
How secure is Cardano?

Recently, 51% attacks on cryptocurrencies have been a hot topic. In particular, the recent attack on Ethereum Classic has left the communities of other cryptocurrencies wondering whether their own blockchains are in fact secure. This long read aims to give a complete overview of the security model of Cardano's Settlement Layer. The article first describes how Cardano's PoS consensus mechanism (Ouroboros) works, then the initial and current distribution of the coin and how the incentive distribution to stake pools is organized, and ends with some closing remarks.

Why is Bitcoin secure?

To understand what makes a blockchain secure in the first place, we need to look at Bitcoin, the cryptocurrency that started it all. The following two properties are key characteristics of any distributed ledger, including Bitcoin:

• Persistence: past transactions in the ledger will be immutable.

• Liveness: new transactions must be included without undue delay.

In Bitcoin, persistence is essentially achieved by combining two techniques:

• Proof-of-Work (PoW): nodes use computational power (hash power) to solve a cryptographic puzzle. The node that does so first gets to build a new block (provided it does so before another node solves the puzzle and propagates its block faster). A node's chance of "winning" depends on its hash power and some luck. PoW thus creates randomness in which a node's chances of "winning" are proportional to how much hash power that node (or pool of nodes) contributes to the network.

• The longest chain rule & the heaviest chain rule: when multiple chains exist, for example due to attacks aimed at breaking the immutability of the ledger, the chain with the longest sequence of blocks was originally selected as "the true version" in Bitcoin. Since blocks can only be created by means of PoW, the longest version was considered the hardest to create and should therefore be the only "true version" of the ledger. More recently this was adjusted to "the heaviest chain", in which the chain that received the most hashes is selected, making this assumption even more explicit.

When a node "wins" and successfully generates a new block, it receives newly mined Bitcoins (BTC) and the fees paid by each included transaction. This creates an incentive for every transaction with sufficient fees to be included in the blockchain without undue delay, ensuring liveness.

Bitcoin has survived for more than ten years with 99.98% uptime and no security failures. Bitcoin has worked well in practice, and in 2015 its security model was also mathematically proven to be correct. Bitcoin can therefore be considered secure, under the assumption that the majority of the system's hashing power is controlled by honest parties.

What is a 51% attack?

When the assumption mentioned above does not hold, and a single person or group controls more than half of the network's hash power, a successful 51% attack can be executed. For Proof-of-Work (PoW) coins like Bitcoin, this would mean the attacker is able to solve the cryptographic puzzles faster than the rest of the network, and thus create new blocks faster than the rest of the network combined.

This advantage allows the attacker to create an alternative version of the ledger consisting of a longer chain of blocks, and thus to rewrite the history of transactions. As a result, the blockchain loses its persistence (immutability) and liveness (censorship resistance).

[If someone can create blocks faster than everyone else, they can rewrite the chain's history.]

While the attacker cannot rewrite account balances or execute transactions that never existed, previous transactions can be undone, and the more dominance in hash power the attacker has, the further back "in time" they can go. This means the attacker can spend coins they already own (for example on some off-chain asset such as gold or fiat money at an exchange) and later undo that transaction on the ledger. The attacker thus ends up with both the asset they traded for and the original coins they spent on it. This is called "double-spending".

In the recent case of the 51% attack on Ethereum Classic, there were two reasons why it was a relatively easy target. First, it uses the same algorithm as its "parent chain" Ethereum, but with a hash rate that is orders of magnitude lower. Although we don't know who executed the attack, it is possible that a large Ethereum miner simply switched its hash power from mining Ethereum to mining Ethereum Classic. A second vulnerability of Ethereum Classic is that its hash rate is so small that it costs only about $4,106 per hour in energy expenses to execute a 51% attack (as of 15/01/2019). The required hash power could therefore be rented in full from a service like NiceHash, which means whoever wanted to attack it would not even need to acquire hardware.

Most 51% attacks are therefore aimed at less secure cryptocurrencies, or chains with a minority dominance in their respective algorithms. When it comes to Bitcoin, the distribution of its hashrate over mining pools is frequently a topic of discussion. For example, in July 2014 the mining pool GHash.io controlled more than 51% of Bitcoin's total hash power, creating a single point of failure in that single instance (without any consequences). The likely reason for this is that when participants try to maximize their earnings, simulations show that the mining pool distribution tends towards the use of a single pool, creating centralization. This is known as "the tragedy of the commons": even though participants value decentralization as a concept, none of them individually wants to bear the burden of it. However, the ideals and morality of miners may nevertheless motivate them to behave differently.

On June 20th, I published an article in which I mentioned that the three largest Bitcoin mining pools controlled 52.3% of the hashrate at that time. However, as a result of the bear market and the drop in Bitcoin's price, mining farms closed their doors as Bitcoin became less profitable. A compelling example is the recent crisis at Bitmain, one of the largest developers of mining hardware. This month, "unknown" miners became the largest group in the Bitcoin hashrate distribution, a trend that appears to be continuing, according to this publication by Nic Carter's Coin Metrics team. While this may be a sign that Bitcoin's hashrate distribution is becoming more decentralized, it should be noted that these miners may still participate in a pool but have simply decided not to share this information.

How do Proof-of-Stake systems differ?

As long as it attracts enough honest participants to make it hard for attackers to control the majority of the hash power, Proof-of-Work (PoW) has proven to be secure. However, there are (potential) downsides to PoW, for example:

• The intensive use of computational power consumes a lot of energy. However, the efficiency of mining equipment keeps improving, miners tend to seek out cheaper (often renewable) energy sources, and one can argue that the value Bitcoin adds to society justifies its high energy consumption. Either way, a system that could achieve similar security with lower energy consumption would be preferable from an environmental perspective.

• In PoW cryptocurrencies with a limited supply (e.g. Bitcoin), the number of new coins that can be mined decreases over time, and at some point only fees are available as block rewards. It is still uncertain whether fee-based block rewards will be profitable enough to cover miners' costs and keep incentivizing them to participate in the (distant) future.

• In Proof-of-Work (PoW), coin holders without a (mining) node cannot directly participate in network governance (other than "voting with their feet" by choosing which fork to support, or opting out by selling their coins), while their interests do not necessarily align with those of the developers and miners.

PoS systems attempt to improve these aspects. In PoW, participants in the consensus mechanism essentially put fiat money "at stake" by converting it into the hardware and electricity needed to participate. In PoS, participants use the blockchain's native currency itself to prove they have "skin in the game". As a result, no intensive computations are needed, which lowers energy consumption, and in some cases participants can take part in the network's governance through voting.


This may sound like a "home run", but PoS systems have their problems as well.

First, there is the costless simulation problem, which is related to the nothing-at-stake problem. Since no physical resource is needed to produce blocks, it is possible to create an alternative history of the blockchain and thus create multiple competing chains at no cost, unlike in PoW, where energy costs must be incurred for each competing chain. Somewhat related to this is the problem of grinding attacks: if the blocks themselves are the source of the randomness used to elect block creators, an attacker can manipulate this randomness and keep selecting themselves to "win" indefinitely.

Some systems (e.g. Casper, Ethereum's proposed PoS protocol) have proposed that this problem might be solved by freezing the staked coins and punishing nodes by slashing their coins if malicious behavior is observed. While this may disincentivize nodes from acting maliciously, it also limits honest participants' ability to spend their coins and potentially even puts honest participants' coins at risk of slashing (e.g. in case of a 51% attack, which in Ethereum Casper's case would be a 34% attack).

As a result, the longest chain rule is not directly applicable in PoS in the same way it is used in PoW. Nodes that (re)join the network for the first time or after being offline for a while therefore need to trust the information that they receive from other nodes. This is known as the bootstrapping problem, which increases the network's vulnerability to long range attacks. In a long range attack, a node is offered an alternative version of the blockchain and has limited or no recent information available to distinguish whether this is the correct version.

PoS is not a new concept, but no PoS system to date has overcome all of these design challenges in order to reach the same level of security as Bitcoin.

How does Cardano attempt to solve these issues?

When the Bitcoin whitepaper was released on October 31st, 2008, and the network launched on January 3rd, 2009, it essentially started as an experiment. While the concept was clearly very, very well thought out, its security claims were not mathematically proven correct in an academic setting until 2015. The concept of Proof-of-Work was invented in 1997 by Adam Back (now CEO of Blockstream) for Hashcash, a system aimed at preventing Denial of Service (DoS) attacks and spam e-mails. However, only when it was combined with Bitcoin's incentive structure did it become a success.

Similarly, Cardano hopes to take the concept of Proof-of-Stake (PoS) and solve its flaws. Unlike Bitcoin, where practice preceded formal theory, it aims to let formal theory precede practice, and to prove each security claim mathematically correct before implementing it.
Cardano consists of two layers: a settlement layer in which financial transactions are handled, and a computation layer used for smart contracts. When discussing Cardano's security, both aspects obviously need to be considered. This article focuses strictly on the security of Cardano's Settlement Layer, while the security of the smart contract layer (e.g. compared to Ethereum) will be discussed in a future article.

While Cardano as an ecosystem was launched by Input Output Hong Kong (IOHK), Emurgo and the Cardano Foundation, IOHK is responsible for developing the blockchain technology. Since its launch in 2015, more than 40 academic papers related to Cardano have been published, some of which are available in the research library on IOHK's website. The research program for the settlement layer's consensus mechanism was named "Ouroboros".

Ouroboros (Classic)

The first version of Ouroboros (now referred to as Ouroboros Classic) focused on being secure in a synchronous setting: the situation in which nodes are always online and ready to produce blocks when needed, while all their clocks run in sync.

In Ouroboros, a time period called an "epoch" is divided into 21,600 time "slots" that last 20 seconds each, which means each epoch is exactly 5 days. Each slot represents a 20-second time window in which the "slot leader" (a selected node) can create a block. Before an epoch begins, all slot leaders for this epoch are randomly elected.

To do so, in Ouroboros Classic a method called "Follow-the-Satoshi" is used, which was invented by Litecoin creator Charlie Lee in 2012. In a nutshell, every Lovelace (0.000001 ADA, similar to how 1 Satoshi is 0.00000001 BTC) that is staked represents a lottery ticket to win the right to create a block. This means that anyone can participate with any amount of stake (even with 1 Lovelace) and that the chances of winning are proportional to the number of staked coins: the more stake, the higher the chance of being elected.

However, a lottery needs more than just lottery tickets: it also needs a method to randomly select the winner. To do so, in Cardano's genesis block (the first block ever generated), a seed of random numbers was posted that determined the slot leaders during the first epoch. In Ouroboros Classic, the randomness seed for the next epoch is generated using a cryptographic scheme called publicly verifiable secret sharing (PVSS). In essence, each time a block is created, the nodes play a coin flipping game in order to generate a random number, and use PVSS to commit the outcomes onto the blockchain (a more detailed description can be found here), making them publicly verifiable. At the end of the epoch, these numbers are combined (using XOR) to produce a final random number that all participants use to elect slot leaders for the next epoch. Since the randomness data created during the epoch feeds into the next, a closed loop is formed. This is why the protocol was named Ouroboros, after the mythical serpent biting its own tail.


Ouroboros (source)
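The Follow-the-Satoshi lottery and the XOR seed combination described above, as a toy model added here (not code from the article, from IOHK or from the Ouroboros papers). The node names, stake amounts and the use of SHA-256 over (seed, slot) as the random draw are assumptions for illustration; the real protocol sources its randomness from PVSS (Classic) or a VRF (Praos).

```python
import hashlib
from bisect import bisect_right
from fractions import Fraction

# Constructed stake distribution in Lovelace (1 ADA = 1,000,000 Lovelace).
# Node names and amounts are hypothetical, not real Cardano stake.
STAKE = {
    "alice": 50_000_000,  # 50 ADA
    "bob":   30_000_000,  # 30 ADA
    "carol": 20_000_000,  # 20 ADA
    "dave":  1,           # a single Lovelace still holds one lottery ticket
}
SLOTS_PER_EPOCH = 21_600  # 20-second slots, 5 days per epoch


def cumulative_stake(stake):
    """Deterministic node order plus running totals; each Lovelace gets one index."""
    names = sorted(stake)
    bounds, total = [], 0
    for name in names:
        total += stake[name]
        bounds.append(total)
    return names, bounds, total


def follow_the_satoshi(stake, seed, slot):
    """Draw one Lovelace index from hash(seed || slot) and return its owner as slot leader."""
    names, bounds, total = cumulative_stake(stake)
    digest = hashlib.sha256(seed + slot.to_bytes(8, "big")).digest()
    ticket = int.from_bytes(digest, "big") % total
    # bisect_right returns the first cumulative bound strictly greater than the
    # ticket, i.e. the node whose Lovelace range contains that ticket.
    return names[bisect_right(bounds, ticket)]


def elect_epoch_leaders(stake, seed, slots=SLOTS_PER_EPOCH):
    """Leader schedule for a whole epoch, fixed before the epoch starts."""
    return [follow_the_satoshi(stake, seed, s) for s in range(slots)]


def win_probability(stake, name):
    """Exact per-slot election probability: proportional to staked Lovelace."""
    return Fraction(stake[name], sum(stake.values()))


def next_epoch_seed(revealed_values):
    """Fold the per-block random values revealed during an epoch together with XOR."""
    seed = bytes(32)
    for value in revealed_values:
        seed = bytes(a ^ b for a, b in zip(seed, value))
    return seed


if __name__ == "__main__":
    seed = hashlib.sha256(b"constructed genesis seed").digest()
    schedule = elect_epoch_leaders(STAKE, seed)
    for name in sorted(STAKE):
        share = schedule.count(name) / SLOTS_PER_EPOCH
        print(f"{name:6s} expected {float(win_probability(STAKE, name)):.8f} got {share:.5f}")
    # The values revealed by this epoch's block leaders become next epoch's seed.
    revealed = [hashlib.sha256(seed + bytes([i])).digest() for i in range(5)]
    print("next epoch seed:", next_epoch_seed(revealed).hex())
```

Running it shows the observed leader shares converging on each node's stake share, and that a single Lovelace is eligible but practically never wins.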

Ouroboros Classic was the first PoS protocol that was mathematically proven to guarantee persistence and liveness in a synchronous setting, under the assumption that an honest majority is participating. However, nodes can go offline both accidentally (e.g. power outage or computer crash) and intentionally (e.g. the node holder just stops), and clocks on the internet are usually not all synced, which means that the "real world use" of the protocol is usually not a synchronous setting. Furthermore, the slot leader selection is fully transparent in Ouroboros Classic and slot leaders are known ahead of time, which isn't ideal from a security perspective. This is why the second version of the protocol, Ouroboros Praos, focused on also being secure in a semi-synchronous setting and on concealing the slot leader selection process.

Ouroboros Praos

Praos is ancient Greek for "relax", which refers to the characteristic of the protocol that participants don't need to stress about being continuously online with a synchronized clock. To achieve this, a few techniques are combined. First, the PVSS method was replaced by a cryptographic function called a Verifiable Random Function (VRF). VRFs were originally invented by Turing Award winner Silvio Micali, who is currently a professor at MIT and is working on a cryptocurrency called Algorand. During each epoch, participating nodes use three things in the slot leader election:

• the stake distribution snapshot for the epoch, which is created before it starts,

• the randomness seed that is calculated based on the previous epoch,

• and the VRF itself, which is specified in the protocol as part of each node's code base.

The snapshot of the stake distribution is quite straightforward. Before a new epoch begins, a snapshot is made of all the Lovelaces that are being staked and of which nodes control their stake rights at that point in time. Since this snapshot is used throughout the slot leader election, the actual staked coins themselves are never frozen and thus remain spendable at all times.

During the epoch, nodes use the stake distribution snapshot and the randomness seed calculated during the previous epoch as inputs to their VRF to create a pseudo-random number that determines whether they have won the election. The node that wins the election creates the block and includes this number in the block header. All other nodes use the VRF to verify that the number included in the block indeed shows that its creator won the election for that slot based on the randomness seed. Nodes therefore don't find out who won the slot leader election until the block is signed (or unless they won themselves). This also means that if a node is due to create a block but is offline at that time, the opportunity simply passes and the other nodes never find out who was supposed to create this block. The block can't be created by another node (e.g. an attacker), since it would be recognized as invalid by the rest.

Once every epoch (at about 3/4 of the way through), all the numbers that were included in the block headers are combined (also using XOR, just like in Ouroboros Classic). All nodes use this as input to locally calculate the randomness seed for the next epoch. Since all nodes take the same numbers from the same blockchain and use the same method to combine them, all outcomes match, even though nodes calculate them locally. This newly created randomness seed and the new snapshot of the stake distribution are then used in the next epoch, creating an endless cycle that repeats every epoch.

In Ouroboros Praos, mathematical proofs showed that persistence and liveness can be guaranteed even in a semi-synchronous setting, again under the assumption that an honest majority is participating. However, the bootstrapping problem hadn't been addressed yet, which thus became the focus of the third version of the protocol: Ouroboros Genesis.


Ouroboros Genesis (source)

Ouroboros Genesis

As described earlier, when a new node or a node that has been offline for a while (re)joins the network, it needs to be able to trust the information given to it by other nodes regarding which version of the blockchain represents the truth. In PoW, this can be done using the longest chain rule, since the most work went into creating it and it is thus considered the "true version" of the ledger, under the assumption that the majority of the miners are honest. PoS protocols use alternative methods (e.g. local moving checkpoints or Byzantine Fault Tolerance), but these only work in a synchronous setting where nodes are always online, which is an assumption that is pretty much impossible to hold in a real-world setting. In the Ouroboros Genesis paper, the authors even conclude that none of the currently existing PoS systems can realize full ledger functionality in the same way that Bitcoin does in such a setting.

To solve the bootstrapping problem, a new chain selection rule called the "Plenitude Rule" is proposed in Ouroboros Genesis. While the mathematical proofs described in the 64-page paper are difficult to grasp for non-cryptographers (although this video by Aggelos Kiayias, one of the authors, might help), the authors show that adversarial blockchains in Ouroboros exhibit a less dense block distribution after the point where they diverge from other versions of the chain. Simply put: the attacker's chain will contain fewer blocks in the time period shortly after the divergence point, despite potentially containing more blocks altogether and being the longest chain. Therefore, when multiple chains of similar length are available, the Plenitude Rule looks for the point at which the chains diverge and "went their own ways" regarding their block distribution. It then divides the chain's history after the divergence point into periods and determines for which version the block distribution right after the divergence point is the densest, which is the chain that will be selected. Due to this rule, nodes that are new to the network or have been offline for a while can (re)join and be guaranteed to download the correct version of the chain, as long as there are enough honest parties. This solves the bootstrapping problem and helps prevent long range attacks.

It should be noted that the Plenitude Rule only works in a protocol like Ouroboros, where time is divided into slots, slot leaders for the whole epoch are elected in advance, and nodes can verify whether each block was created by the correct node. This combination of features makes it possible to guarantee that no one can counterfeit their way into creating a block during someone else's slot. As a result, it is impossible for a single node to create a fake chain unless that chain has lots and lots of empty slots, and such a chain is automatically discarded under the Plenitude Rule, as it is less dense.
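A simplified model of the density-based chain selection described in the last two paragraphs, added here as an illustration (not code from the article or from the Ouroboros Genesis paper). Chains are lists of (slot, block_id) with a shared prefix; the constructed honest and attacker chains show a longer but sparser attacker chain losing to the denser honest one. The parameters k (fork depth at which the density comparison replaces longest chain) and s (window length after the fork) and the tie-breaking are assumptions of this toy, not the paper's exact definitions.

```python
# Each block is (slot, block_id); a chain is a list of blocks ordered by slot,
# starting with the genesis block. Block ids are constructed labels.
GENESIS = (0, "genesis")


def divergence_index(local, candidate):
    """Number of leading blocks the two chains share (at least 1: genesis)."""
    i = 0
    while i < min(len(local), len(candidate)) and local[i] == candidate[i]:
        i += 1
    return i


def blocks_in_window(chain, fork_slot, s):
    """How many blocks a chain managed to fill in the s slots right after the fork."""
    return sum(1 for slot, _ in chain if fork_slot < slot <= fork_slot + s)


def longest_chain(local, candidate):
    """Bitcoin-style rule: switch only to a strictly longer chain."""
    return candidate if len(candidate) > len(local) else local


def plenitude_select(local, candidate, k, s):
    """Simplified Genesis rule: forks at most k blocks deep fall back to longest
    chain; deeper forks are judged on block density in the s slots after the
    divergence point, which a minority attacker cannot fill."""
    i = divergence_index(local, candidate)
    if i == 0:
        raise ValueError("chains do not share a genesis block")
    if len(local) - i <= k:
        return longest_chain(local, candidate)
    fork_slot = local[i - 1][0]  # slot of the last block both chains agree on
    local_density = blocks_in_window(local, fork_slot, s)
    cand_density = blocks_in_window(candidate, fork_slot, s)
    if cand_density > local_density:
        return candidate
    return local  # ties keep the chain we already hold


def build_chain(prefix, slots, tag):
    """Extend a shared prefix with one block per listed slot (constructed data)."""
    return prefix + [(slot, f"{tag}{slot}") for slot in slots]


SHARED = [GENESIS, (1, "b1"), (2, "b2")]
# Honest leaders kept producing in almost every slot after the fork at slot 2.
HONEST = build_chain(SHARED, [3, 4, 5, 6, 8, 9, 10, 12], "h")
# A minority attacker wins only a few of the early slots, then pads its private
# chain later so that it ends up longer overall.
ADVERSARY = build_chain(SHARED, [5, 9, 13, 14, 15, 16, 17, 18, 19, 20, 21], "x")

if __name__ == "__main__":
    print("longest chain rule picks:", longest_chain(HONEST, ADVERSARY)[-1][1])
    print("plenitude rule picks    :", plenitude_select(HONEST, ADVERSARY, k=3, s=6)[-1][1])
```

Swapping the roles (a node holding the attacker chain that is offered the honest one) gives the same answer, which is what lets a rejoining node converge on the honest chain.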

Since the "update" of the protocol to the Genesis version, Ouroboros is the first PoS protocol that is mathematically proven to guarantee persistence and liveness in both a synchronous and a semi-synchronous setting, under the assumption that an honest majority is participating, just like Bitcoin. Hence, it is more secure than other PoS protocols that require at least 2/3 honest participants (e.g. Ethereum Casper, Algorand) and equally secure as Bitcoin, but with a much lower energy expenditure and better performance.

While Cardano is similarly secure as Bitcoin in preventing 51% attacks, Bitcoin has an advantage over Cardano after a 51% attack has been executed. In Bitcoin, the honest minority could simply add extra hash power to regain control over the network by bringing new miners online. In Cardano, once an attacker owns 51% of the staked or even of the circulating supply (the latter would also guarantee the attacker has the majority of the staked supply), control over the network can only be regained if the attacker sells their coins, or by forking the blockchain. However, is it likely that someone would be able to control that large a stake? Let's have a look.

How was ADA originally distributed?

In a PoS protocol, staking coins is necessary to participate in the consensus mechanism. Since the existence of coins is required to execute the protocol, a certain initial coin distribution was required. At the time (2015), the concept of Initial Coin Offerings (ICOs) was becoming popular, but there were concerns that holding an ICO by minting virtual assets and selling them to the general public might fall under securities regulations. IOHK, Emurgo and the Cardano Foundation therefore chose to sell 25,927,070,538 ADA "vouchers" in a private sale in Japan and a few other Asian countries that were redeemable for ADA after the main-net was launched in September 2017.

Bitcoin purists in particular, who believe only Bitcoin had a fair launch, tend to react adversely to the idea of a new form of money being created and sold. At Bitcoin's launch, Satoshi Nakamoto first shared the code to run a Bitcoin node publicly, allowing anyone to participate in network consensus from the start. While Nakamoto clearly had an advantage since just a few people knew of Bitcoin's existence, the fact that anyone could have participated and that Bitcoin's success was far from a given arguably made it fair. However, the recent launch of the Grin privacy coin illustrates that a similar "fair launch" is perhaps no longer possible, as ~$100 million in venture capital money was rumored to be invested in mining Grin. In essence, the choice for Cardano's private sale was a trade-off between geographical distribution and regulatory certainty, where the latter was chosen as a priority.


In total, 25,927,070,538 ADA were sold for $63 million (= $0.0024 per ADA) to over 10,000 people during the voucher sale, which was held between September 2015 and January 2017. According to the distribution audit that was held on behalf of the Cardano Foundation, 94.45% of the ADA was sold to Japanese citizens, 2.56% to Koreans, 2.39% to Chinese and the remaining 0.61% to citizens of 5 other Asian countries.

The other 5,185,414,108 ADA (20% of the amount of ADA sold during the voucher sale and 16.7% of ADA's 31,112,484,646 ADA total supply) were distributed over IOHK, Emurgo and the Cardano Foundation. IOHK has publicly shared its ADA address and that one third of the 2,463,071,701 ADA they received (of which ~97.5% is still there) is available immediately, one third is made available on June 1st, 2018 and the final third on June 1st, 2019. While the Cardano Foundation and Emurgo haven't publicly shared their ADA addresses, it is believed that Emurgo originally held 2,074,165,643 ADA in this address and the Cardano Foundation originally held 648,176,763 ADA in this address, as the sum of these amounts adds up exactly to the original total. Finally, the remaining 13,887,515,354 ADA of the 45 billion ADA that will ever exist (maximum supply) will be minted as block rewards.

What is the current ADA distribution like?

Since the voucher sale had a very limited geographical reach, and in a PoS system stake equals power, distributing the coins over more people is very important for network decentralization and thus security.

The principle of how this is achieved is quite simple: coin holders need to sell their coins to people who don't own any coins yet. In Cardano's case, the voucher sale was held at the beginning of a bull market, between September 2015 and January 2017. When Cardano's main-net launched in September 2017 and the voucher sale participants received their ADA, the coins had already greatly appreciated in value. As a result, when the coins became tradeable on exchanges, voucher sale investors sold (some of) their coins.

The following graphic was derived from a webpage made by a Cardano Forum member called Markus (forum handle "Werkof") and gives a visual representation of the coin distribution (technically, the UTxO distribution) over time. The colors represent categories of addresses holding a certain number of coins; the higher layers represent addresses holding large amounts of ADA. Specifically: (i) purple = 10M-100M ADA, (ii) pink = 1M-10M ADA, (iii) dark brown = 100k-1M ADA, (iv) light brown = 10k-100k ADA, (v) darkest blue = 1k-10k ADA, (vi) second darkest blue = 100-1k ADA, (vii) second lightest blue = 10-100 ADA, (viii) lightest blue = 1-10 ADA, and the green categories represent "dust": addresses with a balance lower than the fees needed to use them in a transaction.


Cardano’s UTxO distribution over time (source)

Particularly in December 2017, as Bitcoin was soaring to a new all-time high and other cryptocurrencies became very popular, the graphic shows a large shift from the largest addresses to smaller addresses. Throughout the 2018 bear market, a small decrease in the top two layers can be observed, although the general trend can best be described as consolidating, since no significant (relevant) shifts in distribution are visible. A tentative hypothesis can therefore be formed that repeated market cycles may further improve coin distribution, since bull cycles incentivize coin holders to sell (some of) their coins and new people may be attracted by the hype cycle.

One important thing to realize when analyzing the coin (/UTxO) distribution based on addresses is that a wallet can manage multiple addresses, and a single person can manage multiple wallets. While this would suggest that the number of addresses overestimates the number of people owning coins, the fact that exchange addresses can also hold the coins of many people means that we really just don't know. Although it doesn't necessarily prove anything, analyzing how much ADA the top addresses are holding may help to gain some insight into the coin distribution. AdaScan and Clio.1 are good resources for this, e.g. by using the "Rich List".

The top-10 addresses on AdaScan's "Rich List", 21–1–2019 (source)

On 21–1–2019, Binance is the largest ADA holder, despite only one of its addresses being listed here. The ADA addresses of IOHK and the Cardano Foundation are also labelled and visible in the top 5. Based on the number of transactions, it is likely that the #4 and #7 listed addresses are also exchanges. On this day, these top-10 ADA holders hold 30% of Cardano's current supply.

If we zoom out using the next two pie charts, we see that on 21–1–2019 the top 1.34% of all ADA addresses (keep in mind that this total includes a large number of "dust" addresses as well) hold 22,434,630,873 ADA, which is 72.1% of the current supply.


ADA distribution, 21–1–2019 (source)

Drawing any conclusions about the likelihood of a 51% attack on Cardano based on these numbers is arbitrary at best. However, seeing the coin distribution and the number of active addresses grow over time will be necessary to increase confidence in the assumption that enough people are using Cardano to make it unlikely that a single person or collaborating group will be able to control 51% of the stake. Let's have a look at how acquiring 51% of the stake would work.

How would acquiring 51% of the stake work?

At the time of writing, staking is not yet possible on Cardano. It is therefore unknown how much of the current circulating supply of ADA will be staked once this is possible. However, if a single person or entity were to control 51% of the current circulating supply (25,927,070,538 ADA), controlling 51% of the stake is guaranteed. According to CoinMarketCap, one ADA is worth $0.042971 at the time of writing (21–1–2019), which means Cardano's current market cap is $1,114,118,098. At current prices, an attacker would therefore need to own at least $557,059,050 worth of ADA to be sure a 51% attack can be executed on Cardano. Based on the all-time high price, this amount of ADA would even be worth $17+ billion.

While this already illustrates that the attacker would literally put a lot of

money ‘at stake’ in attacking the network, acquiring it might be even more

expensive since the resulting buy pressure would likely cause a large increase

of ADA’s price. Besides the price itself, acquiring that much ADA will be

difficult, as it requires the market to be highly liquid. Due to the limited

options to currently buy ADA over the counter (OTC), having enough exchange

volume would be important for the attacker in this scenario.


At the time of writing (21–1–2019), Cardano has a 24-hour trade volume of $16,367,168 in all markets combined, based on CoinMarketCap. To be very conservative, let’s assume that this doesn’t include back-and-forth trading and represents the number of unique ADA being traded. Despite this being the most favorable situation possible for the attacker, acquiring 50% of all ADA via exchanges would still take over 34 days at a similar volume of unique coins being sold on the market every day, without anyone else buying.

However, if you zoom in, this turns out to be a huge underestimation. Based on CoinMarketCap, Binance’s ADA/USDT and ADA/BTC markets are the two most liquid ADA markets and account for 35% of all ADA trading. However, at the time of writing, ‘just’ 16.12 million ADA are available in these two markets. Under the conservative assumption that this amount of unique ADA will be available every day, it would take over 1,608 days to market-buy 50% of the circulating supply. However, market-buying all available ADA on a daily basis would make the price shoot through the roof, likely attracting new sellers (though perhaps also new buyers?). Either way, these (albeit over-simplistic) examples illustrate that acquiring a majority of the stake will be both time-consuming and expensive.

Since attackers aren’t ‘honest participants’ to begin with, acquiring a large part of the stake through phishing attacks, malware attacks and other forms of hacks seems to be another logical possibility. Furthermore, it is possible that the attacker doesn’t focus on acquiring the actual coins, but on hacking the nodes in the network or running multiple stake pools himself (a Sybil attack). After all, if the attacker gains control over the nodes that hold the staking rights to a lot of coins that were delegated to the pool, he can behave adversarially without actually owning the coins.

Besides coin distribution, having a large, distributed network of nodes in which all these coins are staked is also important for network security.

How is stake pool distribution incentivized in Cardano?

Just like in the development of Ouroboros, a lot of academic research in the field of game theory went into creating an incentive structure that incentivizes stake pools not to grow too large. In IOHK’s July 2018 publication on the topic, the researchers give a mathematical proof that, as a result of their incentive structure, the desired number of stake pools is a Nash equilibrium (a game-theoretic concept named after Nobel prize winner John Nash, a name some people might also recall from the hit movie “A Beautiful Mind” about his life, which won four Oscars). As a result, the financial interest of the people participating in the system and ‘doing what is right’ for the system are aligned. This means that as long as the participants make decisions that are best for them financially, they are automatically also ‘doing what is right’ for the protocol. So how does this optimize stake pool distribution?

As mentioned earlier, the chances of winning slot leader elections are proportional to the amount of stake. This means that a stake pool that holds a lot of ADA is more likely to win slot leader elections, essentially giving it more power. This means that there should be an incentive to distribute the stake over as many stake pools as possible. The incentive structure is therefore based on a formula in which the maximum proportion of the total rewards pool that a stake pool can receive is limited to 1/k, where k is the desired number of stake pools. To get a grasp of what could be a realistic expectation regarding k: in May 2018, IOHK asked people that were interested in running a stake pool on the testnet to register. They initially expected that ~100 stake pools would join, but they received well over a thousand applications. While no formal announcements have been made on this, it has been rumored that 1,000 will be used as the parameter k.

Let’s look at an example. Two stake pools, A and B, respectively control 0.03% and 0.12% of the total network stake. Stake pool A will receive 0.03% of the rewards pool, but B will receive 0.10%, since the maximum reward it can receive is 1/1,000 = 0.10%. Since the stake pool rewards are also distributed proportionally to the participants’ stake in that pool, the participants in stake pool B receive relatively less in stake rewards than they would have had they delegated their stake to stake pool A, creating a financial incentive for them to do so and creating a more optimal stake pool distribution as a result. To help Cardano stakeholders determine which pool would give the most favorable results, a pool-sorting mechanism that provides a visual representation of the best choices available will be built into Cardano’s wallets.
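To make the 1/k cap concrete, here is an added Python model of the reward rule described above. It is example code written for this article, not IOHK’s implementation and not Cardano’s actual reward formula (which has further terms, e.g. for pledge). It assumes the rumored k = 1,000, expresses every stake as a fraction of total network stake and every reward as a fraction of the rewards pool, and uses constructed delegator amounts for pools A and B. It goes a step beyond the text by also computing how much of an oversaturated pool’s stake earns nothing extra and what yield a prospective delegator would see after joining each pool, which is the comparison the wallet’s pool-sorting view is meant to surface.

```python
"""Model of the 1/k stake pool reward cap (constructed example, not Cardano's
real reward formula). Stakes are fractions of total network stake; rewards are
fractions of the per-epoch rewards pool."""
from dataclasses import dataclass, field
from typing import Dict, Iterable

K_RUMORED = 1000  # rumored value of the parameter k (unconfirmed at time of writing)


@dataclass
class Pool:
    name: str
    # delegator name -> fraction of total network stake delegated to this pool
    delegators: Dict[str, float] = field(default_factory=dict)

    @property
    def stake(self) -> float:
        """Total fraction of network stake controlled by this pool."""
        return sum(self.delegators.values())


def pool_reward_share(pool_stake: float, k: int) -> float:
    """Share of the rewards pool a pool receives: proportional to its stake,
    but capped at 1/k, the saturation point."""
    return min(pool_stake, 1.0 / k)


def reward_per_unit_stake(pool_stake: float, k: int) -> float:
    """Reward per unit of stake delegated to the pool, normalised so that an
    unsaturated pool yields 1.0 and an oversaturated pool yields less."""
    if pool_stake <= 0.0:
        return 0.0
    return pool_reward_share(pool_stake, k) / pool_stake


def unrewarded_stake(pool_stake: float, k: int) -> float:
    """Stake above the cap: it still adds slot-leader power but no extra reward."""
    return max(0.0, pool_stake - 1.0 / k)


def delegator_rewards(pool: Pool, k: int) -> Dict[str, float]:
    """Split the pool's capped reward among its delegators in proportion to the
    stake each delegated, giving each delegator's share of the rewards pool."""
    total = pool.stake
    if total <= 0.0:
        return {who: 0.0 for who in pool.delegators}
    share = pool_reward_share(total, k)
    return {who: share * (s / total) for who, s in pool.delegators.items()}


def reward_after_joining(pool_stake: float, extra: float, k: int) -> float:
    """Per-unit reward a prospective delegator would earn after adding `extra`
    stake to a pool currently holding `pool_stake` (their own stake counts)."""
    return reward_per_unit_stake(pool_stake + extra, k)


def most_rewarding_pool(pools: Iterable[Pool], extra: float, k: int) -> str:
    """Name of the pool a rational delegator holding `extra` stake should pick."""
    return max(pools, key=lambda p: reward_after_joining(p.stake, extra, k)).name


if __name__ == "__main__":
    # Pool A controls 0.03% and pool B 0.12% of the network stake, as in the
    # article; the split among individual delegators is constructed.
    pool_a = Pool("A", {"a1": 0.0002, "a2": 0.0001})
    pool_b = Pool("B", {"b1": 0.0007, "b2": 0.0005})
    for pool in (pool_a, pool_b):
        print(f"pool {pool.name}: stake {pool.stake:.4%}, "
              f"reward share {pool_reward_share(pool.stake, K_RUMORED):.4%}, "
              f"yield {reward_per_unit_stake(pool.stake, K_RUMORED):.3f}, "
              f"unrewarded stake {unrewarded_stake(pool.stake, K_RUMORED):.4%}")
        print("   per delegator:", delegator_rewards(pool, K_RUMORED))
    print("best pool for a new 0.01% delegator:",
          most_rewarding_pool([pool_a, pool_b], 0.0001, K_RUMORED))
```

Running the block reproduces the article’s numbers (A earns 0.03%, B is capped at 0.10%) and shows that a delegator in B earns only about 83% of what the same stake would earn in A, so the rational move is to delegate to the unsaturated pool. The same cap is what keeps a single pool with, say, 5% of the network stake at a 0.1% reward share, which is why the separate Sybil concern below is about splitting into many pools rather than growing one.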

However, we’re not done yet. How do we prevent an attacker from creating hundreds of small stake pools (a Sybil attack), enticing stakeholders to delegate to these pools using very favorable conditions and gaining control over the majority of the stake?

While an obvious solution would be to make stake pool registration very expensive, this would prevent honest people from creating stake pools, which would actually be bad for decentralization. In IOHK’s October 2018 article on the topic, the authors introduce a solution where stake pool creators can increase the potential rewards of the pool by ‘pledging’ some of their personal stake to it. As a result, it is financially more attractive for stakeholders to delegate their stake to pools whose creators have pledged a lot of their own stake. This means that in order to execute a Sybil attack, the attacker still needs a lot of ADA to be able to create enough pools that are profitable enough to compete with honest stake pools in enticing other stakeholders to join them.

As a final note, IOHK’s researchers are also considering replacing the dependency of rewards on the pool leader’s stake with a reputation system in future versions of Cardano. Such a system would allow people with little stake to make their pools more attractive by running them reliably and efficiently over a long period of time, but it needs to be studied further.

How can the chances of a 51% attack on Cardano be limited?

As just discussed, a higher ADA price will result in higher costs to collect 51% of the stake. ADA price appreciation will also create an incentive for large ADA holders to sell (some of) their stake and likely attract new people to the network, potentially allowing for an improved coin distribution. If ADA were to follow a similar path as Bitcoin and go through multiple market cycles over the next few years, coin distribution may improve.

In Cardano, exchanges will get special enterprise exchange addresses that cannot participate in network consensus and governance. Although there is no technical way to force exchanges to use these, social pressure by the exchanges’ customers could push them to do so. Regardless of whether you believe exchanges might actually participate in a 51% attack, it is important not to store your ADA on an exchange unless you’re actively trading. Of course, owning your own private keys is very important by itself (“not your keys — not your coins!”), but by participating in network consensus and governance yourself, you’re increasing the chance that there will be an honest majority participating. This is of course especially true if you own a lot of ADA, as this means you are in a good position to run a profitable stake pool yourself. You can do so by running your own node or, if not, by delegating your stake to a stake pool that you know you can trust.

Conclusions

Cardano’s consensus mechanism has been mathematically proven to be secure under the assumption that the majority (>50%) of its participants are honest. The fact that it relies on this assumption means that it is, by definition, not resistant against 51% attacks. This may sound threatening but is in fact no different from any other cryptocurrency on the market, as emphasized by Litecoin founder Charlie Lee after the 51% attack on Ethereum Classic.

“By definition, a decentralized cryptocurrency must be susceptible to 51% attacks whether by hashrate, stake, and/or other permissionlessly-acquirable resources. If a crypto can’t be 51% attacked, it is permissioned and centralized.”

— Charlie Lee

A successful 51% attack on Cardano would have major implications for the system. Unlike in Proof-of-Work currencies, where control over the network can be regained by adding more hash power to the network, the attacker’s majority stake position cannot be taken away unless the attacker sells his/her coins or the blockchain is forked.

On the other hand, since a successful 51% attack on Cardano would require the attacker to hold a majority (>50%) of all staked coins (which would be guaranteed if >50% of the circulating supply is held; ~13 billion ADA), such an attack would require the attacker to literally put an enormous amount of money ‘at stake’. Malicious behavior would potentially depreciate the value of the coins that the attacker is using as stake. At current prices, would anyone invest hundreds of millions of dollars in a cryptocurrency to then attack the system, potentially crashing the value of the investment itself?

While the chance is non-zero, it appears unlikely that the relatively straightforward type of 51% attack that we’ve described earlier will happen in Cardano. If a single entity were to go through all the trouble of acquiring 51% of the staked or even circulating supply, using the acquired power to influence decision-making through the planned on-chain governance is arguably more likely, for instance by enforcing the acceptance of self-submitted funding proposals in the planned treasury model or enforcing decisions that are in the best interest of the entity controlling the stake. Therefore, distributing ADA’s supply over many individuals through free market dynamics is very important, regardless of how the risk of a 51% attack is assessed.

Ultimately, it is up to the market to decide how the pros and cons of Cardano’s characteristics weigh against those of other cryptocurrencies like Bitcoin, and to what degree multiple systems will share the capitalization of the total cryptocurrency market. In essence, it’s not the technology itself that determines the product’s value, but the social phenomena that surround it. For instance, it is possible that the market values the fact that in Bitcoin the honest majority’s hash power dominance can always be ‘re-captured’ after a successful 51% attack as a very important aspect. In this scenario, it could mean that the market considers Bitcoin to be a superior store of value, giving its native asset (BTC) a higher price than Cardano’s native asset (ADA). Nonetheless, it could still mean that Cardano will be utilized for being a more efficient and cheaper way to interact between systems and use smart contracts in a secure way. In this intentionally high-contrast scenario, Cardano would basically function as a side-chain to Bitcoin. However, the more intensively Cardano’s system is used, the more fees will be available as stake rewards. This incentivizes staking and lowers sell pressure. If the demand for coins stays consistent (owning ADA is necessary to pay for fees), the coin price increases, making a 51% attack more expensive and thus less likely. This improves the system’s security, making it a better store of value and thus more competitive as a currency, creating a positive feedback loop.

Those that are familiar with the Lindy effect, which is often linked to Bitcoin’s monetary evolution, will recognize this process. The Lindy effect states that a technology’s remaining life expectancy is proportional to its current age, meaning that the longer it exists, the more it is trusted to continue to exist. This means it’ll take time for Cardano’s young system to be trusted — particularly in comparison to Bitcoin, which has already endured resiliently for over 10 years with 99.98% up-time and zero known immutability breaches. The rigorous academic basis of Cardano is arguably the best possible foundation to build on, but it still needs to prove it is resilient against attacks ‘in the wild’ and thus undergo the test of time to earn the trust of investors. To justify an increasing ADA price, which is important in Cardano’s security proposition, it is essential that the system will actually be used. It is therefore no coincidence that this is exactly what IOHK, Emurgo and the Cardano Foundation are focusing on, as illustrated by a recent tweet by IOHK CEO Charles Hoskinson:


Tweet by Charles Hoskinson, 18–1–2019 (source)

Many thanks go out to Ruslan Dudin and Nicolás Arqueros for their thorough reviews of the draft of the article and answering technical questions.

This article is also available in Russian, French (part 1, part 2), Spanish (part 1, part 2) and Chinese.

Liked this story? You can follow me on Medium and Twitter.

Disclaimer: This article was written for informational and educational purposes only and should not be treated as investment advice.

