Delegated Does Not Mean Centralized or Less Secure

in #blockchain, 5 years ago (edited)

An oft-touted rule of thumb is that delegated consensus mechanisms trade decentralization for speed. While seemingly plausible, it is actually false. In reality, delegation and decentralization are two orthogonal traits: a non-delegated network can be centralized, while a heavily delegated network can be highly decentralized.

In this article, we will clarify this misconception and explore what it really means to be decentralized.

Defining Decentralization

The biggest hangup most people have is understanding what decentralization really means. The “delegated = centralized” argument effectively equates the degree of decentralization to the number of validators or the hurdle to becoming a validator. But this is the shallowest way of looking at things.

As an example, take two networks: network A uses delegated proof-of-stake with 10 validators, while network B uses vanilla proof-of-stake with 1,000 validators. At first blush, network B appears to be more decentralized. But if just 4 validators control a super-majority of voting power in network B, then the remaining 996 validators are not contributing meaningfully to B’s decentralization. If voting power is evenly distributed amongst the validators in A, then it is substantially more decentralized than B.

Alternatively, let’s assume that network A has a strict rewards system that incentivizes validators to behave correctly, while network B lacks any such structure. Then network B is much more susceptible to the influence of a single validator or group of validators working together!

These examples should make it clear that the number of validators has very little to do with decentralization in reality, despite prevailing wisdom that suggests the contrary.
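The network A versus network B comparison can be made concrete by counting the smallest group of validators whose combined voting power crosses a control threshold. The following is an added example, not code from the original article: the stake figures are constructed to match the scenario described above, and "super-majority" is assumed to mean strictly more than two thirds of total voting power.

```python
from fractions import Fraction

def min_coalition(stakes, threshold=Fraction(2, 3)):
    """Smallest number of validators whose combined voting power strictly
    exceeds `threshold` of the total, taking the largest validators first.
    Returns None if no coalition can exceed the threshold (threshold >= 1)."""
    if any(s < 0 for s in stakes):
        raise ValueError("voting power cannot be negative")
    total = sum(stakes)
    if total <= 0:
        raise ValueError("total voting power must be positive")
    running = 0
    for count, stake in enumerate(sorted(stakes, reverse=True), start=1):
        running += stake
        # Exact rational comparison avoids float rounding at the boundary.
        if Fraction(running, total) > threshold:
            return count
    return None

def top_share(stakes, k):
    """Fraction of total voting power held by the k largest validators."""
    return Fraction(sum(sorted(stakes, reverse=True)[:k]), sum(stakes))

# Constructed sample data (not measurements of any real network).
# Network A: delegated, 10 validators with equal voting power.
NETWORK_A = [100] * 10
# Network B: open validator set, 1,000 validators, 4 of them dominant.
NETWORK_B = [17_000] * 4 + [32] * 996

def compare():
    """Coalition sizes needed for a simple majority and a super-majority."""
    result = {}
    for name, stakes in (("A", NETWORK_A), ("B", NETWORK_B)):
        result[name] = {
            "validators": len(stakes),
            "majority": min_coalition(stakes, Fraction(1, 2)),
            "super_majority": min_coalition(stakes, Fraction(2, 3)),
        }
    return result

if __name__ == "__main__":
    for name, row in compare().items():
        print(name, row)
```

Network B has 100 times as many validators as network A, yet it takes fewer of them acting together to control it at either threshold.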

In an article on the Scalability Trilemma, I defined decentralization much more generally:

“Any network that sufficiently guarantees that no single user or cartel of users can control the network can be said to be decentralized, while an architecture that fails to provide this distribution of power is centralized.”

I believe this gets at the heart of decentralization. As much as we would like to have an easy litmus test that we can use to say a particular network is decentralized, it’s not that simple! It doesn’t boil down to a single pithy statement like the Scalability Trilemma, or the ability to run a full node on your laptop, or the number of validators. Rather, decentralization is a complex continuum that is influenced by many factors, and whether consensus involves delegation has little to no influence on this determination.

Delegation is not the same as DPoS

It is important to make a distinction — when I talk about delegated consensus, I am NOT referring to DPoS, the specific consensus used by EOS, BitShares, and Steem. While DPoS is a type of delegated consensus, it is not the same as all delegated consensus algorithms. Logos, for instance, uses a very different delegated consensus model. Unfortunately, it seems that much of the confusion around delegation and decentralization stems from the misconception that DPoS is equivalent to delegated consensus.

In many ways, DPoS networks are more centralized than alternatives. They are not Byzantine fault tolerant (and make no effort to mathematically prove any fault tolerance), which means that a small number of validators could compromise the security of the system. The networks, as implemented, also lack any robust incentive structure to ensure validator compliance beyond the very weak threat of potentially losing a future election. While this property is independent of consensus, it makes the network very susceptible to attack.

However, DPoS networks are hardly representative of all delegated consensus networks, and delegated networks, if designed correctly, can actually be more decentralized than alternatives.

Delegation Can Increase Decentralization

[Figure: Share of total validator power of top validators for Bitcoin, Ethereum, and Logos.]

How can that be? While, in theory, an open validator set would seemingly increase decentralization, if a small number of validators control most of the voting power, as we saw in the first example above, then the network will be effectively at the mercy of those few validators.

For a number of reasons, vanilla proof-of-stake or proof-of-work networks would concentrate power in fewer hands in expectation. Any secure, open, trustless network must have some mechanism of assigning votes that reflects an economic investment, such as computers in proof-of-work or tokens in proof-of-stake. Regardless of mechanism, there are inevitably economies of scale, where larger validators are disproportionately advantaged compared to smaller validators. This is particularly exacerbated in proof-of-work, where large ASIC mining operations inevitably dominate the retail miners. However, it is also true in proof-of-stake, as there are unavoidable fixed costs in validation, such as setting up and maintaining a secure and performant node. Even in the absence of any economies of scale, we’d expect some natural Pareto distribution of economic power at equilibrium that results in a few major validators and many smaller validators. Combined, these two effects mean that any network that is profitable to validate will tend towards consolidation of power in a small number of hands, and vanilla PoS and PoW both lack any explicit mitigation.

This outcome is readily observable empirically. The chart above shows the actual distribution of validator power for Bitcoin and Ethereum compared to the distribution for Logos’ delegated model with 50 delegates. The top three validators for both Bitcoin and Ethereum control a critical majority of mining power (over 50%), while 33 validators would need to work together to control Logos’ consensus provided sufficient connectivity.

Admittedly, we are abstracting some details here. A PoS proponent may argue that features like staking pools could decrease the impact of economies of scale. Even assuming optimal design, on an apples-to-apples basis, a delegated network should not be any less decentralized than a vanilla PoS network.

Under a fair, well-designed, Byzantine fault tolerant election system, a node with 10% of the voting power should be able to elect 10% of delegates, and thus have 10% of the total representation in consensus. By comparison, a 10% validator in a good PoS system should also control 10% of consensus. Any other outcome would be poor design!

Of course, designing such an election system is non-trivial (so too is designing a good vanilla PoS), and many prominent networks like EOS fall short. But provided that care is taken, there is no technological, economic, or practical reason why delegation is necessarily less decentralized than alternatives.

What Actually Matters — Incentive Alignment

We’ve established that delegation, in practice, has little to do with decentralization. While there are a number of factors, including several foundational ones like Byzantine fault tolerance, what matters perhaps more than any other is the network’s incentive system.

What many people latch on to when they equate delegation with centralization is the potential for a single validator to abuse their position and act against the interests of the users that elected it. However, this is not much different than a huge mining pool acting maliciously. In fact, regular elections and greater distribution of power likely make the former less risky than the latter!

But this isn’t really getting at the heart of the issue, which is why a validator would act maliciously in the first place. This is fundamentally a game theory question.

In order for a network to be robustly decentralized, the validators of the network — whether delegates, mining pools, or staking pools — must be held strictly accountable to the rest of the network via a game theoretically secure incentive system.

In Logos, for example, there are a number of mechanisms to keep delegated validators honest. These include regular elections and loss of future income (rather weak), a wholesale recall that replaces the entire validator set (somewhat stronger), and slashing conditions (strongest).

Without delving too deeply into the game theory behind these mechanisms, the key result is that a validator cannot attack the network without directly forfeiting a large amount of money. This result can be extended to directly calculate the total dollar cost to pull off any attack on the network, which means that the network has strong, quantitative economic security. Note that this high-level feature is completely orthogonal to consensus and delegation.

This means that a delegated system like Logos has a significantly higher security level (and a correspondingly high level of decentralization) than all proof-of-work networks and any proof-of-stake network without slashing.

In a proof-of-work network like Bitcoin, for example, there are numerous attack vectors beyond the more famous 51% attack that result from a poor incentive structure. The 51% attack itself is surprisingly cheap to pull off (by renting rather than buying hash power) and has occurred on several occasions. This is possible because PoW incentives are grossly misaligned — the value of hardware has very little correlation with the value of the underlying network tokens, and there is no ability for the network to slash attackers’ mining power.

Bitcoin is surprisingly centralized for a network that is often touted as the gold standard in decentralization. Conversely, delegated consensus networks, while often maligned and mischaracterized, can have drastically higher security and decentralization at the equivalent network value. However, this has much more to do with the network’s incentive system than with the consensus itself. So while reductionist heuristics like “Delegated consensus is more centralized” are enticing, they are usually far from the truth.
