StakeDag: Stake-based Consensus For Scalable Trustless Systems

07/05/2019 ∙ by Quan Nguyen, et al. ∙ 0

Trustless systems, such as those blockchain enpowered, provide trust in the system regardless of the trust of its participants, who may be honest or malicious. Proof-of-stake (PoS) protocols and DAG-based approaches have emerged as a better alternative than the proof of work (PoW) for consensus. This paper introduces a new model, so-called , which aims for PoS consensus in a DAG-based trustless system. We address a general model of trustless system in which participants are distinguished by their stake or trust: users and validators. Users are normal participants with a no assumed trust and validators are high profile participants with an established trust. We then propose a new family of stake-based consensus protocols S, operating on the DAG as in the Lachesis protocol lachesis01. Specifically, we propose a stake-based protocol S_ϕ that leverages participants' stake as validating weights to achieve more secure distributed systems with practical Byzantine fault tolerance (pBFT) in leaderless asynchronous Directed Acyclic Graph (DAG). We then present a general model of staking for asynchronous DAG-based distributed systems.



There are no comments yet.


page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Trustless systems provide trust in the system regardless of the trust of its participants. In trustless systems, the participants’ trusts are not assumed, but rather they may be honest or malicious. After the success over cryptocurrency, blockchains have emerged as a technology platform for secure decentralized transaction ledgers. They have been applied in numerous domains including financial, logistics as well as health care sectors. Blockchains provide immutability and transparency of blocks and are emerging as a promising solution for building trustless systems including distributed ledgers.

The concept of Byzantine fault tolerance (BFT) [2] guaratees the reliability of a distributed database system when one-third of the participants may be compromised. Consensus algorithms [3] ensure the integrity of transactions over the distributed network [2] and is equivalent to the proof of BFT in distributed database systems [4, 5]. Deterministic, completely asynchronous system does not guarantee Byzantine consensus with unbounded delays [6], but it is completely feasible for nondeterministic system. All nodes in practical Byzantine fault tolerance (pBFT) can reach a consensus for a block in the presence of a Byzantine node [7]. Consensus in pBFT is reached once a created block is shared with other participants and the share information is further shared with others [8, 9].

Bitcoin and blockchain technologies have shown a phenomenal success that has enabled numerous opportunities for business and innovation. These protocols facilitate highly trustworthy, append-only, transparent public distributed ledgers. The underlying technologies have brought a huge promise to shape up the future of financial transactions, and potentially to redefine how people and companies compute, work and collaborate. Despite of the great success, the current blockchain-based systems are still facing some challenges, which attracted a lot of research in consensus algorithms [10, 11, 12].

Proof of Work (PoW) [10] is the most used model since introduced in the original Nakamoto consensus protocol in Bitcoin. Under PoW, validators are randomly selected based on the computation power they use. This process costs electricity that prevents attackers to change transaction records. PoW protocol requires exhausive computational work from participants for block generation, and also needs quite a long time for transaction confirmation. Since then, there have been an extensive amount of work to address these limitations.

Recent technological and innovative advances have led to new consensus algorithms [11, 13, 12, 14, 15, 16] to improve the consensus confirmation time and power consumption over blockchain-powered distributed ledgers.

Proof Of Stake (PoS) [11, 13] uses participants’ stakes for generating blocks. Stake

is an amount of the cryptocurrency that a participant possesses and can prove it. Under PoS, the network achieves distributed consensus on a blockchain by randomly selecting the creator of the next block with a probability based on their stake. In PoS, validators vote on the authentic transactions based on their stake, an amount of tokens that they deposit into an account, which is frozen for a certain period of time. PoS brings environmental advantage with much less power consumption than PoW. If a participant is dishonest and compromised, its stake is voided and burnt. The penalty of losing its stake has proved an effective prevention of attack, since the stake loss will outweight the potential gain of an attack for any attacker. Thus, PoS is safer than proof-of-work (PoW), especially due to the scarcity of stakes in PoS compared to the easy-to-get computing power required in PoW.

The concept of a DAG (directed acyclic graph) cryptocurrency was first introduced in 2015 in DagCoin paper [12]. DAG technology becomes a promising alternative that allows cryptocurrencies to function similarly to those that utilize blockchain technology without the need for blocks and miners. DAG-based approaches have recently emerged as a promising alternative than the proof of work (PoW) for consensus. These approaches utilize directed acyclic graphs (DAG) [12, 15, 16, 17, 18] to facilitate consensus. Examples of DAG-based consensus algorithms include Tangle [19], Byteball [20], and Hashgraph [21].

1.1 Motivation

Lachesis protocol [1] presents a general model of DAG-based consensus protocols. The Lachesis consensus protocols create a directed acyclic graph for distributed systems. We introduced a Lachesis consensus protocols[1, 22], which are DAG-based asynchronous non-deterministic to achieve pBFT. The protocols generate each block asynchronously and uses the OPERA chain (DAG) for faster consensus by confirming how many nodes share the blocks. Recently, we introduced an ONLAY framework [23] that achieves scalable, reliable consensus in a leaderless aBFT DAG. This framework uses the concepts of graph layering and hierarchical graphs on the DAGs. Then assigned layers are used to achieve deterministic topological ordering of finalized event blocks in an asynchronous leaderless DAG-based system.

There is only a few research work studying Proof-of-Stake in DAG-based consensus protocols; one example is  [21]. Hence, we are interested in investigating to use participants’ stakes to improve DAG-based consensus protocol. We aim to see whether such a Proof of Stake model, which associates each participant with their stake or trust can guarantee a more reliable and robust consensus in trustless systems.

1.2 StakeDag Protocols

In this paper, we propose a new family of consensus protocols, denoted by the StakeDag protocols, that aims for PoS based consensus in a DAG-based trustless system. We introduce a general model of trustless system in which participants are distinguished by their stake or trust: users and validators. Users are participants with a default low score of trust and validators are high profile with a high trust score.

A synchronous approach in BFT systems broadcasts the voting and asks each node for a vote on the validity of each block. Instead, our StakeDag protocol aims for an asynchronous leaderless system. StakeDag protocol uses the concept of distributed common knowledge together with network broadcasting to reach a consistent global view with high probability from its local view. Each node batches client transactions into a new event block and stores in its own DAG. The new event block is then shared with other nodes through asynchronous event transmission. Each node shares its own blocks as well as the ones it received from other nodes. This asynchronous step will spread all information through the network, and thus it can increase throughput near linearly as the number of nodes participating the network.

Our general model of stake-based consensus protocols , which is based on the Lachesis protocol [1]. In protocol, each event block has one self-parent reference to the top event block of the same creator, and -1 other-parent references to the top blocks of other nodes. Specifically, protocol leverages participants’ stake as validating power to achieve practical Byzantine fault tolerance (pBFT) in leaderless asynchronous Directed Acyclic Graph (DAG). We then present a general model of staking for asynchronous DAG-based distributed systems.

Figure 1: A General Framework of StakeDag Protocols

Figure 1 shows a general framework of our StakeDag protocols. Each node contains a DAG consisting of event blocks. In each node, the information of accounts and their stakes are stored. The main steps in a PoS DAG-based consensus protocol include (a) block creation, (b) updating flagtable, (c) selecting roots and updating the root sets, (d) assigning frames, (e) selecting Clothos/Atropos, and (f) ordering the final blocks. For a StakeDag protocol, the major steps are highlighted in blue. These steps are (1) updating flagtable; (2) computing validation score of a block, and (3) assigning weights to new roots. Remarkably, the Check of whether a block is a root in StakeDag protocol is different from that Check in Lachesis protocol: StakeDag protocol requires more than 2/3 of validating power (of total stake) while Lachesis requires more than 2/3 of the total number of nodes.

(a) DAG with = 2
(b) DAG with = 3
Figure 2: Examples of DAG with users and validators

Figure 2 depicts an example of an S-OPERA chain, which is a weighted acyclic directed graph stored as the local view of each node. There are five nodes in the example, three of which are normal users with validating power of 1, and the rest are validators whose validating power are set to 2. In this example, each event block has two references: self-parent and other-parent references. The event blocks created by the validators are highlighted in red.

StakeDag protocol leverages asynchronous event transmission for practical Byzantine fault tolerance (pBFT). The core idea of StakeDag is to create a leaderless, scalable, asynchronous DAG. By computing asynchronous partially ordered sets with logical time ordering instead of blockchains, StakeDag offers a new practical alternative framework for distributed ledgers.

The main concepts of StakeDag are given as follows:

Event block

An immutable set of transactions created by a node and is then transported to other nodes. Event block includes signature, timestamp, transaction records and referencing hashes to previous (parent) blocks.


a family of StakeDag protocols.


a specific protocol of the family, which sets the rules for event creation, communication and reaching consensus in StakeDag.


This corresponds to the amount of tokens each node posesses in their deposit. This value decides the validating power a node can have.

User node

A user node has a small amount stake (e.g., containing 1 token).

Validator node

A validator node has large amount of stakes ( 2 tokens).

Validation score

Each event block has a validation score, which is the sum of the weights of the roots that are reachable from the block.

S-OPERA chain

is the local view of the weighted Directed Acyclic Graph (DAG) held by each node. This local view is used to determine consensus.


An event block is called a root if either (1) it is the first event block of a node, or (2) it can reach more than of the network’s validating power from other roots. A root set contains all the roots of a frame. A frame is a natural number assigned to Root sets and its dependent event blocks.

Root graph

Root graph contains roots as vertices and reachability between roots as edges.


A Clotho is a root at layer that is known by a root of a higher frame ( + 1), and which in turns is known by another root in a higher frame ( +2).


An Atropos is a Clotho that is assigned with a consensus time.

Main chain

StakeDag’s Main chain is a list of Atropos blocks and the the subgraphs reachable from those Atropos blocks.

We then introduce a specific protocol of the family. protocol uses the concept of layering, similar to its use in our ONLAY protocol [23]. protocol integrates online layering algorithms with stake-based validation to achieve practical Byzantine fault tolerance (pBFT) in leaderless DAG. The protocol achieves reliable, scalable consensus in asynchronous pBFT by using assigned layers and asynchronous partially ordered sets with logical time ordering instead of blockchains. The partial ordering produced by is flexible but consistent across the distributed system of nodes.

We then present a formal model for the protocol. The formalization can be applied to abstract asynchronous Proof of Stake DAG-based distributed system. The formal model is built upon the model of current common knowledge (CCK) [24].

1.3 StakeDag Staking Model

In this paper, we present a staking model, which can be applied to a general model of stake-based PoS consensus protocols. In particular, our staking model can be integrated nicely with our StakeDag protocols.

We introduce the mechanics, mathematical reasoning and formulae for calculating various aspects of StakeDag system. We then present our system design with multiple incentive mechanisms to achieve high throughput, scalability, security and decentralisation.

1.4 Contributions

In summary, this paper makes the following contributions:

  • We propose a new scalable framework, so-called StakeDag, aiming for practical more secure DAG-based trustless systems.

  • We present a family of PoS DAG-based consensus protocols to achieve more reliable consensus in asynchronous leaderless trustless systems.

  • We present a staking model that can be applied to any PoS DAG-based protocols.

  • We introduce a novel consensus protocol , which uses layer algorithm and root graphs, for faster root selection. protocol uses layer assignment on the DAG to achieve quick consensus with a more reliable ordering of final event blocks.

  • A formal model and proof of BFT of our StakeDag protocol are defined using CCK model [24]. We formalize our proofs into any generic aBFT Proof of Stake DAG system. StakeDag protocol achieves global consistent view via layer assignment with probability one in pBFT condition.

1.5 Paper structure

The rest of this paper is organised as follows. Section 2 gives the related work. Section 3 presents our general model of Proof of Stake DAG-based consensus protocols. Section 4 introduces a staking model that is used for our StakeDag consensus protocol. Section 5 describes a specific protocol, namely protocol, that uses layering algorithms to achieve a more reliable and scalable solution to the consensus problem in BFT systems. Section 6 discusses about several important aspects of Proof of Stake DAG-based protocols, such as fairness and security. Section 7 concludes. Further details about our StakeDag framework and the protocol are given in the Appendix. It covers details about background plus Proof of Byzantine fault tolerance of the protocols.

2 Related work

2.1 An overview of Blockchains

A blockchain is a type of distributed ledger technology (DLT) to build record-keeping system in which its users possess a copy of the ledger. The system stores transactions into blocks that are linked together. The blocks and the resulting chain are immutable and therefore serving as a proof of existence of a transaction. In recent years, the blockchain technologies have seen a widespread interest, with applications across many sectors such as finance, energy, public services and sharing platforms.

For a public or permissionless blockchain, it has no central authority. Instead, consensus among users is paramount to guarantee the security and the sustainability of the system. For private, permissioned or consortium blockchains, one entity or a group of entities can control who sees, writes and modifies the data on it. We are interested in the decentralisation of BCT and hence only public blockchains are considered in this section.

In order to reach a global consensus on the blockchain, users must follow the rules set by the consensus protocol of the system.

Proof of Work Bitcoin was the first and most used BCT application. Proof of Work (PoW) is the consensus protocol introduced by the Bitcoin in 2008 [10]. In PoW protocol, it relies on user’s computational power to solve a cryptographic puzzle that creates consensus and ensures the integrity of data stored in the chain. Nodes validate transactions in blocks (i.e. verify if sender has sufficient funds and is not double-spending) and competes with each other to solve the puzzle set by the protocol. The incentive for miners to join this mining process is two-fold: the first miner, who finds a solution, is rewarded (block reward) and gains all the transaction fees associated to the transactions.

The key component in Bitcoin protocol and its successors is the PoW puzzle solving. The miner that finds it first can issue the next block and her work is rewarded in cryptocurrency. PoW comes together with an enormous energy demand.

From an abstract view, there are two properties of PoW blockchain:

  • Randomized leader election: The puzzle contest winner is elected to be the leader and hence has the right to issue the next block. The more computational power a miner has, the more likely it can be elected.

  • Incentive structure: that keeps miners behaving honestly and extending the blockchain. In Bitcoin this is achieved by miners getting a block discovery reward and transaction fees from users. In contrast, subverting the protocol would reduce the trust of the currency and would lead to price loss. Hence, a miner would end up undermining the currency that she itself collects.

Based on those two charateristics, several alternatives to Proof-of-Work have been proposed.

2.2 Proof of Stake

Proof of Stake(PoS) is an alternative to PoW for blockchains. Instead of using puzzle solving, PoS is more of a lottery system. Each node has a certain amount of stake in a blockchain. Stake can be the amount of currency, or the age of the coin that a miner holds. In PoS, the leader or block submitter is randomly elected with a probability proportional to the amount of stake it owns in the system. For each block, a randomly elected participant can issue the next block. The more stake a party has, the more likely it can be elected as a leader. Similarly to PoW, block issuing is rewarded with transaction fees from participants whose data are included.

There are two major types of PoS. The first type is chain-based PoS [25], which uses chain of blocks like in PoW, but stakeholders are randomly selected based on their stake to create new blocks. This includes Peercoin [26], Blackcoin [27], and Iddo Bentov’s work [28], just to name a few. The second type is BFT-based PoS that is based on BFT consensus algorithms such as pBFT [7]. Proof of stake using BFT was first introduced by Tendermint [29], and has attracted more research [30]. Ethereum had a plan to move from a PoW to a PoS blockchain [31].

PoS has a clear benefit (over PoW) since any node can join the network with even on cheap hardware such as a $35 Raspberry Pi. Every validator can submit blocks and the likelihood of acceptance is proportional to the % of network weight (i.e., total amount of tokens being staked) they possess. Thus, to secure the blockchain, nodes need the actual native token of that blockchain. To acquire the native tokens, one has to purchase or earn them with staking rewards. Generally, gaining 51% of a network’s stake is much harder than renting computation.

Security Although PoS approach reduces the energy demand, new issues arise that were not present in PoW-based blockchains. These issues are shown as follows:

  • Grinding attack: Malicious nodes can play their bias in the election process to gain more rewards or to double spend their money.

  • Nothing at stake attack: In PoS, constructing alternative chains becomes easier. A node in PoS seemingly does not lose anything by also mining on an alternative chain, whereas it would lose CPU time if working on an alternative chain in PoW.

Delegated Proof of Stake To tackle the above issues in PoS, Delegated Proof of Stake (DPoS) consensus protocols are introduced, such as Lisk, EOS [32], Steem [33], BitShares [34] and Ark [35]. DPoS uses voting to reach consensus among nodes more efficiently by speeding up transactions and block creation. Users have different roles and have a incentive to behave honestly in their role.

In DPoS systems, users can vote to select witnesses, to whom they trust, to validate transactions. For top tier witnesses that have earned most of the votes, they earn the right to validate transactions. Further, users can also delegate their voting power to other users, whom they trust, to vote for witnesses on their behalf. In DPoS, votes are weighted based on the stake of each voter. A user with a small stake can become a top tier witness, if it receives votes from users with large stakes.

Top witnesses are responsible for validating transactions and creating blocks, and then get fee rewards. Witnesses in the top tier can exclude certain transactions into the next block. But they cannot change the details of any transaction. There are a limited number of witnesses in the system. A user can replace a top tier witness if s/he gets more votes or is more trusted. Users can also vote to remove a top tier witness who has lost their trust. Thus, the potential loss of income and reputation is the main incentive against malicious behavior in DPoS.

Users in DPoS systems also vote for a group of delegates, who are trusted parties responsible for maintaining the network. The delegates are in charge of the governance and performance of the entire blockchain protocol. But the delegates cannot do transaction validation and block generation. For example, they can propose to change block size, or the reward a witness can earn from validating a block. The proposed changes will be voted by the system’s users.

DPoS brings various benefits: (1) faster than traditional PoW and PoS Stake systems; (2) enhance security and integrity of the blockchains as each user has an incentive to perform their role honestly. (3) normal hardware is sufficient to join the network and become a user, witness, or delegate. (4) more energy efficient than PoW.

Leasing Proof Of Stake Another type of widely known PoS is Leasing Proof Of Stake (LPoS). Like DPoS, LPoS allows users to vote for a delegate that will maintain the integrity of the system. Further, users in a LPoS system can lease out their coins and share the rewards gained by validating a block.

There are a number of surveys that give comprehensive details of PoW and PoS, such as [36, 37]. There are other successors of PoS, such as Proof of Authority (PoA). In PoA, the reputation of the validator acts as the stake [38]. PoA system is a permissioned system, which is controlled by a set of validators. Higher throughput can be achieved by reducing the number of messages sent between the validators. Reputation is difficult to regain once lost and thus is a better choice for “stake”.

2.3 DAG-based approaches

DAG-based approaches have currently emerged as a promising alternative to the PoW and PoS blockchains. The notion of a DAG (directed acyclic graph) was first coined in 2015 by DagCoin [12]. Since then, DAG technology has been adopted in numerous systems, for example,  [12, 15, 16, 17, 18]. Unlike a blockchain, DAG-based system facilitate consensus while achieving horizontal scalability. This section will present the popular DAG-based approaches.

Tangle is a DAG-based approach proposed by IOTA [19]. Tangle uses PoW to defend against sybil and spam attacks. Good actors need to spend a considerable amount of computational power, but a bad actor has to spend increasing amounts of power for diminishing returns. Tips based on transaction weights are used to address the double spending and parasite attack.

Byteball [20] introduces an internal pay system called Bytes used in distributed database. Each storage unit is linked to previous earlier storage units. The consensus ordering is computed from a single main chain consisting of roots. Double spends are detected by a majority of roots in the chain.

Hashgraph [21] introduces an asynchronous DAG-based approach in which each block is connected with its own ancestor. Nodes randomly communicate with each other about their known events. Famous blocks are computed by using see and strong see relationship at each round. Block consensus is achieved with the quorum of more than 2/3 of the nodes.

RaiBlocks [39] was proposed to improve high fees and slow transaction processing. Consensus is obtained through the balance weighted vote on conflicting transactions. Each participating node manages its local data history. Block generation is carried similarly as the anti-spam tool of PoW. The protocol requires verification of the entire history of transactions when a new block is added.

Phantom [16] is a PoW based permissionless protocol that generalizes Nakamoto’s blockchain to a DAG. A parameter is used to adjust the tolerance level of the protocol to blocks that were created concurrently. The adjustment can accommodate higher throughput; thus avoids the security-scalability tradeoff as in Satoshi’s protocol. A greedy algorithm is used on the DAG to distinguish between blocks by honest nodes and the others. It allows a robust total order of the blocks that is eventually agreed upon by all honest nodes.

Like PHANTOM, the GHOSTDAG protocol selects a -cluster, which induces a colouring of the blocks as Blues (blocks in the selected cluster) and Reds (blocks outside the cluster). GHOSTDAG finds a cluster using a greedy algorithm, rather than looking for the largest -cluster.

Spectre [15] uses DAG in a PoW-based protocol to tolerate from attacks with up to 50% of the computational power. The protocol gives a high throughput and fast confirmation time. Sprectre protocol satisfies weaker properties in which the order between any two transactions can be decided from the transactions by honest users; whilst conventionally the order must be decided by all non-corrupt nodes.

Conflux [18] is a DAG-based Nakamoto consensus protocol. It optimistically processes concurrent blocks without discarding any forks. The protocol achieves consensus on a total order of the blocks, which is decided by all participants. Conflux can tolerate up to half of the network as malicious while the BFT-based approaches can only tolerate up to one third of malicious nodes.

Parsec [17] proposes a consensus algorithm in a randomly synchronous BFT network. It has no leaders, no round robin, no PoW and reaches eventual consensus with probability one. Parsec can reach consensus quicker than Hashgraph [21]. The algorithm reaches 1/3-BFT consensus with very weak synchrony assumptions. Messages are delivered with random delays, with a finite delay in average.

Blockmania [40] achieves consensus with several advantages over the traditional pBFT protocol. In Blockmania, nodes in a quorum only emit blocks linking to other blocks, irrespective of the consensus state machine. The resulting DAG of blocks is used to ensure consensus safety, finality and liveliness. It reduces the communication complexity to even in the worse case, as compared to pBFT’s complexity of .

In this paper, our StakeDag protocol is different from the previous work. We propose a general model of DAG-based consensus protocols, which uses Proof of Stake for asynchronous permissionless BFT systems. StakeDag protocol is based on our previous DAG-based protocols[1, 22] to achieve asynchronous non-deterministic pBFT. The new protocol, which is based on our ONLAY framework [23], uses graph layering to achieve scalable, reliable consensus in a leaderless aBFT DAG.

3 A General Model of StakeDag Protocols

In this section, we present a general model of StakeDag protocols that are Proof of Stake DAG-based for trustless systems. In this general model of a stake-based consensus protocol, the stakes of the participants are paramount to a trust indicator.

A stake-based consensus protocol consists of nodes that vary in their amount of stakes. Presumingly, any participant can join the network. Participants can increase their impact as well as their contributions over the Fantom network by the amount of stakes or FTM tokens they possess. For those who obtain more FTM tokens, they have more validating power to check for the validity of blocks and the underlying DAG.

We then introduce the key concepts of our StakeDag protocol as follows.

3.1 Stake

Each participant node of the system has an account. The stake of a participant is defined based on their account balance. The account balance is the number of tokens that was purchased, accumulated and/or delegated from other account. Each participant has an amount of stakes , which is a non-negative integer.

Each participant with a positive balance can join as part of the system. A user has a stake of 1, whereas a validator has a stake of . The number of stakes is the number of tokens that they can prove that they possess. In our model, a participant, whose has a zero balance, cannot participate in the network, either for block creation nor block validation.

3.2 Validating Power and Validator Types

In our previous papers [1, 22], a family of Lachesis protocols was proposed. In Lachesis, every node can submit new transactions, which are batched in a new event block, and it can communicate its new (own) event blocks with peers. Blocks are then validated by all nodes, all of which have the same validating power.

Here, in this paper, we present a general model that distinguishes StakeDag participants by their validating power. In this model, every node in protocols has a stake value of . This value is then used to determine their trust or validating power in validation of event blocks.

Every node in protocols can create new event blocks and can communicate them with all other nodes. All the nodes can validate the event blocks. Their validating power is determined by their stake .

Ideally, we could allow participants can do validation only without the need to participate into block creation, if they wish. However, for an asynchronous DAG-based consensus, validators-only in StakeDag protocol still need to create event block to indicate that which blocks (and all of its ancestors) have been validated.

There are two general types of validators that we are considered in this paper. They are described as follows.

  • Validators as power nodes: Every node, either user or validator, can create and validate event blocks. Both users and validators can submit new transactions via their new event blocks.

    The only difference between users and validators of this type is that a validator has more validating power of, say , while a user has a validating power of 1.

  • Validators as validation-only nodes: We now consider another type of validators. Users and validators of this type play more specific roles. A user node can create new event blocks, which contain transactions. User can validate any event blocks.

    In this type, validators are validation-only nodes. Validators can create empty event blocks, but the event blocks created by validator-only nodes contain no transactions. Validators can validate event blocks.

For stake-based consensus, the difference between the two validator types does not have any significant impact on consensus. The two types are different with respect to the responsibility (validation) and the economic expectation of a participant who joins the StakeDag protocol. In particular, the first type allows any validator to include new transactions in the new event blocks it creates, while the second type prohibits validators from adding new transactions.

Remarkably, the resulting OPERA chains on the nodes are the same for two types of validators. Thus, the computation of consensus does not change between these two types. The two models of validators are considered as implementation-specific. In fact, the first type is more general than the second type.

For the sake of simplicity, we distinguish two types of nodes: users and validators. We consider only the first type of validators, throughout the rest of the paper.

3.3 Event Block Creation

In order to create a new event block, a node can choose a top event block(s) of another node as a parent. In StakeDag protocol, users and validators can choose a top event block(s) of another node/validator node to as an other-parent reference to the new event block. Prior to creating a new event block, the node will first validate its current block and the selected top event block(s) from other node(s).

In a StakeDag protocol, each event block has references to other event blocks using their hash values. The references of a new event block satisfy the following conditions:

  1. Each of the referenced event blocks is the top event block of its own node.

  2. One of the references must be a self-ref (or self-parent) that references to an event block of the same node.

  3. The other -1 references, which are also known as other-parent or other-ref references, refer to -1 top event blocks on other nodes.

3.4 S-OPERA chain: A Weighted DAG

In StakeDag protocol, a (participant) node is a server (machine) of the distributed system. Each node can create messages, send messages to and receive messages from other nodes. The communication between nodes is asynchronous.

Figure 3: An example of an S-OPERA chain in StakeDag. The validation scores of some selected blocks are shown.

Figure 3 depicts an S-OPERA chain obtained from the DAG. In this example, validators have validating power of 2, while users have validating power of 1. Blocks created by validators are highlighted in red color. First few event blocks are marked with their validating power. Leaf event blocks are special as each of them has a validation score equal to their creator’s validating power.

The core idea of StakeDag protocol is to use a DAG-based structure, namely S-OPERA chain, which is based on the concept of OPERA chain in our Lachesis protocol [1]. S-OPERA chain is a weighted directed acyclic graph =(,), where is the set of event blocks, is the set of edges between the event blocks. Each vertex (or event block) is associated with a validation score. Each event block also has a validating score, which is the total weights of the roots reachable from it. When an block becomes a root, it is assigned a weight, which is the same with the validating power of the creator node.

Let be the total validating power of all nodes. For consensus, the algorithm examines whether an event block has a validation score of at least . A validation score of means the event block has been validated by more than two-thirds of total validating power in the S-OPERA chain.

3.5 Stake-based Validation

In StakeDag, we use the following validation process. A node, when validating blocks, never assumes the honesty or dishonesty of any block creator. Instead it verifies the blocks just like other consensus engines operating in an untrusted environment. A node must validate its current block and the received ones before it attempts to create or add a new event block into its local DAG. A node must validate its (own) new event block before it communicates the new block to other nodes.

Note that, StakeDag consensus protocols has a more general model than that of the Lachesis protocols [1]. All nodes in Lachesis can be considered as ’user’ nodes in StakeDag, since the validating power is 1 by default.

A root is an important block that is used to compute the final consensus of the event blocks of the DAG. In Lachesis, when a block can reach more than 2/3 of the roots of the network, it becomes a root. Unlike in Lachesis protocol, StakeDag procol takes the stakes of participants into account to compute the consensus of blocks. A stake number of a block is the sum of the validating power of the nodes whose roots can be reached from the block. When a block receives more than 2/3 of the entire validating power of the network, it becomes a root.

3.6 Validation Score

When an event block can reach a root, it takes the validating power of the root’s creator. The validation score of a block is the sum of accummulated validating powers that the block has gained. The validation score of a block is denoted by .

The validation score of a block is used to determine whether the block is a new root. If the block’s score is greater than 2/3 of the total validating power, the block becomes a root. The weight of a root is denoted by , which is the weight of the creator node of the .

3.7 Flagtable Calculation

To quickly compute the validation score of event blocks, we introduce stake-based flagtable. Each flagtable is a mapping of a root and the stake associated with the creator of that root.

Each event block has a flagtable that stores a set of the roots that are reachable from the block. For flagtable, we only consider the roots in the current active root set.

The validation score of a block is computed as the sum of all validating powers of all the roots contained in the block’s flagtable.

Figure 4: An Example of Flagtable

Figure 4 shows an example of flagtable calculation for event blocks. The current active root set contains five roots , , , and with their validating powers of 1, 2, 1, 2, 1, respectively. The flagtable of block contains a single mapping entry (, 2), and thus the validation score of is the same with the validating power of node , which is 2. The validating power of block is the sum of 2 and 1, which gives a result of 3. Similarly, the validation scores of blocks and are 4 and 5, respectively.

3.8 Root Selection

Figure 5 depicts the process of selecting a new root in StakeDag. A node can create a new event block or receive a new block from other nodes. When a new event block is created, its flagtable is updated. Like in Lachesis protocol, each block has a flagtable that contains the sets of roots that are reachable from the block.

Figure 5: The steps for root selection in StakeDag

Root events get consensus when 2/3 validating power is reached. When a new root is found, ’Assign weight’ step will assign a weight to the root. The root’s weight is set to be equal to the validating power of its creator. The validation score of a root is unchanged.

3.9 Main-chain

For faster consensus, we introduce the Main-chain, which is a special sub-graph of the S-OPERA chain. The Main chain is an append-only list of blocks, that caches the final consensus ordering of the finalized Atropos blocks. The local hashing chain is useful to improve path search to quickly determine the closest root to an event block. Root event blocks are important blocks that reach of the network power. After the topological ordering is computed over all event block, Atropos blocks are determined and form the Main chain.

Each participant has an own copy of the Main chain and can search consensus position of its own event blocks from the nearest Atropos. The chain provides quick access to the previous transaction history to efficiently process new coming event blocks. With the Main chain, unknown participants or attackers can be easily detected.

4 StakeDag Staking model

This section presents our staking model for PoS DAG-based StakeDag protocols. We first give general definitions and variables of our staking model, and then present the model in details.

4.1 Definitions and Variables

Below are the general definitions and variables that are important in StakeDag protocol.

General definitions

denotes the network itself
the set of nodes in the network
”Special Purpose Vehicle” - a special smart contract acting as an internal market-maker for FTG tokens, managing the collection of transaction fees and the payment of all rewards
main network token
network transaction token (gas)
set of event blocks in
set of all event blocks validated on day , their number being


set of all participant accounts in the network
accounts with a positive FTM token balance
accounts with a positive FTG token balance
accounts that have staked for validation (some of which may not actually be validators)
validating accounts, corresponding to the set of the network’s validating nodes

A participant with an account having a positive FTM token balance, say , can join the network. But an account in may not participate in the protocol yet. Those who join the network belong to the set .

[Validating account] A validating account is an account with a positive FTM token balance.

Note that, the set of validating accounts contain both users and validators, as presented in our general model in Section 3.

Network parameters subject to on-chain governance decisions

total supply of FTM tokens
period in days for determining Proof of Importance
period in days after which validator staking must be renewed, to ensure activity
1 minimum number of tokens that can be staked by an account for any purpose
30% impact of Proof of Importance for rewards
50% impact of Proof of Importance for transaction staking
30% SPV commission on transaction fees
15% validator commission on delegated tokens

Tokens held and staked

Unless otherwise specified, any mention of tokens refers to FTM tokens.

[Token helding] The token helding of an account is number of FTM tokens held by account .

number of FTM tokens held by account
transaction-staked tokens by account
tokens delegated by account to account
total of tokens delegated to account
total of tokens delegated by account to accounts in
validation-staked tokens by account
0.1% minimum tokens staked by , as a percentage of
0.4% maximum tokens staked by , as a percentage of
15 delegation multiplier - maximum ratio of delegated versus staked tokens
multiplier - maximum fraction of staked or delegated tokens over the holding

The sum of tokens staked or delegated by an account cannot exceed the amount of tokens held:


The following limits apply for token staked for validation by :

The total amount of tokens delegated to an account is:


The total amount of tokens delegated by an account is:


The sum of tokens delegated to an account cannot exceed a fixed multiple of tokens staked by that account:

Finally, there is a limit on the amount of tokens that can be transaction-staked or delegated:

4.2 Absolute Weight Model

[Weight in ] The weight of an account is equal to its token holding .

[Importance in ] The importance is proportional to gas use in the overall network over the most recent period of days.

The importance of a node is computed by:



gas used by account during past days
gas used in the entire network in past days. So .
importance of , rebased to be comparable with
the sum of all the network’s transacting power

[Transacting Power] The transacting power of an account is defined as a weighted average of an account’s weight and importance in .

transacting power of account
total transacting power of . Thus, .

Transacting power of an account is computed by:


Note that, the above model of transacting power includes a gas factor used in smart contracts. Without gas factor, the transacting power of an account is simply given by , which is the token helding of the account.

Network Performance and Transaction Slots

5,000,000,000 Estimated maximum network processing power, in FTG per second
500,000 Estimated maximum network throughput, in Bytes per second
transacting power needed for a slot of 1 FTG per second
transacting power needed for a slot of 1 Byte/second of throughput

Given that at most tokens can be transaction-staked, we have:


4.3 Relative Weight Model

Since only a fraction of tokens are staked or delegated for validation, we define a relative weight in order to correctly determine the total validating power of the entire network .

[Weight in ] A relative weight of a validator is a relative value of the validating power of computed from the total validating power of the entire network .

tokens staked by, and delegated, to validator , which represents the weight of this validator
total tokens staked by, and delegated to, validators. That is, .

The relative weight of is computed by:


[Importance in ] The importance in is proportional to gas use by accounts that have staked or delegated tokens.



gas use over the past days attributable to validator . That is, .
total gas use over the past days attributable to all validators. So .
importance of , rebased to be comparable with

4.4 Validating power

We first present the simplest model of validating power, which is defined as the number of tokens held by an account.

[Validating power - Simple] The validating power of a validator is defined as validator’s weight. The weight of a validator can be the token helding , or the validator’s weight .

We then also present a general model of the validating power, as follows.

[Validator Score] The validator score is the score given for each validator .

the total score of validator

For each validator , validator score will be a number between and representing a composite of three different performance metrics.

validating performance score of
transaction origination score of
processing power score of

[Validating power] The validating power of a validator is defined as a weighted average of a validator’s weight and importance, multiplied by its score.

Thus, the validating power of a node is computed by:



validating power of validator
total validating power of . So .

Note that, Equation 9 gives a general model for calculating validating power, which includes the notion of gas-based importance . The gas is used for smart contracts. When gas factor is not included, the validating power of an account is simply given by , which is the relative weight of .

4.5 Block consensus and Rewards

We then present notations and definitions in our model of rewards.

[Validation score] Validation score of a block is the total validating power that a given block can achieve from the validators .

[Validating threshold] Validating threshold is defined by of the validating power that is needed to confirm an event block to reach consensus.

Below are the variables that define the block rewards and their contributions for participants in Fantom network.

996,341,176 total available block rewards of , for distribution by the during the first 1460 days after mainnet launch
tokens held by the
total circulating supply
total transaction fees paid by network users on day
total transaction rewards retained by the on day
total transaction rewards to be distributed on day
total block rewards to be distributed on day
total rewards to be distributed on day
total daily rewards attributable to validator on day , that will be paid out to the validator and to all user accounts who have delegated tokens to that validator
total daily delegation rewards received by attributable to validator on day (exclusive of validator rewards)
total delegation rewards received by from all validators on day
total delegation rewards received by all delegators attributable to validator
daily validator rewards received by on day (exclusive of delegation rewards)

Block rewards will be distributed over 1460 days (4 years less one day) after launch, corresponding to per day during that period:


4.6 Token Staking and Delegation

FTM tokens will have multiple uses in the Fantom system. Participants can chose to stake or delegate tokens into their accounts. When staking or delegating, the validating power of a node is based on the number of FTM tokens held, plus other factors such as the “importance” to the network as measured by the gas (described in previous section).

We describe three potential ways for staking to achieve wealth.

[Transaction staking] Participants can gain more stakes or tokens via the transaction staking. Transaction submitters will gain transaction fees if the transactions are successfully validated and reach finality. This style of staking helps increases transaction volume on the network. The more liquidity, the more transaction staking they can gain.

[Validation staking] By validating blocks, a participant can gain validation rewards. Honest participants can gain block rewards for successfully validated blocks.

With validation staking, one can join the network using a moderate hardware and a certain small amount of tokens. Once participating the network, the participant can achieve block rewards for blocks that they co-validated and gain transaction fees from transaction submitters for the successfully finalized transactions. The more stake they gain, the validating power they will have and thus the more rewards they can receive as it is proportional to their validating power.

[Validation delegation] Validation deligation allows a participant to deligate all or part of their tokens to another participant(s). Deligating participants can gain a share of block rewards and transaction fees, based on the amount of delegated stake.

Our model of delegation of stakes between participants allow various coordination amongst participants. Early stage participants can borrow stake from other participants to gain more rewards. Meanwhile, participants with large amount of stakes can deligate their stakes to another participant while still earning some shared rewards.

4.6.1 Delegating Staking

Stakeholders will be able delegate a portion of their tokens to validating nodes. Validators will not be able to spend delegated tokens, which will remain secured in the stakeholder’s own address. Validators will receive a fixed proportion of the validator fees attributable to delegators.

Participants are compared by their performance. Higher performing node, with high uptimes and successful validation rates, will earn more rewards. Delegators will be incentivised to choose nodes that have a high validator score, i.e. are honest and high performing.

Delegators can delegate their tokens for a maximum period of days, after which they need to re-delegate. The requirements to delegate are minimal:

  • Security deposit: None

  • Minimum number of tokens to delegate: 1

  • Minimum lock period: None

  • Maximum number of validators a user can delegate to: None

  • Maximum number of tokens that can be delegated to a validator: 15 times the number of tokens the validator is staking

4.6.2 Transaction-Based Staking

We present more details of transaction-based staking used in StakeDag. With transaction-based staking, FTM holders can stake a portion of their tokens to secure a guaranteed transaction volume on the network.

Staking tokens gives FTM holders a guaranteed transaction slot, which consists of the following:

  • gas: expressed in FTG/second

  • data throughput: expressed in Bytes/second

The size of the issued slot will be proportional to the transacting power of the tokens staked.

Network Processing Power and Throughput Here, we give an estimate of the maximum gas that can be spent per second. The gas usage depends heavily on the processing power. At the year of this writing, the best desktop processors (such as the Intel Core i9 Extreme Edition) have already reached teraflop speeds - one trillion floating point operations per second.

Every instruction processed by the Fantom Virtual Machine (”FVM”) will carry some overhead, as it has to verify signatures and track gas spent. The below gives an estimate:

  • Assume that only 10% of processing power is available for executing transactions and smart contracts. Also assume that a single multiplication by the FVM costs 100 floating-point operations.

  • FVM can process one billion multiplications per second (i.e 5 billion gas - utilising Ethereum’s gas pricing as a guide).

  • basic transactions, which are simple transfers of value from one address to another.

  • A basic transaction has, on average, a size of 120 bytes.

  • This would result in a data volume of = 27 MB / second.

From the above, a data volume of 27 MB per second is for new transactions. When consensus protocol traffic is taken into account, it becomes quite too high. This means that if the majority of transactions are relatively simple, the main bottleneck will be network throughput.

The current assumptions are:

  • can support 5 billion gas / second.

  • A reasonably high maximum transaction throughput of 0.5MB / second.

Staking Now we show an example of staking. Assume that each basic transaction has a size of 120 Bytes on average. In order to be guaranteed one basic transaction per second, a user would need to stake tokens with a transacting power corresponding . If that user’s gas usage is in line with his token holdings, his transacting power will be roughly equal to his token holdings. Thus, the necessary number of transaction-staked FTM tokens will also be approximately 762,000. This corresponds to FTG per second.

5 Layering-based StakeDag: Protocol

In this section, we present a specific PoS DAG-based protocol, namely , of the family . Our general model of StakeDag protocols is presented in Section 3. protocol is a layering-based approach, which is based on our ONLAY framework [23]. provides a PoS DAG-based solution to build scalable asynchronous distributed ledgers.

5.1 Framework

We first give an overal design of the protocol. Figure 6 shows the overall framework of layering-based StakeDag protocol. Like the general model in Figure 1, protocol includes the steps to update flagtable and validation score for each new event block. Once a block receives more than 2/3 of the validating power of the network, the block becomes a root.

Figure 6: An Overview of Layering-based StakeDag Protocol

The figure also depicts extra steps used in protocol. The main difference with the general model is that leverages layering and hierarchical graph obtained from a layering step. Like in ONLAY [23], the layer information of the event blocks are used to achieve reliable frame assignment and consensus of finally ordered event blocks. The root graph serves as a convenient data structure to help find new root, detect possible forks and assign new frame to event blocks.

5.2 Main procedure

Algorithm 1 shows the main function serving as the entry point to launch StakeDag protocol. The main function consists of two main loops, which are they run asynchronously in parallel. The first loop attempts to request for new nodes from other nodes, to create new event blocks and then communicate about them with all other nodes. The second loop will accept any incoming sync request from other nodes. The node will retrieve updates from other nodes and will then send responses that consist of its known events.

1:function Main Function 2:     loop: 3:     Let -PeerSelectionAlgo() 4:     Sync request to each node in 5:     (SyncPeer) all known events to each node in 6:     Create new event block: newBlock(, ) 7:     (SyncOther) Broadcast out the message 8:     Update DAG 9:     Call ComputeConsensus() 10:     loop: 11:     Accepts sync request from a node 12:     Sync all known events by StakeDag protocol 1:function ComputeConsensus(DAG) 2:     Apply layering to obtain H-OPERA chain* 3:     Update flagtable 4:     Compute validation score* 5:     Root selection 6:     Compute root graph* 7:     Compute global state 8:     Clotho selection 9:     Atropos selection 10:     Order vertices and assign consensus time 11:     Compute Main chain
Algorithm 1 StakeDag Main Function

In the first loop, a node makes synchronization requests to -1 other nodes to retrieve their top event blocks. It then creates event blocks that references those received event blocks. Once created, the blocks are broadcasted to all other nodes. In line 3, each node runs the Node Selection Algorithm, to find the next -1 nodes that it will need to communicate with. In line 4 and 5, the node sends synchronization requests to get the latest OPERA chain of these nodes. After the latest event blocks are received in the responses, the node creates new event blocks (line 6), and it then broadcasts the created event block to all other nodes (line 7). After creating a new event block, the node updates its OPERA chain and then call compute consensus function (line 8 and 9).

The ComputeConsensus function first applies layering on the DAG (line 2). After layering is performed, H-OPERA chain is obtained. For each new event block, it updates the flagtable, which includes roots reachable from the block (line 3). Then from the flagtable, validation score is computed based on the weights of the reachable roots (line 4). It then checks whether the block is a root (line 5) and build/update the root graph (line 6). In line 7, it recomputes a global state based on its local H-OPERA chain. Then the node decides which roots become Clothos (line 8) and which then becomes Atropos (line 9). When new Atropos vertices are confirmed, the algorithm runs a topological sort to get the final ordering for unsorted vertices for final consensus (line 10). Lastly, the main chain is constructed from the Atropos vertices that are newly found and sorted (line 11).

5.3 Peer selection algorithm

In order to create a new event block, a node in StakeDag protocol needs to synchronize with -1 other nodes for their latest top event blocks. A peer selection algorithm computes a set of -1 nodes that a node should synchronize with.

There are multiple ways to select - 1 nodes from the set of nodes. Examples of peer selection algorithms that are mentioned in our previous paper [23] include: (1) random peer from peers; (2) the least / most used peer(s); (3) aim for a balanced distribution; (4) based on some other criteria, such as network latency, successful rates, number of own events. In general, our protocol does not depend on how peer nodes are selected.

Stake-based Peer Selection We also propose new peer selection algorithms, which utilize stakes to select the next peer. Each node has a mapping of the peer and the frequency showing how many times that peer was selected. These new peer selection algorithms are adapted from the ones above, but take user stakes into account. We give a few examples of the new algorithms, described as follows:

  1. Stake-based selection : select a random peer from peers with a probability proportional to their stakes .

  2. Least used selection: select the peer with the lowest values of .

  3. Most used selection: select the peer with the highest values of .

  4. Balance selection: aim for a balanced distribution of selected peers of a node, based on the values .

There are other possible ways to integrate stakes and stake-related criteria into a peer selection algorithm. For example, we can define new algorithms based some other criteria, such as successful validation rates, total rewards, etc.

5.4 Peer synchronization

Now we describe the steps to synchronize events between the nodes, as presented in Algorithm 2. In the Event synchronization function, each node selects a random peer (from the set of peers computed by peer selection algorithm). It then sends a sync request consisting of the local known events of to . After receiving the sync request from , will compute an event diff with its own known events and will then return the unknown events to . The algorithm assumes that a node always needs the events in topological ordering (specifically in reference to the lamport timestamps). Alternatively, one can simply use a fixed incrementing index or layer assignment to keep track of the top event for each node.

1:function sync-events() 2:      selects a random peer to synchronize with 3:      gets local known events (map[int]int) 4:      sends a RPC Sync request to peer 5:      receives a RPC Sync request 6:      does an EventDiff check on the known event map (map[int]int) 7:      returns the unknown events to 1:function sync-stakes() 2:      selects a random peer to synchronize with 3:      gets stake updates (map[int]int) 4:      sends a RPC Sync request to peer 5:      receives a RPC Sync request 6:      does an StakeDiff check on the peer-stake map (map[int]int) 7:      returns update stakes to
Algorithm 2 Peer Synchronization

For stake synchronization, the function works in a similar manner. Each node computes any new stake updates in its local view. It will select a random peer and then sends a sync request consisting of the local stake updates of to . After receiving the sync request from , will compute a stake diff with its own known stake values and will then return new events to . Note that, any changes to a user’s stake can only be applied and updated after a certain check points. For simplicity, we assume that stake synchronization is done between nodes for every 20th frame.

5.5 Node Structure

This section gives an overview of the node structure in StakeDag. A node in StakeDag system is associated with a stakeholder that participates with other nodes in the network.

Figure 7: StakeDag node structure

Figure 7 shows the structure of a node. Each node consists of an S-OPERA (Stake-based) chain of event blocks, which is the local view of the DAG. Each node stores the account information of all nodes including itself. The account information includes the account id and its current token helding in each account. There are other details including tokens, delegated tokens, as described in Section 4. For the sake of simplicity, we only show the account balance (e.g., number of tokens). The stakes are then computed from account balance of all nodes. Total validating power and validating threshold are updated accordingly.

In each node, it stores the layering information (the resulting H-OPERA chain), roots, root graph, frames, Clotho set and Atropos set. The top event block of each peer is the most recently created / received event block by that peer node. A block can become a root if it receives more than the validating threshold, which is 2/3 of the validating power of the network. A root will become a Clotho when it is further known by another root. A frame contains a set of roots of that frame. When a root becomes Clotho, its Clotho flag is set on and then it is sorted and assigned a final ordering number. After getting the final ordering, the Clotho is then promoted to an Atropos. The Main-chain is a data structure storing hash values of the Atropos blocks.

5.6 Event block creation

Like previous Lachesis protocol [1], protocol allows every node to create event blocks. In order to generate a new event block, a node sends synchronization requests to - 1 other nodes to get their latest event blocks. Then node can create a new event block. A new event block has references: one is self-ref referencing the top event block of the same node, -1 other references referencing the top event blocks of -1 peers. With cryptographic hashing, an event block can only be created or added if the self-ref and other-ref event blocks exist.

5.7 Layering

We then present the main concepts and algorithms of the protocol in our StakeDag framework. This layering-based PoS approach is based on our ONLAY paper [23]. Intuitively, integrates layering algorithms on the S-OPERA chain and then use the assigned layers reach consensus of the event blocks.

For a DAG =(,), a layering of is a mapping , such that for any directed edge (,) , the layer of the source is greater than the layer of the sink ; that is, + 1. Thus, partitions the set of vertices into a finite number of non-empty disjoint subsets (called layers) ,,, , such that = . Each vertex is assigned to a layer .

Recall that S-OPERA chain is a DAG =(,) stored in each node. Each vertex in is an event block, which has a validation score. By applying on the S-OPERA chain, one can obtain the hierarchical graph of , which is called H-OPERA chain, which is the resulting hierarchical graph . One can apply either LongestPathLayer (LPL) algorithm or Coffman-Graham (CG) algorithm on the graph (see details in  [23]).

In StakeDag, the S-OPERA chain is evolunary as each node creates and synchronizes events with each other.Let us consider a model of dynamic S-OPERA chain. For a node , let =(,) be the current S-OPERA chain and =(,) denote the diff graph, which consists of the changes to at a time, either at block creation or block arrival.The vertex sets and are disjoint; similar to the edge sets and . At each graph update, the updated S-OPERA chain becomes =(, ).

5.7.1 Online Layer Assignment

We adopt the online layering algorithms introduced in [23]. Specifically, we use Online Longest Path Layering (O-LPL) and Online Coffman-Graham (O-CG) algorithm, which assign layers to the vertices in diff graph =(,) consisting of new self events and received unknown events. The algorithms are efficient and scalable to compute the layering of large dynamic S-OPERA chain. Event blocks from a new graph update are sorted in topological order before being assigned layering information. The two algorithms are presented in Appendix LABEL:se:app-onlinelayering.

5.7.2 Layer Width Analysis in BFT

We then give ourformal analysis of the layering algorithms with respect to the Byzantine fault tolerance. BFT addresses the functioning stability of the network when Byzantine nodes may take up to validating power, where is the total validating power of the network.

Let denote the layering of obtained from LongestPathLayering algorithm. Let denote the layering of obtained from the Coffman-Graham algorithm with some fixed width .

Byzantine free network We first consider the case in which the network is free from any faulty nodes; all nodes are honest and thus zero fork exists.

Proposition 5.1.

In the absense of dishonest nodes, the width of each layer is at most .

This can be easily proved by induction. Since there are nodes, there are leaf vertices. The width of the first layer is at maximum, otherwise there exists a fork, which is not possible. We assume that the theorem holds for every layer from 1 to . That is, the at each layer has the width of at most . We will prove it holds for layer as well. Since each honest node can create at most one event block on each layer, the width at each layer is at most . We can prove by contradiction. Suppose there exists a layer . Then there must exist at least two events , on layer such that and have the same creator, say node . That means and are the forks of node . It is a contradiction with the assumption that there is no fork. Thus, the width of each layer . It is proved.

Thus, in the absence of forks, LongestPathLayering(G) and CoffmanGraham(G,n) computes the same layer assignment. That is, and are identical; or , = .

1/3-BFT Now, let us consider the layering result for the network with at most validating power are compromised. In this case, there are about dishonest nodes in average, and about -1 dishonest nodes in the worst case.

Without loss of generality, let be the probability that a node can create fork. Let be the maximum number of forks a faulty node can create at a time. The number of forked events a node can create at a time is . The number of fork events at each layer is given by . Thus, the maximum width of each layer is given by:

Thus, if we set the maximum width high enough to tolerate the potential existence of forks, we can achieve BFT of the layering result. The following theorem states the BFT of LPL and CG algorithms.

LongestPathLayering() and CoffmanGraham(, ) computes the same layer assignment. That is, and are identical; or for each vertex , .

5.7.3 Root Graph

With layering information, we propose to a new data structure, called root graph, which gives a more efficient way to compute new roots. The root graph can be used together with the layers for fast computation of frames. This data structure is slightly different from the one in [23] as we use validating powers of roots instead of the root count.

[Root graph] A root graph =(, ) is a directed graph consisting of roots as vertices, and their reachable connections as edges.

The root graph contains vertices as roots , and the set of edges the reduced edges from , such that only if and are roots and there is a path from to following edges in . The root graph initially contains the genesis vertices — leaf event blocks. When a vertex reaches of the validating power of the current root set , it becomes a root. For each root that new root reaches, we include a new edge (, ) into the set of root edges . If a root reaches two roots and of the same node, then we retain only one edge (, ) or (, ) if . This requirement makes sure each root of a node can have at most one edge to any other node.

1:Require: H-OPERA chain
2:Output: root graph
3: set of leaf events
6:function buildRootGraph(, , )
7:     for each layer =1.. do
9:         for each vertex in layer  do
10:               the set of vertices in that reaches
11:               the total weights of roots in (*)
12:              if  then (*)
13:                  for each root  do
17:         for each vertex  do
18:              Let be a root in such that
Algorithm 3 Root graph algorithm

5.8 Root selection

For StakeDag, we propose a new approach that uses root graph and frame assignment. One can also use a Root selection algorithm described in our previous paper [22].

The steps to build the root graph out of an H-OPERA chain is given in Algorithm 3. At the start of each layer, is set to an empty set. The algorithm processes from layer 0 to the maximum layer . is the set of current active roots. At initial stage, contains only the the genesis vertices — leaf event blocks (Line 3). We will update the set after finding new roots at each layer. Line 4 and 5 set the initial value of the vertex set and edge set of the root graph. For each layer , it runs the steps from line 8 to 18. Let denote the set of new roots found at layer . is initially set to empty (Line 8). We then process each vertex in the layer (line 9). We compute the set of all active roots in that can reach (Line 10). The total weight is computed as the total weights of all roots in (Line 11). is the validation score of . If is greater than , becomes a new root (line 12). For every root in , we add an edge into (line 13-14). In lines 15-16, we add into , and also into to keep to keep track of the new roots found at layer . The second inner loop will replace any new roots found at layer with the existing ones in current active set (line 17-19).

The algorithm always updates the active set of roots at each layer. The number of active roots in is always , though the active roots can be from different layers.

5.9 Clotho selection

For pBFT, consensus is reached once an event block is known by more than 2/3 of the nodes and that information is further known by 2/3 of the nodes.

In our PoS protocol, we define the consensus of a root as the condition the root becomes a Clotho. If it can be reached by more than validating power of the roots and the information is confirmed by another validating power of the roots. That is, for a root at frame , if there exists a root at a frame such that reaches and +2, then the root reaches pBFT consensus. The root is called the nominator, which nominates to become a Clotho.

Proposition 5.2 (Global Clotho).

For any two honest nodes and , if is a Clotho in of , then is also a Clotho in of .

Assume a block that exists in both nodes and . Since honest nodes are consistent nodes, then the subgraphs and are the same on both nodes. Suppose nominates a root to be a Clotho in . Because the subgraphs are identical, it can be deduced that also nominates the same root as a Clotho in .

5.10 Atropos Selection

When new Clotho event blocks are found, we will order them and then will assign the final consensus time for them. We first sort the Clothos based on topological ordering. Section 5.13 gives more details on the topological ordering and consensus time assignment.

Once a Clotho is assigned with a consensus time, it becomes an Atropos. Each node stores the hash value of Atropos and Atropos consensus time in the Main-Chain (blockchain). The Main-chain is used for quick retrieval of the final ordering between event blocks.

Proposition 5.3 (Global Atropos).

For any two honest nodes and , if is an Atropos in of , then is also an Atropos in of .

From the above Global Clotho proposition, a root is a Clotho in then it is also a Clotho in . The layering is deterministic and so is the topological sorting. Hence, the sorted list of Clothos on two nodes are identical. Thus, the assigned consensus time for the Clotho is the same on both nodes. An Atropos block in is also an Atropos in , and they have the same consensus time.

5.11 Frame Assignment

We then present a deterministic approach to frame assignment, which assigns each event block a unique frame number. First, we show how to assign frames to root vertices via the so-called root-layering. For a root graph , we assign frame number to roots of as a function , as follows:

  • , .

  • if reaches at least validating power of the roots of frame , then = .

Second, we then assign frame numbers to non-root vertices with respect to the topological ordering of the vertices. The frame assignment to roots are used to assign frames to non-root vertices. For vertices in the layers between layer and layer +1, the vertices are assigned the frame number .

5.12 Fork detection and removal

When a node receives a Sync request from another node, will check if the received events would cause a fork. In 1/3-BFT system, we can prove that there exists an honest node that sees the fork. That honest node will remove one of the forked events from its S-OPERA chain and will then notify the fork to all other nodes.

[Fork] Two events and form a fork if they have the same creator, but neither is a self-ancestor of the other. Denoted by .

The fork relation is symmetric; that is iff . For two events and of the same creator, we can prove the following: iff . By definition of fork, (, ) is a fork implies that and . It means and (by Happened-Before) and thus (by definition of concurrent).

Lemma 5.4.

(Fork Detection). If there is a fork , then and cannot both be roots on two honest nodes.


Since any honest node cannot accept a fork, and cannot be roots on a single honest node. Now we prove a more general case, showing a proof by contradiction.

Suppose that is a root of , and is root of , where and are two distict honest nodes. Because is a root, it reached roots of node set whose weights account for more than of total validating power. Similarly, is a root, it reached roots of node set that has a total weight greater than . Thus, there must exist an overlap of two sets and , whose total weights is more than . For 1/3-BFT system, it is assumed that dishonest nodes account for less than /3 of the power. Hence, there must be at least one honest member in the overlap set. Let be such an honest member. As is honest, does not accept the fork. This gives a contradiction. The lemma is proved. ∎

When an honest node finds a new root , there is a guarantee that there exists no forked events in the subgraph under . If there were, the fork should have been detected and removed prior to the promotion of .

Proposition 5.5 (Fork-free).

For any Clotho , the subgraph is fork-free.

When became a root, any forks under the subgraph has already been detected and removed from . The node then notified / synchronized with peers about the forks it found, and also might receive any notified forks from other peers. By definition of Clotho, is known by roots reached validating power and those are in turn known by another set of roots of validating power. Thus, there exist nodes with more than validating power knew about and removed the detected forks via peer synchronization.

Proposition 5.6 (Fork-free Global chain).

The global consistent OPERA chain is fork-free.

Recall that the global consistent chain consists of the finalised events i.e., the Clothos and its subgraphs that get final ordering at consensus. Those finally ordered Clothos are Atropos vertices. From the above proposition, for every Clotho , there is no fork in its subgraph . Thus, we can prove by processing the Clothos in topological order from lowest to highest.

5.13 Topological sort

After new Clothos are found, the protocol will compute the final ordering for the Clothos as well as the vertices under them. Once the final total order is computed, finalized vertices are assigned with a consensus time.

We present an approach to ordering event blocks that reach finality. Algorithm 4 gives our topological sort algorithm. The algorithm takes as input the set of new Clothos , the H-OPERA chain, layering assignment , frame assignment , current ordered list , and set of all ordered blocks . Initially, the list and the set are empty (line 1-2).

We first order the Clothos vertices using function, which sorts vertices based on their layer, then lamport timestamp and then hash information of the event blocks (line 12-13). Second, the algorithm processes every Clotho in the sorted order (line 5). For each Clotho , the algorithm computes the subgraph under (line 6). The set of vertices contains vertices from that is not yet processed in (line 7). We then apply to order vertices in to get an ordered list of events . For each event block in , it appends into the final ordered list and also adds into the set of already processed vertices .

1: empty list
3:function TopoSort(, , , , , )
5:     for each Clotho  do
6:         Compute the graph
9:         for  do
10:              Append at the end
12:function SortByLayer()
13:     Sort the vertices in by layer, Lamport timestamp and hash in that order.
Algorithm 4 Topological Sort

After the final order of event blocks are computed using the above algorithm, we can assign the consensus time to the finally ordered event blocks. We can prove that the algorithm will sort and assign the final ordering index for each event block once. A proof by induction is fairly straight-forward.

5.14 Transaction confirmations

Here are some steps for a transaction to reach finality in our system, similar to our previous paper [23]. In a successful scenario, five confirmations will be issued and the fifth receipt is the final confirmation of a successful transaction. First, after a client submits a transaction, s/he will be issued a confirmation receipt of the submitted transaction. Second, the node will batch the submitted transaction(s) into a new event block added into the node’s DAG and it will broadcast the event block to all other nodes of the system. A receipt will be then issued to confirm the containing event block identifier is being processed. Third, when the event block receives the majority of the validating power (e.g., it becomes a Root block), or being known by such a Root block, a confirmation will be issued to acknowledge the block has reached that 2/3 validating power. Fourth, when the Root event block becomes a Clotho. A confirmation will be sent to the client showing that the event block has come to the semi-final stage as a Clotho or being confirmed by a Clotho. Fifth, after the Clotho stage, we will determine the consensus timestamp for the Clotho and its dependent event blocks. Once an event block gets the final consensus timestamp, it is finalized and a final confirmation will be issued to the client that the transaction has been successfully finalized.

In some cases, a submitted transaction can fail to reach finality. For example, a transaction does not pass the validation due to insufficient account balance, or violation of account rules. The other kind of failure is when the integrity of DAG structure and event blocks is not complied due to the existence of compromised or faulty nodes. In such unsuccessful cases, the event blocks are marked for removal and detected issues are notified to all nodes. Receipts of the failure will be sent to the client.

6 Discussions

This section presents several important discussions about PoW and PoS previous work. There has been extensive research in the protocol fairness and security aspects of existing PoW and PoS blockchains (see surveys [36, 37]). Then we also highlight the benefits of our proposed DAG-based PoS approach.

6.1 Protocol Fairness

Here, the common concerns about fairness in PoW and PoS in previous protocols are given as follows:

  • PoW protocol is fair in the sense that a miner with fraction of the total computational power can win the reward and create a block with the probability .

  • PoS protocol is fair given that an individual node who has fraction of the total number of coins in circulation creates a new block with probability. In a PoS system, there is always a concern that the initial holders of coins will not have an incentive to release their coins to third parties, as the coin balance directly contributes to their wealth.

Our StakeDag protocol is fair because every node has an equal chance to create an event block. A protocol in family allows node to enter the network without the need to equip an expensive and high-spec hardward like in PoW. Further, any node in protocol can create a new event block with the same propability, unlike stake-based probability of block creation in POS blockchains.

Like a PoS blockchain system, it is a possible concern that the initial holders of coins will not have an incentive to release their coins to third parties, as the coin balance directly contributes to their wealth. Unlike PoS, that concern in StakeDag protocol is about the economic rewards a StakeDag node may get is proportional to the stake they possess after they successfully contribute to the validation of event blocks.

Remarkably, our StakeDag protocol is more intuitive because our reward model used in stake-based validation can lead to a more reliable and sustainable network.

6.2 Validation Procedure

For validation in StakeDag, all the validators will be weighted by the tokens in their deposit. A block reaches consensus when it gains more than 2/3 of the network stake. That means, it is agreed by a set of validators whose stakes are greater than 2/3 of the total network stake.

Our DAG-based PoS approach makes some improvements in validation procedure over the previous PoS approaches. In particular, StakeDag protocol utilizes the following validation procedure, which is based on the Casper PoS model [31]. Our approach can be summarised as follows:

  • Each block is 1-20 seconds and each frame is 1-10 minutes. Every 20th frame is a checkpoint. Stakeholders can choose to make more deposits at each check point, if they want to become validators and earn more rewards. Validators can choose to exit, but cannot withdraw their deposits until three months later.

  • With asynchronous system model, frames and accounts may be not synchronized and validators are incentivized to coordinate on which checkpoints the history should be updated. This coordination is carried out by broadcasting the latest local views amongst nodes.

  • A checkpoint is selected based on a consistent global history that is finalized with more than 2/3 of the validating power for the checkpoint. When a checkpoint is finalized, the transactions will not be reverted. Attackers can attempt double voting to target double spending attachs. Honest validators are incentivized to report such behaviors and burn the deposits of the attackers.

6.3 Security

PoS approach reduces the energy demand, compared to PoW. PoS is considered as more secure than PoW. This section gives some security analysis of PoW, PoS and our StakeDag protocol.

Overall Comparison As for a guidelines, we present a summary that gives the effects of the common types of attack on previous protocols.

Attack type PoW PoS DPoS StakeDag
Short range attack (e.g., bribe) - + - -
Long range attack - + + maybe
Coin age accummulation attack - maybe - maybe
Precomputing attack - + - -
Denial of service + + + +
Sybil attack + + + maybe
Selfish mining maybe - - -
Table 14: Comparison of Vulnerability Between PoW, PoS, DPoS and StakeDag Protols

Table 14 gives a comparison between PoW, PoS, DPoS and our StakeDag protocol. Generally speaking, StakeDag has less vulnerabilities than PoW, PoS and DPoS.

PoW vulnerabilities PoW-based systems are facing selfish mining attack. In selfish mining, an attacker selectively reveals mined blocks in an attempt to waste computational resources of honest miners.

PoS vulnerabilities PoS has encountered new issues arise that were not present in PoW-based blockchains. These issues are: (1) Grinding attack: malicious nodes can play their bias in the election process to gain more rewards or to double spend their money: (2) Nothing at stake attack: A malicious node can mine on an alternative chain in PoS at no cost, whereas it would lose CPU time if working on an alternative chain in PoW.

Shared vulnerabilities in PoW and PoS There are several vulnerabilities that are encountered by both PoW and PoS. DoS attack and Sybil attack are shared vulnerables that PoW are found more vulnerable. A DoS attack disrupts the network by flooding the nodes. In a Sybil attack, the attacker creates numerous faulty nodes to disrupt the network.

For another shared vulnerable Bribe attack, PoS is more vulnerable because a PoS Bribe attack costs 50x lower than PoW Bribe attack. In bribing, the attacker performs a spending transaction, and at the same time builds an alternative chain secretely, based on the block prior to the one containing the transaction. After the transaction gains the necessary number of confirmations, the attacker publishes his chain as the new valid blockchain, and the transaction is reversed.

PoS potential attacks We then discuss two scenarios that are possible attacks in PoS. Both of these attacks can induce conflicting finalized checkpoints that will require offline coordination by honest users.

Double-Spending An attacker (a) acquires of stakes; (b) submits a transaction to spend some amount and then votes to finalize a checkpoint (Atropos) that includes the transactions; (c) sends another transaction to double-spends; (d) gets caught and his stakes are burned as honest validators are incentivezed to report such misbehavior. In another scenario, an attacker acquires (a) to attempt for an attack and suppose Blue validators own , and Red validators own the rest . The attacker can (b) vote for the transaction with Blue validators, and then(c) vote for the conflicting transaction with the Red validations. Then both transactions will be finalized because they have votes. Blue and Red validators may later see the finalized checkpoint, approve the transaction, but only one of them will get paid eventually.

Sabotage (going offline) An attacker owning of the stakes can appear offline by not voting and hence checkpoints and transactions cannot be finalized. Users are expected to coordinate outside of the network to censor the malicious validators.

In StakeDag, the protocol relies on every honest validators to detect and report such attacks. The attack, once detected, will cause a loss of tokens to the attacker. In fact, our StakeDag protocol guarantees a 1/3-BFT in which no more than tokens are owned by misbehaving nodes. We have provided our proof of 1/3-BFT in previous section and also more details are given in the Appendix.

Specially, let us consider the case an attacker in StakeDag network with . In Double-Spending, s/he can manage to achieve a root block with Blue validators and a conflict root block with Red validators. However, in order for either of the two event blocks to be finalized (becoming Clotho and then Atropos), each of root blocks need to be confirmed by two roots of next levels. Since peers always share their event blocks, an attacker cannot stop the Blue and Red validators (honest) to share event blocks to each other. Therefore, there will exist an honest validator from Blue or Red groups, who detects conflicting event blocks in the next level roots. Because honest validators are incentivezed to find out and report such wrongdoing, the attacker will get caught and his stakes are burned. Similarly, for Sabotage attack, the attacker may refuse to vote for a while. But honest validators will find out the absence of those high stake validators after a number of computed layers.

Comparison of attack cost in PoS versus PoW It will cost more for an attack in PoS blockchain due to the scarity of the native token than in a PoW blockchain. In order to gain more stake for an attack in PoS, it will cost a lot for an outside attacker. S/he will need (or for certain attacks) tokens, where is the total number of tokens, regardless of the token price. Acquiring more tokens will definitely increase its price, leading to a massive cost. Another challenge is that all the tokens of a detected attempt will be burned. In contrast, PoW has no mechanism nor enforcement to prevent an attacker from reattempting another attack. An attacker may purchase or rent the hash power again for his next attempts.

Like PoS, our StakeDag protocol employs the PoS mechanism to effectively prevent potential attacks. Attackers will need to acquire tokens (or at least for certain attacks) to fully influence the validation process. Any attempt that is detected by peers will void the attacker’s deposit.

7 Conclusion

In this paper, we introduce a new set of protocols, namely StakeDag, for a scalable asynchronous distributed system with practical BFT. We propose a new family of consensus protocols that uses Proof of Stake to achieve more scalable and robust consensus in a DAG. Further, we present a model of staking used for our StakeDag framework. Weight models and staking choices have been described.

We then introduce a specific consensus protocol, called , to address a more reliable consensus compared to predecedent DAG-based approaches. The new consensus protocol uses the well-known concept of layering of DAG, like in our [23], to achieve a deterministic consensus on the S-OPERA chain. By using Proof of Stake, can improve the scalability, sustainability than previous DAG-based approaches.

We have included formal definitions and semantics for our general model of StakeDag. Our formal proof of pBFT for our StakeDag protocol is given in the Appendix. Our work extends the formal foundation established in our previous paper [22], which is the first that studies concurrent common knowledge sematics [24] in DAG-based protocols. Formal proofs for our layering-based protocol is also presented.

8 Reference

  • [1] Sang-Min Choi, Jiho Park, Quan Nguyen, Kiyoung Jang, Hyunjoon Cheob, Yo-Sub Han, and Byung-Ik Ahn. Opera: Reasoning about continuous common knowledge in asynchronous distributed systems, 2018.
  • [2] Leslie Lamport, Robert Shostak, and Marshall Pease. The byzantine generals problem. ACM Trans. Program. Lang. Syst., 4(3):382–401, July 1982.
  • [3] Melanie Swan. Blockchain: Blueprint for a new economy. O’Reilly Media, 2015.
  • [4] James Aspnes. Randomized protocols for asynchronous consensus. Distributed Computing, 16(2-3):165–175, 2003.
  • [5] Leslie Lamport et al. Paxos made simple. ACM Sigact News, 32(4):18–25, 2001.
  • [6] Michael J Fischer, Nancy A Lynch, and Michael S Paterson. Impossibility of distributed consensus with one faulty process. Journal of the ACM (JACM), 32(2):374–382, 1985.
  • [7] Miguel Castro and Barbara Liskov. Practical byzantine fault tolerance. In Proceedings of the Third Symposium on Operating Systems Design and Implementation, OSDI ’99, pages 173–186, Berkeley, CA, USA, 1999. USENIX Association.
  • [8] Ramakrishna Kotla, Lorenzo Alvisi, Mike Dahlin, Allen Clement, and Edmund Wong. Zyzzyva: speculative byzantine fault tolerance. ACM SIGOPS Operating Systems Review, 41(6):45–58, 2007.
  • [9] Andrew Miller, Yu Xia, Kyle Croman, Elaine Shi, and Dawn Song. The honey badger of bft protocols. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pages 31–42. ACM, 2016.
  • [10] Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system, 2008.
  • [11] Scott Nadal Sunny King. Ppcoin: Peer-to-peer crypto-currency with proof-of-stake, 2012.
  • [12] Sergio Demian Lerner. Dagcoin, 2015.
  • [13] Daniel Larimer. Delegated proof-of-stake (dpos), 2014.
  • [14] Yossi Gilad, Rotem Hemo, Silvio Micali, Georgios Vlachos, and Nickolai Zeldovich. Algorand: Scaling byzantine agreements for cryptocurrencies. In Proceedings of the 26th Symposium on Operating Systems Principles, pages 51–68. ACM, 2017.
  • [15] Yonatan Sompolinsky, Yoad Lewenberg, and Aviv Zohar. Spectre: A fast and scalable cryptocurrency protocol. IACR Cryptology ePrint Archive, 2016:1159, 2016.
  • [16] Yonatan Sompolinsky and Aviv Zohar. Phantom, ghostdag: Two scalable blockdag protocols, 2008.
  • [17] Fraser Hutchison Qi Ma Spandan Sharma Pierre Chevalier, Bartomiej Kamin ski. Protocol for asynchronous, reliable, secure and efficient consensus (parsec), 2018.
  • [18] Chenxing Li, Peilun Li, Wei Xu, Fan Long, and Andrew Chi-chih Yao. Scaling nakamoto consensus to thousands of transactions per second. arXiv preprint arXiv:1805.03870, 2018.
  • [19] Serguei Popov. The tangle, 2017.
  • [20] Anton Churyumov. Byteball: A decentralized system for storage and transfer of value, 2016.
  • [21] Leemon Baird. Hashgraph consensus: fair, fast, byzantine fault tolerance. Technical report, 2016.
  • [22] Sang-Min Choi, Jiho Park, Quan Nguyen, and Andre Cronje. Fantom: A scalable framework for asynchronous distributed systems. arXiv preprint arXiv:1810.10360, 2018.
  • [23] Quan Nguyen and Andre Cronje. Onlay: Online layering for scalable asynchronous bft system. arXiv preprint arXiv:1905.04867, 2019.
  • [24] Prakash Panangaden and Kim Taylor. Concurrent common knowledge: defining agreement for asynchronous systems. Distributed Computing, 6(2):73–93, 1992.
  • [25] Rafael Pass and Elaine Shi. Fruitchains: A fair blockchain. In Proceedings of the ACM Symposium on Principles of Distributed Computing, pages 315–324. ACM, 2017.
  • [26] Sunny King and Scott Nadal. Ppcoin: Peer-to-peer crypto-currency with proof-of-stake. 19, 2012.
  • [27] Pavel Vasin. Blackcoin’s proof-of-stake protocol v2. URL:, 71, 2014.
  • [28] Iddo Bentov, Ariel Gabizon, and Alex Mizrahi. Cryptocurrencies without proof of work. In International Conference on Financial Cryptography and Data Security, pages 142–157. Springer, 2016.
  • [29] Jae Kwon. Tendermint: Consensus without mining., 2014.
  • [30] Jing Chen and Silvio Micali. ALGORAND: the efficient and democratic ledger. CoRR, abs/1607.01341, 2016.
  • [31] Buterin Vitalik and Griffith Virgil. Casper the friendly finality gadget. CoRR, abs/1710.09437, 2017.
  • [32] EOS. technical white paper.
  • [33] Steem. Steem white paper.
  • [34] BitShares. Delegated proof-of-stake consensus.
  • [35] The Ark Crew. Ark whitepaper.
  • [36] Husneara Hamid Sheikh Sheikh, Rahima Meer Rahima Azmathullah, and FAIZA RIZWAN RIZWANUL HAQUE. Proof-of-work vs proof-of-stake: A comparative analysis and an approach to blockchain consensus mechanism. 2018.
  • [37] Alfonso Panarello, Nachiket Tapas, Giovanni Merlino, Francesco Longo, and Antonio Puliafito. Blockchain and iot integration: A systematic survey. Sensors, 18(8):2575, 2018.
  • [38] Ethcore. Parity: Next generation ethereum browser.
  • [39] Colin LeMahieu. Raiblocks: A feeless distributed cryptocurrency network, 2017.
  • [40] George Danezis and David Hrycyszyn. Blockmania: from block dags to consensus, 2018.
  • [41] Jørgen Bang-Jensen and Gregory Z Gutin. Digraphs: theory, algorithms and applications. Springer Science & Business Media, 2008.
  • [42] Robert Sedgewick and Kevin Wayne. Algorithms. Addison-Wesley Professional, 4th edition, 2011.
  • [43] Kurt Mehlhorn. Data Structures and Algorithms 2: Graph Algorithms and NP-Completeness, volume 2 of EATCS Monographs on Theoretical Computer Science. Springer, 1984.
  • [44] E. G. Coffman, Jr. and R. L. Graham. Optimal scheduling for two-processor systems. Acta Inf., 1(3):200–213, September 1972.
  • [45] Jeremy Spinrad. Worst-case analysis of a scheduling algorithm. Oper. Res. Lett., 4(1):9–11, May 1985.

9 Appendix

This section gives further details about the StakeDag protocol. We present the formal semantics of using the concurrent common knowledge that can be applied to a generic model of DAG-based PoS approaches, and then show the proofs for consensus of the protocol.

9.1 Formal definitions

9.1.1 Node State

A node is a machine participating in the protocol. Each node has a local state consisting of local histories, messages, event blocks, and peer information. Let denote the node with the identifier of . Let denote the total number of nodes.

[State] A (local) state of is denoted by consisting of a sequence of event blocks =, , , .

In a DAG-based protocol, each event block is valid only if the reference blocks exist before it. A local state is corresponding to a unique DAG. In StakeDag, we simply denote the -th local state of a node by the DAG . Let denote the current local DAG of a process .

An action is a function from one local state to another local state. An action can be either: a action of a message , a action, and an internal action. A message is a triple where the sender , the message recipient , and the message body . In StakeDag, consists of the content of an event block . Let denote the set of messages. Semantics-wise, there are two actions that can change a process’s local state: creating a new event and receiving an event from another process.

[Event] An event is a tuple consisting of a state, an action, and a state.

Sometimes, the event can be represented by the end state . The -th event in history of process is , denoted by .

[Local history] A local history of is a sequence of local states starting with an initial state. A set of possible local histories for each process .

A process’s state can be obtained from its initial state and the sequence of actions or events that have occurred up to the current state. StakeDag protocol uses append-only semantics. The local history may be equivalently described as either of the following: (1) = ,,, , (2) = , ,, , (3) = , , , , . In StakeDag, a local history is equivalently expressed as: = , , , , where is the -th local DAG (local state) of the process .


Each asynchronous run is a vector of local histories. Denoted by

= .

Let denote the set of asynchronous runs. A global state of run is an -vector of prefixes of local histories of , one prefix per process. The happens-before relation can be used to define a consistent global state, often termed a consistent cut, as follows.

9.1.2 Lamport timestamps and Ordering

Our StakeDag protocol relies on Lamport timestamps to define a topological ordering of event blocks. The “happened before” relation, denoted by , gives a partial ordering of event blocks in a distributed system. For a pair of and , then if : (1) and are events of the same node , and comes before , (2) is the send() by one process and is the receive() by another process (3) and for some .

[Happened-Im-Before] An event block is said Happened-Immediate-Before an event block if is a (self-) ref of . Denoted by .

[Happened-before] An event block is said Happened-Before an event block if is a (self-) ancestor of . Denoted by .

Happened-before relation is the transitive closure of happens-immediately-before. Two event blocks and are said concurrent, denoted by , if neither of them happened before the other. Two distinct events and are said to be concurrent if and . Given two vertices and both contained in two OPERA chains (DAGs) and on two nodes. We have the following: (1) in if in ; (2) in if in .

[Total ordering] Let denote an arbitrary total ordering of the nodes (processes) and . Total ordering is a relation satisfying the following: for any event in and any event in , if and only if either (i) or (ii) = and .

This defines a total ordering relation. The Clock Condition implies that if then .

9.1.3 Consistent Cut

An asynchronous system consists of the following sets: a set of process identifiers, a set of channels, a set of possible local histories for each process , a set of asynchronous runs, a set of all messages. Consistent cuts represent the concept of scalar time in distributed computation, it is possible to distinguish between a “before” and an “after”, see CCK paper [24].

Consistent cut model of StakeDag protocol is based on the model in our previous work [22, 23]. More details can be found in our previous papers.

9.2 DAG and S-OPERA chain

Each node can create event blocks, send (receive) messages to (from) other nodes. Each event block has exactly references: a self-ref reference, and -1 other-ref references pointing to the top events of -1 peer nodes. Each node stores the current local state in a form of a directed acyclic graph =(, ), where is a set of vertices and is a set of edges.

[Event block] An event block is a holder of a set of transactions. An event block includes the signature, generation time, transaction history, and references to previous event blocks.

[Top event] An event is a top event of a node if there is no other event in referencing .

[Ref] An event is called “ref” of event if the reference hash of points to the event . Denoted by . For simplicity, we can use to denote a reference relationship (either or ).

[Self-ref] An event is called “self-ref” of event , if the self-ref hash of points to the event . Denoted by .

An event block is self-ancestor of an event block if there is a sequence of events such that . Denoted by . An event block is an ancestor of an event block if there is a sequence of events such that . Denoted by . For simplicity, we simply use to refer both ancestor and self-ancestor relationship, unless we need to distinguish the two cases.

S-OPERA chain: An S-OPERA chain is the local view of the DAG =(,). Each vertex is an event block. Each block has a weight, which is the validation score. An edge (,) refers to a hashing reference from to ; that is, .

[S-OPERA chain] In StakeDag, a S-OPERA chain is weighted DAG stored on each node.

[Leaf] The first created event block of a node is called a leaf event block.

[Root] An event block is a root if either (1) it is the leaf event block of a node, or (2) can reach more than validating power from previous roots.

[Root set] The set of all first event blocks (leaf events) of all nodes form the first root set ( = ). The root set consists of all roots such that , = 1..(-1) and can reach more than validating power from other roots in the current frame, = 1..(-1).

[Frame] Frame is a natural number that separates Root sets. The root set at frame is denoted by .

[Creator] If a node creates an event block , then the creator of , denoted by , is .

[Clotho] A root in the frame can nominate a root as Clotho if more than 2n/3 roots in the frame