To slash or not to slash: that is the blockchain question

24 June 2025 IO Research 14 min read

Blockchain systems operate at the intersection of cryptography and economic incentives, combining security mechanisms with game-theoretic principles to safeguard digital assets worth billions of dollars. At the heart of this security lie cryptographic techniques and, crucially, consensus algorithms that maintain a globally consistent ledger by receiving, sequencing, and settling transactions. This security is not unconditional, however. The integrity of the ledger holds only as long as adversarial entities control no more than a limited fraction of the total resources (computation, stake, and storage space) underlying the system.

Validator behavior and security mechanisms are critical topics when examining blockchain systems—particularly whether rewarding compliance or penalizing misbehavior (through slashing) is the most effective strategy. This raises a critical question. Why should we assume that the majority of the resources follow the protocol faithfully? What mechanisms ensure that validators adhere to the protocol’s instructions, rather than deviating? Should compliance be encouraged through rewards, or must we rely on penalties to deter bad behavior?

There are significant differences between blockchain protocols in how they approach this challenge. For instance, Ethereum adopts a slashing-based model, whereas Cardano relies on a non-slashing approach rooted in formal verification, stake-weighted incentives, and probabilistic finality.

In this blog post, we explore the underlying principles governing validator behavior and examine the economic and technical safeguards that keep blockchain networks secure. Understanding these mechanisms is crucial for anyone involved in or relying on blockchain technology, as they directly impact the security, stability, and decentralization of these systems and the valuable assets they protect. Cardano, notably, does not require slashing—and it’s important to understand why.

The promise of blockchains

At its core, a blockchain is a protocol that enables a globally distributed network of mutually distrustful and transiently present nodes—some of which may be malicious—to reach agreement on an ever-growing, ordered ledger of transactions. And fundamentally, that’s all it does!

But why is this so powerful? Because it allows us to implement virtually any kind of system in a decentralized way. The most common example is a payment system. A blockchain can facilitate this by establishing a universally accepted starting point—a genesis state—and then processing transactions such as ‘Alice sends 100 ada to Bob.’ When arranged in a strict sequence, these transactions enable us to determine, at any moment, exactly who owns what, by simply replaying all transactions in the order they appear in the ledger.

A key property of blockchain systems is immutability—the guarantee that once a transaction is ‘settled’ or ‘finalized,’ it is permanently recorded exactly where it was placed in the ledger. This is essential for security because if transactions could be reversed or reordered, attackers could exploit the system, e.g., through double-spending. In a double-spend attack, a malicious actor could first send funds to a merchant to complete a purchase and then, if the transaction were later erased from the ledger, reuse the same funds elsewhere—leaving the merchant empty-handed, with neither their payment nor the goods they sold. Ensuring that transactions are final and irreversible is therefore critical to maintaining trust and security in blockchain systems.

The honest majority condition

Blockchains such as Bitcoin and Cardano follow a longest-chain type consensus protocol to construct their blockchain. Block production is governed by a private lottery to elect the next participant that is allowed to extend the longest chain. In Bitcoin, this lottery is realized by a proof-of-work mechanism based on solving hash puzzles. In Cardano, the lottery is implemented cryptographically using verifiable random functions via the Ouroboros protocol, thereby avoiding Bitcoin’s computation-intensive puzzles.

Both protocols share a set of important robustness features. They tolerate an attacker possessing almost 50% of the resources active in the system, be it computing power in the case of Bitcoin, or active stake in Cardano, and they both enjoy a certain degree of self-healing, meaning that even if the attacker gains control of the network after a sudden drop in honest participation, the protocol can return to a stable execution state once full participation is restored.

But what does it mean to be secure?

Bitcoin and Cardano achieve a settlement notion known as probabilistic settlement. The more confirmations a transaction receives (think of the number of blocks appended to the block containing the transaction), the less likely it is that this transaction will ever be reverted. Furthermore, for the sake of a risk assessment, one can quantify the likelihood of a settlement as a function of the number of confirmations as well as the relative strength of the attacker. At a high level, the likelihood of a settlement error decays exponentially with the number of confirmations. The influence of the attacker’s strength is important too. The larger the attacker's relative resources, the slower this exponential decay in settlement error is.

We thus observe that blockchains like Bitcoin or Cardano come with a user-defined finality feature. For any choice k of the number of confirmations a business user makes, one can perform a risk assessment considering the likelihood and impact of the event that settlement of a transaction that is k-deep into the chain does not hold. This can be made adaptive for various valuations of the business process.

The crypto-economic viewpoint

We have so far only discussed settlement from a security perspective, capturing it as a probability that an attacker of a certain strength can revoke transactions that have already reached a given level of confirmations. However, the economic perspective remains missing. Attacks often incur substantial costs, which must be compensated by potential gains. Having such a concrete lower bound to quantify the cost of provoking a settlement error helps assess the practicality and likelihood of an attack from a financial perspective. Here, a whole palette of mechanism design techniques can help drive up the costs. Prominent examples include mechanisms to steer the system toward a good degree of decentralization and a large fraction of active stake securing the system, which Cardano emphasizes. On the other hand, locking and slashing are mechanisms that aim to achieve a commitment by having validators lock a certain amount of stake in the system, which can get slashed when digital evidence of misbehavior surfaces. Ethereum uses this method.

On the rationality of attacks

The assumption that only a limited fraction of the stake controlling block production is in the hands of adversarial parties ultimately stems from economic considerations. Acquiring this amount of stake means investing large amounts of money, which is either (i) impossible for the attacker or (ii) economically, and thus rationally, unviable, as the attack’s cost is greater than its potential gains. Stronger attacks are more expensive but can also result in a higher degree of compromise, and they can be divided into the following two categories:

Attacker gains a majority of the active stake

These are the most severe (and expensive) attacks for proof-of-stake systems. Clearly, the attacker’s cost increases the more active stake is participating in block production. An important observation here is that slashing provides no defense against majority attacks. This is because enforcing slashing requires the majority of active stake to ensure that evidence of misbehavior is recorded on the blockchain. Indeed, recent research [BLR24] has shown that any ‘targeted’ punishment of attackers is impossible in this scenario—see below for a detailed discussion. In fact, slashing can actually be detrimental in this scenario. Because slashing introduces an economic risk for the validators, it may discourage honest and rational actors from actively staking, thus reducing the amount of active stake. This can become problematic, since a lower staking level makes these attacks less costly.

Attacker is below majority

As outlined above, in Nakamoto-style consensus (such as in Bitcoin or Cardano), users can set their own security level by waiting for confirmations, while the system as a whole is always operational against what we call minority attacks. This means that, as long as we are confronted with an attacker that has not gained a majority of the stake, there is always a confirmation rule that protects against attacks of any ‘strength’ up to 50% of stake (which is, of course, slower the more powerful the attacker is). Turned around, if a merchant or a cryptocurrency exchange has set its security level to, say, 30 confirmations, attacking it amounts to acquiring enough stake to be able to revert a transaction that is already 30 blocks deep in the blockchain. We note that, even if successful, this does not mean that the blockchain itself is broken or in an unsafe state. It just means the actual common prefix achieved by Nakamoto consensus is shorter than what the merchant believed. By simply waiting for more confirmations, the merchant would even have the possibility to make the attack cost almost as much as taking full control of the blockchain.
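The risk assessment behind user-defined finality, described here and in the earlier passage on probabilistic settlement, can be made concrete with a short calculation. The following is an added example, not code from the original post or from Cardano: it uses the attacker-race model from Nakamoto's Bitcoin whitepaper (section 11) as a stand-in, since the post does not give Ouroboros-specific settlement bounds, and the function names are illustrative.

```python
import math

def revert_probability(q: float, k: int) -> float:
    """Chance that an attacker holding resource fraction q ever overtakes a
    transaction buried under k confirmations (Nakamoto's race model)."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction in [0, 1]")
    if k < 0:
        raise ValueError("k must be non-negative")
    p = 1.0 - q                       # honest share of the resource
    if q >= p:
        return 1.0                    # majority attacker: no confirmation rule helps
    if q == 0.0:
        return 0.0
    lam = k * q / p                   # expected attacker blocks while honest chain adds k
    never_catches_up = 0.0
    poisson = math.exp(-lam)          # Poisson(lam) probability of i = 0 attacker blocks
    for i in range(k + 1):
        # attacker has i blocks and must still close a gap of k - i
        never_catches_up += poisson * (1.0 - (q / p) ** (k - i))
        poisson *= lam / (i + 1)      # step the Poisson term to i + 1
    return max(0.0, 1.0 - never_catches_up)

def min_confirmations(q: float, max_risk: float, limit: int = 100_000) -> int:
    """Smallest k whose revert probability is below max_risk."""
    if q >= 0.5:
        raise ValueError("no confirmation depth bounds the risk at q >= 0.5")
    for k in range(limit + 1):
        if revert_probability(q, k) < max_risk:
            return k
    raise RuntimeError("risk target not reached within limit")

if __name__ == "__main__":
    # Constructed scenario: the merchant from the text waits 30 confirmations.
    for q in (0.10, 0.30, 0.45):
        print(f"q={q:.2f}  risk at k=30: {revert_probability(q, 30):.2e}  "
              f"k for risk < 0.1%: {min_confirmations(q, 0.001)}")
```

The required depth grows sharply as the attacker approaches half of the resources, which is the "slower" confirmation rule the text refers to.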

The above feature of user-defined finality is not present in other consensus designs. For example, in the class of iterated BFT finalization strategies, an attacker with more than ⅓ of the active stake could already successfully fork the blockchain into two branches containing conflicting finalized blocks. This not only leaves a merchant vulnerable to a double-spend attack, but also puts the entire system in an inconsistent state until the situation is resolved by the validators that need to agree which of the two finalizations to ignore, an intricate and lengthy task that involves social consensus. Therefore, unlike Nakamoto consensus, additional mechanisms are usually employed in iterated BFT finalization strategies. For example, Ethereum implements a ‘dual layer’ approach together with a slashing mechanism to secure their ‘finality layer’ against attacks above ⅓ of the stake. As indicated in Figure 1 below, Cardano and Ethereum use different mechanisms to secure against attacks in the (⅓, ½) range, with slashing being one key difference.

Mechanisms against attackers with less than 50% of the stake

It is not surprising that the approaches to make minority attacks more costly are quite different depending on the underlying consensus algorithm.

Nakamoto consensus and Cardano

In Cardano, the staking and reward mechanism implements an incentive scheme that leads to a high level of active stake in the system distributed across many stake pool operators (SPOs) with a leveraged incentive for pledging stake. This is achieved by a fully liquid on-chain delegation mechanism to pools and by a suitable cap and margin reward scheme that incentivizes multiple stake pools with skin in the game. While this so-called pledge is not locked, rewards are only paid to a pool if the pledge is maintained and not moved. This leads to a situation that increases the cost of minority attacks as mentioned above. Attaining a substantial fraction of the active stake in a highly staked system is expensive, and the focus on multiple SPOs with larger pledges makes it hard to become powerful enough in the consensus algorithm with little stake.

Importantly, there is no active slashing in place. Delegators do have the power to ‘punish’ misbehavior of a pool in the long run though. They can cease their delegation to misbehaving SPOs, which then face a reduction in future rewards and relative power, and choose to delegate to other, better-performing pools. The only way for misbehaving SPOs to launch future attacks of the same strength is to restore their previous percentage of stake. This requires re-acquiring an amount of stake at least equal to—or possibly even greater than—before, since the lost delegation likely increases the honest active stake.

Iterated BFT and Ethereum

In Ethereum, the minority attacks are more critical to deal with, since the system is at risk once an attacker attains ⅓ of the active stake. Thus, any attempt toward disrupting the system’s operation by equivocating attestations or preventing finalization is designed to lead to a massive amount of slashable stake of the misbehaving validators. This number is central when performing a risk assessment of the operational security of the system as a whole. In comparison, in Nakamoto blockchains, the equivalent to this number is the cost of attaining about 50% of the system’s underlying resource (after which slashing is no longer effective anyway).

In the context of Ethereum, slashing as a mechanism can effectively increase the security threshold up to 50% against rational attackers as depicted in Figure 1. In a recent work [BLR24], the notion of a protocol being expensive to attack in the absence of collapse (EAAC) is introduced. In a nutshell, a protocol is EAAC if it ensures that any would-be attacker must incur a direct, targeted financial penalty rather than creating widespread, ‘scorched earth’ harm that also affects honest participants. This notion is meant to model the potential benefits brought forth by the penalties imposed on the attackers by slashing-like mechanisms. Notice that EAAC does not speak to a protocol’s security when operating within its standard operation. Rather, it is a complementary notion that provides guarantees even when the protocol is attacked by an adversary outside of its security model. As Figure 1 illustrates, Ethereum is secure (i.e., it provides safety and liveness) against adversaries controlling a minority (<½) of total stake, and hence it also trivially provides EAAC. Furthermore, adversaries controlling between ⅓ and ½ of all stake could temporarily prevent finalization (by mere inactivity), but a specific form of slashing called inactivity leak will eventually lead to a decrease in their stake share so that finalization is restored. Cardano, on the other hand, does not need slashing to be operationally secure up to 50%. It is worth noting that [BLR24] proves that no protocol allowing for fluctuating participation of parties, which both Cardano and Ethereum do, can provide EAAC guarantees for >50% attackers, completing the picture.

Wouldn’t slashing improve Cardano’s security?

Whether locking and slashing helps as a mechanism is largely dependent on the use case. The positive effect of slashing cannot be disputed for systems that, by choice of their consensus algorithm, do not provide security above ⅓. This does not apply to Cardano, which is secure below the 50% bound.

The approach of having parties lock stake and conducting punishments when a proof of misbehavior is detected can help beyond the use case discussed in this blog post. The approach appears useful when trying to ensure a lower bound on the cost of concrete forms of misbehavior for which the system otherwise fails to provide such a lower bound. Examples include external bribery attacks on the system or misbehavior in re-staking protocols, where the leverage, and thus the financial feasibility of an attack, depends on external factors [E24, KKZ24].

However, it is also known that slashing comes with noticeable downsides, which are highly relevant to blockchain security:

  1. Loss of custody: it introduces additional cybersecurity concerns, as the locked stake must remain outside the custody of the original stakeholder for the duration of the lock period, exposing the stakeholder to loss of funds due to underperformance of operators. This further leads to centralization effects, as professional large-scale operators have an advantage offering reliable staking solutions.
  2. Lower staking participation: the inability to freely access and utilize locked assets may discourage participation, as stakeholders with other preferred uses for their capital—together with those wary of ceding custody—may be deterred from staking altogether.

Historically, the proportion of staked ETH out of the total circulating supply has been underwhelming. In fact, even ETH holders like Vitalik Buterin prefer not to stake most of their ETH. As of September 2024, about 28% of Ethereum was staked [C24]; this compares with about 58% in Cardano. Moreover, it is plausible that the recent increase in staked ETH is a consequence of the availability of liquid staking providers such as LIDO (the dominant staking choice with 28% of total staked ETH [C24]), which introduces a form of liquid staking to Ethereum, reminiscent of Cardano.

Therefore, introducing slashing for Nakamoto-style blockchains such as Cardano, which already achieves optimal resilience, might turn out to be detrimental to security. The disadvantages of slashing might undermine the most important aspects of distributed ledgers: participation and decentralization.

References