Special gratitude to Tim Swanson for his review, and for additional conversations regarding the arguments presented in his initial paper on settlement finality.
Recently, a prominent conflict in the ongoing discussion between advocates of public blockchains and supporters of permissioned blockchains revolves around the matter of settlement finality. One of the basic characteristics that a centralized system seems to possess is a concept of “finality”: once an action is performed, that action is finalized permanently, and there is no mechanism by which the system can “undo” that action. Decentralized systems, based on their specific design characteristics, may offer that feature, or they may present it probabilistically, within certain economic constraints, or not at all. Naturally, public and permissioned blockchains behave very differently in this context.
This idea of finality holds significant relevance in the financial sector, where organizations require a rapid assurance concerning whether certain assets are legally “theirs”. If their assets are considered to belong to them, then it should not be feasible for an unforeseen blockchain anomaly to casually determine that the action that secured those assets is now undone, resulting in their ownership claim being invalidated.
In one of his recent publications, Tim Swanson asserts:
Entrepreneurs, investors, and enthusiasts maintain that public blockchains serve as a feasible settlement mechanism and layer for financial instruments. However, by their very design, public blockchains cannot reliably ensure settlement finality, making them currently an unreliable choice for the clearing and settling of financial instruments.
Is this accurate? Are public blockchains entirely incapable of providing any sense of settlement finality? Is it true, as some proof-of-work purists suggest, that solely proof-of-work mechanisms can achieve genuine finality while permissioned chains are illusory? Or is the actuality more intricate and multifaceted? To thoroughly grasp the distinctions between the finality characteristics provided by various blockchain architectures, we must delve into the realms of mathematics, computer science, and game theory—essentially, cryptoeconomics.
Finality is inherently probabilistic
First and foremost, a crucial philosophical assertion is that there exists no system in the world that can provide absolute 100% settlement finality in the strictest interpretation of the term. If share ownership is noted in a physical registry, there always exists the possibility for that registry to be destroyed, or for a vandal to infiltrate the registry, turn a “1” into a “9” by drawing a “c” in front of it, and flee. Even in the absence of any hostile actors, it’s conceivable that one day all individuals aware of the registry’s location could be struck by lightning and perish simultaneously. Centralized digital registries face similar vulnerabilities, and arguably, executing an attack may be even simpler, especially if the security of the central bank of Bangladesh serves as a benchmark.
In scenarios involving entirely on-chain “digital bearer assets” where ownership exists solely through the blockchain itself, the only recourse available is a community-driven hard fork. Conversely, when utilizing blockchains (whether permissioned or public) as registries for the ownership of legally recognized assets (like land, shares, fiat currency, etc.), the judicial system ultimately holds the decision-making authority regarding ownership. Should the registry fail, the courts may pursue one of two options. Firstly, attackers could potentially devise a method to extract their assets from the system before a response is initiated. In such an instance, the overall quantity of assets recorded on the ledger and the total number of assets in reality would become misaligned; hence, it becomes a mathematical certainty that someone with a finalized balance of x will ultimately have to settle for an actual balance of y.
Nonetheless, the courts have another option available to them. They are not obligated to regard the registry in its conventional form and interpret the outcomes at face value; it is the duty of physical courts to assess intent, determining that the appropriate action in response to the “c” placed before the “1” is to utilize an eraser, rather than acquiescing to the notion that uncle Billy is now wealthy. Once again, finality is not truly final, although this particular instance of finality reversal may serve the greater good of society. These considerations extend to all other mechanisms utilized for maintaining registries and the attacks inflicted upon them, including 51% assaults on both public and consortium blockchains.
The practical significance of the philosophical argument asserting that all registries are vulnerable is bolstered by historical evidence provided by Bitcoin’s experiences. In Bitcoin, there have been three notable occasions where a transaction was reverted after a significant duration:
- In 2010, an assailant was able to generate 186 billion BTC by exploiting an integer overflow vulnerability. This was addressed, but it necessitated the reversal of half a day’s worth of transactions.
- In 2013, the blockchain experienced a fork due to a bug that existed in one version of the software but not in another, resulting in a portion of the network rejecting a chain accepted as dominant by the other part. The division was resolved after six hours.
- In 2015, approximately six blocks were reversed because a Bitcoin mining pool was mining invalid blocks without proper verification.
Among these three events, only in the case of the third does the underlying issue stem specifically from the consensus of a public chain. The reason for the mining pool’s erroneous actions was directly related to a breakdown in the economic incentive structure (essentially, a variation of the verifier’s dilemma challenge). In the other two incidents, the failure resulted from a software malfunction, an occurrence that could have transpired in a consortium chain as well. One might contend that a consensus algorithm that prioritizes consistency, such as PBFT, would have averted the second occurrence; however, even that would have faltered when confronted with the initial incident, where every node was executing code with the overflow flaw.
Consequently, one can present a fairly compelling argument that if an individual is genuinely focused on reducing failure frequencies, there exists a suggestion that may be even more beneficial than “transition from a public chain to a consortium chain”: operate multiple versions of the consensus code, and only deem a transaction as confirmed if all of the implementations endorse it (it is important to note that this is already standard guidance we provide to exchanges and other high-value entities utilizing the Ethereum platform). Nevertheless, this represents a false dichotomy: if one desires true resilience, and concurs with the claims advanced by consortium chain advocates that the consortium trust framework is more secure, then one should assuredly pursue both options.
Finality in Proof of Work
From a technical perspective, a proof of work blockchain never permits a transaction to be conclusively “finalized”; for any specific block, there exists the chance that someone will construct a longer chain beginning from a block prior to that block and omitting it. In practical terms, however, financial intermediaries operating on public blockchains have developed a highly effective method for assessing when a transaction is sufficiently near to being final for them to base decisions upon it: awaiting six confirmations.
The probabilistic reasoning here is straightforward: if an aggressor possesses less than 25% of the network’s hashpower, we can conceptualize an attempted double spend as a random walk starting at -6 (indicating “the attacker’s double-spend chain is six blocks shorter than the original chain”), with each step having a 25% probability of adding 1 (for example, the attacker creates a block and progresses forward) and a 75% probability of decreasing by 1 (the original chain creates a block). We can ascertain the likelihood that this process will ever reach zero (i.e., the attacker’s chain surpassing the original) mathematically, using the formula (0.25 / 0.75)^6 ~= 0.00137 – lower than the transaction fee that virtually all exchanges impose. If you seek even greater certainty, you could wait for 13 confirmations for a one-in-a-million chance of the attacker succeeding, and 162 confirmations for a likelihood so diminutive that the attacker is literally more likely to guess your private key in a single try. Hence, some concept of de-facto finality even on proof-of-work blockchains does indeed exist.
However, this probabilistic reasoning presupposes that 75% of nodes act honestly (at lower levels such as 60%, a similar argument can be made, but more confirmations are necessary). An economic discussion also emerges: is that assumption likely to hold true? There are claims that miners can be incentivized, for example, through a P + epsilon attack, to all adhere to an attacking chain (a practical method of executing such a bribe might involve operating a negative-fee mining pool, possibly promoting a zero fee while discreetly offering even greater profits to evade suspicion). Attackers may also attempt to breach or disrupt the infrastructure of mining pools, an assault that could potentially be executed very inexpensively since the incentive for security in proof of work is limited (if a miner is compromised, they only lose their rewards for a brief period; their principal remains secure). Last but not least, there exists what Swanson has referred to as the “Maginot Line” attack: investing a massive sum into the issue and simply introducing more miners than the entire remaining network combined.
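The random-walk argument above, worked through as an added example (not code from the original article). The function names are hypothetical, and treating "guess your private key in a single try" as a probability of 2^-256 is an assumption of this example. It goes slightly beyond the text by also stepping the walk forward block by block to confirm the closed form.

```python
from fractions import Fraction


def catch_up_probability(q, z):
    """Chance that an attacker with hashpower share q, starting z blocks
    behind, ever draws level with the honest chain (the walk reaches zero)."""
    q = Fraction(q)
    if not 0 <= q <= 1:
        raise ValueError("q must be a share between 0 and 1")
    if z <= 0:
        return Fraction(1)           # nothing left to catch up
    p = 1 - q                        # honest share of hashpower
    if q >= p:
        return Fraction(1)           # at 50% or more the attacker always catches up
    return (q / p) ** z


def confirmations_needed(q, max_risk):
    """Smallest confirmation count whose catch-up probability is <= max_risk."""
    q, max_risk = Fraction(q), Fraction(max_risk)
    if q >= Fraction(1, 2):
        raise ValueError("no confirmation count helps against 50% or more")
    if max_risk <= 0:
        raise ValueError("max_risk must be positive; finality is never absolute")
    z = 0
    while catch_up_probability(q, z) > max_risk:
        z += 1
    return z


def catch_up_within(q, z, blocks):
    """Probability of drawing level within `blocks` further blocks, found by
    stepping the walk's distribution forward. It approaches the closed form
    from below as `blocks` grows."""
    if z <= 0:
        return 1.0
    q = float(q)
    deficit = {z: 1.0}               # blocks behind -> probability mass
    caught = 0.0
    for _ in range(blocks):
        nxt = {}
        for d, mass in deficit.items():
            if d == 1:
                caught += mass * q   # attacker block closes the last gap
            else:
                nxt[d - 1] = nxt.get(d - 1, 0.0) + mass * q
            nxt[d + 1] = nxt.get(d + 1, 0.0) + mass * (1 - q)
        deficit = nxt
    return caught


if __name__ == "__main__":
    quarter = Fraction(1, 4)
    print("6 confirmations, 25% attacker:", float(catch_up_probability(quarter, 6)))
    print("same, limited to 400 blocks:  ", catch_up_within(quarter, 6, 400))
    print("one in a million:             ", confirmations_needed(quarter, Fraction(1, 10**6)))
    print("below 2^-256 (assumed):       ", confirmations_needed(quarter, Fraction(1, 2**256)))
    # 60% honest: confirmations needed to match the 6-confirmation risk above
    print("40% attacker, same risk:      ", confirmations_needed(Fraction(2, 5), Fraction(1, 729)))
```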
Finality in Casper
The Casper protocol is designed to provide more robust finality assurances than proof of work. First, there is a standard definition of “total economic finality”: it occurs when 2/3 of all validators make maximum-odds wagers that a specific block or state will be finalized. This condition creates very strong incentives for validators to refrain from colluding to revert the block: once validators place such maximum-odds wagers, in any blockchain where that block or state is absent, the validators forfeit their entire deposits. As Vlad Zamfir articulated, envision a version of proof of work where participating in a 51% attack results in your mining hardware being destroyed.
Secondly, the pre-registration of validators implies there is no possibility that other validators elsewhere are forming the equivalent of a longer chain. If you observe 2/3 of validators committing their full stakes to a claim, and simultaneously witness 2/3 of validators committing their full stakes to a conflicting claim, that inherently suggests that the overlap (i.e., at least 1/3 of validators) will now forfeit their entire deposits regardless of the outcome. This is what we refer to as “economic finality”: we cannot guarantee that “X will never be reverted”, but we can assure the slightly weaker assertion that “either X will never be reverted or a large group of validators will willingly destroy millions of dollars of their own assets.”
Lastly, even in the event of a double-finality occurrence, users are not compelled to accept the claim with the greater stake behind it; on the contrary, users will have the freedom to manually select which fork to follow, and certainly can simply opt for “the one that occurred first.” A successful attack in Casper resembles more a hard-fork than a reversion, and the user community surrounding an on-chain asset is quite free to apply common sense to ascertain which fork was not the result of an attack and genuinely reflects the outcome of the transactions originally agreed upon as finalized.
Law and Economics
Nevertheless, these enhanced safeguards are still economic in nature. This leads us to the subsequent component of Swanson’s argument:
Therefore, if the market valuation of a native token (such as bitcoin or ether) rises or falls, so too does the volume of work produced by miners who vie to acquire the network’s seigniorage and expend or reduce capital investments in correlation to the token’s marginal value. This opens up the distinct possibility that, under specific economic circumstances, Byzantine actors can and will effectively execute block reorganization without any legal recourse.
There are two variations of this argument. The first represents a sort of “law maximalist” perspective that “mere economic assurances” are without value and that, in some fundamental philosophical sense, legal assurances are the only type of assurances that matter. This strong version is clearly incorrect: in numerous instances, the primary or sole type of penalty that the law dispenses for wrongdoing is monetary fines, and fines are in essence merely a “simple economic motivation”. If such economic motivations suffice for the law, at least in some scenarios, then they should also be adequate for settlement frameworks, at least in certain situations.
The second iteration of the argument is considerably more straightforward and pragmatic. Imagine that, in the present context where the total worth of all existing ether is $700 million, you ascertain that you require $30 million of mining capability to effectively execute a 51% attack, and once Casper is activated you forecast that there will be a staking participation rate of 30%, leading to finality reversion incurring a minimum cost of $700 million * 30% * 1/3 = $70 million (if you’re prepared to lessen your tolerance for validators going offline to 1/4, then you can elevate the finality threshold to 3/4, thus enlarging the intersection to 1/2 and resulting in an even greater security margin at $105 million). If you are dealing with $10 million worth of shares, and plan to do this for merely two months, then this is most likely acceptable; the economic incentives of the public blockchain will effectively discourage misconduct, making any assault hardly worth the hassle.
Now, suppose you aim to trade $10 million worth of shares, but you are committing to using the Ethereum public blockchain as the foundational infrastructure for five years. In this scenario, your level of certainty is significantly reduced. The value of ether could remain the same or increase, or it might plummet to near-zero. The participation rate in Casper might rise to 50%, or it could fall to 10%. Thus, it is entirely feasible that the expense associated with a 51% attack could decrease, potentially dropping below $1 million. At that juncture, executing a 51% assault to gain profits through some form of market manipulation becomes entirely plausible.
A third scenario is even more apparent: what if you wish to trade $100 billion worth of shares? Now, the expenses associated with attacking the public blockchain are trivial compared to the possible profits from a market manipulation scheme; therefore, the public blockchain is wholly inappropriate for such an endeavor.
It is noteworthy that estimating the cost of an attack isn’t as straightforward as demonstrated previously. If you incentivize existing validators to execute an attack, then the calculations hold. However, a more realistic scenario would involve acquiring coins and utilizing those deposits to carry out the attack; this would incur a cost of either $105 million or $210 million depending on the finality threshold. The act of purchasing coins may also impact the price. An attack, if not carefully orchestrated, will almost certainly lead to even greater losses than the theoretical minimum of 1/3 or 1/2, and the potential revenue from an attack is likely to be significantly lower than the total worth of the assets. Nonetheless, the overarching principle remains unchanged.
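The cost figures in the paragraphs above, reproduced as an added example (not code from the original article). Function names are hypothetical; the purchase model, in which the attacker's new deposits must make up the overlap share of the enlarged deposit pool, is this example's reading of the $105 million and $210 million figures; price impact is ignored; and the downturn scenario at the end uses constructed numbers.

```python
from fractions import Fraction


def min_overlap(threshold):
    """Smallest share of validators that must have signed both of two
    conflicting claims when each claim reached `threshold` of all validators."""
    threshold = Fraction(threshold)
    if not Fraction(1, 2) < threshold <= 1:
        raise ValueError("a finality threshold must lie in (1/2, 1]")
    return 2 * threshold - 1         # 2/3 -> 1/3, 3/4 -> 1/2


def cost_existing_validators(market_cap, participation, threshold):
    """Deposits forfeited when already-staked validators revert finality."""
    staked = Fraction(market_cap) * Fraction(participation)
    return staked * min_overlap(threshold)


def cost_purchased_stake(market_cap, participation, threshold):
    """Coins an outsider must buy and deposit (assumed model):
    solve x / (staked + x) = overlap for x."""
    staked = Fraction(market_cap) * Fraction(participation)
    overlap = min_overlap(threshold)
    if overlap == 1:
        raise ValueError("a threshold of 1 cannot be met by added stake alone")
    return staked * overlap / (1 - overlap)


def margin_covers(asset_value, market_cap, participation, threshold):
    """Crude check: does the cheapest reversion cost exceed the value settled?"""
    return cost_existing_validators(market_cap, participation, threshold) > asset_value


if __name__ == "__main__":
    M = 10**6
    cap, part = 700 * M, Fraction(30, 100)       # figures from the text
    for thr in (Fraction(2, 3), Fraction(3, 4)):
        print(f"threshold {thr}: offline tolerance {1 - thr}, "
              f"existing validators ${cost_existing_validators(cap, part, thr) / M}M, "
              f"purchased stake ${cost_purchased_stake(cap, part, thr) / M}M")
    # Constructed five-year downturn: $25M market cap, 10% participation.
    low = cost_existing_validators(25 * M, Fraction(10, 100), Fraction(2, 3))
    print(f"downturn reversion cost: ${float(low / M):.2f}M")
    for value in (10 * M, 100_000 * M):          # $10M and $100B of shares
        print(f"${value // M}M of shares covered today:",
              margin_covers(value, cap, part, Fraction(2, 3)))
```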
Some advocates of certain cryptocurrencies contend that these apprehensions are temporary, and that in five years the market capitalization of their chosen cryptocurrency will evidently approach $1 trillion, within an order of magnitude of gold, rendering these arguments insubstantial. This stance is, at present, arguably indefensible: if a bank genuinely believes this narrative to be true, then it should abandon its blockchain-based securitization efforts and simply invest in as many units of that cryptocurrency as it can. If, in the future, some cryptocurrency does achieve a level of establishment sufficient for such confidence, it would certainly be worthwhile to revisit the security discussions.
Consequently, overall, the weaker argument, that for high-value assets the economic security margin of public blockchains is insufficient, is entirely valid and is a perfectly reasonable justification for financial entities to investigate private and consortium chains.
Censorship Resistance and Additional Practical Issues
Another issue that arises is the fact that public blockchains are resistant to censorship, enabling anyone to initiate transactions, while financial institutions are obligated to regulate which participants engage in which systems and sometimes the manner of that participation. This is entirely accurate. A counterargument that could be made is that public blockchains, particularly those that are highly generalizable such as Ethereum, can function as foundational layers for systems that impose these restrictions: for instance, one can establish a token contract that permits transactions only to and from accounts that are included in a specific list or are authorized by an entity represented by a designated address on the blockchain. The rebuttal to this counterargument presented elsewhere is that such an arrangement is unnecessarily convoluted, and one might as well develop the mechanism on a permissioned chain from the outset – otherwise one incurs the costs associated with censorship-resistance and autonomy from the traditional legal framework that public chains provide without reaping the benefits. This contention is reasonable, albeit it is critical to underscore that it is an argument surrounding efficiency rather than fundamental feasibility, so if the advantages of public chains unrelated to censorship resistance (e.g., reduced coordination costs, network effects) prove to prevail, it won’t constitute an absolute disqualification.
There are further efficiency concerns. Public blockchains must uphold a high level of decentralization, and the node software must be operable on standard consumer laptops; this creates strains on transaction throughput that are not as pronounced within a permissioned network, where all nodes can simply be required to operate on 64-core servers with exceedingly rapid internet connections. In the future, the expectation is certainly for advancements in sharding to address these issues on the public chain, and if implementation proceeds as anticipated, then in five years’ time there will be no ceiling to the scaling throughput of public chains as long as sufficient parallelization and node addition occur in the network; nevertheless, there will inevitably remain at least some efficiency and thus cost disparity between public and permissioned chains.
The final technical issue is latency. Public chains operate across thousands of consumer laptops on the public internet, whereas permissioned chains function between a considerably smaller number of nodes with high-speed internet connections, which might even be situated physically near one another. Thus, the latency, and therefore the time-to-finality, of permissioned chains will intrinsically be lower than that of public chains. Unlike concerns about efficiency, this is a challenge that can never be rendered negligible due to technological advancements: despite our hopes, Moore’s law does not enable the speed of light to double every two years, and regardless of the optimizations implemented, there will perpetually be a distinction between networks composed of numerous randomly placed nodes and networks formed by a possibly co-located few nodes, and this contrast will always be easily perceptible to the human eye.
Simultaneously, public blockchains undoubtedly possess numerous advantages in their own regard, and it is likely that there are many scenarios where the legal, business development, and trust expenses of establishing a consortium chain for a particular application are so considerable that it makes far more sense to simply utilize the public chain. A major aspect that contributes to the value of the public chain is indeed its capability to permit users to develop applications, irrespective of their social connections: even a 14-year-old can program a decentralized exchange, publish it on the blockchain, and allow others to assess and utilize the application based purely on its own merits. Some developers lack the connections necessary to create a consortium, and public chains play a vital role in supporting these developers. The cross-application synergies that can naturally arise in public chains are another significant advantage. Ultimately, we may witness the two ecosystems maturing to serve different constituencies over time, although they still confront numerous challenges in scalability, security, and privacy, and can greatly benefit by collaborating.
