism, block producers can choose which transactions to include in the next block and how they are subsequently ordered. This allows validators to participate in the process of MEV extraction, which Amber defines very well in their recent article on ETH mergers.
“Maximum Extractable Value, or MEV, broadly refers to the residual value a miner or validator can earn over a series of blocks given available actions. These actions can include reordering transactions, censoring blocks, or even attempting to reorganize the blockchain. Some common forms of MEV include sandwich attacks, arbitrage, and liquidations.”
Source: Flashbots
As shown in the figure, validator rewards increase significantly once MEV is taken into account. Due to the economic incentives brought by MEV, larger participants run more verification nodes, thus eliminating individual and non-professional verification nodes. Therefore, ordinary holders are more inclined to join the verification node pool through staking services to obtain higher and more stable income, thereby increasing the centralization of verification nodes.
Another consideration regarding the centralization of staking nodes is cryptocurrency exchanges. Exchanges remain the best place for users to currently acquire Ethereum tokens. Given the sheer number of users they have, many tokens will naturally cluster on these exchanges, and exchanges offer convenient returns through their staking platforms, which will attract tokens. Users should be educated about the risks of using centralized platforms for staking, such as the possible impact if centralized platforms may choose to act maliciously due to legal pressure.
Although the validator node pool is not the ideal solution, it allows more ETH holders to participate, so the stake pool is still beneficial to the decentralization of Ethereum.
So, how does Ethereum deal with scrutiny over centralization?
Solution 1: Separate block proposers and block builders
One solution that is currently receiving widespread attention is Proposer Builder Separation (PBS). PBS separates the roles of block proposer and block builder, so that validators can obtain MEV rewards without becoming complex operators, thereby reducing the centralization problem.
There are three key players in the operation of a blockchain that can check and balance each other to mitigate and ultimately eliminate potential censorship.
Builders, who specialize in building blocks, extract the maximum MEV and transaction fees by sorting transactions. After that, they will pay the proposal fee to Proposers and put their blocks on the chain. Therefore, without the help of Proposers, builders with censorship purposes will not be able to publish transactions on the chain.
Proposers, also known as validators, either choose the hottest blocks or they won't include a block at all. If they believe that block builders are censoring transactions, they have the ability to propose a censorship-resistant list (crList) that builders are required to include as long as the block is not full, or their block is not proposed. Since EIP-1559 has been implemented, over 80% of blocks include spare gas, which means that as long as the user pays a priority fee above the base fee, they should be able to have their transaction included in the block. In summary, Proposers can achieve the most benefit by choosing blocks that pay the most amount, but still have the ability to force censorship by utilizing the crList.
The attestor will monitor the block building process and attest only if the proposer’s block contains the highest payment block. This will prevent malicious proposers from censoring transactions.
While the above approach greatly improves decentralization of validators, it still does not solve the problem of builder centralization. How to decentralize builders is beyond the scope of this discussion, but you can read more about it here.
Solution 2: Encrypt the memory pool
Another solution under research is to use encrypted memory pools to deal with centralized censorship. Users encrypt transactions before broadcasting them to the memory pool, and they are only decrypted after the transaction is included in the block on the chain. This will prevent any potential censors from obtaining the content of the transaction during the block construction process. In addition, it helps prevent MEV abuse, such as front-running. Another benefit of encrypted memory pools is that it can actually solve the problem of builder centralization in the future. In this case, proposers can build their own blocks by picking the highest fee transactions from the encrypted memory pool, without having to pick blocks from complex builders.
Bitcoin
Bitcoin has long been hailed as "digital gold", a quality that is reflected not only in its use as a digital means of storing value, but also in its censorship resistance. Although the Bitcoin network is less programmable than Ethereum, and weaker programmability can minimize MEV, it still faces the problem of increasing geographical concentration of miners. In addition, operating mining machines requires professional skills, and hardware and energy are also capital-intensive. The Bitcoin mining industry has developed in the direction of resource sharing, with miners paying service fees to mining farms based on unit computing power, thereby reducing the cash flow pressure that would be brought about by investing on their own.
Source: Cambridge Bitcoin Electricity Consumption Index
As shown in the chart above, before China banned crypto mining in 2021, China’s computing power accounted for more than 45% of the world’s computing power. But computing power has now shifted to the United States, which accounted for 38% of the world’s computing power as of January this year. Mining companies may be forced by local regulations to refuse certain transactions, which poses a threat of censorship.
So, how does Bitcoin deal with the censorship issues brought about by mining pool centralization?
Solution 1: Switch mining pool
Once a pool operator becomes subject to censorship regulations that are contrary to the interests of miners, it is easy for miners to switch to other pools (for example, move to a location far away from the censored pool). Since the model of purchasing computing power on demand is adopted, miners can switch to a new pool by simply changing the mining pool address in the mining software. During the period of 2021 when miners were banned by the Chinese government, miners were able to quickly migrate abroad and switch addresses to offshore mining pools, and the computing power has now recovered and is higher than before the ban was announced.
While Ethereum can allow validators to unstake and re-stake at their will, there is still a time lag due to cool-down periods and queuing systems.
Solution 2: Give miners more control over the block construction process
Most Bitcoin miners direct their hashing power to mining pools, where they communicate with those pools using a messaging protocol called Stratum v1, which organizes the creation and submission of hashes by miners. If mining pools collude to censor transactions, the community has no recourse. But with Stratum v2, miners will be able to choose their own set of transactions, giving them more control over the block-building process, which could counter censorship attempts by malicious pool operators.
If you are interested in learning more about Stratum v2 and its feature upgrades to improve miner security and revenue, read here.
Solution 3: Free market competition
Bitcoin proponents believe that the proof-of-work mining economic incentives are the best form of resistance to any transaction censorship. As the block reward drops with each halving cycle, transaction fees will trend towards 100% of miner revenue. Therefore, even if any regulatory compliant mining pool or miner censors a paid transaction, other miners/pools in different jurisdictions will be more than happy to take advantage of this and snatch the transaction away. Eventually, these compliant mining pools or miners will be outcompeted in the free market, causing their market share and profitability to decline.
Conclusion 1: Bitcoin can handle censorship issues caused by centralization in the block creation process better than Ethereum.
Today’s Bitcoin is more resilient to centralized censorship during the block construction process. If there is a mining pool that censors certain transactions, miners can now switch mining pools without delay, greatly improving miner autonomy.
While Ethereum has a viable solution to the censorship problem, it is primarily in the research phase and has not yet been implemented because competition with other programmable blockchains requires other features to take priority.
Problem 2: If the network has a small security budget, strong censorship risk may occur
The impact of a low security budget is that it can lead to a 51% attack. When this happens, the attacker will be able to take control of the blockchain. They will be able to block incoming transactions and will be able to reorder new transactions. Even more serious is the ability to rewrite the history of the blockchain and undo their own transactions, resulting in double spends.
Ethereum’s Security Budget
In the event of a 51% attack on Ethereum, all new deposits or withdrawals could be censored by the attacker, making it difficult for the network to recover. Therefore, the distribution of tokens within the network is as decentralized as possible to prevent the acquisition of required tokens by force and the attack. At the time of writing, there are 13.6 million ETH staked on the beacon chain. The economic security of Ethereum can be calculated by multiplying 13.6 million ETH times the price times 51% to get the minimum amount required to censor a transaction. At the current price of $1,700 per ETH, the economic security today is approximately $11.5 billion. In reality, the cost would be much higher, given that the price increases non-linearly with the demand for ETH.
While coming up with these funds is not a problem for some organizations or countries, we still need to consider preventive solutions.
Solution 1: Encourage more users to stake
Compared to other POS networks, only 11% of ETH is currently staked (e.g. 77% for Solana, 66% for Cosmos, 65% for Avalanche), which means there is a lot of potential. As the amount of stake increases, it will become very difficult for an attacker to obtain 51% of the total stake.
However, one barrier to more people staking is the opportunity cost of DeFi returns for users. If users can earn better returns in DeFi, then users may prioritize financial incentives, and the incentive effect generated by ETH staking returns will be reduced. One solution to break down this barrier is a liquid staking protocol, but this may also bring us back to the centralization problem we saw in Lido. While we can see that Lido is distributing stake to about 30 validators on its whitelist, this list of whitelists is still approved by Lido. Therefore, the selection criteria and ability to add and remove validators are critical, which means strong governance capabilities are needed within the decentralized autonomous organization.
Encouragingly, Lido has been exploring a governance solution using dual governance proposals, where voting on key governance issues would be conducted by both stETH and LDO holders, which would maintain consistency between holders of both tokens. There is also a key issue related to censorship resistance, which has the potential to change the way stake is distributed among node operators in a way that could be harmful or unexpected. In the specific case of governance, once LDO holders pass the initial proposal, stETH holders will also be involved, and they can also exit the protocol if all available negotiations fail. Read here for a more detailed explanation of the voting mechanism and subsequent results.
Solution 2: Diversify validators to prevent coercion to gain governance
If ETH cannot be obtained on the market, then another way to gain control of the network is to forcibly win over 51% of the validators. Therefore, increasing the diversity of validators to achieve anti-censorship effect is achieved through the following forms:
Improve jurisdictional/geographic diversity to ensure no single jurisdiction/country can take a validator offline
Improve diversity of operators/stakeholders to ensure that mandatory audits are extremely difficult when stakes are widely distributed
Improve client diversity to ensure no single bug in a validator client can take a validator offline
Lowering hardware requirements for participation to ensure that everyone can launch a validator if they wish
Increase the number of validators with a full copy of transactions
Solution 3: Social-level intervention
If preventive measures fail, Ethereum will intervene at the social level. Specifically, the fork process will be automatically executed after censorship is detected, and the system will reserve enough time to reach a fork consensus. Ideally, the complete online nodes will identify and recognize which blockchains have censorship purposes by checking the memory pool. Once found, they will fork and punish the chain with censorship purposes. These actions do not require social intervention.
However, forks are rarely straightforward, as censorship can sometimes be accidental, such as due to bugs in validator clients. In such cases, it is important to be able to intervene and discern what is real censorship and what is accidental. In addition, there are considerations such as how to choose a new blockchain, which checkpoint should be taken to start a new blockchain, how to punish attackers on the new blockchain, etc., which will affect the economic value of the chain. The above content is to let new users know that if they want to participate in a new uncensored blockchain, they must first be able to withdraw funds on the chain. Although there are currently no rules and guidance for users to understand how to deal with various policy interventions, it is important that the governance and decision-making process of the chain should be as decentralized as possible.
Bitcoin's Security Budget
If Bitcoin were to be strongly censored, miners would be able to mine out all rewards and reorganize the chain as they see fit. Given the current hash rate of 230m TH/s, an attacker would need more than 230m TH/s to take control of the network, assuming existing miners do not participate in the attack. Let’s do the math. Using the most efficient ASIC chip on the market today, the Antminer S 19 PRO (110 TH/S), a total of 2.09 million ASIC chips (230,000,000 TH/s divided by 110 TH/s) would be required to carry out the attack. At today’s price of $4,400, the total cost of acquiring the hardware to attack the network would be $9 billion, not taking into account energy costs.
Solution 1: Bitcoin is more censorship-resistant due to the difficulty in obtaining ASIC chips
While the cost is affordable for some serious attackers, there is a huge barrier to acquiring ASIC chips because only a few companies can produce them. And because the supply coming online each year is not enough, attackers cannot launch a fast attack.
Solution 2: Low conversion rate among miners leads to decentralization of the Bitcoin network
It is very difficult to obtain the machines needed to control the network, so the attack is likely to be achieved by forcing or controlling existing mining pools. We can solve this problem by relying on mining pools that have emerged in different regions of the world, because their emergence has greatly reduced the switching costs of miners, allowing them to switch quickly in the face of censorship, thereby achieving censorship resistance.
Conclusion 2: Bitcoin is more resilient than Ethereum in preventing 51% strong censorship attacks. Ethereum’s solution of using the social layer as the last line of defense gives more power to the minority, but there are still many problems with social consensus.
On paper, Ethereum has a higher security budget than Bitcoin. However, the friction of acquiring hardware to take over the Bitcoin network is greater than the cost of acquiring a majority of Ethereum tokens.
If an attacker takes the alternative route of strongly censoring centralized mining pools to gain control of the network, Bitcoin has a much simpler solution as honest miners can help rebalance the hash rate by switching to non-aggressive mining pools.
While the social layer can intervene in the case of strong censorship of Ethereum, there are still many questions about how to transition to a user-activated soft fork. First, how is social consensus reached between non-attacking actors? Can the majority of the new minority make the decision? Or is it up to the core team? The decision-making process can be likened to the "Ethereum DAO" vote to reach a majority decision. So should it be decided by a majority of voters or a majority of stake? A common criticism of DAO votes is that a supermajority of holders can vote for an outcome, but it is ultimately vetoed by a single holder with more shares. This is not meant to reflect the actual process of deciding the fork rules, but to highlight the problematic aspects of social governance that the Ethereum community has not yet implemented. Ultimately, it may be that as Nic Carter said, the social consensus layer inevitably leaves room for politicization, and Ethereum may suffer the same fate as an expropriating national government.
Therefore, we believe that Bitcoin is more resilient. It is also worth noting that this may not be the case in the future. One potential scenario is that as the block reward approaches zero, if Bitcoin's transaction activity fails to pick up, the lack of transactions will lead to a lack of income for miners, and they may have difficulty staying solvent. This will cause miners to shut down their mining machines and cause the hash rate to drop, thus weakening Bitcoin's security budget. Therefore, the Bitcoin network needs to continue to attract new users, only then can it operate as a healthy network.
Problem 3: External dependencies may create censorship risks for the underlying network
Stablecoins
Every cryptocurrency’s denomination is anchored using a stablecoin, and Bitcoin and Ethereum are no exception. A quick look at the stablecoin market cap shows that the top 3 are all backed by fiat collateral held by centralized custodians. This puts them within the realm of regulation, which begs the question: what if a custodian makes it impossible for users to convert stablecoins into fiat currency simply because of government censorship or prohibition? While these are unlikely to happen, the chain reaction they would have if they did is dire. Not long ago, USDC issuer Circle froze funds worth more than 75,000 USDC associated with a Tornado Cash address in accordance with the OFAC sanctions list.
Potential Solution 1: Overcollateralized Stablecoins
One can mint a token pegged to a fiat currency in exchange for crypto collateral. MakerDAO’s DAI is currently the largest decentralized stablecoin in crypto, and they maintain the 1 DAI = 1 USD peg by liquidating the staked crypto collateral when asset prices start to fall. They have proven to be robust through the price fluctuations of Bitcoin and Ethereum since 2017. However, even they have over 30% exposure to USDC as part of their collateral. After the recent USDC and Tornado cash incidents, they are currently in a governance discussion on whether they need to make DAI more freely circulated by implementing negative interest rates to achieve their vision of becoming a public, neutral financial utility infrastructure.
Another option favored by Vitalik is Reflexer’s RAI. In this protocol, users can deposit ETH and mint RAI up to ⅔ of the value of the deposited ETH. The main difference here is that RAI does not adhere to a fixed peg like the US dollar, which means that RAI’s peg will change depending on market volatility. They also allow for negative interest rates, which helps provide a balance where excessive growth can be curbed, making the stablecoin less volatile. Read here for a more detailed explanation of how RAI works.
However, a fundamental problem with overcollateralized stablecoins is that they continually extract liquidity from the market (which is not ideal if we expect financial activity to occur in cryptocurrencies). We also need to consider what kind of collateral can be used as collateral for the base currency.
Feasibility of Bitcoin: Bitcoin is almost the best collateral currently. But even if there are ready-made solutions on the market, since over-collateralization will extract liquidity from the market, this is not an ideal solution if we expect financial activities to occur on the chain.
Ethereum Viability: Stablecoins using ETH as collateral may not be the way forward. If ETH faces censorship, these stablecoins will face redemption issues as users may want to exit their ETH positions. While using Bitcoin as collateral can mitigate this associated risk, it still faces the issue of liquidity extraction.
Potential Solution 2: Algorithmic Stablecoins
Although algorithmic stablecoins are somewhat notorious due to the Luna debacle, algorithmic stablecoins are another option. The goal of algorithmic stablecoins is to create a pegged stablecoin that does not require collateral, but uses some form of governance token for anchoring. Then the peg is made through arbitrage opportunities between governance tokens and algorithmic stablecoins. But this system design is very fragile because it requires rational participants and firm confidence in the value of governance tokens.
Once confidence is broken, a death spiral may occur: when the price of governance tokens falls, market participants, instead of maintaining the stability of token prices, further sell off the governance tokens they hold, exacerbating the price decline.
In theory, algorithmic stablecoins could play the same role as parts of our existing banking system without extracting liquidity. But there doesn’t seem to be a suitable candidate project that can perfect the system design of algorithmic stablecoins and make them less risky.
Feasibility of Bitcoin: Not applicable, there are no viable candidate projects on the market.
Feasibility of Ethereum: Not applicable, there are no viable candidate projects on the market.
Potential Solution 3: Bitcoin or Ethereum as a Decentralized Stablecoin
Think: What if Bitcoin became a decentralized “stablecoin” that is censorship-resistant? This would seem to solve the problems facing Bitcoin and Ethereum.
Bitcoin’s Feasibility: It seems like any Bitcoin holder could join in, since 1 BTC = 1 BTC. This could potentially solve the situation where the security budget is declining due to lack of transaction activity (recall: block rewards trending towards zero = all miner income depends on transaction fees = sufficient transaction activity is needed to remain solvent and keep the hash rate high). If BTC is widely used on Ethereum (and any other programmable blockchain), transaction activity will come from it being the base layer currency for DeFi and many other applications, which can then maintain economic incentives for miners, further strengthening censorship resistance against any attacker.
Feasibility of Ethereum: Imagine if USDC or USDT is censored and the chain splits, and there is no stablecoin pegged to a fiat currency on the chain, how many users will choose the "bubble and low transaction volume" stablecoin? If Ethereum is used as a decentralized stablecoin, it will eliminate the reliance on stablecoins pegged to fiat, making chain forks a more realistic option in the face of strong censorship attacks. Users will not have to worry about the destruction of economic value because Ethereum has strong anti-censorship properties as a base layer currency.
RPC Network
The RPC (Remote Procedure Call) network is critical to blockchain. It provides access to server nodes and allows users to communicate and interact with the blockchain while interacting with a standalone program. Given the specific hardware required to run these RPC nodes, most developers turn to centralized RPC networks such as Infura and Alchemy for their dApp API needs. The downside is that these centralized RPC networks can restrict access to blockchain data where necessary to comply with any jurisdictional laws, and can also serve as a central point of failure that is vulnerable to hacker attacks. The end result is that users may face service interruptions, greatly reducing the user experience.
Solution 1: Light Client
Ethereum has been hoping that more users will run their own light clients. Light clients do not store the full state history of the chain, but instead rely on the sync committee to sync to the chain. They can also make arbitrary queries about the state of the network by asking other full nodes rather than going through a centralized Infura or Alchemy.
Bitcoin has also been encouraging users to run their own light clients. Light clients on Bitcoin can interact with the network but do not store the blockchain, and can query other nodes for blocks and transaction data of interest.
Solution 2: Decentralized RPC Network
Decentralized RPC network providers provide economic incentives for distributed RPC nodes to provide applications and users with access to blockchain data. By using a decentralized set of RPC nodes, the base protocol layer can enhance its security and censorship resistance because there is no single point of failure. Existing solutions include Pocket Network, Ankr, and Solana's GenesysGo. Both Ethereum and Bitcoin will benefit from a decentralized RPC layer, which will increase Ethereum's censorship resistance given the large number of applications using the RPC network.
Core developers and project team
The arrest of Tornado Cash founder Alexey Pertsev has raised the topic of whether developers or project teams can be held accountable for their open source code. Should they remain anonymous? Easily identifiable identities place individuals within jurisdictions, which could mean they are vulnerable to regulatory control. While there is no explicit requirement that founders or developers be held accountable for their code, it may be wise to ensure that the team is geographically distributed to counter any potential scrutiny from a particular jurisdiction.
Conclusion 3: External dependencies have a significant impact on the censorship resistance of base layer protocols.
We believe the first issue to be addressed is the choice of base layer currency, with the economic value of both Bitcoin and Ethereum pegged to USDC and USDT, which are vulnerable to US regulations. Other possible sources of censorship risk include the RPC layer and protocol developers, and we believe existing solutions can mitigate and eventually eliminate these issues.
Conclusion
Although we have made extensive comparisons between Bitcoin and Ethereum, they also have their own characteristics and solutions in terms of censorship resistance, such as Bitcoin's characteristics that make it suitable for base layer currency, but we still need the programmability of blockchains like Ethereum to have on-chain applications. Ultimately, the characteristics of decentralization, censorship resistance, and sovereign independence are what Bitcoin, Ethereum, and many other blockchains are striving to achieve.
