Censorship Resistance in Bitcoin & Ethereum
The Backdrop
Earlier this August, the decision by the US treasury department’s Office of Foreign Assets Control (OFAC) to add Tornado Cash to its sanction list has put the question of censorship resistance firmly into the spotlight. To remove themselves from any criminal liability, RPC service providers Alchemy and Infura restricted access to data on Tornado Cash smart contracts, while Circle (USDC) blacklisted wallet addresses that were on the sanctioned lists. Other DeFi protocols such as Aave also disabled their front-end access for the blacklisted addresses. However, the smart contracts are still live, and users can still interact with them, albeit with many additional steps and some technical expertise.
This leads us to a wider question: Can blockchains be censored at the protocol level? The Ethereum community has voiced its concerns over protocol censorship, with 66% of the beacon chain validators post-merge susceptible to OFAC regulations. If over ⅓ of the validators (by stake weight) engage in any form of censorship, the blockchain will be unable to advance.
In this article, we will compare POW BTC against POS ETH on how they fare in terms of censorship resistance, through the lens of three key problems we have identified, before offering our closing thoughts.
Defining Censorship
What is censorship? In a recent Bankless podcast, Ethereum foundation researcher Justin Drake defined two different types of censorship in weak and strong censorship.
Weak censorship happens when an individual’s transaction does not get included within blocks by certain censoring block producers, resulting in UX degradation. An example could be a regulatory compliant block producer that refuses transactions from blacklisted addresses. However, the transaction should still eventually be picked up by non-censoring block producers.
Strong censorship happens when an individual’s transaction never gets included on chain. Given the individual has lost the ability to transact, it can be seen as an effective loss of assets. This scenario can happen when an economic majority takes over, also known as a 51% attack, which also threatens the liveness of the blockchain.
In the following discussion, we will be referring to Bitcoin and Ethereum as representative networks for POW and POS systems respectively. We will first identify the censorship vector, before going into specifics about how Bitcoin and Ethereum can defend against it.
Problem 1: Weak censorship through jurisdictional regulation can happen when the block building process is centralised
Both Bitcoin and Ethereum face problems of centralisation over mining pool and validator sets respectively. This presents an attack vector where mining pools or validator sets could be forced to comply with regulations, thereby censoring any transactions deemed illegal within their jurisdiction.
Ethereum
Since the merge, the top two validators hold a collective stake of 43.03% and the top three hold 51.63%. This presents a risk where between Lido and Coinbase, they could collectively halt the network, and with the inclusion of Kraken, take over the network.
Before we look into the solutions that Ethereum has at its disposal to counteract this centralisation threat, we will start off by understanding why validators end up in centralised pools. Under POS ETH, block proposers have the ability to choose which transactions to be included in the next block and their subsequent ordering. This allows validators to engage in something called MEV extraction, very well defined by Amber in their recent article on the ETH merge.
“Maximal Extractable Value, or MEV, broadly refers to the total amount a miner or validator can increase their balance across a series of blocks given the actions available to them. These actions can include the ability to reorder transactions, censor blocks, and even attempt to reorg the chain. Some common forms of MEV include sandwich attacks, arbitrage, and liquidations.”
As seen above, there is a stark contrast in validator rewards once MEV is considered. Given the economic incentives involved, this has led to highly sophisticated players running multiple validators, beating out the average home validator. Therefore, the single home validator is more inclined to join validator pools to have more stability and predictability of income, which adds on to the stake centralisation problem.
Another consideration regarding stake centralisation is that crypto exchanges remain the best place for users to acquire Ethereum. As a result, stake will naturally congregate with these exchanges who offer convenient yields via their staking platform, given the sheer amount of users they have. However, users should be educated on the risks of staking with centralised platforms, e.g. getting slashed should centralised platforms choose to act maliciously as a result of jurisdictional pressure.
So how can Ethereum counteract censorship related to this centralisation problem?
Solution 1: Proposer Builder Separation
One existing solution being researched heavily right now is the Proposer Builder Separation (PBS). PBS separates the roles of block building and block proposing to allow validators to share in the rewards of MEV without being sophisticated operators, which should reduce centralisation of stake.
There are three key actors in the block building process which provides checks and balances to mitigate and eventually eliminate potential censorship.
Builders specialise in block building by ordering transactions to extract the maximum MEV and transaction fees. They will then put in a proposing fee for Proposers to propose and include their block onchain. Therefore, a censoring builder would not be able post transactions on-chain without the help of a Proposer.
Proposers, also known as validators, either select the top playing block, or they will not get to include a block at all. If they think that builders are censoring transactions, they have the ability to put forward a censorship resistant list (crList) where Builders will have to include these transactions as long as the block is not full, or not have their block proposed. Since EIP-1559 has been implemented, more than 80% of blocks contain spare gas which means that as long as a user pays a priority fee above the base fee, they should be able to get their transaction included in the block. In summary, Proposers can achieve maximum income by selecting the top paying block but still possess the ability to push through censored transactions through the crList.
Attestors will monitor the block building process and only attest to a Proposer’s block if it includes the top paying block. This will prevent malicious proposers from censoring transactions.
While the above greatly improves validator decentralisation, it still does not resolve the issues of centralised builders. While the solutions to decentralise builders is beyond the scope of this discussion, you can read here for more information.
Solution 2: Encrypted Mempools
Another solution that is being worked on is the idea of an encrypted mempool. What this means is that users will encrypt their transactions before broadcasting it to the mempool, which only gets decrypted after the transaction gets included in a block that is posted on chain. This will prevent any potential censoring party from knowing the contents of the transaction during the block building process. Moreover, it can help prevent toxic MEV such as front-running. Another benefit of encrypted mempools that it could actually solve for builder centralisation in the future, where proposers can build their own blocks by just picking the highest fees from the encrypted mempool without picking blocks from sophisticated builders.
Bitcoin
Bitcoin has always been heralded as the gold standard, not just as a digital store of value, but also in terms of its censorship resistance. While Bitcoin is less programmable than Ethereum, which minimises the likelihood of MEV, it still faces a problem where miners are getting more geographically concentrated. In addition, given the technical expertise required for operating a mining machine, plus the capital-intensive nature of the hardware and energy costs, bitcoin mining has moved towards pooling of resources in return for reduced volatility in payouts, with miners paying a service fee to the pool in return for rewards relative to the hash they provide.
As we can see above, China used to account for more than 45% of the global hash rate before the country’s ban on crypto mining in June 2021. The concentration of hash power has now moved towards the United States, which accounts for 38% of the global hash rate as of January this year. This poses a censorship threat where mining companies could comply with local regulations to exclude certain transactions.
So how can Bitcoin counteract censorship related to this centralisation problem?
Solution 1: Switch mining pools
Miners can easily switch mining pools if mining pool operators’ incentives do not align with their beliefs (e.g. moving away from censoring pools). Given payouts happen daily, miners can switch to new mining pools by just replacing the pool address within the mining software. During the mining ban in China in 2021, miners were able to quickly migrate abroad and switch their hash rate to offshore mining pools. Hash rate has now recovered and is higher than before the ban was announced.
While it can be said that Ethereum can do the same with users unstaking and re-staking to validators that align with their beliefs, there is still a time lag considering a cooling period and queue system.
Solution 2: Give miners more control over block building process
Most bitcoin miners direct their hashpower towards mining pools, where they communicate with these pools using a messaging protocol called Stratum v1, which organises the creation of bocks and the submission of hashes by the miners. If mining pools were to collude to censor transactions, there is no recourse that community can take. With Stratum v2, the miners will have the ability to select their own transaction set and hence have more control over the block building process, which can counter any malicious pool operators attempting censorship.
Read here if you are interested to learn more about Stratum v2 and its other feature upgrades to provide greater miner security and revenue.
Solution 3: Free market competition
Proponents of Bitcoin believe that the economic incentives of proof-of-work mining provides the best form of defence against any transaction censorship. As block rewards decline with each halving cycle, transaction fees will tend towards 100% of a miner’s revenue. Therefore, even if any regulatory compliant pool or miner engages in censoring of a fee-paying transaction, there will be other miners/pools in different jurisdictions that will be more than happy to capitalise. Eventually, these regulatory compliant pools or miners will be outcompeted in a free market, which leads to falling market share and profitability.
Conclusion 1: Bitcoin can handle problems of weak censorship that stems from centralised block building better than Ethereum.
Bitcoin today is more equipped to deal with censorship that can come with centralisation in the block building process. If there are mining pools that are censoring certain transactions, being able to switch mining pools with little to no delay provides huge autonomy for the honest miner.
While Ethereum has feasible solutions that can address the censorship issue, it is mainly in the research phase and is not implemented yet, given the need to prioritise other features to compete against other programmable blockchains.
Problem 2: Strong censorship can happen if the security budget of the network is weak
The implications of a weak security budget lends itself to the potential for a 51% attack. When this happens, the attacker will be able to take control of the blockchain. They will be able to block incoming transactions, order all new transactions, or even rewrite the history of the blockchain and reverse their own transaction, leading to a double spend.
Ethereum
In the case of Ethereum, once a 51% attack is underway, all new deposits or unstakes can be censored by the attackers, which makes it difficult to rebalance the network. Therefore, it is extremely important that the stake within the network is as decentralised as possible to prevent situations where stake can be acquired or through coercion.
At the time of writing, there are c. 13.6m ETH staked on the beacon chain. Ethereum’s economic security can be calculated as 13.6m ETH multiplied by the price of ETH multiplied by c. 51%, the minimum amount required for an attacker to begin censoring transactions. At a price of $1,700 per ETH, this works out to be around $11.56b of economic security today. In reality, the acquisition cost will be much higher given prices will rise non-linearly with increased demand for ETH.
Given this is not insurmountable by nation states, what preventative solutions can be taken?
Solution 1: Encourage more users to stake
Only c. 11% of ETH is staked at present as compared to other POS networks (e.g. Solana at 77%, Cosmos at 66% and Avalanche at 65%), which means there is definitely more room to grow. With a higher amount staked, the amount required for an attacker to acquire 51% of the total stake will be immensely harder.
However, an obstacle in encouraging more people to stake is the opportunity cost of DeFi yields on a user’s ETH. If users are able to achieve better yields in DeFi, there is less incentive to stake, if users are expected to prioritise financial incentives. The solution to this is then liquid staking protocols which then brings us back to the centralisation problem we see in Lido. While we recognise that stake is being distributed over a whitelisted group of ~29 validators, this list of approved validators remains in the control of Lido. As such, the selection criteria and ability to add or remove validators will be critical, which translates to the need for strong governance within the Decentralised Autonomous Organisation.
Encouragingly, Lido has been exploring the use of a Dual Governance proposal to vote on critical governance issues with participation from both stETH and LDO holders, such that alignment between both sets of holders can be maintained. One such critical issue relevant to censorship resistance would be the ability to change how stake is distributed between node operators in a potentially harmful or unexpected way. Governance in this particular instance will involve stETH holders once the initial proposal has been passed by the LDO holders, who can have the ability to exit the protocol if all available negotiation fails. Read here for a more detailed explanation on the voting mechanism and subsequent outcomes.
Solution 2: Diversification of validators to prevent stake acquisition through coercion
If the route of acquiring ETH on the market is infeasible, the other alternative to gain control of the network would be to coerce the largest validators comprising 51%.
Therefore, the solution would be to increase diversification of validators in the form of:
- Jurisdictional/geographical diversity, to ensure there is no single jurisdiction/country that can take validators offline
- Operator/stake diversity, to ensure that coercion will be extremely difficult if stake is widely distributed
- Client diversity, to ensure that no single bug within the validator client can take validators offline
- Low hardware requirements for participation, to ensure that everyone can spin up a validator if they want to
- High number of validators with full transaction replicas
Solution 3: Social layer intervention
In the event that the preventive measures have failed, Ethereum will depend on the social layer to intervene. The design goal is to automate a forking process once censorship is detected, while giving it ample lead time for social consensus over the choice of fork. In an ideal world, full nodes that are online will detect censorship by observing the mempool, identify a non-censoring minority chain and automatically fork off to punish the censoring parties, all without the need for social intervention.
However, forking away is rarely straightforward as censorship may sometimes be accidental, e.g. due to a bug within the validator client. In such situations, the ability for the social layer to intervene and discern between actual and accidental censorship is very important.
Moreover, there are other considerations such as how a new chain should be selected, which checkpoint should be taken to start the new chain, how the attackers should be punished/slashed on the new chain etc, all of which can affect the economic value on the new chain. These are all required to allow users to be fully informed when it comes to selecting a new chain while being able to unwind any positions on the censored chain should they wish to participate in the new uncensored chain. While there are no rules and guidelines currently in place should a social intervention is needed, it is critical that the decision making process be as decentralised as possible, to prevent a situation similar to how policies are decided within government bodies today.
Bitcoin
In the event of a strong censorship attack on Bitcoin, the miner will be able to mine all the rewards and reorganise the chain they see fit. Given the current hashrate of 230m TH/s, an attacker will have to amass more than that amount of hashrate to control the network, assuming the existing miners do not participate in the attack. Using the most efficient ASIC on the market today, the Antminer S19 PRO (110 TH/S), a total of 2.09m ASICs (230,000,000 TH/s divided by 110 TH/s) is needed to conduct the attack. At a price of $4,400 today, the total cost required to acquire the hardware to attack the network is at c. 9 billion, without factoring for energy costs.
Solution 1: Inherent friction to acquire ASICs
While the costs are not out of reach for motivated attackers, there is significant friction when it comes to acquisition of ASICs as only a few companies produce these ASICs. There is insufficient supply coming online every year for attackers to mount a swift attack.
Solution 2: Low switching costs for miners
Given the fact that it is highly prohibitive to acquire the sufficient machinery required to gain control of the network, the attack will most likely come through coercion or control over the existing mining pools. This brings us back to the low switching costs for miners to redirect their hash rate in order to rebalance the system again.
Conclusion 2: Bitcoin is more resilient than Ethereum in terms of preventing a 51% strong censorship attack. Ethereum’s solution of the social layer as the last line of defence provides more power for the minority, but many issues over social consensus remain.
On face value, Ethereum has a stronger security budget than Bitcoin. However, the friction when it comes to acquiring machinery to take over the Bitcoin network is a stronger preventative measure than the cost of acquiring a majority stake in Ethereum.
If attackers were to take the alternative route to coerce centralised pools to gain control of the network, Bitcoin’s solution is much simpler in that honest miners can help rebalance the hashrate by switching to a non-attacking pool.
In the case of Ethereum, while the social layer could intervene, there remains many questions about how the transition to a user activated soft fork would work. First, how can social consensus be achieved among the non-attacking participants? Do the majority of the new minority get to decide? Or does the core team get to decide? The decision making process could be likened to an “Ethereum DAO’’ voting to reach a majority decision. Should it then be decided by the majority of voters or majority of stake? A common criticism in DAO voting is when an overwhelming majority of holders could vote for an outcome, but eventually be overruled by a singular holder with more stake. This is not meant to reflect the actual process to decide the rules for forking but rather to highlight the problematic aspects of social governance that the Ethereum community has yet to implement. Ultimately, the social consensus layer inevitably leaves room for politicisation which could mean Ethereum suffers the same fate as an expropriating national government, as argued by Nic Carter.
As such, we believe Bitcoin is more resilient as of today. It is also worth noting that this may not be the case in the future. One potential scenario to look out for is what if Bitcoin’s transaction activity fails to pick up as block rewards trend towards zero? The lack of activity leads to lack of fee revenue for miners who could then face difficulty to remain solvent. This would then lead to miners shutting down and hash rate falling as a result, weakening the security budget of Bitcoin. Therefore, it is equally important that Bitcoin continues onboard new users, for it to function as a healthy network.
Problem 3: External dependencies can be censorship vectors for the underlying network
Stablecoins
A common external dependency shared by both Bitcoin and Ethereum is the use of stablecoins when it comes to denomination of each cryptocurrency. A quick scan across the market capitalisation of stablecoins and the top 3 are backed by fiat collateral held with centralised custodians. This puts them under the purview of regulation, which begs the question: what if you are unable to off-ramp your stablecoins into fiat just because these custodians are told by the government not to? While these might be an unlikely scenario, the knock on effects can be dire. It does not help that USDC issuer Circle complied with the OFAC sanctions, freezing over 75,000 USDC worth of funds linked to the Tornado Cash addresses.
So what other options are available to us?
Potential Solution 1: Overcollateralised stablecoins
One popular option available is the overcollateralised stablecoin, where one can mint a fiat pegged token in exchange for crypto collateral. DAI by MakerDAO is the largest decentralised stablecoin within crypto right now, and they maintain a peg of 1 DAI = 1 USD by liquidating the pledged crypto collateral when asset prices begin to fall. They have proven to be robust having been through the price volatility of Bitcoin and Ethereum since 2017. However, even they have over 30% exposure to USDC as part of their collateral. After the recent episode with USDC and Tornado cash, they are currently undergoing governance discussion over whether to free float Dai with the implementation of negative interest rates, in order to move towards their vision to be a public, neutral financial utility.
Another option favoured by Vitalik is RAI by Reflexer. In this protocol, users can deposit ETH and mint RAI up to ⅔ of the value of ETH deposited. The key difference here is that RAI does not adhere to a fixed peg like the US Dollar, which means that RAI’s peg moves according to the volatility within the market. They also allow for negative interest rates which can help provide an equilibrium where excessive growth can be tampered in exchange for reduced volatility for the stablecoin. Read here for a more detailed explanation on how RAI works.
However, one fundamental issue with overcollateralised stablecoins is that they inherently extract liquidity from the market (not exactly ideal if we expect financial activity to happen on crypto). There is also the consideration of what forms of collateral are considered “hard” enough to be base money.
Feasibility for Bitcoin: Almost definitely not if it’s backed by collateral anything other than Bitcoin. Even if there is an existing solution in the market right now, the nature of overcollateralisation extracts liquidity from the market — not exactly ideal if we expect financial activity to happen on chain.
Feasibility for Ethereum: Stablecoins that use ETH as collateral may not be the way forward. In the event of a censorship attack on ETH, these stablecoins will suffer from a redemption issue as users may look to exit their ETH position. While usage of Bitcoin as collateral could mitigate this correlation risk, it still faces the problem of liquidity extraction.
Potential Solution 2: Algorithmic Stablecoins
An alternate option, albeit slightly infamous now as a result of the Luna debacle, is the Algorithmic stablecoin. The goal is to create a pegged stablecoin without the need of hard collateral, instead using some form of governance token. The peg is then supported through arbitrage opportunities between the governance token and algo-stablecoin. However, the system design is extremely fragile given it requires rational participants and confidence that the governance token is credible and hence valuable.
Once confidence is broken, it can lead to a death spiral where the peg breaks, leading to loss in value in the governance token, and rather than restoring the peg, market participants further dump their holdings of governance tokens, exacerbating the fall in price of the governance tokens.
Theoretically, algo-stablecoins can perform the same role as our existing fractional banking system without extracting liquidity. However, there seems to be no suitable candidates that have perfected the system design and execution required.
Feasibility for Bitcoin: N/A, no viable candidates on the market.
Feasibility for Ethereum: N/A, no viable candidates on the market.
Potential Solution 3: Bitcoin as THE decentralised stablecoin
A food for thought: What if Bitcoin became the decentralised “stablecoin” free from censorship? This seems to solve issues both Bitcoin and Ethereum faces.
Feasibility for Bitcoin: Seems like something Bitcoiners can get onboard since 1 BTC = 1 BTC. This could potentially solve the situation of a declining security budget issue due to a lack of transaction activity (recap: block rewards trend to zero = all miners revenue depend on transaction fees = need sufficient transaction activity to remain solvent and keep hash rate high). If BTC was used widely on Ethereum (and any other programmable blockchain), transaction activity would come from it being the base layer money for DeFi and many other applications. Economic incentives can then be sustained for miners, further strengthening censorship resistance against any attackers.
Feasibility for Ethereum: Imagine a situation where USDC or USDT is censored, resulting in a chain fork where there is neither fiat pegged stablecoin. How many users would choose to live within that “minority bubble”? If Bitcoin were used as the decentralised stablecoin, it would remove the reliance on fiat pegged stablecoins, making chain forks a more realistic alternative when faced with strong censorship attacks. Users will then not have to worry about a destruction of economic value, knowing Bitcoin as the base layer money have strong censorship resistance properties.
RPC Networks
Remote Procedure Call (RPC) networks are critical to blockchains. It provides access to a server node and allows the user to communicate and interact with the blockchain while interacting with programs in a separate location. Given that specific hardware is required to run these RPC nodes, most developers turn to centralised RPC networks such as Infura and Alchemy for their dApp API needs. The drawback is that these centralised RPC networks can restrict access to blockchain data in the event that they need to comply with any jurisdictional laws, and also serve as a central point of failure that can be susceptible to hackers. The end result is that users may face service disruptions that provide poor user experience.
Solution 1: Light Clients
Ethereum has been pushing for more users to run their own light clients. Light clients do not store the full state history of the chain, instead relying on Sync committees to sync up to the chain. They are also able to make arbitrary queries on the state of the network by asking other full nodes rather than going through the centralised Infura or Alchemy.
Bitcoin has always encouraged users to run their own light clients. Light clients on Bitcoin can interact with the network but do not store the blockchain, and can query other nodes for data on interested blocks and transactions.
Solution 2: Decentralised RPC Networks
Decentralised RPC network providers give out economic incentives for distributed RPC nodes to provide applications and users access to blockchain data. By using a decentralised set of RPC nodes, the base protocol layer can enhance its security and censorship resistance given there is no single point of failure. Existing solutions include Pocket Network, Ankr, and also GenesysGo from Solana.
While both Ethereum and Bitcoin will benefit from a decentralised RPC layer, it will be a greater censorship resistance improvement for Ethereum given the multiple applications that utilise RPC networks.
Core developers and project teams
Given the arrest of Alexey Pertsev, founder of Tornado Cash, it has sparked the topic of whether developers or project teams could be held accountable for their open source code. Should they then be anonymous? Being easily identifiable puts individuals within jurisdictions which could mean they are susceptible to regulatory control. While there is no definite proof that founders or developers can be held accountable for their code, it may be wise to ensure that teams are also geographically distributed to counter any potential for censorship from one particular jurisdiction.
Conclusion 3: External dependencies are clear threats towards censorship resistance of the base layer protocol
The biggest issue to address in our opinion is the choice of base layer money, failing which, both economic value of Bitcoin and Ethereum is tied to USDC and USDT which are susceptible to US regulations. Other issues that could threaten censorship resistance include the RPC layer and protocol developers, but we believe existing solutions are available to mitigate and eventually eliminate those issues.
Closing Thoughts
While we put both Bitcoin and Ethereum up against each other extensively in this exercise, we firmly believe that there is no reason why we should pick one over the other. Bitcoin’s properties make it suitable for base layer money but the programmability of blockchains like Ethereum is paramount for us to enjoy on-chain applications.
At the end of the day, our main goal should be to fight for the properties of decentralisation, censorship resistance and self-sovereignty, something both Bitcoin, Ethereum and many other blockchains continue to strive to achieve.
If you found this discussion interesting and would like to participate, feel free to engage with us :)
Written By Henry Ang, Mustafa Yilham, Allen Zhao & Jermaine Wong