In the wake of three high profile mining-related attacks on notable alt-coins, one can't help but wonder: is the window for bootstrapping a new proof-of-work cryptocurrency closed? If not, it must be getting close. (For reference, see attacks on: Verge, Bitcoin Gold, Monacoin).
The default failure mode for any new cryptocurrency in 2018 is the sound of silence. For a coin to be attacked, first someone has to care enough to try. It's likely no one will. For the sake of this discussion, we'll assume we're talking about a coin that's getting some traction: it's listed on some exchanges and has some notable trade volume.
Launching a new PoW cryptocurrency there are, broadly speaking, two choices when it comes to choosing a hashing algorithm:
- Choosing an existing hashing algorithm used by other coins
- Creating a novel hashing algorithm by tweaking or combining existing ones
There are lots of variations on these two themes. Verge, for example, got cute and allowed miners to use any one of five different algorithms to produce blocks- a "feature" exploited by its attacker. For the most part, though, a project will fall into one of these two buckets. Let's examine the issues with each.
Using An Existing Algorithm
The problem with choosing an existing hashing algorithm, one used by an established cryptocurrency, is obvious: your fledgling chain is immediately susceptible to a 51% attack from existing miners. Those miners likely have warehouses full of ASICs churning out hashes 24/7. Even a handful of those machines, if diverted toward your chain, could destroy your network. And, as Charlie Lee pointed out recently, there is no real incentive that prevents them from doing this.
Many miners will have no bones about extracting a quick profit while demolishing your chain, then pointing their hash power back to an established coin. So, using an existing algorithm seems to be off the table. But what about....
Using A Novel Algorithm
Creating a new hashing algorithm seems like an attractive alternative to being crushed by existing miners, but this path, too, is fraught with peril. For one, introducing a new hashing algorithm is nontrivial from a technical perspective and introduces a security risk for your network.
More importantly, any coin that gains real traction in the market will immediately trigger a race to develop and manufacture ASICs- a feat only a small handful of companies currently excel at. As the recent development of ASICs for Equishash and CryptoNight demonstrate, no algorithm is truly ASIC resistant.
Thus, it's only a matter of time before a new algorithm is being mined by stealth ASICs and your network is controlled by, at best, a few companies. (More likely, by just one company- and I do mean one in particular). You might be tempted to think said companies would sell the ASICs and distribute the hash power and all would be well, but as David Vorick recently pointed out in his must-read summary of The State of Crypto Mining, this is not the case:
At the end of the day, cryptocurrency miner manufacturers are selling money printing machines. A well-funded profit maximizing entity is only going to sell a money printing machine for more money than they expect they could get it to print themselves.
The best case, then, for a budding PoW coin is to find its hash rate controlled by stealth ASIC miners run by 1-3 entities, with only their goodwill preventing a 51% attack at any moment. Not exactly the decentralized future we were all hoping for.
So, What Now?
I'm honestly not sure we'll see a single new PoW coin launch and gain large scale traction again. Ever. If we do, then certainly that project's team will have to spend a disproportionate amount of time threading the bootstrapping needle to avoid the pitfalls described above.
As for existing coins, I'd go so far as to say that virtually all PoW alt-coins in the long tail are protected merely by obscurity¹. Existing large scale miners and/or ASIC manufactures could trivially attack them. They simply can't be bothered.
A handful of other coins, like Monero and Zcash, have signed up to play an eternal cat and mouse hardfork game with ASIC manufactures. This strikes me as ill-advised, but we'll see where it goes.
Finally there is a top tier of PoW coins that have clearly achieved escape velocity and are relatively safe from a 51% attack. Bitcoin, Litecoin, and Ethereum are the most obvious examples. These chains benefitted from the opportunity to bootstrap in (relative) obscurity and are now (relatively) protected by (relatively) distributed hash power and (relatively) commoditized ASICs. (Did I mention this is all relatively speaking?)
For those of us that care about decentralization and censorship resistance, this conclusion is alarming. To date, PoW is the only effective consensus algorithm that hasn't compromised on those two values. It seems our hopes for a decentralized future rest on the success of at least one of these small handful of projects- or on efforts to develop truly decentralized alternatives to proof-of-work.
¹ There's actually another class of coins I intentionally disregarded in this post: those that merge mine with much larger coins. Bootstrapping a merge-mined coin is basically as challenging as any other PoW mechanism, but there are a handful of coins that have crossed the chasm. Dogecoin, the primogenitor of meme-coins, is (hilariously) the best example of such a chain. Perhaps Doge deserves its market cap after all!